Cracking for Newbies - by Dahood

Target: APrintDirect Ver 4.0.2.0
Tools used: W32dasm, Hiew
Protection: 1. Time trial

NOTE: This tutorial is not entirely for newbies, so I expect that you already know:
1. how to use W32dasm
2. how to use Hiew (change, search, etc.)
3. assembly

Run the program. You have 21 days to use it; after that you have to register to keep using it. When you open the program you get a nag that says how many days you have used and how many are left, or that the trial has expired. So move your system date 21 days ahead and open the program; you should see the expired nag.

Disassemble the program and look at the strings. There are lots of good strings, but let's try to trace and see what calls the nag instead. Debug ---> Load Process ---> Load, and you should be here:

//******************** Program Entry Point ********
:00499158 55                      push ebp
:00499159 8BEC                    mov ebp, esp
:0049915B 83C4F4                  add esp, FFFFFFF4

Click on Step Over until you get to:

:004991D1 E8FA76FBFF              call 004508D0      -----> calls the nag
:004991D6 8B0DDCBD4900            mov ecx, dword ptr [0049BDDC]
:004991DC 8B06                    mov eax, dword ptr [esi]
:004991DE 8B1594194900            mov edx, dword ptr [00491994]
:004991E4 E8E776FBFF              call 004508D0
:004991E9 8B06                    mov eax, dword ptr [esi]
:004991EB E86077FBFF              call 00450950      -----> calls the real program

If you don't know how I found that out: when you get to call 004508D0, click Step Over and the nag comes up; if you click Continue and Step Over again, when you get to call 00450950 the program starts.
If you do this you have to close the program and start all over. OK, let's go on tracing the nag. When you get to call 004508D0, click Step Into and you should be here:

:004508D0 55                      push ebp
:004508D1 8BEC                    mov ebp, esp
:004508D3 51                      push ecx

Click Step Over until:

:00450901 FF572C                  call [edi+2C]

Then click Step Into and you should be here:

:00449914 55                      push ebp

We are almost there. Click Step Over until you get here:

:004499B5 E8566BFCFF              call 00410510

Now Step Into and you'll be here:

:00410510 55                      push ebp

Click on Step Over till you get here:

:0041057F 7405                    je 00410586        * you land here *
:00410581 E83EFEFFFF              call 004103C4      -----> this calls the nag

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041057F(C)
|
:00410586 33C0                    xor eax, eax

Now this looks interesting: there is a "jump if equal" right on top of the nag call, so if it were a jne it would jump straight to xor eax, eax and over the nag call. Open Hiew, go to offset F97F and change the 7405 to 7505 (je to jne); F9 to save and F10 to exit. Open the program and it jumps straight in without showing the nag, and the title bar doesn't say "unregistered" or anything other than the name of the program. Check Help ---> About... ????? It still says "Unregistered Evaluation Version". At this point the program is cracked and would never show you any nags; you can stop now, or you can continue and change that too....
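As an added example (not part of Dahood's tutorial), the following Python shows why the 74 -> 75 edit above (and the identical 74 -> 75 edit on the "Unregistered Evaluation Version" check in the next section) is a one-bit change that inverts any short conditional jump, and how a vendor could fingerprint such a guard site to notice the edit. The byte image and the offset 0x10 are constructed for the example, not taken from APrintDirect.

```python
# Short conditional jumps on x86 (opcodes 0x70-0x7F) come in complementary
# pairs: flipping bit 0 of the opcode inverts the condition, which is exactly
# what turning 74 05 (je) into 75 05 (jne) did.  A vendor that guards a nag
# with a single such branch can catch the edit by hashing the guard site.
import hashlib

# Mnemonics for the short Jcc family, indexed by opcode - 0x70.
JCC_SHORT = [
    "jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
    "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg",
]

def decode_jcc_short(opcode: int) -> str:
    """Return the mnemonic for a short conditional jump opcode."""
    if not 0x70 <= opcode <= 0x7F:
        raise ValueError(f"0x{opcode:02x} is not a short Jcc opcode")
    return JCC_SHORT[opcode - 0x70]

def complement_jcc(opcode: int) -> int:
    """Opcode of the inverse condition (je <-> jne, jb <-> jae, ...)."""
    decode_jcc_short(opcode)  # validate the opcode range first
    return opcode ^ 0x01

def guard_fingerprint(image: bytes, offset: int, length: int = 2) -> str:
    """SHA-256 of the bytes at a guard site (opcode + rel8 displacement)."""
    return hashlib.sha256(image[offset:offset + length]).hexdigest()

def check_guard(image: bytes, offset: int, expected: str) -> dict:
    """Report whether the guard still matches its build-time fingerprint."""
    return {
        "intact": guard_fingerprint(image, offset) == expected,
        "mnemonic": decode_jcc_short(image[offset]),
    }

# Constructed image: 16 filler bytes, then 'je +5' at offset 0x10 (the same
# 74 05 / E8 3E FE FF FF byte pattern as the listing above), nothing else.
ORIGINAL = bytes(0x10) + bytes([0x74, 0x05, 0xE8, 0x3E, 0xFE, 0xFF, 0xFF])
EXPECTED = guard_fingerprint(ORIGINAL, 0x10)  # recorded at build time

# The same image after the one-byte edit at the guard site.
_patched = bytearray(ORIGINAL)
_patched[0x10] = complement_jcc(ORIGINAL[0x10])
PATCHED = bytes(_patched)

if __name__ == "__main__":
    print(check_guard(ORIGINAL, 0x10, EXPECTED))  # intact, je
    print(check_guard(PATCHED, 0x10, EXPECTED))   # not intact, jne
```

The check itself is just another branch in the binary, so it raises the cost of the edit rather than preventing it; it is most useful when the fingerprint is verified somewhere the patcher cannot reach, such as a server-side licence check.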
While you were looking at the strings you probably saw "Unregistered Evaluation Version". Go to it and you should be here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004912D5(C)
|
* Possible StringData Ref from Code Obj ->"Unregistered Evaluation Version"
|
:004912FC BA38134900              mov edx, 00491338
:00491301 8B83A0030000            mov eax, dword ptr [ebx+000003A0]
:00491307 E8A80EFAFF              call 004321B4

You see the conditional jump at 004912D5(C); go to it and you should be here:

:004912D5 7425                    je 004912FC        ----> interesting
:004912D7 8D55FC                  lea edx, dword ptr [ebp-04]

Let's try to change

:004912D5 7425                    je 004912FC

to

:004912D5 7525                    jne 004912FC

the same way you did before in Hiew. Save, exit and test it......

OK, this is better. It's easy if you know how to use Load Process. Again, I hope I didn't confuse you, and if you have any questions or comments my ICQ# is 69518421, or you can e-mail me at webcrawler28@hotmail.com. I would like to say thanks to all the crackers (too many to list) for helping me, and also for their tutorials, and a big thanks to Krobar's site http://zor.org/krobar