Cracking for Newbies - by Dahood

Target: Disk Utility
Tools used: W32dasm, Hview
Protection: 1. Nag screen

NOTE: This tutorial is not totally for newbies, so I expect that you know:
1. how to use W32dasm
2. how to use Hview (change, search, etc...)
3. Assembly

After 30 days you have to uninstall the program, but if you don't uninstall it, it still works; you just get to see the nag screen. I changed my system date to about 2 months ahead and all it did was show a nag.

Anyway, there are 2 ways:
1. the hard, long one (good to know)
2. the one that takes 2 seconds

So make 2 copies of the program.

1. Disassemble the program

Use copy 1. We are trying to go straight to the real program. From the menu click Debug ----> Load Process ----> Load, and you should be here:

//******************** Program Entry Point ********
:004114D0 55         push ebp
:004114D1 8BEC       mov ebp, esp

Click Step Over until you see:

:0041161D E875FF0000   call 00421597

Now click Step Into and you'll be here:

:00421597 FF742410   push [esp+10]   ---- you land here

Step Over till:

:0042159B FF742410     push [esp+10]
:0042159F FF742410     push [esp+10]
:004215A3 FF742410     push [esp+10]
:004215A7 E87C830000   call 00429928   ----> when you get here click Step Into and you should be here:

:00429928 53   push ebx
:00429929 56   push esi

Keep stepping over till you see:

:0042995F FF5658   call [esi+58]

Now Step Into and you'll be here:

:0040A04F 55     push ebp
:0040A050 8BEC   mov ebp, esp

Now Step Over until the call below (we are almost there, we're just trying to trace the nag). There has to be a je or jne that decides between the nag and the real program:

:0040A18D E863040000   call 0040A5F5

Now Step Into and you should be here:

:0040A5F5 55   push ebp

Step Over till you get here:

:0040A63C 740A           je 0040A648                     ** if this jump is taken it jumps over :0040A642
:0040A63E 8B06           mov eax, dword ptr [esi]
:0040A640 8BCE           mov ecx, esi
:0040A642 FF90C0000000   call dword ptr [eax+000000C0]   ** when you get here the nag shows

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040A631(C), :0040A63C(C)
|
:0040A648 33C0   xor eax, eax
:0040A64A 5E     pop esi
:0040A64B C9     leave
:0040A64C C3     ret

So now we know: if the je 0040A648 is taken, execution goes to 0040A648 and jumps over 0040A642, which calls the nag. So let's change je to jne:

:0040A63C 740A   je 0040A648
will be
:0040A63C 750A   jne 0040A648

Now open the program.... did it work? Yes.

2. Hex edit copy 2

Open copy 2 in Hview, make sure you're in text mode and search for "& R e g i s t e r". You will find it at 00451570. Look, you should see:

FF FF 80 26 00 52 00 65 00 67

Change the 80 to 7E, save and exit. Now try it. Does it work???? Yes, but when you're in the program the About button won't work. With the first way the About button works. You choose what is better for you.

I hope I didn't confuse you. If you have any questions or comments, my ICQ# is 69518421 or you can e-mail me at webcrawler28@hotmail.com.

I would like to say thanks to all the crackers (too many to list) for helping me and also for their tutorials. Also a big thanks to krobar's site http://zor.org/krobar
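To see why way 1 comes down to a single byte, here is an added Python example (my own, not part of Dahood's tutorial) that decodes the short conditional-jump encoding used in the W32dasm listing: opcode 0x74 is je and 0x75 is jne, and the second byte is a signed 8-bit displacement counted from the end of the 2-byte instruction, so 74 0A at 0040A63C targets 0040A648. The same decoding is what you need when diffing a binary to spot such a flipped branch; the listing line format is assumed to be W32dasm's ":ADDRESS HEXBYTES mnemonic".

```python
# Added example: decode x86 short (rel8) conditional jumps like the ones
# in the W32dasm listing above.  Not code from the original tutorial.

# Opcodes 0x70..0x7F are the short Jcc family; each condition and its
# negation differ only in the low bit (0x74 je / 0x75 jne).
SHORT_JCC = {
    0x70: "jo",  0x71: "jno", 0x72: "jb",  0x73: "jae",
    0x74: "je",  0x75: "jne", 0x76: "jbe", 0x77: "ja",
    0x78: "js",  0x79: "jns", 0x7A: "jp",  0x7B: "jnp",
    0x7C: "jl",  0x7D: "jge", 0x7E: "jle", 0x7F: "jg",
}

def decode_short_jcc(address, code):
    """Decode a 2-byte Jcc rel8 at `address` and return (mnemonic, target).

    The displacement is a signed byte relative to the *next* instruction,
    i.e. target = address + 2 + rel8.  Raises ValueError for non-Jcc bytes.
    """
    if len(code) < 2 or code[0] not in SHORT_JCC:
        raise ValueError("not a short conditional jump: %r" % (code[:2],))
    rel8 = code[1] - 0x100 if code[1] >= 0x80 else code[1]   # sign-extend
    return SHORT_JCC[code[0]], (address + 2 + rel8) & 0xFFFFFFFF

def parse_listing_line(line):
    """Parse a W32dasm line like ':0040A63C 740A je 0040A648' -> (address, bytes)."""
    addr_field, hex_field = line.split()[:2]
    return int(addr_field.lstrip(":"), 16), bytes.fromhex(hex_field)

def describe(line):
    """Address, decoded mnemonic and computed target for one listing line."""
    address, code = parse_listing_line(line)
    mnemonic, target = decode_short_jcc(address, code)
    return "%08X %s %08X" % (address, mnemonic, target)

if __name__ == "__main__":
    # The instruction from the tutorial, before and after the one-byte change:
    # both decode to the same target, only the condition is inverted.
    for line in (":0040A63C 740A je 0040A648", ":0040A63C 750A jne 0040A648"):
        print(describe(line))   # 0040A63C je 0040A648 / 0040A63C jne 0040A648
    # A backward jump shows why the displacement must be sign-extended.
    print(decode_short_jcc(0x1000, bytes([0x74, 0xF0])))   # ('je', 4082) = 0x0FF2
```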