Cracking Air Messanger LAN Server v1.5 Updated in 03/06/99
Made by UFK ufk@hotmail.com
----------------------------------------------------------
this is my 1st tutorial so bare with me here :)
if you find things to improve please let me know.
* NOTICE * * NOTICE * * NOTICE * * NOTICE * * NOTICE * * NOTICE *
there are 2 different versions of this program.in one the EXE file is 875,520 and in the
newer it's 876,544. so i'm gonna teach you to crack the 876,544 Version.
don't ask me why they're both the same version! :D i didn't make this program.
i'm currently using NT4 Service Pack 4 to crack the program.
ok so the tools that we need to crack it is an Hex editor, IDA and SoftICE.
this tutorial is not for too begginers cause you need to have a bit of
an IDA background. ok.. so lets start. install that program, and start
disassembling it with IDA. while you're doing it run the program.
ok first we have an annoying NAG screen. wait i'll run the program too.
an annoying neg about Continue or Web Register crap.
ok now you see when your program will be expired. same as in the
about window.. you see when the program will be expired and lots of
demo versions texts and crap. ok.. now change your computers date to some
date that the program will stop working. ok now run it, and voila!
an annoying nag "Your 30 Day Trial Has Expired!". now i tried to find in
IDA the text "your 30", "trial".. anything. but i found nothing that
got to do with that nag. i tried with softice to bpx on messageboxexa,
messageboxa but nothing! doesn't break. i tried on CreateWindowExa and it
breaks too much :) the thing is that we didn't notice this one little thing.
the BEEP the we hear when the nag appears. ok so we go to IDA to
View->Segments->.idata in idata you can find the external functions calls.
so i don't know what function does a beep so i'll search for the word "beep"
with alt-t. text search. and what do you know? i found messagebeep with only
one x-ref. now press on the x-ref. and uh-oh. too many x-refs in it.
so what we're going to do is to run Softice, to bpx on MessageBeep.
to run the LAN program and when it breaks to find out where it breaks.
how do we do that? simply. after softice breaks on Messagebeep.
press F12 to get out of the function. now press "code on" so you'll see
the hex values of each command. and copy the hex values
of the messagebeep call and the function after it.
001B:004577FC E8 5B DC FA FF call j_messagebeep
001B:00457801 F7 D8 neg eax
now search for those bytes with binary search (alt-b) in IDA. you found it!
now check if it's the same address as in softice (4577FC). yes it is!
now we're gonna mark this point with alt-M so it will be easy for us to go
to it later on. now look at the code, there's a beep, and before it a push,
and before it a LABEL! that's very nice :D that problebly means that if
you're not registered it jumps here. so we press on the X-Ref and yep.
we see JZ to that address.
CODE:004577F2 74 06 jz short CODE_4577FA
so you see the memory address? break on it with softice. change the flags
so it won't jump and see if it works. there's a chance that it will break
several times so change the flags each time. ok.. there's no NAG!! but the
program quits on us. poop. not good. so what now? simply. we'll move one
jmp backwards. hey what do we see here!
jnz to some address, mov, cmp, and then jz to the same address!
ok so we'll change the jnz cause it's the first jmp to the same address.
the memory address of that jmp is 4577da.
cmp byte ptr [eax+82h], 0
jnz short CODE_457830 ; THIS IS WHAT WE'RE TRYING TO CHANGE NOW!
mov eax, [ebp+var_4]
cmp byte ptr [eax+81h], 0
jz short CODE_457830
mov eax, [ebp+var_4]
cmp byte ptr [eax+98h], 0
jz short CODE_4577FA ; that's the last jmp we tried to change and didn't work!
mov [ebp+var_5], 0
jmp short CODE_457830
CODE_4577FA:
push 40h
call j_MessageBeep ; BEEEEEEEEEEEP!
neg eax
ok now.. it breaks several times.. make it jmp man! and voila! it works! :D
ok so now we already marked it with alt-M so we know where we wanna change
what. now lets move forward. i don't like this nag when i run the program!
and when it says demo version in the about box.. yuck! ok.. so this is a
method that i use in almost every program i wanna crack. do a binary search
with IDA for "registered to:". and ok.. we found 2! :D with one x-ref to each.
add bh, bh
db 3 dup(0FFh), 0Fh, 3 dup(0)
str->RegisteredTo db 'Registered To: ',0 ; DATA XREF: CODE:00478835�o
db 4 dup(0FFh), 0Bh
AND
add [eax], al
db 4 dup(0FFh), 0Fh, 3 dup(0)
str->RegisteredTo_0 db 'Registered To: ',0 ; DATA XREF: CODE:0047D3B6�o
push ebp
mov ebp, esp
ok.. so press on the X-REF of the 1st "Registered to:" string. you can
see a label before that line. press on the X-ref and there's a jnz to it.
so we know we need to change it to jmp! :D so it will always jmp to that
string. now go to the 2nd "Registered To:" and press on it's X-Ref.
now we see "mov edx, offset str->Registered_To_0". you can see something
a bit different but same idea. you can see a label before it. press on
it's X-REF and voila! a jnz! now we know we need to change
that to a jmp too. cool! now.. it's the time to use an hex editor.
i suggest you'll use Hacker's VIEW.
it's the best hex editor ever! why? cause we can change assembler commands
without knowing their hex values. that's my most fav option in it :D ok.
i'm not gonna teach you how to change bytes cause it's not an hacker's
view editor. but if you have problems you can always e-mail me and ask.
of course you can you use any hex editor you like but.. HIEW is very powerful.
ok hope you understand something. bu-bye for now.
IRCNICK: UFK
EMAIL : UFK@HOTMAIL.COM
ICQ : 1416041