Tutor for cracking The Bat! v1.00 (Internet e-mail client)
by TheBrabo - The Netherlands.

(http://www.ritlabs.com/the_bat)

It's an easy patch. You can do a S/N, just catch the input
and follow the commands. It looks complicated and my rule is to spend
as little time as needed. But a S/N is better than a patch (newer versions).

Oke how do I proceed for this crack:
1. Do a disassembly with WDASM or IDAPRO (I'm still looking for a 
   registered version of IDAPRO). I used WDASM because it is quick and
   in most cases sufficient.
   We see that in the about box a message is shown that you're unregistered. 
   This can mean two things:
     - there are two (or more) about boxes
     - the text itself is displayed in a general about box (most common)
   Via the Symantec resource editor you'll find that the programmer doesn't
   follow the regular guidelines, so you can't tell yet what is appropriate.
   I think the second one, so you can do a test on TEXTOUT or something like
   that when the aboutbox will be displayed/created. I'll do it with another
   intelligent way (I'm no programmer - I never had a course in that way - 
   so I do with "common sense").

2. Look for "REGISTER" in the disassembled text and you'll find only this:
       :00408C2A BA74A24000              mov edx, 0040A274   ; "Version %s"
       :00408C2F E8789AFFFF              call 004026AC
       :00408C34 8D8390000000            lea eax, dword ptr [ebx+00000090]
       :00408C3A BA88A24000              mov edx, 0040A288   ; "UNREGISTERED"
       :00408C3F E8689AFFFF              call 004026AC
       :00408C44 8D8394000000            lea eax, dword ptr [ebx+00000094]
       :00408C4A BAB0A24000              mov edx, 0040A2B0  ; "Registered to"
       :00408C4F E8589AFFFF              call 004026AC
       :00408C54 8D8398000000            lea eax, dword ptr [ebx+00000098]
       :00408C5A BACCA24000              mov edx, 0040A2CC

3. Now you know where the text "UNREGISTERED" is saved. Start up
   SoftIce and do a BPX 408C34. Just step over the three commands and
   you'll see that the string is stored at the address EAX points to.
   In my case EAX=EC0C6900. So the string is at DS:00690CEC, do a check
   (D 690CEC). 
   The reference address is [EBX+90] (DS:4F2580). Probably later on
   overruled when you choose a different language.

4. Do a BPM on address DS:EBX+90 and run the programme further on (F5).
   You'll see that SoftIce will come up a couple of times. But we're only
   interested in the aboutbox, so ignore these pop ups.

5. From the menu, choose Help|About and SoftIce will stop the programme
   at CS:48AF3B. This is part of the disassembly:
       :0048AF25 E822D00400              call 004D7F4C
       :0048AF2A A1600B4F00              mov eax, dword ptr [004F0B60]
       :0048AF2F 80784B00                cmp byte ptr [eax+4B], 00
       :0048AF33 7513                    jne 0048AF48
       :0048AF35 8B1580254F00            mov edx, dword ptr [004F2580]      ; Text Unregistered
       :0048AF3B 8B83C0010000            mov eax, dword ptr [ebx+000001C0]
       :0048AF41 E806D00400              call 004D7F4C
       :0048AF46 EB3B                    jmp 0048AF83
       :0048AF48 8D45FC                  lea eax, dword ptr [ebp-04]        ; Registered version starts
       :0048AF4B 50                      push eax
       :0048AF4C 8D55F0                  lea edx, dword ptr [ebp-10]
       :0048AF4F A1600B4F00              mov eax, dword ptr [004F0B60]
       :0048AF54 83C04B                  add eax, 0000004B
       :0048AF57 E85C22FBFF              call 0043D1B8
       :0048AF5C 8B45F0                  mov eax, dword ptr [ebp-10]
       :0048AF5F 8945F4                  mov dword ptr [ebp-0C], eax
       :0048AF62 C645F80B                mov [ebp-08], 0B
       :0048AF66 8D55F4                  lea edx, dword ptr [ebp-0C]
       :0048AF69 33C9                    xor ecx, ecx
       :0048AF6B A184254F00              mov eax, dword ptr [004F2584]
       :0048AF70 E82FB2F7FF              call 004061A4
       :0048AF75 8B55FC                  mov edx, dword ptr [ebp-04]
       :0048AF78 8B83C0010000            mov eax, dword ptr [ebx+000001C0]
       :0048AF7E E8C9CF0400              call 004D7F4C
       :0048AF83 B201                    mov dl, 01                       ; go on, registered or not
       ..... 
   It appears that the string is loaded at CS:48AF35. You could do a
   search on [004F2580] in the disassembly, but it's not always so easy
   as now. The BPM way works most of the time.

6. What do you see just before the command line, right a JNE. The compare method 
   is the most used way by programmers. (It is better to do a jump with a variable
   address or a source code which is generated real time, but they are
   crackable as well.) Ok, we'll do a test whether we're right. BPX on
   the JNE and run the programme further on.

7. Choose Help|About and Softice will pop up on CS:48AF33. Change the Z-flag
   (type: R FL=Z) and run the programme further. The dialog box says now
   that the programme is registered. So you know now that when address
   [EAX+4B] is greater than zero you're registered. You can try it if you
   want to. Change this address into 1. Do a E EAX+4B change the first value
   (it is a byte compare) into 1, press enter, and F5. You see: it works from
   then on!

8. Next thing is to figure out where this address is set. Just BPM [EAX+4B]
   at CS:48AF2F (you have to do it on that command line 'cause you don't know
   EAX otherwise) and leave the programme.

9. Start-up the programme and SoftIce will pop up at the following four 
   command lines who "do" something with this memory address before the NAG 
   is shown:
     A. 401CD2
     B. 48AF33
     C. 4A2D44
     D. 43D1B1

   A. So look at the first one:
        :00401CC8 8B48E8                  mov ecx, dword ptr [eax-18]
        :00401CCB 31C0                    xor eax, eax
        :00401CCD 51                      push ecx
        :00401CCE C1E902                  shr ecx, 02
        :00401CD1 49                      dec ecx
        :00401CD2 F3                      repz
      In my case (the shareware version) it will zero the address. You can
      overrule this but it's more difficult than the method I will show you.
   B. It's the same as the dialogbox described above
   C. The third one:
        :004A2D37 6A00                    push 00000000
        :004A2D39 6A00                    push 00000000
        :004A2D3B A1600B4F00              mov eax, dword ptr [004F0B60]
        :004A2D40 0FB6404B                movzx eax, byte ptr [eax+4B]
        :004A2D44 05A40A0000              add eax, 00000AA4
        :004A2D49 50                      push eax
        :004A2D4A 8BC3                    mov eax, ebx
        :004A2D4C E8AF880300              call 004DB600
        :004A2D51 50                      push eax
        :004A2D52 E8811BF6FF              Call 004048D8   ; user32.PostMessageA
      The address is read, and I think used for the opening NAG.
   D. The forth one:
        :0043D1A4 FC                      cld
        :0043D1A5 57                      push edi
        :0043D1A6 89C7                    mov edi, eax   ; EDI=5A2943 (my EAX+4B you saw earlier)
        :0043D1A8 30C0                    xor al, al
        :0043D1AA B9FFFFFFFF              mov ecx, FFFFFFFF
        :0043D1AF F2                      repnz
        :0043D1B0 AE                      scasb
        :0043D1B1 91                      xchg eax,ecx
        :0043D1B2 F7D0                    not eax
        :0043D1B4 48                      dec eax
        :0043D1B5 5F                      pop edi
        :0043D1B6 C3                      ret
      This scans for the value AL (=0). This is only a compare method. The result of this
      procedure is whether you are registered or not.

   So what have you learned: three of these are readers, the first one is a writer.
   Probably the address is not written because registration information is missing, but
   (A) could also write the results of this check. You can go deeper on this (it's the
   best to do) - a good programmer will modify the first one - but as I said I'm no 
   programmer. The easiest way is to change the second memory check.

10.We're going to change the first compare (B) into a writing.
   We saw earlier the following compare:
       :0048AF2A A1600B4F00              mov eax, dword ptr [004F0B60]
       :0048AF2F 80784B00                cmp byte ptr [eax+4B], 00
       :0048AF33 7513                    jne 0048AF48
       :0048AF35 8B1580254F00            mov edx, dword ptr [004F2580]      ; Text Unregistered
   Just BPX CS:48AF2F. Run the programme again until SoftIce pops up at this
   address. Press A and enter and enter the following command lines:
        MOV BYTE PTR [EAX+4B],1
        JMP 48AF48
   You're lucky, the assembler says the next command line will start at 48AF35. Just 
   press enter and write down the new command codes (it is: C6404B01 and EB13). If 
   the new commands are shorter (they don't reach 48AF35) then you can NOP accordingly. 
   In case it's longer it's no problem for this programme because the lines from 48AF35 
   to 48AF48 aren't used anymore (but you have to be careful that 48AF48 doesn't change!). 
   You'll see that everything works like you're registered.
   
11.Now you only have to patch the programme (change 80784B0075138B into C6404B01EB138B)
   and test the programme with a new system date.

That's it.

Hope to see you in The Netherlands,
TheBrabo.

Keep in mind that this tutorial is not illegal, using unregistered versions is! You 
sometimes can correct errors in programmes (like in PCB Developer's Individual Assistant 
which I found the other day). In countries with the EU law you are allowed to make use 
of these patches. 