Name    : Just Another Commander
Version : 2.01
Editor  : Klappert
Target  : jac.exe
Tools   : W32Dasm, Hiew, Brain
Cracker : LW2000
Tutorial: No.49
http://www.a-l-e-x.de

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

1. Ok, let's do a quick crack on Just Another Commander. Start the Proggy and you see a Nag; write down the text. Load the bitch into W32Dasm and make a Deadlisting. Go to our string:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00523877(U)
|
:00523887 803D14E753001E          cmp byte ptr [0053E714], 1E
:0052388E 7621                    jbe 005238B1                <-- Bad Boy
:00523890 6A00                    push 00000000
:00523892 668B0D103D5200          mov cx, word ptr [00523D10]
:00523899 33D2                    xor edx, edx

* Possible StringData Ref from Code Obj ->"Sie haben JAC bereits an 30 Tagen"
                                        ->"getestet. Wenn Sie das Programm"
                                        ->"weiter nutzen m"
|
:0052389B B8A03D5200              mov eax, 00523DA0
:005238A0 E87B36F6FF              call 00486F20
:005238A5 C60500E7530000          mov byte ptr [0053E700], 00
:005238AC E9A1000000              jmp 00523952

2. Mhmm, quite simple! We want the program to load every time, even if we are past the trial period. So we must jump every time! We do this by changing the jbe to jmp. (I don't tell you today how to do this - you should know this already. If not, read one of my old tuts!)

3. Ok, works fine, but the Nag and this splash are still there... Let's think a bit =) We want to go to the Main Screen, so take a look at the title bar:

Just Another Commander - UNREGISTRIERTE SHAREWAREVERSION

Search the Deadlisting for "Just Another Commander":

:00523A65 FF5250                  call [edx+50]

* Possible StringData Ref from Code Obj ->"Just Another Commander"
|
:00523A68 BA403C5200              mov edx, 00523C40           <-- note the offset
:00523A6D A130765200              mov eax, dword ptr [00527630]
:00523A72 E80554F0FF              call 00428E7C
:00523A77 B9C0E55300              mov ecx, 0053E5C0
:00523A7C BAD8644E00              mov edx, 004E64D8

4. Note the offset from :00523A68, because we must jump there if we want to start the main part.
But from where do we jump to the main part? Mhmm *g*, do you remember the date check ;) Ok, go to :0052388E again. We must change the jbe 005238B1 (or jmp 005238B1 if already changed) to jmp 00122E68 (our newly noted offset!).

5. Let's do so. Open Jac.exe in Hiew and enter decode mode. Press F5 and go to Offset 122C8E. Press F3, F2 and enter jmp 00122E68 [Enter] [Esc]. Save your work.

btw: if you get a msg because of a date change, note the text and go to the reference:

:005237A6 DFE0                    fstsw ax
:005237A8 9E                      sahf
:005237A9 7331                    jnb 005237DC                <<--- Bad Boy!
:005237AB DD0504E75300            fld qword ptr [0053E704]
:005237B1 83C4F4                  add esp, FFFFFFF4
:005237B4 DB3C24                  fstp tbyte ptr [esp]
:005237B7 9B                      wait
:005237B8 8D45F0                  lea eax, dword ptr [ebp-10]
:005237BB E80843EEFF              call 00407AC8
:005237C0 8B55F0                  mov edx, dword ptr [ebp-10]
:005237C3 8D45DC                  lea eax, dword ptr [ebp-24]
:005237C6 E8DD0CEEFF              call 004044A8
:005237CB 8D4DDC                  lea ecx, dword ptr [ebp-24]
:005237CE 33D2                    xor edx, edx
:005237D0 A1F4E65300              mov eax, dword ptr [0053E6F4]
:005237D5 E83A74F2FF              call 0044AC14
:005237DA EB1C                    jmp 005237F8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005237A9(C)                                                  <-- here we go
|
:005237DC 6A00                    push 00000000
:005237DE 668B0D103D5200          mov cx, word ptr [00523D10]
:005237E5 B203                    mov dl, 03

* Possible StringData Ref from Code Obj ->"Sie haben doch wohl nicht an der"
                                        ->"Datumseinstellung rumgespielt"
                                        ->"um die Shareware-Kontrolle zu"
                                        ->"umgehen??"
|
:005237E7 B81C3D5200              mov eax, 00523D1C

Now note the offset from :005237A9 and go there in Hiew. Change the 7331 to 9090 and you never hear of this msg again ;)

If you don't like the 'UNREGISTRIERTE SHAREWAREVERSION' string, search the exe in Hiew for this string (554E5245474953545249455254452053484152455741524556455253494F4E in hex) and replace it (for example with 52656769737472696572742066FC72204C5732303030205B4369415D2020 or whatever you like - but it must have the same length!).

Now try it! Congratulations!
You have a Nag-, Splash- and Trial-free version. FINISH! Easy, isn't it?

cu LW2000

Any comments? Mail me at LW2000@gmx.net or go to http://www.LW2000.cjb.net

----
tKC, thx for your tutorials! I started with tutorial 1 and I still read them... they are the best!
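Step 5 goes from the W32Dasm address :0052388E to the Hiew file offset 122C8E without saying how the two are related. The link is the PE section table: subtract the image base to get the RVA, then move from the section's VirtualAddress to its PointerToRawData. The script below is an added example, not code from the tutorial or from JAC; it builds a constructed stand-in header (image base 0x400000, one CODE section at RVA 0x1000 stored at raw offset 0x400, the layout that reproduces the tutorial's numbers) and maps both addresses the tutorial works with.

```python
import struct

def parse_pe(pe: bytes):
    """Return (image_base, sections) from a PE32 image; each section is
    (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rptr, rsize))
        off += 40
    return image_base, sections

def va_to_file_offset(va: int, sections, image_base: int) -> int:
    """Map a disassembler virtual address to the raw offset a hex editor shows."""
    rva = va - image_base
    for _name, sva, vsize, rptr, rsize in sections:
        if sva <= rva < sva + max(vsize, rsize):
            return rptr + (rva - sva)
    raise ValueError(f"VA {va:#x} is not backed by any section in the file")

def build_sample_pe() -> bytes:
    """Constructed stand-in for the jac.exe headers (not the real file): image base
    0x400000 and one CODE section at RVA 0x1000 stored at raw offset 0x400."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x10F)
    opt = bytearray(0xE0)                    # PE32 optional header, only Magic and ImageBase set
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, 0x400000)
    sec = struct.pack("<8sIIII", b"CODE", 0x130000, 0x1000, 0x130000, 0x400)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec

if __name__ == "__main__":
    base, secs = parse_pe(build_sample_pe())
    for va in (0x0052388E, 0x00523A68):      # the two addresses step 5 works with
        print(f"{va:#010x} -> file offset {va_to_file_offset(va, secs, base):#x}")
```

On a real file the same arithmetic applies to every section, so an address that falls in the data section or outside any section's raw bytes is reported instead of silently producing a wrong offset.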