Thursday, November 15, 2007

Step By Step "HOW TO CRACK CHANGE ANY ICON 1.1"

-------------------------------------------------------------------------------------------------
HOW TO CRACK CHANGE ANY ICON 1.1 - A TUTORIAL BY CoDe_BrEAKer
-------------------------------------------------------------------------------------------------

DISCLAIMER: FOR EDUCATIONAL PURPOSES ONLY. NEITHER I NOR THE PUBLISHER OF THIS IS HELD RESPONSIBLE FOR ILLEGAL USE OF THIS ARTICLE. IF YOU DO NOT AGREE THEN PLEASE LEAVE NOW. YOU MUST BUY THE SOFTWARE YOU USE.

Target: Change Any Icon 1.1
Protection: only a 7-day trial!!!! huh.... (a nag screen)
Tools used: W32Dasm, Hiew
Level: very, very easy

Let's start. I don't think this is such a great program that only a 7-day trial should be given to the user; I don't know what the author was thinking. Let's start cracking. The first step is to analyse the target program. Start Change Any Icon and take a look. It just displays a nag screen, "u r on xxx day of ur evaluation ....", gives the options "try now" and "bye now", and then starts the application. Now close the application. Ohh.... once again a nag screen. OK, now close the application and set your system date one month forward.

Start Change Any Icon again. It displays a nag screen, "evaluation expired", and gives the option to register or close. Remember this string and close the application. (And yes, this program will still work after the expiration period if you press Alt+F4 to close the nag screen. If you don't believe it, try it! But nobody like us likes this kind of stupid nag screen, shown before starting and ending the program. Therefore we crack this program.)

Now run W32Dasm and load cganyico.exe into it. Click on String Data References and search for the string "evaluation expired". Double-click on it, then double-click on it again to see how many times this message gets called (and yes, always check how many times a given string is called). We see that this message is called from two different places. I think you understand why it is called twice. If not, please run the application once again. Understand? OK, I will tell you: this message is shown to us twice, first when we start the application and second when we close it.

Now go to the first location (by double-clicking on "evaluation expired") and you are here:

* Possible StringData Ref from Code Obj ->"Evaluation Expired!" <---------YOU ARE HERE
|
:0046D002 BA9CD04600 mov edx, 0046D09C
:0046D007 E82CF0FBFF call 0042C038
:0046D00C A1E81E4700 mov eax, dword ptr [00471EE8]
:0046D011 8B00 mov eax, dword ptr [eax]
:0046D013 8B80DC020000 mov eax, dword ptr [eax+000002DC]
:0046D019 33D2 xor edx, edx
:0046D01B 8B08 mov ecx, dword ptr [eax]
:0046D01D FF515C call [ ecx+5C ]
:0046D020 EB39 jmp 0046D05B

Now take a look a few lines above where we landed:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046CFAD(C)-----------------MESSAGE CALLED FROM THIS LOCATION
|
:0046CFC1 33D2 xor edx, edx
:0046CFC3 8B806C030000 mov eax, dword ptr [eax+0000036C]
:0046CFC9 E886FDFDFF call 0044CD54
:0046CFCE E83DA3FFFF call 00467310
:0046CFD3 8BD8 mov ebx, eax
:0046CFD5 8B0DE81E4700 mov ecx, dword ptr [00471EE8]
:0046CFDB A144214700 mov eax, dword ptr [00472144]
:0046CFE0 8B00 mov eax, dword ptr [eax]
:0046CFE2 8B1588D24600 mov edx, dword ptr [0046D288]
:0046CFE8 E8CFD0FDFF call 0044A0BC
:0046CFED 81FBBB0D0000 cmp ebx, 00000DBB
:0046CFF3 752D jne 0046D022
:0046CFF5 A1E81E4700 mov eax, dword ptr [00471EE8]
:0046CFFA 8B00 mov eax, dword ptr [eax]
:0046CFFC 8B80F8020000 mov eax, dword ptr [eax+000002F8]

So there is a check at location 0046CFAD. Now go to this location and you see this:
:0046CFAD 7412 je 0046CFC1
Now put the W32Dasm selection bar on this line and note the offset, then change this jump from je to jne by changing 74 to 75 using Hiew.

OK, now go to String Data References again and go to the location where the second call to "evaluation expired" is made. Then you are here:

* Possible StringData Ref from Code Obj ->"Evaluation Expired!"<<<<-----------YOU ARE HERE
|
:004679D2 BA707A4600 mov edx, 00467A70
:004679D7 E85C46FCFF call 0042C038
:004679DC A1E81E4700 mov eax, dword ptr [00471EE8]
:004679E1 8B00 mov eax, dword ptr [eax]
:004679E3 8B80DC020000 mov eax, dword ptr [eax+000002DC]
:004679E9 33D2 xor edx, edx
:004679EB 8B08 mov ecx, dword ptr [eax]
:004679ED FF515C call [ecx+5C]
:004679F0 EB39 jmp 00467A2B

Now take a look a few lines above where we landed:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00467994(C)<<<<<<<<-------------------------------MESSAGE CALLED FROM THIS LOCATION
|
:0046799E E86DF9FFFF call 00467310
:004679A3 8BD8 mov ebx, eax
:004679A5 8B0DE81E4700 mov ecx, dword ptr [00471EE8]
:004679AB A144214700 mov eax, dword ptr [00472144]
:004679B0 8B00 mov eax, dword ptr [eax]
:004679B2 8B1588D24600 mov edx, dword ptr [0046D288]
:004679B8 E8FF26FEFF call 0044A0BC
:004679BD 81FBBB0D0000 cmp ebx, 00000DBB
:004679C3 742D je 004679F2
:004679C5 A1E81E4700 mov eax, dword ptr [00471EE8]
:004679CA 8B00 mov eax, dword ptr [eax]
:004679CC 8B80F8020000 mov eax, dword ptr [eax+000002F8]

So there is a check at location 00467994. Now go to this location and you see this:
:00467994 7408 je 0046799E
Now put the W32Dasm selection bar on this line and note the offset, then change this jump from je to jne by changing 74 to 75 using Hiew.
Now run Change Any Icon: no nag screen any more!!!!!

But one minute!!!! Just go to the FOLDER option, select any folder to change and click on Change. Ohh..... "Sorry, Only Registered version can use this function."
OK, it is the only option which is disabled in the shareware version. So once again disassemble cganyico.exe and search for the string "Sorry, Only Registered version can use this function." (and yes, always check how many times a given string is called). OK, this one is called only once. Click on it and you are here:

* Possible StringData Ref from Code Obj ->"Sorry, Only Registered version "
->"can use this function." <<<<-----------YOU ARE HERE
|
:0046B7DC B86CB94600 mov eax, 0046B96C
:0046B7E1 E82239FEFF call 0044F108
:0046B7E6 E930010000 jmp 0046B91B
Now look a few lines above where we landed:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B7B5(C)
|
:0046B7D3 803DEC38470000 cmp byte ptr [004738EC], 00
:0046B7DA 750F jne 0046B7EB<<<<<----------------THIS JUMP

Change this jne to je.
Now run the application and it works!!!!!

Voila!!!! We cracked another STUPID PROTECTION.....
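
Seen from the vendor's or an incident responder's side, all three patches in this tutorial are one-byte edits that invert a short conditional jump, which a pinned hash catches and a byte diff localises. The sketch below is an added example, not part of the original tutorial or of the program; the function names and the sample bytes (assembled from the listings above) are assumptions made for illustration.

```python
import hashlib

# Short conditional jumps are opcodes 0x70-0x7F plus a rel8 byte; each even/odd
# pair (0x74 je / 0x75 jne, ...) tests the opposite condition.
JCC = ["jo", "jno", "jb", "jnb", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def matches_known_good(image: bytes, expected_sha256: str) -> bool:
    """Integrity check: True only if the image hashes to the pinned digest."""
    return hashlib.sha256(image).hexdigest() == expected_sha256.lower()


def diff_images(reference: bytes, suspect: bytes):
    """Return (offset, kind, detail) for every byte that differs.

    Byte-level heuristic with no disassembly: a 'jcc-inverted' hit on a data
    byte is possible, so treat findings as triage hints, not proof.
    """
    if len(reference) != len(suspect):
        return [(None, "size-mismatch", f"{len(reference)} != {len(suspect)}")]
    findings = []
    for offset, (old, new) in enumerate(zip(reference, suspect)):
        if old == new:
            continue
        if 0x70 <= old <= 0x7F and (old ^ new) == 0x01:
            findings.append((offset, "jcc-inverted",
                             f"{JCC[old - 0x70]} -> {JCC[new - 0x70]}"))
        else:
            findings.append((offset, "modified", f"{old:02X} -> {new:02X}"))
    return findings


# Constructed sample: instruction bytes copied from the listings above and
# concatenated (je +12 / cmp ebx, 0DBB / jne +0F); not the real file layout.
REFERENCE = bytes.fromhex("7412" "81FBBB0D0000" "750F")
KNOWN_GOOD_SHA256 = hashlib.sha256(REFERENCE).hexdigest()
_patched = bytearray(REFERENCE)
_patched[0], _patched[8] = 0x75, 0x74  # the two kinds of one-byte edit described
SUSPECT = bytes(_patched)

if __name__ == "__main__":
    print("hash ok:", matches_known_good(SUSPECT, KNOWN_GOOD_SHA256))
    for finding in diff_images(REFERENCE, SUSPECT):
        print(finding)
```

A check like this is only useful when it runs outside the binary being verified (installer, updater, file-integrity monitoring), since a check compiled into the same image is just one more conditional jump.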