Reversing Erazer 98 v 3.22.

From the enclosed documentation we learn the following: the program is written in Delphi 4, it works for 30 days, and in the unregistered version all options are disabled. The program is intended for deleting garbage from the hard disk; it has an original interface and is simple to configure, which is what attracted me. It can be downloaded from here: www.intermedia.pp.se


So, the time has come to start the program and see what we will have to fight. Yes, at startup a nag screen is visible, a completely unnecessary window with the irritating inscription SHAREWARE Violation-PLEASE REGISTER.. We go to the tools/register menu and try to register. Failed? No trouble; remember the message just in case. Now we press the "about" button, and here too all is bad: "SHAREWARE VERSION PLEASE REGISTER". In tools/options the "files to ignore" section is not active at all, so let's begin. Are you ready? Let's go!!!


The following tools will be necessary:

1) W32Dasm v8.93
2) HEX editor; I used HEXWORKSHOP 32


So, we create a backup copy of the exe file, just in case, and begin. I shall describe the operations in exactly the order in which I performed them myself; this is done to show the errors into which the protective algorithm of the researched object can sometimes lead. Having disassembled the program, we look at what we have in String Data References and search for the message about incorrect registration. Not found? But I came across this interesting phrase: "Thanks for registering!". We start the built-in debugger and go to the code from which this message is called, and look at the code slightly above

Fig. 1

I see a comparison and then a jump. We put a bpx on it, press F9 in the debugger and try to register, and we did not stop on the jump. Let's look closely at the code in Figure 1: above it we see the inscription "Referenced by a (U)nconditional or (C)onditional Jump at Address: 0046DF2E(C)". Double-click the address with the left mouse button and we end up here

Fig. 2

We put a bpx on the jump and try again; now we have stopped at address 46DF2E. We look at the zero flag (Z): it equals 1, which means the jump will not be taken, and we need it to be, so in the debugger we press Patch Code and change "jne" to "je". We run on and stop at address 46DF7C; we press Jump on the toolbar and end up here

Fig. 3

We see a green inscription at the very bottom; judging by its meaning, I decided that there was nothing for me to catch here. On the same toolbar we press Return and look at the zero flag: it equals 0, so there will be a jump, and we do not need it, so again we patch "jne" to "je". Now we press F8 until the message with thanks for registration appears. The message is called by the CALL at address 0046DF9E, and slightly below it the following code is visible

Fig. 4

We see a green inscription; I think that in the code after this inscription there is nothing for us to catch. We go up to the "jne" and change it to "je", run on, press "About" in the researched program, and I see that the information we entered during registration has appeared there. Now we patch the exe in the HEX editor and start it; we register and everything seems normal, but on restarting the program we again see the NAG screen and all the remaining attributes of the unregistered version. But there is no need to despair. We start W32Dasm again and this time look at the list of imported functions. There I found an interesting function, Valid_licens, which is imported from e98add1.dll. Do you know such a system library? I personally did not, so we immediately turn W32Dasm on it and look in String Data References, where I found 2 interesting references: PLEASE REGISTER and SHAREWARE VERSION.

Fig. 5

At 43C5E6 a jump is also visible; we change it to "je" in the hex editor. We delete the spoiled exe file, restore it from the backup copy, start it, register, and everything works as it should. To check the correctness of this supposition, put a bpx on the call to the function Valid_licens at address 00469740 in the exe file and trace it a little; you will see that the jump we found in the library is triggered, bringing to nothing all our diligence in the exe file. This is how one can sometimes go astray when the protection is implemented in an external file while all the indications are in the exe file.
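
Seen from the vendor's or an incident responder's side, the changes described above are single-byte inversions of a conditional jump, and they can land in the external library as well as in the exe file. The following added example (not part of the original article) compares a file against a known-good copy and classifies each differing byte; the function name and the sample bytes are constructed for illustration.

```python
"""Flag je/jne inversions between a known-good binary and a suspect copy."""

# x86 opcodes: short jumps are one byte (74 = je, 75 = jne);
# near jumps are two bytes (0F 84 = je, 0F 85 = jne).
SHORT_JCC = {0x74: "je", 0x75: "jne"}
NEAR_JCC = {0x84: "je", 0x85: "jne"}


def find_jump_inversions(good: bytes, suspect: bytes):
    """Return a list of (offset, old, new, kind) for every differing byte.

    kind is "short", "near" or "other". The classification is a heuristic
    on raw bytes, not a disassembly, so data bytes can match by accident.
    """
    if len(good) != len(suspect):
        raise ValueError("size mismatch: file was resized, not only patched")
    findings = []
    for off, (a, b) in enumerate(zip(good, suspect)):
        if a == b:
            continue
        prefixed = off > 0 and good[off - 1] == 0x0F and suspect[off - 1] == 0x0F
        if prefixed and {a, b} == set(NEAR_JCC):
            findings.append((off, NEAR_JCC[a], NEAR_JCC[b], "near"))
        elif {a, b} == set(SHORT_JCC):
            findings.append((off, SHORT_JCC[a], SHORT_JCC[b], "short"))
        else:
            findings.append((off, f"{a:02x}", f"{b:02x}", "other"))
    return findings


# Constructed sample bytes (not taken from any real program):
# cmp; jne short; call; jne near; nop
GOOD = bytes.fromhex("3bc3 7505 e800000000 0f8510000000 90")
# Same bytes with both jumps inverted and the last byte altered.
PATCHED = bytes.fromhex("3bc3 7405 e800000000 0f8410000000 cc")

if __name__ == "__main__":
    for off, old, new, kind in find_jump_inversions(GOOD, PATCHED):
        print(f"offset 0x{off:04x}: {old} -> {new} ({kind})")
```

To check an installation, read the release copy and the installed copy of every shipped file, including libraries loaded by the main executable, and pass each pair to `find_jump_inversions`.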


This article is written for educational purposes. The research and writing of this material were done by GoKs.

If there are any problems, or you find errors in the research, you can write to me at:

goks@bigfoot.com