Name     : Directory Snoop
Version  : 3.11
Editor   : Briggs Softworks
Target   : DirSnoop.exe
Tools    : GetTyp
           Procdump
           Hiew
           W32Dasm
           Brain
Cracker  : LW2000
Tutorial : No.54

http://www.briggssoft.com

---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---

1. OK, set the system date to the next month so that Directory Snoop expires. Start DirSnoop.
   *BOOM* Note the text of the msg. Now run gtw on DirSnoop.exe! Mhmm, packed by Shrinker 3.3 =)
   Now load my favorite tool PROCDUMP and unpack the proggy (I think you know how to do this -
   if not, read my old tuts!). Then load the unpacked DirSnoop into W32Dasm and make a deadlisting.
   Go to our string:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00494689(U)                                   <-- here we go
|
:00494698 6A00                    push 00000000

* Possible StringData Ref from Code Obj ->"You have used Directory Snoop"
                                  |
:0049469A 6864484900              push 00494864
:0049469F 8D55E8                  lea edx, dword ptr [ebp-18]
:004946A2 8BC6                    mov eax, esi
:004946A4 E81342F7FF              call 004088BC
:004946A9 FF75E8                  push [ebp-18]

2. We came from 00494689, so let's go there and take a look!

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00494638(C), :0049463E(C)
|
:00494663 E85453F7FF              call 004099BC
:00494668 E8D3E3F6FF              call 00402A40
:0049466D 8BF0                    mov esi, eax
:0049466F 83EE1E                  sub esi, 0000001E
:00494672 2B3524904900            sub esi, dword ptr [00499024]
:00494678 85F6                    test esi, esi
:0049467A 7E64                    jle 004946E0  <-- jmp all ok
:0049467C 83FE01                  cmp esi, 00000001
:0049467F 750A                    jne 0049468B  <-- jmp Bad Boy
:00494681 8D45FC                  lea eax, dword ptr [ebp-04]
:00494684 E827F5F6FF              call 00403BB0
:00494689 EB0D                    jmp 00494698  <-- jmp Bad Boy

3. At :0049467A there is a jle that jumps to 004946E0. This is the main-proggy-part, so what should
   we do? Jump there every time, whether the trial is over or not? Sounds nice, let's do so!
   Note the offset of :0049467A and go there in Hiew. Go to decode mode, press F3 to edit, and
   change 7E64 -> EB64 (jle -> jmp). Save your work and try it.

4. Fine! It works! Now let's do some visual face lifting of the program...

   Search for
     ** Printed with Unregistered Directory Snoop **
   (in hex this is
     2A2A205072696E746564207769746820556E72656769737465726564204469726563746F727920536E6F6F70202A)
   and replace it with
     20202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020
   So this nagging text has gone 4-ever! Let's go on...

   Search for
     [Unregistered Shareware]
   (in hex it is 5B556E72656769737465726564205368617265776172655D)
   and replace it with
     437261636B6564206279204C5732303030205B4369415D20

   Search for
     Unregistered Shareware
   (in hex it is 556E7265676973746572656420536861726577617265)
   and replace it with
     4C5732303030205B4369415D20202020202020202020

   If you do not like my face lifting, you can enter your own text, but remember it must have
   the same length!

Congratulations! You have a facelifted version that will never expire.

FINISH! Easy, or?

cu LW2000

Any comments? Mail me LW2000@gmx.net or go to http://www.LW2000.cjb.net

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!