Posted by D0gBytes on 1/24/2000, 7:00 pm
, in reply to "Task2 thread"
216.110.36.120
Greetings Crackers,

II.1 Try to get rid of the nagscreen
Find a patch that removes the nagscreen (the one that appears at startup).
==========================
Since the program either shows the initial nag at start up OR shows the "The evaluation period has expired." message, I reasoned that the nag could be found by finding the jump that displayed the "Expired" message. The "The evaluation period has expired." message was easily found in the string refs using W32Dasm. The jump above that message had to lead to where the nag was created:

:00446E78 0F85A9010000 jne 00447027 <----HERE
:00446E7E 8B5766 mov edx, dword ptr [edi+66]
:00446E81 8B02 mov eax, dword ptr [edx]
:00446E83 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"Acoustica"
|
:00446E85 6831A04900 push 0049A031
* Possible StringData Ref from Data Obj ->"The evaluation period has expired."

:00447027 84DB test bl, bl
:00447029 0F84C1020000 je 004472F0

Reversing the jump at 00447029 removed the nag.
================================
II.2 Change your date and bypass the "Evaluation period expired" nag.
Find a patch that makes the program never expire.
========================
I first advanced the date to trigger the expired message when starting the program.
Searching again for the "Evaluation period expired" message in W32Dasm, I noticed several lines above that:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00446E5C(C) <----This.

Looking at the code near this jump at 00446E5C, I found that the test above it determined if the program was expired or not.
To bypass the "Evaluation period expired" nag, I NOPed out the jump below.
:00446E5A 84C0 test al, al
:00446E5C 7411 je 00446E6F
:00446E5E 8B8514FDFFFF mov eax, dword ptr [ebp+FFFFFD14]

To

:00446E5A 84C0 test al, al
:00446E5C 90 nop
:00446E5D 90 nop
:00446E5E 8B8514FDFFFF mov eax, dword ptr [ebp+FFFFFD14]
================================
II.3 Make your name and company appear in the "About screen".
In registered versions, the name and company replace the "Unregistered" in the nagscreen - Find a patch for it.
=========================================
The clue here is the word "Unregistered". It is found in two places. From the dead listing, we see that in one of those places the program makes a choice just before this string:

:0044677A 84C0 test al, al
:0044677C 0F85E6000000 jne 00446868 <---HERE
:00446782 66C785FCFDFFFF0800 mov word ptr [ebp+FFFFFDFC], 0008
* Possible StringData Ref from Data Obj ->"Unregistered"

Forcing this jump makes the program use a routine that gathers the info placed in the registry under "Name" and "Company" and puts them into the About screen.
==================================
II.4 Get a valid serial for Name: Unregistered - Company: Unregistered
Now, the serial-stuff begins. Get a valid serial for the specified name and company.
===================================
I used the clue of AC200-%d in the dead listing to find a good BP. I decided that I would see what was happening before that, since it looked like it was probably part of a valid Key:

:00446B79 8BC6 mov eax, esi
:00446B7B B9A0860100 mov ecx, 000186A0
:00446B80 33D2 xor edx, edx
:00446B82 F7F1 div ecx
:00446B84 52 push edx
* Possible StringData Ref from Data Obj ->"AC200-%d"

I decided that 00446B79 might be a good place to start.
I started the program and at the nag screen chose "Register". I entered "Unregistered" and "Unregistered" in the Name and Company boxes. I started SoftICE, set a BPX on hmemcpy and closed SoftICE. I then clicked the Register button. SoftICE broke. I cleared the BP, then pressed F12 until I saw I was in the Acoustica code. I set a new BPX at 00446B79 as I had planned, closed SoftICE, and it broke as expected. Using F10 and dumping the registers, I found the program had created a valid Key of AC200-52586 in the ECX register at 00446BA0.
===========================
II.5 Find the "best" patch for nagscreen, time limit, register box (accept all serials) and About box.
Patch the file in a way that you remove all limits by changing less than 7 bytes - 3 bytes are my solution, so go for the 2 ;)
=====================================
This problem was solved by reversing the two jumps below.

:00446E5C 7411 je 00446E6F
To 7511

:0044677C 0F85E6000000 jne 00446868
To 0F84E6000000
Regards,
Bytes
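The byte edits used throughout the post (reverse a je/jne, NOP out a je) are the same two operations on any x86 conditional jump: the condition and its negation differ only in the low bit of the Jcc opcode, for both the short `7x` form and the near `0F 8x` form, and a jump is disabled by overwriting its full length with `90` so nothing after it moves. The script below is an added example, not code from the original post or from the Acoustica program; it works on a constructed byte buffer that mirrors the listings above, takes file offsets rather than the virtual addresses W32Dasm shows (mapping VA to file offset through the PE section table is assumed to have been done already), and verifies the original bytes before touching them, which is the check you want before patching a real binary.

```python
"""Added example: generic x86 Jcc patcher for the kind of edits in the post."""
from typing import Optional, Tuple

# The 16 x86 condition codes in opcode order: short 70..7F, near 0F 80..0F 8F.
# cc and its negation sit next to each other, differing in the low bit.
_JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
        "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def describe_jcc(buf: bytes, off: int) -> Tuple[str, int]:
    """Return (mnemonic, instruction length) for the Jcc at buf[off].

    Raises ValueError if the bytes there are not a conditional jump
    (jecxz/loop are not handled: they have no single-bit inverse).
    """
    op = buf[off]
    if 0x70 <= op <= 0x7F:
        return _JCC[op - 0x70], 2
    if op == 0x0F and off + 1 < len(buf) and 0x80 <= buf[off + 1] <= 0x8F:
        return _JCC[buf[off + 1] - 0x80], 6
    raise ValueError(f"no conditional jump at {off:#x}: {buf[off:off + 2].hex()}")


def _check_expected(buf: bytes, off: int, expect: Optional[bytes]) -> None:
    """Refuse to patch if the bytes on disk are not what the listing showed."""
    if expect is not None and buf[off:off + len(expect)] != expect:
        raise ValueError(f"bytes at {off:#x} are {buf[off:off + len(expect)].hex()}, "
                         f"expected {expect.hex()}")


def invert_jcc(buf: bytes, off: int, expect: Optional[bytes] = None) -> bytes:
    """Reverse the Jcc at off (je<->jne, ja<->jbe, ...); exactly one byte changes."""
    _check_expected(buf, off, expect)
    _, length = describe_jcc(buf, off)
    out = bytearray(buf)
    opcode_index = off if length == 2 else off + 1   # skip the 0F prefix for near jumps
    out[opcode_index] ^= 1                           # flip condition to its negation
    return bytes(out)


def nop_jcc(buf: bytes, off: int, expect: Optional[bytes] = None) -> bytes:
    """Overwrite the whole Jcc (2 or 6 bytes) with NOPs so it is never taken."""
    _check_expected(buf, off, expect)
    _, length = describe_jcc(buf, off)
    out = bytearray(buf)
    out[off:off + length] = b"\x90" * length         # keep the length: nothing shifts
    return bytes(out)


def count_changed(before: bytes, after: bytes) -> int:
    """How many bytes a patch touched (the metric Task II.5 is scored on)."""
    return sum(a != b for a, b in zip(before, after)) + abs(len(before) - len(after))


# Constructed sample buffer (not the real file): the two sites from the post,
# laid out back to back. Offsets: test 0, je 2, mov 4, test 10, jne 12.
SAMPLE = bytes.fromhex(
    "84C0"          # test al, al
    "7411"          # je  +0x11        (the 00446E5C jump)
    "8B8514FDFFFF"  # mov eax, [ebp-2EC]
    "84C0"          # test al, al
    "0F85E6000000"  # jne +0xE6        (the 0044677C jump)
)


def patch_task_ii5(buf: bytes) -> bytes:
    """The two-byte solution from the post: reverse both jumps."""
    buf = invert_jcc(buf, 2, expect=b"\x74\x11")
    buf = invert_jcc(buf, 12, expect=b"\x0f\x85")
    return buf


if __name__ == "__main__":
    patched = patch_task_ii5(SAMPLE)
    print("before:", SAMPLE.hex())
    print("after: ", patched.hex())
    print("bytes changed:", count_changed(SAMPLE, patched))
    print("II.2 alternative, NOP the je:", nop_jcc(SAMPLE, 2, expect=b"\x74\x11").hex())
```

To use it on a real file, read the bytes, convert each W32Dasm virtual address to a file offset with the section table (VA minus ImageBase minus the section's VirtualAddress, plus its PointerToRawData), pass the bytes from the listing as `expect`, and write the result to a copy of the executable.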