Clockwise 3.03
Nag-Busting and Time-limit Removal
Written by anTiHerO

Introduction
Protection: Nags and 30 day time limit
About: ClockWise is a unique and powerful scheduling utility from RJ Software that helps make your computer more productive – even when you’re not there!

ClockWise puts an entire toolbox of time-related features at your fingertips. From the simple clock to the advanced scheduling system, ClockWise offers a sharp, user-friendly interface that beginners and experts alike will find easy to use.

The event scheduler allows you to run just about anything whenever and as often as you choose. Up to 100 program executions, reminder alarms, and built-in functions (such as rebooting, setting the system clock or terminating an Internet session) can be scheduled with ClockWise.

Dual count-down timers, a stopwatch, a handy calendar with custom information for many different countries, local times of sunrise and sunset, alternate time zone information, and a dial-up networking on-line timer are also included. ClockWise can even detect new Internet dial-up connections and automatically set the system clock to any NTP server in the background. And it even maintains an activity log of everything it does.

Rounding out the many useful features of ClockWise is the new screen saver – nothing fancy but at last your monitor can provide some useful information while your computer sits idle!
Tools required
Hex Editor
Disassembler
Debugger (SoftICE or TRW2000)
Half a brain

Target's URL
http://www.rjsoftware.com

Essay
Before we start, let's take a look at the protection on this baby! Fire it up, and we see “Unregistered Shareware” in the title box. Now, if we try to close the program, we are confronted with a nag screen, how annoying! It can be registered with a serial number and registration code, but for a change, I fancied patching it!

I also know that this thing will run out in 30 days' time, so let's get rid of the time limit! Set your system clock forward past the 30 day mark and try running the program. We receive a nice msg box telling us that “Clockwise trial limit exceeded”. Write this error msg down, it will soon come in handy. If we now click on OK, we are again greeted by that damn nag screen! But first things first, let's get rid of that time limit.

Disassemble the program, and look through the String Data References. We need to look for the error msg we just received (“Clockwise trial limit exceeded”), and sure enough, it's there! If we double click on it, we will be taken to the relevant portion of code, and we should be looking at;
:00405922 03C1                    add eax, ecx
:00405924 2BC3                    sub eax, ebx
:00405926 83F83C                  cmp eax, 0000003C
:00405929 7E6B                    jle 00405996
:0040592B 6A00                    push 00000000
:0040592D 8D8C2484000000          lea ecx, dword ptr [esp+00000084]
:00405934 E897AD0100              call 004206D0
:00405939 6810100100              push 00011010

* Possible StringData Ref from Data Obj ->"UNREGISTERED"
                                  |
:0040593E 68CC0C4500              push 00450CCC

* Possible StringData Ref from Data Obj ->"ClockWise trial limit exceded!"
                                  |
:00405943 68AC0C4500              push 00450CAC
:00405948 8BCF                    mov ecx, edi
:0040594A C68424F000000001        mov byte ptr [esp+000000F0], 01
:00405952 E8F7170300              call 0043714E
:00405957 6A40                    push 00000040

* Reference To: USER32.MessageBeep, Ord:01BDh
                                  |
:00405959 FF15A4344400            Call dword ptr [004434A4]
Too easy! We can see eax being compared to 60 (the hex value of 60 is 3C) at 00405926, and if it is less than or equal to 60, it will jump past the error msg! If the value of eax (the number of days the program has been installed) is greater than 60, no jump will occur, and we receive the error message. So, the obvious solution is to make the conditional jump (JLE) into an unconditional jump (JMP). This means that it will ALWAYS jump past the error message. Let's try it out! Note the hex offset of the jump command at 405929, and open up the program in your hex editor. Go to the offset location, and change 7E6B to EB6B. This has now changed the JLE to a JMP. Let's try it!

Start up the prog……..no time limit! But that damn NAG screen is still there! We really need to get rid of it.

I ain't gonna list all the code, because it just takes too long! The way I got to the following section of code is by starting up the program with the symbol loader and tracing through the code until I found the CALL that pops the nag screen, stepping into it using F8, finding the next CALL that pops the nag and stepping into that, and so on, until it was obvious we didn't need to go any further. Using this method, I eventually came to the following section of code;
:00405994 EB18                    jmp 004059AE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405929(C)
|
:00405996 83F81E                  cmp eax, 0000001E
:00405999 7E13                    jle 004059AE
:0040599B 6A01                    push 00000001
:0040599D E8FEC70000              call 004121A0
:004059A2 83C404                  add esp, 00000004
:004059A5 EB07                    jmp 004059AE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405805(C)
|
:004059A7 C7476C01000000          mov [edi+6C], 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004057D8(C), :00405994(U), :00405999(C), :004059A5(U)
|
:004059AE 8B4C2420                mov ecx, dword ptr [esp+20]

* Reference To: ADVAPI32.RegQueryValueExA, Ord:017Bh
                                  |
:004059B2 8B2D18304400            mov ebp, dword ptr [00443018]
The CALL at 40599D pops the nag, but what do we see just before? Compare eax to 30 (the hex value of 30 is 1E), and if eax is less than or equal to 30, jump past the nag screen! Cool, let's make the conditional jump (JLE) at 405999 into an unconditional jump (JMP). You have already done this once, so I don't need to tell you how again! Once you have done this, start up the program…..no nag!!!

Hold on a minute! Try shutting down the prog…..that damn NAG again! We need to get rid of this one too. Select Options/Close/Exit Clockwise, but don't actually click on it! Just have your mouse pointer on it. Ctrl+D to bring up SoftICE, set a breakpoint on hmemcpy (bpx hmemcpy), and Ctrl+D again to get out of SoftICE. Now click on Exit Clockwise, and you should be booted straight back into SoftICE. Type bc * to clear the breakpoint, and trace through the code to find the CALL that pops the nag screen. We are going to use the exact same method we used to kill the first nag. So, eventually, you should arrive at the following portion of code;
:004125E5 8B84248C010000          mov eax, dword ptr [esp+0000018C]
:004125EC 85C0                    test eax, eax
:004125EE 7416                    je 00412606

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412686(U)
|
:004125F0 8B1590514500            mov edx, dword ptr [00455190]
:004125F6 6A00                    push 00000000
:004125F8 6A00                    push 00000000
:004125FA 689A050000              push 0000059A
:004125FF 52                      push edx

* Reference To: USER32.SendMessageA, Ord:0214h
                                  |
:00412600 FF15B8344400            Call dword ptr [004434B8]

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041257B(C), :004125EE(C)
|
The call at 00412600 is the one that pops the nag screen, but if we look a few lines up, there is a conditional jump at 004125EE. If we were to jump here, it would take us past the CALL that pops the nag screen. If that's the case, let's just make it into an unconditional jump (JMP). Note the hex offset, open the program up in your hex editor, and go to that offset. We now need to change the je 00412606 into jmp 00412606, so change the bytes 7416 to EB16 (just like we did to bust the first nag). Let's try it!

Boom! NO NAG on shutting down the program!
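As an added illustration (not part of the original essay, and not the author's or RJ Software's code), here is a small Python decoder for the two-byte short-jump encodings that appear in the three listings above. It shows how a disassembler derives the printed targets (jle 00405996, jle 004059AE, je 00412606) from the opcode byte and the signed 8-bit displacement that follows it: the target is the address of the next instruction plus the displacement. The opcode table and the sample (address, bytes) pairs come from the listings; the function names decode_short_jump, format_listing_line and decode_listing_jumps are my own choices for this example.

```python
# Added example: decode the rel8 (short) jumps quoted in the W32Dasm listings
# above, reproducing the absolute targets the disassembler printed.
#
# A short jump is one opcode byte followed by one signed displacement byte.
# The CPU adds the displacement to the address of the *next* instruction
# (jump address + 2), so:
#
#     target = address + 2 + sign_extend(displacement)
#
# The table covers the 0x70-0x7F conditional short jumps plus 0xEB (JMP short).

SHORT_JCC = {
    0x70: "jo",  0x71: "jno", 0x72: "jb",  0x73: "jae",
    0x74: "je",  0x75: "jne", 0x76: "jbe", 0x77: "ja",
    0x78: "js",  0x79: "jns", 0x7A: "jp",  0x7B: "jnp",
    0x7C: "jl",  0x7D: "jge", 0x7E: "jle", 0x7F: "jg",
    0xEB: "jmp",
}


def decode_short_jump(address: int, code: bytes):
    """Decode a 2-byte short jump located at `address`.

    Returns (mnemonic, target_address). Raises ValueError if the bytes are
    not a short-jump encoding.
    """
    if len(code) < 2:
        raise ValueError("need an opcode byte plus a displacement byte")
    opcode, disp = code[0], code[1]
    if opcode not in SHORT_JCC:
        raise ValueError(f"{opcode:02X} is not a short-jump opcode")
    # The displacement is a signed 8-bit value (two's complement).
    if disp >= 0x80:
        disp -= 0x100
    target = (address + 2 + disp) & 0xFFFFFFFF
    return SHORT_JCC[opcode], target


def format_listing_line(address: int, code: bytes) -> str:
    """Render one line in the ':ADDRESS HEXBYTES  mnemonic target' style of the listings."""
    mnem, target = decode_short_jump(address, code)
    return f":{address:08X} {code.hex().upper():<8} {mnem} {target:08X}"


# Constructed sample: the five short jumps quoted in the essay's listings,
# as (address, bytes) pairs copied from those listings.
LISTING_JUMPS = [
    (0x00405929, bytes.fromhex("7E6B")),  # jle 00405996 (time-limit check)
    (0x00405994, bytes.fromhex("EB18")),  # jmp 004059AE
    (0x00405999, bytes.fromhex("7E13")),  # jle 004059AE (startup nag check)
    (0x004059A5, bytes.fromhex("EB07")),  # jmp 004059AE
    (0x004125EE, bytes.fromhex("7416")),  # je  00412606 (exit nag check)
]


def decode_listing_jumps(jumps=LISTING_JUMPS):
    """Return {address: (mnemonic, target)} for every jump in the sample."""
    return {addr: decode_short_jump(addr, code) for addr, code in jumps}


if __name__ == "__main__":
    for addr, code in LISTING_JUMPS:
        print(format_listing_line(addr, code))
```

Running the block prints the five jump lines exactly as the listings show them. Note that the displacement byte alone fixes the target; the opcode byte only selects the condition, which is why every jump in the second listing lands on 004059AE regardless of whether it is a JLE or a JMP.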
There are a few more things we really need to do to this program, as when we run it, we still see Clockwise - UNREGISTERED SHAREWARE in the title bar. I will give you a hint on how to remove this, but I won't tell you how (you really should be able to tackle something like this!). In your disassembler, use String Data References to find our Clockwise - UNREGISTERED SHAREWARE text, and double click on it. If you double click on it again, you will be taken to another location. All-in-all, there are 4 locations that contain a reference to this text string, so there are 4 commands we need to change. This is my final clue: there are 4 JNE commands at the four locations connected to the string. Three of them need changing from JNE to JMP, and one simply needs a NOP! That's your lot! If you don't know how to do that, you should be ashamed of yourself! Hehe…….
Final Notes
Pat yourself on the back, grab a beer and a cigar, and relax, safe in the knowledge that you just learnt something useful!!

[T]urb0z – For introducing me to these infernal machines
The TRES2000 Crew
My mum
ObDuh
The information in this essay is for educational purposes only!
You are only allowed to crack, reverse engineer, modify code and debug programs that you legally bought, and then for personal use only!!
To ignore this warning is a criminal act and can result in lawful actions!
So please note!
I take no responsibility for how you use the information in this essay, I take NO responsibility for what might happen to you or your computer!
You use this information at your own risk!!
What I mean is: Please buy the software!

Essay written by anTiHerO ©TRES2000. All Rights Reserved.