__I'''''''''''''''''''''''''''''''''''''''''''I__ The Ultimate Beginner Cracker's Book v1.4 __I'''''''''''''''''''''''''''''''''''''''''''I__
                                                  I by basdog22 I
-------------------------------------------------------------------------------------------------------------------------------------------------

Well, I started writing this tut because there are NOT a lot of them available on the NET, even now that the knowledge is widespread. This tut is aimed at the very newbies, so if you are an advanced or an intermediate cracker, throw it away, because it just occupies space on your HDD and nothing more.

I would like to apologise for my bad English and for the spelling mistakes that I will surely make here. English isn't my mother tongue, so don't blame me ;)

First of all: set your notepad's window width so that the line below is shown in its full length:
<------------------------------------------------------------------------------------------------------------------------------------------------>

""""""""""""""""""""""""""""""""""""""Cracking IDA (Interactive Disassembler)""""""""""""""""""""""""""""""""""""""

Hello. This tut is late and I apologize for that. Today we will crack our first commercial prog. IDA (The Interactive Disassembler) is a powerful disassembler, better than W32Dasm but harder for newbies to work with. You can even disassemble packed executables with this yummy tool. You can find IDA on a lot of homepages on the NET, but what we want right now is the DEMO version of it, which is located at http://crackpltools.prv.pl/

~~~~~~~~~~~~~~~~~
OK, if you downloaded and installed it, run it, and after the NAG screen you see...
Oops, a message tells us: "Sorry, the evaluation version is expired".
~~~~~~~~~~~~~~~~~~~~
Grab this message and fire up W32Dasm, disassemble the file Idag.exe, and in the SDR (String Data References) look for:
"Sorry the evaluation version is expired" <------ D-Click on it and you land here:

------------------------------------------------------------Cut here--------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412286(C) <----------------------------<------------------------------<------------ Smile ;=)
|
:00412292 6A00           push 00000000
:00412294 E8E78A0900     call 004AAD80
:00412299 59             pop ecx
:0041229A 3DD00E503A     cmp eax, 3A500ED0
:0041229F 7C3E           jl 004122DF

* Possible StringData Ref from Data Obj ->"Sorry, the evaluation version "
                                        ->"is expired."
|
:004122A1 68CD634B00     push 004B63CD <------------------- We land here
:004122A6 E81921FFFF     call 004043C4
:004122AB 59             pop ecx
:004122AC BAF0FFFFFF     mov edx, FFFFFFF0
:004122B1 8B0D24564C00   mov ecx, dword ptr [004C5624]
:004122B7 8B01           mov eax, dword ptr [ecx]
:004122B9 8B80A4060000   mov eax, dword ptr [eax+000006A4]
:004122BF E850CB0900     call 004AEE14
:004122C4 8BD8           mov ebx, eax
:004122C6 A124564C00     mov eax, dword ptr [004C5624]
:004122CB 8B10           mov edx, dword ptr [eax]
:004122CD 8B82A4060000   mov eax, dword ptr [edx+000006A4]
:004122D3 FFD3           call ebx
:004122D5 B801000000     mov eax, 00000001
------------------------------------------------------------Cut here--------------------------------------------------------------------------

So this message is referenced by a (C)onditional jump at address 00412286. Press Shift+F12 (Goto Code Location), type this address into the text box and hit OK. It takes us here:

------------------------------------------------------------Cut here--------------------------------------------------------------------------
* Reference To: IDA.Ordinal:0191, Ord:0191h
|
:0041227E E897D20900     Call 004AF51A
:00412283 833F01         cmp dword ptr [edi], 00000001
:00412286 750A           jne 00412292 <---------------------- We are here
:00412288 B801000000     mov eax, 00000001
:0041228D E8DEB50100     call 0042D870

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412286(C)
|
:00412292 6A00           push 00000000
:00412294 E8E78A0900     call 004AAD80
:00412299 59             pop ecx
:0041229A 3DD00E503A     cmp eax, 3A500ED0
:0041229F 7C3E           jl 004122DF
------------------------------------------------------------Cut here--------------------------------------------------------------------------

So the "750A jne 00412292" is the jump that leads into the block with the "Expired" message; at least that is what the cross-reference tells us. Look at the status bar at the bottom of W32Dasm: the line we are on is at file offset 00011886h. (Check: the virtual address 00412286 and the file offset 00011886 differ by 400A00h, and the same difference holds for every other code address in this listing, because they all sit in the same section, so you can convert the other addresses by hand.) Fire up your hex editor, go to offset 00011886 and look for the bytes 75 0A. Change them to 74 0A (74 is je, 75 is jne, both two bytes long), save, and run Idag.exe. But shit, again the same message. Why???

Well, let's look at the code again:

------------------------------------------------------------Cut here--------------------------------------------------------------------------
* Reference To: IDA.Ordinal:0191, Ord:0191h
|
:0041227E E897D20900     Call 004AF51A
:00412283 833F01         cmp dword ptr [edi], 00000001
:00412286 750A           jne 00412292 <------------------ This is our jump
:00412288 B801000000     mov eax, 00000001
:0041228D E8DEB50100     call 0042D870

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412286(C) <------------------------------------------------------------ This is where we were referenced from
|
:00412292 6A00           push 00000000
:00412294 E8E78A0900     call 004AAD80
:00412299 59             pop ecx
:0041229A 3DD00E503A     cmp eax, 3A500ED0
:0041229F 7C3E           jl 004122DF <----------------------- Jump if less???

* Possible StringData Ref from Data Obj ->"Sorry, the evaluation version "
                                        ->"is expired."
|
:004122A1 68CD634B00     push 004B63CD <------------- When we D-Click on the message we land here
:004122A6 E81921FFFF     call 004043C4
:004122AB 59             pop ecx
:004122AC BAF0FFFFFF     mov edx, FFFFFFF0
:004122B1 8B0D24564C00   mov ecx, dword ptr [004C5624]
:004122B7 8B01           mov eax, dword ptr [ecx]
:004122B9 8B80A4060000   mov eax, dword ptr [eax+000006A4]
:004122BF E850CB0900     call 004AEE14
:004122C4 8BD8           mov ebx, eax
:004122C6 A124564C00     mov eax, dword ptr [004C5624]
:004122CB 8B10           mov edx, dword ptr [eax]
:004122CD 8B82A4060000   mov eax, dword ptr [edx+000006A4]
:004122D3 FFD3           call ebx
:004122D5 B801000000     mov eax, 00000001
------------------------------------------------------------Cut here--------------------------------------------------------------------------

So we changed the jump at 00412286, which means it now jumps when [edi] equals 1 instead of when it does not. What that got us was (at most) the NAG screen out of the way, not the time limit. Look at the listing again: the jump target is 00412292, and the fall-through path (00412288, 0041228D) also ends at 00412292, because that is simply the next instruction after the call. So whatever we do at 00412286, the code always arrives at the time check. A little further down, at 0041229F, we see "jl 004122DF": jump if less (if the date is less than the limit???). The three instructions before it (push 0 / call 004AAD80 / pop ecx) look like a C-style call to time(), and the constant 3A500ED0h read as a 32-bit Unix timestamp is 978325200 decimal, which is 2001-01-01 05:00:00 UTC. That reading is an inference from the code, not something the program tells us, but it fits an expiry date perfectly. So when execution reaches this address it does not jump, because the current time is greater than the limit, and it goes on to the "Expired" message. What we must do is turn the conditional jl into an unconditional jump: change 7C3E into EB3E (7C is jl rel8, EB is jmp short rel8; both are two bytes, so the displacement 3E stays the same and nothing else moves). Fire up your editor again, go to offset 0001189F, find 7C 3E, change it to EB 3E, save and exit. Now run Idag.exe. WOW, it works. We just cracked the time limit protection.

But do you remember what the NAG screen told us at the beginning of the prog??? It said:

Evaluation version with the following limitations:
1. Only MS Windows (PE) files are supported <----- I don't think this is important unless you want to disassemble .com files. (Fairly easy to crack)
2. It is time limited <------------------------------------------ We just cracked this one
3. Save is disabled <---------------------------------------- We are not ready yet for reverse engineering

But I have found another limitation: try to disassemble Idag.exe with IDA and you get this message: "Sorry, the demo version will not disassemble itself. Please select another file". So the DEMO version can't disassemble itself. COOL, this is something I will leave for you to do, something like homework. It is a little bit tricky and we will do it together in my next tut, but give it a try.

--------------------------------------------------------------------------------------------------------------------------------------------------
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
Thanks for reading this shit. I hope you gained some knowledge from this tut.
My main goal was to help people who are interested in starting with the art of cracking (not even newbies yet) but didn't know what tools to get and how to make them work.
If you think that I should add some stuff to this tut, or anything else, you can send me your ideas to basdog22@yahoo.com; I would appreciate it.
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
In my next tutorial, version 1.5, we will finish what we started today by cracking the "Can't disassemble itself" limitation. You can download IDA from ---------> http://crackpltools.prv.pl/
Till then, go out there and have a drink with your girl and have fun, because real life is out there...
to be continued...
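The offset conversion and the two byte patches from the tutorial, done with a script instead of by hand in a hex editor. This is an added example, not part of the original tutorial and not IDA's code: it walks the PE section table to turn a virtual address into a file offset and refuses to write unless the bytes already there are exactly what the W32Dasm listing shows (so a wrong offset or a different build of Idag.exe cannot be corrupted by mistake). The demo image it builds for itself is a constructed, mostly empty PE32 whose .text section is placed so that VA 00412286 maps to file offset 00011886; the section's virtual address (1000h) and raw pointer (600h) are assumptions, since the tutorial gives only the VA and the resulting offset. Pass a real file path to patch that file instead (a copy with .patched appended is written).

```python
"""Convert a virtual address from the disassembly to a file offset and patch
the bytes there, refusing to write if the file does not hold the expected
original bytes.  Added example; not IDA's code, not part of the tutorial."""
import struct
import sys

# (virtual address, bytes the listing shows there, replacement): the two
# patches from the tutorial.  Only the second one defeats the date check.
PATCHES = [
    (0x00412286, b"\x75\x0a", b"\x74\x0a"),   # jne 00412292 -> je 00412292
    (0x0041229F, b"\x7c\x3e", b"\xeb\x3e"),   # jl 004122DF  -> jmp 004122DF
]


def parse_sections(pe):
    """Read ImageBase and the section table: [(name, va, vsize, raw_ptr, raw_size)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                            # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                         # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                       # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i          # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, hdr)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(image_base, sections, va):
    """Map a VA to its raw file offset through the section that contains it."""
    rva = va - image_base
    for name, sec_va, vsize, raw_ptr, raw_size in sections:
        if sec_va <= rva < sec_va + max(vsize, raw_size):
            delta = rva - sec_va
            if delta >= raw_size:              # virtual-only tail (e.g. .bss)
                raise ValueError("%#x has no bytes on disk in %s" % (va, name))
            return raw_ptr + delta
    raise ValueError("%#x is not inside any section" % va)


def patch(data, offset, expected, new):
    """Overwrite bytes at offset only if the current bytes equal `expected`."""
    if len(expected) != len(new):
        raise ValueError("a patch must not change the length")
    actual = bytes(data[offset:offset + len(expected)])
    if actual != expected:
        raise ValueError("at %#x expected %s but found %s"
                         % (offset, expected.hex(), actual.hex()))
    data[offset:offset + len(new)] = new
    return offset


def apply_patches(image, patches=PATCHES):
    """Apply every patch to the bytearray; returns the file offsets written."""
    image_base, sections = parse_sections(image)
    return [patch(image, va_to_file_offset(image_base, sections, va), old, new)
            for va, old, new in patches]


def build_demo_image():
    """Constructed stand-in for Idag.exe: a mostly empty PE32 whose .text
    section is laid out so that VA 00412286 lands at file offset 00011886.
    Section VA 1000h and raw pointer 600h are assumptions; only the header
    fields this script reads are filled in."""
    text_va, text_raw_ptr, text_raw_size = 0x1000, 0x600, 0x11A00
    img = bytearray(text_raw_ptr + text_raw_size)
    img[:2] = b"MZ"
    e_lfanew, opt_size = 0x80, 0xE0
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x400000)          # ImageBase
    struct.pack_into("<8sIIII", img, opt + opt_size,
                     b".text", text_raw_size, text_va, text_raw_size, text_raw_ptr)
    img[0x11886:0x11888] = b"\x75\x0a"       # jne 00412292, as in the listing
    img[0x1189F:0x118A1] = b"\x7c\x3e"       # jl 004122DF, as in the listing
    return img


if __name__ == "__main__":
    data = bytearray(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else build_demo_image()
    for off in apply_patches(data):
        print("patched file offset %#x" % off)
    if len(sys.argv) > 1:
        open(sys.argv[1] + ".patched", "wb").write(data)
```

Running it a second time on the same file fails on the first patch, because 75 0A is no longer at 00011886; that is the behaviour you want from a patcher, since silently re-patching different bytes is how a wrong offset turns into a broken executable.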
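A small model of the two branches in the listing, added here (not part of the tutorial, and it calls none of the program's real functions) to show why the first patch cannot stop the "expired" message and why the second one does. It also decodes the comparison constant; reading call 004AAD80 as time() and 3A500ED0h as a 32-bit Unix timestamp are inferences from the code, not facts the program states.

```python
"""Model of the control flow between 00412283 and 0041229F in the W32Dasm
listing.  Added illustration; inferences (not stated by the program):
call 004AAD80 behaves like time(), 3A500ED0h is a 32-bit Unix timestamp."""
from datetime import datetime, timezone

LIMIT = 0x3A500ED0           # immediate of 'cmp eax, 3A500ED0' at 0041229A


def to_signed32(value):
    """Interpret a 32-bit register value as signed, the way jl does."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def limit_as_utc():
    """Decode the comparison constant as a Unix timestamp (assumption)."""
    return datetime.fromtimestamp(LIMIT, tz=timezone.utc)


def jl_taken(eax, imm):
    """'cmp eax, imm' followed by 'jl': jump when eax < imm, signed compare.
    (Signed, so a time value past 7FFFFFFFh would count as 'less' again.)"""
    return to_signed32(eax) < to_signed32(imm)


def reaches_expired_message(edi_flag, now, jne_patched=False, jl_patched=False):
    """True if execution arrives at 004122A1, the push of the 'expired' string.

    edi_flag    value of dword ptr [edi] at 00412283
    now         value call 004AAD80 leaves in eax (seconds since the epoch)
    jne_patched 750A -> 740A at 00412286 (jne -> je)
    jl_patched  7C3E -> EB3E at 0041229F (jl -> jmp)
    """
    # 00412283 cmp dword ptr [edi], 1 ; 00412286 jne (or je) 00412292
    if jne_patched:
        jump_to_412292 = (edi_flag == 1)
    else:
        jump_to_412292 = (edi_flag != 1)
    if not jump_to_412292:
        # 00412288 mov eax,1 ; 0041228D call 0042D870 ; the next instruction
        # is 00412292 anyway, so both paths reach the time check.
        pass
    # 00412292 push 0 ; call 004AAD80 ; pop ecx   -> eax = now
    # 0041229A cmp eax, 3A500ED0 ; 0041229F jl (or jmp) 004122DF
    if jl_patched or jl_taken(now, LIMIT):
        return False             # jumped over the message block
    return True                  # fell through to 004122A1: "Sorry, ... expired"
```

With the model you can see at a glance that flipping the jne changes nothing about whether the message is reached; only the jl decides that, and replacing it with jmp removes the decision altogether.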