Deneba Cad v2.0.2 - 30 day Trial: A tricky timeout
06/30/00
by Sojourner

"There is a crack, a crack in everything. That's how the light gets in."

Rating: ( ) Beginner  (x) Intermediate  ( ) Advanced  ( ) Expert

A little food for thought. You will have to work for this one, and a little experience will help a lot.

Up-to-Date CAD Program
Persevere and You Shall Overcome
This is a fun little prog to play with, because we get to see how some people make their own .dll's and functions!

Tools:
- w32dasm 8.x, your choice of flavors
- a hex editor: UltraEdit 7.xx or whatever you want to use
- possibly a resource editor, not absolutely needed. I use Restorator 2.5.

Just go to this site and then to their download section and get what you need, or have them send you a free demo disk.
Here we go, guys and girls. Go get the prog and download it, then run the installation setup. Now let's go ahead and disassemble it with w32dasm. This should go off without a hitch.

Before you run the installation of your program, I will tell you a secret: if you set your computer clock way ahead to some unreal date, say ten years in the future, you can go ahead and install it, then turn the clock back, and it will work perfectly. If that is all you're looking for, then you can quit now and the rest of us will go on with the lesson. I really want you to stay, though, and work through this with me; otherwise you'll never grow in your learning. I must admit that I truly like the simplicity of the date change mechanism, and it is nice to know that it works if you need it. I have found another program, a backup program, that has that exact same mechanism, and it still works too. Let's move along, though. Our destiny calls us forward into the new millennium.

Go ahead and run through the prog with a good date and see what she looks like. You'll notice that you get a splash screen with a lot of junk loading, just like in the Deneba Canvas 7 prog. Once everything initializes, the program opens up and you're in free. If you want to play around a bit, go right ahead. There's even a helpful tutorial to help you get started. If you have a resource editor, you might want to have a look around inside of Deneba CAD and see if there are any useful references: dialogs, bitmaps, strings. You know all kinds of juicy things could be hidden in there. Oddly enough, the "Sorry, you're out of time" messages are not to be found there. They are in DenebaCad.rsr and can be viewed with UltraEdit, but they can't be unfolded with w32dasm because they show up as a binary file. Truly a bummer, but not the end of our rope, as you'll see. Let's go ahead and set the computer clock ahead, since we know we can always return to home base with a simple change.
Just for reference, I always make a backup copy of my .dll or .exe before I screw something up, and believe me, I have, many times, friends. Now just run the prog without going through w32dasm. Follow the flow again and you'll see the splash screen with all the initializing going on, and then, "Boom!", you'll see a little message box that says "Sorry, you lamer. Your time is up!" "Ha, I've got that little sucker now. I'll just set a few breakpoints on the message boxes in User32 and catch it red-handed." So, what are you waiting for? Go ahead and set them and then run it, baby! Naturally, you won't catch anything at all, because there aren't any of those fish to catch in this pond. "Boom," you get the same lame message as before.

Now remember, I told you earlier that the expired message is really in DenebaCad.rsr, so what are you doing in the executable trying to catch a resource listing? Think about that, future cracker. The reality is that it might entirely be possible to catch that little dude, because the executable may call the resource directly or may use another file, such as a .dll, to do the call. We don't know at this point, so let's keep going. Of course, we could search the string listing, but it doesn't show up there. So what do we do? We think. That's all. Just think. Think about the environment in the program and what it may be doing. Think like a programmer, and about what they may have done to make this prog work in the manner that it does. Think about why the time doesn't matter when we reset it, especially when we set it way far into the future and then go back. Incidentally, if you just install it in normal time and back track a few days, the program doesn't keep a count of it; that is, it will not time you out like some other progs do. The program doesn't keep a static timer function. OK, so now that you've had time to think a bit, what can we do? I began by looking for some kind of calls to time type functions.
There is a .dll that is used frequently by this program: asintppc.dll. There are tons of function calls in this file, but, of course, I was only interested in a couple:

1. GetDateTime
2. GetTime

Now we're getting somewhere, maybe. I'll tell you up front that it isn't necessary to disassemble this file, although I thought seriously about the need to do so. What we need to do to test our time idea is to set all the breakpoints we can that deal with these two functions. They actually show up in several places, but only one is important to us, and not actually directly, but rather as a pointer close by. Let's load some code and have a peek. Oh yes, you may ask why I didn't use the GetSystemTime and GetLocalTime functions. It's because they aren't used. These guys made their own time function calls.

* Reference To: ASINTPPC.GetDateTime, Ord:028Ch   <--- Not used to catch target. Hits before splash screen loads.
|
:00635B5C E8A9CB0200   Call 0066270A
:00635B61 FF75F8       push [ebp-08]
:00635B64 E866780700   call 006AD3CF
:00635B69 83C404       add esp, 00000004
:00635B6C 8D65FC       lea esp, dword ptr [ebp-04]
:00635B6F 5B           pop ebx
:00635B70 5D           pop ebp
:00635B71 C3           ret

This next section is where all the relevant checks take place! The jumps at 004096BD and 004096D4 are very important! If you follow the call through into asintppc.dll, you'll see what is actually going on. In a convoluted way, there is a time check going on that checks the current time. I say convoluted because there is a simple mathematical manipulation that takes place. You can single step through it in asintppc.dll as it's happening and look at the changes to the times as they occur. You'll later realize that it's mostly academic, that is, the studying of that .dll, but who knows, we may have needed its vital info. We need to always keep our eyes open when we work. As I mentioned above, the really important areas are the two jumps. In order to check this out, you must keep good notes, as I am wont to do.
I went through all this routine with good time left on the prog and found out that at 004096BD the jl never jumped; it just fell through. At 004096D4, on the other hand, it jumped with time left and did not jump when the time was expired! So if you weren't paying attention to these little details, then how would you have trapped that beast? Answer: you wouldn't have. You know what to do now, don't you? Get the offset from w32dasm, go into your hex editor, and make the minor little change:

:004096D4 7C41   change to   EB41

and you're home free. Another way around this would possibly have been to go into asintppc.dll and force it to load a fictitious date of your own choosing, so it would always be happy. But this way it doesn't matter. The choice is up to you.

* Reference To: ASINTPPC.GetTime, Ord:0416h
|
:00409633 E8E6882500           Call 00661F1E
:00409638 66C785DEFDFFFFCC07   mov word ptr [ebp+FFFFFDDE], 07CC
:00409641 66C785E0FDFFFF0100   mov word ptr [ebp+FFFFFDE0], 0001
:0040964A 66C785E2FDFFFF0100   mov word ptr [ebp+FFFFFDE2], 0001
:00409653 BA00000000           mov edx, 00000000
:00409658 668995E4FDFFFF       mov word ptr [ebp+FFFFFDE4], dx
:0040965F BA00000000           mov edx, 00000000
:00409664 668995E6FDFFFF       mov word ptr [ebp+FFFFFDE6], dx
:0040966B BA00000000           mov edx, 00000000
:00409670 668995E8FDFFFF       mov word ptr [ebp+FFFFFDE8], dx
:00409677 BA00000000           mov edx, 00000000
:0040967C 668995EAFDFFFF       mov word ptr [ebp+FFFFFDEA], dx
:00409683 EB00                 jmp 00409685

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409683(U)
|
:00409685 8D85F0FDFFFF         lea eax, dword ptr [ebp+FFFFFDF0]
:0040968B 50                   push eax
:0040968C 8D85DEFDFFFF         lea eax, dword ptr [ebp+FFFFFDDE]
:00409692 50                   push eax
:00409693 E8BDF7FFFF           call 00408E55
:00409698 83C408               add esp, 00000008
:0040969B 8D85ECFDFFFF         lea eax, dword ptr [ebp+FFFFFDEC]
:004096A1 50                   push eax
:004096A2 8D85D0FDFFFF         lea eax, dword ptr [ebp+FFFFFDD0]
:004096A8 50                   push eax
:004096A9 E8A7F7FFFF           call 00408E55
:004096AE 83C408               add esp, 00000008
:004096B1 8B95ECFDFFFF         mov edx, dword ptr [ebp+FFFFFDEC]
:004096B7 3B95F0FDFFFF         cmp edx, dword ptr [ebp+FFFFFDF0]
:004096BD 7C17                 jl 004096D6                          <-- HERE Return
:004096BF 8B95ECFDFFFF         mov edx, dword ptr [ebp+FFFFFDEC]
:004096C5 2B95F0FDFFFF         sub edx, dword ptr [ebp+FFFFFDF0]
:004096CB 83C201               add edx, 00000001
:004096CE 3B95CCFCFFFF         cmp edx, dword ptr [ebp+FFFFFCCC]
:004096D4 7C41                 jl 00409717                          <-- and HERE Return

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004096BD(C)
|
:004096D6 6830057200           push 00720530
:004096DB 8D85F4FDFFFF         lea eax, dword ptr [ebp+FFFFFDF4]
:004096E1 89C1                 mov ecx, eax
:004096E3 E899322200           call 0062C981
:004096E8 83C404               add esp, 00000004
:004096EB 8D85F4FDFFFF         lea eax, dword ptr [ebp+FFFFFDF4]
:004096F1 6A4E                 push 0000004E
:004096F3 68A2000000           push 000000A2
:004096F8 50                   push eax

* Reference To: ASINTPPC.GetIndString, Ord:012Eh
|
:004096F9 E8061E2400           Call 0064B504
:004096FE 8D85F4FDFFFF         lea eax, dword ptr [ebp+FFFFFDF4]
:00409704 50                   push eax
:00409705 E8B5E2FFFF           call 004079BF
:0040970A 83C404               add esp, 00000004
:0040970D C785C8FCFFFF4E000000 mov dword ptr [ebp+FFFFFCC8], 0000004E

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00409586(C), :004096D4(C)
|
:00409717 8B85C8FCFFFF         mov eax, dword ptr [ebp+FFFFFCC8]
:0040971D 8D65F4               lea esp, dword ptr [ebp-0C]
:00409720 5F                   pop edi
:00409721 5E                   pop esi
:00409722 5B                   pop ebx
:00409723 5D                   pop ebp
:00409724 C3                   ret
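What the two jumps amount to, as an added example in C (mine, not code from the tutorial or from Deneba). It reads the listing as converting both the constant 1996-01-01 date (07CC, 1, 1) and the current date into day numbers via the routine at 00408E55 and comparing them, which is an interpretation; day_number(), the function names and the stored limit are assumptions, since the real conversion routine is not on the page. The second function adds the clock-rollback detection that a trial check needs in order to notice the set-the-clock-ahead trick described at the start of the tutorial.

```c
#include <stdio.h>
/* Added example, not the tutorial's or Deneba's code. Models the trial check
 * the listing at 00409633..00409724 suggests (an interpretation): a constant
 * base date 1996-01-01 and the current date are both turned into day numbers
 * by the routine at 00408E55, then compared. day_number() is assumed. */
static int is_leap(int y) { return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0; }

/* Days since 1996-01-01; negative for any date before the base date. */
static long day_number(int year, int month, int day) {
    static const int mdays[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    long n = 0;
    if (year < 1996) return -1;
    for (int y = 1996; y < year; y++) n += is_leap(y) ? 366 : 365;
    for (int m = 1; m < month; m++) n += mdays[m - 1] + (m == 2 && is_leap(year));
    return n + day - 1;
}

enum { TRIAL_OK = 0, TRIAL_EXPIRED = 0x4E }; /* 4E: value stored at 0040970D on the message path */

/* The two jl instructions: 004096BD bails out if today is before the base date,
 * 004096D4 succeeds while (today - base + 1) is still below the stored limit. */
int trial_check(long today, long limit) {
    long base = day_number(1996, 1, 1);            /* always 0, kept to mirror the code */
    if (today < base) return TRIAL_EXPIRED;        /* 004096BD: jl 004096D6 */
    if (today - base + 1 < limit) return TRIAL_OK; /* 004096D4: jl 00409717 */
    return TRIAL_EXPIRED;                          /* fall through to the message */
}

/* Defensive variant (my addition): remember the newest day ever seen and refuse
 * when the clock has moved backwards. The naive check accepts any "today" below
 * the limit, which is why installing with the clock set ahead and then setting it back works. */
int trial_check_rollback_aware(long today, long limit, long *newest_seen) {
    if (today < *newest_seen) return TRIAL_EXPIRED; /* clock rolled back */
    int r = trial_check(today, limit);
    if (today > *newest_seen) *newest_seen = today;  /* persist on every run */
    return r;
}

int main(void) {
    /* Constructed scenario: installed 06/30/2010 (clock set ahead), run on 06/30/2000. */
    long limit = day_number(2010, 6, 30) + 30;
    long newest = day_number(2010, 6, 30);
    long today = day_number(2000, 6, 30);
    printf("naive check:          %s\n", trial_check(today, limit) == TRIAL_OK ? "runs" : "expired");
    printf("rollback-aware check: %s\n",
           trial_check_rollback_aware(today, limit, &newest) == TRIAL_OK ? "runs" : "expired");
    return 0;
}
```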
I hope you enjoyed this lesson. It was fun! I actually have a patch available for those of you who may not be able or willing to reverse. Ask for it; I'll email it to you only after you have read the tutorial. Until later. If you have any questions, please feel free to contact me at jomamameister@yahoo.com