Posted by ManKind on 1/17/2000, 7:12 am
Hi again, my little solution for Task 2 now... The intermediate tasks:
II. Intermediate Tasks
II.1 Try to get rid of the nagscreen. Find a patch that removes the nagscreen (the one that appears at startup).
My answer: Hmm, this is rather hard. I don't quite feel secure when dealing with nags. Let us analyse how the program runs: firstly, check how many days we have used the program, save that info, put that on the nag, display the nag and finally display the expired message if we are expired. With this info, find the "The evaluation period has expired" text in W32Dasm (I actually searched for the "you are using this program for x days" text (something like that) first, but that doesn't give good code to me) and you will find it. As you may have known, the "expired" nag is pretty close to the first nag and is probably called by the nag, so we scroll around the "expired" text. Scroll up a little and you will see a conditional jump at address 00446E78; patch it from 0F85A9010000 to 0F84A9010000. Start the program and see what happens. The nag is missing...
II.2 Change your date and bypass the "Evaluation period expired" nag. Find a patch that makes the program never expire.
My answer: I won't explain how I get to the location where the check whether we are expired or not is done. In my last solution, I mentioned that the expiry decision code is all in the call at address 00446C70. The important code in the call is below:
:00446C74 MOV [004A8DF6],ECX
:00446C7A CMP ECX,1E ;; ECX contains how many days we have used the program and 1E is the hex number for 30
:00446C7D SETLE AL ;; set AL if lower or equal; I myself don't quite understand this instruction
Anyway, after the call, the following code is important:
:00446E76 TEST AL,AL
:00446E78 JNZ 00447077 ;; this will jump if not expired and will not jump if expired
To bypass the nag, just change the JNZ to JMP. I do it in SoftIce. For your information, JZ = JE while JNZ = JNE.
II.3 Make your name and company appear in the "About screen". In registered versions, the name and company replace the "Unregistered" in the nagscreen. Find a patch for it.
My answer: Through several people's solutions for Task 1.x, I know that our registration info will be put into the registry whether it's wrong or not. With this info, wouldn't it be nice if we let the program retrieve our registration info, patch some bytes to let it think the info is valid and, if we succeed, surely it's gonna display our name in the About screen or at least display the registered text. With W32Dasm, find "Unregistered". There are two references, and above each of them there is a conditional jump; one of them will jump to the name and company retrieving code (0044677C). The two conditional jumps are:
:0042CD06 7514 jne 0042CD1C
:0044677C 0F85E6000000 jne 00446868
I will tell you what: don't patch the one at 0042CD06, patch the one at 0044677C to JMP 00446868 (E9E700000090), start the program, open the about box and you will see that it's registered.
II.4 Get a valid serial for Name: Unregistered - Company: Unregistered. Now the serial stuff begins. Get a valid serial for the specified name and company.
My answer: I set a breakpoint on hmemcpy, let it read my name, company and code and then trace through it until I come to this loop (well, part of the loop); I am not sure whether I get this by tracing into any calls or not:
:00446B75 cmp ebx,eax
:00446B77 jbe 00446B52
I think this loop will generate the valid code for name and company (heh, not our job yet). I get out of this loop by setting a breakpoint at the next address after 00446B77 (this reminds me of unpacking), which is 00446B79. I then trace till the following address:
:00446BA0 lea ecx,[ebp-0160] ;; do d ecx
It is here where I fish out the correct code for Name: Unregistered and Company: Unregistered, which is AC200-52856.
II.5 Find the "best" patch for nagscreen, time limit, register box (accept all serials) and About box. Patch the file in a way that you remove all limits by changing less than 7 bytes - 3 bytes are my solution, so go for the 2 ;)
My answer: Since we know the important place for determining our registration info is near where we fished out our serial, we will work near there. Patch from offset 461B4 to 461B5 (change 5F5E to B001). Well, it works, and it is what LaZaRuS told us to do (go for 2 bytes).
Extra notes: If this crack is to be used by an end user, he will have to register with a fake name first, then run the patch, which makes this not so convenient. Hopefully LaZaRuS will ask us to make a fully 100% crack for an extra part of the project.
Service for Mankind
ManKind
mankind001@bigfoot.com
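Added example (my own code, not part of ManKind's post or of the program being analysed): a small decoder/encoder for the x86 relative jumps quoted in the post (jcc rel8, jcc rel32, jmp rel32). It shows why changing 0F85 to 0F84 turns JNZ into JZ without touching the target, and why E9E700000090 is a same-length JMP to 00446868. The addresses and bytes used are the ones quoted in the post; decoding 0F85A9010000 at 00446E78 with this arithmetic gives the target 00447027, not the 00447077 written in the post.

```python
# Condition codes in the low nibble of 7x (jcc rel8) and 0F 8x (jcc rel32).
# Adjacent even/odd codes are complements, so flipping bit 0 negates them.
COND = ["jo", "jno", "jb", "jae", "jz", "jnz", "jbe", "ja",
        "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]
MASK32 = 0xFFFFFFFF


def decode_jump(addr, data):
    """Decode one relative jump at virtual address `addr`.
    Returns (mnemonic, instruction length, absolute target)."""
    op = data[0]
    if op == 0xE9:                                  # jmp rel32
        disp = int.from_bytes(data[1:5], "little", signed=True)
        return "jmp", 5, (addr + 5 + disp) & MASK32
    if op == 0xEB:                                  # jmp rel8
        disp = int.from_bytes(data[1:2], "little", signed=True)
        return "jmp", 2, (addr + 2 + disp) & MASK32
    if op == 0x0F and 0x80 <= data[1] <= 0x8F:      # jcc rel32
        disp = int.from_bytes(data[2:6], "little", signed=True)
        return COND[data[1] & 0x0F], 6, (addr + 6 + disp) & MASK32
    if 0x70 <= op <= 0x7F:                          # jcc rel8
        disp = int.from_bytes(data[1:2], "little", signed=True)
        return COND[op & 0x0F], 2, (addr + 2 + disp) & MASK32
    raise ValueError("not a relative jump: " + data.hex())


def invert_condition(data):
    """Negate the condition of a jcc (jnz <-> jz, jbe <-> ja, ...):
    the 0F85 -> 0F84 edit from task II.1, target unchanged."""
    b = bytearray(data)
    if b[0] == 0x0F and 0x80 <= b[1] <= 0x8F:
        b[1] ^= 1
    elif 0x70 <= b[0] <= 0x7F:
        b[0] ^= 1
    else:
        raise ValueError("not a conditional jump")
    return bytes(b)


def make_unconditional(addr, data):
    """Re-encode a 6-byte jcc rel32 as jmp rel32 + nop with the same
    target; this is how the post's E9E700000090 relates to 0F85E6000000."""
    mnem, length, target = decode_jump(addr, data)
    if length != 6:
        raise ValueError("expected a jcc rel32")
    disp = (target - (addr + 5)) & MASK32           # jmp rel32 is 5 bytes
    return b"\xE9" + disp.to_bytes(4, "little") + b"\x90"
```

The displacement is always relative to the end of the jump instruction, which is why the rel32 displacement changes from E6 to E7 when the 6-byte jcc becomes a 5-byte jmp.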