
Reverse Engineering for Beginners : Software cracking & Impossible shutdown practical joke (Windows7)

1.19 Software cracking

The author says at the outset that the vast majority of programs can be cracked in the same way:

you look for the place where the protection is checked,

whether it is a dongle, a license key, a serial number, and so on.

He says the check usually takes this form:

Assembly

...
call check_protection
jz all_OK
call message_box_protection_missing
call exit
all_OK:
; continue
...

So if you have seen a patch (or "crack") for a program that changes the bytes 0x74 / 0x75

(the JZ / JNZ instructions) to 0xEB (JMP), this is exactly what it is doing.

In short, the process of cracking software usually comes down to finding that conditional jump.

There are also programs that check the protection from time to time,

whether by querying a dongle or by asking a license server over the internet.

Then you have to find the function that performs the check

and patch it so that its beginning reads:

Assembly

xor eax, eax
retn

Or like this:

Assembly

mov eax, 1
retn

It is important to understand that after you patch the beginning of a function, garbage will often follow the patched instructions.

This garbage is what remains of the instruction that was partly overwritten, together with the instructions that come after it.

Real case

This is the beginning of a real function, we want to replace it with return 1;

Listing 1.153: Before

Assembly

8BFF            mov edi,edi
55              push ebp
8BEC            mov ebp,esp
81EC68080000    sub esp,000000868
A110C00001      mov eax,[00100C010]
33C5            xor eax,ebp
8945FC          mov [ebp][-4],eax
53              push ebx
8B5D08          mov ebx,[ebp][8]

Listing 1.154: After

Assembly

B801000000      mov eax,1
C3              retn
EC              in al,dx
68080000A1      push 0A1000008
10C0            adc al,al
0001            add [ecx],al
33C5            xor eax,ebp
8945FC          mov [ebp][-4],eax
53              push ebx
8B5D08          mov ebx,[ebp][8]
...

Here we see that some bogus instructions appeared

(IN, PUSH, ADC, ADD),

after which the disassembler resynchronized and decoded the rest of the code correctly.

This does not matter: the instructions after RETN will never be executed,

unless there is a direct jump to them from somewhere else,

which in the general case does not happen.
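As an added example (not from the book or this post), here is a small Python check that detects the two patch patterns described above, a return stub written over a function entry and a short JZ/JNZ turned into JMP, by comparing a function's bytes with a known-good copy, the way a file-integrity or hook-detection tool would. The entry bytes are taken from Listings 1.153 and 1.154; the short conditional-jump sample is constructed.

```python
# Added example, not from the book or this post: compare a function's entry
# bytes against a known-good copy to spot the inline patches described above.
from dataclasses import dataclass
from typing import Optional

# Known-good entry of the function in Listing 1.153 (bytes taken from the listing).
ORIGINAL_ENTRY = bytes.fromhex("8BFF558BEC81EC68080000A110C0000133C58945FC538B5D08")
# The same bytes after the "mov eax,1 / retn" overwrite in Listing 1.154.
PATCHED_ENTRY = bytes.fromhex("B801000000C3EC68080000A110C0000133C58945FC538B5D08")

# Return stubs the text describes; longest first so a lone "retn" matches last.
RETURN_STUBS = [
    (b"\xB8\x01\x00\x00\x00\xC3", "mov eax,1 / retn"),
    (b"\x33\xC0\xC3", "xor eax,eax / retn"),
    (b"\x31\xC0\xC3", "xor eax,eax / retn (alternate encoding)"),
    (b"\xC3", "retn"),
]

@dataclass
class Finding:
    patched: bool
    stub: Optional[str]      # which stub sits at the entry, if any
    tail_intact: bool        # bytes after the stub still equal the original

def check_entry(observed: bytes, known_good: bytes) -> Finding:
    """Classify an observed function entry against its known-good bytes."""
    if observed == known_good:
        return Finding(False, None, True)
    for stub, name in RETURN_STUBS:
        if observed.startswith(stub):
            n = len(stub)
            # An inline overwrite only touches the first few bytes, so the
            # original's tail reappears right after the stub: that tail is the
            # "garbage" (IN, PUSH, ADC, ADD) the disassembler shows in 1.154.
            tail_intact = observed[n:] == known_good[n:len(observed)]
            return Finding(True, name, tail_intact)
    return Finding(True, None, False)

def find_jcc_to_jmp(known_good: bytes, observed: bytes) -> list[int]:
    """Offsets where a short JZ/JNZ (0x74/0x75) became a short JMP (0xEB).
    Heuristic: a byte diff cannot tell an opcode from an immediate, so confirm
    each hit in a disassembler before drawing conclusions."""
    return [i for i, (a, b) in enumerate(zip(known_good, observed))
            if a in (0x74, 0x75) and b == 0xEB]

# Constructed sample: "test eax,eax / jz +5" turned into "jmp +5" at offset 2.
CHECK_ORIGINAL = bytes.fromhex("85C07405")
CHECK_CRACKED = bytes.fromhex("85C0EB05")
```

The same comparison applied to a single exported entry point (a lone 0xC3 where the known-good copy has a prologue) catches the user32.dll modification described in section 1.20.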

There may also be a global Boolean variable

holding a flag that says whether the program is registered or not.

Assembly

init_etc proc
...
call check_protection_or_license_file
mov is_demo, eax
...
retn
init_etc endp
...
save_file proc
...
mov eax, is_demo
cmp eax, 1
jz all_OK1
call message_box_it_is_a_demo_no_saving_allowed
retn
all_OK1:
; continue saving the file
...
save_file endp

Assembly

somewhere_else proc
mov eax, is_demo
cmp eax, 1
jz all_OK2
; check if the program has been running for 15 minutes
; exit if this happened
; or show nagging screen
all_OK2:
; continue
somewhere_else endp

The beginning of the function

check_protection_or_license_file()

can be patched so that it always returns 1,

or, if that is better for some reason, you can instead patch all of the

JZ / JNZ instructions that test the flag.

There will be more about patching later.


1.20 Impossible shutdown practical joke (Windows7)

The author explains that he first found the function ExitWindowsEx() in the user32.dll file of Windows 98

and disabled it by overwriting its first byte with 0xC3 (the RETN instruction).

After that, Windows 98 could no longer be shut down, so he tried the same thing on Windows 7.

The function ExitWindowsEx() is still present in user32.dll there

and still serves the same purpose.

The first thing he did was disable Windows File Protection

by adding this entry to the registry

(because otherwise Windows would automatically restore the modified system files without you noticing):

Text

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d

After that he renamed c:\windows\system32\user32.dll to user32.dll.bak.

He located the export entry of ExitWindowsEx() with Hiew

(IDA works too) and wrote the byte 0xC3 there. Then he rebooted Windows 7,

and it now refuses to shut down at all; the Restart and Logoff buttons no longer work either.

This post is licensed under CC BY 4.0 by the author.