Cracking for Newbies - by Dahood

Target: DeskMan
Tools used: W32Dasm, Hiew
Protection: 1. Time trial

NOTE: This tutorial is not totally for newbies, so I expect that you know:
1. how to use W32Dasm
2. how to use Hiew (change, search, etc.)
3. assembly

One thing you have to know about time trials is that there is always a call or a jmp that, if you eliminate it, lets you crack the program. This program is a demo, so it will always show the nag. Before the nag shows, it checks whether you are under 30 days. If yes, it shows a nag that has two options, Try and Buy. If over 30, it shows a nag that says expired, so you don't have the Try option.

Disassemble the program and look for "days" and you should be here:

* Possible StringData Ref from Code Obj ->"You have used Desktop Manager "
                                       ->"during "
|
:00478434 68D8844700 push 004784D8
:00478439 8D55F8 lea edx, dword ptr [ebp-08]
:0047843C A1C8694800 mov eax, dword ptr [004869C8]
:00478441 8B00 mov eax, dword ptr [eax]
:00478443 E88401F9FF call 004085CC
:00478448 FF75F8 push [ebp-08]

* Possible StringData Ref from Code Obj ->" days"
|
:0047844B 6808854700 push 00478508
:00478450 8D45FC lea eax, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"%iltw"
|
:00478472 BA18854700 mov edx, 00478518
:00478477 E864BAF8FF call 00403EE0
:0047847C 7513 jne 00478491 ------> check this call
:0047847E A18C674800 mov eax, dword ptr [0048678C]
:00478483 8B00 mov eax, dword ptr [eax]

* Possible StringData Ref from Code Obj ->"%iltw"
|
:00478485 BA18854700 mov edx, 00478518
:0047848A E851BAF8FF call 00403EE0
:0047848F 7417 je 004784A8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047847C(C)
|
:00478491 A1C8694800 mov eax, dword ptr [004869C8] ---> you land here
:00478496 83381E cmp dword ptr [eax], 0000001E ----> compares the days you have used to 1E = 30
:00478499 7C0D jl 004784A8 --> if lower, jump somewhere

Now I'll show you the easy way to crack the time trial.

From the toolbar click Debug ---> Load Process ---> Load and you should be here:

:004846FC 55 push ebp **here**
:004846FD 8BEC mov ebp, esp
:004846FF 83C4F4 add esp, FFFFFFF4
:00484702 53 push ebx
:00484703 B8E4444800 mov eax, 004844E4
:00484708 E8EF20F8FF call 004067FC
:0048470D 8B1D506A4800 mov ebx, dword ptr [00486A50]
:00484713 8B03 mov eax, dword ptr [ebx]
:00484715 E8E260FCFF call 0044A7FC
:0048471A 8B0D646B4800 mov ecx, dword ptr [00486B64]
:00484720 8B03 mov eax, dword ptr [ebx]

* Possible StringData Ref from Code Obj ->"H3C"
|
:00484722 8B15FC904700 mov edx, dword ptr [004790FC]
:00484728 E8E760FCFF call 0044A814

Now click Step Over until you get to:

:00484728 call 0044A814

Now click Step Into and you'll land here:

:0044A814 55 push ebp
:0044A815 8BEC mov ebp, esp
:0044A817 51 push ecx
:0044A818 53 push ebx

Now click Step Into until you get to:

:0044A845 FF572C call [edi+2C]

Now click Step Into and you'll land here:

:00443980 55 push ebp
:00443981 8BEC mov ebp, esp
:00443983 81C4ECFEFFFF add esp, FFFFFEEC

Now click Step Into until you get to:

:0047D493 8B15C86A4800 mov edx, dword ptr [00486AC8]
:0047D499 8902 mov dword ptr [edx], eax
:0047D49B A1C86A4800 mov eax, dword ptr [00486AC8]
:0047D4A0 8B00 mov eax, dword ptr [eax]
:0047D4A2 8B10 mov edx, dword ptr [eax]
:0047D4A4 FF92D8000000 call dword ptr [edx+000000D8] **** calls the nag ****
:0047D4AA A1C86A4800 mov eax, dword ptr [00486AC8]
:0047D4AF 8B00 mov eax, dword ptr [eax]
:0047D4B1 E8125AF8FF call 00402EC8 ***** this call is our program
:0047D4B6 A1087A4800 mov eax, dword ptr [00487A08]

Scroll a bit down:

* Possible StringData Ref from Code Obj ->"%iltw"
|
:0047D4BB BA00D94700 mov edx, 0047D900
:0047D4C0 E81B6AF8FF call 00403EE0
:0047D4C5 7511 jne 0047D4D8 ** check the jmp
:0047D4C7 A10C7A4800 mov eax, dword ptr [00487A0C]

* Possible StringData Ref from Code Obj ->"%iltw"
|
:0047D4CC BA00D94700 mov edx, 0047D900
:0047D4D1 E80A6AF8FF call 00403EE0
:0047D4D6 7413 je 0047D4EB

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047D4C5(C)
|
:0047D4D8 833DFC7948001E cmp dword ptr [004879FC], 0000001E -----> you land here
:0047D4DF 7C0A jl 0047D4EB ; compares days used to 30

Looks familiar, doesn't it? So we know we are on the right track. The call

:0047D4A4 FF92D8000000 call dword ptr [edx+000000D8]

calls the nag before it checks the time, probably to see if we are registered or whatever. So we are going to try to make it not jump back to check the time, but jump to our real program instead. When you go into the call you'll land here. This is the important part; you land here:

:00447910 55 push ebp

Keep stepping over until you see this:

:0044793B 80784700 cmp byte ptr [eax+47], 00
:0044793F 7524 jne 00447965 *interesting*

Now terminate and go back to this line:

:0044793F 7524 jne 00447965

Check the offset address, open your favourite hex editor and go to address 46d3f. Now press F3 to edit and change the 7524 to 7424 to make the jne a je:

:0044793F 7524 jne 00447965
will be
:0044793F 7424 je 00447965

Now make sure you changed your system time, I mean date, to after the 30 days, and open the program. Before you change anything, back it up if you're smart. What happens? You're in now, no nag, nothing.

Now you're probably thinking, how did I know that was the jne you had to change? I don't know is my answer. Always back up and never be scared to try things out, and with experience you'll be able to tell. I hope I didn't confuse you, and if you have any questions or comments my ICQ# is 69518421 or you can e-mail me at webcrawler28@hotmail.com.

I would like to say thanks to all the crackers, too many to list, for helping me and also for their tutorials. Also a big thanks to Krobar's site http://zor.org/krobar
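The whole protection above hinges on one byte: flipping 75 (jne) to 74 (je) at file offset 46d3f. The following is an added example, not part of the tutorial or of DeskMan, showing what a defender-side self-check would do about that: hash the code region and flag single-byte edits that turn a short conditional jump into its complement. The image bytes are constructed (NOP filler with the page's 6-byte snippet at the page's offset); only the opcode table and the offset/byte values come from the page and the x86 encoding.

```python
import hashlib

# Constructed stand-in for the bytes the tutorial patches; NOT the real DeskMan image.
# Page values: file offset 0x46d3f holds "75 24" (jne 00447965), preceded by
# "80 78 47 00" (cmp byte ptr [eax+47], 00).
PATCH_OFFSET = 0x46D3F
ORIGINAL_SNIPPET = bytes.fromhex("80784700" "7524")

# Short conditional jumps occupy opcodes 0x70..0x7F; each even/odd pair is a
# condition and its complement (0x74 je / 0x75 jne, 0x7C jl / 0x7D jge, ...).
SHORT_JCC = {0x70: "jo", 0x71: "jno", 0x72: "jb", 0x73: "jae",
             0x74: "je", 0x75: "jne", 0x76: "jbe", 0x77: "ja",
             0x78: "js", 0x79: "jns", 0x7A: "jp", 0x7B: "jnp",
             0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}


def build_image(size: int = PATCH_OFFSET + 0x20) -> bytes:
    """Constructed image: NOP filler with the page's snippet ending at the patch offset."""
    img = bytearray(b"\x90" * size)
    img[PATCH_OFFSET - 4:PATCH_OFFSET + 2] = ORIGINAL_SNIPPET
    return bytes(img)


def code_digest(image: bytes, start: int, length: int) -> str:
    """Digest of a code region; a startup self-check compares this to a stored value."""
    return hashlib.sha256(image[start:start + length]).hexdigest()


def integrity_ok(image: bytes, start: int, length: int, expected: str) -> bool:
    """True only if the region is byte-for-byte what was shipped."""
    return code_digest(image, start, length) == expected


def inverted_jumps(original: bytes, suspect: bytes) -> list:
    """Report single-byte changes that flip a short Jcc to its complement condition."""
    hits = []
    for off, (a, b) in enumerate(zip(original, suspect)):
        if a != b and a in SHORT_JCC and b == (a ^ 1):
            hits.append((off, SHORT_JCC[a], SHORT_JCC[b]))
    return hits


def tampered_image() -> bytes:
    """Simulates the modification the tutorial describes: 75 24 -> 74 24 at 0x46d3f."""
    img = bytearray(build_image())
    img[PATCH_OFFSET] = 0x74
    return bytes(img)
```

The digest check catches any edit to the region, while inverted_jumps names the specific kind of edit, which is what you would log or alert on.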