Posted by Joseph on 1/15/2000, 11:12 am, in reply to "Joseph's Thread"
Greetings to you all,

After downloading the program and installing it in its directory, I decided to do some exploration before running the program, within the scope of the task at hand. This is what I did:
1. Examined the target Acoustica.exe with a Hex editor and found nothing of special interest at this stage.
2. Disassembled the target with Wdisasm32 and found the following:
A. In the import function menu I found the following functions which I thought might be good breaking points in future tasks: GetLocalTime, GetSystemTimeAsFileTime, GetDlgItemTextA, GetWindowTextA, GetWindowTextLengthA
B. In the string reference menu I found 2 interesting references:
1. The key does not match the license. This one is found at 2 locations, and in each case it is referenced by a conditional jump. The jumps in both places look like Bad-Good jumps and might be very useful in cracking the target by patching at one or both of these locations. The snippet of code showing all of this follows:
First snippet:
:00446F62 57 push edi
:00446F63 E80CFBFFFF call 00446A74
:00446F68 59 pop ecx
:00446F69 84C0 test al, al
:00446F6B 7432 je 00446F9F
:00446F6D 8B4F66 mov ecx, dword ptr [edi+66]
:00446F70 8B01 mov eax, dword ptr [ecx]
:00446F72 6A00 push 00000000
:00446F74 6886A04900 push 0049A086
:00446F79 683BA04900 push 0049A03B
:00446F7E 8B500C mov edx, dword ptr [eax+0C]
:00446F81 52 push edx
:00446F82 8B4868 mov ecx, dword ptr [eax+68]
:00446F85 51 push ecx
:00446F86 E8EFD80100 call 0046487A
:00446F8B 83C414 add esp, 00000014
:00446F8E 8B8514FDFFFF mov eax, dword ptr [ebp+FFFFFD14]
:00446F94 64A300000000 mov dword ptr fs:[00000000], eax
:00446F9A E95D030000 jmp 004472FC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00446E5C(C)
|
:00446F9F 8B5766 mov edx, dword ptr [edi+66]
:00446FA2 8B02 mov eax, dword ptr [edx]
:00446FA4 6A00 push 00000000
:00446FA6 68B6A04900 push 0049A0B6
* "The key does not match license "
:00446FAB 6890A04900 push 0049A090

The second snippet:
:00447293 57 push edi
:00447294 E8DBF7FFFF call 00446A74
:00447299 59 pop ecx
:0044729A 84C0 test al, al
:0044729C 7425 je 004472C3
:0044729E 8B4F66 mov ecx, dword ptr [edi+66]
:004472A1 8B01 mov eax, dword ptr [ecx]
:004472A3 6A00 push 00000000
:004472A5 684DA14900 push 0049A14D
:004472AA 6802A14900 push 0049A102
:004472AF 8B500C mov edx, dword ptr [eax+0C]
:004472B2 52 push edx
:004472B3 8B4868 mov ecx, dword ptr [eax+68]
:004472B6 51 push ecx
:004472B7 E8BED50100 call 0046487A
:004472BC 83C414 add esp, 00000014
:004472BF 33DB xor ebx, ebx
:004472C1 EB25 jmp 004472E8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044729C(C)
|
:004472C3 8B4766 mov eax, dword ptr [edi+66]
:004472C6 8B00 mov eax, dword ptr [eax]
:004472C8 6A00 push 00000000
:004472CA 687DA14900 push 0049A17D
* "The key does not match license "
:004472CF 6857A14900 push 0049A157
2. The evaluation period has expired. It is found at location :004472CF and referenced by a conditional jump from location :00446E5C. The jump looks like a Good-Bad jump and might be useful in a patch crack. Here is the snippet of code where this reference is found:
:00446E53 57 push edi
:00446E54 E81BFCFFFF call 00446A74
:00446E59 59 pop ecx
:00446E5A 84C0 test al, al
:00446E5C 7411 je 00446E6F
:00446E5E 8B8514FDFFFF mov eax, dword ptr [ebp+FFFFFD14]
:00446E64 64A300000000 mov dword ptr fs:[00000000], eax
:00446E6A E98D040000 jmp 004472FC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|: (C)
|
:00446E6F 57 push edi
:00446E70 E847FDFFFF call 00446BBC
:00446E75 59 pop ecx
:00446E76 84C0 test al, al
:00446E78 0F85A9010000 jne 00447027
:00446E7E 8B5766 mov edx, dword ptr [edi+66]
:00446E81 8B02 mov eax, dword ptr [edx]
:00446E83 6A00 push 00000000
:00446E85 6831A04900 push 0049A031
* "The evaluation period has expired."
:00446E8A 680EA04900 push 0049A00E

3. Using Regview I found that the target had placed some information in the registry at:
HKEY_USER\USER\Default\Software\Acon AS\Acoustica\2.0\General
HKEY_CURRENT_USER\Software\Acon AS\Acoustica\2.0\General
In both cases General had a DWORD item C with the value 00024bcb (150475). The subdirectory 2.0 did not have any other folders besides General. Remember, I have not run the target yet; this will change later.

Running the target
Now it is time to run the program Acoustica.exe and find out what might be learned.
I will skip the description of the nag screen and its contents and significance, since this was covered in detail by many others. Instead I will concentrate on the registry, where I found something interesting.
After the target was run, the information I noticed in the registry had changed.
The subdirectory 2.0 in HKEY_USER\Default\Software\Acon As\Acoustica now, in addition to General, contains two additional folders: RegiterInfo and Reverb. The RegiterInfo folder is empty, but the Reverb folder contains a DWORD item named Cross which has a certain value; in my case it is 0x01bf5f34 (29318964). More about this later. The DWORD in General has also changed from 0x00024bcb (150475) to 0x0000015a (346).
What is the significance of this number named Cross? First, this value is determined by the time the program is first run; thus it is a date/time reference which is used to calculate the time remaining in the evaluation period. I was able to change the time remaining by changing the value of the third and/or the fourth digits of this number. Each time the third digit is decremented the time remaining is reduced by 30 hours, thus decrementing it by 4 reduces the time remaining by 5 days. Once the third digit reaches 0 and is decremented, it borrows 1 from the fourth digit.
Since advancing the system clock did not cause the number to change, it is obvious that the system time is converted to a similar form and compared with this number to produce the remaining-days number.

This grew much longer than I thought, but it might be worth it.
Best regards,
Joseph
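As an added illustration (not part of Joseph's post or of Acoustica's own code), the model below shows the kind of trial scheme inferred above: a first-run time kept as a bare DWORD, which a registry edit silently extends, beside a version where the stored time is bound to a keyed MAC so that the same edit is detected. The trial length, the time unit, the key and the timestamps are constructed assumptions, not values from the target.

```python
import hashlib
import hmac
import struct

# Constructed assumptions: a 30-day evaluation, with the first-run time stored
# as whole minutes since the epoch (the real unit behind "Cross" is not known).
TRIAL_SECONDS = 30 * 24 * 3600
UNIT_SECONDS = 60
DAY = 24 * 3600


def remaining_days_plain(cross_value: int, now: int) -> int:
    """Trial check over a bare counter, like the DWORD named Cross in the post.

    Nothing ties the value to the program, so any edit is simply believed.
    """
    first_run = cross_value * UNIT_SECONDS
    return max(0, TRIAL_SECONDS - (now - first_run)) // DAY


def make_bound_record(first_run: int, key: bytes) -> bytes:
    """Store the first-run time together with an HMAC-SHA256 tag over it."""
    payload = struct.pack("<I", first_run)          # little-endian DWORD
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


def remaining_days_bound(record: bytes, key: bytes, now: int):
    """Like remaining_days_plain, but refuses a record whose tag does not verify.

    Returns None when the stored value has been altered.
    """
    payload, tag = record[:4], record[4:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    first_run = struct.unpack("<I", payload)[0]
    return max(0, TRIAL_SECONDS - (now - first_run)) // DAY


if __name__ == "__main__":
    key = b"constructed-demo-key"                   # would have to be hidden in the binary
    first_run = 60_000_000                          # constructed first-run time (seconds)
    now = first_run + 10 * DAY                      # ten days into the evaluation
    cross = first_run // UNIT_SECONDS
    print("plain, untouched:", remaining_days_plain(cross, now))                  # 20
    print("plain, edited +5 days:", remaining_days_plain(cross + 5 * 1440, now))  # 25
    rec = make_bound_record(first_run, key)
    print("bound, untouched:", remaining_days_bound(rec, key, now))               # 20
    forged = bytes([rec[0] ^ 0xFF]) + rec[1:]
    print("bound, edited:", remaining_days_bound(forged, key, now))               # None
```

The key still has to live somewhere the program can read it, so this only makes casual registry edits detectable; it does not stop someone who patches the check in the binary itself.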