How to Crack Unreal Player Max 1.29 r7

 

Well, today I'm writing another little tutorial, on smashing a time-trial program!
Our beloved target is Unreal Player Max 1.29 r7, download it at:
http://www.303tek.com (it was requested by one of our fans ;)

I used this software a long time ago and I like it, because it's made for
non-Intel machines ;)

The protection is really simple, only a couple of bytes for the 30-day limit.
Move your clock one year ahead, find the error message in the string
references in WDasm, and you quickly land here:

:00484D99 A1D4D54800 MOV EAX,[0048D5D4]
:00484D9E 833801 CMP DWORD PTR [EAX],01
:00484DA1 750C JNZ 00484DAF
:00484DA3 B8F8514800 MOV EAX,004851F8 -->> "Thanx for bla bla bla"
:00484DA8 E84F5CFDFF CALL 0045A9FC
:00484DAD EB0A JMP 00484DB9
:00484DAF B830524800 MOV EAX,00485230 -->> Expired bullshit message ...
:00484DB4 E8435CFDFF CALL 0045A9FC
:00484DB9 33D2 XOR EDX,EDX
:00484DBB 8BC6 MOV EAX,ESI
:00484DBD E86A370000 CALL 0048852C
:00484DC2 A1D4D54800 MOV EAX,[0048D5D4]
:00484DC7 833801 CMP DWORD PTR [EAX],01
:00484DCA 750C JNZ 00484DD8
:00484DCC B864524800 MOV EAX,00485264 -->> another expired bullshit message !
:00484DD1 E8265CFDFF CALL 0045A9FC
:00484DD6 EB0A JMP 00484DE2
:00484DD8 B8AC524800 MOV EAX,004852AC
:00484DDD E81A5CFDFF CALL 0045A9FC
:00484DE2 E891620000 CALL 0048B078
:00484DE7 6AFF PUSH FF
:00484DE9 E8BE0AF8FF CALL KERNEL32!ExitProcess -->> Go out from our prog !
:00484DEE B805000000 MOV EAX,00000005
:00484DF3 E894DDF7FF CALL 00402B8C
:00484DF8 85C0 TEST EAX,EAX

Hmmm, it's standard code; just scroll up a little bit:

:00484D74 E81726F8FF CALL 00407390
:00484D79 35FF000000 XOR EAX,000000FF
:00484D7E 83F81E CMP EAX,1E -->> Boooo, Booo !!! 1Eh = 30 days !
:00484D81 7F16 JG 00484D99 -->> jump if more than 30 days
:00484D83 A1ECD54800 MOV EAX,[0048D5EC]
:00484D88 8B00 MOV EAX,[EAX]
:00484D8A E80126F8FF CALL 00407390
:00484D8F 35FF000000 XOR EAX,000000FF
:00484D94 83F8FD CMP EAX,-03
:00484D97 7D55 JGE 00484DEE

How to crack it? Just figure it out yourself, it's really easy ...

So after running it, I decided to try it ;) I inserted one of my favourite CDs,
pressed play, and bang! The program quit right away. When I set my computer
clock back to normal, the player ran fine, so Unreal must call the
expired check again, somewhere else ...

Well, to crack it you could simply look at what references the call to
407390 at 484D74, but the main subject of my little tutorial this time is
to try another approach!

We know that when the program exits, it must call the ExitProcess API from
WINAPI, right? So BPX on it, and when you try to play your CD, SoftIce
pops up suddenly. Here is our problem: we only land in Kernel32. What
should we do to return to the caller in the program's code? F12? NOOooo!
Because we have already exited by the time we press F12, remember? Searching
in WDasm? Stupid idea ... ! ;)

So, just type DD ESP (we dump the stack where the stack pointer points!):

:bpx exitprocess
Break due to BPX KERNEL32!ExitProcess (ET=2.95 seconds)
:dd esp
0167:0072FA80 004820C7 FFFFFFFF 0072FABC 004824C7 . H.......r..$H.
0167:0072FA90 0072FAB4 0040BEE8 00000000 01162CA4 ..r...@......,..

See the 4820C7? It's the dword at ESP. We already know that ESP+4 holds the
first parameter in our program, but what is at ESP itself (the top of the
stack)? Yesss, your guess is right! It's the return address into the caller
in the main program!! Don't believe me? :

:0048209B E8F052F8FF CALL 00407390
:004820A0 35FF000000 XOR EAX,000000FF -->> oh my god, the same routine !
:004820A5 83F81E CMP EAX,1E
:004820A8 7F16 JG 004820C0
:004820AA A1ECD54800 MOV EAX,[0048D5EC]
:004820AF 8B00 MOV EAX,[EAX]
:004820B1 E8DA52F8FF CALL 00407390
:004820B6 35FF000000 XOR EAX,000000FF
:004820BB 83F8FD CMP EAX,-03
:004820BE 7D29 JGE 004820E9
:004820C0 6AFF PUSH FF
:004820C2 E8E537F8FF CALL KERNEL32!ExitProcess
:004820C7 EB20 JMP 004820E9 -->> Here !
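To see why the dword at [ESP] in the dd dump is the caller's address, here is an added example (my own code, not from the tutorial or from Unreal Player) that decodes the relative CALL/JMP/Jcc encodings in the WDasm lines above and maps the return address in the stack dump back to the CALL that pushed it. The listing and dump lines are copied from this page as constructed input; the import-thunk address the ExitProcess CALL resolves to is computed from its bytes, the tutorial only shows the symbolic name.

```python
import re
import struct

# Constructed input: lines copied from the tutorial's WDasm listing and from
# the SoftIce "dd esp" dump, so the decoder can be checked against the page.
LISTING = """\
:0048209B E8F052F8FF CALL 00407390
:004820A8 7F16 JG 004820C0
:004820BE 7D29 JGE 004820E9
:004820C0 6AFF PUSH FF
:004820C2 E8E537F8FF CALL KERNEL32!ExitProcess
:004820C7 EB20 JMP 004820E9
"""
STACK_DUMP = "0167:0072FA80 004820C7 FFFFFFFF 0072FABC 004824C7 . H.......r..$H."
LINE_RE = re.compile(r"^:([0-9A-F]{8}) ([0-9A-F]+) (.*)$", re.I)

def parse_listing(text):
    """Yield (address, opcode bytes, mnemonic) for each WDasm-style line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3)

def resolve(addr, code):
    """Decode E8 CALL, E9/EB JMP and 7x Jcc into (next_ip, target). The CPU adds
    the signed displacement to next_ip, and CALL pushes next_ip as return address."""
    op = code[0]
    if op in (0xE8, 0xE9) and len(code) == 5:                     # rel32 forms
        nxt, disp = addr + 5, struct.unpack("<i", code[1:5])[0]
    elif (op == 0xEB or 0x70 <= op <= 0x7F) and len(code) == 2:   # rel8 forms
        nxt, disp = addr + 2, struct.unpack("<b", code[1:2])[0]
    else:
        return None
    return nxt, (nxt + disp) & 0xFFFFFFFF

def push_imm8(code):
    """6A ib pushes a sign-extended byte: PUSH FF stores 0xFFFFFFFF (the [ESP+4] dword)."""
    return struct.unpack("<b", code[1:2])[0] & 0xFFFFFFFF if code[0] == 0x6A else None

def stack_top(dump_line):
    """The first dword of a 'dd esp' line is [ESP], the saved return address."""
    return int(dump_line.split()[1], 16)

def find_call_site(text, ret_addr):
    """Map a return address found at [ESP] back to the CALL that pushed it."""
    for addr, code, _ in parse_listing(text):
        r = resolve(addr, code)
        if code[0] == 0xE8 and r and r[0] == ret_addr:
            return addr
    return None
```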

Easy, eh? Just crack it in whatever way you like; the program is cracked!!!

C-Yaa in another tutorial. As usual, any comments, ideas or suggestions, mail
them to our forum ... ;)