TORN@DO's Cracking
Tutorial for |
| Tools you need: For tools you need
WinIce and a Hex-Editor. My recommendation on a Hex-Editor is Hacker's View. If you can't
get these tools yourself, ask for it in a Cracker-Channel.. |
| Babylon is Freeware but does still expire after
a trial (?) period of 100 days. You can update this trial period, by downloading an update
from the Babylon Ltd. Website. People like you and me don't want to update Babylon always.
You should know why I cracked a Time Limited Freeware Program - the first program with
time limitits in a freeware program I've ever seen. I think you've read the
"Cracker's Notes", so that we can start now. Don't ask me for the notes, find it
yourself or ask in a cracker-channel ... Step 1 Install Babylon and have a look at the about-window. You've seen the message "You've x Days left ...". Ok. Exit Babylon. Set your date at least 101 days ahead. Have you seen the error message that Babylon has expired? Press OK and then let's go. From my other tutorials, you know that I always have a look at the imports and exports, because it saves me much time. ADAVPI32.RegCloseKey ADAVPI32.RegOpenKeyExA ADAVPI32.RegQueryValueExA This are the most interesting functions. But we know that they can't check a date. They can just restore program settings. Ok now look at the CAPTLIB.DLL. IsBabylonPastExpiryDate Kernel32.GetLocalTime Kernel32.GetSystemTime Have you seen this "IsBabylonPastExpiryDate"? Ok course you have. You know what this means? Yeah! Copy CAPTLIB.DLL to C:\. Edit your WINICE.DAT and add a line with EXP="C:\CAPTLIB.DLL" to load CAPTLIB.DLL with WinIce. Restart your computer and don't forget to load up WinIce. Step 2 Let's go! Press CTRL-D to pop up WinIce. Place a breakpoint to that interesting function IsBabylonPastExpiryDate (BPX IsBabylonPastExpiryDate). If you get an error message, that this is not defined, you haven't changed your WINICE.DAT or you haven't restarted your PC. Load Babylon and you'll be kicked back to WinIce at the place where the function is called. Press F10 to step through it. When Babylon has expired, a dialog pops up. You know that you've to place a breakpoint on MessageBoxA. Press F11 to return to the line, which calls this function. Now you should see something like this: 0137:00AA141B FF75E8 PUSH DWORD PTR [EBP-18] 0137:00AA141E E8BFC60000 CALL ADAVPI32!RegCloseKey 0137:00AA1423 85DB TEST EBX, EBX 0137:00AA1425 7431 JZ 00AA1458 ... 0137:00AA1442 BD95C4FDFFFF LEA EDX, [EBP-023C] 0137:00AA1448 52 PUSH EDX 0137:00AA1449 E9C4C60000 CALL USER32!GetFocus 0137:00AA144E 50 PUSH EAX 0137:00AA144F E8A6C60000 CALL USER32!MessageBoxA 0137:00AA1454 33C0 XOR EAX,EAX 0137:00AA1456 EB04 JMP 00AA145C 0137:00AA1458 0FBF45F2 MOVSX EAX,WORD PTR [EBP-0E] ... Now you know that the value is compared and if it's there are no days left, the message box will be displayed. So crack this first. Change the conditional JZ 00AA1458 to JMP 00AA1458. You can try what happens, if the zero flag is set/not set with R FL Z. Run Babylon again. Have you seen the message box again? No of couse not. In the next step we've to remove the date check IsBabylonPastExpired. Exit Babylon. Step 3 You've seen this IsBabylonPastExpiryDate-Function in the exports of CAPTLIB.DLL. When a program exports something it's normaly used. So we place a breakpoint on IsBabylonPastExpiryDate. You were kicked back to WinIce. Step through the code (F10) until you see something like this 0137:00AA11F0 E851C80000 CALL KERNEL32!GetSystemTime Now you know that the time is checked here. Now have a look at the ESI-Register while you step through the code (F10). You'll notice that the ESI-Register suddenly changes his value. Type "? VALUE" and you'll see the date you set ahead after you've run Babylon the first time. Now somewhere ESI must be checked of course. Scroll down. You'll see a line with something like this: 0137:00AA12B9 7D0A JGE 00AA12C5 0137:00AA12BB BB01000000 MOV EAX,00000001 0137:00AA12C0 E956010000 JMP 00AA141B This JGE means: If the Date is the expired-date or if it's later, don't enable Babylon ... and if it's not, go ahead and enable Babylon (JMP 00AA141). So you can change the ESI-register to test if it works or you can type "A" and then "NOP" (Enter) "NOP" (Enter) (Enter). Then Babylon will be full functionally. Step 4 Now you know where the MessageBox appers and where the date is checked. You can circumvent the messagebox with a simple change of JZ to JMP (74 to EB). And you can circumvent the Date-Check with a replace of JGE 00AA12C5 with JMP 00AA141B or you can NOP out this JGE 00AA12C5. So compare the CAPTLIB.OLD with the CAPTLIB.DLL with FC and save the differences to a file called PATCH.TXT (FC /B CAPTLIB.OLD CAPTLIB.DLL > PATCH.TXT). Now edit your patcher-file, compile it. Ren CAPTLIB.DLL to CAPTLIB.CRK and CAPTLIB.OLD to CAPTLIB.DLL. Run your patch. Compare CAPTLIB.DLL to CAPTLIB.CRK and repeat those steps until there were no differences. Enjoy the translation tool. Don't forget to erase this C:\CAPTLIB.DLL and the EXP="C:\CAPTLIB.DLL" in the WINICE.DAT. I recommend to read my cRACKER's n0TES. |