Cracking Family Archive v1.1.4 Made By UFK Updated in: 03/20/99
------------------------------------------

Hiya people. it's time for my 3rd tutorial. hope you liked the last two.
ok this one has a really easy protection. it's a 30 days trial.
what you need for this one is IDA, SoftICE and of course a hex
editor at the end. ok so let's start.

download the program! done already?

run the program! yea.. it runs nicely.. nice little program..
now let's check some stuff out.. press on things, see how nicely
they work. now press on that nice little cat. you get this nice
window that says "Unregistered version". ewewew, we hate that!
and of course you can press on "Register" blah blah blah..
welp, let's start.

Run IDA and start disassembling the program and wait for it
to finish. people always like to play with SoftICE. i like to
play with it! well, you can try to break on several things
and check things out, but of course i won't explain about that
cause it's not gonna help you at all :)

it's a 30 days trial right? so let's see what it says. change
your date to a year later or something and run the program.
what do we have here??!?! A NAG SCREEN!!! whoohhoo scary!
let's do a binary search for the text in that window.
so press alt-b and search for "you are using this product".
did we find it? yep! but there's no X-Ref to it. what do we
do? let's try searching for "Unregistered". and yep! we find
it at CODE:004C5BA8 and there's one X-Ref to it. ok let's press
on the X-Ref and see where it goes.
	
CODE:004C5B40                  CODE_4C5B40:
CODE:004C5B40 BA A8 5B 4C 00   mov edx, offset str->UnregisteredCop

(you may see it a bit differently)
cool! it's moving the offset of that string into edx and there's a label
on it. cool! let's press on its X-Ref and what do we see here?

CODE:004C5AF9 74 45		jz short CODE_4C5B40
CODE:004C5AFB BA 84 5B 4C 00	mov edx, offset str->ThisCopyIsLicen

let's see! if it doesn't jump it will use the "This copy is licenced..."
string instead of that "unregistered" string. ok so we change the jz to 2 nops
and we're done! it will never jump! :) ok so this is good just for the
menu that appears when we press on the Cat picture. but what about the nag
screen when the trial is over? ok so we really can't find an x-ref
to the strings in the nag screen, and it's hard to break on CreateWindow
or something with SoftICE. so what can we do? ok so this is the thing.
let's check what the program checks before the JZ :) follow my lead?
not yet? ok. let's move up a few more lines before the Jump Zero.

CODE:004C5AF1 A1 44 A1 4F 00	mov eax, ds:DATA_4FA144
CODE:004C5AF6 80 38 00		cmp byte ptr [eax], 0
CODE:004C5AF9 74 45		jz short CODE_4C5B40
CODE:004C5AFB BA 84 5B 4C 00	mov edx, offset str->ThisCopyIsLicen

here we see that it moves an address into eax, and then it compares the
byte at this address with zero. so let's press on this address and see where
it takes us.

CODE:004C5AF1 A1 44 A1 4F 00	mov eax, ds:DATA_4FA144 <- PRESS HERE!
                                             ^^^^^^^^^

DATA:004FA144 94 D2 4F 00	DATA_4FA144 dd offset BSS_4FD294; DATA XREF: CODE_4C35E4+6
							; CODE:004C5077
							; CODE:004C5113
							...

ok we see that this thingy points to an address and it has 8 X-Refs!
so what can we do now? my idea is to go to each of the X-Refs, to see
what it does with this data and if there's a jz or jnz on this address,
so we can set a breakpoint with SoftICE and see if this is the one we need.
don't follow? well keep reading, it will get clearer :)
press on the 1st X-Ref "CODE_4C35E4+6". it moves us to

CODE:004C35EA A1 44 A1 4F 00		mov eax, ds:DATA_4FA144
CODE:004C35EF 80 38 00			cmp byte ptr [eax], 0
CODE:004C35F2 75 2A			jnz short CODE_4C361E

ok we see that it takes the data, compares it to 0, and if it's not equal
to 0 it jumps. ok so let's note the jnz address for later on.

now press Esc to go back to the X-Ref list and go to the 2nd X-Ref
"CODE:004C5077". in this one we have lots of lines with nothing important.
we have there "mov eax, ds:DATA_4FA144", that's our data, and after that
some xors, pushes, calls to a procedure and "test al, al". now that's
got nothing to do with us, it probably checks the return value of the procedure.

Press Esc and move to the 3rd X-Ref. in here again nothing interesting.

Press Esc and move to the 4th X-Ref. in here something very interesting.
this is the check that we eliminated in the beginning of the tutorial.
remember? so when you press on the cat it will say "registered".

Press Esc and move to the 5th X-Ref.
it brings us to the same place the 4th X-Ref brought us. why? cause
the program uses that data twice before actually checking it. why?
who cares! :D

Press Esc and move to the 6th X-Ref. nothing interesting.

Press Esc and move to the 7th X-Ref. ah ah!

CODE:004EE10B A1 44 A1 4F 00		mov eax, ds:DATA_4FA144
CODE:004EE110 0F 94 00			setz byte ptr [eax]
CODE:004EE133 A1 44 A1 4F 00		mov eax, ds:DATA_4FA144 
(if you didn't notice this is our 8th X-Ref)
CODE:004EE118 80 38 00			cmp byte ptr [eax], 0
CODE:004EE11B 0F 85 DE 00 00 00		jnz CODE_4EE1FF

cool! we have another jump! only this time it's jnz!
ok so we'll note this address too. so we have 2 addresses.
one is "4C35F2" from this one:
CODE:004C35F2 75 2A			jnz short CODE_4C361E

and the 2nd is "4EE11B" from this one:
CODE:004EE11B 0F 85 DE 00 00 00		jnz CODE_4EE1FF

now what we're gonna do is start the symbol loader of SoftICE, load
our program, and when SoftICE breaks before the program starts,
set breakpoints on those two addresses using BPX and offset 001b.
why offset 001B? that's the offset of your code :) how do i know?
well that's a fact! and besides, when SoftICE breaks it breaks
on the 1st instruction of the program and you see this offset! :D
001B:bla bla bla: bla bla..

ok now set bpx on both of the addresses and continue running the program.

what do you say? it breaks at the address "4EE11B"

CODE:004EE133 A1 44 A1 4F 00		mov eax, ds:DATA_4FA144 
CODE:004EE118 80 38 00			cmp byte ptr [eax], 0
CODE:004EE11B 0F 85 DE 00 00 00		jnz CODE_4EE1FF <- BREAKS HERE!!

ok now change the Zero flag from on to off and continue running the program.
YES!!! IT'S WORKING!!! that means you have to change the jnz to a JMP!

done! see? wasn't too hard. now how do you find where this code is
in the exe file? well you can search for the hex values of the instructions
but that's annoying. there's a nice program made by the mighty one,
iczelion, called "Virtual Address to File Offset". you load the exe
file with it, write the memory address and it gives you the offset
of it in the exe file itself. cool, huh? :D you can download it at his
site iczelion.cjb.net.
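The translation that tool does, as an added example that is not from the tutorial and not iczelion's program: a walk over the PE32 section table that maps a virtual address (as IDA or SoftICE display it) to the byte offset in the file, which is also how an analyst checks which on-disk bytes back a given instruction when comparing a file against its loaded image. The PE header below is constructed with a made-up layout (image base 0x400000, a CODE section at 0x401000 backed by file offset 0x400, a DATA section, and a BSS section with no file bytes); the real program's layout is not known from the page.

```python
import struct

def parse_pe32(data):
    """Return (image_base, [(name, va, vsize, raw_ptr, raw_size), ...]) from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return image_base, sections

def va_to_file_offset(data, va):
    """Map a virtual address to a file offset; None if no file bytes back it."""
    image_base, sections = parse_pe32(data)
    rva = va - image_base
    for _name, sva, vsize, raw_ptr, raw_size in sections:
        if sva <= rva < sva + max(vsize, raw_size):
            delta = rva - sva
            # BSS-style sections have a VirtualSize but no raw data on disk.
            return raw_ptr + delta if delta < raw_size else None
    return None  # header area or a gap between sections

def build_sample_image():
    """Constructed PE32 header with a made-up layout (not the tutorial's program)."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)    # 3 sections
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000, 0x1000, 0xD1000)
    opt = (opt + struct.pack("<I", 0x400000)).ljust(224, b"\0")      # ImageBase at +28
    def sec(name, va, vsize, raw_ptr, raw_size):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, 0)
    secs = (sec(b"CODE", 0x1000, 0xD0000, 0x400, 0xD0000)
            + sec(b"DATA", 0xD1000, 0x2A000, 0xD0400, 0x2A000)
            + sec(b"BSS", 0xFB000, 0x5000, 0, 0))
    return dos + b"PE\0\0" + coff + opt + secs
```

With the constructed layout, the tutorial's CODE:004C5AF9 lands at file offset 0xC4EF9 and BSS_4FD294 has no file offset at all, since the BSS section is uninitialised.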

i wanna thank ytc and iczelion and anyone else who helped me
in cracking. bu-bye for now!

ufk@hotmail.com
ICQ:1416041
Irc Nick: UFK
