Need more help on this TimeTrial
CantCrack
February 15th, 2001, 23:11
I'm still having all kinds o' problems getting a simple time trial cracked. I cracked 1 of the 6 programs that came with it. The other 5 are pretty close to the same code (very similar at least).
I'm hoping someone out there could assist me in one of these 5 programs contained in the "suite". I'm not asking for you to do the work, but I really do need some advice. Since this is the first attempt for me to crack, I need to know if I'm even on the right track.
This is a pretty large app (~39MB), but I have it on my FTP and you should be able to download it pretty quick. The program is called P-CAD 2001 and is probably the most popular software used to design printed circuit boards. A single license costs around $10,000. From what I can tell, there is nothing difficult about the protection. I'm just overlooking something extremely simple. Anybody that can offer some assistance, please help me look into one of the apps. The app that I will continue to try is "pcb.exe".
ftp://64.14.40.88:21/Revlon/graphics/pcad2001.zip (You don't need an FTP client to dl)
Anyway, I'm going to keep looking in pcb.exe, and if someone could please assist and see if I've overlooked something simple!
Thanks a lot!!
CantCrack
Kayaker
February 16th, 2001, 00:15
Hi,
Maybe we can still help without having to d/l the whole suite. In your earlier threads you mentioned using Filemon and Regmon and found a few suspicious entries. Have you tried deleting them (actually a simple rename is safer) from the Registry and see if it renews your time trial? The "cryptography" and "seed" entries sound like they're more likely involved with the reg routine. When looking at Regmon output, it's easy to miss a suspicious CLSID entry or some other "hidden" in what seems like a normal Windows registry key name. Install date info is often kept in these odd keys. Looking for a cryptic string in the "Other" column of Regmon might indicate something. You can double-click on any entries you want to check out closer which will open up Regedit.
If you find the critical Registry key (assuming that's what it is), deleting it doesn't guarantee renewing the time trial; this in itself may expire the program, or it may store this info elsewhere as well. It sounds like this program is professional enough to protect itself from easy cracking (heh, heh, THAT'S no guarantee either).
You also mentioned if you set the system clock ahead, and then back it expires itself. This seems to indicate something is being written to the Registry each time it's used i.e. it's a counter of days/uses as opposed to simply comparing with the install date. In this case you could use an API monitor or set a break on RegSetValueExA (or perhaps WritePrivateProfileStringA or WriteFile) and when you close the program you may find what Registry keys are being written to. It may even call GetLocalTime again before writing.
The other thing while tracing in the code after a GetLocalTime call is to monitor the registers for the day/month/year as hex. This may help you figure out where critical comparisons may be taking place i.e. 2001 is 7D1 in hex.
Lastly, if you still can't figure out if the Regmon/Filemon output is telling you much, why not upload just the logs as a zip, either to your ftp or just attach them to your post. Maybe someone will twig on what the suspicious log entry might be.
Anyway, just a few thoughts.
Cheers,
Kayaker
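To make Kayaker's point concrete (setting the clock ahead and then back expires the trial, which means the program must be recording a last-run time and a usage counter rather than only comparing against the install date), here is an added illustration that is not code from this thread or from P-CAD: a simulated trial check in Python in which a plain dict stands in for the Registry values. All names, the 30-day limit and the sample dates are assumptions.

```python
from datetime import datetime, timedelta

TRIAL_DAYS = 30  # assumed trial length


class TrialCheck:
    """Simulated time-trial state; `store` stands in for the Registry keys
    a real program would write with RegSetValueExA."""

    def __init__(self, store, now):
        self.store = store
        if "install" not in store:          # first run: record install date
            store["install"] = now
            store["last_run"] = now
            store["days_used"] = 0
            store["expired"] = None          # None, or the reason string

    def check(self, now):
        """Called on every start. Returns 'ok', 'expired:rollback' or
        'expired:days'. Once expired, the result is sticky."""
        s = self.store
        if s["expired"]:
            return s["expired"]
        # Rollback detection: the clock is earlier than the last recorded run.
        # This is what trips when the clock is set ahead and then back.
        if now < s["last_run"]:
            s["expired"] = "expired:rollback"
            return s["expired"]
        # Counter: each new calendar day since the last run consumes one
        # trial day, so restarting several times on one day costs nothing.
        if now.date() != s["last_run"].date():
            s["days_used"] += 1
        s["last_run"] = now                  # written back on every run
        # Either limit ends the trial: the day counter or the install date.
        if s["days_used"] >= TRIAL_DAYS or now - s["install"] > timedelta(days=TRIAL_DAYS):
            s["expired"] = "expired:days"
            return s["expired"]
        return "ok"


def simulate(day_offsets):
    """Run the check once per entry in day_offsets (days relative to the
    constructed install time) and return the list of results."""
    store = {}
    t0 = datetime(2001, 2, 15, 23, 11)       # constructed install time
    trial = TrialCheck(store, t0)
    return [trial.check(t0 + timedelta(days=d)) for d in day_offsets]
```

Running `simulate([0, 10, 2, 20])` shows the sequence Kayaker describes: the jump ahead is fine, the jump back expires the trial, and it stays expired afterwards.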
Bratsch
February 16th, 2001, 01:25
Hi,
I downloaded from your FTP to my computer at work. (T3 connection, 15 min) First time around, the file did not unzip. Second time around it unzipped but gave me an "iKernel" mistake when I tried to install. Either my or your connection is allowing some rotten bytes through, or the rip that you packed is not sufficient to install a working version of your program. Also, is it Windows NT specific?
I have Win98 on the computer the file is on now. I cannot do much more exploring from here, at home, because I cannot remote control the computer at work and SICE in it simultaneously.
I did a sincere try to help.
CantCrack
February 16th, 2001, 09:26
I downloaded it myself just to double check. For some strange reason WinRAR cut the names of the files. Rename the files:
up.inx -> setup.inx
up.ini -> setup.ini
up.exe -> setup.exe
rnal.ex_ -> ikernal.ex_
out.bin -> layout.bin
a2.cab -> data2.cab
a1.cab -> data1.cab
a1.hdr -> data1.hdr
After that, it will install just fine. I will fix the pack and reup later in case anyone else wants to take a look at it. Also, thank you very much for any assistance you can provide. And thanks to Kayaker for your help as well; I'm currently trying what you suggested. Anybody willing to take a look at the software, please post anything that you find that may help me on my journey!
New link to new archive:
ftp://64.14.40.88:21/Revlon/graphics/pcad2001.rar
Thanks in advance!
CC
Bratsch
February 17th, 2001, 13:47
Hola, Cant:
I took a look at your Suite.
I recognized some code I have seen before in SentinelLM protected packages. It is not completely equal to the already well (tutorial) documented schemes of the Borland Delphi, Borland C Builder, but it has several similarities. Some of the files share the same names, LICENSE.INI for example. Take a look at the tutorials at
http://www.woodmann.net/fravia/Delmaci.htm
http://www.woodmann.net/fravia/tse_cbuilder.htm
Even more, when I messed around with the jumps in one of your files, the Sentinel Loader was activated! So your suite invokes the Sentinel DLL somewhere along the lines.
2. Your apps invoke a GetLocalTime/GetSystemTime-containing routine no less than 30 times at loading and then essentially every time they do something thereafter. A call to the time protection routine is probably invoked as part of a heavily used routine, probably to obfuscate SICE-based crackers.
Try dead-listing several of your programs and searching for the code of the routine (it is the same in all of them). This does not tell you how to crack it, but it surely tells you where it is.
3. There is a nag screen: "Trial has expired".
At least one of the evaluations takes place before this window is called. Try backtracing this dialog.
The protection does not appear trivial to me, but I hope I gave you some directions to explore.
CantCrack
February 17th, 2001, 16:07
Thanks for your assistance!!
I know that this package in previous versions was NOT available in a timed demo and could only be purchased with the infamous Sentinel dongle. This is no longer the case. I believe if I were to purchase the software, I would be given a dongle that would unlock the programs permanently. I'm sure someone could crack the dongle and enable it that way, but for a noobie like myself, I think I would concentrate more on the 30-day trial portion.
The GetLocalTime approach looks a little too deep, but probably doable. The messagebox "Trial Expired" and backtracking is the approach I have been using. I've looked pretty deep and I have found several places where I think that the jump is taking place. I then patch the spot and re-run it and it will only do something like change the size of the messagebox....pretty depressing. From what I can tell, I completely patched the entire call that contains the messagebox function and somehow it still breaks in on the messagebox. From the coding standpoint, I don't see how it could ever be called after what I did to it.
Being that this is THE only program I have ever attempted to crack, I really can't compare or relate the difficulty to any other protection or program. Keeping things simple, I would say that defeating the trial has expired crap is as easy as any other timetrial...but maybe not. Also, I was able to crack SR.exe by patching a few lines back from MessageBoxA...pretty easy.
Anyway thanks and if you or anyone learns or finds anything, let me know.
CC
Clandestiny
February 17th, 2001, 20:11
Quote:
CantCrack (02-17-2001 05:07):
I know that this package in previous versions was
The getlocaltime approach looks a little too deep, but probably doable. The messagebox "Trial Expired" and backtracking is the approach I have been using...
Being that this is THE only program I have ever attempted to crack, I really can't compare or relate the difficulty to any other protection or program.
Hi CantCrack,
I hope I'm not stating the obvious here, but since you said this is the first protection you're trying to crack, I thought I would make a mention about the back-trace Bratsch suggested in an earlier post. I have not had a personal look at the proggy in question so this is only some general related information. There is backtracing in a general sense where you look at the code preceding a particular event like a nag screen and then attempt to determine what triggered it via single stepping through the code in an empirical way...however, the drawback here is the fact that it's difficult to trace too far back if there are a lot of preceding jumps, because you simply don't know exactly where the program came from (i.e. as in the case of an unconditional jump from somewhere else in the code)...And this is where the technical back-trace range feature of SICE comes in. The backtrace feature of SICE can be used to trap all of the code between 2 breakpoints and then display it in a linear fashion. This allows you to see all of the instructions in the exact order they were executed in and may also allow you to more easily make comparisons between the program flow if all of your programs are using a similar routine in the protection. For the backtrace, the aim is basically to "trap" the code you're interested in by carefully set breakpoints. An API monitor alongside an API reference can be particularly useful for this. Hypothetically speaking, if your monitor shows 2 relevant calls in close proximity (GetLocalTime followed by MessageBoxA, for instance), it would make sense to choose an API just prior to these APIs as your first trap API so that the back-trace would catch all of the code leading up to and in between them. Once you've chosen your traps, all you have to do is set breakpoints on them and wait for SICE to break. After SICE has broken on the first one you'll want to set a BPRW "module name" T.
The module name can be determined by using the "task" and "mod" commands in SICE, and the "T" stands for trace. Then you exit SICE and wait for the proggy to break again on your second "trap" API. After this occurs, you can easily show the results of the trace using the "show" command. If you have IceDump you can even do a nice screen dump of the results.
Anyway, if you haven't used this technique before, it's well worth investigating. +Sandman also has some more detailed information on the back-trace on his SoftICE resource centre if you're interested. I don't remember the URL off the top of my head, but it shouldn't be too hard to find. If you have any troubles feel free to mail me and I'll try to dig it up for you :-)
Hope this helps a little...
Regards,
Clandestiny
Kayaker
February 18th, 2001, 01:32
Quote:
Clandestiny (02-17-2001 09:11): There is backtracing in a general sense where you look at the code preceding a particular event like a nag screen and then attempt to determine what triggered it via single stepping through the code in an empirical way...however, the drawback here is the fact that it's difficult to trace too far back if there are a lot of preceding jumps, because you simply don't know exactly where the program came from (i.e. as in the case of an unconditional jump from somewhere else in the code)...
Clandestiny
Hiya,
Actually you can use BPM to your advantage here to 'backtrace' as far as you want. Say you see an address at the start of a code section but you don't know how the program got there. If it was called from an [indirect] addressed jump or call, W32Dasm won't help.
If you set a BPM address X on it, the next time you break there you'll see a FromIP and a ToIP listed in the Command window. You can now set a BPX (or BPM) on this FromIP. You can continue tracing backwards through several code sections this way until you get bored or otherwise. The only caveat is that you can only set 4 BPM breakpoints in SoftIce, so you'll need to delete the unneeded ones as you go along.
Cheers,
Kayaker
pupp
March 10th, 2001, 12:22
I tried the links below but just an error came. E-mail me a good URL so I could d/l it and help out.
Thanks
pupp6969@yahoo.com
pupp