Posted by [Op2]BTS on 1/18/2000, 3:36 am, in reply to "Task II, my understandings"
192.71.20.27
II.5 Find the "best" patch for nagscreen, time limit, register box (accept all serials) and About box.
Patch the file in a way that you remove all limits by changing less than 7 bytes - 3 bytes are my solution, so go for the 2 ;)

This is somehow challenging. Trying to sum up all the findings through all the tasks we've been working on
(thanks to LaZaRuS for being such a wonderful tutor), one can get some 'feeling' about the proggie and its
protection scheme. Here is mine ...

Start
 |
 | Read Registry keys, RegisterInfo ...
 |
Compare the Key in registry with the real one (the interesting routine @ 00446A74)
 |
 +-- Match (al = 1) ----------------> Registered Ver. (No Nag)
 |
 +-- Does not match (return al = 0) ; je @ 00446E5C
      |
      Check Time (30-day expired?) ; test @ 00446E76
      |
      +-- No  --> Nag Screen
      |
      +-- Yes --> Expired Nag screen

About Box ...
 |
 | The interesting routine @ 00446A74
 |
 +-- al = 0 --> Unregistered
 |
 +-- al = 1 --> Registered, display Name, Company
Alright, enough here. Now we can think about this: how to make the routine @ 00446A74 return al=1 all the
time? If we can manage to do so, then the Nag, Time trial, About Box and Accept-all-keys will all become true,
since it is the only place this proggie checks if it's registered or not. Bearing this in mind, we set our
breakpoint like bpx getdlgitemtexta, go to the registration screen, enter our fake name/company/key, and try
to fish out the real key and find the place where the fake is compared to the real one. After endless F11 and F10
pressing (it's the fun part, although it's sometimes a pain in the ass; one seems to be drowned in the sea
of ASM code...) I finally (grin) land here:

00446B99 lea edx, [ebp-00f0] ; Load edx with our fake Key
00446B9F push edx ; Pass this parameter to the call by pushing it to the stack
00446BA0 lea ecx, [ebp-0160] ; Load ecx with the REAL Key(AC200-xxxxx)
00446BA6 push ecx ; Pass this to the call
00446BA7 Call lstrcmp ; Compare the real with the fake
00446BAC test eax,eax
00446BAE sete al ; If equal al=1, if not al=0
00446BB1 and eax,00000001 ; 1 and 1 = 1, 0 and 1 = 0
00446BB4 pop
:
:
00446BBA ret

My patch to make it return al = 1 all the time is to change the 'and' instruction to 'or': 1 or 1 = 1, 0 or 1 = 1,
so we keep the same result when lstrcmp returns equal and at the same time reverse the result when lstrcmp returns
not equal. And the patch is just 1 byte long. Change

00446BB1 83e001 and eax,00000001

to

00446BB1 83c801 or eax,00000001

Although, you have to enter your name/company/key by editing the windoze registry. Any better idea? Is there a way
to keep the registration screen and accept any key?
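Added example (not code from the original post): the post says the and/or change is a single byte but does not say why, and a single-byte change like this is exactly the kind of tamper an integrity check should catch. The script below decodes the two 3-byte sequences quoted above (83 e0 01 and 83 c8 01) to show that only the ModR/M reg field differs, simulates what the caller sees in al for both versions given an lstrcmp result, and runs a small diff-based integrity check over the test/sete/and stub. The region bytes are constructed: the listing gives addresses and the and/or encodings, while the 85 c0 (test eax,eax) and 0f 94 c0 (sete al) encodings are assumed standard x86 and are not shown on the page.

```python
"""Decode, simulate and detect the one-byte and->or change from the post.

Added example; not from the original post. Region bytes other than the
and/or encodings are constructed from standard x86 encodings.
"""

# x86 "group 1" opcode 0x83: <op> r/m32, imm8. The operation is chosen by the
# reg field (bits 5..3) of the ModR/M byte, which is why and/or differ by one byte.
GROUP1 = {0: "add", 1: "or", 2: "adc", 3: "sbb", 4: "and", 5: "sub", 6: "xor", 7: "cmp"}
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed sample region starting at 00446BAC, as in the listing:
#   85 c0      test eax,eax     (assumed standard encoding)
#   0f 94 c0   sete al          (assumed standard encoding)
#   83 e0 01   and eax,00000001 (from the post) / 83 c8 01 or eax,00000001 (patched)
REGION_BASE = 0x00446BAC
ORIGINAL_REGION = bytes.fromhex("85c0 0f94c0 83e001".replace(" ", ""))
PATCHED_REGION = bytes.fromhex("85c0 0f94c0 83c801".replace(" ", ""))


def decode_group1_imm8(code: bytes) -> str:
    """Decode a 3-byte '83 modrm imm8' instruction with a register operand."""
    if len(code) != 3 or code[0] != 0x83:
        raise ValueError("not an 0x83 group-1 imm8 instruction")
    modrm, imm = code[1], code[2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 3:
        raise ValueError("memory operands are not handled in this example")
    return f"{GROUP1[reg]} {REG32[rm]},{imm:08x}"


def registered_flag(lstrcmp_result: int, patched: bool) -> int:
    """Simulate test eax,eax / sete al / (and|or) eax,1 and return what the caller reads in al."""
    eax = lstrcmp_result & 0xFFFFFFFF
    al = 1 if eax == 0 else 0                # test eax,eax ; sete al
    eax = (eax & 0xFFFFFF00) | al            # sete writes only the low byte
    eax = (eax | 1) if patched else (eax & 1)
    return eax & 0xFF


def find_tamper(expected: bytes, actual: bytes, base: int = 0) -> list:
    """Return (address, expected_byte, actual_byte) for every byte that differs."""
    if len(expected) != len(actual):
        raise ValueError("regions differ in length")
    return [(base + i, e, a) for i, (e, a) in enumerate(zip(expected, actual)) if e != a]


def audit_region(expected: bytes, actual: bytes, base: int) -> dict:
    """Integrity check over the compare stub: flag any diff and decode the final instruction."""
    diffs = find_tamper(expected, actual, base)
    return {
        "tampered": bool(diffs),
        "diffs": diffs,
        "final_insn": decode_group1_imm8(actual[-3:]),
    }


if __name__ == "__main__":
    for region in (ORIGINAL_REGION, PATCHED_REGION):
        print(decode_group1_imm8(region[-3:]))
    for result in (0, 1, -3):
        print(f"lstrcmp={result:3d}  original al={registered_flag(result, False)}"
              f"  patched al={registered_flag(result, True)}")
    report = audit_region(ORIGINAL_REGION, PATCHED_REGION, REGION_BASE)
    for addr, exp, act in report["diffs"]:
        print(f"tamper at {addr:08X}: expected {exp:02x}, found {act:02x}")
```

The decoder shows that 83 e0 01 and 83 c8 01 differ only in ModR/M bits 5..3 (4 = and, 1 = or), and the simulation confirms the post's truth table: the original returns al=1 only when lstrcmp reports equal, the changed version returns al=1 for every result. The audit reports the single differing byte at 00446BB2, which is the sort of check a loader or self-test can run against a stored hash or known-good copy of its own compare routine.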