Cracking for Newbies  - by Dahood
                

Target: BurnIn Test Version 3.0 

Tools used: W32dasm
	    Hview


Protection: Nag screen + time trial


NOTE: This tutorial is not totally for newbies, so I expect that you know
1. how to use W32dasm
2. how to use Hview (change, search, etc.)
3. assembly


We have to kill the nag and kill the time trial.
OK, first the nag screen.
Disassemble the program, then click Debug -> Load Process.
Now step through it and watch for what calls the nag. I landed here:


* Reference To: USER32.ShowWindow, Ord:026Fh
                                  |
:00401B85 FF1510534300            Call dword ptr [00435310] ->shows nag
:00401B8B 56                      push esi

* Reference To: USER32.UpdateWindow, Ord:0296h
                                  |
:00401B8C FF1518534300            Call dword ptr [00435318]
:00401B92 56                      push esi
:00401B93 E8980F0000              call 00402B30
:00401B98 83C404                  add esp, 00000004
:00401B9B E8C01B0100              call 00413760
:00401BA0 85C0                    test eax, eax
:00401BA2 750C                    jne 00401BB0 --->if you click Continue, enter the program
:00401BA4 E8871E0000              call 00403A30
:00401BA9 53                      push ebx

* Reference To: USER32.PostQuitMessage, Ord:01E5h
                                  |
:00401BAA FF1514534300            Call dword ptr [00435314]

Now we know that the nag pops up at the same time as the program,
but we can't get into the program until we select Continue or Quit.
The call at 00401B9B (to 00413760) runs the nag and its result is tested at 00401BA0:
nonzero means Continue (jump over the quit code), zero means Quit
(call 00403A30, then PostQuitMessage).
If we change jne 00401BB0 to je 00401BB0, clicking Continue would exit,
so why not change it to jmp 00401BB0 so it always jumps.
In bytes that is 75 0C -> EB 0C: only the opcode byte changes, the 8-bit
displacement (0C) stays the same.
***THIS WAY YOU KILLED THE TIME TRIAL*** as well, because the quit path
after the nag is never taken any more.
Test it out: you still see the nag, but you can get into the program.
If you click Quit or Continue, or hit the X to close it, the real program
doesn't close. Good, now

Let's kill the nag screen itself by looking for a string from your nag, like "Key".
Open your favourite hex editor and search for Key.

Remember: dialog text is stored as Unicode, so "Key" in hex is 4B 00 65 00 79 00
(a 00 byte after each ASCII character), not 4B 65 79.

You'll land at 004580E0 and you should see
FF FF 82 00 4B 00 65 00 79 00 ========= é K e y
The FF FF 82 00 in front of the text is the control's class in the dialog
template: FF FF means "class given by ordinal", and ordinal 0082 is the STATIC
class (0080 is Button, 0081 is Edit). Change 82 to 7E so it looks like
FF FF 7E 00 4B 00 65 00 79 00 ========= ~ K e y
7E is not a class ordinal Windows knows, so that control can't be created,
creating the dialog fails, and the nag never shows (the program has to cope
with the dialog call failing, which this one does).
Save it and open the program. Is the nag still there? Good...

Now the time trial.
We have 30 days to try it.
Click Help and then About.
Now exit the program, set your system clock more than a month ahead, and see what happens:
it gives you another nag saying "The evaluation time has expired!" blah blah.
So we have to search for something like "The evaluation time has expired".
Click OK and you're supposed to exit BUT... you're still in the program
(that is the first patch at work).
So all you have to do is the same thing we did for the nag screen:
open your favourite hex editor and find the string...
Damn, can you find anything? Because I can't. (Try the search both as plain ASCII
and as Unicode with 00 bytes between the letters; if neither hits, the message
isn't stored verbatim in this file.)
OK, let's check it from a different angle.
Debug -> Load Process, trace where that damn message box comes from, then terminate it,
and you should land here:

* Reference To: USER32.MessageBoxA, Ord:01C3h
                                  |
:00413C75 FF1538534300            Call dword ptr [00435338]
:00413C7B 56                      push esi ------> u land here
:00413C7C E813270100              call 00426394
:00413C81 57                      push edi
:00413C82 E80D270100              call 00426394
:00413C87 8B154C254500            mov edx, dword ptr [0045254C]
:00413C8D 52                      push edx
:00413C8E E801270100              call 00426394
:00413C93 83C40C                  add esp, 0000000C

* Possible Reference to Dialog: TESTCONFIG, CONTROL_ID:0003, "All On"
                                  |
:00413C96 B803000000              mov eax, 00000003 -------> this must be a good spot,
:00413C9B 5F                      pop edi                    since it says "All On", right?? hehe
:00413C9C 5E                      pop esi                    (the dialog reference is only W32dasm
:00413C9D 5D                      pop ebp                    matching the constant 3 to a control ID;
:00413C9E 5B                      pop ebx                    what matters is that this is the
:00413C9F 83C40C                  add esp, 0000000C          function's return path with eax = 3)
:00413CA2 C3                      ret

OK, scroll up and look at the jump just before it that takes the other road:

:00413C2B 3BFE                    cmp edi, esi
:00413C2D 7E08                    jle 00413C37 **** bad jump   ;so let's make it jmp 00413C96
:00413C2F 3BD3                    cmp edx, ebx
:00413C31 0F84B2010000            je 00413DE9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00413C2D(C) ----> so this is where the jle lands, on the road to the nag saying expired
|
:00413C37 8B7578                  mov esi, dword ptr [ebp+78]
:00413C3A 8B7D70                  mov edi, dword ptr [ebp+70]
:00413C3D 03F7                    add esi, edi
:00413C3F 3BCE                    cmp ecx, esi
:00413C41 7E60                    jle 00413CA3
:00413C43 3BD3                    cmp edx, ebx
:00413C45 755C                    jne 00413CA3

So now, instead of
:00413C2D 7E08                    jle 00413C37   ;if over 30 days show the nag
                                                 ;(but you can still enter the program)
change it to
:00413C2D EB67                    jmp 00413C96   ;CONTROL_ID:0003, "All On"

This jumps over everything to the good return path instead of jumping to the
message box when "lower or equal". The new displacement is
00413C96 - 00413C2F = 67 (counted from the end of the 2-byte jump), which fits
in a short jump, so the patch stays 2 bytes and nothing else moves.
Try it. Does it work? Yep......
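All three patches from this tutorial (jne -> jmp for the nag quit path, jle -> jmp for the expiry check, and the 82 -> 7E byte in the dialog template) in one script, as an added example that is not code from the tutorial or from BurnInTest. It assumes the addresses are the virtual addresses W32dasm shows (image base 00400000), that 004580E0 points at the FF FF of the dialog item, and that the target is a normal PE32/PE32+ file. It converts each virtual address to the file offset a hex editor actually works with (the two are not the same), encodes the short jumps from their targets instead of typing bytes by hand, and refuses to patch if the bytes on disk are not the ones the tutorial shows. build_sample_pe() is a constructed stand-in binary so the script runs offline; on the real file you would call apply_patches() on its contents instead.

```python
import struct

# Added example (not code from the tutorial or from BurnInTest). Assumes the
# tutorial's addresses are W32dasm virtual addresses (image base 00400000) and
# that 004580E0 points at the FF FF of the dialog item; build_sample_pe() is a
# constructed stand-in so this runs offline.


def short_jmp(src_va, dst_va):
    """Encode jmp rel8 (EB xx) at src_va to dst_va. rel8 counts from the end of
    the 2-byte instruction: jne 00401BB0 at 00401BA2 (75 0C) -> EB 0C, and
    jle at 00413C2D (7E 08) -> EB 67 for jmp 00413C96."""
    rel = dst_va - (src_va + 2)
    if not -128 <= rel <= 127:
        raise ValueError("%#x not reachable with a short jump" % dst_va)
    return b"\xEB" + struct.pack("<b", rel)


# virtual address -> (bytes the tutorial shows there, replacement)
PATCHES = {
    0x00401BA2: (b"\x75\x0C", short_jmp(0x00401BA2, 0x00401BB0)),  # nag: jne -> jmp
    0x00413C2D: (b"\x7E\x08", short_jmp(0x00413C2D, 0x00413C96)),  # expiry: jle -> jmp
    # dialog item: class FFFF/0082 (Static) + "Key" in UTF-16; 82 -> 7E
    0x004580E0: (b"\xFF\xFF\x82\x00K\x00e\x00y\x00", b"\xFF\xFF\x7E\x00K\x00e\x00y\x00"),
}


def section_table(data):
    """Return (image_base, [(name, rva, vsize, raw_ptr, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                       # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                     # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        secs.append((bytes(data[off:off + 8]).rstrip(b"\0"), rva, vsize, raw_ptr, raw_size))
    return image_base, secs


def va_to_offset(data, va):
    """Map a W32dasm virtual address to the file offset a hex editor uses."""
    base, secs = section_table(data)
    rva = va - base
    for name, srva, vsize, raw_ptr, raw_size in secs:
        if srva <= rva < srva + max(vsize, raw_size):
            if rva - srva >= raw_size:
                raise ValueError("%#x lies in the uninitialised part of %r" % (va, name))
            return raw_ptr + (rva - srva)
    raise ValueError("%#x is outside every section" % va)


def apply_patches(data, patches=PATCHES):
    """Return a patched copy; refuse if any original byte differs from the
    tutorial's (wrong version, or already patched)."""
    buf = bytearray(data)
    for va, (orig, new) in patches.items():
        off = va_to_offset(buf, va)
        found = bytes(buf[off:off + len(orig)])
        if found != orig:
            raise ValueError("%#x (file %#x): expected %s, found %s"
                             % (va, off, orig.hex(), found.hex()))
        buf[off:off + len(new)] = new
    return bytes(buf)


def build_sample_pe():
    """Constructed stand-in binary: minimal PE32 whose .text and .rsrc sections
    hold the tutorial's original bytes at the tutorial's virtual addresses."""
    sections = [(b".text", 0x01000, 0x00400, 0x13000),        # name, rva, raw ptr, size
                (b".rsrc", 0x58000, 0x13400, 0x01000)]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 28, 0x00400000)                # ImageBase
    table = b"".join(n.ljust(8, b"\0") +
                     struct.pack("<IIIIIIHHI", sz, rva, sz, ptr, 0, 0, 0, 0, 0x60000020)
                     for n, rva, ptr, sz in sections)
    img = bytearray(0x14400)
    hdr = bytes(dos) + coff + bytes(opt) + table
    img[:len(hdr)] = hdr
    for va, (orig, _) in PATCHES.items():                      # plant the original bytes
        off = va_to_offset(img, va)
        img[off:off + len(orig)] = orig
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_pe()
    patched = apply_patches(sample)
    for va, (orig, new) in PATCHES.items():
        print("%08X @ file %#x: %s -> %s" % (va, va_to_offset(sample, va), orig.hex(), new.hex()))
```

The byte check in apply_patches is the part worth keeping even if you patch by hand: if the hex editor shows anything other than 75 0C at the nag jump or 7E 08 at the expiry jump, you are looking at a different build (or a different offset) and the patch will break something else instead.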

This is my third tutorial. I hope I didn't confuse you, and if you have any questions or comments,
my ICQ# is 69518421 or you can e-mail me at webcrawler28@hotmail.com

I would like to say thanks to all the crackers, too many to list, for helping me, and also for their
tutorials.
Also a big thanks to krobar's site: http://zor.org/krobar