Win Code Reversing
'Time limit removal and how to register'

Program Name: Flash32e.zip
Program Type: Capture utility
Program Location: Here
Program Size: 1.87MB

Tools used:
Softice V4.0 - Win'95 Debugger
W32Dasm V8.93 - Win'95 Disassembler
The author of Flash32 v3.05 says:
Flash32 is running under Windows 95, Windows NT 4 and 2000, used to capture and save Windows screens (or parts of screens), images from files, images from Internet WebCams, images from Internet Explorer cache. The captures can be saved with several graphic formats, modified, printed... Flash32 also allows the creation of icons, cursors, animations (ANI, AVI, FLI, FLC and GIF), wallpapers, logos... A screen capture can be saved or printed with or without interaction with the user.
This program uses a file called Flash 32.lic to save the registration information. This file will be created after successful registration. You will find the file in the same folder as flash32.exe.

My original essay was going to show how to find the real serial number, but from the time the program was installed until I found the time to sit down and write it, my 30 trial days passed, so I thought it would be a good idea to show how to bypass this check, too. I'm not going to get too deep into it; I didn't pay much attention to how the program checks the time passed. I will just show how to recognize where the check is done, and how to bypass it.
The TIME LIMIT removal :

Adjust your machine clock one month ahead, or more. Run the program. After you get the splash screen, a message box pops up: "The evaluation period is finished". The only way to use this program is to register it.

It's time to use W32Dasm to create the assembly dead-list for our program. Look for this error message in the "String Data References"; the strings are in alphabetical order, so scroll down until you find the string we're looking for. Once you have found it, we want to know where in the program it came from, and what to do to prevent it. Here is what the program's code looks like:
    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00411CCE(C)
    |
    * Possible StringData Ref from Data Obj ->"The evaluation period is finished."
    :00411CFB 6828C44500      push 0045C428
If we read the line above where this string is coming from, we can see that the program jumped to this location due to "a (U)nconditional or (C)onditional Jump at Address: 00411CCE". The program made a check to see if the 30 trial days had passed, and since they had, we got this message and the program quits. Now we want to see the condition that brought us here, from location 00411CCE, remember?
    :00411CC2 E8096A0200      call 004386D0                        ; where the check is done
    :00411CC7 83C448          add esp, 00000048
    :00411CCA 48              dec eax                              ; subtract 1 from eax
    :00411CCB 7456            je 00411D23                          ; if eax=0, jump (program crash)
    :00411CCD 48              dec eax                              ; subtract 1 from eax
    :00411CCE 742B            je 00411CFB                          ; if eax=0, jump (end of 30 days)
    :00411CD0 8B9424BC010000  mov edx, dword ptr [esp+000001BC]    ; run as evaluation
    :00411CD7 6A00            push 00000000
    :00411CD9 6890D64000      push 0040D690
If we think about the logic above, we can assume that if the 30 days are over, we come back from the call with eax holding the value 2. Why? We subtract 1 from eax twice, and if eax=0 after that we jump to the quitting message (had eax been 1 on return, the first je would already have taken the crash jump). In simple words, if we want to use this program beyond the 30 days, there are two ways to do it: change the value of eax so it won't be 0 when it reaches these two checks, or, the easiest way, don't take the jump at location 00411CCE.
To check this theory, we need to set up a breakpoint (BP) in Soft-Ice (SI), so we can break into the program's code and check the value of eax, so we can decide what to do. The program uses the API "MessageBoxA" to show the "Evaluation Period" message, so to set the BP in SI, type "ctrl + D" and SI pops up. Type "bpx messageboxa", hit "Enter", and "x" to leave SI.

Run the program. Right after the splash screen, Soft-Ice pops up, just before executing the "MessageBoxA" API and showing the message. Hit F11 once and the "Evaluation Period" message pops up; hit the "OK" button, and you're back in SI.

We did all this so we would break in the program's code and could then set a BP at the *real* location, where the days check is made. In SI ("ctrl + D") disable the previous BP, "bd 00", and type "u 00411cc2"; this will bring this location to the upper line in the code window. Take a look: is this the "call 004386D0"? If it is, set a BP on this line: double click on it or type "bpx 411cc2" and "x".

Run the program again; SI breaks on

    00411CC2 E8096A0000      call 004386D0

Press F10 once, so the call 4386D0 is executed, and take a look at eax: it contains the value 00000002. Great, we're on our way. Press F10 2 times and you're on

    00411CCB 7456            je 00411D23

but SI will not jump here since eax=1 and not zero. Press F10 2 times again and you're on

    00411CCE 742B            je 00411CFB

BUT now we see the <jump> sign in SI: the program wants to jump to the "Evaluation Period" message. Here is where we want to prevent the jump so the program will continue to run. In SI type "r fl z"; this toggles the Zero flag (to false) and you'll see <no jump> in SI. Type "x" to leave SI, and... nothing. We didn't get the "Evaluation Period" message, but we can't see the main window of the program either... Take a look at your tray bar, can you see a camera icon down there? Yep, Flash32 is running beyond the 30 days..

The bypass of the jump is not permanent; if you run the program again, you'll have to do all this again. To make a permanent change, see the Patch Section.
How to find the REAL SERIAL NUMBER :

Now, when the program is running, right-mouse-click on the camera icon and choose the "register" option. What we're going to see here is the same method of how to bypass the check for the correct serial number. You will see the correct one; you can do whatever you like...

The program uses the API "GetDlgItemTextA" to read the details you type in the registration screen. Set the BP in SI: type "ctrl + D" and SI pops up. Type "bpx getdlgitemtexta", hit "Enter", and "x" to leave SI.

Type in name, first name and serial. Remember that you enter 3 inputs, so SI should break 3 times. Hit the "Ok" button and SI pops up; hit "Enter" on the first 2 pop-ups of SI, we're interested in the 3rd one, after the program has all 3 fields in memory. Press "F11" once; here is how the program's code looks, you should see this:
    :00421918 FFD6            call esi                             ; GetDlgItemTextA
    :0042191A 85C0            test eax, eax                        ; eax=0 ?
    :0042191C 7538            jne 00421956                         ; if eax>0, jump
    :0042191E 6A10            push 00000010                        ; no serial entered
    ----- snip snip -----
    :00421953 C21000          ret 0010

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0042191C(C)
    |
    :00421956 8D542414        lea edx, dword ptr [esp+14]          ; edx points to name
    :0042195A 8D442468        lea eax, dword ptr [esp+68]          ; eax points to first name
    :0042195E 52              push edx
    :0042195F 6870804500      push 00458070                        ; "Flash 32"
    :00421964 50              push eax
    :00421965 8D8C24B8060000  lea ecx, dword ptr [esp+000006B8]
    :0042196C 6818D34500      push 0045D318
    :00421971 51              push ecx
    :00421972 FFD3            call ebx                             ; add "first name+Flash 32+name"
    :00421974 8DBC24C0060000  lea edi, dword ptr [esp+000006C0]
    ----- snip snip -----
    ; not important code...
    ; from here starts the actual serial calculation

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004219D1(C)
    |
    :004219B4 80385F          cmp byte ptr [eax], 5F               ; is next char = "_" ???
    :004219B7 7503            jne 004219BC                         ; not "_", jump
    :004219B9 C60020          mov byte ptr [eax], 20               ; replace "_" with " "

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004219B7(C)
    |
    :004219BC 0FBE08          movsx ecx, byte ptr [eax]            ; move next char to ecx
    :004219BF 334C2410        xor ecx, dword ptr [esp+10]          ; xor this char
    :004219C3 81F1CE9A5713    xor ecx, 13579ACE                    ; xor ecx with 13579ACE
    :004219C9 40              inc eax                              ; point to next char
    :004219CA 894C2410        mov dword ptr [esp+10], ecx          ; store the xor value
    :004219CE 803800          cmp byte ptr [eax], 00               ; end of name ??
    :004219D1 75E1            jne 004219B4                         ; not end, loop again
    :004219D3 8B442410        mov eax, dword ptr [esp+10]          ; eax = xor value from before
    :004219D7 8D9424BC000000  lea edx, dword ptr [esp+000000BC]
    :004219DE 35F0BD6824      xor eax, 2468BDF0                    ; xor eax with 2468BDF0, this will be the real serial
    :004219E3 52              push edx
    :004219E4 A3D4A94600      mov dword ptr [0046A9D4], eax        ; keep real serial
    :004219E9 E81B090200      call 00442309                        ; convert fake serial to hex value, in eax
    :004219EE 8B0DD4A94600    mov ecx, dword ptr [0046A9D4]        ; ecx = real serial
    :004219F4 83C404          add esp, 00000004
    :004219F7 3BC1            cmp eax, ecx                         ; compare fake and real serial
    :004219F9 742E            je 00421A29                          ; if correct serial, jump
    :004219FB 6A10            push 00000010                        ; wrong serial, error message
    :004219FD 68ACC24500      push 0045C2AC

    * Possible StringData Ref from Data Obj ->"Invalid key"
    |
    :00421A02 681CE14500      push 0045E11C
    :004151AD 8D4C2420        lea ecx, dword ptr [esp+20]
Looking at the code above, I don't think there is much to say; you can see how the real serial number is being calculated, character by character, from the name entered. At the end, the program compares the entered serial with the real one:

    004219F7 3BC1            cmp eax, ecx

If both serials are equal, a .lic file will be created, but there is no "thank you" message or any other sign that you've registered successfully. If the serial is wrong, there is an "Invalid key" message.
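As an added illustration, not code from the essay or from Flash32, here is a Python model of the design point behind that listing: a check that computes the expected serial from the name with constants stored in the binary is also a generator, so it can never keep a serial secret from anyone holding the program. The second half shows the alternative, where the secret stays with the vendor and the client only relays. The loop shape follows the disassembly (fold each character into a 32-bit accumulator with xor, then a final xor), but the constants, the hex parsing of the typed serial, the vendor secret and all function names are assumptions made for this example; none are Flash32's values.

```python
import hashlib
import hmac

MASK32 = 0xFFFFFFFF

# ---- Pattern 1: the whole check lives in the client (the shape of the listing).
# Constants constructed for this example; NOT the ones used by Flash32.
MIX_CONSTANT = 0x0F0F1234
FINAL_CONSTANT = 0x00ABCDEF


def weak_expected_serial(name: str) -> int:
    """What the client itself computes as the 'real serial' for a name."""
    acc = 0
    for ch in name.replace("_", " "):   # the listing swaps "_" for " " before mixing
        acc = (acc ^ ord(ch) ^ MIX_CONSTANT) & MASK32
    return (acc ^ FINAL_CONSTANT) & MASK32


def weak_client_check(name: str, typed_serial: str) -> bool:
    """Typed serial parsed as hex (assumption) and compared with the local computation."""
    try:
        return int(typed_serial, 16) == weak_expected_serial(name)
    except ValueError:
        return False


def verifier_doubles_as_generator(name: str) -> bool:
    """The flaw in one line: the verifier accepts its own output for every name,
    and every constant it needs is inside the program being protected."""
    return weak_client_check(name, format(weak_expected_serial(name), "08x"))


# ---- Pattern 2: the secret stays with the vendor; the client holds nothing to derive from.
VENDOR_SECRET = b"constructed-vendor-secret-never-shipped"   # exists only on the vendor's side


def vendor_issue_serial(name: str) -> str:
    """Vendor side: the serial is an HMAC tag over the licensed name."""
    return hmac.new(VENDOR_SECRET, name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def vendor_validate(name: str, typed_serial: str) -> bool:
    """Vendor side: constant-time comparison of the relayed serial."""
    return hmac.compare_digest(vendor_issue_serial(name), typed_serial)


def client_check_online(name: str, typed_serial: str, ask_vendor=vendor_validate) -> bool:
    """Client side: relays name and serial; ask_vendor stands in for the network round trip."""
    return ask_vendor(name, typed_serial)


if __name__ == "__main__":
    print("weak check accepts its own output:", verifier_doubles_as_generator("Some Name"))
    s = vendor_issue_serial("Some Name")
    print("vendor-side check:", client_check_online("Some Name", s), client_check_online("Other Name", s))
```

What moves out of reach in the second pattern is forging a serial from the binary alone; the client still ends in a compare-and-branch like the je at 004219F9, so the final decision remains patchable and has to be paired with code-integrity checks. An offline equivalent signs the name with a vendor private key and verifies with an embedded public key, which needs a signature library and is not shown here.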
I hope to have the time to code a key-gen for this program; it should be easy. Look in my key-gen section in a few days, so you can learn how to do that, and how I use the program's assembly code to help me with that.

Job done..
Load up Flash32.exe into your Hex-Editor (I use Hex Workshop).

For the time limit removal:
SEARCH FOR THE FOLLOWING BYTES: 83C44848745648742B
REPLACE WITH HIGHLIGHTED BYTES: 83C448487456489090
(only the last two bytes change: the je 00411CFB becomes two NOPs)

For method no. 2:
Nothing is needed.
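As an added example, not the essay's code, here is the kind of self-check a program can run over its own code bytes to notice a two-byte patch like the one above. It embeds a constructed stand-in for the region around 00411CC7 (the essay's search bytes padded with NOP filler; the real neighbouring bytes of flash32.exe are not on the page), performs the search-and-replace the Patch Section describes, and compares a digest of the region against the known-good value recorded at build time. Function names and the filler are assumptions made for the example.

```python
import hashlib

# Constructed stand-in for the code region around 00411CC7: the essay's search
# bytes with NOP filler on both sides (flash32.exe's real neighbours not reproduced).
SEARCH_BYTES = bytes.fromhex("83C44848745648742B")   # add esp,48 / dec eax / je / dec eax / je 00411CFB
REPLACE_BYTES = bytes.fromhex("83C448487456489090")  # same, second je replaced by two NOPs
FILLER = b"\x90" * 16
CODE_IMAGE = FILLER + SEARCH_BYTES + FILLER


def hex_edit(image: bytes, search: bytes = SEARCH_BYTES, replace: bytes = REPLACE_BYTES) -> bytes:
    """Same-length search-and-replace over the image, as a hex editor would do it."""
    if len(search) != len(replace):
        raise ValueError("search and replace must be the same length")
    idx = image.find(search)
    if idx < 0:
        raise ValueError("search bytes not found")
    return image[:idx] + replace + image[idx + len(search):]


def code_digest(image: bytes) -> str:
    """Digest of the code region; the build records this value for later comparison."""
    return hashlib.sha256(image).hexdigest()


KNOWN_GOOD_DIGEST = code_digest(CODE_IMAGE)   # what the unpatched build would record


def is_tampered(image: bytes, expected: str = KNOWN_GOOD_DIGEST) -> bool:
    """True when the code region no longer matches the build-time digest."""
    return code_digest(image) != expected


def changed_offsets(original: bytes, current: bytes) -> list:
    """Offsets that differ, for reporting; for the essay's patch this is the 74 2B -> 90 90 pair."""
    return [i for i, (a, b) in enumerate(zip(original, current)) if a != b]


if __name__ == "__main__":
    patched = hex_edit(CODE_IMAGE)
    print("original tampered?", is_tampered(CODE_IMAGE))
    print("patched tampered?", is_tampered(patched), "at offsets", changed_offsets(CODE_IMAGE, patched))
```

Two caveats a practitioner should keep in mind: the Soft-Ice "r fl z" trick from the time-limit section changes only the flags register at run time, so neither an on-disk nor an in-memory digest of the code bytes sees it; and the self-check itself ends in a conditional branch, so it raises the cost of patching rather than preventing it.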
REMEMBER, I'm doing my cracks as a hobby and challenge, so please, if you like this utility and want to keep using it, support the author and pay for it.
It's been a long time since I wrote my last essay; real life used most of my free time, I've started a new function at work, so I had to put all my efforts into it. Anyway, I couldn't let this year end without writing another essay, so I hope this one will help newbies to "jump" into the code and start to get the idea.

Christmas is over, but I think that it's never too late to wish you all out there a Happy New Year, and for the Jewish community, of which I'm part, we celebrate today the 5th day of "Hanuka"; I wish you a Happy Hanuka.

My thanks and regards to all my "web" friends, +Sandman, Rhayader (where is he?), Jeff, ShADe, Lord_Soth, Eternal_Bliss, Hobgoblin, D0gBytes and all others.