Cracking for Newbies - by Dahood

Target: WinSysClean Version 3.60
Tools used: W32dasm, Hview
Protection:
1. Nag screen
2. Enable 3 functions

NOTE: This tutorial is not totally for newbies, so I expect that you know:
1. how to use W32dasm
2. how to use Hview (change, search, etc.)
3. Assembly

Disassemble the program.

1. Kill the nag

Find the message that you got in the nag, which is "This is an UNREGISTERED blah blah blah". OK, disassemble it, search for that string and you'll end up here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004197A1(C)
|
:00419817 83CFFF                  or edi, FFFFFFFF
:0041981A 57                      push edi
:0041981B 6A34                    push 00000034        ---> calls the expired nag

* Possible Reference to String Resource ID=00186: "This is an UNREGISTERED 30-days Evaluation Copy of WinSysCle"
|
:0041981D 68BA000000              push 000000BA        ---> calls the trial nag
:00419822 E8117C0200              call 00441438
:00419827 BB07000000              mov ebx, 00000007    ******
:0041982C 3BC3                    cmp eax, ebx
:0041982E 0F8435060000            je 00419E69          ---> if yes then enter the program *****
:00419834 6A00                    push 00000000
:00419836 8D8C2488000000          lea ecx, dword ptr [esp+00000088]

So don't change the je 00419E69 to jne 00419E69. If you did already, you probably noticed that when you get the nag and press No you enter, and if you press Yes it leaves... Anyway, you see that conditional jump |:004197A1(C). Go to it to see what calls that nag and you'll end up here:

:0041979B 399E68010000            cmp dword ptr [esi+00000168], ebx
:004197A1 7574                    jne 00419817         ------> you land here **********
:004197A3 899EFC030000            mov dword ptr [esi+000003FC], ebx

OK, so jne 00419817 = jump if not equal. Now if we changed it to jmp 00419817 nothing would happen. If you remember, earlier at je 00419E69 *** this must be our real program, so let's make the jne 00419817 into jmp 00419827, so

:004197A1 7574                    jne 00419817

will be

:004197A1 EB74                    jmp 00419827

This way it'll jump right away to the program and skip all that other shit.

2. Enable 3 functions

a. Delete invalid Desktop Shortcuts  --> main menu
b. Delete invalid uninstall entries  --> Reg section
c. Delete Windows Run History        --> Reg section

OK, let's search for the message "This option is available ONLY IN THE REGISTERED VERSION of W" and we land here:

:0040BDDF 90                      nop
:0040BDE0 8B4178                  mov eax, dword ptr [ecx+78]
:0040BDE3 6A00                    push 00000000
:0040BDE5 6A00                    push 00000000
:0040BDE7 68F1000000              push 000000F1
:0040BDEC 50                      push eax             ------> interesting ******

* Reference To: USER32.SendMessageA, Ord:0218h
|
:0040BDED FF15F8C54400            Call dword ptr [0044C5F8]
:0040BDF3 6AFF                    push FFFFFFFF
:0040BDF5 6A30                    push 00000030        ---> empty message

* Possible Reference to String Resource ID=00184: "This option is available ONLY IN THE REGISTERED VERSION of W"
|
:0040BDF7 68B8000000              push 000000B8        ----> the message we searched for
:0040BDFC E837560300              call 00441438        ----> checks the button
:0040BE01 C3                      ret

Two things you have to change:

1. :0040BDEC 50 push eax  to  :0040BDEC 56 push esi  ------> will allow you to check
2. :0040BDF7 68B8000000 push 000000B8  to  :0040BDF7 68B8000000 push 00000030  -----> shows an empty message box

Oh yeah, now you can find out with one (the function you fixed). OK, it's b. Delete invalid uninstall entries now, 2 more:

* Reference To: USER32.SendMessageA, Ord:0218h
|
:00411050 8B81BC050000            mov eax, dword ptr [ecx+000005BC]
:00411056 6A00                    push 00000000
:00411058 6A00                    push 00000000
:0041105A 68F1000000              push 000000F1
:0041105F 50                      push eax             ----------> change to esi
:00411060 FF15F8C54400            Call dword ptr [0044C5F8]
:00411066 6AFF                    push FFFFFFFF
:00411068 6A30                    push 00000030

* Possible Reference to String Resource ID=00184: "This option is available ONLY IN THE REGISTERED VERSION of W"
|
:0041106A 68B8000000              push 000000B8        -----> change to 30
:0041106F E8C4030300              call 00441438
:00411074 C3                      ret

This is an extra one:

:00411080 8B8180050000            mov eax, dword ptr [ecx+00000580]
:00411086 6A00                    push 00000000
:00411088 6A00                    push 00000000
:0041108A 68F1000000              push 000000F1
:0041108F 50                      push eax             ------> esi

* Reference To: USER32.SendMessageA, Ord:0218h
|
:00411090 FF15F8C54400            Call dword ptr [0044C5F8]
:00411096 6AFF                    push FFFFFFFF
:00411098 6A30                    push 00000030

* Possible Reference to String Resource ID=00184: "This option is available ONLY IN THE REGISTERED VERSION of W"
|
:0041109A 68B8000000              push 000000B8        ------> 30
:0041109F E894030300              call 00441438
:004110A4 C3                      ret

Also:

:004110B0 8B8144050000            mov eax, dword ptr [ecx+00000544]
:004110B6 6A00                    push 00000000
:004110B8 6A00                    push 00000000
:004110BA 68F1000000              push 000000F1
:004110BF 50                      push eax             ---> esi

* Reference To: USER32.SendMessageA, Ord:0218h
|
:004110C0 FF15F8C54400            Call dword ptr [0044C5F8]
:004110C6 6AFF                    push FFFFFFFF
:004110C8 6A30                    push 00000030

* Possible Reference to String Resource ID=00184: "This option is available ONLY IN THE REGISTERED VERSION of W"
|
:004110CA 68B8000000              push 000000B8        ---> 30
:004110CF E864030300              call 00441438
:004110D4 C3                      ret

And:

:004118B0 8B8108050000            mov eax, dword ptr [ecx+00000508]
:004118B6 6A00                    push 00000000
:004118B8 6A00                    push 00000000
:004118BA 68F1000000              push 000000F1
:004118BF 50                      push eax             ---> esi

* Reference To: USER32.SendMessageA, Ord:0218h
|
:004118C0 FF15F8C54400            Call dword ptr [0044C5F8]
:004118C6 6AFF                    push FFFFFFFF
:004118C8 6A30                    push 00000030

* Possible Reference to String Resource ID=00184: "This option is available ONLY IN THE REGISTERED VERSION of W"
|
:004118CA 68B8000000              push 000000B8        ---> 30
:004118CF E864FB0200              call 00441438
:004118D4 C3                      ret

This is a big one, it's the Delete Windows Run History:

:00414A70 56                      push esi
:00414A71 8BF1                    mov esi, ecx
:00414A73 57                      push edi

* Reference To: USER32.SendMessageA, Ord:0218h
|
:00414A74 8B3DF8C54400            mov edi, dword ptr [0044C5F8]
:00414A7A 8B86B4000000            mov eax, dword ptr [esi+000000B4]
:00414A80 6A00                    push 00000000
:00414A82 6A00                    push 00000000
:00414A84 68F1000000              push 000000F1
:00414A89 50                      push eax             --------> change to esp
:00414A8A FFD7                    call edi
:00414A8C 6AFF                    push FFFFFFFF
:00414A8E 6A30                    push 00000030

* Possible Reference to String Resource ID=00184: "This option is available ONLY IN THE REGISTERED VERSION of W"
|
:00414A90 68B8000000              push 000000B8        -----> change to 30
:00414A95 E89EC90200              call 00441438
:00414A9A 8B8EB4000000            mov ecx, dword ptr [esi+000000B4]
:00414AA0 6A00                    push 00000000
:00414AA2 6A00                    push 00000000
:00414AA4 68F1000000              push 000000F1        --------> change to 00000000
:00414AA9 51                      push ecx
:00414AAA FFD7                    call edi
:00414AAC 5F                      pop edi
:00414AAD 5E                      pop esi
:00414AAE C3                      ret

This one is more complicated. So now when you check the option, an empty message box pops up, and when you press OK the check mark is still there. Now you have to change something that will make the message box not come up.

And that is it, folks......... wow, that was long.

This is my 6th tutorial. I hope I didn't confuse you, and if you have any questions or comments my ICQ# is 69518421 or you can e-mail me at webcrawler28@hotmail.com. I would like to say thanks to all the crackers, too many to list, for helping me and also for their tutorials. Also a big thanks to krobar's site: http://zor.org/krobar