How to crack Disketer v1.2
by _PIRO_

Toolz: W32Dasm, Hiew
Target: Disketer v1.2
Target Address: http://members.xoom.com/dolinaysoft or http://skyscraper.fortunecity.com/memory/784

Hello, I see you've d/l'd my 5th tut. OK, let's have a brief description of this program. It is supposed to fix diskettes with bad sectors. I haven't really tested it because, like I wrote in my other tuts, I go to Winfiles.com and get a bunch of practice programs, and this is one of them :) OK, enough of that shit, let's get crackin' :)

Install Disketer and open it. As you can see from the intro splash screen, we've got a time-limited program on our hands. Well, that's no problem for us, right? :) Let's see what else we've got: click on the Help button and click on About Disketer, then enter a serial # by clicking ENT. Throw in your dummy code and see what happens: "INVALID SERIAL NUMBER". Remember that and close down Disketer.

Fire up W32Dasm and load up Disketer. Hit the STRN button and choose INVALID SERIAL NUMBER. Let's have a look at what we've got:

    :0040ED3D: 50            push eax
    :0040ED3E: 8BCF          mov ecx,edi
    :0040ED40: 53            push ebx
    :0040ED41: E871D6FFFF    call 00040C3B7
    :0040ED46: 85C0          test eax,eax
    :0040ED48: 750B          jne 00040ED55
    :0040ED4A: 6A00          push 000
    :0040ED4C: 6A00          push 000

    * Possible StringData Ref from Data Obj ->"Invalid registration number"
    :0040ED4E: 68C8DE4400    push 00044DEC8
    :0040ED53: EB8D          jmp 00040ECE2

    * Referenced by a (U)nconditional or (C)onditional Jump at Address
    |:0040ED48 (C)
    |
    :0040ED55: 53            push ebx
    :0040ED56: 8BCF          mov ecx,edi
    :0040ED58: E834D7FFFF    call 00040C491

Well, I know lots of newbie crackers want to change that JNE to a JE.
Well, don't. See that CALL? That's what we want. Make sure the green bar is on the CALL and hit your right -> arrow key to see where the other calls to that CALL are referenced from (argghhh, that probably made no sense, but just hit the -> right arrow key :) Here we land:

    * Referenced by a CALL at Addresses:
    |:0040C133 , :0040ED41
    |
    .0040C3B7: FF742408      push d,[esp][00008]
    .0040C3BB: E80E000000    call .00040C3CE
    .0040C3C0: 2B442404      sub eax,[esp][00004]
    .0040C3C4: 83F801        cmp eax,001
    .0040C3C7: 1BC0          sbb eax,eax
    .0040C3C9: F7D8          neg eax
    .0040C3CB: C20800        retn 00008

Now, we know that we were just at :0040ED41, so let's see where that other CALL is from. Click on GOTO, select Goto Code Location, and enter :0040C133. This is where we land:

    .0040C128: 83C40C        add esp,00C
    .0040C12B: 8BCE          mov ecx,esi
    .0040C12D: FF75F8        push d,[ebp][-0008]
    .0040C130: FF75EC        push d,[ebp][-0014]
    .0040C133: E87F020000    call .00040C3B7
    .0040C138: 83F801        cmp eax,001
    .0040C13B: 1BC0          sbb eax,eax
    .0040C13D: 258B030000    and eax,00000038B
    .0040C142: 055F010000    add eax,00000015F
    .0040C147: EB31          jmps .00040C17A

And a little below that we see:

    * Referenced To: ADVAPI32.RegSetValueExA, Ord:00ECh*

See, now we know that that call checks the registry to compare the bad serial with the new one, so we know what to do. Make a copy of Disketer and open Disketer with HIEW. Hit ENTER 2 times, then hit F5 to go to the Goto mode, enter B533, which is the offset of our first CALL, and hit ENTER. When you get to your code section, hit F3 and then enter 90 5 times, which will NOP out that call. Then hit F9 to update and go to your second CALL, which is at E141, and do the same as you did before, which was NOPping out the CALL. Make sure you hit F9 to update Disketer and then close down Hiew.
Re-open the patched Disketer, hit Help, then click on the Help button, click on About Disketer and register it. Close down Disketer and re-open it and BOOM, it's registered :)

I tried to go slow and explain what is going on so that you may be able to apply this knowledge to another program. I hope you found this helpful, but if you didn't follow a certain part just e-mail me or ICQ message me with your question. Bye for now... L8terz

Email: xx_piro_xx@hotmail.com
ICQ#: 38754864

*Greetz to C4A and Bruteforce*

eax, edx <-- the last compare..
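What the cmp/sbb/neg sequences in the two listings above (0040C3C0 and 0040C138) actually compute, modelled in C as an added example that is not part of the original tut. The function and parameter names are hypothetical, and treating the two operands of the sub as a "computed" and a "supplied" value is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of 0040C3C0..0040C3C9 (names are assumptions, not from the target):
   'computed' is whatever the inner call at 0040C3CE left in eax,
   'supplied' is the stack operand read by sub eax,[esp][00004]. */
uint32_t equal_flag(uint32_t computed, uint32_t supplied)
{
    uint32_t eax = computed - supplied; /* sub eax,[esp][00004]               */
    uint32_t cf  = (eax < 1u);          /* cmp eax,001: carry only if eax==0  */
    eax = 0u - cf;                      /* sbb eax,eax: 0xFFFFFFFF or 0       */
    return 0u - eax;                    /* neg eax: 1 on match, 0 otherwise   */
}

/* Model of 0040C138..0040C142, the second caller: the same carry trick
   turns the 0/1 result into one of two constants without a branch. */
uint32_t select_code(uint32_t eax)
{
    uint32_t cf = (eax < 1u);           /* cmp eax,001                        */
    eax = 0u - cf;                      /* sbb eax,eax                        */
    eax &= 0x38Bu;                      /* and eax,00000038B                  */
    return eax + 0x15Fu;                /* add eax,00000015F                  */
}

int main(void)
{
    /* Constructed sample values, not taken from the program. */
    printf("match    -> %u\n", (unsigned)equal_flag(0x1234u, 0x1234u));
    printf("mismatch -> %u\n", (unsigned)equal_flag(0x1234u, 0x9999u));
    printf("flag 0   -> 0x%X\n", (unsigned)select_code(0u));
    printf("flag 1   -> 0x%X\n", (unsigned)select_code(1u));
    return 0;
}
```

The routine at 0040C3B7 therefore returns a plain 0 or 1, which the first caller tests with test eax,eax / jne and the second maps to 0x4EA or 0x15F.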