HOW TO CRACK:
Serif Drawplus 5

Introduction:  Serif Drawplus looks similar to Corel Draw and shares many of its features. You know the score, let's get on with it.

Tools needed: Soft-ice, Wdasm, hex-editor

The Protection: This is a 30-day trial. After that it expires and you can't use it any more, and turning the clock back doesn't help either, because it records its state in registry entries. So this needs to be fixed.


Ok then, try running the program after installing it. You first have to go to their site and register to get a code (if you don't want to register, skip to the next paragraph). Enter your new code and go into the program: you get a registration-type screen. Close it and exit the program. From now on, every time you start the program you get the same reg screen.........very annoying indeed. Let's fix it, shall we?

Ok then, let's look at this logically.

Search the main exe for any text string containing 'registration' and you will find only one:

GetRegistrationDetails SerifRegDll SrfReg20.Dll (taken from the drawplus.exe)

This points to a DLL named 'srfreg20.dll'. You will find this file in the \srfdll32 folder.

Ok then, disassemble drawplus.exe; it will create a 38 MB listing. Search for GetRegistrationDetails and you will find it at only one location. See below:


:00509080 8365FC00 and dword ptr [ebp-04], 00000000
* Possible StringData Ref from Data Obj ->"GetRegistrationDetails"
:00509084 6838396100 push 00613938
:00509089 8D4DEC lea ecx, dword ptr [ebp-14]
:0050908C E87E270000 call 0050B80F -------------------------------Set breakpoint here
:00509091 8B7D08 mov edi, dword ptr [ebp+08]

Load drawplus.exe into Loader32 (the SoftICE Symbol Loader - you should know this by now!) and set a breakpoint on the call at 50908C (bpx 50908C).
Run (F5) and wait until SoftICE pops back up.

Now single-step with F8 until you get into the srfreg20.dll at the location listed below. Note that the routine only inspects [eax+14] of the structure it is handed; the jump on that test is what decides the result:

Exported fn(): GetRegistrationDetails - Ord:0001h
:10001DE0 8B442404 mov eax, dword ptr [esp+04]
:10001DE4 53 push ebx
:10001DE5 33DB xor ebx, ebx
:10001DE7 8B4814 mov ecx, dword ptr [eax+14]
:10001DEA C740041AA01D34 mov [eax+04], 341DA01A
:10001DF1 85C9 test ecx, ecx ----------------------------------------> Stop here, this is the main check
:10001DF3 7409 je 10001DFE ----------------------------------------> Ecx=0=bad, Ecx=1+=good
:10001DF5 B802000000 mov eax, 00000002
:10001DFA 5B pop ebx
:10001DFB C20400 ret 0004

We need to get rid of the je at 10001DF3 (its target is 10001DFE) by replacing it with 2 NOPs (9090). Execution then falls through to the mov eax, 2 and the ret, so the DLL always returns the "good" value to the main program regardless of what the registration check found.

So open srfreg20.dll in your fave hex editor and overwrite the two bytes 74 09 at offset 1DF3 with 90 90. Overwrite, don't insert: the file must stay the same length or every later offset shifts. Check that the bytes at 1DF3 really are 74 09 before you write; if they are not, your copy of the DLL has a different file layout and you need to map the address 10001DF3 through the section table to find the right offset.

Now run the program again after saving the patched file and behold - no more registration check and it never runs out.
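The same patch as a script, added here as an example (it is not part of the original tutorial and not Serif's code). It maps the virtual address from the SoftICE listing to a file offset through the PE section table instead of trusting a hand-calculated offset, and it refuses to write unless the bytes there are the 74 09 of the je. The only inputs it assumes are the ones on this page: the DLL's image base 10000000, the je at 10001DF3 and the NOP patch. The build_fake_srfreg20 fixture is a constructed minimal PE carrying the listing's bytes so the script can be exercised offline; it is not the real DLL.

```python
"""Patch srfreg20.dll: NOP the je at 10001DF3 after verifying the bytes on disk."""
import struct
import sys


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Translate a virtual address to a raw file offset via the PE32 section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("expected a PE32 (32-bit) image")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    rva = va - image_base
    sections = opt + size_opt
    for i in range(num_sections):
        hdr = sections + i * 40
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError(f"VA {va:#x} is not inside any section")


def patch_at_va(pe: bytes, va: int, expected: bytes, replacement: bytes) -> bytes:
    """Return a copy of pe with `expected` at `va` overwritten by `replacement`.
    Same-length overwrite only; refuses if the bytes on disk differ from what the
    disassembly showed (wrong build, wrong file, or already patched)."""
    if len(expected) != len(replacement):
        raise ValueError("patch must not change the file length")
    off = va_to_file_offset(pe, va)
    found = pe[off:off + len(expected)]
    if found != expected:
        raise ValueError(f"at {off:#x} expected {expected.hex()} but found {found.hex()}")
    return pe[:off] + replacement + pe[off + len(expected):]


# The patch from the tutorial: je 10001DFE (74 09) at 10001DF3 becomes two NOPs.
JE_VA = 0x10001DF3
JE_BYTES = bytes.fromhex("7409")
NOP_NOP = bytes.fromhex("9090")


def build_fake_srfreg20() -> bytes:
    """Constructed stand-in for srfreg20.dll (not the real DLL): a minimal PE32
    with ImageBase 10000000 and one .text section mapping RVA 1000 to file
    offset 1000, holding the GetRegistrationDetails bytes from the listing."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<HH", img, coff, 0x14C, 1)        # i386, one section
    size_opt = 0xE0
    struct.pack_into("<H", img, coff + 16, size_opt)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x10B)             # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x10000000)   # ImageBase
    sect = opt + size_opt
    img[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sect + 8, 0x2000, 0x1000, 0x2000, 0x1000)
    code = bytes.fromhex(
        "8B442404"        # mov eax, [esp+04]
        "53"              # push ebx
        "33DB"            # xor ebx, ebx
        "8B4814"          # mov ecx, [eax+14]
        "C740041AA01D34"  # mov [eax+04], 341DA01A
        "85C9"            # test ecx, ecx
        "7409"            # je 10001DFE   <- the bytes we NOP
        "B802000000"      # mov eax, 00000002
        "5B"              # pop ebx
        "C20400"          # ret 0004
    )
    img[0x1DE0:0x1DE0 + len(code)] = code
    return bytes(img)


if __name__ == "__main__":
    # usage: python patch_srfreg20.py <path to srfreg20.dll>
    path = sys.argv[1]
    with open(path, "rb") as f:
        original = f.read()
    patched = patch_at_va(original, JE_VA, JE_BYTES, NOP_NOP)
    with open(path + ".bak", "wb") as f:
        f.write(original)
    with open(path, "wb") as f:
        f.write(patched)
    print(f"patched {path}, backup written to {path}.bak")
```

Running it twice on the same file fails on the second run, because the bytes at the address are then 90 90 rather than 74 09; that is the check doing its job, not a bug.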

I have yet to try this with the other trial versions but I'm sure they'll all be the same.

If not then let me know......................




UPDATE:

Just got patch 5.02 and it has changed slightly. You have to patch drawplus.exe as well.

Change 1 byte in the exe file: at offset 106766h write EB (the opcode for an unconditional short JMP). Confirm in the disassembler which instruction that byte starts before you overwrite it, and keep a backup of the original exe.

That's all and it now runs fine..............