Cracking Air Messanger LAN Server v1.5 Updated in 03/06/99
Made by UFK

this is my 1st tutorial so bare with me here :)
if you find things to improve please let me know.

there are 2 different versions of this one the EXE file is 875,520 and in the
newer it's 876,544. so i'm gonna teach you to crack the 876,544 Version.
don't ask me why they're both the same version! :D i didn't make this program.

i'm currently using NT4 Service Pack 4 to crack the program.

ok so the tools that we need to crack it is an Hex editor, IDA and SoftICE.
this tutorial is not for too begginers cause you need to have a bit of 
an IDA background. ok.. so lets start. install that program, and start 
disassembling it with IDA. while you're doing it run the program. 
ok first we have an annoying NAG screen. wait i'll run the program too. 
an annoying neg about Continue or Web Register crap.
ok now you see when your program will be expired. same as in the 
about window.. you see when the program will be expired and lots of 
demo versions texts and crap. ok..  now change your computers date to some 
date that the program will stop working. ok now run it, and voila! 
an annoying nag "Your 30 Day Trial Has Expired!". now i tried to find in 
IDA the text "your 30", "trial".. anything. but i found nothing that
got to do with that nag. i tried with softice to bpx on messageboxexa, 
messageboxa but nothing! doesn't break. i tried on CreateWindowExa and it 
breaks too much :) the thing is that we didn't notice this one little thing. 
the BEEP the we hear when the nag appears. ok so we go to IDA to 
View->Segments->.idata in idata you can find the external functions calls. 
so i don't know what function does a beep so i'll search for the word "beep" 
with alt-t. text search. and what do you know? i found messagebeep with only 
one x-ref. now press on the x-ref. and uh-oh. too many x-refs in it.
so what we're going to do is to run Softice, to bpx on MessageBeep. 
to run the LAN program and when it breaks to find out where it breaks. 
how do we do that? simply. after softice breaks on Messagebeep. 
press F12 to get out of the function. now press "code on" so you'll see 
the hex values of each command. and copy the hex values
of the messagebeep call and the function after it.

001B:004577FC E8 5B DC FA FF call j_messagebeep
001B:00457801  F7 D8            neg eax

now search for those bytes with binary search (alt-b) in IDA. you found it! 
now check if it's the same address as in softice (4577FC). yes it is! 
now we're gonna mark this point with alt-M so it will be easy for us to go 
to it later on. now look at the code, there's a beep, and before it a push, 
and before it a LABEL! that's very nice :D that problebly means that if 
you're not registered it jumps here. so we press on the X-Ref and yep. 
we see JZ to that address.

CODE:004577F2 74 06     jz short CODE_4577FA

so you see the memory address? break on it with softice. change the flags 
so it won't jump and see if it works. there's a chance that it will break 
several times so change the flags each time. ok.. there's no NAG!! but the 
program quits on us. poop. not good. so what now? simply. we'll move one 
jmp backwards. hey what do we see here!
jnz to some address, mov, cmp, and then jz to the same address!
ok so we'll change the jnz cause it's the first jmp to the same address.
the memory address of that jmp is 4577da.

cmp     byte ptr [eax+82h], 0
mov     eax, [ebp+var_4]
cmp     byte ptr [eax+81h], 0
jz      short CODE_457830 
mov     eax, [ebp+var_4]
cmp     byte ptr [eax+98h], 0
jz      short CODE_4577FA ; that's the last jmp we tried to change and didn't work!
mov     [ebp+var_5], 0
jmp     short CODE_457830
push    40h
call    j_MessageBeep         ; BEEEEEEEEEEEP!
neg     eax

ok now.. it breaks several times.. make it jmp man! and voila! it works! :D 
ok so now we already marked it with alt-M so we know where we wanna change 
what. now lets move forward. i don't like this nag when i run the program! 
and when it says demo version in the about box.. yuck! ok.. so this is a 
method that i use in almost every program i wanna crack. do a binary search 
with IDA for "registered to:". and ok.. we found 2! :D with one x-ref to each.

add     bh, bh
db 3 dup(0FFh), 0Fh, 3 dup(0)
str->RegisteredTo db 'Registered To: ',0 ; DATA XREF: CODE:00478835o
db 4 dup(0FFh), 0Bh


add     [eax], al
db 4 dup(0FFh), 0Fh, 3 dup(0)
str->RegisteredTo_0 db 'Registered To: ',0 ; DATA XREF: CODE:0047D3B6o
push    ebp
mov     ebp, esp

ok.. so press on the X-REF of the 1st "Registered to:" string. you can 
see a label before that line. press on the X-ref and there's a jnz to it. 
so we know we need to change it to jmp! :D  so it will always jmp to that 
string. now go to the 2nd "Registered To:" and press on it's X-Ref.
now we see  "mov edx, offset str->Registered_To_0". you can see something 
a bit different but same idea. you can see a label before it. press on 
it's X-REF and voila! a jnz! now we know we need to change
that to a jmp too. cool! now.. it's the time to use an hex editor.
i suggest you'll use Hacker's VIEW. 
it's the best hex editor ever! why? cause we can change assembler commands 
without knowing their hex values. that's my most fav option in it :D ok. 
i'm not gonna teach you how to change bytes cause it's not an hacker's
view editor. but if you have problems you can always e-mail me and ask.
of course you can you use any hex editor you like but.. HIEW is very powerful.
ok hope you understand something. bu-bye for now.

ICQ    : 1416041
p; #      ###