************** MEXELITE98 TUTORIAL **************

bulll [mex98]
url: n/a

Target:     Cabrio v2.5
Request:    snipes 'c4n'
Protection: Time limit, Nag Screen
Tools:      Softice v3.0 or later, Hexworks Hex Editor, W32dasm (<-- by far the best no matter what you hear :)

OK, here ya go. You must excuse my poor writing abilities; I am not a usual tutorial writer, that job is normally left to Vizion [mex98], but here goes. I suppose that you do have some knowledge in general cracking, because this is not a "teach you how to crack" tute but more just a how to crack this proggie.

Ok. First you need to install the proggie and run it a few times just to see what's goin on. Well, we get this nasty "you have blah blah days left", and 30 days just isn't enough time for us to "try before we buy", now is it. So fire up your w32dasm or whatever you use and let's get this baby opened up. Now check your string references and also your functions (imports and exports)... Well... really nothing interesting in the string refs... hmmm... Let's go ahead and turn our clock up at least 30 days. I usually go more. Now we get the usual "expired", and if we turn it back to normal time that just doesn't fix it either. So now it's time to get our good ole sice to take a look at it. When you looked in w32dasm at your functions you should have seen several "dialog" functions. Just set a bpx on some of those (the winner is 'dialogbox'). When sice first breaks you will have to press F12 so that you will get back to the function. Then...
Now when sice breaks you should see something like this:

:0003.7674 8C161C18   mov  [181C], ss
:0003.7678 FF362A1A   push word ptr [1A2A]
:0003.767C FF7608     push word ptr [bp+08]
:0003.767F FF7606     push word ptr [bp+06]
:0003.7682 FF36F819   push word ptr [19F8]
:0003.7686 FF76FE     push word ptr [bp-02]
:0003.7689 FF76FC     push word ptr [bp-04]
:0003.768C 9A01350000 call USER.DIALOGBOX            <--- This is where you will land
:0003.7691 40         inc  ax
:0003.7692 740F       je   76A3
:0003.7694 FF76FE     push word ptr [bp-02]
:0003.7697 FF76FC     push word ptr [bp-04]
:0003.769A 9AAA760000 call KERNEL.FREEPROCINSTANCE
:0003.769F 33C0       xor  ax, ax
:0003.76A1 C9         leave
:0003.76A2 CB         retf

But you say... how did we get here???? Well, you scroll up and you will find a conditional jump at .7651, but that's no good for us... so...????

:0003.764F 0BD0       or   dx, ax
:0003.7651 745B       je   76AE                      <--- useless
:0003.7653 8B460A     mov  ax, [bp+0A]

We have to use a bit of zen... we know that our days are calculated, and if we pass over our 30 day trial limit then our proggie will be useless. Also... if we are not registered we will get that nag screen. So... we have to look through the code and find our "sweet" spot:

:0003.7172 8BD8       mov  bx, ax
:0003.7174 8C46FE     mov  [bp-02], es
:0003.7177 268B470A   mov  ax, es:[bx+0A]
:0003.717B 8946F6     mov  [bp-0A], ax
:0003.717E 268B470E   mov  ax, es:[bx+0E]
:0003.7182 8946F4     mov  [bp-0C], ax
:0003.7185 8D46E2     lea  ax, [bp-1E]
:0003.7188 16         push ss
:0003.7189 50         push ax
:0003.718A 9ABC24D66A call 0001.24BC
:0003.718F 83C404     add  sp, 0004
:0003.7192 8EC2       mov  es, dx
:0003.7194 8BD8       mov  bx, ax
:0003.7196 8C46FE     mov  [bp-02], es
:0003.7199 268B7F0A   mov  di, es:[bx+0A]
:0003.719D 268B470E   mov  ax, es:[bx+0E]
:0003.71A1 8946F2     mov  [bp-0E], ax
:0003.71A4 837EE800   cmp  word ptr [bp-18], 0000    <-- How sweet it is!!!!
:0003.71A8 7557       jne  7201                      <-- Bad jump ewww!!!!
                                                     (this is our spot to werk on)
:0003.71AA 8B46FA     mov  ax, [bp-06]
:0003.71AD 2B46F6     sub  ax, [bp-0A]
:0003.71B0 69C06D01   imul ax, 016D
:0003.71B4 2B46F4     sub  ax, [bp-0C]
:0003.71B7 0346F8     add  ax, [bp-08]
:0003.71BA 3B4606     cmp  ax, [bp+06]
:0003.71BD 7D42       jge  7201                      <--- if we have gone over our time limit, jump
:0003.71BF 2B7EFA     sub  di, [bp-06]
:0003.71C2 F7DF       neg  di
:0003.71C4 69C76D01   imul ax, di, 016D
:0003.71C8 2B46F2     sub  ax, [bp-0E]
:0003.71CB 0346F8     add  ax, [bp-08]
:0003.71CE 7831       js   7201
:0003.71D0 8B460A     mov  ax, [bp+0A]
:0003.71D3 0B4608     or   ax, [bp+08]
:0003.71D6 7462       je   723A                      <-- Very sweet!!
:0003.71D8 8B46F6     mov  ax, [bp-0A]
:0003.71DB 2B46FA     sub  ax, [bp-06]
:0003.71DE 69C06D01   imul ax, 016D
:0003.71E2 2B46F8     sub  ax, [bp-08]
:0003.71E5 0346F4     add  ax, [bp-0C]
:0003.71E8 034606     add  ax, [bp+06]
:0003.71EB 99         cwd
:0003.71EC 52         push dx
:0003.71ED 50         push ax
:0003.71EE FF760C     push word ptr [bp+0C]
:0003.71F1 FF760A     push word ptr [bp+0A]
:0003.71F4 FF7608     push word ptr [bp+08]
:0003.71F7 9A36761472 call 0003.7636
:0003.71FC 83C40A     add  sp, 000A
:0003.71FF EB39       jmp  723A

Well, this snippet of code is found by scrolling up a bit from our initial sice break. This is interesting to us also. There's a lot of checks goin on here: should we display the nag or not... or should we display the time-over nag. Well, what we will do is change it so that it will never show a nag and never ever expire, so that we can really evaluate this proggie :))) So we see the spot at 71A4 and just below it an evil jump. So let's fix it. In w32dasm find the offset of the code... it is found at offset 0001C134. So fire up your hex editor and go to the offset. Now all we have to do is change our bytes and we'll be set. So for the crack:

:0003.71A8 7557       <-- change this
:0003.71AA 8B46FA     <-- and this to........
----------------------------
THIS
:0003.71A8 E98F       <--
:0003.71AA 006800     <-- Fixed bytes :))))

You notice that we had to pad our bytes 46FA with 6800 (push 00) so that we would work all right :)) Now you just have to rename your .bak to .exe and you will have a cracked proggie that you can evaluate for as long as you like. Now isn't that better???

In the crack that I made... I changed the "Evaluation" in the about box to "cracked"... just for amusement :))

I hope this helps you on your journey to crack any and everything... Have fun

bulll [mex98]
A NEW BREED

Greets to all members of mexelite and all visitors of #cracking4newbies
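To see what the branches between 71A4 and 71FF above actually decide, here is the trial arithmetic from that listing written out in C. This is an added example, not code from the tutorial or from Cabrio itself: the imul by 016Dh (365) shows that each date is handled as a year plus a day-of-year, and the three comparisons are the over-limit test, a clock-set-back test, and the nag/no-nag test. Every field name (cur_year for [bp-06], inst_year for [bp-0A], last_year for di, the dword at [bp+0A]:[bp+08], the word at [bp-18]) is an assumption read off the arithmetic; the program exports no symbols for them.

```c
#include <stdio.h>

/* Reconstruction of the trial arithmetic in the listing at 0003:71AA-71F7.
 * The code multiplies by 016Dh = 365, so each date is a (year, day-of-year) pair
 * and the elapsed count ignores leap days. All field names below are assumptions
 * read off the arithmetic; the program carries no symbols for them. */
#define DAYS_PER_YEAR 365  /* 016Dh in the listing */

typedef struct {
    int  cur_year;     /* assumed [bp-06]: today's year */
    int  cur_doy;      /* assumed [bp-08]: today's day of year */
    int  inst_year;    /* assumed [bp-0A]: year of the first parsed date (trial start) */
    int  inst_doy;     /* assumed [bp-0C]: its day of year */
    int  last_year;    /* assumed di:      year of the second parsed date (last run) */
    int  last_doy;     /* assumed [bp-0E]: its day of year */
    int  trial_limit;  /* assumed [bp+06]: the 30-day limit */
    long nag_dword;    /* assumed [bp+0A]:[bp+08]: tested by 'or ax, [bp+08]', zero skips the nag */
    int  flag;         /* assumed [bp-18]: nonzero goes straight to 7201 */
} trial_ctx;

enum trial_state { TRIAL_EXPIRED, TRIAL_OK_NO_NAG, TRIAL_OK_NAG };

/* 71AA-71BA: ax = (cur_year - inst_year) * 365 - inst_doy + cur_doy */
int days_elapsed(const trial_ctx *c)
{
    return (c->cur_year - c->inst_year) * DAYS_PER_YEAR - c->inst_doy + c->cur_doy;
}

/* 71BF-71CB: the same arithmetic against the second date. The 'js 7201' at 71CE
 * fires when this is negative, i.e. today is earlier than the last recorded run,
 * which is why setting the clock back to normal time did not help. */
int days_since_last_run(const trial_ctx *c)
{
    return (c->cur_year - c->last_year) * DAYS_PER_YEAR - c->last_doy + c->cur_doy;
}

/* 71D8-71E8: (inst_year - cur_year) * 365 - cur_doy + inst_doy + limit,
 * i.e. limit - days_elapsed: the "days left" number handed to the nag dialog. */
int days_left(const trial_ctx *c)
{
    return (c->inst_year - c->cur_year) * DAYS_PER_YEAR - c->cur_doy + c->inst_doy
           + c->trial_limit;
}

/* One pass through the branches between 71A4 and 71FF. Returns which path is taken;
 * when the nag dialog would be shown, *nag_days receives the value pushed to it. */
enum trial_state evaluate_trial(const trial_ctx *c, int *nag_days)
{
    if (c->flag != 0)                       /* 71A4 cmp [bp-18], 0 / 71A8 jne 7201 */
        return TRIAL_EXPIRED;
    if (days_elapsed(c) >= c->trial_limit)  /* 71BA cmp ax, [bp+06] / 71BD jge 7201 */
        return TRIAL_EXPIRED;
    if (days_since_last_run(c) < 0)         /* 71CE js 7201 */
        return TRIAL_EXPIRED;
    if (c->nag_dword == 0)                  /* 71D0-71D6 or ax, [bp+08] / je 723A */
        return TRIAL_OK_NO_NAG;
    if (nag_days != NULL)                   /* 71EB-71F7 cwd, push, call 0003.7636 */
        *nag_days = days_left(c);
    return TRIAL_OK_NAG;
}

/* Constructed scenarios (not taken from the program) showing each outcome. */
int main(void)
{
    trial_ctx c = { 1998, 40, 1998, 20, 1998, 35, 30, 1, 0 };
    int left = 0;

    printf("day 40, started day 20: state %d, %d days left\n", evaluate_trial(&c, &left), left);
    c.cur_doy = 60;                 /* 40 days in: over the 30-day limit */
    printf("day 60: state %d\n", evaluate_trial(&c, &left));
    c.cur_doy = 30;                 /* earlier than the last run on day 35: clock set back */
    printf("day 30, last run day 35: state %d\n", evaluate_trial(&c, &left));
    c.cur_doy = 40; c.nag_dword = 0;
    printf("dword at [bp+0A] zero: state %d\n", evaluate_trial(&c, &left));
    return 0;
}
```

Two things the reconstruction makes visible: the rollback check at 71CE only catches a clock set earlier than the last recorded run, so a clock moved forward and left there sails through, and every outcome of the routine (expired, nag, no nag) funnels through the single conditional at 71A8 and one stored date record, which is exactly why one patched branch disposes of all three checks at once.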