Software Reverse Engineering - MemoryAnalyst v1.01 - Enter Any Registration
Copyright (c) 1998 Volatility
Document Courtesy of The Immortal Descendants - http://pages.prodigy.net/volatility

	This is a short and simple crack to patch MemoryAnalyst so that you can enter
any registration information you want.

---------------------------------------------------------------------------------------------
Target:  MemoryAnalyst v1.01 (ma101.zip) - 144,028 bytes.  Download this at:

	   ftp://src.doc.ic.ac.uk/pub/packages/simtel/win95/sysutil/ma101.zip

Tools Needed:  	WDASM - recommended (or disassembler of your choice)
		HIEW - recommended (or hex editor of your choice)
		PMTK - recommended (or patcher of your choice)
---------------------------------------------------------------------------------------------

Prepare To Crack:

	First make a backup copy of memanal.exe in a different directory.  Now run the program.
You'll first notice an annoying, flashing "Unregistered" right in the middle of the screen. 
We can't have that!  Look for a place to enter registration information (found at "Help", 
"Register Now").  Enter a dummy name and password.  Take note of what the error message says.

	NOTE: If you haven't noticed by now, we can crack many many programs easily by looking
              for the strings found in the error message.

	The message includes "Sorry, this password is not correct....".  Write this down.  Now
fire up Wdasm and disassemble memanal.exe by choosing "Disassembler", "Open file to disassemble"
then choose memanal.exe.

Starting The Crack:

	NOTE: Lines with a < in front of them indicate my comments about what the line does.

	Once the program is disassembled, you can have a look-see at "Refs", "String Data
References" to see if the string you're looking for is located there.  It is, listed as
"Sorry, this password is not correct".  Double-click on this string, and close down the SDR 
window.  You should now be back at Wdasm, and see the following:

---------------------------------------------------------------------------------------------
* Possible StringData Ref from Data Obj ->"Password invalid"
                                  |
:00406188 6898354300              push 00433598

* Possible StringData Ref from Data Obj ->"Sorry, this password is not correct. "
                                        ->"Please read and copy carefully "
                                        ->"the user name and password written "
                                        ->"in the mail we sent you."
                                  |
:0040618D 6818354300              push 00433518
---------------------------------------------------------------------------------------------

	Scroll up just a few lines, and you'll see where there's a jump, this is where we can
patch the code:

---------------------------------------------------------------------------------------------
:00406180 85C0                    test eax, eax    <test if our password is correct
:00406182 744E                    je 004061D2      <if password correct, jump registered
:00406184 6A10                    push 00000010    <if password not correct, give you bad flag
:00406186 8BCE                    mov ecx, esi     <and mark you unregistered 

* Possible StringData Ref from Data Obj ->"Password invalid"
---------------------------------------------------------------------------------------------

	We need to make the program think we're a good guy, no matter what we enter, so we
need to patch the jump from je (jump if equal) to jne (jump if not equal).  This will insure
that we'll jump to "registered" for any registration we enter... unless, of course, you enter
the correct registration!

	We need to patch the line: ":00406182 744E                    je 004061D2".  So 
highlight the line, and get the offset from below: 00005582h (5582).

---------------------------------------------------------------------------------------------
Making the Crack
---------------------------------------------------------------------------------------------

Open memanal.exe with HIEW ( c:\whatever\hiew c:\wherever\memanal.exe )
Press F4 to go to hex view
Press F5 to search for the offset
Enter your search: 5582
Press enter
Press F2 to get to code view
Press F3 to edit the code
Press F2 for ASM mode
Change "je" to "jne"
Press Enter
Press F9 to update
Press F10 to quit

---------------------------------------------------------------------------------------------

---------------------------------------------------------------------------------------------
Making a Patcher
---------------------------------------------------------------------------------------------

Rename your patched program to memanal.bak
Move your copy of the original program to the same directory
Make the patcher with PMTK ( c:\whatever\pmtk memanal.exe memanal.bak )
Save your patch as binary, asm or com file (com file for an executable)
Name your patch file (memanal.com for mine)
Insert a logo if you want
You're finished! You now have a patcher for memanal.exe


-Volatility-