Copy Link
Add to Bookmark
Report

PhRoZeN CReW - Tutorial 3 - 27-8-1997

eZine's profile picture
Published in 
PhRoZeN CReW
 · 1 year ago

                          ‹‹€€≤‹‹                   ∞ 
‹≤≤flfl flfl≤≤‹‹ ˛ fl ‹ ± ‹‹≤≤‹
‹ ‹fl ‹‹‹€€€€‹‹‹ fl€≤‹ fl ‹≤ ˛flflflflfl€€≤≤‹
‹fl fl ‹ fl ‹€€≤≤€€€€€€€€‹ fl€€ ∞ ∞ ∞∞±±≤≤≤€€€€€‹‹‹ flfl€€‹
fi› ‹€€flfl fl€€€≤€€ fi€€‹ ‹ ‹€€€€≤€€€€€€€€‹ fl≤≤fl
fl‹ ‹flfl ‹ ∞∞ fi€≤≤≤€› €fl fi€€€flfl€€€€€€€€€≤€
fl fl ‹‹‹€€ €€€≤€€€ fl ‹ ‹€€€› fi≤€€€€€≤≤≤≤±±∞∞ ∞ ∞
˛ ‹‹‹‹€€€€€≤≤€› €‹‹€€€€€€€› fl fl€≤€€€ fl≤€€€€flfl≤fl ‹‹
fl‹ fl≤≤€€€≤≤≤≤€› €≤≤€€€€€€≤€ ‹ ∞ ∞∞ ‹ fl≤≤€ flfl ‹‹ ± ‹≤≤fl
fi≤‹ €€€€€€≤≤≤›€€≤€€€€€€€fl ∞ ∞ ∞ €€‹ fl≤› ‹≤€≤fl ∞ fifl
≤€€€›fi€€€€€€≤≤› fl€€€≤≤flfl fi≤€€€ fl fl≤fl
∞ ∞ ∞∞±±≤≤≤€€ €€€€€€≤≤€ ≤≤≤€€›
±≤≤€€€ €≤€€€€€≤≤› ∞∞∞∞∞ ∞ ∞ fl≤≤fl ‹ ‹€≤‹
± ≤fl €≤€€€€€€≤€ ∞∞∞ ∞ ∞ fl ‹ ± ‹≤ ‹ ∞ fl€€€≤‹ ∞
∞ fi≤≤€€€€€€€≤€‹ ∞ ∞ fi€≤‹‹€≤› fl≤fl∞∞∞∞ fi€≤≤≤fl fl ∞∞∞∞ ∞
‹≤≤€€€€€flflflflflflfl ∞ ∞∞∞±±≤≤≤€€€› ∞ ‹€€≤≤€‹‹ ∞
‹‹€≤€flflfl ‹≤€‹‹ ± fl€€€‹ ‹≤flfl flflfl≤‹‹
‹˛flfl fl€≤≤€€‹ ∞ fl≤€€‹‹flfl ‹˛ fl fl ‹
‹ ‹ ˛ ‹ flfl≤€€‹ fi≤≤fl ∞ fi› ∞∞ fi›
fi› fl ‹ fl flfl‹ ∞ ‹fl ∞ ∞∞∞ fl‹ €
fl‹ fl fi€‹ [cH]fi€ fl ‹ fl ∞ fl ‹ fl
˛ ‹ ˛fl ‹≤fl flfl ‹ ˛fl
˛fl

Hi dudes!

I'm here in the hospital, nice nurses! :-) This time I would like to teach you how to crack time limit (or date expiration) and how to remove some NAGS. I know I've promised you to write a tutor about Soft-ICE but this time I couldn't because I don't have enough memory to run SI.

(I've only 8 meg RAM on LapTop) :-)

Sorry for my bad grammatical errors, I hope you'll understand this piece! :-)
Ok, let's go!

TOOLS

  • For tools you need the followings: (I use these tools, I assume you'll use 'em)
  • W32Dasm 8.9 or high version (use FTP search: W32DSM89.ZIP)
  • Hacker's View 5.65 (E-mail: sen@suslikov.kemerovo.su)
  • FAR 1.40b (ftp://ftp.elf.stuba.sk/pub/pc/utilfile/far140b.exe) It's real nice!
  • Or ask any crackers to get you these tools, they'll be happy to serve you! :-)

CONTENTS

(Because of no modem here for a while I couldn't grab the latest shareware, so I use those old programs for demonstration.)

PART 1a: To remove NAGs in Horas 2.1a (without W32Dasm)

(I use this part alltime 'cos it's easier and faster)

Step 1. Run HORAS.EXE

Step 2. Now you see these annoying NAGs screen, you would like to remove this NAGs, right? :-)

Step 3. Ok, exit the program.

Step 4. Run FAR, go to Horas directory.

Step 5. Copy HORAS.EXE to HORAS.EXX (for backup) and run HIEW HORAS.EXE.

Step 6. Press F4 to select HEX Mode, now you'll see HEX craps in HORAS.EXE. No need to pee your pants! :-)

Step 7. Do you remember what the crap says in NAGs screen? Ah, you should write down these craps when running PEXE32.EXE. Like "Welcome to Horas" or "Horas is a shareware application. You are invited to.." etc etc.

Step 8. Press F7 to search, enter "welcome" (at ASCII field). Does it find the string? Ok, remember HORAS.EXE file is a 32bit program, so it'll use "00" string between each letter like "w e l c o m e" (not space character between in!)

Step 9. Press F7 again, enter "w" (at ASCII), press DOWN arrow key, enter "00" (at HEX field), press UP arrow key, enter "e", press DOWN, "00", UP, "l", DOWN, "00", UP, "c", DOWN, "00", UP, "o", DOWN, "00", UP, "m", DOWN, "00", UP, "e". You should see the following:

        …Õ[F2:Forward /F4:Full ]ÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕ... 
∫ ASCII: w e l c o m e∞∞∞∞∞∞∞ ...
∫ ...
∫ Hex: 77 00 65 00 6C 00 63 00 6F 00 6D 00 65 ∞∞∞∞∞∞...
»ÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕ...

Step 10. Ok, press ENTER to find these string. Now you'll see like this:

.000478C0:  06 00 00 00-00 00 DE 00-64 00 00 00-00 00 57 00       fi d     W 
.000478D0: 65 00 6C 00-63 00 6F 00-6D 00 65 00-20 00 74 00 e l c o m e t
.000478E0: 6F 00 20 00-25 00 73 00-00 00 08 00-4D 00 53 00 o % s M S
.000478F0: 20 00 53 00-61 00 6E 00-73 00 20 00-53 00 65 00 S a n s S e
.00047900: 72 00 69 00-66 00 00 00-00 00 02 50-00 00 00 00 r i f P
.00047910: 07 00 07 00-D0 00 30 00-84 69 FF FF-82 00 25 00 – 0 ÑiˇˇÇ %
.00047920: 73 00 20 00-69 00 73 00-20 00 61 00-20 00 73 00 s i s a s
.00047930: 68 00 61 00-72 00 65 00-77 00 61 00-72 00 65 00 h a r e w a r e
.00047940: 20 00 61 00-70 00 70 00-6C 00 69 00-63 00 61 00 a p p l i c a
.00047950: 74 00 69 00-6F 00 6E 00-2E 00 20 00-20 00 59 00 t i o n . Y
.00047960: 6F 00 75 00-20 00 61 00-72 00 65 00-20 00 69 00 o u a r e i

Step 11. Look at FF FF 82 just before the string "%s is a shareware.." It's where it'll generate dialogs, remember only 2 or 4 FF's and 82 bytes will do the tricks! Now use the arrows key to bring the cursor at "82" You'll see "4791C" above the screen, now press F3 and change "82" to "7E", look above the screen, you're at Offset Address 4191C. It's where you can patch it. Press F9 to update HORAS.EXE. Somebody has told me that you can change "82" to "90" in stead of "7E", 90 or 7E will do the same tricks.

Step 12. Remember only 4 FF's and 82 bytes will work otherwise you can fuck your arse. Sometimes 2 FF's and 82 bytes would work, now once you've changed "82" to "7E", it won't generate the dialogs. Exit HIEW and run HORAS.EXE.

Step 13. Do you see those NAGs screen? Kewl!! You've cracked Horas 2.1a!!

PART 1b: To crack date expiration in Horas 2.1a (with W32Dasm)

Step 1. Run HORAS.EXE

Step 2. You'll see the error message which it says that it has expired. (You should write down this message) and exit the program.

Step 3. Run FAR, go to Horas directory.

Step 4. Copy HORAS.EXE to HORAS.EXX (for backup) and copy HORAS.EXE to HORAS.W32 (for use by W32Dasm)

Step 5. Run W32Dasm and disassemble HORAS.W32.

Step 6. Once it's disassembled, click STRING DATA REFERENCE, look down for the string "The evaluation period for this product has expired. Please..". (You should remember that error message), double click on it.

Step 7. Close SDR window, you should see the line:

        * Possible Reference to String Resource ID=25016: "The evaluation per.. 
:0040C975 68B8610000 push 000061B8
...

Step 8. Ok, press UP arrow key till you see:

        * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: 
|:0040C904 (C), :0040C918 (C), :0040C92D (C)
|
...

Step 9. Now press PgUp key 2 or 3 times till you see:

        :0040C8F7 85C0                    test eax, eax 
:0040C8F9 0F85BD000000 jne 0040C9BC
:0040C8FF 8B4628 mov eax, dword ptr [esi+28]
:0040C902 85C0 test eax, eax
:0040C904 756B jne 0040C971
:0040C906 8B17 mov edx, dword ptr [edi]
:0040C908 51 push ecx
:0040C909 8BC4 mov eax, esp

Step 10. Look at 0040C904, do you remember that referenced addresses? Now look up till you find the last comparison like "test" or "jne" etc. Look at 0040C8F7, it's where it will jump to when it has expired. Let's try. Make sure the green color bar is on 0040C8F9 0F85BD000000 jne 0040C9BC and you should see Offset address below on the screen like @Offset 0000BCF9h. It's where you can patch it in HORAS.EXE.

Step 11. Go back to FAR, run HIEW HORAS.EXE, press F4 to select Decode mode (ASM), press F5 and enter BCF9. You should see like:

    .0000C8F9: 0F84BD000000                 je    .00000C9BC   ---------- (1) 
.0000C8FF: 8B4628 mov eax,[esi][00028]
.0000C902: 85C0 test eax,eax

Step 12. That's where you can change the bytes, press F3, enter 0F85, press F9 to update HORAS.EXE. Exit HIEW.

Step 13. Run HORAS.EXE, does it expire? Voila! You've cracked Horas 2.1a!!

PART 2a: To crack date expiration in WinHacker95 2.0b3 (with W32Dasm)

Step 1. Run WH95.EXE

Step 2. You'll see the error message which it says that it has expired, or else you'll have to register it. (You should write down this message) and exit the program.

Step 3. Run FAR, go to WH95 directory.

Step 4. Copy WH95.EXE to WH95.EXX (for backup) and copy WH95.EXE to WH95.W32 (for use by W32Dasm)

Step 5. Run W32Dasm and disassemble WH95.W32.

Step 6. Once it's disassembled, click STRING DATA REFERENCE, look down for the string "Your trial period is over!". (You should remember that error message), double click on it.

Step 7. Close SDR window, you should see the line:

        * Possible StringData Ref from Data Obj ->"Your trial peroid is over!" 
:00429977 6844D34400 push 0044D344
:0042997C 8D8208020000 lea eax, dword ptr [edx+00000208]
:00429982 50 push eax

Step 8. Ok, press UP arrow key till you see:

        * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: 
|:004298AE (C)
|
...

Step 9. Now press PgUp key 4 or 5 times till you see:

          :004298AE 0F82A1000000            jb 00429955 
:004298B4 7517 jne 004298CD
:004298B6 51 push ecx
:004298B7 8D8208020000 lea eax, dword ptr [edx+00000208]

Step 10. Look at 004298AE, do you remember that referenced addresses? It's where it will jump to when it has expired. Let's find out. Make sure the green color bar is on 004298AE 0F82A1000000 jb 00429955 and you should see Offset address below on the screen like @Offset 00028CAEh. It's where you can patch it in WH95.EXE.

Step 11. Go back to FAR, run HIEW WH95.EXE, press F4 to select Decode mode (ASM), press F5 and enter 28CAE. You should see like:

   .000298AE: 0F82A1000000                 jb    .000029955   ---------- (1) 
.000298B4: 7517 jne .0000298CD ---------- (2)
.000298B6: 51 push ecx

Step 12. That's where you can change the bytes, press F3, enter EB0090909090, press F9 to update WH95.EXE. Those EB00 will say not to jump but to continue on next line, and those 90909090 will make them NOP, got it? Exit HIEW.

Step 13. Run WH95.EXE, does it expire? Voila! You've cracked WH95 2.0b3!!

PART 2b: How to crack WH95 2.0b3 (to enter any serials)

Step 1. Run WH95.EXE

Step 2. Enter "TKC/PC '97" at Name, at Company: "PC '97", and Serial: "12345" and click on Register.

Step 3. You'll see the error message. (You should write down this message) and exit the program.

Step 4. Run FAR, go to WH95 directory.

Step 5. Copy WH95.EXE to WH95.EXX (for backup) and copy WH95.EXE to WH95.W32 (for use by W32Dasm)

Step 6. Run W32Dasm and disassemble WH95.W32.

Step 7. Once it's disassembled, click STRING DATA REFERENCE, look down for the string "Invalid Serial Number!". (You should remember that error message), double click on it.

Step 8. Close SDR window, you should see the line:

        * Possible StringData Ref from Data Obj ->"Invalid Serial Number!" 
:00429719 68E0D24400 push 0044D2E0
:0042971E 8D4DF0 lea ecx, dword ptr [ebp-10]
...

Step 9. Ok, now you must look for the last comparison like CMP, JNE, JE, TEST, etc before the error string. Press UP arrow key till you find:

        :004296FB 7474                    je 00429771 
:004296FD 8B4DF0 mov ecx, dword ptr [ebp-10]
:00429700 C7416C00000000 mov [ecx+6C], 00000000
...

Step 10. Now you know where it jumps to when you've entered the wrong code. Let's see see if it will work when we replace "je" with "jne" or with "eb". Make sure the green color bar is on :004296FB 7474 je 00429771, you should see Offset address below on the screen like @Offset 00028AFBh. It's where you can patch it in WH95.EXE.

Step 11. Go back to FAR, run HIEW WH95.EXE, press F4 to select Decode mode (ASM), press F5 and enter 28AFB. You should see like:

   .000296FB: 7474                         je    .000029771   ---------- (1) 
.000296FD: 8B4DF0 mov ecx,[ebp][-0010]
.00029700: C7416C00000000 mov d,[ecx][0006C],000000000

Step 12. That's where you can change the bytes, press F3, enter EB, press F9 to update WH95. Exit HIEW.

Step 13. Run WH95.EXE, enter any code. Does it work? Don't pee, let's continue.

Step 14. Run WH95.EXE again.

Step 15. Enter "TKC/PC '97" at Name, at Company: "PC '97", and Serial: "12345" and click on Register.

Step 16. You'll see another error message. (You should write down this message) and exit the program.

Step 17. Go back to W32Dasm, click STRING DATA REFERENCE, look down for the string "Error 1000: Invalid Serial Number!". (You should remember that error message), double click on it.

Step 18. Close SDR window, you should see the line:

       * Possible StringData Ref from Data Obj ->"Error 1000: Invalid Serial.." 
:004229C3 686CCE4400 push 0044CE6C
:004229C8 E8C3030000 call 00422D90
...

Step 19. Ok, now you must look for the last comparison like CMP, JNE, JE, TEST, etc before the error string. Press UP arrow key till you find:

        :004229BC 7424                    je 004229E2 
:004229BE 6A3B push 0000003B
:004229C0 8B4DEC mov ecx, dword ptr [ebp-14]
...

Step 20. Now you know where it jumps to when you've entered the wrong code. Let's see see if it will work when we replace "je" with "jne" or with "eb". Make sure the green color bar is on :004229BC 7424 je 004229E2, you should see Offset address below on the screen like @Offset 00021DBCh. It's where you can patch it in WH95.EXE.

Step 21. Go back to FAR, run HIEW WH95.EXE, press F4 to select Decode mode (ASM), press F5 and enter 21DBC. You should see like:

     .000229BC: 7424                         je    .0000229E2   ---------- (1) 
.000229BE: 6A3B push 03B
.000229C0: 8B4DEC mov ecx,[ebp][-0014]

Step 22. That's where you can change the bytes, press F3, enter EB, press F9 to update WH95. Exit HIEW.

Step 23. Run WH95.EXE, enter any code. Voila! You've cracked WH95 2.0b3!! Ok, enough for now. I hope you've enjoyed this tutor too much as I did! :-)

I'll see you next time at Tutor #4!

Have fun,

The Keyboard Caper,
The Founder of PhRoZeN CReW '94 - '97
27-8-1997

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT