Flu[X]'s Cracking tutor #3

Ok, well I haven't written one in over a month.. This one is kinda basic... but still semi interesting..

Tools:
-Cyber Creek Avalanche 98 (www.cybercreek.com) -- I used build 1351
-W32Dasm
-A patch maker (I prefer my patching engine)
-Brains

Ok, first let's gather some info about this program... We start it and see a nag... we hit OK.. blah.. another nag comes up... We have 2 choices.. a serial or a patch... I briefly traced through it in SoftICE.. and it didn't look like it was gonna be fun to make a serial... so on with the byte patch....

Ok, we disassemble it... let's look for that annoying text in the opening nag... After searching you will come across the code below...

* Referenced by a CALL at Address:
|:0045F5C3
|
:0045F42C 55                push ebp
:0045F42D 8BEC              mov ebp, esp
:0045F42F 803D98CE490000    cmp byte ptr [0049CE98], 00   <- could it be a regflag??
:0045F436 7551              jne 0045F489                  <- if not 0, pass the nag screen
:0045F438 6840200400        push 00042040

* Possible StringData Ref from Code Obj ->"CyberCreek Avalanche 98"
|
:0045F43D B98CF44500        mov ecx, 0045F48C

* Possible StringData Ref from Code Obj ->" This application requires "
                                        ->"that you license this product "
                                        ->"before using it."

Ok, now look at the 2 lines I have marked... not bad, eh? It looks like a simple regflag... For those of you that don't know what a regflag is, a regflag is like a true/false marker that tells a program whether it is registered or not.. switching the marker usually will make a program behave as registered.. Well... since this is most likely a regflag system.. just changing the jump won't be good enough, as other parts of this program usually check it too.. However, we have a nice advantage here.. remember how the first thing we saw was that nag screen, and how it is controlled by this regflag... well, most likely this is the first thing to pass through the regflag test.. meaning it is the first code to check the flag :) This means we can modify the content of the flag before anything else uses it..
We know that if the flag = 0 it is unregistered... so we change it to 1, then we fix that nasty jump to always skip that nag :) The new code should look like this:

* Referenced by a CALL at Address:
|:0045F5C3
|
:0045F42C 55                push ebp
:0045F42D 8BEC              mov ebp, esp
:0045F42F 6C3D98CE490100    mov byte ptr [0049CE98], 01   <- move the flag to true :)
:0045F436 EB51              jmp 0045F489                  <- skip the nag :)
:0045F438 6840200400        push 00042040

* Possible StringData Ref from Code Obj ->"CyberCreek Avalanche 98"
|
:0045F43D B98CF44500        mov ecx, 0045F48C

* Possible StringData Ref from Code Obj ->" This application requires "
                                        ->"that you license this product "
                                        ->"before using it."

That's it.. run it.. now it runs like the registered copy.. funny how programmers protect a $300 program, isn't it? Now use your patcher of choice to make a patch :)
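An added example, not part of the original tutorial: a small parser for W32Dasm-style listing lines like the ones quoted above. It checks that each instruction starts exactly where the previous one's opcode bytes end (so a listing, or a patched copy of it, is internally consistent), and flags the compare-then-conditional-jump shape the text calls a regflag so a reviewer of their own protection code can spot single-byte gates quickly. The sample listing is constructed from the lines on this page; the helper names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the W32Dasm-style lines quoted in the tutorial above.
LISTING = """\
* Referenced by a CALL at Address:
|:0045F5C3
:0045F42C 55 push ebp
:0045F42D 8BEC mov ebp, esp
:0045F42F 803D98CE490000 cmp byte ptr [0049CE98], 00
:0045F436 7551 jne 0045F489
:0045F438 6840200400 push 00042040
* Possible StringData Ref from Code Obj ->"CyberCreek Avalanche 98"
:0045F43D B98CF44500 mov ecx, 0045F48C
"""

# :ADDRESS HEXBYTES MNEMONIC [OPERANDS]
LINE_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Insn:
    address: int
    opcode: bytes
    mnemonic: str
    operands: str


def parse_listing(text):
    """Return the instruction lines; annotation lines (* ..., | ...) are skipped."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, hexbytes, mnem, ops = m.groups()
        if len(hexbytes) % 2:
            raise ValueError(f"odd number of hex digits at {addr}")
        insns.append(Insn(int(addr, 16), bytes.fromhex(hexbytes), mnem.lower(), ops or ""))
    return insns


def check_contiguous(insns):
    """List (expected, actual) address pairs where an instruction does not start
    right after the previous one's bytes; empty means the listing is consistent."""
    gaps = []
    for prev, cur in zip(insns, insns[1:]):
        expected = prev.address + len(prev.opcode)
        if cur.address != expected:
            gaps.append((expected, cur.address))
    return gaps


def find_flag_checks(insns):
    """Addresses of 'cmp byte ptr [mem], imm' immediately followed by a conditional
    jump: a single-byte gate that a reviewer of protection code should look at."""
    return [a.address for a, b in zip(insns, insns[1:])
            if a.mnemonic == "cmp" and a.operands.startswith("byte ptr [")
            and b.mnemonic.startswith("j") and b.mnemonic != "jmp"]
```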