Target Program: Ecco 4.01 32-bit
Protection: Nag(s), 30 day time limit
Cracked by: drlan [Me'97/C4N]!
Location: http://www.shareware.com or http://www.download.com
Tools needed:
- SoftICE Win95 3.01
- Hex Editor (I like PSEdit and Hex Workshop)
Conventions used:
> denotes a SoftICE command
Download the target and run it a few times to get a feel for what's going on.
You'll notice a nice little reminder that the program will expire in 30 days.
That doesn't sound like quite enough time for a thorough evaluation, so let's
see what we can do...
First, let's see what happens once we're past the point of no return. Set
your date ahead by more than 30 days. Now run the target and see what it
does. Try to load a file. Hmm, now our friendly reminder has turned nasty
on us and says that the program has expired and that we should contact the
vendor to purchase a copy. Bummer. Set the date back to normal and run one
more time. Try to load a file. Hey, it works. That's good. So, it hasn't
left behind any kind of nasty marker that would keep us from our work. So,
let's get to work!
We could try setting a breakpoint in SoftICE on system date functions, like
GetLocalTime and GetSystemTime. However, this is a calendaring program and
makes many, many calls to GetLocalTime which would make this difficult.
Instead, let's investigate the nag screen a little further. There are lots
of different ways to breakpoint and try to pinpoint the nag screen. I think
I used HWND ecco32 when the nag was displayed to find out what windows were
open. Then I set a breakpoint on the most likely window function. It was
something like this:
>TASK ; let's find our target's name (it is ecco32)
>HWND ecco32 ; let's see what windows our target has open
>BMSG 164 wm_command ; now set a breakpoint on the likely window
NOTE: You may see 2 other windows called Mauishooter and Mauipowerpal.
These aren't the ones we're interested in... Look for the first one
after these.
Then click on the OK button. SoftICE will pop. Press F12 several times
until you're back in the Ecco32 code. You should see something like this:
:004331E5 FF1508657400 CALL USER32!DialogBoxParamA
837DF400 CMP DWORD PTR [EBP-0C], 00
8945F0 MOV [EBP-10], EAX
740E JZ 00433202
So, it's the call to DialogBoxParamA that places the friendly reminder on
the screen. Let's follow the code for a while and see where we go. Press
F10 several times. You should hit 2 RET functions (RETurn). After you
return from the second one, you should see some code that looks like this:
:005C59DA E84EACF2FF CALL 004F062D ; go get some date information
662BC6 SUB AX, SI ; subtract install date from current
663D1E00 CMP AX, 001E ; is it less than 1E (hex), 30 (dec)
7218 JB 005C5A00 ; jump if still in evaluation period
Now, our goal is to "extend" our evaluation period. Why not just make AX
equal zero? Zero is an aweful lot less than 30, so we can evaluate forever.
To do this, we'll change the SUB AX, SI into XOR EAX, EAX (this is a 32 bit
program, so let's use 32 bit registers). When you XOR (eXclusive OR) any
number with itself, the result is always zero. Setting EAX to zero will take
care of AX. You can try this live in SoftICE by assembling in our new stuff.
F10 until you are on the SUB AX, SI line. Then do this:
>A ; to assemble in our new instructions
>XOR EAX, EAX ; set EAX/AX to zero
>NOP ; fill the remaining 1 byte space
>(press ESC)
We have to add a NOP (No OPeration) because the XOR EAX, EAX is only 2 bytes.
We need to fill the extra space because SUB AX, SI is 3 bytes. Your code
should now look like this:
:005C59DA E84EACF2FF CALL 004F062D ; go get some date information
33CO XOR EAX, EAX ; set EAX/AX to zero
90 NOP ; do nothing for 1 instruction
663D1E00 CMP AX, 001E ; is AX less than 1E (hex), 30 (dec)
7218 JB 005C5A00 ; you bet it is, so continue eval!!!
Now we've defeated the 30 day time limit. How about getting rid of the nag
screen, too? I think we can do that!
Clear any existing breakpoints in SoftICE.
>BC *
Remember earlier we discovered that the nag was being called by the
DialogBoxParamA function? Set a breakpoint on this.
>BPX DialogBoxParamA
Then press Ctrl-D or F5 to run the program. Try to open a file. SoftICE
will pop on the DialogBoxParamA function. Press F12 to return from the
function. Click on OK on the friendly reminder and you will drop back
into SoftICE on the line of code right after the CALL USER32!DialogBoxParamA.
I initially thought I could just wipeout this CALL to USER32!DialogBoxParamA.
Boy was I wrong! It looked like it worked, but it de-stabilized the program.
I guess other funtions call this function from the same place. They load all
their setup stuff first, then call it. So, we can't just wipe this call out.
So, let's backtrack a little and find out how we got here (who called this).
To do this, press F12 again to RETurn to where this call came from. You
should see a section of code that looks like this:
:00432FAE C20C00 RET 000C
55 PUSH EBP
8BEC MOV EBP, ESP
6A00 PUSH 00
6A00 PUSH 00
FF7518 PUSH DWORD PTR [EBP+18]
FF7510 PUSH DWORD PTR [EBP+10]
FF750C PUSH DWORD PTR [EBP+0C]
FF7508 PUSH DWORD PTR [EBP+08]
E824000000 CALL 00432FF0 ; nasty call
5D POP EBP ; F12 brings you here
C21400 RET 0014
I tried blasting this call too, but this still isn't the right one. When I
got rid of this one, other functions stopped working (ones that needed the
dialogbox function, I guess). So, let's keep backtracking. Press F12 again
and you should land at a code segment that looks like this:
:005C5978 E839D6E6FF CALL 00432FB1 ; nasty call
83F8FF CMP EAX, -01 ; F12 brings you here
JNZ 005C5982 ; set to jump
Ok, this looks a little easier (and lots cleaner). We don't want to make
the CALL 005C5982. We know the conditional jump (JNZ 005C5982) is set to
jump. So, let's just change the CALL 00432FB1 into JMP 005C5982 and pad
the remaining spaces with INC EAX, NOP, DEC EAX. This makes it a 5 byte
for 5 byte code change.
So we change:
E839D6E6FF CALL 00432FB1 ; nasty call
into:
EB0D JMP 005C5982 ; no more nasty call
40 INC EAX ; just filling space
90 NOP ; ditto
48 DEC EAX ; ditto
You can try this live in SoftICE by placing a breakpoint on the CALL line.
Do this using BPX address, where address equals the segment:offset of the
instruction line. Or, simply double-click on the line to set the breakpoint.
Then press Ctrl-D or F5 to continue running the program. Try to load a file.
SoftICE will pop on your breakpoint. Let's assemble in our new instructions.
>A ; to assemble in our new instructions
>JMP 005C5982 ; let's blow away the call and just move on
>INC EAX ; fill the remaining space from the old 5 byte call
>NOP ; ditto (but we don't want 3 NOPs in a row)
>DEC EAX ; so we INC EAX, DEC EAX and stick a NOP in between
>(press ESC)
Then press Ctrl-D or F5 to continue running the program. Try to load a file.
The file should load, sans nag screen. Cool!
Time to transfer our live crack into something more useful and longer lasting.
We need to hex edit the ecco32.exe program to replace the bad old instructions
with our nice new ones.
Nag screen(s):
Search for: E839D6E6FF ; was the CALL 00432FB1
Replace with: EB0D409048 ; now INC EAX, NOP, DEC EAX
30 day time limit:
Search for: E84EACF2FF662BC6 ; need a long string to be unique
Replace with: 33C090
NOTE: Only change the last 3 bytes (662BC6 into 33C090). Leave the rest
(E84EACF2FF) alone.
That's it for this lesson. Hope this was fun and instructional.
Disclaimer: THIS ESSAY IS FOR EDUCATIONAL PURPOSES ONLY. ANY USE, MIS-USE
OR ILLEGAL ACTIVITY IS THE SOLE RESPONSIBILITY OF THE READER.
GreetZ: Everyone in [Me'97/C4N], PC'97, UCF, fravia and +ORC, Razzia!
drlan