=================================================================================================
Tutorial made by: -=matias921=-
Program Name: Tickle 2.3 (works with all versions)
Protection: Serial (name/code)
Nag: at start and ending
Tools: W32Dasm 8.9x, hex editor
Where: http://worldlynx.net/pgerhart/
=================================================================================================

Hi all crackers (and non-crackers)!!
This time, I'll teach how to register a program by entering any serial,
delete the date expiration and remove a nag.

Hope you enjoy this tutorial, made by a boy who likes W32Dasm.

Ok...Let's start registering the program!!

1) Run "Tickle.exe" and restore the program from the system tray (depends on the version).
   Click File --> Register...
   Enter anything in the 2 fields.
   The program says "Name / Code mis-match. Try again."
   Remember this error message!!

2) Ok....Let's start up W32Dasm....open "Tickle.exe"
   Click search and enter the error message "Name / Code mis-match. Try again."
   You found it?....Good!!
   Now scroll up a little bit until you see:
   
* Possible StringData Ref from Data Obj ->"Thank you for registering!"

3) Ok....this is the message shown when you have successfully registered the program.
   So now you think we must patch the program so it comes to this line..?
   RIGHT!!!
   
4) Scroll up a bit more until you see this:


* Reference To: MFC42.Ordinal:0217, Ord:0217h
                                  |
:00402D38 E8A56B0000              Call 004098E2
:00402D3D 898574FFFFFF            mov dword ptr [ebp+FFFFFF74], eax
:00402D43 8D4D84                  lea ecx, dword ptr [ebp-7C]
:00402D46 51                      push ecx
:00402D47 8B8D78FFFFFF            mov ecx, dword ptr [ebp+FFFFFF78]
:00402D4D E858020000              call 00402FAA
:00402D52 898570FFFFFF            mov dword ptr [ebp+FFFFFF70], eax
:00402D58 C645FC01                mov [ebp-04], 01
:00402D5C 8D4D84                  lea ecx, dword ptr [ebp-7C]
:00402D5F E8DC050000              call 00403340
:00402D64 85C0                    test eax, eax
:00402D66 0F8580000000            jne 00402DEC     -->jump to "Name / Code mis-match. Try again."
:00402D6C 8D55E8                  lea edx, dword ptr [ebp-18]
:00402D6F 52                      push edx
:00402D70 8D4584                  lea eax, dword ptr [ebp-7C]
:00402D73 50                      push eax
:00402D74 E807060000              call 00403380
:00402D79 25FF000000              and eax, 000000FF
:00402D7E 85C0                    test eax, eax
:00402D80 746A                    je 00402DEC      -->jump to "Name / Code mis-match. Try again."
:00402D82 E849E4FFFF              call 004011D0
:00402D87 894580                  mov dword ptr [ebp-80], eax
:00402D8A 8D4DEC                  lea ecx, dword ptr [ebp-14]
:00402D8D E88EEBFFFF              call 00401920
:00402D92 50                      push eax

5) (the code can be a little different in lower versions)
   This is the code check!
   All the jumps there go to "Name / Code mis-match. Try again."
   So, nop every jump and it will be registered!

6) Open Tickle.exe with Hex Workshop or UltraEdit and:

Search for:    Replace with:
0F8580000000   909090909090
746A           9090

Remember that 90 = nop (No operation)

7) Now, run Tickle.exe and enter any text in Name, and any number in Code, Validate my code and..
   It works! :-)
   The program thinks it is registered when you enter any Name/Code!
   But run the program again and it's not registered :-<.
   You must enter any code every time you want Tickle registered.
   I must attack in another way...
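
Seen from the vendor's or an analyst's side, the change in steps 5-6 leaves a recognisable trace: bytes that encode a conditional jump in the shipped file are 0x90 in the modified copy. The Python below is an added example, not part of the original tutorial; the function names are hypothetical, the sample bytes are constructed from the listing above, and it generalises to any short (7x) or near (0F 8x) conditional jump.

```python
# Added example (not from the tutorial): tamper check that finds conditional
# jumps overwritten with NOPs by diffing a suspect image against a known-good one.
NOP = 0x90

def jcc_length(buf: bytes, i: int) -> int:
    """Length of an x86 conditional jump starting at buf[i], or 0 if none."""
    if 0x70 <= buf[i] <= 0x7F:                      # short Jcc rel8 (e.g. 74, 7D)
        return 2
    if buf[i] == 0x0F and i + 1 < len(buf) and 0x80 <= buf[i + 1] <= 0x8F:
        return 6                                    # near Jcc rel32 (e.g. 0F 85)
    return 0

def find_nopped_jumps(reference: bytes, suspect: bytes, base: int = 0):
    """Return [(address, original_bytes_hex)] for every Jcc in `reference`
    whose bytes are all NOPs in `suspect`. `base` maps offsets to addresses."""
    if len(reference) != len(suspect):
        raise ValueError("images differ in length; compare matching sections")
    findings, i = [], 0
    while i < len(reference):
        n = jcc_length(reference, i)
        if n and i + n <= len(reference) and all(b == NOP for b in suspect[i:i + n]):
            findings.append((base + i, reference[i:i + n].hex()))
            i += n
        else:
            i += 1
    return findings

# Constructed sample: the instruction bytes from the listing above, starting
# at 00402D5F, used as the known-good reference.
REFERENCE = bytes.fromhex(
    "E8DC050000" "85C0" "0F8580000000" "8D55E8" "52" "8D4584" "50"
    "E807060000" "25FF000000" "85C0" "746A" "E849E4FFFF"
)
# Constructed suspect copy with the two replacements from step 6 applied.
SUSPECT = (REFERENCE.replace(bytes.fromhex("0F8580000000"), b"\x90" * 6)
                    .replace(bytes.fromhex("746A"), b"\x90" * 2))

def demo():
    """Run the check on the constructed sample, reporting listing addresses."""
    return find_nopped_jumps(REFERENCE, SUSPECT, base=0x00402D5F)

if __name__ == "__main__":
    for addr, original in demo():
        print(f"{addr:08X}: conditional jump {original} replaced by NOPs")
```

The scan works on raw bytes rather than a disassembly, so it only reports a location when the reference bytes look like a conditional jump and the suspect bytes at the same place are all NOPs.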


=================================================================================================
Now, let's delete the start nag
1) Do you remember the text on the nag?
"Your evaluation period of 30 days has expired."
Click on Search String Data and find it.
And you are here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402A3D(C)
|
:00402A9D 837D881E                cmp dword ptr [ebp-78], 0000001E
:00402AA1 7E16                    jle 00402AB9
:00402AA3 837D883C                cmp dword ptr [ebp-78], 0000003C
:00402AA7 7F10                    jg 00402AB9
:00402AA9 6A00                    push 00000000
:00402AAB 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Your evaluation period of 30 days "
                                        ->"has expired."
                                  |
:00402AAD 684CF34000              push 0040F34C

* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
                                  |
:00402AB2 E8016E0000              Call 004098B8
:00402AB7 EB26                    jmp 00402ADF

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402AA1(C), :00402AA7(C)
|
:00402AB9 837D883C                cmp dword ptr [ebp-78], 0000003C
:00402ABD 7E20                    jle 00402ADF
:00402ABF 6A00                    push 00000000
:00402AC1 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Your evaluation period of 30 days "
                                        ->"expired one month ago."
                                  |
:00402AC3 68C4F34000              push 0040F3C4

* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
                                  |
:00402AC8 E8EB6D0000              Call 004098B8
:00402ACD 8B4588                  mov eax, dword ptr [ebp-78]
:00402AD0 83E83C                  sub eax, 0000003C
:00402AD3 8B8D34FFFFFF            mov ecx, dword ptr [ebp+FFFFFF34]
:00402AD9 8981C8000000            mov dword ptr [ecx+000000C8], eax

Note these two nags are referenced by a Jump at 00402A3D

2) Yes! Go to 00402A3D and you're here:

:00402A3D 7D5E                    jge 00402A9D

3) With a hex editor, open Tickle.exe, search for 7D5E and change it to 9090
   Run Tickle.exe without the nag.
   This eliminates the date expiration too!

=================================================================================================
                                          [Contact]
                                      matias921@come.to
=================================================================================================