============================================================================
TITLE:
Patching HexDecOctBin Converter v1.00
============================================================================
TOOLS USED:
OllyDbg v1.09d(step 4)
Hiew 6.85
Brain (Preferably version human or above)
============================================================================
TARGET:
robhdob.exe
============================================================================
LOCATION OF TOOLS AND PROGRAM:
http://www.grinders.withernsea.com/tools/odbg109d.rar
http://www.grinders.withernsea.com/tools/hiew685.rar
http://www.grinders.withernsea.com/tools/HexDecOctBinv1.00.rar
============================================================================
CONTACT INFORMATION:
Msn Messenger - jammysa@hotmail.com
Icq# - 46313648
Email Address - Merlin@accessroot.com
============================================================================
TUTORIAL VERSION:
v1.0 Written 4th of December 2003.
============================================================================
AUTHOR AND OTHER ALIASES:
Merlin

Nilrem2
Nilrem
Grimgnaw
Khulad
Khulad Illphukiir
(-~Merlin~-)
============================================================================
First make a backup of robhdob.exe
Load up robhdob.exe, as you can see the program expires in 21 days, so close the program and move your clock forward one year (I'm too lazy to move it forward 21 days) to see what happens when our 21 days trial period has expired. We get given the error message "Sorry, this copy of the program has expired."
Let's start our Disassembler/Debugger OllyDbg and open up robhdob.exe in OllyDbg.
So, let's search for this string, right click in the CPU - robhdob.exe Module window, choose Search For -> All referenced text string, scroll up to the top, select the top line, and right click, select Search for text, and type in, without quotation marks, "Sorry, this copy of the program has expired." uncheck 'Case sensitive' and 'Entire scope' then hit Enter, hmm it can't find it, well what now? Well we know it's a time trial program, and that means the program must find out the current date, the common ones for this are:
{GetTimeZoneInformation
GetSystemTime
GetFileTime
GetLocalTime}
Let's go for GetSystemTime, left click it, right click it, and select 'Find references to import' -> 'Selected Command', set breakpoint (F2) on one that comes up in the new window, then press Enter (follow in disassembler). Press F9 to run robhdob.exe, and it lands at our breakpoint, the message box hasn't popped up, so we know it is been the command is been called before the messagebox is called. Hit F9 again, and we get the error message, click ok, then ok again, then restart the program in OllyDbg (Ctrl+F2). Now let's go to our breakpoint, the quick way is to press alt+b, then double click 00406507. Ok so we want to find the command that brings us here, so right click and hit Ctrl+R ('Find references to' -> Selected Command), hmm there are no other ones (the red one means we are already there), let's try going to the top of the routine because there are no jumps in the routine before our call so there must be a call to it, the top of the routine is where the black line starts which is 004064F0, so left click it, right click and find reference to command, double click the black one to 'Follow in Disassembler'. So we are at the place that gets our SytemTime, we want to stop this from happening so we NOP it. NOP means No-Operation and in hex it is 90, we have 5 bytes to nop E8 33 15 FF FF, to do this quickly in OllyDbg since we want to NOP all of it, we right click, choose 'Binary -> Fill with NOPS'. Now hit F9 to start the program. Then click ok on the shareware nag. Well done cracker you can now use this program forever, however OllyDbg only makes changes to the program temporarily. Write down the address we will be wanting to go to (00414FB8) and the bytes we want to change (E8 33 15 FF FF), launch Hiew, and open robhdob.exe and press F4 (Mode) and choose Debug, ahh isn't that much better, now we need to go to the address, so press F5 (goto) and type .00414FB8 and hit enter (we put a dot before it if we are searching for an address), now go back to OllyDbg, click 'Debug -> close' at the menubar, otherwise Hiew would be in Read-Only mode when trying to edit the program. Now we are at 00414FB8, press F3 (Edit) and type 90 five times, followed by F9 (Update), and then finally F10 (Close). Well done you have successfully cracked HexDecOctBin Converter V1.00!
Remember, if you use the program then buy it.
============================================================================
SHOUTZ AND GREETZ:
Once again thankyou Kyrstie for been my girlfriend, I know I pi$$ you off sometime hehe, to Hoof Arted for inspiring me to write tutorials for OllyDbg, the creators of RegView, Hiew, and OllyDbg.
============================================================================