Posted by ShADe on 1/17/2000, 12:02 am
203.57.68.10
Hi Had to split it due to the word limit imposed by the board. It also wouldn't let me post it at first telling me that a duplicate exists. I couldn't reload a duplicate so I changed the subject. If a bunch of duplicates show up please delete them Lazarus, ta.
This is a long and slightly unorthodox post. Long because of the 200 post limit so I
thought I would keep it all in one. Unorthodox because I try to offer what I hope is
something a little different while at the same time sticking to the parameters of the
task.This post does include solutions and offsets so if you prefer to continue on your own
please don't read it. (Hah saying don't to reversers what a mistake :)II.1 Try to get rid of the nagscreen
Find a patch that removes the nagscreen (the one that appears
at startup.
I will answer this one last at the end, I appologise for the re-ordering but If we take
this task in its litteral meaning and remove just the nag and nothing but the nag I think
we can do it easier with the benifit of what we learn in the other parts.
II.2 Change your date and bypass the "Evaluation period expired" nag
Find a patch that makes the program never expire.
With this one there are many ways to do this I will try to address some of them. I agoing
to follow all the parts of this task letter. By this I mean I will try to do exactly as is
asks, in other words I will change my date and bypass this nag only, a patch to make the
program so that it never expires will do just this it will not get rid of the startup nag.
Where possible I will also try to do as much as possible using the deadlisting ALONE.Part1 bypassing the 'Evaluation..." nag.
Set your date forward!!
In W32Dasm double click the string "Evaluation period expired", do it again to see if
there are any more occurances. Only one.
At the code above this occurance we can see the W32Dasm comment:* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00446E5C(C)
|
This means the jump here was conditional so we can easily make it not jump here.
If we go to this reference::00446E5A 84C0 test al, al
:00446E5C 7411 je 00446E6F
:00446E5E 8B8514FDFFFF mov eax, dword ptr [ebp+FFFFFD14]We see the offending jump if zero flag is set. Open your BACKUP copy of Acoustica in your
hex editor. Search for the string C074118B8514FDFFFF repeat the search to make sure there
is only one location for the string. Now edit 7411 to 7511 (jump if not zero flag set)
save and run your program.
Your evaluation nag is no more. In this case it makes no difference but an improved patch
would be changing 7511 to 9090 (nop nop) this way the box will never execute.The program is now effectively cracked and working, accept the about box unregistered.
This is part one, however since this project is about teaching and learning I will try
another patch for part2, 'Find a patch that makes the program never expire.'Part2
Still with the deadlisting alone, we know that the jump we just fixed (and have now put
back to normal) is dependant on the result of the call 00446BBC so lets go to this
location and see what we have.Scrolling down from this point we see all our date related registry keys from task1. The
program is getting its information.If we scroll just a little more then we see:
* Reference To: KERNEL32.GetSystemTimeAsFileTime, Ord:0000h
|
:00446C03 E8EA440400 Call 0048B0F2Now it has the time too.
Just below this we have:
:00446C0B 81F9CB4B0200 cmp ecx, 00024BCB
:00446C11 754E jne 00446C61
The value 00024BCB I recognise from playing around with the registry entries in task1. It
is the value of the key 'C' when the program is first installed. If you delete all the
keys and reinstall then check the keys before running the program. This is the only value
that the install program sets. It is in fact a first time run indicator, the install
doesn't set the date which is used for the days used comparisions, the program sets the
date to the first time it is run.
Having watched the registry keys we know that this value becomes 0000015a after the first
run. So what if we make the program think it is running for the first time everytime?Change the bytes 754e (jne) to 9090 (nop nop) run it, damm expired, why? If we look at the
deadlisting we see this check is followed by another check. What is it checking this time?We can run up W32dasm, Load process, goto this line,Press F2 to set a breakpoint press F9
to run the program and see what it checks. But I want to try to do this with just the
deadlisting so a little assembler.....If we look up the deadlisting we can see these important addresses:
:00446C08 8B4DF4 mov ecx, dword ptr [ebp-0C]
:00446C13 8B45F0 mov eax, dword ptr [ebp-10]
As we know what this function is doing (getting registry information) we know (from our
W32Dasm imp functions) that it uses:function RegQueryValue(Key: HKey; SubKey: PChar; Value: PChar;
var cb: Longint): Longint;For this. (it in fact uses RegQueryValueEx the 32bit function the definition above is the
16bit function (I still haven't got round to installing my 32bit API reference yet snake
;-) so it is slightly different)In assembler we push the required values onto the stack in reverse order before we call
the function:
:00446BC2 6A00 push 00000000
:00446BC4 8D45F4 lea eax, dword ptr [ebp-0C]
:00446BC7 50 push eax* Possible StringData Ref from Data Obj ->"C"
|
:00446BC8 68B49F4900 push 00499FB4* Possible StringData Ref from Data Obj ->"General"
|
:00446BCD 68AC9F4900 push 00499FAC
:00446BD2 8B15E68B4A00 mov edx, dword ptr [004A8BE6]
:00446BD8 52 push edx
:00446BD9 E8FACEFCFF call 00413AD8
So we see (reading upwards) the key, the subkey, and our address for the return value.
(the push edx is probably a 32bit function I wouldn't know but who cares :)So the value of the key 'C' is stored in address:
:00446BC4 8D45F4 lea eax, dword ptr [ebp-0C]
So we now know what is in the other address too, so back to our second test:
:00446C13 8B45F0 mov eax, dword ptr [ebp-10]
:00446C16 85C0 test eax, eax
:00446C18 7547 jne 00446C61
We know this is checking to see if there is a value for 'Cross' if there is it jumps. The
first time the program is run this value is not there of course. So lets make it think it
is not there now. Change 7547 to 9090.Now we always have 30 days left. We still have the nag of course so this is useless I just
thought I would show something a little different.
Just as an extra play, lets say the thing is not running for the first time and it does
jump at our first check, next it needs to calculate the date. Lets go have a look...We jump to here:
:00446C61 8B45FC mov eax, dword ptr [ebp-04]
:00446C64 8B55F0 mov edx, dword ptr [ebp-10]
:00446C67 2BC2 sub eax, edx* Possible Reference to Dialog: DialogID_0072, CONTROL_ID:00CA, ""
|* Possible Reference to String Resource ID=00202: "Analyses selection containing pure
noise"
|
:00446C69 B9CA000000 mov ecx, 000000CA
:00446C6E 33D2 xor edx, edx
:00446C70 F7F1 div ecx
:00446C72 8BC8 mov ecx, eax
:00446C74 890DF68D4A00 mov dword ptr [004A8DF6], ecx
:00446C7A 83F91E cmp ecx, 0000001E
:00446C7D 0F9EC0 setle al
:00446C80 83E001 and eax, 00000001
Here we see yet another compare this time with the value 1E. This is of course 30d, so we
have our date check. Register AL is set to 1 if the date is in bounds, so we could do
plenty here. We can change 1E to FF for 255 days, we could mov eax,00000001 etc etc.
Another way to give us unlimited days.