Posted by Bonkers on 1/17/2000, 12:08 am
Here is my task 2 solution. Was it me or did anyone else notice that this program was a 31 day trial since it started on day 0, or was that just me? Anyways, here all this stuff is, and also a nice small one byte patch for task 5 :) Hope this all works and that there are no mistakes.

II.1

I had already noted a procedure at 446a74 that looked like an IsAppRegged function in my I.2 explanation, so I went to IDA, and I xrefed that procedure and found where it was used right before a DaysRemaining check which I had also noted in I.5, and I just patched a je to a jne right below the IsAppRegged call and all worked. So the patch was: 0x4645C 0x74 -> 0x75

II.2

For this one I looked at the spot where I had patched to get rid of the nag and I went to the DaysRemaining call. I looked at the DaysRemaining procedure and saw that it returned 0 if no days left or 1 if there were days left. At 446e78 it jumps if the return is not 0, or in other words days left. From this I knew that the message box came up next, but I didn't want that, so I just modified the jnz to make it a jz so the program always thinks that days are left. This patch is: 0x46479 0x85 -> 0x84

I also realize that my II.1 patch works as well for this task, but that's really doing a little more, and that would be cheating to use the same patch twice now, wouldn't it?

II.3

First I knew that if I just faked regging it and put in anything that it would put my Name and Company into the registry where it stores it, so I did this first. I see the string ref "Unregistered", so I zoom right there since I knew that this is where I want my name and company to be. Right before this is a call to IsAppRegged, so I change the jnz right after it to a jz and voila. This patch is: 0x45D7D 0x85 -> 0x84

II.4

To get a valid reg key, I know I need to look in the IsAppRegged function since I have already noted that it validates the key. When I look through this function I see some manipulation (this would be used for a keygen) and then I see a lstrcmpa near the end, and off that result it sets the return value, so I will now go trace in sice and see what it is comparing. To trace this I set a bp on lstrcmpa and enter in the info and a fake key since this is the easiest way to get where we want. And bingo, sice breaks at the call and I just do "d ebp-00f0" and I see my key and *drum roll please* I do "d ebp-160" and bingo, there is my code "AC200-52856".

II.5

Now for the all purpose patch. I already know that in all 3 of these cases the IsAppRegged function is called, so we zoom right to the end of this function for this patch. I know that I want to make it so that it will return 1, so for the least amount of patched bytes to do this I just made it so the program pushed the same value twice before the lstrcmpa. This also shows up Lazarus's _LARGE_ 3 byte patch since I did it in one. Here is that patch: 0x461A6 0x51 -> 0x52
The only thing with this patch is that it doesn't let you see if it will accept any serial because you can never get there since it gets rid of the nag and that's the only way to get there, but I have faith that it will work.