Tutor for cracking The Bat! v1.00 (Internet e-mail client) by TheBrabo - The Netherlands. (http://www.ritlabs.com/the_bat) It's an easy patch. You can do a S/N, just catch the input and follow the commands. It looks complicated and my rule is to spend as little time as needed. But a S/N is better than a patch (newer versions). Oke how do I proceed for this crack: 1. Do a disassembly with WDASM or IDAPRO (I'm still looking for a registered version of IDAPRO). I used WDASM because it is quick and in most cases sufficient. We see that in the about box a message is shown that you're unregistered. This can mean two things: - there are two (or more) about boxes - the text itself is displayed in a general about box (most common) Via the Symantec resource editor you'll find that the programmer doesn't follow the regular guidelines, so you can't tell yet what is appropriate. I think the second one, so you can do a test on TEXTOUT or something like that when the aboutbox will be displayed/created. I'll do it with another intelligent way (I'm no programmer - I never had a course in that way - so I do with "common sense"). 2. Look for "REGISTER" in the disassembled text and you'll find only this: :00408C2A BA74A24000 mov edx, 0040A274 ; "Version %s" :00408C2F E8789AFFFF call 004026AC :00408C34 8D8390000000 lea eax, dword ptr [ebx+00000090] :00408C3A BA88A24000 mov edx, 0040A288 ; "UNREGISTERED" :00408C3F E8689AFFFF call 004026AC :00408C44 8D8394000000 lea eax, dword ptr [ebx+00000094] :00408C4A BAB0A24000 mov edx, 0040A2B0 ; "Registered to" :00408C4F E8589AFFFF call 004026AC :00408C54 8D8398000000 lea eax, dword ptr [ebx+00000098] :00408C5A BACCA24000 mov edx, 0040A2CC 3. Now you know where the text "UNREGISTERED" is saved. Start up SoftIce and do a BPX 408C34. Just step over the three commands and you'll see that the string is stored at the address EAX points to. In my case EAX=EC0C6900. So the string is at DS:00690CEC, do a check (D 690CEC). The reference address is [EBX+90] (DS:4F2580). Probably later on overruled when you choose a different language. 4. Do a BPM on address DS:EBX+90 and run the programme further on (F5). You'll see that SoftIce will come up a couple of times. But we're only interested in the aboutbox, so ignore these pop ups. 5. From the menu, choose Help|About and SoftIce will stop the programme at CS:48AF3B. This is part of the disassembly: :0048AF25 E822D00400 call 004D7F4C :0048AF2A A1600B4F00 mov eax, dword ptr [004F0B60] :0048AF2F 80784B00 cmp byte ptr [eax+4B], 00 :0048AF33 7513 jne 0048AF48 :0048AF35 8B1580254F00 mov edx, dword ptr [004F2580] ; Text Unregistered :0048AF3B 8B83C0010000 mov eax, dword ptr [ebx+000001C0] :0048AF41 E806D00400 call 004D7F4C :0048AF46 EB3B jmp 0048AF83 :0048AF48 8D45FC lea eax, dword ptr [ebp-04] ; Registered version starts :0048AF4B 50 push eax :0048AF4C 8D55F0 lea edx, dword ptr [ebp-10] :0048AF4F A1600B4F00 mov eax, dword ptr [004F0B60] :0048AF54 83C04B add eax, 0000004B :0048AF57 E85C22FBFF call 0043D1B8 :0048AF5C 8B45F0 mov eax, dword ptr [ebp-10] :0048AF5F 8945F4 mov dword ptr [ebp-0C], eax :0048AF62 C645F80B mov [ebp-08], 0B :0048AF66 8D55F4 lea edx, dword ptr [ebp-0C] :0048AF69 33C9 xor ecx, ecx :0048AF6B A184254F00 mov eax, dword ptr [004F2584] :0048AF70 E82FB2F7FF call 004061A4 :0048AF75 8B55FC mov edx, dword ptr [ebp-04] :0048AF78 8B83C0010000 mov eax, dword ptr [ebx+000001C0] :0048AF7E E8C9CF0400 call 004D7F4C :0048AF83 B201 mov dl, 01 ; go on, registered or not ..... It appears that the string is loaded at CS:48AF35. You could do a search on [004F2580] in the disassembly, but it's not always so easy as now. The BPM way works most of the time. 6. What do you see just before the command line, right a JNE. The compare method is the most used way by programmers. (It is better to do a jump with a variable address or a source code which is generated real time, but they are crackable as well.) Ok, we'll do a test whether we're right. BPX on the JNE and run the programme further on. 7. Choose Help|About and Softice will pop up on CS:48AF33. Change the Z-flag (type: R FL=Z) and run the programme further. The dialog box says now that the programme is registered. So you know now that when address [EAX+4B] is greater than zero you're registered. You can try it if you want to. Change this address into 1. Do a E EAX+4B change the first value (it is a byte compare) into 1, press enter, and F5. You see: it works from then on! 8. Next thing is to figure out where this address is set. Just BPM [EAX+4B] at CS:48AF2F (you have to do it on that command line 'cause you don't know EAX otherwise) and leave the programme. 9. Start-up the programme and SoftIce will pop up at the following four command lines who "do" something with this memory address before the NAG is shown: A. 401CD2 B. 48AF33 C. 4A2D44 D. 43D1B1 A. So look at the first one: :00401CC8 8B48E8 mov ecx, dword ptr [eax-18] :00401CCB 31C0 xor eax, eax :00401CCD 51 push ecx :00401CCE C1E902 shr ecx, 02 :00401CD1 49 dec ecx :00401CD2 F3 repz In my case (the shareware version) it will zero the address. You can overrule this but it's more difficult than the method I will show you. B. It's the same as the dialogbox described above C. The third one: :004A2D37 6A00 push 00000000 :004A2D39 6A00 push 00000000 :004A2D3B A1600B4F00 mov eax, dword ptr [004F0B60] :004A2D40 0FB6404B movzx eax, byte ptr [eax+4B] :004A2D44 05A40A0000 add eax, 00000AA4 :004A2D49 50 push eax :004A2D4A 8BC3 mov eax, ebx :004A2D4C E8AF880300 call 004DB600 :004A2D51 50 push eax :004A2D52 E8811BF6FF Call 004048D8 ; user32.PostMessageA The address is read, and I think used for the opening NAG. D. The forth one: :0043D1A4 FC cld :0043D1A5 57 push edi :0043D1A6 89C7 mov edi, eax ; EDI=5A2943 (my EAX+4B you saw earlier) :0043D1A8 30C0 xor al, al :0043D1AA B9FFFFFFFF mov ecx, FFFFFFFF :0043D1AF F2 repnz :0043D1B0 AE scasb :0043D1B1 91 xchg eax,ecx :0043D1B2 F7D0 not eax :0043D1B4 48 dec eax :0043D1B5 5F pop edi :0043D1B6 C3 ret This scans for the value AL (=0). This is only a compare method. The result of this procedure is whether you are registered or not. So what have you learned: three of these are readers, the first one is a writer. Probably the address is not written because registration information is missing, but (A) could also write the results of this check. You can go deeper on this (it's the best to do) - a good programmer will modify the first one - but as I said I'm no programmer. The easiest way is to change the second memory check. 10.We're going to change the first compare (B) into a writing. We saw earlier the following compare: :0048AF2A A1600B4F00 mov eax, dword ptr [004F0B60] :0048AF2F 80784B00 cmp byte ptr [eax+4B], 00 :0048AF33 7513 jne 0048AF48 :0048AF35 8B1580254F00 mov edx, dword ptr [004F2580] ; Text Unregistered Just BPX CS:48AF2F. Run the programme again until SoftIce pops up at this address. Press A and enter and enter the following command lines: MOV BYTE PTR [EAX+4B],1 JMP 48AF48 You're lucky, the assembler says the next command line will start at 48AF35. Just press enter and write down the new command codes (it is: C6404B01 and EB13). If the new commands are shorter (they don't reach 48AF35) then you can NOP accordingly. In case it's longer it's no problem for this programme because the lines from 48AF35 to 48AF48 aren't used anymore (but you have to be careful that 48AF48 doesn't change!). You'll see that everything works like you're registered. 11.Now you only have to patch the programme (change 80784B0075138B into C6404B01EB138B) and test the programme with a new system date. That's it. Hope to see you in The Netherlands, TheBrabo. Keep in mind that this tutorial is not illegal, using unregistered versions is! You sometimes can correct errors in programmes (like in PCB Developer's Individual Assistant which I found the other day). In countries with the EU law you are allowed to make use of these patches.