


Visit http://cracking.accessroot.com
| Target: | WinLyrics v2.43 (Winamp Plug-in) |
| Title: | Reversing a Time-Limited Trial Driver |
| Protection: | None |
| Tools: | Olly v1.10 Step 2 |
| RE Level: | Intermediate |
| OS Requirement: | WinALL |
| Tutorial By: | MaDMAn_H3rCuL3s/ARTeam |
| Compiled: | May 9th, 2004 |
The reason I labeled this "Intermediate" is that this type of crack is fairly difficult. In order to crack it we must have Winamp installed, so before we begin, please install Winamp. Now that Winamp is installed we can begin. I will warn you, this tutorial is going to be long, and there are many ways to get lost in this crack. The crack I will show you will make any serial work and also removes the time limit. At first I thought the crack didn't work, because after it accepted the code the serial box still popped up; after I entered my serial again, it accepted it. So now, without further ado, here's the tutorial.
Part 1: How to do this?
Let us begin by starting up Olly and loading the target into her. You know (I hope) that we will need to load Winamp and not the actual target, since the target is a Winamp plug-in: we will use Winamp and venture through it to find our crack. So start up Olly and load Winamp into her. If Winamp isn't registered, it's not a problem; mine wasn't, I only used it for this crack. I wanted to try something new. So you will see mostly Winamp stuff if you search for string references, which is normal. You will need to actually start up Winamp and then open "Executable Modules" to view the target. So go ahead and do this. If you are unsure of how to do this, look below for some pictures in order of sequence.

Before Starting Winamp

After Starting Winamp
You will have noticed that the target is now listed in the "Executable Modules". See it? Double click on it, then right click, Search for.., referenced text strings. Now we're cooking. You see some strings we can work with here, so start looking through them for anything of interest. Note that the target is loaded now and you can enter anything you want into it, so why not check that out. Look below for the picture.

You can see I have time expired on mine.
Well, now I have a string to look for: "Time Expired". That one alone should be easy to reverse, but I want the whole target done. So go ahead and enter your favorite serial number and hit "OK". Look below for the picture.

There's our string!!!!!!!!!!!
Well, now we have 2 strings to go on: "Time Expired" and "Activation Code....". So go back to your string references and look for these 2 strings. Find them?

That's the one!
Now that we have something to go on, let's enter our serial into her again and see what the target tells us. Okay people, this is real easy. Think for a minute: if we break at this string, we are probably too late to make a difference in the code, correct? So scroll up a bit. I know all this will look confusing to you; the jumps and calls are all weird here. As you scroll up you will notice other error messages. Look below for some pictures.

This is where we break.

We scrolled up a bit. Do you see the "Thank you for your support"?
Well, I hope you see where I am going with this. Let's set a BP on the call above the "Thank you for your support" string. That looks like our "IsWinLyrics_Reg" routine. So remove our prior BP and set this one, then hit F9 so you can enter a serial again. Okay people, this is real easy. As soon as we break we are going to be exactly where we want to be: this is our decision routine, because you can see it's going to TEST EAX and then JE. So we need to see what EAX is and what it needs to be in order to be registered. After you put a BP on this call, hit F9 and then hit the "OK" button in the target. You will now break on the call. Look at EDX: you see your serial number there? Good. Follow this call, people; it will take us on the registration journey. So after the target breaks, hit F7 to step into the call. Look below for pictures.

Our break on the call.

Serial in EDX

Following the Call.
Okay, so we land at offset 02344760. We are in the call routine that determines whether the target is registered or not. Notice that most of these jumps go to offset 0234487E? The whole idea here is that these jumps must never be taken: we need to fall through the code all the way to the end in order to register correctly. In my original patch I only reversed 2 jumps. Going back through this now, I believe I was incorrect and should have patched a few more, so I will release a *proper* patch. I will now show you exactly what I patched and why I did it.
As you have already noticed, there are a few JNZs to offset 0234487E, and these jumps must not be taken in order for WinLyrics to register. What I had done originally was just patch offsets 023447CD and 0234481F. I should have known that this would only work for my serial number, since a different serial can trip one of the jumps I left alone. So the proper way of doing this is to NOP all the jumps that reference offset 0234487E. I have included the *proper* patch inside this tutorial; that's your bonus for reading it. So this is a really easy crack (once we understand what we are doing). Here is the list of jumps you will need to NOP in order for this target to be registered:
02344769 JE -> NOP
02344772 JE -> NOP
0234477E JE -> NOP
023447A3 JNZ -> NOP
023447AE JNZ -> NOP
023447CC JNZ -> NOP
0234481F JNZ -> NOP
These will officially crack this target. That's a lot of patching, huh? You will notice that the target refers back to the registration routine after being registered. This is okay, because we have patched it so it will take any serial number now. I hope you have learned something new today. I am sorry I made myself look like an ass; I totally forgot about how reversing a jump would affect other numbers. So, I thank you for your time. Please visit the ARTeam website for more tutorials on Olly. Get the patch here!
I am MaDMAn_H3rCuL3s and I am out.
*note: the bees seen at the header of this tutorial are taken from "The Hive"
*note2: If you enjoyed reversing this target please remember that the author of the program worked really hard in developing it. Please buy it if you find yourself using it past the trial period.