*************************************************************************************************
                                          CrackMe #5
*************************************************************************************************

Author:     n0p3x
Protection: Date Protection
URL:        http://www.phrozencrew.co.uk/crackme5.zip
Tools:      W32Dasm V8.93
            Hex-Editor

---> Intro...

Welcome to my next Tutorial !!!
This time we're not going to use SoftICE ;)
We need to make this CrackMe say that it's running in a good date, hehe :)

---> Let's Begin...

Open the CrackMe and you'll get a Message Box saying:

"The demonstration period for this program has been exceeded"

Ok, remember this line or write it down.
Now press "Ok" and then press "Exit" and open the CrackMe in W32Dasm.
Then click on "Strn Ref" (String Data References) and double click on the line:

"The demonstration period for this "

And you'll see this:

-------------------------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401097(C)
|
:004010A8 6800100000              push 00001000

* Possible StringData Ref from Data Obj ->"Bad Luck"
|
:004010AD 68CA204000              push 004020CA

* Possible StringData Ref from Data Obj ->"The demonstration period for this "
                                        ->"program has been exceeded"
|
:004010B2 688E204000              push 0040208E
:004010B7 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:0000h
|
:004010B9 E852040000              Call 00401510
-------------------------------------------------------------------------------------------------

This is the Message Box we see at the beginning of the CrackMe :)
Notice the (C)onditional Jump above, that's where the CALL to this Message Box comes from.
Let's check it out, and you'll see this:

-------------------------------------------------------------------------------------------------
:0040108F 59                      pop ecx
:00401090 817DF8CD070000          cmp dword ptr [ebp-08], 000007CD    <--- Hmmm...
:00401097 7F0F                    jg 004010A8                         <--- Here's the Jump

* Possible StringData Ref from Data Obj ->"Within Demonstration Time"
|
:00401099 6874204000              push 00402074

* Possible Reference to Dialog: DialogID_0001, CONTROL_ID:0065, ""
|
:0040109E 6A65                    push 00000065
:004010A0 53                      push ebx

* Reference To: USER32.SetDlgItemTextA, Ord:0000h
|
:004010A1 E85E040000              Call 00401504
-------------------------------------------------------------------------------------------------

See the "jg 004010A8" (Jump if Greater). Well, it jumps for us, so the value must be greater.
See the "cmp dword ptr [ebp-08], 000007CD", it compares some value located at [ebp-08] with 000007CD.
What's that value? We need a Hex-Converter for this ;)
I've got one in my Hex-Editor, if you haven't then search for it somewhere ;)
Anyway the value is:

000007CD = 1997

The year 1997 :P
Well, at the moment I'm in year 2001 :)
So the value must be for me:

2001 = 000007D1

Ok, now click on this Compare instruction in W32Dasm and you'll see at the bottom this:

"@Offset 00000690h"

That's the real Offset in your Hex-Editor.
Then open the file in your Hex-Editor, and don't forget to close W32Dasm, otherwise we can't save.
Now go to that address "00000690" and change this:

817DF8CD070000

into

817DF8D1070000

Now save the file and run it, it worked :P

That's all.

---> Greetings...

Everyone from TrickSoft (www.TrickSoft.net)
Everyone from Cracking4Newbies (www.Cracking4Newbies.com)
Everyone from Keygenning4Newbies (Keygenning4Newbies.cjb.net)
And You...

Don't trust the Outside, trust the InSiDe !!!

Cya...

CoDe_InSiDe
Email: code.inside@home.nl
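As an added example (not part of the original tutorial), the Python below decodes the seven bytes W32Dasm shows at :00401090 to recover the year the CrackMe compares against, and applies the same one-immediate patch from the walkthrough to a constructed stand-in buffer. It illustrates why a trial date stored as a cleartext imm32 next to a single conditional jump is such a weak protection: the check is fully described by those bytes and one file offset. The buffer SAMPLE_IMAGE is constructed; only the instruction bytes and the offset 0x690 come from the page.

```python
import struct

# Instruction bytes exactly as W32Dasm lists them at :00401090
ORIGINAL_CMP = bytes.fromhex("817DF8CD070000")
FILE_OFFSET = 0x690          # "@Offset 00000690h" from the tutorial


def decode_cmp_ebp_imm32(code: bytes) -> dict:
    """Decode the '81 /7 disp8 imm32' form: cmp dword ptr [ebp+disp8], imm32.

    Opcode 0x81 is the group-1 ALU opcode with a 32-bit immediate. ModRM 0x7D
    splits into mod=01 (one displacement byte), reg=111 (/7 = CMP) and
    rm=101 (ebp). Then follow the signed disp8 and the little-endian imm32.
    """
    if len(code) != 7 or code[0] != 0x81:
        raise ValueError("not an 0x81 group-1 instruction with imm32")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if (mod, reg, rm) != (1, 7, 5):
        raise ValueError("not cmp dword ptr [ebp+disp8], imm32")
    disp8 = struct.unpack("<b", code[2:3])[0]
    imm32 = struct.unpack("<I", code[3:7])[0]
    return {"mnemonic": "cmp", "disp": disp8, "imm": imm32}


def patch_year(image: bytes, offset: int, new_year: int) -> bytes:
    """Return a copy of image with the cmp immediate at offset set to new_year.

    The encoding is validated first, so a wrong offset raises instead of
    silently overwriting unrelated bytes.
    """
    decode_cmp_ebp_imm32(image[offset:offset + 7])
    patched = bytearray(image)
    patched[offset + 3:offset + 7] = struct.pack("<I", new_year)
    return bytes(patched)


# Constructed stand-in for the CrackMe file: NOP padding up to 0x690, the
# real instruction bytes, then more padding. Not the actual binary.
SAMPLE_IMAGE = b"\x90" * FILE_OFFSET + ORIGINAL_CMP + b"\x90" * 16

if __name__ == "__main__":
    info = decode_cmp_ebp_imm32(ORIGINAL_CMP)
    print(f"cmp dword ptr [ebp{info['disp']:+#x}], {info['imm']:#010x}"
          f"  -> year {info['imm']}")                        # year 1997
    new = patch_year(SAMPLE_IMAGE, FILE_OFFSET, 2001)
    print(new[FILE_OFFSET:FILE_OFFSET + 7].hex().upper())   # 817DF8D1070000
```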