
           a$       a$$$$a                             a$a
          $$$a     a$$$$$$                a$$a  a$a   `$$$'
         $$$$$a    $$$$$$$             a$a`$$$$ `$$$   `$$
         `a$$$$    $$$ `$$  a$a        $$$a `$$$ `$$a   $$
           $$$'    $$'  $$ a$$$$      $$$$$  `$$  $$$a  $$$
           $$'          $$ $$$$$$   a$$$$$    $$  `$$$$aa$$
          $$$          a$$a  `$$$$ $$$$$' $$ a$$a  `$$$$$$$$$$
         $$$'       a$$$$$$    `$$$$$$'   $$ $$$$$$$ `$$$$$$'
      .a$$$$      a$$$$$$$$    a$$$$'        $$$$$' $$   `$$$
      $$$$$'     a$$$$$' $$  a$$$$$$$   a$$a $$'    $$$   $$$
      $$$$'      $$$$'  a$$ $$$$$ $$$$  `$$$ $$     `$$a  `$$$
      $$$$$$$$a. $$$' a$$$$ $$$$  `$$$   $$'a$$      $$$a a$$$
      `$$$$$$$$$ $$$a$$$$$$$`$$'   `$$a a$$ $$$a     `$$$$$$$$
           `a$$$$ $$$$$$' $$        `$$ $$' $$$$$$a   `$$$$$$'
              `$' `$$$'   `$         $$    a$$$$$$$$$$$
                                     `$'   `$$'

                       -------------------------------
                         How to Crack Winflash 4.0
                                    by
                                 WaxWeazle
                       -------------------------------



Contents:
 - Intro
 - Target
 - Things u need
 - Crack target
 - Let's start
 - Future

-----------
 Intro:
-----------
Before we start with this shit, I wanna say that this is my first public
tutorial. I will try to explain as well as possible! And don't blame me
for the bad English:) And BTW for viewing this file use MS's best tool ever
made: EDIT.COM:)

-----------
 Target:
-----------
Because this program is very easy 2 crack, this tutorial is only useful for
newbies! If u are a real +Cracker u won't get shit out of this! BTW there
are a lot of different ways to crack this program! This is just one way!
But I think this way is the fastest and the easiest!

-----------------
 Things u need:
-----------------
The following things are required for this tutorial; if u don't have these
things....get them:)

- W32Dasm 8.9
- Hiew 5.8x
- WinFlash 4.0
- Some ASM knowledge
- Ur brains:)

-----------------
 Crack target:
-----------------
The program we will crack is called WinFlash (32-bit) 4.0! See below for a
little description of the program:

"WinFlash was written to help you learn any material that can be represented
in textual, graphical or audio formats. You can use it to easily and quickly
create a text-only deck for a fast topic review. WinFlash is useful in both
scholastic and professional learning situations. In the corporate setting,
WinFlash is an excellent tool for producing training materials for employees."

-----------------
 Let's start:
-----------------

The first thing we do is run WinFlash; a nice shareware reminder will pop up.
After pressing 'Continue Unregistered->' u will arrive in the main screen.
In the menubar u see something about registering, but this is not important
to us, because in this case hard-cracking is faster! If we don't use a serial
to crack this sucker, what method shall we use then? Simple... if u look at the
top of the window u see something like this: "WinFlash32 v 4.0 - 1 day and 1 uses
in your 60-day/30-use evaluation". Hmm... let me think:) If we register the
program there is a big chance that this message is 'removed'. Am I right or
am I right? So we gonna use this weakness in the program to get this sucker
fully regged!

Open W32DASM 8.9 and load WINFLS95.EXE (get urselves a nice cup of Martini!)
wait....
And wait....
And finally W32DASM 8.9 is ready with disassembling the file:) Now u can
see the 'source' of WinFlash. We don't need this at the moment, so click
on Refs (an item in tha menu-bar) and go to 'String data references'.

At this moment a new window will pop up with all kinds of strings. Now we
can search for a string. What are we searching for??? Simple... remember the
weakness in tha program? Search for ' Day and'. Found it??? Take a look at
this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:  *Note(1)
|:004441EF(C)|
:00444268 833D88DC450000    cmp dword ptr [0045DC88], 00000000
:0044426F 0F8501020000      jne 00444476
:00444275 833D18D8450000    cmp dword ptr [0045D818], 00000000
:0044427C 0F85F4010000      jne 00444476
:00444282 B8B4F34500        mov eax, 0045F3B4

* Possible StringData Ref from Code Obj ->" - "
|
:00444287 B9C8474400        mov ecx, 004447C8
:0044428C 8B55F4            mov edx, dword ptr [ebp-0C]
:0044428F E8D0F4FBFF        call 00403764
:00444294 8D95E8FDFFFF      lea edx, dword ptr [ebp+FFFFFDE8]
:0044429A A1A0D64500        mov eax, dword ptr [0045D6A0]
:0044429F E8B0E8FBFF        call 00402B54
:004442A4 8D95E8FDFFFF      lea edx, dword ptr [ebp+FFFFFDE8]
:004442AA B8B8F34500        mov eax, 0045F3B8
:004442AF E810F4FBFF        call 004036C4
:004442B4 833DA0D6450001    cmp dword ptr [0045D6A0], 00000001
:004442BB 7522              jne 004442DF
:004442BD FF35B4F34500      push dword ptr [0045F3B4]
:004442C3 FF35B8F34500      push dword ptr [0045F3B8]

* Possible StringData Ref from Code Obj ->" Day And " <--- This is tha string!
|
:004442C9 68D4474400        push 004447D4
:004442CE B8B4F34500        mov eax, 0045F3B4
:004442D3 BA03000000        mov edx, 00000003
:004442D8 E8FBF4FBFF        call 004037D8
:004442DD EB20              jmp 004442FF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004442BB(C)
|
:004442DF FF35B4F34500      push dword ptr [0045F3B4]
:004442E5 FF35B8F34500      push dword ptr [0045F3B8]

* Possible StringData Ref from Code Obj ->" Days And "
|
:004442EB 68E8474400        push 004447E8
:004442F0 B8B4F34500        mov eax, 0045F3B4
:004442F5 BA03000000        mov edx, 00000003
:004442FA E8D9F4FBFF        call 004037D8

Note(1) = At location :004441EF is a (C)jump, as u can see. Let's go to that
          location!

:00444194 55                      push ebp
:00444195 8BEC                    mov ebp, esp
:00444197 81C4E8FDFFFF            add esp, FFFFFDE8
:0044419D 53                      push ebx
:0044419E 56                      push esi
:0044419F 57                      push edi
:004441A0 33C9                    xor ecx, ecx
:004441A2 898DE8FEFFFF            mov dword ptr [ebp+FFFFFEE8], ecx
:004441A8 894DF8                  mov dword ptr [ebp-08], ecx
:004441AB 894DF4                  mov dword ptr [ebp-0C], ecx
:004441AE 894DF0                  mov dword ptr [ebp-10], ecx
:004441B1 8945FC                  mov dword ptr [ebp-04], eax
:004441B4 BEACF34500              mov esi, 0045F3AC
:004441B9 33C0                    xor eax, eax
:004441BB 55                      push ebp
:004441BC 685F474400              push 0044475F
:004441C1 64FF30                  push dword ptr fs:[eax]
:004441C4 648920                  mov dword ptr fs:[eax], esp
:004441C7 C605BCF3450000          mov byte ptr [0045F3BC], 00
:004441CE 8D45F4                  lea eax, dword ptr [ebp-0C]

* Possible StringData Ref from Code Obj ->"WinFlash32 v4.0"
                                  |
:004441D1 BA78474400              mov edx, 00444778
:004441D6 E85DF4FBFF              call 00403638
:004441DB 8D45F0                  lea eax, dword ptr [ebp-10]

* Possible StringData Ref from Code Obj ->"WinFlash32 PRO v4.0"
                                  |
:004441DE BA90474400              mov edx, 00444790
:004441E3 E850F4FBFF              call 00403638
:004441E8 833D8CDC450001          cmp dword ptr [0045DC8C], 00000001 <- Note(3)
:004441EF 7577                    jne 00444268  <---------------------- Note(2)
:004441F1 833DCCE8450000          cmp dword ptr [0045E8CC], 00000000
:004441F8 7537                    jne 00444231
:004441FA FF75F4                  push [ebp-0C]

* Possible StringData Ref from Code Obj ->" - Registered To "
                                  |
:004441FD 68AC474400              push 004447AC
:00444202 8D85E8FEFFFF            lea eax, dword ptr [ebp+FFFFFEE8]
:00444208 BA94DD4500              mov edx, 0045DD94
:0044420D B901010000              mov ecx, 00000101
:00444212 E8E9F4FBFF              call 00403700
:00444217 FFB5E8FEFFFF            push dword ptr [ebp+FFFFFEE8]
:0044421D B8B4F34500              mov eax, 0045F3B4
:00444222 BA03000000              mov edx, 00000003
:00444227 E8ACF5FBFF              call 004037D8
:0044422C E95E030000              jmp 0044458F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004441F8(C)
|
:00444231 FF75F0                  push [ebp-10]

* Possible StringData Ref from Code Obj ->" - Registered To "
                                  |
:00444234 68AC474400              push 004447AC
:00444239 8D85E8FEFFFF            lea eax, dword ptr [ebp+FFFFFEE8]
:0044423F BA94DD4500              mov edx, 0045DD94
:00444244 B901010000              mov ecx, 00000101
:00444249 E8B2F4FBFF              call 00403700
:0044424E FFB5E8FEFFFF            push dword ptr [ebp+FFFFFEE8]
:00444254 B8B4F34500              mov eax, 0045F3B4
:00444259 BA03000000              mov edx, 00000003
:0044425E E875F5FBFF              call 004037D8
:00444263 E927030000              jmp 0044458F


Note(2) = Here's the jump to tha shareware message!
Note(3) = If 0045DC8C = 1 then the program is regged else
          it will jump to our shareware message!

Bingo!!! The program is putting a flag at memory location 0045DC8C:
         0 = Shareware
         1 = Regged

To crack this sucker we have to find tha location where the flag is set!
This is easy! Search '0045DC8C'. U get a lot of CMP 0045DC8C, ???? but
remember we are searching for the flag SET! The program uses a MOV for that,
so if u see something like this: MOV dword ptr [0045DC8C], eax ur hot!
Below is some source:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0043640E(C), :0043641B(C)|
:00436522 33C0                    xor eax, eax
:00436524 A38CDC4500              mov dword ptr [0045DC8C], eax <-----Note(4)
:00436529 6854DB4500              push 0045DB54
:0043652E 6A19                    push 00000019
:00436530 6890DC4500              push 0045DC90
:00436535 68A8704300              push 004370A8

Note(4)= At last we got the FLAG setter! (eax was just zeroed by the XOR
         above it, so this stores 0 = shareware.) So let's change it to:
         MOV dword ptr [0045DC8C], 1    <--- 1 = regged
         For those guys who don't know how to do this:
            1) Debug the program in W32DASM
            2) search for a button called 'Goto address' and push it!
            3) enter 00436524
            4) Bam.. ur back! Now press the 'Patch Code' button
            5) U see something like this:

                     Eip:          Current instruction at eip:
                ----------------- -------------------------------
               | Eip: 00436524   | mov dword ptr [0045DC8C], eax |
                ----------------- -------------------------------
                   Enter below new instruction:
               ---------------------------------------------------
              |                                                  |
               ---------------------------------------------------

Now we are ready to patch the sucker!
|
|
|                      Eip:          Current instruction at eip:
|                ----------------- ---------------------------------
|                | Eip: 00436524   | mov dword ptr [0045DC8C], eax |
|                ----------------- ---------------------------------
|                   Enter below new instruction:
| Tha new code   ---------------------------------------------------
|--------------> | MOV [0045DC8C],1                                 |
                 ---------------------------------------------------

And press enter! Now press the 'Apply' button. If ur smart u write the
new code down on a piece of paper, it might be handy:) Got it? It's something
like this: C7058CDC450001000000! Now click on Bill's cross (the close button)
of the current window. Confirm with yes. And now run tha program. No nag
screens will appear and the program is running regged! Mission Accomplished??? No!

We have to patch the file for ever! So close the program and ur back in
W32DASM. Goto location 00436524, write down the hex code (A38CDC4500).
Exit W32DASM (save it first!) and use Hiew or any other good hex editor on
WINFLS95.EXE. Search for A3 8C DC 45 00. Found it??? This is at offset
&H35924. Now u can change it to C7 05 8C DC 45 00 01 00 00 00.... Save it!
And u cracked this sucker! (Remember: always make a backup first!)
I hope u learned something about it, cya!
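As an added example that is not part of WaxWeazle's tutorial, the Python below does the VA-to-file-offset mapping behind the step from 00436524 to &H35924 and turns it into the check a vendor would want: compare the bytes at the flag store against the shipped encoding, so a patched copy is detected. It assumes a PE32 with .text at RVA 1000 and raw offset 400 (the layout that makes the page's two numbers agree) and runs against a constructed stand-in image, not WINFLS95.EXE.

```python
import struct

# Encodings taken from the page: the flag store at 00436524 (A3 8C DC 45 00) plus the
# push 0045DB54 that follows it at 00436529 (68 54 DB 45 00), and the 10-byte replacement
# the tutorial writes. It is twice the store's length, so the check compares all 10 bytes.
ORIG_WINDOW = bytes.fromhex("A38CDC4500" "6854DB4500")
PATCHED_WINDOW = bytes.fromhex("C7058CDC450001000000")
FLAG_STORE_VA = 0x00436524

def va_to_file_offset(pe, va):
    """Map a virtual address to a raw file offset using the PE32 section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if bytes(pe[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    image_base = struct.unpack_from("<I", pe, e_lfanew + 24 + 28)[0]  # PE32 ImageBase
    rva = va - image_base
    table = e_lfanew + 24 + opt_size
    for i in range(nsect):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, table + 40 * i + 8)
        if vaddr <= rva < vaddr + rsize:  # only addresses backed by raw file data
            return rptr + (rva - vaddr)
    raise ValueError("VA 0x%08X has no file-backed section" % va)

def flag_store_is_intact(pe):
    """Tamper check: the 10-byte window at the flag store still holds the shipped bytes."""
    off = va_to_file_offset(pe, FLAG_STORE_VA)
    return bytes(pe[off:off + len(ORIG_WINDOW)]) == ORIG_WINDOW

def build_sample_pe(window):
    """Constructed minimal PE32 (one .text at RVA 0x1000, raw 0x400, base 0x400000)."""
    e_lfanew, opt_size = 0x80, 0xE0
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, 0x10B)           # PE32 magic
    struct.pack_into("<I", hdr, opt + 28, 0x400000)   # ImageBase
    text = bytearray(0x36000 - 0x400)                 # zero-filled stand-in code section
    text[0x35924 - 0x400:0x35924 - 0x400 + len(window)] = window
    sect = opt + opt_size
    hdr[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sect + 8, len(text), 0x1000, len(text), 0x400)
    return bytes(hdr + text)

SAMPLE_ORIGINAL = build_sample_pe(ORIG_WINDOW)   # constructed "shipped" image
SAMPLE_PATCHED = build_sample_pe(PATCHED_WINDOW)  # constructed "patched" image
```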

-----------
 Future:
-----------
I think I will write a new tutorial soon, only if I have enough time! I am a
very busy man, ya know! And after all I am a cracker and not an essay writer:)
I think the next tut is about serial 'fishing', so watch our site!

Logging out.....
WaxWeazle
