Photobrush


DiMX
August 6th, 2002, 19:41
I started RCE a few weeks ago; I cracked Winzip and am now trying to do the same for Photobrush.

The version has a 30-day limit and this was passed. I used W32Dasm and searched for *days left*. After some searching I found a JLE at offset 00065871, which I changed to EB (JMP).

This is how it looks now:

:00465867 81BE54010000000F0000 cmp dword ptr [esi+00000154], 00000F00
:00465871 EB0A jmp 0046587D
:00465873 6A00 push 00000000
:00465875 8D4E5C lea ecx, dword ptr [esi+5C]
:00465878 E8067F0700 call 004DD783


The continue button to start the program was available again, but when I click it nothing happens. I tried searching for the system timer, but that's how I ended up being over my trial period.

Does anyone have some tips?

nikolatesla20
August 6th, 2002, 19:52
Well, the program is exiting when you don't want it to - there are a couple of things to look at.


One way is to use SoftIce and put a bpx on ExitProcess and then try to find the call that caused the ExitProcess. This technique works pretty well because you can trace it back to the offending instruction (usually), but you have to be familiar with how to walk the stack to use it - there is no F12 (ret) ability with ExitProcess *grin*

Another way is to try and find out if that memory variable that is being compared in the code you show is being compared anywhere else. Maybe there is more than one check, for example.

If you have SoftIce, let the program run but put a bpx on that compare line. When you get to it, stick the value that it's comparing it with (put in a value that would change the bad jump to a good jump) into the mem location the CMP refers to, and then let the program continue to see if it keeps running. If it does, then that mem location is being referenced again. If you find that to be true, you can create a jump or call to an inline patch that just does a MOV instruction to move a good value into [esi + whatever], and then comes back.

That's all I can think of for now I guess.

-nt20

DiMX
August 6th, 2002, 20:17
I haven't got SoftICE, but if it's necessary to have it, I'll get it.

I tried to find other places where that variable could be compared; what I get now is that when I press the continue button it exits just like you said... Guess I'll have to search some more then.

Thanks

foxthree
August 7th, 2002, 07:49
Fellow RCEs:

There has been a recent interest in apps that quit all of a sudden when 30 days are over or whatever, *without any nags*.

I present below a generic attack technique. Many of you may know all this, but for n00bs...

1. Most apps exit using ExitProcess or FatalExit or something like that.
2. If you put a bpx on that API it would be of no help, as Tesla said, as there is no F12 (p RET) on ExitProcess or FatalExit.
3. So, instead of a bpx, do a BPMB. That way you get in SoftICE the address which caused this break.
4. Now bpmb on that and so on until you see the familiar CMP blah1, blah2 and all is well.

Hope this helps a bit.

Signed,
-- FoxThree