A friend of mine going to college for electronics challenged me to this program.  This essay doesn't outline a complete crack, just the re-enabling of some functions my friend needed :)

There are many other interesting things that can be done with this program, so if you'd like to continue on, I'll gladly add your additions to this essay (with full credit to you of course).  Read my notes on some of the things I found at the end of this essay if you're interested.

This is not a complete newbie's essay, so it assumes you have some general cracking knowledge, such as dead-listings, conditional jumps, assembly etc.

Prepare To Crack

If you're like me, you won't even remotely understand how this program works.  So, I had to badger my friend to tell me what the disabled functions were.  He told me that in the Student version, you can only place 50 components on the board (.ckt file), and additionally, you cannot "Run" the simulation.

Since I also didn't know how to work the program, I had him send me a .ckt file that already had 50 components on it.  I also had him teach me how to add components to the board.  Now I have enough info -- time to rock :)

You can add components by typing r or c, or by highlighting and right-clicking one, and choosing "duplicate".  Once you get up to 50 components on the board and try to add another one, you'll get a nasty little message box that says "The Student version's schematic limit of 50 devices has been reached".  Make a note of this string.

Make The Crack

Let's disassemble this sucker, and look for our string.  Open the program in Wdasm ("Disassembler", "Open file to disassemble").  This will take awhile (or at least it does on my tiny old 75mhz cpu).  Once disassembled, open up the SDR (String Data References) window ("Refs", "String Data References").

There are a TON of strings listed, but we're interested in finding "The Student version's schematic limit of 50 devices has been reached".  Once you find it, double-click it, and you should land here:
 

:00427194 83F832              cmp eax, 00000032   :compare something or other :00427197 7C1C                    jl 004271B5         :jump to good routine :00427199 56                      push esi            :otherwise continue on to error :0042719A A1BCB75100              mov eax, dword ptr [0051B7BC] :0042719F 6A30                    push 00000030 * Possible Reference to String Resource ID=05827: "Student Version-The student version's schematic limit of 50 "                                   | :004271A1 68C3160000              push 000016C3 :004271A6 50                      push eax :004271A7 E844B70900              call 004C28F0 :004271AC 89742434                mov dword ptr [esp+34], esi :004271B0 83C410                  add esp, 00000010 :004271B3 EB75                    jmp 0042722A

Now, obviously we want to jump to the "good guy" routine, not continue on to the error... so let's change the condtional jump above from jl, to jne -- this should ensure that we always jump to the "good guy" routine.

1)  Highlight the line "jl 004271B5", and get the offset from below (should be 26597).
2)  Open the program in HIEW (c:\whatever\hiew c:\whatever\cirmaker.exe.
3)  Press F4 to get to hex view.
4)  Press F5 to search.
5)  Enter the offset (26597) and hit enter.
6)  Press F2 to get to code view.
7)  Press F3 to edit the code.
8)  Change the bytes 7C1C to 751C.
9)  Press F9 to save.
10) Press F10 to exit.

Now we should always jump to the "good guy" routine, so let's run the patched program and try to add more than 50 components to the board.  If we press r and/or c, we can sucessfully add over 50 components!  Now let's highlight one, right-click it, and choose "duplicate".  Uh oh!!! there's that nasty message again...  looks like we have more work to do.

Open up the SDR window in Wdasm again, and find the string again.  Double-click it, and we'll find another instance of this string here:
 

* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004B4341(C) | :004B44E2 56                      push esi :004B44E3 FFD5                    call ebp :004B44E5 6A00                    push 00000000 :004B44E7 A1BCB75100              mov eax, dword ptr [0051B7BC] :004B44EC 6A30                    push 00000030 * Possible Reference to String Resource ID=05827: "Student Version-The student version's schematic limit of 50 "                                   | :004B44EE 68C3160000              push 000016C3

Hmm... nothing interesting here, but as we can see, the string is referenced by a jump... so let's follow this reference.  Scroll up until you get to the jump at 004B4341.  You should now be here:
 

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:004B430D(C), :004B431A(C) | :004B432A 85FF                    test edi, edi :004B432C 7E19                    jle 004B4347 :004B432E A1CC5C5100              mov eax, dword ptr [00515CCC] :004B4333 50                      push eax :004B4334 E837EBF6FF              call 00422E70 :004B4339 83C404                  add esp, 00000004 :004B433C 03C7                    add eax, edi :004B433E 83F832                  cmp eax, 00000032 :004B4341 0F8F9B010000            jg 004B44E2

Now we could try patching this jump, but we see a better jump above this one (you should always follow jumps first to see what the routine they land at looks like).  Let's patch the line "jle 004B4347" by following the same steps as the previous patch (of course changing the offset, and changing the bytes from 7E19 to 7519).

Now, let's run the patched program again, and try to add more than 50 components again.  We can still add over 50, but let's try the "duplicate" function again.  Great!  Works like a charm!

After patching these two jumps, I created a patch file, and sent it to my friend, but NOOOOO, this wasn't good enough for him, he had to have the cake and eat it too!  Now he wanted to be able to run his simulation - picky leech :)

So, let's try to run the circuit board? we created (must have over 50 components).  Choose "Simulation", "Run" from the menu bar.  Now we get another nasty message that says "Modified circuits containing more than 50 devices cannot be simulated in the student version"

Again, let's open the SDR window in Wdasm, and look for this string.  Once we find it, double-click it, but this time, let's be safe.  Once you land at an instance of it, double-click the string again.... good, only one instance.  You should be here:
 

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:004CE7FA(C), :004CE803(C), :004CE80C(C) | :004CE839 833D9C5D510000          cmp dword ptr [00515D9C], 00000000 :004CE840 742F                    je 004CE871 :004CE842 A1CC5C5100              mov eax, dword ptr [00515CCC] :004CE847 50                      push eax :004CE848 E82346F5FF              call 00422E70 :004CE84D 83C404                  add esp, 00000004 :004CE850 83F832                  cmp eax, 00000032 :004CE853 7E1C                    jle 004CE871 :004CE855 6A00                    push 00000000 :004CE857 A1BCB75100              mov eax, dword ptr [0051B7BC] :004CE85C 6A30                    push 00000030 * Possible Reference to String Resource ID=05828: "Student Version-Modified circuits containing more than 50 de"                                   | :004CE85E 68C4160000              push 000016C4

We see two conditional jumps in the code above.  To save you time, the jump that leads to the "good guy" routine is at the line "jle 004CE871", and again, you should always follow the jumps to see where they land.

Patch this line just as we did the previous two times (again changing the offset, and patching the bytes from 7E1C to 751C).

Now run the patched program, add more than 50 components to the board, and choose "Simulation", "Run" again.  Well, I don't think our circuit runs, but the sucker sure would if we knew how to design one.  Job done!

Interesting Notes

As I stated in the preface of this essay, this crack is not complete.  In fact, I think there is MUCH more that can be done with this program.  If you want to continue on, and make any progress, send me your work, and I'll add it to this essay (with full credit to you).  Here are some potentially interesting things I found:

More disabled functions (like the "Macro" button on the toolbar)
Three instances of the string "This feature is not available in the student..."
A "*** Full Version ***" string (is it possible this program could be patched to perform as the full version?)
Several strings referring to "Demo version" (this isn't the demo version, so maybe this single executable contains all the coding necessary to run as Demo, Student, or Full!)

I'm sure you can find more interesting things, but have fun with these!