program: STEGANOS 1.5e
location: http://www.steganography.com
about the protection: 30 days trial version
about the program: Steganos encrypts files and hides them within BMP, DIB, VOC, WAV, ASCII, and HTML files.
tools needed: SoftICE 3.x-4, W32Dasm 8.93, a hex editor, eXeScope (457KB)
rating (cracking difficulty): easy

 

FIRST WAY OF CRACKING

Load steganos.exe in W32Dasm and look for the string "This is a trial version of Steganos". There are 7 places where this string is referenced. To find the one which interests us we have to put breakpoints on each of them and see at which one SoftICE will break. SoftICE will break here:


* Possible Reference to String Resource ID=00242: "This is a trial version of Steganos.
You are on day %i of yo"
                                  |
:0040F745 68F2000000              push 000000F2
:0040F74A 50                      push eax
:0040F74B E810F8FFFF              call 0040EF60
:0040F750 8B0D707F4300            mov ecx, dword ptr [00437F70]
:0040F756 8B00                    mov eax, dword ptr [eax]
:0040F758 83C11E                  add ecx, 0000001E
:0040F75B 8D9698000000            lea edx, dword ptr [esi+00000098]
:0040F761 51                      push ecx
:0040F762 50                      push eax
:0040F763 52                      push edx
:0040F764 C744242800000000        mov [esp+28], 00000000
:0040F76C E8D6D00000              call 0041C847
:0040F771 83C414                  add esp, 00000014
:0040F774 8D4C2408                lea ecx, dword ptr [esp+08]
:0040F778 C7442414FFFFFFFF        mov [esp+14], FFFFFFFF
:0040F780 E81A150100              call 00420C9F
:0040F785 A1707F4300              mov eax, dword ptr [00437F70]
:0040F78A 83C01E                  add eax, 0000001E  are we still in the       
:0040F78D 83F81E                  cmp eax, 0000001E  30 days limit? 1E=30 in hex
:0040F790 7E0A                    jle 0040F79C       if yes then JUMP         
:0040F792 6A00                    push 00000000
:0040F794 8D4E5C                  lea ecx, dword ptr [esi+5C]
:0040F797 E81E0D0100              call 004204BA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F790(C)
|
:0040F79C 6A00                    push 00000000

As you see, the jle 0040F79C must be changed into jmp 0040F79C.

Now, using a hex editor, find and change

83F81E7E0A with

83F81EEB0A

From the dead listing we can find where the nag "You have been using Steganos for more than 30 days" is:

 
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040DFF4(C), :0040DFF9(C)
|
:0040E009 83FF1E                  cmp edi, 0000001E
:0040E00C 7E0E                    jle 0040E01C    we must change that into JMP
:0040E00E 6A00                    push 00000000
:0040E010 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"You have been using Steganos for "
                                        ->"more than 30 days now."
                                  |
:0040E012 684C644300              push 0043644C
:0040E017 E85A600100              call 00424076
:0040E01C 6A00                    push 00000000

 

Again, in the hex editor change

83FF1E7E0E with

83FF1EEB0E


If you want to change the text

This is a trial version of Steganos.
You are on x day of your 30 days trial period.

you can use eXeScope (457KB). Open Steganos.exe, go to Resource, String, 16 and change string 242 ("This is a trial ...") to whatever you want, then update the file without permitting it to change its size.

In the same way you can change the "Start trial version" button and the "Order now" button, or make them disappear (Dialog 272).


SECOND WAY OF CRACKING

By NOPing the 2 nag screens. We can find them by using SoftICE.

Set a breakpoint on hmemcpy and press F12 until you are in the Steganos code, then F10 until you leave SoftICE. Press OK and you will be back inside SoftICE; the last CALL you see will be the CALL of the nag screen "You have been using Steganos for". One way to eliminate it is to NOP it. Set a breakpoint at this CALL and NOP it 5 times. Why 5 times? Because this is the distance from 0040E017 to 0040E01C. So do an 'a' (assemble) and

:0040E017 nop
:0040E018 nop
:0040E019 nop
:0040E01A nop
:0040E01B nop

(the addresses can be different on your computer)


With the same logic we find the second nag.

When you have done all that you will see that pressing the Cancel button causes a fault. To correct this you must change

:0040E0D7 E824CBFFFF        CALL 0040AC00         with
:0040E0D7 E89E460000        CALL 0041277A

How do I know this? By using SoftICE: the CALL 0040AC00 is the CALL which causes the fault, and in the uncracked version the CALL 0041277A is the CALL which makes the program exit.

* Possible StringData Ref from Data Obj ->"You have been using Steganos for "
                                        ->"more than 30 days now."
                                  |
:0040E012 684C644300              push 0043644C
:0040E017 E85A600100              call 00424076   -here is the 1st nag, nop it 5 times
  
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E00C(C)
|
:0040E01C 6A00                    push 00000000
:0040E01E 8D4C241C                lea ecx, dword ptr [esp+1C]
:0040E022 E869150000              call 0040F590
:0040E027 8D4C2418                lea ecx, dword ptr [esp+18]
:0040E02B C68424980F000012        mov byte ptr [esp+00000F98], 12
:0040E033 E829F40000              call 0041D461     -here is the second nag nop it 5 times
:0040E038 83F802                  cmp eax, 00000002
:0040E03B 7508                    jne 0040E045
:0040E03D 6A01                    push 00000001

* Reference To: KERNEL32.ExitProcess, Ord:007Dh
                                  |
:0040E03F FF1578B24200            Call dword ptr [0042B278]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E03B(C)
|
:0040E045 8B06                    mov eax, dword ptr [esi]
:0040E047 8BCE                    mov ecx, esi
:0040E049 89751C                  mov dword ptr [ebp+1C], esi
:0040E04C FF90B8000000            call dword ptr [eax+000000B8]
:0040E052 E8090D0000              call 0040ED60
:0040E057 8D8C24B4000000          lea ecx, dword ptr [esp+000000B4]
:0040E05E C78424B400000060E14200  mov dword ptr [esp+000000B4], 0042E160
:0040E069 894C240C                mov dword ptr [esp+0C], ecx
:0040E06D 8D8C24B4000000          lea ecx, dword ptr [esp+000000B4]
:0040E074 C68424980F000016        mov byte ptr [esp+00000F98], 16
:0040E07C E8F45A0100              call 00423B75
:0040E081 8D8C24B0000000          lea ecx, dword ptr [esp+000000B0]
:0040E088 C68424980F000014        mov byte ptr [esp+00000F98], 14
:0040E090 E80A2C0100              call 00420C9F
:0040E095 8D4C2474                lea ecx, dword ptr [esp+74]
:0040E099 C68424980F000013        mov byte ptr [esp+00000F98], 13
:0040E0A1 E850750100              call 004255F6
:0040E0A6 8D4C2418                lea ecx, dword ptr [esp+18]
:0040E0AA C68424980F000010        mov byte ptr [esp+00000F98], 10
:0040E0B2 E8EBEF0000              call 0041D0A2
:0040E0B7 8D4C2410                lea ecx, dword ptr [esp+10]
:0040E0BB C68424980F00000F        mov byte ptr [esp+00000F98], 0F
:0040E0C3 E8D72B0100              call 00420C9F
:0040E0C8 8D8C243C080000          lea ecx, dword ptr [esp+0000083C]
:0040E0CF C68424980F00000E        mov byte ptr [esp+00000F98], 0E
:0040E0D7 E824CBFFFF              call 0040AC00   -change it to CALL 0041277A
:0040E0DC 8D8C244C090000          lea ecx, dword ptr [esp+0000094C]
:0040E0E3 C68424980F00000D        mov byte ptr [esp+00000F98], 0D
:0040E0EB E8E0D0FFFF              call 0040B1D0
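The listing relies on x86 relative-branch arithmetic: a jcc/jmp rel8 and a call rel32 are resolved from the address of the next instruction, which is why flipping 7E to EB keeps the same target and why a call needs 5 NOPs. The script below is an added check (not from the tutorial) that re-derives the targets and patch bytes quoted above from the listing's own addresses and opcodes.

```python
# Added example: decode/encode the relative branches quoted in the listing
# and confirm that the tutorial's annotations and patch bytes are consistent.
# All addresses and opcode bytes below are taken from the listing itself.

def instr_len(code: bytes) -> int:
    """Length of the instruction starting with code[0]:
    E8 = call rel32 (5 bytes); EB or 70..7F = jmp/jcc rel8 (2 bytes)."""
    op = code[0]
    if op == 0xE8:
        return 5
    if op == 0xEB or 0x70 <= op <= 0x7F:
        return 2
    raise ValueError(f"unsupported opcode {op:02X}")


def branch_target(addr: int, code: bytes) -> int:
    """Target = address of the next instruction + signed displacement."""
    n = instr_len(code)
    disp = int.from_bytes(code[1:n], "little", signed=True)
    return addr + n + disp


def encode_call(addr: int, target: int) -> bytes:
    """E8 rel32 encoding of `call target` placed at `addr` (inverse of branch_target)."""
    disp = target - (addr + 5)
    return b"\xE8" + disp.to_bytes(4, "little", signed=True)


def check_listing() -> dict:
    """Re-derive every number the tutorial quotes for its jumps and calls."""
    jle_f790 = bytes.fromhex("7E0A")        # jle at 0040F790
    jle_e00c = bytes.fromhex("7E0E")        # jle at 0040E00C
    nag_call = bytes.fromhex("E85A600100")  # call 00424076 at 0040E017
    bad_call = bytes.fromhex("E824CBFFFF")  # call 0040AC00 at 0040E0D7
    return {
        "jle_f790_target": branch_target(0x40F790, jle_f790),
        # 7E -> EB changes only the opcode; the rel8 byte (and target) stay
        "jmp_f790_target": branch_target(0x40F790, b"\xEB" + jle_f790[1:]),
        "jle_e00c_target": branch_target(0x40E00C, jle_e00c),
        "nag_call_target": branch_target(0x40E017, nag_call),
        # a call rel32 is 5 bytes, hence 5 NOPs from 0040E017 to 0040E01C
        "nag_call_end": 0x40E017 + instr_len(nag_call),
        # negative displacement: the call goes backwards to 0040AC00
        "bad_call_target": branch_target(0x40E0D7, bad_call),
        # bytes for "call 0041277A" at 0040E0D7, as quoted in the tutorial
        "call_41277a": encode_call(0x40E0D7, 0x41277A).hex().upper(),
    }
```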

 


Please do not use this information to make cracks .


 

tutorial by :

page created: September 99