Essay : Cracking 99% of all Time Trials - Written by Mushy.

The Call Flow Approach :-

What is a call flow ?
*********************
When a program is run or executed, it runs through a series of
functions, procedures and instructions (both procedures
and functions are collections of instructions that are
grouped together to save space and time). A call flow
is a listing or diagram of the path a program takes
when it executes. This path can be different depending
on the circumstances when the program was run. Imagine
six procedures as follows :

1.) GetSystemTime. (Checks the system time).
2.) Installed. (Checks when you installed the program).
3.) Expired. (Displays an expired message).
4.) DaysLeft. (Displays the message 'you have % days left').
5.) Halt. (Quits the program).
6.) Main. (The main program).

Using these procedures, the pseudo-asm code of a time trial
protection would be something like this :

00000001 :Call GetSystemTime.
00000002 :Call Installed.
00000003 :if (GetSystemTime - Installed) is greater than 30 days then
00000004 :   Call Expired,
00000005 :   Jmp Halt.
00000006 :otherwise
00000007 :   Call DaysLeft,
00000008 :   Jmp Main.

This would look something like this in real terms :

Call 041829B0 (GetSystemTime)
Call 0492832C (Installed)
Cmp  Ax,Bx    (if statement)
JL   04927435 (Jump or No Jump, depending on values ax and bx)
Call 04348234 (Expired)
Jmp  0432833C (Halt)
---JL Address---
Call 04583BC0 (DaysLeft Message)
Jmp  042392BC (Main Program) 


If you look at the above code you will see that the path the
program takes depends on the values of ax and bx just before the JL
instruction. The problem is that in a large disassembly it is often
difficult to find the right place to patch, because there are so
many cmp/jl or cmp/jne occurrences and only one of them decides the
trial. So how do we go about finding the correct location ?


Finding the right location.
***************************

Using the above code we can generate two possible program flows.
When you are still in the 30 day trial period, the call flow 
would look like this :

GetSystemTime
Installed
Cmp ax,bx
JL (Jump)
DaysLeft
Main.

When the trial period has expired the call flow would look like
this :

GetSystemTime
Installed
Cmp ax,bx
JL ( No Jump )
Expired
Halt.

Using these two listings we can see that up until the JL instruction
everything is the same; the only difference is that the first listing
jumps and the second doesn`t. The JL is dependent on the values of ax
and bx. To crack a time trial, all we have to do is either change the
values of ax and bx (the correct way), so that the comparison always
says you are still inside the trial period, or change the JL into a
Jmp and force the program down the path of the first call flow.


Ok, I understand the principle. Now show me how to do it ?
**********************************************************

The tools we need :

SoftIce v3.23 installed with the Symbol Loader.
A hex editor.
(No disassembler is needed)

Firstly, load up the Symbol Loader that is installed with SoftIce.
You can find it in the SoftIce folder on the Start menu. Go to the File
menu in the Symbol Loader and click on 'Open Module', then find and
select the executable file / program that you wish to crack.
Once this has been done, go to the Module menu and click on 'Load
Module'. Normally this will greet you with an error message telling
you that an error occurred during symbol translation. Just click
on 'Yes' to continue loading the exe file. SoftIce will now break
because of the Symbol Loader, which you can confirm by looking in the
information window. You will also see a lot of lines in the code window
that look like this :

FFFF INVALID
FFFF INVALID
FFFF INVALID
FFFF INVALID
FFFF INVALID

etc,.......


Ignore this,.... it is not an error. It is just displaying an area of
memory that SoftIce can`t disassemble yet. At this moment we are just
going to set up SoftIce so that it displays what we want in the
command window. (Remember that everything in the command window
is logged to the history buffer.)


Step 1 : Close the code window.
*******************************
Start by typing 'wc' in SoftIce. This command toggles the code window.
We DON`T want the code window to display, so make sure that this window
is closed. You can also close it with the mouse: click on the top edge
of the window you want to close and drag it upwards as far as it will
go. This will make the window disappear.


Step 2 : Set a breakpoint on GetSystemTime.
*******************************************
We now need to set a breakpoint on GetSystemTime, one of the Win32 API
functions a program can use to read the current date and time. Set it
by typing 'BPX GetSystemTime' in the command window now. If this
breakpoint never fires, the program is probably asking for the time some
other way (GetLocalTime, for instance, is another kernel32 export that
does the same job), so try that before assuming the check is elsewhere.
By the way,... 'GetSystemTime' is only a symbol that SoftIce resolves to
the address of the function. If you knew the address, you could just as
well have typed 'BPX 004283CD' etc,..... You can also add an offset to a
BPX, for example 'BPX GetSystemTime + 4', which will break 4 bytes into
the function instead of at its first instruction.


Step 3 : Continue loading the program.
**************************************
Now that you have set the breakpoint in SoftIce (BPX GetSystemTime), it
is time to let the program continue to load and run. All you have to do
is press CTRL and D together. Sooner or later the program will call
'GetSystemTime'; SoftIce will then pop up with the program paused at the
first instruction of the function, and you will see the text 'Break due
to BPX KERNEL32!GetSystemTime' in the command window. The breakpoint is
not limited to your program, so if the break is reported from some other
module or process, press CTRL-D again until it comes from the one you
loaded. We are now in the correct place to start logging.


Step 4 : Step out of the Function.
**********************************
Now that you are at the beginning of the function 'GetSystemTime', we
need to step past it, so that we are at the first asm instruction after
the whole function has executed. (Note: 'GetSystemTime' lives in
Kernel32.dll in the windows system directory.) This function runs the
same code whatever state the trial is in, so there is nothing to learn
from logging its instructions. To run to the very next instruction
after the function returns, press F11 (Function key 11) once. It is at
this point that things start to get interesting.


Step 5 : Log all commands, up until the nag screen.
***************************************************
It`s now time to log everything. All you have to do is step through
the code by pressing F10 (Function key 10) until the nag screen that
displays 'You have % days left' appears. You can hold down F10 until
the screen pops up. You will notice that every executed line of code
is displayed in the command window, and all of it is being logged in
the SoftIce history buffer.


Step 6 : Save the log file.
***************************
When the nag screen appears, it is time to save the first log file.
You do this by clicking on the softice symbol loader that should
still be loaded. It may be minimised at the bottom of your screen. If
so, then just maximise it and go to the File Menu and click on
'Save softice history as,...'. Save this file as Log1.txt . If you
load this file into a text editor like wordpad or notepad, you will
see that it has logged the command windows activity from softice. This
is our 'First Call Flow' file. Get the idea :-).....


Step 7 : Set the date forward and do it all again.
**************************************************
What you need to do now is to create a second call log file, but this
time set your system date forward, past the end of the trial period,
so that the program shows the expired message instead. :-) This forces
the flow of the program down a different path somewhere after the
'GetSystemTime' function but before the nag screen appears. Repeat
Steps 1 to 6 exactly as before and save the result as Log2.txt.


Step 8 : Compare the two log files.
***********************************
After you have completed all the steps again and saved a second log
file, you need to compare them. Below, I have included two sample
log files from a new Micro$oft drawing package that supposedly is
well protected. :

LOG FILE 1. ( You have % days left )
***********
Break due to BPX KERNEL32!GetSystemTime  (ET=33.15 milliseconds)
Break due to G (ET=383.02 microseconds)
015F:78026B90  663B0512870378      CMP     AX,[78038712]
015F:78026B97  756B                JNZ     78026C04                  (JUMP )
015F:78026C04  8D8534FFFFFF        LEA     EAX,[EBP-00CC]
015F:78026C0A  50                  PUSH    EAX
015F:78026C0B  FF1540D10278        CALL    [KERNEL32!GetTimeZoneInformation]
015F:78026C11  83F8FF              CMP     EAX,-01
015F:78026C14  7430                JZ      78026C46                  (NO JUMP)
015F:78026C16  83F802              CMP     EAX,02
015F:78026C19  7527                JNZ     78026C42                  (NO JUMP)
015F:78026C1B  66837DCE00          CMP     WORD PTR [EBP-32],00
015F:78026C20  7420                JZ      78026C42                  (NO JUMP)
015F:78026C22  837DDC00            CMP     DWORD PTR [EBP-24],00
015F:78026C26  741A                JZ      78026C42                  (NO JUMP)
015F:78026C28  6A01                PUSH    01
015F:78026C2A  58                  POP     EAX
015F:78026C2B  56                  PUSH    ESI
015F:78026C2C  57                  PUSH    EDI
015F:78026C2D  8D75E0              LEA     ESI,[EBP-20]
015F:78026C30  BF08870378          MOV     EDI,78038708
015F:78026C35  A5                  MOVSD
015F:78026C36  A5                  MOVSD
015F:78026C37  A5                  MOVSD
015F:78026C38  A5                  MOVSD
015F:78026C39  5F                  POP     EDI
015F:78026C3A  A300870378          MOV     [78038700],EAX
015F:78026C3F  5E                  POP     ESI
015F:78026C40  EB90                JMP     78026BD2                  (JUMP )
015F:78026BD2  50                  PUSH    EAX
015F:78026BD3  0FB745FC            MOVZX   EAX,WORD PTR [EBP-04]
015F:78026BD7  50                  PUSH    EAX
015F:78026BD8  0FB745FA            MOVZX   EAX,WORD PTR [EBP-06]
015F:78026BDC  50                  PUSH    EAX
015F:78026BDD  0FB745F8            MOVZX   EAX,WORD PTR [EBP-08]
015F:78026BE1  50                  PUSH    EAX
015F:78026BE2  0FB745F6            MOVZX   EAX,WORD PTR [EBP-0A]
015F:78026BE6  50                  PUSH    EAX
015F:78026BE7  0FB745F2            MOVZX   EAX,WORD PTR [EBP-0E]
015F:78026BEB  50                  PUSH    EAX
015F:78026BEC  0FB745F0            MOVZX   EAX,WORD PTR [EBP-10]
015F:78026BF0  50                  PUSH    EAX
015F:78026BF1  E8EE000000          CALL    78026CE4
015F:78026BF6  8B4D08              MOV     ECX,[EBP+08]
015F:78026BF9  83C41C              ADD     ESP,1C
015F:78026BFC  85C9                TEST    ECX,ECX
015F:78026BFE  7402                JZ      78026C02                  (NO JUMP)
015F:78026C00  8901                MOV     [ECX],EAX
015F:78026C02  C9                  LEAVE
015F:78026C03  C3                  RET
015F:300D2072  83C404              ADD     ESP,04
015F:300D2075  8D4C2410            LEA     ECX,[ESP+10]
015F:300D2079  51                  PUSH    ECX
015F:300D207A  FF15B4841030        CALL    [301084B4]
015F:300D2080  83C404              ADD     ESP,04
015F:300D2083  8BF0                MOV     ESI,EAX
015F:300D2085  8D54243C            LEA     EDX,[ESP+3C]
015F:300D2089  B909000000          MOV     ECX,00000009
015F:300D208E  8D7C2418            LEA     EDI,[ESP+18]
015F:300D2092  8D442418            LEA     EAX,[ESP+18]
015F:300D2096  52                  PUSH    EDX
015F:300D2097  50                  PUSH    EAX
015F:300D2098  F3A5                REPZ MOVSD
015F:300D209A  E8E1FDFFFF          CALL    300D1E80
015F:300D209F  83C408              ADD     ESP,08
015F:300D20A2  85C0                TEST    EAX,EAX
015F:300D20A4  7E19                JLE     300D20BF                  (JUMP )
015F:300D20BF  8D442460            LEA     EAX,[ESP+60]
015F:300D20C3  8D4C2418            LEA     ECX,[ESP+18]
015F:300D20C7  50                  PUSH    EAX
015F:300D20C8  51                  PUSH    ECX
015F:300D20C9  E8B2FDFFFF          CALL    300D1E80
015F:300D20CE  83C408              ADD     ESP,08
015F:300D20D1  85C0                TEST    EAX,EAX
015F:300D20D3  7E33                JLE     300D2108                  (JUMP )
015F:300D2108  6820D91630          PUSH    3016D920
015F:300D210D  E83EFCFFFF          CALL    300D1D50
015F:300D2112  83C404              ADD     ESP,04
015F:300D2115  85C0                TEST    EAX,EAX
015F:300D2117  7410                JZ      300D2129                  (JUMP )
015F:300D2129  391D20D91630        CMP     [3016D920],EBX
015F:300D212F  0F85D6010000        JNZ     300D230B                  (JUMP )
015F:300D230B  6A4C                PUSH    4C
015F:300D230D  6824D91630          PUSH    3016D924
015F:300D2312  E8E9F9FFFF          CALL    300D1D00
015F:300D2317  8B0D20D91630        MOV     ECX,[3016D920]
015F:300D231D  83C408              ADD     ESP,08
015F:300D2320  3BC1                CMP     EAX,ECX
015F:300D2322  0F841DFEFFFF        JZ      300D2145                  (JUMP )
015F:300D2145  8D542418            LEA     EDX,[ESP+18]
015F:300D2149  6848D91630          PUSH    3016D948
015F:300D214E  52                  PUSH    EDX
015F:300D214F  E82CFDFFFF          CALL    300D1E80
015F:300D2154  83C408              ADD     ESP,08
015F:300D2157  85C0                TEST    EAX,EAX
015F:300D2159  7D26                JGE     300D2181                  (JUMP )
015F:300D2181  803DA480163003      CMP     BYTE PTR [301680A4],03
015F:300D2188  0F876D010000        JA      300D22FB                  (NO JUMP)
015F:300D218E  8BAC24D0000000      MOV     EBP,[ESP+000000D0]
015F:300D2195  C745009F860100      MOV     DWORD PTR [EBP+00],0001869F
015F:300D219C  A0A4801630          MOV     AL,[301680A4]
015F:300D21A1  A801                TEST    AL,01
015F:300D21A3  744B                JZ      300D21F0                  (NO JUMP)
015F:300D21A5  33C0                XOR     EAX,EAX
015F:300D21A7  8D4C2418            LEA     ECX,[ESP+18]
015F:300D21AB  A0A5801630          MOV     AL,[301680A5]
015F:300D21B0  51                  PUSH    ECX
015F:300D21B1  6824D91630          PUSH    3016D924
015F:300D21B6  8D3440              LEA     ESI,[EAX*2+EAX]
015F:300D21B9  C1E603              SHL     ESI,03
015F:300D21BC  E85FFDFFFF          CALL    300D1F20
015F:300D21C1  83C408              ADD     ESP,08
015F:300D21C4  3BC3                CMP     EAX,EBX
015F:300D21C6  0F8C2F010000        JL      300D22FB                  (NO JUMP)
015F:300D21CC  3BC6                CMP     EAX,ESI
015F:300D21CE  7C0A                JL      300D21DA                  (NO JUMP)
015F:300D21D0  BB04000000          MOV     EBX,00000004
015F:300D21D5  E9E6000000          JMP     300D22C0                  (JUMP )
015F:300D22C0  8B4500              MOV     EAX,[EBP+00]
015F:300D22C3  33C9                XOR     ECX,ECX
015F:300D22C5  8A0DA9801630        MOV     CL,[301680A9]
015F:300D22CB  3BC1                CMP     EAX,ECX
015F:300D22CD  7F05                JG      300D22D4                  (JUMP )
015F:300D22D4  6A4C                PUSH    4C
015F:300D22D6  6824D91630          PUSH    3016D924
015F:300D22DB  E820FAFFFF          CALL    300D1D00
015F:300D22E0  83C408              ADD     ESP,08
015F:300D22E3  A320D91630          MOV     [3016D920],EAX
015F:300D22E8  6820D91630          PUSH    3016D920
015F:300D22ED  E80EFBFFFF          CALL    300D1E00
015F:300D22F2  83C404              ADD     ESP,04
015F:300D22F5  85C0                TEST    EAX,EAX
015F:300D22F7  8BC3                MOV     EAX,EBX
015F:300D22F9  7505                JNZ     300D2300                  (JUMP )
015F:300D2300  5F                  POP     EDI
015F:300D2301  5E                  POP     ESI
015F:300D2302  5D                  POP     EBP
015F:300D2303  5B                  POP     EBX
015F:300D2304  81C4BC000000        ADD     ESP,000000BC
015F:300D230A  C3                  RET
015F:3000ADB6  8BF0                MOV     ESI,EAX
015F:3000ADB8  83C404              ADD     ESP,04
015F:3000ADBB  8D46FF              LEA     EAX,[ESI-01]
015F:3000ADBE  83F805              CMP     EAX,05
015F:3000ADC1  773D                JA      3000AE00                  (NO JUMP)



LOG FILE 2. ( The demo has expired )
***********
KERNEL32!GetSystemTime
Break due to G (ET=380.57 microseconds)
015F:78026B8C  668B45EA            MOV     AX,[EBP-16]
015F:78026B90  663B0512870378      CMP     AX,[78038712]
015F:78026B97  756B                JNZ     78026C04                  (JUMP )
015F:78026C04  8D8534FFFFFF        LEA     EAX,[EBP-00CC]
015F:78026C0A  50                  PUSH    EAX
015F:78026C0B  FF1540D10278        CALL    [KERNEL32!GetTimeZoneInformation]
015F:78026C11  83F8FF              CMP     EAX,-01
015F:78026C14  7430                JZ      78026C46                  (NO JUMP)
015F:78026C16  83F802              CMP     EAX,02
015F:78026C19  7527                JNZ     78026C42                  (NO JUMP)
015F:78026C1B  66837DCE00          CMP     WORD PTR [EBP-32],00
015F:78026C20  7420                JZ      78026C42                  (NO JUMP)
015F:78026C22  837DDC00            CMP     DWORD PTR [EBP-24],00
015F:78026C26  741A                JZ      78026C42                  (NO JUMP)
015F:78026C28  6A01                PUSH    01
015F:78026C2A  58                  POP     EAX
015F:78026C2B  56                  PUSH    ESI
015F:78026C2C  57                  PUSH    EDI
015F:78026C2D  8D75E0              LEA     ESI,[EBP-20]
015F:78026C30  BF08870378          MOV     EDI,78038708
015F:78026C35  A5                  MOVSD
015F:78026C36  A5                  MOVSD
015F:78026C37  A5                  MOVSD
015F:78026C38  A5                  MOVSD
015F:78026C39  5F                  POP     EDI
015F:78026C3A  A300870378          MOV     [78038700],EAX
015F:78026C3F  5E                  POP     ESI
015F:78026C40  EB90                JMP     78026BD2                  (JUMP )
015F:78026BD2  50                  PUSH    EAX
015F:78026BD3  0FB745FC            MOVZX   EAX,WORD PTR [EBP-04]
015F:78026BD7  50                  PUSH    EAX
015F:78026BD8  0FB745FA            MOVZX   EAX,WORD PTR [EBP-06]
015F:78026BDC  50                  PUSH    EAX
015F:78026BDD  0FB745F8            MOVZX   EAX,WORD PTR [EBP-08]
015F:78026BE1  50                  PUSH    EAX
015F:78026BE2  0FB745F6            MOVZX   EAX,WORD PTR [EBP-0A]
015F:78026BE6  50                  PUSH    EAX
015F:78026BE7  0FB745F2            MOVZX   EAX,WORD PTR [EBP-0E]
015F:78026BEB  50                  PUSH    EAX
015F:78026BEC  0FB745F0            MOVZX   EAX,WORD PTR [EBP-10]
015F:78026BF0  50                  PUSH    EAX
015F:78026BF1  E8EE000000          CALL    78026CE4
015F:78026BF6  8B4D08              MOV     ECX,[EBP+08]
015F:78026BF9  83C41C              ADD     ESP,1C
015F:78026BFC  85C9                TEST    ECX,ECX
015F:78026BFE  7402                JZ      78026C02                  (NO JUMP)
015F:78026C00  8901                MOV     [ECX],EAX
015F:78026C02  C9                  LEAVE
015F:78026C03  C3                  RET
015F:300D2072  83C404              ADD     ESP,04
015F:300D2075  8D4C2410            LEA     ECX,[ESP+10]
015F:300D2079  51                  PUSH    ECX
015F:300D207A  FF15B4841030        CALL    [301084B4]
015F:300D2080  83C404              ADD     ESP,04
015F:300D2083  8BF0                MOV     ESI,EAX
015F:300D2085  8D54243C            LEA     EDX,[ESP+3C]
015F:300D2089  B909000000          MOV     ECX,00000009
015F:300D208E  8D7C2418            LEA     EDI,[ESP+18]
015F:300D2092  8D442418            LEA     EAX,[ESP+18]
015F:300D2096  52                  PUSH    EDX
015F:300D2097  50                  PUSH    EAX
015F:300D2098  F3A5                REPZ MOVSD
015F:300D209A  E8E1FDFFFF          CALL    300D1E80
015F:300D209F  83C408              ADD     ESP,08
015F:300D20A2  85C0                TEST    EAX,EAX
015F:300D20A4  7E19                JLE     300D20BF                  (JUMP )
015F:300D20BF  8D442460            LEA     EAX,[ESP+60]
015F:300D20C3  8D4C2418            LEA     ECX,[ESP+18]
015F:300D20C7  50                  PUSH    EAX
015F:300D20C8  51                  PUSH    ECX
015F:300D20C9  E8B2FDFFFF          CALL    300D1E80
015F:300D20CE  83C408              ADD     ESP,08
015F:300D20D1  85C0                TEST    EAX,EAX
015F:300D20D3  7E33                JLE     300D2108                  (JUMP )
015F:300D2108  6820D91630          PUSH    3016D920
015F:300D210D  E83EFCFFFF          CALL    300D1D50
015F:300D2112  83C404              ADD     ESP,04
015F:300D2115  85C0                TEST    EAX,EAX
015F:300D2117  7410                JZ      300D2129                  (JUMP )
015F:300D2129  391D20D91630        CMP     [3016D920],EBX
015F:300D212F  0F85D6010000        JNZ     300D230B                  (JUMP )
015F:300D230B  6A4C                PUSH    4C
015F:300D230D  6824D91630          PUSH    3016D924
015F:300D2312  E8E9F9FFFF          CALL    300D1D00
015F:300D2317  8B0D20D91630        MOV     ECX,[3016D920]
015F:300D231D  83C408              ADD     ESP,08
015F:300D2320  3BC1                CMP     EAX,ECX
015F:300D2322  0F841DFEFFFF        JZ      300D2145                  (JUMP )
015F:300D2145  8D542418            LEA     EDX,[ESP+18]
015F:300D2149  6848D91630          PUSH    3016D948
015F:300D214E  52                  PUSH    EDX
015F:300D214F  E82CFDFFFF          CALL    300D1E80
015F:300D2154  83C408              ADD     ESP,08
015F:300D2157  85C0                TEST    EAX,EAX
015F:300D2159  7D26                JGE     300D2181                  (JUMP )
015F:300D2181  803DA480163003      CMP     BYTE PTR [301680A4],03
015F:300D2188  0F876D010000        JA      300D22FB                  (NO JUMP)
015F:300D218E  8BAC24D0000000      MOV     EBP,[ESP+000000D0]
015F:300D2195  C745009F860100      MOV     DWORD PTR [EBP+00],0001869F
015F:300D219C  A0A4801630          MOV     AL,[301680A4]
015F:300D21A1  A801                TEST    AL,01
015F:300D21A3  744B                JZ      300D21F0                  (NO JUMP)
015F:300D21A5  33C0                XOR     EAX,EAX
015F:300D21A7  8D4C2418            LEA     ECX,[ESP+18]
015F:300D21AB  A0A5801630          MOV     AL,[301680A5]
015F:300D21B0  51                  PUSH    ECX
015F:300D21B1  6824D91630          PUSH    3016D924
015F:300D21B6  8D3440              LEA     ESI,[EAX*2+EAX]
015F:300D21B9  C1E603              SHL     ESI,03
015F:300D21BC  E85FFDFFFF          CALL    300D1F20
015F:300D21C1  83C408              ADD     ESP,08
015F:300D21C4  3BC3                CMP     EAX,EBX
015F:300D21C6  0F8C2F010000        JL      300D22FB                  (NO JUMP)
015F:300D21CC  3BC6                CMP     EAX,ESI
015F:300D21CE  7C0A                JL      300D21DA                  (JUMP )
015F:300D21DA  2BF0                SUB     ESI,EAX
015F:300D21DC  B8ABAAAA2A          MOV     EAX,2AAAAAAB
015F:300D21E1  F7EE                IMUL    ESI
015F:300D21E3  C1FA02              SAR     EDX,02
015F:300D21E6  8BC2                MOV     EAX,EDX
015F:300D21E8  C1E81F              SHR     EAX,1F
015F:300D21EB  03D0                ADD     EDX,EAX
015F:300D21ED  895500              MOV     [EBP+00],EDX
015F:300D21F0  F605A480163002      TEST    BYTE PTR [301680A4],02
015F:300D21F7  0F84B3000000        JZ      300D22B0                  (JUMP )
015F:300D22B0  B909000000          MOV     ECX,00000009
015F:300D22B5  8D742418            LEA     ESI,[ESP+18]
015F:300D22B9  BF48D91630          MOV     EDI,3016D948
015F:300D22BE  F3A5                REPZ MOVSD
015F:300D22C0  8B4500              MOV     EAX,[EBP+00]
015F:300D22C3  33C9                XOR     ECX,ECX
015F:300D22C5  8A0DA9801630        MOV     CL,[301680A9]
015F:300D22CB  3BC1                CMP     EAX,ECX
015F:300D22CD  7F05                JG      300D22D4                  (JUMP )
015F:300D22D4  6A4C                PUSH    4C
015F:300D22D6  6824D91630          PUSH    3016D924
015F:300D22DB  E820FAFFFF          CALL    300D1D00
015F:300D22E0  83C408              ADD     ESP,08
015F:300D22E3  A320D91630          MOV     [3016D920],EAX
015F:300D22E8  6820D91630          PUSH    3016D920
015F:300D22ED  E80EFBFFFF          CALL    300D1E00
015F:300D22F2  83C404              ADD     ESP,04
015F:300D22F5  85C0                TEST    EAX,EAX
015F:300D22F7  8BC3                MOV     EAX,EBX
015F:300D22F9  7505                JNZ     300D2300                  (JUMP )
015F:300D2300  5F                  POP     EDI
015F:300D2301  5E                  POP     ESI
015F:300D2302  5D                  POP     EBP
015F:300D2303  5B                  POP     EBX
015F:300D2304  81C4BC000000        ADD     ESP,000000BC
015F:300D230A  C3                  RET
015F:3000ADB6  8BF0                MOV     ESI,EAX
015F:3000ADB8  83C404              ADD     ESP,04
015F:3000ADBB  8D46FF              LEA     EAX,[ESI-01]
015F:3000ADBE  83F805              CMP     EAX,05
015F:3000ADC1  773D                JA      3000AE00                  (JUMP )


Step 9 : Find the first point where the two log files differ.
*************************************************************
Put the two log files side by side and walk down them until they stop matching. (Ignore the
'Break due to' header lines and the extra 'MOV AX,[EBP-16]' line at the top of the second log;
those only reflect where logging started.) The first conditional jump that goes a different way
is at 015F:300D21CE, inside the routine that checks the trial: 'JL 300D21DA' does NOT jump in
the first log but jumps in the second. In the first log the next instruction is
'MOV EBX,00000004' followed by a jump to 300D22C0; in the second log the program takes the
300D21DA path (the SUB / IMUL / SAR arithmetic that stores a result at [EBP+00]) and then
rejoins at 300D22C0. From there the two logs match again until the routine returns with
'MOV EAX,EBX' and 'RET', so the second log comes back with whatever EBX already held instead
of 4.
That difference surfaces in the caller at address 015F:3000ADC1. In the first log file the
command at this address doesn`t jump, but in the second log file the very same command jumps,
because the value returned in EAX (and copied into ESI) is different in the two runs.
Have a look at the three lines of code :
LEA   EAX,[ESI-01]     Computes ESI-1 and puts the result in EAX (LEA only does the address arithmetic; it does not read memory).
CMP   EAX,05           Compares EAX with 5 and sets the flags.
JA    3000AE00         Jump if Above (unsigned EAX greater than 5) to address 3000AE00.
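Comparing two long histories by eye is where mistakes creep in, so here is an added example (my own code, not part of Mushy`s tutorial) that parses two SoftIce history files in the format shown above (seg:offset, opcode bytes, disassembly, and the '(JUMP )' / '(NO JUMP)' tag SoftIce appends to branches) and reports both the first instruction where the runs part and every branch address that went a different way, which also catches the case where the paths rejoin later, as they do at 300D22C0. The two trace strings are constructed samples cut down from the logs above.

```python
"""Compare two SoftIce histories and report where the execution paths part."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: a few lines cut from the two logs above, around the
# first conditional jump that goes a different way. Header lines are kept to
# show that the parser skips them.
TRACE_IN_TRIAL = """\
Break due to BPX KERNEL32!GetSystemTime  (ET=33.15 milliseconds)
Break due to G (ET=383.02 microseconds)
015F:300D21C4  3BC3                CMP     EAX,EBX
015F:300D21C6  0F8C2F010000        JL      300D22FB                  (NO JUMP)
015F:300D21CC  3BC6                CMP     EAX,ESI
015F:300D21CE  7C0A                JL      300D21DA                  (NO JUMP)
015F:300D21D0  BB04000000          MOV     EBX,00000004
015F:300D21D5  E9E6000000          JMP     300D22C0                  (JUMP )
015F:300D22C0  8B4500              MOV     EAX,[EBP+00]
"""
TRACE_EXPIRED = """\
KERNEL32!GetSystemTime
Break due to G (ET=380.57 microseconds)
015F:300D21C4  3BC3                CMP     EAX,EBX
015F:300D21C6  0F8C2F010000        JL      300D22FB                  (NO JUMP)
015F:300D21CC  3BC6                CMP     EAX,ESI
015F:300D21CE  7C0A                JL      300D21DA                  (JUMP )
015F:300D21DA  2BF0                SUB     ESI,EAX
015F:300D21DC  B8ABAAAA2A          MOV     EAX,2AAAAAAB
"""

# seg:offset, opcode bytes, disassembly text, optional "(JUMP )" / "(NO JUMP)" tag
LINE_RE = re.compile(
    r"^(?P<seg>[0-9A-F]{4}):(?P<off>[0-9A-F]{8})\s+(?P<bytes>[0-9A-F]+)\s+"
    r"(?P<text>.*?)\s*(?:\((?P<taken>JUMP|NO JUMP)\s*\))?\s*$"
)


@dataclass(frozen=True)
class Step:
    seg: int
    off: int
    opbytes: bytes
    mnem: str
    operands: str
    taken: Optional[bool]  # None for instructions that are not branches

    @property
    def is_branch(self) -> bool:
        return self.taken is not None


def parse_line(line: str) -> Optional[Step]:
    """Return a Step for an instruction line, or None for any other line."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    # mnemonic and operands are separated by a run of spaces; a prefixed
    # instruction such as "REPZ MOVSD" has a single space and stays together
    parts = re.split(r"\s{2,}", m["text"].strip(), maxsplit=1)
    operands = parts[1] if len(parts) > 1 else ""
    taken = None if m["taken"] is None else (m["taken"] == "JUMP")
    return Step(int(m["seg"], 16), int(m["off"], 16), bytes.fromhex(m["bytes"]),
                parts[0], operands, taken)


def parse_trace(text: str) -> List[Step]:
    return [s for s in (parse_line(l) for l in text.splitlines()) if s]


@dataclass(frozen=True)
class Divergence:
    index: int         # how many instructions matched before this one
    a: Optional[Step]  # None if that trace ended here
    b: Optional[Step]


def first_divergence(a: List[Step], b: List[Step]) -> Optional[Divergence]:
    """First instruction where the runs differ: a different address executed,
    the same branch with a different outcome, or one trace ending early."""
    for i in range(max(len(a), len(b))):
        sa = a[i] if i < len(a) else None
        sb = b[i] if i < len(b) else None
        if sa is None or sb is None or sa.off != sb.off or sa.taken != sb.taken:
            return Divergence(i, sa, sb)
    return None


def differing_branches(a: List[Step], b: List[Step]) -> List[int]:
    """Branch addresses executed in both runs whose sequence of outcomes differs,
    in order of first appearance in trace a. Unlike first_divergence this still
    works after the two paths have rejoined."""
    def outcomes(t: List[Step]) -> Dict[int, List[bool]]:
        d: Dict[int, List[bool]] = {}
        for s in t:
            if s.is_branch:
                d.setdefault(s.off, []).append(bool(s.taken))
        return d
    oa, ob = outcomes(a), outcomes(b)
    return [off for off in oa if off in ob and oa[off] != ob[off]]


if __name__ == "__main__":
    a, b = parse_trace(TRACE_IN_TRIAL), parse_trace(TRACE_EXPIRED)
    d = first_divergence(a, b)
    if d and d.a and d.b:
        print(f"paths part after {d.index} matching instructions at {d.a.off:08X}: "
              f"{d.a.mnem} {d.a.operands} taken={d.a.taken} vs taken={d.b.taken}")
    print("branches with different outcomes:",
          [f"{off:08X}" for off in differing_branches(a, b)])
```

Run it on Log1.txt and Log2.txt saved from the Symbol Loader (read the files in place of the sample strings); for the logs above it reports 300D21CE first and 3000ADC1 is found by the same comparison once the routine has returned.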


Step 10 : What do I do now ?
****************************
We need to change the file so that the JA command does NOT jump. You can do this several ways.
The cheap`n`nasty way is to nop (No Operation) the 'JA 3000AE00' command by changing the two
bytes '77 3D' at address 015F:3000ADC1 to '90 90'. That stops the jump, but it leaves EAX holding
ESI-1, whatever that happens to be, for the code that follows. Although this will do the job most
of the time, the correct way is to lie to the rest of the program: replace the 'LEA EAX,[ESI-01]'
(3 bytes), the 'CMP EAX,05' (also 3 bytes) and the 'JA' command (2 bytes), 8 bytes in total for
the three asm commands, with 'MOV EAX,00000005' (5 bytes) followed by 3 'NOP' commands (1 byte
each). This gives the EAX register a value the following code accepts, and because you replace
exactly the same amount of bytes, nothing after the patch moves.
One check before you settle on the value: in LOG FILE 1 the routine returned 4
('MOV EBX,00000004' ... 'MOV EAX,EBX'), so EAX was 3 at the CMP in the run you know works. Any
value from 0 to 5 gets past the JA, but if the code after it dispatches on EAX, the logged value
is the safe choice.


Step 11 : Patching the program.
*******************************
All that remains now is to load your program into your favourite hex editor, search for the
byte pattern found in the log file for the LEA, CMP and JA commands (search for hex bytes, not
text) and overwrite it. Searching for the instruction bytes instead of the address means you
do not have to convert the 3000ADBB address into a file offset.
For this example,....
Replace '8D46FF83F805773D' with 'B805000000909090'.

B805000000 = MOV EAX,05
90         = NOP


Note : If the eight bytes occur more than once in the file, narrow down your search by adding
the bytes of the one or two instructions logged just before them. For this example those are
'MOV ESI,EAX' (8BF0) and 'ADD ESP,04' (83C404), giving the pattern '8BF083C4048D46FF83F805773D'.
Only patch when the search finds exactly one match, and keep a copy of the original file.
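Step 11 is a same-size search-and-replace with two things that must never go wrong: the replacement must be exactly as long as the bytes it overwrites, and the pattern must match exactly once. The following is an added example (my own code, not from the tutorial) that does the patch of Step 11 with both checks, keeps a .bak copy, and builds the 'MOV EAX,imm32 + NOP padding' replacement for any value, so the value 3 seen in LOG FILE 1 can be used just as easily as 5. The "binary" it patches is a constructed byte string in which the eight-byte pattern appears twice and only the context bytes (8BF0 83C404) from the Note above single out the right copy.

```python
"""Same-size byte patch with a uniqueness check, as in Step 11."""
import tempfile
from pathlib import Path
from typing import List

# The patch from Step 11: LEA EAX,[ESI-01] / CMP EAX,05 / JA rel8 (8 bytes)
# becomes MOV EAX,00000005 followed by three NOPs.
FIND = bytes.fromhex("8D46FF83F805773D")
REPLACE = bytes.fromhex("B805000000909090")
# Encodings of the two instructions logged just before (MOV ESI,EAX / ADD ESP,04),
# used to disambiguate when the eight bytes occur more than once.
CONTEXT = bytes.fromhex("8BF083C404")

# Constructed sample "binary": the pattern appears twice, but only the second
# copy is preceded by the context bytes.
SAMPLE_BINARY = b"\x90" * 4 + FIND + b"\xcc" * 4 + CONTEXT + FIND + b"\xc3"


def encode_mov_eax_padded(value: int, total_len: int) -> bytes:
    """Encode 'MOV EAX,imm32' (B8 + little-endian imm32) and pad with NOPs to
    total_len, so the patch is exactly the size of the code it replaces."""
    code = b"\xb8" + (value & 0xFFFFFFFF).to_bytes(4, "little")
    if total_len < len(code):
        raise ValueError("not enough room for MOV EAX,imm32")
    return code + b"\x90" * (total_len - len(code))


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """All (possibly overlapping) offsets of pattern in data."""
    hits, i = [], data.find(pattern)
    while i != -1:
        hits.append(i)
        i = data.find(pattern, i + 1)
    return hits


def patch_bytes(data: bytes, find: bytes, replace: bytes, context: bytes = b"") -> bytes:
    """Return a patched copy of data. Refuses to change the size of the code and
    refuses to guess when the pattern (with its context) is not unique."""
    if len(find) != len(replace):
        raise ValueError("replacement must be the same length as the bytes it replaces")
    hits = find_all(data, context + find)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one match, found {len(hits)}: add more context bytes")
    off = hits[0] + len(context)
    return data[:off] + replace + data[off + len(find):]


def patch_file(path: Path, find: bytes, replace: bytes, context: bytes = b"") -> int:
    """Patch a file in place, keeping a .bak copy; returns the file offset patched."""
    original = path.read_bytes()
    patched = patch_bytes(original, find, replace, context)  # validates first
    path.with_name(path.name + ".bak").write_bytes(original)
    path.write_bytes(patched)
    return find_all(original, context + find)[0] + len(context)


if __name__ == "__main__":
    assert encode_mov_eax_padded(5, len(FIND)) == REPLACE
    with tempfile.TemporaryDirectory() as d:
        target = Path(d) / "demo.exe"  # constructed, not a real program
        target.write_bytes(SAMPLE_BINARY)
        try:
            patch_file(target, FIND, REPLACE)  # two hits: refused
        except ValueError as e:
            print("without context:", e)
        off = patch_file(target, FIND, REPLACE, CONTEXT)
        print(f"patched {len(FIND)} bytes at file offset 0x{off:X}")
```

To use it on a real target, point `patch_file` at the executable and pass the bytes of the preceding instructions as `context` whenever the first attempt is refused for being ambiguous; the .bak copy is what you restore if the program misbehaves afterwards.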


Ending Note.
************
This way of cracking, which I call the 'Call Flow Method', has many other uses wherever a
program has two states of execution.
For instance,....
Cracking CRC checking routines (program modified / not modified),
dongle protection (dongle plugged in / not plugged in),
'three tries and you`re out' password protection,
programs that only let you use a feature a certain number of times.

I hope this tutorial will help people not only to speed up the cracking process, but also help
to understand HOW a program works and aid in the cracking of the more difficult targets.
I`m now off to drink loads of caffeine and give my head a rest before starting my next
tut.

L8R Mushy :-)



Greetz go to :
**************

The TCS Crew. (Best in the land ;-)
KM. (Only 1 more year to go : Freedom!!!!)
The Magician (Keep those degrees rolling and don`t let the fedz win.)
VnC (See ya at the show. Phone Me!!)
Everyone at +fravia`s msgbd.
Jeff (Great cracking board. Like the TIP of the day)








