Cracking for Newbies - by Dahood

Target:     East-Tec FormatSecure v1.5
Tools used: W32Dasm, Hiew
Protection: nag screen + time trial

NOTE: This tutorial is not entirely for newbies, so I expect that you know:
1. how to use W32Dasm
2. how to use Hiew (change, search, etc.)
3. assembly

After you install the program, open it and check how the protection works and everything else you can find out. Are you ready??? OK, good.

First, let's disassemble it. Now we have to crack the nag screen and the time trial. What first...... hmm, let's do the time trial. OK, go to Debug ---> Load Process and ---> Auto Step Over. After a bit the program will start (or you can check Step Into so you can really trace it). Now terminate it. When you go back to W32Dasm you'll be here....

//******************** Program Entry Point ********
:0046212C 55                 push ebp
:0046212D 8BEC               mov ebp, esp
:0046212F 83C4F4             add esp, FFFFFFF4
:00462132 B8DC1E4600         mov eax, 00461EDC
:00462137 E8943CFAFF         call 00405DD0

* Possible StringData Ref from Code Obj ->"INSTALL.DA2"
                                  |
:0046213C B9A4214600         mov ecx, 004621A4

* Possible StringData Ref from Code Obj ->"INSTALL.DA1"
                                  |
:00462141 BAB8214600         mov edx, 004621B8

* Possible StringData Ref from Code Obj ->"INSTALL.DA0"
                                  |
:00462146 B8CC214600         mov eax, 004621CC
:0046214B E8E8F9FFFF         call 00461B38       ; ---------> checks if you're over 30 days; let's go into this call, it shows the nag
:00462150 84C0               test al, al
:00462152 7441               je 00462195         ; ----> if you press Exit, leave
:00462154 A104484600         mov eax, dword ptr [00464804]
:00462159 8B00               mov eax, dword ptr [eax]
:0046215B E86065FEFF         call 004486C0
:00462160 A104484600         mov eax, dword ptr [00464804]
:00462165 8B00               mov eax, dword ptr [eax]

* Possible StringData Ref from Code Obj ->"East-Tec FormatSecure"
                                  |
:00462167 BAE0214600         mov edx, 004621E0
:0046216C E87361FEFF         call 004482E4
:00462171 8B0D44484600       mov ecx, dword ptr [00464844]
:00462177 A104484600         mov eax, dword ptr [00464804]
:0046217C 8B00               mov eax, dword ptr [eax]
:0046217E 8B1574F64500       mov edx, dword ptr [0045F674]
:00462184 E84F65FEFF         call 004486D8
:00462189 A104484600         mov eax, dword ptr [00464804]
:0046218E 8B00               mov eax, dword ptr [eax]
:00462190 E8C365FEFF         call 00448758       ; ----------> calls the real program

OK, let me explain.

:0046214B E8E8F9FFFF         call 00461B38

calls the time check. Go into the call and scroll down a bit till you see this code:

:00461BEA E8A50BFFFF         call 00452794
:00461BEF A124594600         mov eax, dword ptr [00465924]
:00461BF4 3B0514454600       cmp eax, dword ptr [00464514]
:00461BFA 7E25             **jle 00461C21         ; ---> jump if the number of days is lower
:00461BFC 8B45F4             mov eax, dword ptr [ebp-0C]        ; as you can see, it jumps over the "Trial Expired"
:00461BFF 8B80C8020000       mov eax, dword ptr [eax+000002C8]  ; message only if the number of days is lower than 30
:00461C05 33D2               xor edx, edx
:00461C07 8B08               mov ecx, dword ptr [eax]
:00461C09 FF5160             call [ecx+60]
:00461C0C 8B45F4             mov eax, dword ptr [ebp-0C]
:00461C0F 8B80D4020000       mov eax, dword ptr [eax+000002D4]

* Possible StringData Ref from Code Obj ->"Trial Expired"
                                  |
:00461C15 BA9C1D4600         mov edx, 00461D9C
:00461C1A E879A4FCFF         call 0042C098
:00461C1F EB3F               jmp 00461C60

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00461BFA(C)
|
:00461C21 8D45F0           **lea eax, dword ptr [ebp-10]        ; it jumps here
:00461C24 50                 push eax

OK, let's change that jle to jmp 00461C21 so it always jumps, whether the number of days is over 30, under, or equal, and never displays the message.

Now the real check: scroll down till the end of this section and you'll see another jump-if-lower (jle):

:00461D0F A124594600         mov eax, dword ptr [00465924]
:00461D14 3B0514454600       cmp eax, dword ptr [00464514]
:00461D1A 7E04               jle 00461D20         ; -----> change this to jmp
:00461D1C C645FF00           mov [ebp-01], 00

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00461D1A(C)
|
:00461D20 33C0               xor eax, eax
:00461D22 5A                 pop edx

Make sure to change BOTH jle to jmp.

Now, if you set the date forward, it shows the expired message but still gives you the option to try. Now we have to kill the nag. OK, look back to where we started: the same call that checked the time sent the nag.

* Possible StringData Ref from Code Obj ->"INSTALL.DA0"
                                  |
:00462146 B8CC214600         mov eax, 004621CC
:0046214B E8E8F9FFFF         call 00461B38       ; --- this call
*:00462150 84C0              test al, al         ; <----------- new jmp
:00462152 7441               je 00462195         ; ----> if you press Exit, leave
:00462154 A104484600         mov eax, dword ptr [00464804]

a little bit down:

:00462189 A104484600         mov eax, dword ptr [00464804]
:0046218E 8B00               mov eax, dword ptr [eax]
:00462190 E8C365FEFF         call 00448758       ; ----------> calls the real program

So now all you have to do is change

:0046214B E8E8F9FFFF         call 00461B38

to

:0046214B E900000000         jmp 00462150

so it'll look like this:

:00462146 B8CC214600         mov eax, 004621CC
:0046214B E900000000         jmp 00462150
:00462150 84C0               test al, al
:00462152 7441               je 00462195

So now we know that it jumps to the next line and automatically goes to line

:00462190 E8C365FEFF         call 00448758       ; ----------> calls the real program

lol. OK, now you say to yourself, "so there's no point in changing the jle to jmp, because

:0046214B E900000000         jmp 00462150

bypasses everything and jumps to the real program." To crack this, all you have to do is change the call 00461B38 to jmp 00462150. The reason I traced into the call is because there is probably another check for the time trial somewhere (not sure), and I'm not going to trace and trace, but it's up to you.

This is my first tutorial. I hope I didn't confuse you, and if you have any questions or comments my ICQ# is 69518421, or you can e-mail me at webcrawler28@hotmail.com. I would like to say thanks to all the crackers, too many to list, for helping me and also for their tutorials. Also a big thanks to krobar's site: http://zor.org/krobar
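The two edits this tutorial makes are a conditional jump turned unconditional (the two jle sites in the time check) and a call turned into a jump (the call at 0046214B). Seen from the vendor's or an analyst's side, opcode changes at known sites are exactly what an integrity self-check or a tamper scanner looks for. The Python below is an added example, not code from the tutorial or from East-Tec: it decodes the relative call/jump targets from the listings above (so you can confirm, for instance, that E8 E8F9FFFF at 0046214B reaches 00461B38 and that an E9 00000000 at the same address lands on 00462150), then compares a reference set of instruction bytes with bytes observed in an image and reports every site whose branch type changed. The addresses and bytes come from the listings on this page; the two "observed" byte sets are constructed in memory for the demonstration, and nothing touches a real file.

```python
"""Added example: decode the relative branches from the W32Dasm listings and
flag the opcode alterations the tutorial describes. Reference bytes are the
ones shown on the page; the observed byte sets are constructed samples."""
import struct

# Reference listing: address -> instruction bytes, copied from the disassembly
# above (East-Tec FormatSecure 1.5 as shown on the page).
REFERENCE = {
    0x0046214B: bytes.fromhex("E8E8F9FFFF"),  # call 00461B38  (the time check)
    0x00462152: bytes.fromhex("7441"),        # je  00462195  (Exit pressed)
    0x00461BFA: bytes.fromhex("7E25"),        # jle 00461C21  (skips "Trial Expired")
    0x00461C1F: bytes.fromhex("EB3F"),        # jmp 00461C60
    0x00461D1A: bytes.fromhex("7E04"),        # jle 00461D20  (the "real check")
}

# Mnemonics for the short conditional jumps 70..7F, indexed by opcode - 0x70.
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def decode_branch(addr, code):
    """Return (mnemonic, target) for the relative branch forms that appear in
    the listings: E8/E9 rel32, EB rel8 and 70-7F jcc rel8. The target is the
    address of the next instruction plus the signed displacement, which is
    how W32Dasm derives the numbers it prints. Returns None for anything else."""
    op = code[0]
    if op in (0xE8, 0xE9) and len(code) >= 5:
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("call" if op == 0xE8 else "jmp"), (addr + 5 + rel) & 0xFFFFFFFF
    if op == 0xEB and len(code) >= 2:
        rel = struct.unpack_from("<b", code, 1)[0]
        return "jmp", (addr + 2 + rel) & 0xFFFFFFFF
    if 0x70 <= op <= 0x7F and len(code) >= 2:
        rel = struct.unpack_from("<b", code, 1)[0]
        return JCC[op - 0x70], (addr + 2 + rel) & 0xFFFFFFFF
    return None


def tamper_report(reference, observed):
    """Compare the bytes observed at each reference site with the shipped bytes.
    `observed` maps address -> bytes read from the image at that address.
    Returns a sorted list of (address, description); an empty list means every
    site is intact. Where both old and new bytes decode as a branch, the
    description names the change of branch type, which is the signature of a
    flipped check."""
    findings = []
    for addr, expected in sorted(reference.items()):
        actual = observed.get(addr)
        if actual is None:
            findings.append((addr, "site missing from image"))
            continue
        actual = actual[:len(expected)]
        if actual == expected:
            continue
        before = decode_branch(addr, expected)
        after = decode_branch(addr, actual)
        if before and after:
            desc = f"{before[0]} {before[1]:08X} replaced by {after[0]} {after[1]:08X}"
        else:
            desc = f"bytes {expected.hex().upper()} replaced by {actual.hex().upper()}"
        findings.append((addr, desc))
    return findings


# Constructed sample 1: an untouched image, i.e. the reference bytes read back.
PRISTINE = dict(REFERENCE)

# Constructed sample 2: the same sites after the three edits described above
# (both jle -> short jmp with the displacement kept, call -> jmp rel32 of 0).
PATCHED = dict(REFERENCE)
PATCHED[0x0046214B] = bytes.fromhex("E900000000")  # jmp 00462150
PATCHED[0x00461BFA] = bytes.fromhex("EB25")        # jmp 00461C21
PATCHED[0x00461D1A] = bytes.fromhex("EB04")        # jmp 00461D20


if __name__ == "__main__":
    for addr, code in sorted(REFERENCE.items()):
        mnem, target = decode_branch(addr, code)
        print(f"{addr:08X} {code.hex().upper():<12} {mnem} {target:08X}")
    print("pristine:", tamper_report(REFERENCE, PRISTINE))
    for addr, desc in tamper_report(REFERENCE, PATCHED):
        print(f"tampered {addr:08X}: {desc}")
```

A shipping self-check would hash the whole code section rather than spot-check a handful of sites, and would not leave its verdict in one byte that a single test/je decides; the point of the function here is that the alterations described above keep the original displacement and only swap the opcode (7E to EB, E8 to E9), so the patched site still decodes cleanly and its changed branch type is easy to flag.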