Posted by zadig on 1/17/2000, 1:15 pm, in reply to "I just arrive"
193.49.30.34
II.1- Try to get rid of the nag screen. To do this we use the SoftICE Symbol Loader and trace until we get the nag. Rapidly we arrive at this place:

0044708F call [eax+14]  -> call to the nag screen
.
.
004471C2 jz 004471D0    -> register pushed? then jump
004471C4 dec esi
004471C5 jz 004472E6    -> evaluate pushed? then jump

So to remove the nag screen all we have to do is remove the call and force the jump at 4471C5.

II.2- Bypass the "Evaluation period expired" nag. We set the time 3 months later and we have a message box saying that the evaluation period has expired. We search for "expired" with W32Dasm and we find one reference at 446E8A. Looking above it, we see a conditional jump at 446E5C:

00446E54 call 00446A74                  -> check for a valid serial
00446E59 pop ecx
00446E5A test al,al
00446E5C je 00446E6F                    -> al=0 ? then no valid serial => jump to period expired
00446E5E mov eax, dword ptr [ebp+FFFFFD14]
00446E64 mov dword ptr fs:[00000000], eax
00446E6A jmp 004472FC                   -> continue to load the soft

At this point we can see that the soft has already found that the period has expired, and that it is checking for a valid key-code. We have to bypass the je 446E6F, so we replace "test al,al" with "or al,01" or we nop the je 446E6F.

II.3- Make your name and company appear in the "About" screen. To find where the "unregistered" text is printed we use W32Dasm again, and find two references, at 42CD0C and 44678B, but the first one belongs to the nag screen (DialogId_03E8). Looking before the second one we see this:

00446774 call 00446A74  -> check for valid key-code
00446779 pop ecx
0044677A test al,al     -> key-code is valid?
0044677C jne 00446868   -> then print user info

Here we will force the jump to print the user information, by replacing "jne 446868" with "jmp 446868" for example.

II.4- Get a valid serial for Name: Unregistered, Company: Unregistered. As we saw before, the key-check routine uses lstrcmpa to compare the code we entered with the real one. So we bpx lstrcmpa, press F11 and, looking just before the call, we see two pushes which contain the two serials stored in ebp-F0 and ebp-160. Looking in ebp-160 we find the correct key-code, which is "AC200-52856".

II.5- Patching the nag screen, time limit, register box and About box by changing only 1 byte. As we saw previously, every check routine calls the 446A74 one and checks if eax=1. So all we have to do is force eax to 1. We can see that before the ret there is an "and eax,1" (83E001). If we replace it with "or eax,1" (83C801) we change only 1 byte and all the checks will be faked.
That's all for this part, and this time I'm not late!
Hope you've enjoyed my work.
Zadig.
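The one-byte patch from part II.5, as an added example that is not part of zadig's post: the post gives the two encodings, and eax,1 = 83 E0 01 and or eax,1 = 83 C8 01, which differ only in the ModRM byte, so the patch never changes instruction length. The target executable is not available here, so the byte blob below is a constructed stand-in for the tail of the check routine (two pops, the and, the ret); the pop bytes and the file offset are assumptions, and on a real file you would patch at the file offset of the instruction, not the virtual address SoftICE shows. The patcher refuses to guess when the pattern is not unique, since 83 E0 01 can easily appear in unrelated code, and it verifies the bytes at an explicit offset before touching them. A small model of the callers' "test al,al / je" check shows why forcing the or makes every check pass.

```python
"""Added example (not from zadig's post): the 'and eax,1' -> 'or eax,1'
one-byte patch described in part II.5, applied to raw file bytes."""
from typing import List, Optional, Tuple

AND_EAX_1 = bytes.fromhex("83E001")  # and eax,1  (83 /4, ModRM E0 = mod 11, /4, eax)
OR_EAX_1 = bytes.fromhex("83C801")   # or  eax,1  (83 /1, ModRM C8 = mod 11, /1, eax)


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Return every offset at which pattern occurs in data (overlaps included)."""
    hits, start = [], 0
    while (idx := data.find(pattern, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def patch_and_to_or(data: bytes, offset: Optional[int] = None) -> Tuple[bytes, int]:
    """Replace one 'and eax,1' with 'or eax,1' and return (patched, offset).

    With an explicit offset (the file offset you computed from the VA), the
    three bytes there must really be 83 E0 01; a wrong VA->offset translation
    is the usual mistake and this check catches it. Without an offset the
    pattern must occur exactly once, otherwise we refuse rather than patch
    unrelated code that happens to contain the same bytes.
    """
    if offset is None:
        hits = find_all(data, AND_EAX_1)
        if len(hits) != 1:
            raise ValueError(f"expected one 'and eax,1', found {len(hits)} at {hits}")
        offset = hits[0]
    found = data[offset:offset + 3]
    if found != AND_EAX_1:
        raise ValueError(f"no 'and eax,1' at {offset:#x}, bytes are {found.hex()}")
    patched = bytearray(data)
    patched[offset + 1] = OR_EAX_1[1]  # only the ModRM byte differs: E0 -> C8
    return bytes(patched), offset


def registered_path_taken(eax_before: int, patched: bool) -> bool:
    """Model the callers in II.2/II.3: after the routine returns they do
    'test al,al' and branch on al != 0. Returns True when the registered
    path is taken. eax_before is whatever the routine computed before its
    final 'and eax,1' / 'or eax,1'."""
    eax_after = (eax_before | 1) if patched else (eax_before & 1)
    return (eax_after & 0xFF) != 0


# Constructed stand-in for the end of the 446A74 routine (assumed bytes):
#   pop esi ; pop ebx ; and eax,1 ; ret
SAMPLE = bytes.fromhex("5E5B") + AND_EAX_1 + bytes.fromhex("C3")

if __name__ == "__main__":
    patched, off = patch_and_to_or(SAMPLE)
    print(f"patched at {off:#x}: {SAMPLE.hex()} -> {patched.hex()}")
    for v in (0, 1, 2):
        print(f"eax={v}: original -> {registered_path_taken(v, False)}, "
              f"patched -> {registered_path_taken(v, True)}")
```

To apply it to a real file you would read the .exe as bytes, translate the VA of the and to a file offset with the section table, call patch_and_to_or(data, offset) so the byte check guards the translation, and write the result back.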