*****************************************************************************
* Subject: Cracking                                                         *
* Target: Winsplit 3.03                                                     *
* Author: BlackB                                                            *
* Date: 1999-05-26                                                          *
* Tools used: Softice, W32DSM89, HIEW 6.01                                  *
* Difficulty (scale 1-5): 1                                                 *
* Requirements: A bit more knowledge than basic stuff                       *
*****************************************************************************


1. Introduction
~~~~~~~~~~~~~~~

Here I am....again! I've written quite some tuts the past weeks of programs I cracked. Probably coz I'm becoming better and better (hehehehe) :p
Actually I should study some more.....but argh(!), what boring stuff we see in school. I'm convinced ur thinking the same :) They'd better drop some fuckin' boring lessons and replace them with informatics or something. Btw, we have absolutely NO informatics......and that suxx very, very badly!
However, I'm here to show u how I cracked Winsplit 3.03......so what r u waiting for? huh? ;)


2. Cracking Winsplit 3.03
~~~~~~~~~~~~~~~~~~~~~~~~~

About the protection: 30 trial uses and a nag screen. There's a registering option included, but as I'm not so good at sniffing serials out, I almost always use the 'dead listing' (i.e. disassembling in w32dsm) approach.

Okay, let's start......with disabling the "30 trial uses".
First of all: disassemble Winsplit.exe and save the disassembly text file. Now run Winsplit a few times. Notice that every time you start Winsplit, the counter decreases by 1. When all trial uses are used up (hehe), the following message is shown:

    "Sorry, your trial period of WinSplit has now ended."
Interesting.....let's search for this text in w32dsm and yes, you should see:

------------------------Start of partial code-------------------------------

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004425BF(C)      <- Aha, this block is reached from 004425BF :-)
|
:004425FA 6A00                   push 00000000
:004425FC 668B0D64264400         mov cx, word ptr [00442664]
:00442603 B201                   mov dl, 01

* Possible StringData Ref from Code Obj ->"Sorry, your trial period of WinSplit "
                                        ->"has now ended."

------------------------End of partial code---------------------------------

Nothing special here, so let's go to the jump at 004425BF. U should see this:

------------------------Start of partial code-------------------------------

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044253F(C)      <- W32Dasm claims this block is reached from 0044253F
|
:004425B8 80BB2C02000000         cmp byte ptr [ebx+0000022C], 00
:004425BF 7539                   jne 004425FA   <- if the 'expired' flag is set, jump to the "Sorry" box

------------------------End of partial code---------------------------------

Okay, we've got the jump. The tempting idea is to go one step higher and kill the jump that supposedly leads here, so let's look at code location 0044253F:

------------------------Start of partial code-------------------------------

:00442538 3200                   xor al, byte ptr [eax]
:0044253A 0000                   add byte ptr [eax], al
:0044253C 53                     push ebx
:0044253D 6F                     outsd
:0044253F 667477                 je 004425B8    <- not a real jump, see below
:00442541 61                     popad
:00442542 7265                   jb 004425A9

------------------------End of partial code---------------------------------

Stop here: this is not code at all, so NOPping the 'je' is the wrong patch, even if the program seems to accept it. Read the bytes, not the mnemonics: 53 6F 66 74 77 61 72 65 is the ASCII text "Software" (most likely the start of a registry path; the 32 00 00 00 in front of it, 50 decimal, looks like a length field). W32Dasm has disassembled string data as code: 66 74 77 ('f','t','w') happens to decode as a je with an operand-size prefix, and because that bogus je "points" at 004425B8, W32Dasm also lists it as a (C)onditional reference there. The signs are all there: an outsd and a popad in the middle of ordinary 32-bit code, a 16-bit prefix on a short jump, and a "jump" into a compare that no instruction before it prepares. NOPping those three bytes corrupts the string instead of removing a check.

The real check is the pair at 004425B8/004425BF: the byte at [ebx+22C] is the 'trial expired' flag, and the jne takes you to the "Sorry" box when it is non-zero. Patch the jne (bytes 75 39 -> 90 90, two NOPs) and the message is never reached, whatever the flag and the counter say: trial disabled :)

Now there's still 1 annoying thing: the nag. If you press the OK button on the nag screen, the program starts. So we have to find where the program waits for the OK button. For that I used Softice:

- Set a breakpoint on PostMessage (bpx postmessage).
- Start Winsplit.
- Softice should pop up.
- Press CTRL-D twice.
- Now press F10 until you get into an endless loop (u have to press quite some time!).
- When ur in the endless loop, u should see:

    00429AA9  test eax, eax
    00429AAB  jz 00429A6E      <- loops back while no button has been pressed yet

- Okay. The only thing we have to do now is kill that jz.
- So go back to w32dsm and goto code location 00429AAB.
- There u see no 'jz' instruction but a 'je' instruction. That's normal: jz and je are two names for the same opcode (74 here), "jump if the zero flag is set", and right after test eax,eax that means "jump if eax == 0".

:00429AA0 8B45FC                 mov eax, dword ptr [ebp-04]
:00429AA3 8B8050010000           mov eax, dword ptr [eax+00000150]
:00429AA9 85C0                   test eax, eax
:00429AAB 74C1                   je 00429A6E    <- the "OK" button check :)
:00429AAD 8945F8                 mov dword ptr [ebp-08], eax

What happens here: the field at +150 of the object in [ebp-04] stays 0 while the dialog is open; pressing OK (or any other button that closes it) puts a non-zero value in it. As long as it is 0 the je jumps back to 00429A6E and the loop pumps another message; once it is non-zero the code falls through and the dialog is gone. If we NOP the je, the code falls through on the very first pass, so the dialog is dismissed before anyone can see it.

- Note the file offset W32Dasm shows for the 'je 00429A6E' (that should be 28EAB; it is the file offset, not the address, that HIEW wants).
- Open HIEW, load Winsplit.exe, press F4, then F3 (decode mode), then F5 (goto), type "28EAB", press enter. Now u r at the 'je' instruction (check: the bytes read 74 C1).
- Press F3 (edit) and type "90" twice. Press F9 to save the changes :)

Now Winsplit thinks immediately that u pushed the OK button, so as a result of that u won't see the nag screen anymore. Winsplit is patched!

Note: Winsplit does still draw the nag screen! It only disappears so fast u won't see it! I know that crack is a little sloppy, but I had no time figuring out how to prevent the nag screen. My apologies!

One more thing to keep in mind: the loop at 00429A6E reads a generic 'which button closed me' field through [ebp-04] and nothing in it is specific to the nag, so it is most likely the program's shared modal-dialog loop. After this patch every dialog that goes through it (message boxes, the About box, and so on) closes by itself the same way. Try the program's other dialogs after patching to make sure u haven't broken anything u need.


3. Outtro
~~~~~~~~~

If u have any questions, comments, etc... mail me at cracking@softhome.com
U can also visit my homepage at http://myplace.to.be/blackb. It's an anti-virus site....no cracking stuff.

Thanks go to: Magic Mike, +ORC, tKC, Qapla and all other fantastic tutorial writers who taught me cracking! :-)

BlackB [EVC] 1999
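The two patches from section 2, done as a script instead of by hand in HIEW. This is an added example, not BlackB's own tool and not anything shipped with Winsplit: it reads the PE section table to turn the virtual addresses from the W32Dasm listing (004425BF and 00429AAB) into file offsets, the step the tutorial does by reading 28EAB off W32Dasm's status line, and it only writes if the bytes at the target are the ones the listings show (75 39 and 74 C1), so it fails loudly on a different version or an already-patched file. Since the real Winsplit.exe is not available here, the script builds a stand-in PE in memory under one assumption: a single .text section at VA 0x1000 backed by file offset 0x400, image base 0x400000, which is the layout under which 00429AAB becomes 28EAB. The 0x419BF it derives for the jne is a consequence of that assumed layout, not a number from the tutorial.

```python
"""Scripted version of the two Winsplit patches (NOP the trial 'jne' at 004425BF
and the nag-loop 'je' at 00429AAB). Added example, not BlackB's tool.

The only tricky part of the manual procedure is turning a virtual address from
the disassembly into a file offset for HIEW; this does it from the PE section
table, and refuses to write unless the target bytes are the expected opcodes."""
import struct


def parse_pe(data: bytes):
    """Return (image_base, [(name, virtual_addr, virtual_size, raw_ptr, raw_size)])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                       # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                     # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0"), va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_offset(data: bytes, va: int) -> int:
    """Map a virtual address (as shown by W32Dasm/SoftICE) to a file offset."""
    image_base, sections = parse_pe(data)
    rva = va - image_base
    for name, sec_va, vsize, raw_ptr, raw_size in sections:
        if sec_va <= rva < sec_va + max(vsize, raw_size):
            delta = rva - sec_va
            if delta >= raw_size:            # memory-only tail of the section
                raise ValueError("%#x is in %r but has no bytes in the file" % (va, name))
            return raw_ptr + delta
    raise ValueError("%#x is not inside any section" % va)


def patch_at_va(data: bytes, va: int, expected: bytes, new: bytes) -> bytes:
    """Overwrite `expected` with `new` at `va`; same length only, never shift code."""
    if len(expected) != len(new):
        raise ValueError("replacement must keep the instruction length")
    off = va_to_offset(data, va)
    found = data[off:off + len(expected)]
    if found != expected:
        raise ValueError("at file offset %#x found %s, expected %s (other version, "
                         "or already patched?)" % (off, found.hex(), expected.hex()))
    return data[:off] + new + data[off + len(new):]


# The two patches from the tutorial; opcodes taken from the W32Dasm listings.
WINSPLIT_PATCHES = [
    (0x004425BF, bytes.fromhex("7539"), b"\x90\x90"),   # jne 004425FA  (trial expired)
    (0x00429AAB, bytes.fromhex("74C1"), b"\x90\x90"),   # je  00429A6E  (modal loop)
]


def patch_winsplit(data: bytes) -> bytes:
    for va, expected, new in WINSPLIT_PATCHES:
        data = patch_at_va(data, va, expected, new)
    return data


def build_sample_pe(text: bytes, image_base=0x400000, text_va=0x1000, text_raw=0x400) -> bytes:
    """Constructed stand-in for Winsplit.exe, NOT the real binary. Assumption: one
    .text section at VA 0x1000 backed by file offset 0x400, the layout that turns
    00429AAB into the offset 28EAB quoted in the tutorial."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), text_va, len(text), text_raw,
                      0, 0, 0, 0, 0x60000020)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(text_raw, b"\0") + text


# Constructed .text: int3 filler with just the two instruction pairs from the listings.
_text = bytearray(b"\xcc" * 0x42000)
_text[0x415B8:0x415C1] = bytes.fromhex("80BB2C020000007539")   # cmp/jne at 004425B8
_text[0x28AA9:0x28AAD] = bytes.fromhex("85C074C1")             # test/je at 00429AA9
SAMPLE_EXE = build_sample_pe(bytes(_text))

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_EXE
    out = patch_winsplit(data)
    print("patched at file offsets",
          [hex(va_to_offset(data, va)) for va, _, _ in WINSPLIT_PATCHES])
    if path:
        open(path + ".patched", "wb").write(out)
```

Run it as `python3 patch_winsplit.py Winsplit.exe` to write `Winsplit.exe.patched`; with no argument it patches the constructed sample. HIEW is still the faster way to do this once, but the expected-bytes check is what keeps a two-byte patch from landing in the middle of a string, which is exactly what the bogus 'je' at 0044253F would have invited.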