Cracking for newbies #6 - by woody^drn

Now I'll show you how *extremely* easy it is to crack Powertweak. The protection is a time limit. I did this in under 5 minutes!

Start the program pt2.exe.. no nag screens or anything, cewl ;) well, kinda boring though. It says that it will expire in 20 days, okay, I'll set the date 20 days from now. Bang .. a nag appears saying "Sorry, the trial period of Powertweak v2.0 is now over." Cool, that looks like a job for bpx messageboxa. Break into SoftICE and type that. Now run the program again and SoftICE will break; press F11 to get to the caller, and now the messagebox appears. Press OK and we're back in SoftICE:

:004025C4 E877EFFFFF     call 00401540
:004025C9 83F814         cmp eax, 00000014
:004025CC 7C1B           jl 004025E9
:004025CE 6A00           push 00000000

* Possible StringData Ref from Data Obj ->"Powertweak 2.0"
|
:004025D0 68C0B24000     push 0040B2C0

* Possible StringData Ref from Data Obj ->"Sorry, the trial period of Powertweak "
                                        ->"2.0 is now over. Please purchase "
                                        ->"the registered version to continue "
                                        ->"using this software, or delete "
                                        ->"it now."
|
:004025D5 68D0B24000     push 0040B2D0
:004025DA 6A00           push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:004025DC FF1530844000   Call dword ptr [00408430]

SoftICE stopped here .. and if we scroll up a bit we can easily see that it calls the reg engine, compares eax with 14 (hex, i.e. the 20 days) and jumps if lower. Well, all we have to do here is patch the jl to jmp. But Powertweak has 3 different files you can run .. so let's go to the next one.

Next is ptctrl.exe .. run the file and let's see what it does. Bam! The same stupid nag .. well, let's try a different approach so you can learn something ;) Let's crack this in Hiew alone. Open the file in Hiew and go to hex mode. Search for the text "sorry" and Hiew finds the place. I found it at 403020. Now go to decode mode and press F7 and F7 again. Now you can enter asm commands; type: push 403020 and it will only find this once. cewl ..

:0040125E 83FA14         cmp edx, 00000014
:00401261 0F8C7BFFFFFF   jl 004011E2
:00401267 6A00           push 00000000

* Possible StringData Ref from Data Obj ->"Powertweak 2.0"
|
:00401269 68B4304000     push 004030B4

* Possible StringData Ref from Data Obj ->"Sorry, the trial period of Powertweak "
                                        ->"2.0 is now over. Please purchase "
                                        ->"the registered version to continue "
                                        ->"using this software, or delete "
                                        ->"it now."
|
:0040126E 6820304000     push 00403020

Geez! Where have we seen that before?? ;) heh, what a moron. Okay .. well, patch the jl again. Run the file .. weee, cracked that one too. NEXT! I wonder what the next "protection" is ;) heh. But let's do this in W32Dasm then .. oh man, I bet I can write this tutorial without looking into the next file :) Load up W32Dasm and load sysctrl.exe, press String Refs and search for "sorry ..." I'll bet you will find it. Patch the jl to jmp and it's cracked. Let's check it out :)

:004033A1 83FA14         cmp edx, 00000014
:004033A4 7C8E           jl 00403334
:004033A6 6A00           push 00000000

* Possible StringData Ref from Data Obj ->"Powertweak 2.0"
|
:004033A8 6800634000     push 00406300

Oh my .. what a surprise! That's it .. took me longer to write this than to crack it!

-wOODY^dRN
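The same cmp/jl pair shows up in all three listings above. As an added example (not part of woody's tutorial), this script recomputes the jump targets the disassembler printed next to the raw bytes, so you can see how '7C1B' becomes '004025E9' and how the rel32 form in ptctrl.exe encodes a backward jump; the listing text is constructed from the three excerpts in the tutorial.

```python
# Added example (not from the tutorial): recompute the jump targets that
# W32Dasm printed next to the 'jl' bytes in the listings above, to show
# how the disassembler turns '7C1B' into '004025E9'.
import re

# The cmp/jl pairs quoted in the text, constructed from the three listings.
LISTING = """
:004025C9 83F814 cmp eax, 00000014
:004025CC 7C1B jl 004025E9
:0040125E 83FA14 cmp edx, 00000014
:00401261 0F8C7BFFFFFF jl 004011E2
:004033A1 83FA14 cmp edx, 00000014
:004033A4 7C8E jl 00403334
"""
LINE_RE = re.compile(r"^:([0-9A-F]{8})\s+([0-9A-F]+)\s+(\w+)\s*(.*)$", re.I)

def parse_listing(text):
    """Yield (address, raw bytes, mnemonic, operands) for each listing line."""
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m[1], 16), bytes.fromhex(m[2]), m[3], m[4]

def jcc_target(addr, raw):
    """Relative Jcc: target = address of next instruction + signed displacement."""
    if len(raw) == 2 and raw[0] & 0xF0 == 0x70:                    # short Jcc, rel8
        disp = int.from_bytes(raw[1:], "little", signed=True)
    elif len(raw) == 6 and raw[0] == 0x0F and raw[1] & 0xF0 == 0x80:  # near Jcc, rel32
        disp = int.from_bytes(raw[2:], "little", signed=True)
    else:
        raise ValueError(f"not a relative Jcc: {raw.hex()}")
    return (addr + len(raw) + disp) & 0xFFFFFFFF

def cmp_imm8(raw):
    """83 /7 ib = cmp r/m32, imm8; returns the immediate (0x14 = 20 days here)."""
    if len(raw) != 3 or raw[0] != 0x83 or (raw[1] >> 3) & 7 != 7:
        raise ValueError(f"not cmp r/m32, imm8: {raw.hex()}")
    return raw[2]

def check_listing(text):
    """Return [(immediate, jl address, computed target)] for each cmp/jl pair,
    raising if a computed target differs from the one the listing printed."""
    insns = list(parse_listing(text))
    out = []
    for (_, craw, _, _), (jaddr, jraw, jmn, jops) in zip(insns[::2], insns[1::2]):
        target = jcc_target(jaddr, jraw)
        printed = int(jops, 16)
        if jmn.lower() != "jl" or target != printed:
            raise ValueError(f"{jaddr:08X}: got {target:08X}, listing says {printed:08X}")
        out.append((cmp_imm8(craw), jaddr, target))
    return out
```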