Kro_baR Tutorial 12



Nag and Time Limit Removal
Using Hiew and W32dasm


HexDecOctBin Converter....get it from http://home.pacific.net.sg/~robinch
Softice & Hiew

I got this program and found it very useful.

What I didn't find useful was the snag (shit nag) when you start AND stop the program. The author tells us that "on registering, you will get a registration key that will uncripple this copy and run it as a registered and fully functional copy", but I could find nowhere to register (maybe a key file?).
It also has a time limit and expires after 21 days.

The fact that there doesn't seem to be anywhere to register was a problem to me, but I noticed that the only reference to a registered or shareware copy was on the nag before and after. When you got past the nag and into the program there was nothing to indicate if you had registered or not.

My thought was that if I disable the nag, the program should be registered, so I decided to try out the method tKC has mentioned in some of his tuts...using hiew (or another hex editor). The first thing to do is check out some of the words that appear on the nag screen...there's a few...and remember them. I took note of the word "shareware", because when we get to search for words in hiew, we'll notice that we can only put in limited letters.

MAKE A BACKUP of robhdob.exe and load it in hiew (check out this tut if you don't know how), and go to hex mode...F4/up arrow to Hex Mode/enter.

Now we gonna search for some text that appears in the program...on the nag actually...so push F7 (search) and a box will appear. You notice that the top line allows entry of ascii characters and should be flashing, while the bottom line is labelled hex.

Now we gonna type in the word we noted earlier...we try shareware.

The thing is, we can't just enter all the letters in a row (can't remember why, see some of tKC's earlier tuts), we gotta enter a letter in the ascii box, then two zeros in the hex box, then another letter in the ascii box etc. This is how we do it.

  • Type s in the ascii box
  • Now push the 'tab' button and we be taken to the hex box (down arrow does the same)
  • In the hex box type 00 (two zeros) and push 'tab' to take us back to ascii box
  • Then type h and push 'tab'
  • 00 and tab
  • a and tab
  • 00 and tab etc.

You get the idea? Keep entering letters and zeros till we have spelt s h a r e w a r e in the ascii box (in the hex box you'll have 73 00 68 00 61 00 72 00 65 00 77 00 61 00 72 00 65) then push enter, and we be taken to a place in the program where the word shareware is.
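The reason for the "letter, 00, letter, 00" pattern is that Windows keeps resource strings as UTF-16LE, so each ASCII letter is followed by a zero byte. The following Python is an added example, not code from the tutorial or from hiew: it builds the exact pattern the tutorial types in, shows it as hiew's hex column would, and scans a buffer for such wide strings the way a `strings -el` style triage would. SAMPLE is a constructed stand-in for the binary, not data from robhdob.exe.

```python
# Added example (Python), not code from the tutorial or from hiew.
# Windows stores resource strings as UTF-16LE, so every ASCII letter is
# followed by a 00 byte; that is the "letter, 00, letter, 00" pattern the
# tutorial types into hiew's search box. SAMPLE below is a constructed
# buffer standing in for the binary; it is not data from robhdob.exe.
import string
from typing import List, Tuple

# Printable ASCII minus control whitespace: the characters we accept in a run.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def hiew_wide_pattern(word: str) -> bytes:
    """UTF-16LE bytes of an ASCII word, without the final 00 (hiew's search
    pattern ends on the last letter, as in the tutorial's hex line)."""
    return word.encode("utf-16-le")[:-1]


def hex_pairs(data: bytes) -> str:
    """Render bytes the way hiew's hex column shows them: 'AA BB CC'."""
    return " ".join("%02X" % b for b in data)


def find_wide_string(data: bytes, word: str) -> int:
    """File offset of the UTF-16LE form of `word`, or -1 if it is absent."""
    return data.find(hiew_wide_pattern(word))


def extract_wide_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Every run of at least `min_len` printable ASCII chars encoded as
    UTF-16LE, as (offset, text); the same idea as `strings -el`."""
    found = []
    i, n = 0, len(data)
    while i + 1 < n:
        start, chars = i, []
        while i + 1 < n and data[i] in PRINTABLE and data[i + 1] == 0:
            chars.append(chr(data[i]))
            i += 2
        if len(chars) >= min_len:
            found.append((start, "".join(chars)))
        if i == start:          # nothing consumed: step one byte, not two,
            i += 1              # so runs starting at odd offsets are still caught
    return found


# Constructed stand-in for a binary: zero padding, a wide string, the
# FF FF 82 bytes the tutorial mentions, an 8-bit string and a second wide string.
SAMPLE = (
    b"\x00" * 8
    + "This copy is shareware".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xff\x82\x00"
    + b"plain ascii\x00\x00"
    + "Expired".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    print(hex_pairs(hiew_wide_pattern("shareware")))
    print("offset of 'shareware':", find_wide_string(SAMPLE, "shareware"))
    for off, text in extract_wide_strings(SAMPLE):
        print("%08X  %s" % (off, text))
```

Note that the 8-bit string "plain ascii" is not reported by the wide scan, while both UTF-16LE strings are; that is exactly why an ASCII-only search in hiew misses most of a Windows program's messages.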

You see two columns...a bigger one on the left with numbers and letters (hex), a smaller one on the right with bits of text. You'll see the cursor square in the left column on a number, and a corresponding cursor square in the right column on the s of shareware?

Ok, what we looking for is FF FF FF FF 82 in the left column, coz according to tKC this often is used for calling a nag. Sometimes we also see FF FF 82 used for the same thing, and this is what we see in our case...to the left of our cursor square in the left column.

So what we do is change the 82 to 7E. Use your left arrow key to move the cursor square over the 82, and push F3 (edit). The square turns into a line and starts flashing. Now type 7E, yeah, changing 82 to 7E, and push F9 to make the changes permanent. Now click Esc to exit hiew, and we ready to see what happens.

Hey hey no nag. Better try it a few times to make sure, but yeah, seems to be ok. I think we done it!!

Well the nag seems to be gone, but before we get too excited, I wonder if we got rid of the time limit. We put our computer clock forward a month to see. Shit, program expired. Well we deal to that now!

We gonna use W32dasm and check out the string references. You know what we looking for, coz when we put our clock forward, we were greeted with a message saying Sorry, this copy of the program has expired and other shit. So we gonna look for this message in W32dasm.

Load up Robhdob.exe in W32dasm (check out this tut if you don't know what to do), and go to string references. We look for Sorry, this copy of the program has expired because we don't want to see this message when we start the program. We gonna try to change it so we never see it.

When you've found it in string references, double click it, and you get taken to the place in the code where it is. Now I'm not going to drivel out lots of code coz I can't comment on it anyway, but you should end up at address:

* Possible Reference to String resource ID=04100: Sorry, this copy of the program has expired.[][][][]"
:00402AF4   6804100000     push 00001004
<-- land here

Now obviously, if our program moves through this piece of code, we gonna get the program expired message. We gotta look for a place that we can change the code so we miss this bit of code.

Again thanks to tKC, what sometimes works is to scroll upwards and see if there's a jump that either makes us hit or miss this code. Normally it's a JNE (jump if not equal), or a JE (jump if equal). Often, just above the code where you're at, you'll see:

* Referenced by a (U)nconditional or (C)onditional Jump at Address blah blah blah

and this is the jump that gets us to the shit code. Unfortunately, in our particular case, there's nothing like that close by, so we gonna see if there are any other jumps nearby.

Use your up arrow key to move up the program, and see if we can find one. You've got to scroll up quite a bit and you'll see lots of JMP (jump) on the way, but these jumps are unconditional jumps (means we gonna jump anyway) so they're not what we looking for.

Eventually we find one at address:

:004028FD   0F8453FFFFFF     je 00402856

which means we gonna jump if equal. Now like I mentioned about my tuts, I don't comment much...at my stage I can only say what I did, but I figure that maybe if I change the JE to JNE, I might miss the expired message. I gonna try it.

Take a note of the address...that's 004028FD, or the offset. I just note down the address. If you followed previous tuts you know that you should have made a copy before loading the program in W32dasm. Then you've got one for W32dasm and one for hiew. This is good because if you've got the program loaded in W32dasm, you'll have to exit it before you can make changes in hiew. Whatever, load the program into hiew AFTER putting your computer date back to the correct time (I explain why soon) and

  • F4/code mode/enter if hiew doesn't open in code mode
  • F5 then type in the offset (or address, remembering the fullstop BEFORE the address) and push enter
  • F3 and we gonna change the 0F84 (jump if equal instruction) to 0F85 (jump if not equal). Actually we just going to change the 4 to a 5, so use your arrow key to position the flashing line over the 4 and type 5
  • F9 to make our change permanent, then Esc to exit hiew.
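Why changing the 4 to a 5 turns a JE into a JNE: near conditional jumps are encoded as 0F, a condition byte, then a signed 32-bit displacement, and the low bit of the condition byte negates the condition. The Python below is an added example, not code from the tutorial or from W32dasm: it decodes the instruction at 004028FD from the bytes in the listing (confirming the 00402856 target W32dasm printed) and then classifies the difference between the backup copy and the edited copy, which is the check you want when a file's hash no longer matches the backup you were told to keep.

```python
# Added example (Python), not code from the tutorial or from W32dasm. The
# address 004028FD and the bytes 0F 84 53 FF FF FF are taken from the
# tutorial's listing; the "patched" bytes are the same instruction with
# 84 changed to 85, which is the edit the tutorial makes in hiew.
import struct

# Near conditional jumps are encoded as 0F <cc> rel32.  The low bit of <cc>
# negates the condition, so je (84) and jne (85) differ in a single bit.
JCC_NEAR = {
    0x80: "jo", 0x81: "jno", 0x82: "jb", 0x83: "jae",
    0x84: "je", 0x85: "jne", 0x86: "jbe", 0x87: "ja",
    0x88: "js", 0x89: "jns", 0x8A: "jp", 0x8B: "jnp",
    0x8C: "jl", 0x8D: "jge", 0x8E: "jle", 0x8F: "jg",
}


def decode_jcc_near(address: int, code: bytes):
    """Decode a 0F cc rel32 jump sitting at `address`.

    Returns (mnemonic, target).  rel32 is relative to the *next* instruction,
    so target = address + 6 + rel32, wrapped to 32 bits."""
    if len(code) < 6 or code[0] != 0x0F or code[1] not in JCC_NEAR:
        raise ValueError("not a near conditional jump: " + code[:2].hex())
    rel32 = struct.unpack_from("<i", code, 2)[0]      # signed little-endian
    target = (address + 6 + rel32) & 0xFFFFFFFF
    return JCC_NEAR[code[1]], target


def describe_jcc_patch(address: int, original: bytes, patched: bytes) -> str:
    """Compare one instruction from the backup copy with the edited copy and
    say what kind of change it is: a flipped condition keeps the target and
    differs in exactly one bit of the condition byte."""
    orig_mn, orig_tgt = decode_jcc_near(address, original)
    new_mn, new_tgt = decode_jcc_near(address, patched)
    if original[:6] == patched[:6]:
        return "unchanged: %s %08X" % (orig_mn, orig_tgt)
    if orig_tgt == new_tgt and (original[1] ^ patched[1]) == 1:
        return "condition inverted: %s -> %s, target %08X kept" % (orig_mn, new_mn, orig_tgt)
    return "other change: %s %08X -> %s %08X" % (orig_mn, orig_tgt, new_mn, new_tgt)


if __name__ == "__main__":
    ADDR = 0x004028FD
    ORIGINAL = bytes.fromhex("0F8453FFFFFF")   # from the W32dasm listing
    PATCHED = bytes.fromhex("0F8553FFFFFF")    # after the hiew edit
    print("%08X  %s %08X" % ((ADDR,) + decode_jcc_near(ADDR, ORIGINAL)))
    print(describe_jcc_patch(ADDR, ORIGINAL, PATCHED))
```

The displacement 53 FF FF FF is the little-endian form of -0xAD, so 004028FD + 6 - 0xAD = 00402856, matching the listing. The same decoder works for any of the sixteen 0F 8x jumps, not only JE/JNE.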

Well we ready to see what happens.

Hmmmm seems to work ok, but we gotta test it. Put your clock forward again...a month or so...and try the program now. Yep still works. I think we might have done it! So put ya clock back, and let's see what this program does. I mean it's useful and we may as well use it.

What this??? Program expired!! SHIT.

I gotta confess, I fucked around with this program a lot and I know there are lots of better, cleaner ways to crack it, but this is how I ended this particular one. Since then I've found better ways but that's for other tuts.

To finish this one, spark up regedit (read this if you don't know how to do this). Go to HKCU\Software\Robin Choo\ROBHDOB\1.00 and change the date of first launch to a month earlier, F5 to update the registry, and check out what happens. Works ok...put clock forward...still works...back to correct time...still works. Cool.
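The regedit step works because the converter keeps its first-launch date as a plain registry value that nothing ties to the program. From the defender's side, the standard fix is to store the date together with a keyed tag (an HMAC) so that a hand-edited date no longer verifies. The Python below is an added example, not the converter's code and not from the tutorial: the registry is simulated with a dict, and the key name, value format and 21-day limit are this example's own choices (the limit is the one the tutorial reports for this program).

```python
# Added example (Python), not the converter's own code and not from the
# tutorial. Simulates a first-launch record that is tamper-evident: the date
# is stored with an HMAC-SHA256 tag, so editing the date in regedit without
# the key makes the record fail verification. Registry path, key and dates
# are constructed for the demo.
import hmac
import hashlib
from datetime import date, timedelta

TRIAL_DAYS = 21   # the limit the tutorial reports for this program


def make_record(first_launch: date, key: bytes) -> str:
    """'YYYY-MM-DD|<hex tag>' where the tag is HMAC-SHA256(key, date)."""
    stamp = first_launch.isoformat()
    tag = hmac.new(key, stamp.encode(), hashlib.sha256).hexdigest()
    return "%s|%s" % (stamp, tag)


def read_record(record: str, key: bytes):
    """Return the stored date if the tag verifies, otherwise None."""
    try:
        stamp, tag = record.split("|", 1)
    except ValueError:
        return None
    expected = hmac.new(key, stamp.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return None
    try:
        return date.fromisoformat(stamp)
    except ValueError:
        return None


def trial_status(record: str, today: date, key: bytes) -> str:
    """'invalid' if the record is missing or was edited, 'expired' past the
    limit, else 'ok'.  A first-launch date in the future means the clock was
    moved backwards, which is treated as invalid too."""
    first = read_record(record, key)
    if first is None or today < first:
        return "invalid"
    if (today - first).days > TRIAL_DAYS:
        return "expired"
    return "ok"


# Simulated registry hive.  The key is constructed for the demo; a real product
# would at least derive it per installation rather than ship one constant.
KEY = b"constructed-demo-key-not-a-real-secret"
PATH = r"HKCU\Software\Example\Trial\FirstLaunch"   # placeholder path, not the converter's
REGISTRY = {PATH: make_record(date(2000, 1, 10), KEY)}


def demo():
    """Honest use inside the limit, honest use past it, and a regedit-style
    edit that moves the date a month earlier but cannot recompute the tag."""
    honest = trial_status(REGISTRY[PATH], date(2000, 1, 20), KEY)   # 10 days in
    late = trial_status(REGISTRY[PATH], date(2000, 2, 15), KEY)     # 36 days in
    stamp, tag = REGISTRY[PATH].split("|")
    earlier = (date.fromisoformat(stamp) - timedelta(days=30)).isoformat()
    edited = "%s|%s" % (earlier, tag)                                # date changed, old tag kept
    tampered = trial_status(edited, date(2000, 2, 15), KEY)
    return honest, late, tampered


if __name__ == "__main__":
    print(demo())
```

This raises the bar rather than closing the door: the key has to live somewhere the program can read it, so someone with hiew and W32dasm can still dig it out or patch the check, exactly as the tutorial patches the expiry jump. What the tag does buy is that a casual edit of the stored date in regedit is detected instead of silently extending the trial.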

I think we might have done it. I dunno if we can say that we Kro_baR'd it to death, but I think we gave it a good Kro_baRing anyway. We'll try another way for the same program another time, until then SEE YA!!