http://www.equisys.com/download/index1a.htm
- Webpage.
Installation Size: 7.1Mb.
SoftICE v3.24.
Hex Workshop v2.54.
I'm short on comments because I'm not good at English; I'll explain as much as I can and hope you can all follow. On to ZetaFax, a very useful utility: a fax server for a network. Documents can be faxed through mail, the API, and DDI. This tutorial is for educational purposes ONLY. The software author deserves your support, so buy it if you use it!
Changes that can be made to 'Licence.dat'
-----------------------------------------

First, make a copy of the original 'Licence.dat' in the program folder (mine is in C:\Program Files\zfax\SYSTEM\Z-DB), then edit it with a hex editor (Hex Workshop v2.54 will do). Here is the original listing of 'Licence.dat':

Offset  HEX DUMP                                          ASCII DUMP
0000 -  30 30 30 30 30 30 30 30 0D 0A 45 76 61 6C 75 61   00000000..Evalua
0010 -  74 69 6F 6E 20 73 79 73 74 65 6D 20 28 30 30 2D   tion system (00-
0020 -  30 34 2D 30 31 29 20 20 0D 0A 5A 65 74 61 66 61   04-01)  ..Zetafa
0030 -  78 20 65 76 61 6C 75 61 74 69 6F 6E 20 73 79 73   x evaluation sys
0040 -  74 65 6D 20 20 20 20 20 0D 0A 20 20 20 20 20 20   tem     ..
0050 -  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0060 -  20 20 20 20 20 20 20 20 0D 0A 1A 41 41 58 4D 44           ...AAXMD
0070 -  50 43 5A 45 54 41 46 41 58 20 20 20 20 20 20 20   PCZETAFAX
0080 -  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0090 -  30 30 30 30 30 30 30 30 80 AC E5 38 05 00 01 00   00000000...8....
00A0 -  01 00 01 00 01 00 30 37 31 20 33 37 38 20 36 38   ......071 378 68
00B0 -  38 36 20 20 20 20 20 20 20 20 00 00 00 00 00 00   86        ......
00C0 -  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00D0 -  00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00   ................
00E0 -  00 00 00 00 7E 2B 00 00 00 00 4C 4B 42 41 42 44   ....~+....LKBABD
00F0 -  51 57 4B 58 4A 42 DD FE 48 37                     QWKXJB..H7

----------------------------------------------------------------------------
Number  Offset           Description of offset
----------------------------------------------------------------------------
 1.     00h up to 07h    Licence key. Eight bytes long, ended with 0Dh and 0Ah.
 2.     0Ah up to 29h    Description of registered capacity.
 3.     2Bh up to 67h    Organisation name.
 4.     4Ah up to 66h    Contact name. The default is empty, filled with the
                         space character (20h).
 4a.    6Ah              Not used.
 5.     6Bh up to 70h    Password.
 6.     71h up to 97h    Keyword.
 7.     98h up to 9Bh    Expiry time of the software.
 8.     9Ch up to 9Dh    Number of users (= 05 00).
 9.     9Eh up to 9Fh    Number of lines (= 01 00).
10.     A0h up to A1h    Number of API (= 01 00).
11.     A2h up to A3h    Number of DDI (= 01 00).
12.     A4h up to A5h    Number of Mail (= 01 00).
13.     A6h up to B9h    Registration fax number.
14.     BAh up to D7h    Not used.
15.     D8h up to D9h    Licence key registered flag (= 00 00).
16.     DAh up to E3h    Not used (future use).
17.     E4h up to E7h    Operating system. 7E2B = default = Windows,
                         FF2F = OS/2.
18.     E8h up to E9h    Not used.
19.     EAh up to F5h    Password.
20.     F6h up to F9h    Time saved at the last run.
----------------------------------------------------------------------------
Let's make a few changes:

 1. Can be changed to any number. 'U' at the front = upgrade.
 2. The description of the registration. Change it if you want to. Ends with 0Dh (Enter) and 0Ah (Ctrl-J), e.g. 12 users, 2 lines, API, DDI, MAIL.
 3. Change it to your organisation name. Ends with 0Dh and 0Ah.
 4. Personal contact name. Your name. Ends with 0Dh and 0Ah.
 5. Leave it. I will tell you how to generate the password later.
 6. May be changed as you wish, but only within that limitation. Better use the default.
 7. This is the maximum (expiry) time; minus local time = days left. Leave it. Changing it to FF FF FF FF will give an error. Better leave it.
 8. Change the number of users. 17 users = 0011h, reverse order: offset 9Ch = 11, offset 9Dh = 00.
 9. Offset 9Eh = 17, offset 9Fh = 00.
10. Offset A0h = 17, offset A1h = 00.
11. Offset A2h = 17, offset A3h = 00.
12. Offset A4h = 17, offset A5h = 00.
13. This is used when you are upgrading through a fax machine. May be changed. Better leave it.
15. Change D8h to 7Fh: software registered.
17. Leave it. Depends on the operating system.
19. Password. Leave it.
20. Leave it.
There is no registration dialog box. Before cracking any target, I usually look at the list of files inside the program folder. That is where I found 'Licence.dat'.
The other important things to do are as follows:
1. Find out "how to register".
2. Read any "readme.txt's".
3. Read any "whatsnew.txt".
4. Read the disclaimer.
OK, it uses a licence file, so let's get into SoftICE:
:BPX GetProfileStringA
Run the application. You may choose which one to run: there are two main programs, 'ZetaFax Client' and 'ZetaFax Server'. Let's choose 'ZetaFax Client' for now. You'll break into SoftICE; hit F12 to get back to the caller.
:S 0 L FFFFFFFF 'LICENCE.DAT' <-- search for 'LICENCE.DAT'.
Pattern found at 017F:0049ED78.
:BPM DS:0049ED78 RW <-- breaks on read/writes.
After this break you'll need to do some tracing; there is a subcall which analyzes the registration code. Use breakpoints as necessary to make tracing easier. Here is the relevant code.

:0047FC98  PUSH EBX               <-- Break here.
:0047FC99  CALL 0047FD20          <-- Analyze 'licence.dat'.
:0047FC9E  ADD ESP,04
:0047FCA1  TEST AX,AX             <-- EAX > 0 ? (Match ?)
:0047FCA4  JZ 0047FCBE            <-- OK, proceed to go!
:0047FCA6  PUSH 0049ED08
:0047FCAB  PUSH 06
:0047FCAD  CALL 0044CF80
:0047FCB2  MOV AX,F024
:0047FCB6  ADD ESP,08
:0047FCB9  POP EBP
:0047FCBA  POP EDI
:0047FCBB  POP ESI
:0047FCBC  POP EBX
:0047FCBD  RET
:0047FCBE  XOR AX,AX              <-- Match!
:0047FCC1  POP EBP
:0047FCC2  POP EDI
:0047FCC3  POP ESI
:0047FCC4  POP EBX
:0047FCC5  RET

:0047FEB6  LEA EDI,[ESP+14]       <-- Next break. Dump [ESP+14].
:0047FEBA  MOV ECX,00000006       <-- Preparing to compare ONLY six bytes.
:0047FEBF  LEA ESI,[EBP+6B]
:0047FEC2  SUB EAX,EAX
:0047FEC4  LEA EDX,[EBP+71]
:0047FEC7  REPZ CMPSB             <-- Comparing address DS:0078E83B (ESI).

Place the bar tracer here (F8), view EDI, then edit ESI. Look at ESI and EDI: it is comparing the memory at ESI with the memory at EDI. So, replace the contents of address DS:0078E83B (ESI) with the code in [ESP+14], six bytes:

:D EDI    <-- Dump address EDI, remember the code, then
:E ESI    <-- Edit address DS:0078E83B (look at the display). Press the 'TAB' key to go to the ASCII area and type exactly the same as in [ESP+14].
Why change the contents of ESI? To fool the program into thinking that the compare is correct.

:0047FF64  CMP BYTE PTR [ESI],20  <-- Break here.
:0047FF67  JNZ 0047FFF2           <-- Is it a space?
:0047FFF2  LEA EDI,[ESP+14]       <-- Dump [ESP+14], see the code?
:0047FFF6  MOV ECX,00000006       <-- Preparing to compare 6 bytes.
:0047FFFB  REPZ CMPSB             <-- Comparing (edit this again).
:0047FFFD  JZ 004800AA            <-- All matched? Yes, exit.
:0047FFFF  MOV AX,F024            <-- No, then set the bad flag.
Continue tracing :).
:004800AE  LEA EDX,[EBP+000000F0] <-- Break here.
:004800B4  CMP BYTE PTR [EDX],20  <-- Is it a space char? No, go to 004800F8.
:004800B7  JNZ 004800F8
:004800F8  LEA EDI,[ESP+14]       <-- Dump [ESP+14] again.
:004800FC  MOV ECX,00000006       <-- 6 bytes again.
:00480103  REPZ CMPSB             <-- Here! Edit the memory contents yet again, with [ESP+14].
:00480105  JZ 0048010F            <-- All equal? Go to 0048010F.
Let's now dump the entire 'Licence.dat' file:

:WD 19           <-- Make the data window 19 lines.
:D DS:0078E7D0   <-- Display Licence.dat.

At DS:78E83B the default 'AAXMDP' has been transformed into a new code 'XXXXXX'. At DS:78E8BA the default 'LKBABDQWKXJB' is now a new code 'YYYYYYYYYYYY'. Note down 'XXXXXX' and 'YYYYYYYYYYYY'.
Now grab your HEX Editor and edit 'Licence.dat', replacing the following :
Offset 6Bh 'XXXXXX'.
Offset EAh 'YYYYYYYYYYYY'.
This keyfile is now registered. Run the program and select the Help - About option. You have been registered! If you want to examine 'ZetaFax Server', here is the list of bpx's I set:

:BC *                   <-- Clear all breakpoints.
:BPX GetProfileStringA  <-- As per 'ZetaFax Client'.
:BPX CS:40B359
:BPX CS:40B3C0
:BPX CS:40B404
:BPX CS:40B46E
:BPX CS:40B53F
:BPX CS:40B5A6

To see the current local time use this bpx ('ZetaFax Client'):

:BPX CS:41002D          <-- Start the program; the first break is the local time. See ESI.

Here is the formula for the days left before the program expires. Look again at offset 98h up to 9Bh = 80 AC E5 38 (= 38E5AC80), which I represent as S; L is the local time:

              (S - L)
  Days left = -------
               15180h

15180h = 86400 decimal; divide it by 3600 seconds and you get 24 hours, so the times are in seconds and the divisor is one day. So, today May 22nd 1999, this program will expire about one year later.
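As an added example, not part of the original tutorial, here is a Python parser for the 'Licence.dat' layout from the offset table above, together with the days-left formula, fed with the hex dump printed in the tutorial. The field names are mine; the four leading text fields are taken from their CRLF terminators rather than from the table's offsets, and the keyword field is read over the full 71h-97h range the table gives. Decoding the file shows that the binary expiry at 98h names the same day as the '(00-04-01)' in the description, and that nothing in the file binds the fields to each other: an edited copy parses exactly like an original, which is the design lesson here. A licence format that has to resist editing needs a signature or MAC over every field, checked by the program, rather than a handful of plaintext tokens.

```python
"""Decode the Zetafax 'Licence.dat' layout and expiry formula described above."""
import re
import struct
from datetime import datetime, timezone

# Hex dump of the evaluation Licence.dat exactly as listed in the tutorial
# (offsets 0000h-00F9h, 250 bytes). The 1Ah at offset 6Ah is a DOS end-of-file
# marker: TYPE shows only the four text lines and stops before the binary part.
LICENCE_HEX = """
30 30 30 30 30 30 30 30 0D 0A 45 76 61 6C 75 61
74 69 6F 6E 20 73 79 73 74 65 6D 20 28 30 30 2D
30 34 2D 30 31 29 20 20 0D 0A 5A 65 74 61 66 61
78 20 65 76 61 6C 75 61 74 69 6F 6E 20 73 79 73
74 65 6D 20 20 20 20 20 0D 0A 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 0D 0A 1A 41 41 58 4D 44
50 43 5A 45 54 41 46 41 58 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
30 30 30 30 30 30 30 30 80 AC E5 38 05 00 01 00
01 00 01 00 01 00 30 37 31 20 33 37 38 20 36 38
38 36 20 20 20 20 20 20 20 20 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
00 00 00 00 7E 2B 00 00 00 00 4C 4B 42 41 42 44
51 57 4B 58 4A 42 DD FE 48 37
"""
LICENCE_BYTES = bytes.fromhex(LICENCE_HEX)

SECONDS_PER_DAY = 0x15180  # 86400: the divisor in the tutorial's days-left formula
OS_NAMES = {"7E2B": "Windows", "FF2F": "OS/2"}  # byte order as written in the file


def _text(raw: bytes) -> str:
    """Text fields are space padded; strip the padding and keep everything else."""
    return raw.decode("latin-1").rstrip(" ")


def _utc(ts: int) -> str:
    """Timestamps are seconds since the Unix epoch, stored little-endian."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_licence(data: bytes) -> dict:
    """Split Licence.dat into the fields of the offset table (names are mine)."""
    if len(data) < 0xFA:
        raise ValueError(f"file too short: {len(data)} bytes, expected at least 250")
    # Key, description, organisation and contact are CRLF-terminated lines
    # that precede the 1Ah marker; everything after it sits at fixed offsets.
    head = data[: data.index(b"\x1a")]
    key, description, organisation, contact = head.split(b"\r\n")[:4]
    expiry, users, lines, api, ddi, mail = struct.unpack_from("<IHHHHH", data, 0x98)
    registered = struct.unpack_from("<H", data, 0xD8)[0]
    last_run = struct.unpack_from("<I", data, 0xF6)[0]
    os_code = data[0xE4:0xE6].hex().upper()
    return {
        "key": _text(key),
        "description": _text(description),
        "organisation": _text(organisation),
        "contact": _text(contact),
        "password": _text(data[0x6B:0x71]),
        # The table gives 71h-97h; in the dump only the first eight bytes are letters.
        "keyword": _text(data[0x71:0x98]),
        "expiry_ts": expiry,
        "expiry_utc": _utc(expiry),
        "users": users, "lines": lines, "api": api, "ddi": ddi, "mail": mail,
        "fax": _text(data[0xA6:0xBA]),
        "registered": registered,
        "os": OS_NAMES.get(os_code, f"unknown ({os_code})"),
        "password2": _text(data[0xEA:0xF6]),
        "last_run_ts": last_run,
        "last_run_utc": _utc(last_run),
    }


def days_left(data: bytes, local_time: int) -> int:
    """The tutorial's formula: (S - L) / 15180h with S = expiry, L = local time."""
    expiry = struct.unpack_from("<I", data, 0x98)[0]
    return (expiry - local_time) // SECONDS_PER_DAY


def description_matches_expiry(info: dict) -> bool:
    """Cross-check that the '(YY-MM-DD)' in the description names the same day
    as the binary expiry field. Nothing in the file enforces this agreement,
    which is why an edited copy parses just as cleanly as an original."""
    m = re.search(r"\((\d\d)-(\d\d)-(\d\d)\)", info["description"])
    return bool(m) and "-".join(m.groups()) == info["expiry_utc"][2:10]


if __name__ == "__main__":
    info = parse_licence(LICENCE_BYTES)
    for name, value in info.items():
        print(f"{name:13s} {value!r}")
    print("days left at last run:", days_left(LICENCE_BYTES, info["last_run_ts"]))
    print("description agrees with expiry:", description_matches_expiry(info))
```

Run as a script it prints every field of the evaluation licence and the days left measured from the last-run timestamp stored at F6h; to inspect another copy of the file, replace LICENCE_BYTES with the bytes read from disk.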
1. Why did I use so many breakpoints?
A1. There is a very long loop. Tracing with F8 will be very tedious.
It generates a code which is placed at address [ESP+10], by using
the keyword ('CZETAFAX'), a table and some constants.
2. Why not just use a patch?
A2. Yes, you could patch but understanding the scheme is better.
1. Always view address [ESP+14] both in 'ZetaFax Client' and
'ZetaFax Server'.
2. Don't forget to replace the contents at the CMPSB (if running
'ZetaFax Client') DS:78E83B, DS:78E8BA, DS:78E8C0 with the content
of [ESP+14]. This fools the program into thinking everything is
valid otherwise it will generate an error then terminate.
3. Edit 'Licence.dat' accordingly.
OK, that's all for now.
22/05/99 friendship.
1. Many thanks to +ORC, this wonderful website and the tutorials.
2. This tutorial is for educational purposes ONLY. The software
author deserves your support!