HOW TO CRACK TOGGLE MOUSE 4.5.2

Tutorial by UmE

Introduction: it's time for another time-trial program. In this case we will use W32Dasm to find
the fateful jump that lets our program work forever.

Necessary tools: W32Dasm version 8.9, SoftIce 3.24.

Program description: Toggle Mouse 4.5.2, Togglemouse.exe, 778,240 bytes.

Let's start!!!

Step 1: as I've said before, this is a time-trial program with a limit of 30 days of usage. So after
installing it, change your system date and set it at least 30 days later than the installation date.
Now if you run the program a nag screen appears telling you that your evaluation period is
over and you've got to buy the retail version. Mmmm.....we'll try another way to use the program!
:-)

Step 2: the method that I've used to crack this program is divided in two steps:

			 1- Intercept with SoftIce the call to the nag screen.
			 2- Go back in the code from this point to find the place where the
			    utility jumps to the NON-WORKING message. Changing this jump we will
			    make this program work forever!!

Ok let's go ahead...press Ctrl+D to enter SoftIce and place a breakpoint on the GetSystemTime
API (bpx GetSystemTime). Press Ctrl+D to return to the system and run the program.....
BINGO!! You're in SoftIce!!! Press F11 (step out of the current call) and the nag screen appears. Now
push the OK button in the nag screen and you'll be in SoftIce again, right after the call that
displayed it. Let's observe the code snippet that we see on the screen:

:00413B37 8D8D50FFFFFF            lea ecx, dword ptr [ebp+FFFFFF50]
:00413B3D E8A0470100              call 004282E2			<--- This calls the nag screen!
:00413B42 83F802                  cmp eax, 00000002		     Remember this address!!
:00413B45 7507                    jne 00413B4E
:00413B47 8BCE                    mov ecx, esi

Ok, now let's go to W32Dasm: open it and disassemble the file Togglemouse.exe. Click on the
"Goto -> Goto Code Location" menu and enter the address where we found the call to the nag
screen (00413B3D). You'll see the same code snippet reported above. Now with the up arrow key go back
in the code until you find a jump or a call reference. Scrolling a little bit you'll find:

* Referenced by a CALL at Address:
|:00413BA1   
|
:00413AC0 55                      push ebp
:00413AC1 8BEC                    mov ebp, esp
:00413AC3 81ECB0000000            sub esp, 000000B0

As you've noticed, the part of the code that you've scrolled through is the one that prepares the nag
screen (in fact you can also notice the string "You've reached the end of your trial period...").
This routine, starting at 00413AC0, is referenced by a call at the address 00413BA1, as W32Dasm
reports in the previous code snippet. Click on the "Goto -> Goto Code Location" menu again and enter
the 00413BA1 address. You'll be here:

:00413B96 E815F5FFFF              call 004130B0
:00413B9B 85C0                    test eax, eax			<- Sets the flags on the returned EAX
:00413B9D 7F0B                    jg 00413BAA			<- Jump if greater (EAX > 0) to 00413BAA
:00413B9F 8BCE                    mov ecx, esi
:00413BA1 E81AFFFFFF              call 00413AC0			<- The nag screen appears
:00413BA6 6A01                    push 00000001
:00413BA8 EB02                    jmp 00413BAC			<- unconditional jump to 00413BAC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00413B9D(C)
|
:00413BAA 6A02                    push 00000002

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00413BA8(U)
|
:00413BAC 58                      pop eax
:00413BAD 5E                      pop esi  

From the above code snippet you can notice that the jg 00413BAA is not significant for our
target: it only jumps to the piece of code where the program lands unconditionally anyway after the
call to the nag screen (see the jmp instruction at 00413BA8); the two paths differ only in the value
(1 or 2) left in EAX by the pop at 00413BAC. If you change this jump (to an unconditional jmp, for
example) the nag screen will not appear, but the program will not work, because the real decision
has already been taken by the caller. So we must go back further to find another significant jump
or call!! Continue moving with the up arrow key until you find this:

* Referenced by a CALL at Address:
|:00413BB3   
|
:00413B90 56                      push esi
:00413B91 8BF1                    mov esi, ecx
:00413B93 8B4E0C                  mov ecx, dword ptr [esi+0C]
:00413B96 E815F5FFFF              call 004130B0
:00413B9B 85C0                    test eax, eax
:00413B9D 7F0B                    jg 00413BAA

Click on the "Goto -> Goto Code Location" menu and enter the 00413BB3 address. You'll see:

* Referenced by a CALL at Address:
|:0041571E   
|
:00413BB1 6A00                    push 00000000
:00413BB3 E8D8FFFFFF              call 00413B90
:00413BB8 C3                      ret

Nothing interesting here, just a wrapper.....go to the 0041571E address. You'll land here:

:004156F7 E8B4D9FFFF              call 004130B0		<- Suspicious call!!
:004156FC 85C0                    test eax, eax		<- Suspicious test!!
:004156FE 0F8F89000000            jg 0041578D		<- Suspicious jump!!
:00415704 8BCE                    mov ecx, esi
:00415706 E84BFCFFFF              call 00415356
:0041570B 53                      push ebx
:0041570C 8D4C2424                lea ecx, dword ptr [esp+24]
:00415710 E8FAE2FFFF              call 00413A0F

* Reference To: TogUTIL._RemoveHook@0, Ord:000Dh
                                  |
:00415715 E860260000              Call 00417D7A
:0041571A 8D4C2420                lea ecx, dword ptr [esp+20]
:0041571E E88EE4FFFF              call 00413BB1		<- This calls the nag screen!!

The jg above is very suspicious because it jumps away from the nag screen call, and also past the
code in between (the call to TogUTIL._RemoveHook at 00415715 among others) that disables the
utility. The jump depends on the EAX value returned by the call 004130B0 instruction. Go inside this
call and start to trace it!! After a little bit of tracing you'll be in this piece of code. Let's
see together what the program does if the time limit is over:

:004130CA 6A1E                    push 0000001E		<- Push 1E (30 dec), the trial length in days
:004130CC 99                      cdq
:004130CD F7F9                    idiv ecx		<- Signed division: EAX = number of days you've
									   used the program
:004130CF 59                      pop ecx			<- ECX = 1E (30)
:004130D0 5E                      pop esi
:004130D1 2BC8                    sub ecx, eax		<- ECX = 30 - days used, i.e. the days left.
									   After the time limit the result is negative!
:004130D3 7902                    jns 004130D7		<- Jump if the sign flag is clear (result >= 0).
									   In our case the result is negative: NO JUMP!!
:004130D5 33C9                    xor ecx, ecx		<- ECX now is equal to 0 (no days left).

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004130D3(C)
|
:004130D7 83F928                  cmp ecx, 00000028	<- Compare ECX (0) with 28h (40 dec)
:004130DA 7E1D                    jle 004130F9		<- Jump if ECX is less or equal: NOW JUMP!!
:004130DC E818D90100              call 004309F9
:004130E1 8B4004                  mov eax, dword ptr [eax+04]
:004130E4 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"ScrollSensitivity"
                                  |
:004130E6 68902D4400              push 00442D90

* Possible StringData Ref from Data Obj ->"Settings"
                                  |
:004130EB 688C144400              push 0044148C
:004130F0 8BC8                    mov ecx, eax
:004130F2 E899B20100              call 0042E390
:004130F7 33C9                    xor ecx, ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004130DA(C)
|
:004130F9 8BC1                    mov eax, ecx		<- Moves ECX into EAX. Now EAX = 0
:004130FB C3                      ret

At this point the function returns EAX = 0 (in general it returns the number of trial days left), so
the JG at the 004156FE address is not taken and the program executes the call to the nag screen
(0041571E address). Note also the branch that is NOT taken here: if more than 28h (40) days were
"left", which is only possible when the system date is earlier than the recorded installation date,
the code at 004130DC-004130F7 writes to the "ScrollSensitivity" entry under "Settings" and returns 0
as well. So simply turning the clock back does not help; the jump is the way.
Now you can understand that this is the critical jump: change it into JMP 0041578D and the program
will work forever!!! The jg is a 6-byte near jump (0F 8F 89 00 00 00); the easiest patch is to
replace the first two bytes 0F 8F with 90 E9 (a nop followed by jmp rel32). The displacement
89 00 00 00 stays valid because the jmp starts one byte later and is one byte shorter, so both
instructions end at 00415704 and the target is still 0041578D. Remember that W32Dasm shows virtual
addresses: to patch with a hex editor you need the file offset, which W32Dasm reports in its status
line ("@Offset ...") when you click on the instruction.
As you've seen during this tutorial, the method I've used is a little unusual for a time-limit
program, but it works well when the nag screen is reached through a chain of nested calls!!
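The patch described above, as an added example that is not part of UmE's tutorial and not code from
Toggle Mouse: instead of hunting for the file offset by hand, this script reads the PE section table
of Togglemouse.exe, maps the virtual address 004156FE to its file offset, checks that the bytes there
are exactly the jg 0041578D from the W32Dasm listing, and rewrites the instruction as an equivalent
jmp (E9 rel32) padded with a nop. Assumptions: the addresses and bytes are the ones shown in the
listing, W32Dasm addresses are virtual addresses relative to the ImageBase in the PE header, and the
file is a plain PE32 executable; the sample image built by build_sample_pe() is constructed for
self-testing and is not the real Togglemouse.exe.

```python
"""Patch the trial check of Togglemouse.exe: jg 0041578D at 004156FE -> jmp.
Added example for UmE's tutorial; addresses/bytes assumed from the W32Dasm
listing, file offset computed from the PE section table, not hard-coded."""
import struct
import sys

JG_VA = 0x004156FE
JG_BYTES = bytes.fromhex("0F8F89000000")   # jg 0041578D, as listed by W32Dasm
JMP_TARGET = 0x0041578D


def jcc_rel32_to_jmp(code, va):
    """Rewrite a 6-byte 0F 8x rel32 conditional jump located at `va` as a
    5-byte E9 rel32 jmp to the same target plus one NOP, so the instruction
    stream keeps its length. Returns (new_bytes, target)."""
    if len(code) != 6 or code[0] != 0x0F or not 0x80 <= code[1] <= 0x8F:
        raise ValueError("not a near conditional jump: %s" % code.hex())
    rel = struct.unpack("<i", code[2:6])[0]
    target = va + 6 + rel                 # displacement counts from the end of the jcc
    new_rel = target - (va + 5)           # ... and from the end of the 5-byte jmp
    return b"\xE9" + struct.pack("<i", new_rel) + b"\x90", target


def section_table(pe):
    """Yield (image_base, virtual_addr, virtual_size, raw_ptr, raw_size) for
    every section of a PE32 image, using only struct."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24                   # optional header follows the 20-byte file header
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]      # PE32 ImageBase
    first = opt + opt_size                # first IMAGE_SECTION_HEADER (40 bytes each)
    for i in range(nsec):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, first + i * 40 + 8)
        yield image_base, vaddr, vsize, rptr, rsize


def va_to_file_offset(pe, va):
    """Map a virtual address to its offset in the file via the section table."""
    for image_base, vaddr, vsize, rptr, rsize in section_table(pe):
        rva = va - image_base
        if vaddr <= rva < vaddr + max(vsize, rsize):
            if rva - vaddr >= rsize:
                raise ValueError("address %08X is not backed by file data" % va)
            return rptr + (rva - vaddr)
    raise ValueError("address %08X is in no section" % va)


def patch_image(pe):
    """Return a patched copy of the image; refuse to touch anything unless the
    original jg bytes are exactly where the listing says they are."""
    off = va_to_file_offset(pe, JG_VA)
    found = pe[off:off + 6]
    if found != JG_BYTES:
        raise ValueError("unexpected bytes at %08X: %s" % (JG_VA, found.hex()))
    new_bytes, target = jcc_rel32_to_jmp(found, JG_VA)
    if target != JMP_TARGET:
        raise ValueError("decoded target %08X, expected %08X" % (target, JMP_TARGET))
    return pe[:off] + new_bytes + pe[off + 6:]


def build_sample_pe():
    """Constructed PE32 stand-in for self-testing (NOT Togglemouse.exe):
    ImageBase 00400000, one .text section mapping 00415000-00416000 to file
    offsets 400-1400, with the jg bytes placed at 004156FE."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt_hdr = bytearray(0xE0)
    struct.pack_into("<H", opt_hdr, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt_hdr, 28, 0x00400000)       # ImageBase
    sec_hdr = (b".text".ljust(8, b"\0")
               + struct.pack("<IIII", 0x1000, 0x15000, 0x1000, 0x400) + bytes(16))
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_hdr) + sec_hdr
    img = bytearray(headers.ljust(0x1400, b"\0"))
    off = 0x400 + (JG_VA - 0x00415000)                    # = 0xAFE
    img[off:off + 6] = JG_BYTES
    return bytes(img)


if __name__ == "__main__":
    # usage: python patch_togglemouse.py Togglemouse.exe Togglemouse.patched.exe
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        patched = patch_image(f.read())
    with open(dst, "wb") as f:
        f.write(patched)
    print("patched %s -> %s" % (src, dst))
```

The result at 004156FE is E9 8A 00 00 00 90: the jmp is computed from the decoded target rather
than by the 90 E9 byte swap, so the same function works for any 0F 8x rel32 jump you find in a
listing. The byte check before writing is the important part of a patcher like this; if the file
differs from the 778,240-byte build the tutorial analyses, the script stops instead of corrupting it.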

I hope this tutorial could be useful for someone!!!

Greetings to Volatility and all the Immortal Descendants!!

Contact me at: ume15@hotmail.com