-----------------------------------------------------+
This information is for educational purposes only!   |
-----------------------------------------------------+

		 How to crack Nero 4.0.9.1 with Softice
	       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
			        by yoda	


Welcome to my first cracking tutorial. I'm a newbie ( I started cracking
about 3 months ago ) but I hope I can still teach you sth. Don't blame
me for any faults in this tut or my bad English :)... Let's CRACK !!!

First install Nero 4.0.9.1 (downloadable at: www.ahead.de, I think :).
Then run it. Sth like this should appear:

     ----------------------------------------------
     | blah			              ?	X |
     ----------------------------------------------
     | blah, blah, ...				  |
     |      					  |
     | Name: 	   ______________________________ |
     | Company:	   ______________________________ |
     | Serial No.: ______________________________ |
     |    ________      ________      ________    |
     |    | Demo |      |  OK  |      | EXIT |    |
     ----------------------------------------------

Let's try to skip this shit >:). Enter your name, company and a serial
number ( I prefer 1223 because sth like 12345 you will very often find
in the RAM ). What's that, the OK button is deactivated :(. Press Ctrl+D,
so Softice will pop up. Normally we should set a breakpoint (with bpx)
on the Windows API "enablewindow" but let's use getwindowtexta, so type
in "bpx getwindowtexta", press Enter and F5. We'll be back at the
proggy. Now add a 3 in the serial edit box and Softice pops up. Keep
pressing F5 until we are back in the proggy (to test how many
getwindowtext's there are). OK, the proggy does 3 getwindowtext. One for
the name, one for the company and one for the serial. Now let's erase
the last "3" in the serial edit box. Softice pops up. Then press F5
2 times to go to the last getwindowtext, press F12 to go to the call of
this getwindowtext. Trace (F10) down some ret's until you reach sth like
this:

:00435122 E8BF190B00              call 004E6AE6
:00435127 85C0                    test eax, eax
:00435129 7503                    jne 0043512E      <- the first conditional jump
:0043512B 50                      push eax
:0043512C EB34                    jmp 00435162
...

Trace to the conditional jump, which wants to jump. Maybe we don't want
that :), so type in "r fl z" to change the zero flag, disable your
breakpoints ("bd*") and press F5 to go back to the proggy. Wow, the OK
button is active, so let's press it. The proggy runs fine, but let's try
to restart it. Nero tells you that your serial number is invalid (very
smart). Click on the OK button and you will see the old box which wants
you to enter a valid serial :(.
Let's try sth different! Close Nero and set a breakpoint on
the Windows API (API = Application Programming Interface) messagebox
because the first nag looks like a messagebox. Type in (in Softice)
"bpx messageboxa"
(the a is for 32bit - win 9x/2000/NT). Now start Nero again. It'll
break, so press F12 to get to the caller. The messagebox will now appear.
That's not bad, just click on OK and you'll be here:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:004F0B18 6804010000              push 00000104
:004F0B1D 50                      push eax
:004F0B1E 6A00                    push 00000000
:004F0B20 8DBDECFEFFFF            lea edi, dword ptr [ebp+FFFFFEEC]

* Reference To: KERNEL32.GetModuleFileNameA, Ord:0124h
                                  |
:004F0B26 FF1504845100            Call dword ptr [00518404]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F0B10(U)
|
:004F0B2C 53                      push ebx
:004F0B2D 57                      push edi
:004F0B2E FF7508                  push [ebp+08]
:004F0B31 FF75F4                  push [ebp-0C]

* Reference To: USER32.MessageBoxA, Ord:01BEh
                                  |
:004F0B34 FF1584855100            Call dword ptr [00518584]
:004F0B3A 85F6                    test esi, esi         <- you are here
:004F0B3C 8BF8                    mov edi, eax
:004F0B3E 7405                    je 004F0B45

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

We must find a jump which jumps over this messagebox, but you'll see
nothing like this above this messagebox call :(. Hmmm.. Let's go to the
caller's call :), so press F12 and look whether you find a
conditional jump over the call. If so, set a breakpoint
on this conditional jump (with a double-click in Softice) and rerun the
proggy. When it breaks on the jump, take it (e.g.: "r fl z"), press F5
and look whether the messagebox appears. If it appears, try the next
caller's caller. The third caller's caller is good:

:0043519D 7E0E                    jle 004351AD <- jump we must force
:0043519F 6AFF                    push FFFFFFFF

* Possible Reference to String Resource ID=00048: "Writing Wave file"
                                  |
:004351A1 6A30                    push 00000030

* Possible Reference to String Resource ID=61265: "This serial number...
                                  |
:004351A3 6851EF0000              push 0000EF51
:004351A8 E8F4B90B00              call 004F0BA1  <- calls the first Nag

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00435195(C), :0043519D(C)
|
:004351AD 8BCF                    mov ecx, edi
:004351AF E895A90100              call 0044FB49

Force the jump (jle) and the messagebox telling us that we
entered an invalid serial won't pop up. But what's that, again the bitchy
box (where one can enter name, company and serial) appears :(.
Before we do sth against this, clear your breakpoints ("bc*") and
change the jle to a jmp with any hex editor (File: Nero.exe
offset: 3519D patch: EB ). Now the first nag won't appear
on startup of Nero. Close Nero and set a breakpoint on showwindow
("bpx showwindow") in Softice and run Nero. When Softice breaks on
the bitchy box, try to find a conditional jump which jumps over this call.
Try also the caller's callers.
...
Solution:
After the break press 3 times F12 then the bitchy box will appear.
Click on exit and Softice pops up again, 2 times F12 and you'll see:

:00483BBD E85672FFFF              call 0047AE18
:00483BC2 E8F415FBFF              call 004351BB <- calls bitchy box
:00483BC7 85C0                    test eax, eax <- you are here
:00483BC9 0F84D6020000            je 00483EA5   <- closes Nero
:00483BCF 8B86C0000000            mov eax, dword ptr [esi+000000C0]
:00483BD5 8D8EC0000000            lea ecx, dword ptr [esi+000000C0]

Now we are able to kill the box :). Just nop, with a hex editor, the call
at 00483BC2 and nop the jump at 00483BC9. ( Offsets are the same number
but without the first 4 -> memory offset: 483BC2 = offset 83BC2).
Now Nero should run without any nags :) - Done.
I hope I could explain it all in a somewhat understandable way.


GreetZ go out to all crackers on this planet !!!
Thx tKC for your great tut collections. I've read them all.
Feel free to mail me: yoda_f2f@gmx.net (Don't ask me where to find any
cracking tools, please)

Internet sites where you can find tools:
www.crackstore.com
protools.cjb.net
www.warez.com (search for the program you are looking for)

CU