Posted by ShADe on 1/17/2000, 12:05 am, in reply to "Task2: Using the deadlisting 1"
II.3 Make your name and company appear in the "About screen".
In registered versions, the name and company replace the "Unregistered"
in the nagscreen - Find a patch for it.
Ok, once again I will try to use nothing but the dead listing and will also try to follow
the task to the letter. In other words I won't register the program, I will just put my
name and company in the about box without just editing the text in a hex editor ;-).

So in the dead listing we search "Unregistered" and find two occurrences. I must be honest
here, this one:
* Possible Reference to Dialog: DialogID_03E8, CONTROL_ID:00C7, "Unregistered"
|
:0042CD0C 68C7000000 push 000000C7
:0042CD11 8B00 mov eax, dword ptr [eax]
:0042CD13 8B480C mov ecx, dword ptr [eax+0C]
:0042CD16 51 push ecx
* Reference To: USER32.SetDlgItemTextA, Ord:0000h
followed by the SetDlgItemText, looked best to me at first and I did try it, but having failed
and only having one other choice, I naturally moved on. So we have:
:0044677A 84C0 test al, al
:0044677C 0F85E6000000 jne 00446868
:00446782 66C785FCFDFFFF0800 mov word ptr [ebp+FFFFFDFC], 0008
* Possible StringData Ref from Data Obj ->"Unregistered"
:0044678B 681E9F4900 push 00499F1E
:00446790 83C4FC add esp, FFFFFFFC
* Possible Reference to Dialog: DialogID_03E8
Just before it we see a jump over the "Unregistered" bit, so let's make it jump and see what
happens.
So we can easily change the 0F85E6000000 to 0F84E6000000 and try it. We still get the
startup nag of course; evaluate, about, and there it is. (You must of course have tried to
register at least once so that there is something in the registry to put here.)

This way is not ideal however because (although I never checked this) if we do register
the program it will then display 'Unregistered' in the about box again.
I struggled with this one for a while and learnt quite a lot myself. I could not figure
out how to make the program jump every time using the two-byte opcode (0F85); EB (jump)
would not work. There is probably a way to do this but I don't know it, so alternatives
again.
I looked up the test function in my mnemonics reference.
Usage: TEST dest,src
Modifies flags: CF OF PF SF ZF (AF undefined)
We know that in test al,al the two values will always be the same, so there will never be
any leftovers from the test, i.e. the carry flag will always be zero from this operation
regardless of the value of AL. So next check out our jump-if-condition options.
0F 83 cw/cd JNC rel16/32 Jump near if not carry (CF=0)
So let's change the value 0F85E6000000 to 0F83E6000000. Bingo, now we will always have our
name displayed.

II.4 Get a valid serial for Name: Unregistered - Company: Unregistered
Now, the serial-stuff begins. Get a valid serial for the specified
name and company.
This will no doubt be covered by many other posts so I will not bother, and there is
obviously no way to do it with the deadlisting alone, although reading the deadlisting
can make the decision of what to set our breakpoint on much easier and more reliable.
II.5 Find the "best" patch for nagscreen, time limit, register box (accept all serials)
and About box.
Patch the file in a way that you remove all limits by changing
less than 7 bytes - 3 bytes are my solution, so go for the 2 ;)
So this is the big one, full registration. If you have done task II.4 then you now know
where all the registration checking goes on, so I will assume this and go straight there:
* Possible StringData Ref from Data Obj ->"AC200-%d"
|
:00446B85 68A39F4900 push 00499FA3
:00446B8A 8D85A0FEFFFF lea eax, dword ptr [ebp+FFFFFEA0]
:00446B90 50 push eax
:00446B91 E8DA880300 call 0047F470
:00446B96 83C40C add esp, 0000000C
:00446B99 8D9510FFFFFF lea edx, dword ptr [ebp+FFFFFF10]
:00446B9F 52 push edx
:00446BA0 8D8DA0FEFFFF lea ecx, dword ptr [ebp+FFFFFEA0]
:00446BA6 51 push ecx
* Reference To: KERNEL32.lstrcmpA, Ord:0000h
|
:00446BA7 E8AE460400 Call 0048B25A
:00446BAC 85C0 test eax, eax
:00446BAE 0F94C0 sete al
:00446BB1 83E001 and eax, 00000001
:00446BB4 5F pop edi
:00446BB5 5E pop esi
:00446BB6 5B pop ebx
:00446BB7 8BE5 mov esp, ebp
:00446BB9 5D pop ebp
:00446BBA C3 ret
You know by now from your breakpoint that the program uses this function both when a
registration attempt is made and at startup, so any changes we make here will be good for
the whole protection scheme.

There are three main patches (I am sure there are more) we could do here. Firstly the
least elegant patch.

1.
:00446BAC B801000000 mov eax, 00000001
Here we simply make sure eax is equal to 1 whatever the result of the string compare.

The second patch:

2.
:00446B99 8D95A0FEFFFF lea edx, dword ptr [ebp+FFFFFEA0]
Here we are moving the good string into both registers so the result of the compare
operation will always be 0 (equal). This being Lazarus's 3 bytes I assume.

Either one of patches 1 or 2 will do the whole thing: it will register your program, remove
the nag and set the about box to registered.
3.
Still, the challenge was to do it in 2 bytes. Let's go one better than that, let's do it in
one byte ;-) change:
:00446BA0 8D8DA0FEFFFF lea ecx, dword ptr [ebp+FFFFFEA0]
:00446BA6 51 push ecx
to
:00446BA0 8D8DA0FEFFFF lea ecx, dword ptr [ebp+FFFFFEA0]
:00446BA6 52 push edx
Bingo, now we are having fun :-)

Finally back to:
II.1 Try to get rid of the nagscreen
Find a patch that removes the nagscreen (the one that appears
at startup).
Ok I left this one till last because we need the knowledge from the previous tasks to help
us here.
Remember I am trying to do this using the deadlisting alone and I want only to remove the
nag, none of the other functions.

So what do we know about our program?
It checks its registered state at startup.
Then if it is not registered it checks the date.
Then if it is within the trial period it displays the nag, otherwise it displays
'expired...'

So let's look up the search string 'expired' in our deadlisting.
Only one instance:
* Possible StringData Ref from Data Obj ->"The evaluation period has expired."
|
:00446E8A 680EA04900 push 0049A00E

and once again just above it we see a conditional jump. The programmers are too kind to us.
So let's make the jump:
:00447027 84DB test bl, bl
:00447029 0F84C1020000 je 004472F0

Straight into another jump. If we look below this we see some interesting references to
dialog 3EA. We know this is our dialog from the lines at the top of your deadlisting:

Name: DialogID_03EA, # of Controls=006, Caption:"", ClassName:""
001 - ControlID:07D0, Control Class:"STATIC" Control Text:""
002 - ControlID:0002, Control Class:"BUTTON" Control Text:"Evaluate"
003 - ControlID:0065, Control Class:"BUTTON" Control Text:"Purchase..."
004 - ControlID:FFFF, Control Class:"STATIC" Control Text:"This is a shareware version of Acoustica 2.0. After an evaluation period of 3"
005 - ControlID:0001, Control Class:"BUTTON" Control Text:"Register..."
006 - ControlID:0066, Control Class:"STATIC" Control Text:"Day 0 on your 30 days trial period."

So let's make this jump and not go to the dialog box; change
:00447029 0F84C1020000 je 004472F0
to
:00447029 0F85C1020000 jne 004472F0
Run our program and no nag. The date check and registered checks still go on though. Try
changing your date forward. Expired.

And that's our lot.
I hope this is of help to some. After Task1 I noticed a lot of our threads were identical,
so I thought I would try to do something a little different. I also wanted to make a point
about the importance of deadlistings. We have completed this task entirely with a
deadlisting only (with the exception of the serial sniffing of course).
While some of the items I have covered might have been easier with SoftICE and a couple of
well-placed breakpoints, we should take the time to get to know our way round our
deadlistings; after all, every bit of information helps.
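As an added example that is not part of ShADe's post and not Acoustica's own code, here is a small Python patcher for the three byte changes the post arrives at: the about-box jne to jnc at 0044677C, the one-byte push ecx to push edx at 00446BA6, and the nag je to jne at 00447029. It maps the virtual addresses a dead listing prints to file offsets through the PE32 section table and refuses to write unless the bytes on disk match what the listing showed, which is the check you want before touching a file you have not verified in a debugger. Only the addresses and the before/after bytes come from the post; the section layout and the sample image the script builds for its offline demo are constructed and stand in for the real binary.

```python
"""PE32 patcher for the three dead-listing patches in the post.

Added example (not ShADe's code, not part of Acoustica). The VAs and the
original/replacement bytes are the ones quoted in the post; the section
layout and the sample image built below are constructed so the demo runs
offline. On a real file you would call patch_file() on the .exe itself.
"""
import struct

# name -> (virtual address, bytes the listing shows, replacement, note)
PATCHES = {
    "about": (0x0044677C, bytes.fromhex("0F85E6000000"), bytes.fromhex("0F83E6000000"),
              "jne -> jnc: TEST al,al always clears CF, so the jump is always taken"),
    "register": (0x00446BA6, bytes.fromhex("51"), bytes.fromhex("52"),
                 "push ecx -> push edx: lstrcmpA now compares the good serial with itself"),
    "nag": (0x00447029, bytes.fromhex("0F84C1020000"), bytes.fromhex("0F85C1020000"),
            "je -> jne: skip DialogID_03EA, the startup nag"),
}


def parse_pe32(data):
    """Return (image_base, [(rva, vsize, raw_ptr, raw_size), ...]) from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # COFF SizeOfOptionalHeader
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:    # Magic: PE32 only
        raise ValueError("not a PE32 image")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        _name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((rva, vsize, raw_ptr, raw_size))
        off += 40                                          # sizeof(IMAGE_SECTION_HEADER)
    return image_base, sections


def va_to_offset(data, va):
    """Map a disassembler VA (e.g. 0x0044677C) to a file offset via the section table."""
    image_base, sections = parse_pe32(data)
    rva = va - image_base
    for sec_rva, vsize, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            delta = rva - sec_rva
            if delta >= raw_size:
                raise ValueError("VA %08X is uninitialised data, not in the file" % va)
            return raw_ptr + delta
    raise ValueError("VA %08X falls outside every section" % va)


def apply_patch(data, va, expected, new):
    """Overwrite bytes at VA, but only if the file still holds what the listing showed."""
    if len(expected) != len(new):
        raise ValueError("patch must not change instruction length")
    off = va_to_offset(data, va)
    found = data[off:off + len(expected)]
    if found != expected:
        raise ValueError("bytes at %08X are %s, listing said %s: wrong file or already patched"
                         % (va, found.hex(), expected.hex()))
    return data[:off] + new + data[off + len(new):]


def apply_patches(data, names=("about", "register", "nag")):
    for name in names:
        va, expected, new, _note = PATCHES[name]
        data = apply_patch(data, va, expected, new)
    return data


def read_at(data, va, n):
    off = va_to_offset(data, va)
    return data[off:off + n]


def build_sample_pe():
    """Constructed PE32 with one .text section (RVA 0x1000, raw offset 0x400) holding
    the instruction bytes from the post at their quoted VAs. Not the real Acoustica file."""
    image_base, text_rva, text_raw, text_size = 0x00400000, 0x1000, 0x400, 0x50000
    code = bytearray(text_size)
    for va, orig, _new, _note in PATCHES.values():
        off = va - image_base - text_rva
        code[off:off + len(orig)] = orig
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", text_size, text_rva,
                       text_size, text_raw, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + opt + sect
    return bytes(header) + bytes(text_raw - len(header)) + bytes(code)


def patch_file(path_in, path_out):
    with open(path_in, "rb") as f:
        data = f.read()
    with open(path_out, "wb") as f:
        f.write(apply_patches(data))


if __name__ == "__main__":
    patched = apply_patches(build_sample_pe())
    for name, (va, _e, new, note) in PATCHES.items():
        print("%-8s %08X -> %s  (%s)" % (name, va, read_at(patched, va, len(new)).hex(), note))
```

The expected-bytes check is the important part: a dead listing is only a snapshot of the file it was produced from, so if the bytes at the quoted VA do not match, the listing is for a different build or the patch has already been applied, and writing blindly would corrupt an instruction. Because every replacement keeps its original length, the whole run changes exactly three bytes of the file.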