Program Details
---
Program Name: Merlyn 2.1 - By Hyland Software
Program Type: Mathematics Equations Utility
Program Location: http://www.hylandsoftware.com/
Program Size: 3.35mb
Tools used
---
SoftIce 3.25 (use 4 if you like)
W32Dasm 8.93
A Hex Editor (I used HIEW/UltraEdit)
Intro:
From the Merlyn help file -
We created Merlyn to do two things. First, we wanted to be able to create mathematical expressions. We wanted it to be fast and flexible; and we wanted the equations to look just like they do in a textbook.
Second, we wanted to be able to manipulate those equations. What do we mean by manipulating equations? If you look at any problem that's been done in detail, step by step, in a textbook, the difference between one step and the next is that some part of the expression has been rearranged, simplified, canceled, etc.
This is just what Merlyn does. You select the part of the expression you want to change, then you tell Merlyn what kind of change you want. You apply commands like simplify, cancel, commute, and so on, and the expression changes accordingly. If there is more than one possibility you're offered a list of options. Pick the one you want and the result will appear in your document.
We designed Merlyn for everyday calculations. Our goal was to create software that would be just as fast and flexible, and a whole lot less error prone, than that paper and pencil method you currently use. We also designed Merlyn with students in mind. Merlyn not only gets you to the answer, but it takes you through the steps to help you understand what's happening along the way.
IMPORTANT NOTE: If you download the trial from the Hyland website, install it and find that it says Merlyn 2.0 on the Start Menu, do not worry - they didn't update the setup program - check the About Box for the true version.
About This Protection System:
Registration is not possible; after 30 days you must buy the program.
The program is not compacted/encrypted in any way.
No nag screens, except when the trial is over. The title bar of the main application displays the days remaining, and the about box displays "Trial Version".
The Essay:
OK, the first thing I did was to set my date forward (at least 30 days) and run the program, then note down the important strings. I noticed:
Merlyn - this trial version has expired
^-- this appears in the title bar of both the main window and the nag screen.
Then I opened up W32Dasm, disassembled it, chose string references and looked for this string... I found:
Merlyn - this trial version has
The word 'expired' has lost itself somewhere (W32Dasm shows it as a separate string), but if you double click on the string you will find it underneath. Here is what I found:
:004BB897 A150DE4B00    mov eax, dword ptr [004BDE50]
:004BB89C 8B00          mov eax, dword ptr [eax]
:004BB89E E8A988FAFF    call 0046414C
:004BB8A3 85C0          test eax, eax
:004BB8A5 7D21          jge 004BB8C8

* Possible StringData Ref from Code Obj ->"Merlyn - this trial version has "
                                        ->"expired"
                                  |
:004BB8A7 BAE4B94B00    mov edx, 004BB9E4
:004BB8AC 8BC3          mov eax, ebx
How convenient :) A cracker's gate :)
So what's a cracker's gate? A nice little test and then a compare routine (here: a call, a test, and a conditional jump on the result).
So what's it mean?
LINE 1: :004BB89E E8A988FAFF call 0046414C <-- Check the amount of days remaining
LINE 2: :004BB8A3 85C0       test eax, eax <-- Look at the result
LINE 3: :004BB8A5 7D21       jge 004BB8C8  <-- If it's greater than or equal to zero, jump to 4BB8C8
I labelled the 3 lines 1, 2 and 3 to make it easier for me to talk about them.
Now load up Symbol Loader (the proggie that comes with SoftIce), choose File, Open and then choose merlyn.exe.
Once it has loaded click on Module, Load and it will ask if you are sure; choose Yes and SoftIce should pop up.
WHAT TO DO IF IT DOESN'T POP UP: Choose Module, Settings and make sure that Load Executable and Stop at WinMain... are both checked!
SoftIce pops up at the start of the program.
Type: bpx 4BB8A5
This sets a breakpoint on that line (LINE 3, the conditional jump).
Now type: X [ENTER]
SoftIce should flash off then on; this is because it broke in where we set the breakpoint!
We can see that SoftIce doesn't take the jump (the expired path runs), so we want to make it jump.
Type: A
Once you hit enter you will be able to modify that line of code. So type: JMP 4bb8c8
Hit enter twice to finish editing.
Notice the 7D21 changes to EB21.
Now type: BC * [ENTER]
This clears all breakpoints.
Type: X [ENTER]
SoftIce will now exit and the program will load with no problems - how convenient :)
Now we need to hex edit the code, since the change made in SoftIce only lives in memory.
So load up your favourite hex editor (I recommend Hacker's View or UltraEdit) - some people prefer Hex Workshop - which I personally hate.
Search for 85C07D21 - where did I get this number from?
LINE 2: :004BB8A3 85C0
LINE 3: :004BB8A5 7D21
You can see the numbers are the opcode bytes at the end of the above two lines.
Now change the 7D21 to EB21, run the program and voila - it works forever :)
Now we have one last problem. The title bar still says the amount of days remaining.
So note down the string in the title bar:
Merlyn - this trial version expires in xx days
Load up W32Dasm again, and look for the string. Here's what I found:
:004BB828 C7803402000048AB4B00  mov dword ptr [ebx+00000234], 004BAB48
:004BB832 80BB4503000000        cmp byte ptr [ebx+00000345], 00
:004BB839 0F84E3000000          je 004BB922

* Possible StringData Ref from Code Obj ->"Merlyn - this trial version expires "
                                        ->"in "
                                  |
:004BB83F 68A4B94B00            push 004BB9A4
Hmmm, the jump looks very interesting :) Let's change it to JMP instead of JE, so it always jumps over the "expires in" code.
JE = Jump if equal (conditional)
JMP = Always jump (unconditional)
Wahoo! It worked, now just the finishing touches.
Open up a hex editor and search for the strings in the about box, and change them to Full Version etc. (You could also use a resource editor if you wish.)
DON'T FORGET TO SET YOUR DATE BACK TO NORMAL!!! - IT WREAKS HAVOC WITH EMAIL ;)
If you managed to crack the proggie, go and have a well deserved cuppa.
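Seen from the vendor's side, the reason the whole essay comes down to one byte is that the trial gate is a single conditional jump and nothing in the program ever checks that its own code is still what shipped. The usual mitigation is an integrity check: compare the image (or at least its code section) against a known-good digest and, on mismatch, report where the bytes differ so support can tell a tampered copy from a corrupt download. The Python below is an added example of such a check; it is not code from the essay or from Hyland Software. The byte string GOOD_IMAGE is constructed toy data that merely contains the 85 C0 7D 21 pattern discussed above, and the function names are my own.

```python
# Added example (not from the essay): detect a modified copy of a shipped
# image by digest, and report the first differing byte offsets.
# GOOD_IMAGE is constructed toy data, not Merlyn's real code.
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IntegrityReport:
    ok: bool
    expected_sha256: str
    actual_sha256: str
    differing_offsets: List[int] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the image as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def differing_offsets(reference: bytes, candidate: bytes, limit: int = 16) -> List[int]:
    """Return up to `limit` offsets where candidate differs from reference.
    A length mismatch is reported once, at the length of the shorter input."""
    out: List[int] = []
    n = min(len(reference), len(candidate))
    for i in range(n):
        if reference[i] != candidate[i]:
            out.append(i)
            if len(out) >= limit:
                return out
    if len(reference) != len(candidate) and len(out) < limit:
        out.append(n)
    return out


def verify_image(candidate: bytes, expected_sha256: str,
                 reference: Optional[bytes] = None) -> IntegrityReport:
    """Compare the candidate's digest with the known-good one. If a reference
    copy is available, also locate the bytes that changed."""
    actual = sha256_hex(candidate)
    if actual == expected_sha256:
        return IntegrityReport(True, expected_sha256, actual)
    offsets = differing_offsets(reference, candidate) if reference is not None else []
    return IntegrityReport(False, expected_sha256, actual, offsets)


# Constructed toy "code section": 26 bytes that contain the test/jge pair
# (85 C0 7D 21) at offsets 15..18, the way the essay's listing shows it.
GOOD_IMAGE = bytes.fromhex(
    "5589e5" "a150de4b00" "8b00" "e8a988faff" "85c0" "7d21" "bae4b94b00" "8bc3"
)
GOOD_DIGEST = sha256_hex(GOOD_IMAGE)  # what the vendor would ship alongside the image


def patched_copy() -> bytes:
    """Toy copy with the one-byte edit the essay describes (7D -> EB at offset 17),
    so the detector has something to find."""
    idx = GOOD_IMAGE.index(bytes.fromhex("85c07d21")) + 2
    return GOOD_IMAGE[:idx] + b"\xeb" + GOOD_IMAGE[idx + 1:]


if __name__ == "__main__":
    print(verify_image(GOOD_IMAGE, GOOD_DIGEST))                 # ok=True
    print(verify_image(patched_copy(), GOOD_DIGEST, GOOD_IMAGE))  # ok=False, offset 17
```

A digest check alone is only a speed bump, since the comparison itself is code that can be patched in the same way; in practice the reference digest is kept off the machine (a signed manifest or a server-side check) and the offsets report is used for support and telemetry rather than as the sole gate.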
The Crack
---
I'm not making it that easy - read the essay you lazy person :)
Final Notes
---
Well this is my first essay, I hope it helps someone out there. You can find me on EFNet under the nickname Miscreant - mostly at weekends.
Feel free to send me constructive criticism or nice comments. I made this essay because I saw way too many essays on serial number cracking, but not enough on programs that don't allow serial #'s to be entered. If I get enough feedback I may write some more essays.
I would like to thank in no particular order:
#Cracking4Newbies - For their kind patience
BubbleGun - Who brought me into the scene
WAKKeHACK - For recording futurama for me - hehehe
The Sandman - For his great essays
Fravia - For having perhaps the largest, yet messiest website on the entire web
Numega - For the greatest debugger ever
Slide - For trying this essay for me and telling me what didn't work - all fixed now ;)
Duelist - For helping me so much on hard cracks
MisterE - ditto.
And anyone else I forgot.
Disclaimer
---
If you like and use this program then please buy it. The authors deserve the money. If you don't like spending money, get Linux.
Essay written on 22-Oct-1999.
Printing
---
This essay is best printed using Verdana font on size 8.
I would like to thank
---
Slide for pointing out my mistakes - well, complaining when the tutorial didn't work. Should have ironed out all the bugs ;)
#cracking4newbies for all their help