Well, what can I say... I'm not much more than a newbie and I cracked it in a few minutes. If you need a little help: just follow the instructions.
- A nag shows up telling us we're unregistered. We can use it only for 40 minutes and it's ILLEGAL to use it more than 21 days. (I guess this means it doesn't disable itself after that period :o) Let's continue unregistered.
- We notice a 'REGISTER!' menu. Let's click it. It asks for a name, reg code and key. Fill in something and click OK. If you are very lucky you are now registered, but in most cases (in my case too) you are told the code is incorrect. That's enough for now. Close VTT and fire up W32Dasm.
Disassemble the main program file 'VTT.exe'.
We have 4 things to look for.
1) a nag
2) a register menu
3) the register dialog
4) a time limit
First: the nag. Look in the 'Dialog Information' section for the 'you are unregistered' nag. (It's DialogID_0095; find it by searching for 'unregistered'.) Click the 'DLG Ref' button and select DialogID_0095. You land at the place where the dialog is referenced.
CODE SNIPPET 1
...
:0042C755 8B83C4000000   mov eax, dword ptr [ebx+000000C4]
:0042C75B 8B88BC0B0000   mov ecx, dword ptr [eax+00000BBC]
* Reference To: OutputLib.?CheckRegistered@OutputManager@@QAEHXZ, Ord:001Bh   <== suspicious call !!!
|
:0042C761 E8BEAA0000     Call 00437224        ; call CheckRegistered function
:0042C766 83F801         cmp eax, 00000001    ; check if eax = 1 (= true)
:0042C769 7430           je 0042C79B          ; if so, jump away, else continue
:0042C76B 6A00           push 00000000
* Possible Reference to Dialog: DialogID_0095   <== you land here !!!
|
:0042C76D 6895000000     push 00000095
:0042C772 8D8D00FFFFFF   lea ecx, dword ptr [ebp+FFFFFF00]
* Reference To: MFC42.Ordinal:0144, Ord:0144h
|
:0042C778 E8B9950000     Call 00435D36
:0042C77D 8D8D00FFFFFF   lea ecx, dword ptr [ebp+FFFFFF00]
:0042C783 C645FC13       mov [ebp-04], 13
...
If you look a bit above you see a suspicious call to OutputLib.?CheckRegistered@OutputManager@@QAEHXZ. Then the eax register is checked, and if it's 1 we jump away, else the nag is displayed. So it looks like the CheckRegistered function checks if we are registered (what else did you expect with that name?). But even if it didn't have such a suspicious name, we would have known that this is the function we're interested in. We could now patch the code je 0042C79B into jmp 0042C79B so we would always jump, but first we look a bit further.
Second: the 'REGISTER!' menu. Search for the string "REGISTER!", and you'll find it at address 0042C73D. (And yes, that's just above the code in snippet 1.)
CODE SNIPPET 2
...
* Reference To: OutputLib.?CheckRegistered@OutputManager@@QAEHXZ, Ord:001Bh   <== again the same suspicious call !!!
|
:0042C720 E8FFAA0000     Call 00437224        ; call CheckRegistered function
:0042C725 83F801         cmp eax, 00000001    ; check if eax = 1 (= true)
:0042C728 742B           je 0042C755          ; if so, jump away, else continue
:0042C72A 8B4E20         mov ecx, dword ptr [esi+20]
:0042C72D 51             push ecx
* Reference To: USER32.GetMenu, Ord:011Ch
|
:0042C72E FF1590CF4300   Call dword ptr [0043CF90]
:0042C734 50             push eax
* Reference To: MFC42.Ordinal:0B2F, Ord:0B2Fh
|
:0042C735 E8E6930000     Call 00435B20
:0042C73A 8B5004         mov edx, dword ptr [eax+04]
* Possible StringData Ref from Data Obj ->"REGISTER!"   <== this is where you land !!!
|
:0042C73D 68C4684500     push 004568C4        ; push the offset of the "REGISTER!" string
:0042C742 6821800000     push 00008021        ; push the other parameters for InsertMenuA
:0042C747 6800040000     push 00000400        ;
:0042C74C 6A08           push 00000008        ;
:0042C74E 52             push edx             ;
* Reference To: USER32.InsertMenuA, Ord:0174h
|
:0042C74F FF15ECCE4300   Call dword ptr [0043CEEC]   ; insert the menu
...
It's clear what's happening here: if the user isn't registered, the 'REGISTER!' menu is added. Then the dialog from snippet 1 is displayed, and so on. We know enough by now...
How do you mean 'we know enough'?? We didn't look for the register dialog and we skipped the time limit!! Why?? Well, the explanation is simple: there's no need to. I'll tell you why. We can patch in 2 ways!
1) Change the je instruction after all the CheckRegistered calls into jmp so we always jump. No... We would have to patch every place where a call is made to the CheckRegistered function. Too much work... ;o)
2) Modify the CheckRegistered function so we're always registered!! Yes!! We only have to patch one place in the code: making the function return 1 in the eax register. Let's do it!
If we look at the reference OutputLib.?CheckRegistered@OutputManager@@QAEHXZ we see that the CheckRegistered function is imported from a library called OutputLib. That isn't exactly the name of a system DLL, so let's look into the VTT folder. And yes, that's what we wanted: the file 'OutputLib.dll'. Open it in W32Dasm, click the 'Exp Fn' button and select '?CheckRegistered@OutputManager@@QAEHXZ - Ord:001Ch'. You'll jump to address 10003280.
CODE SNIPPET 3
Exported fn(): ?CheckRegistered@OutputManager@@QAEHXZ - Ord:001Ch
:10003280 55             push ebp
:10003281 56             push esi
:10003282 8BF1           mov esi, ecx
:10003284 57             push edi
:10003285 33FF           xor edi, edi
...
Write down the address of the function. At this address we are going to change the code. We have to set the eax register to 1 (= we are registered!) and exit the function. Don't worry if you don't know much ASM; it isn't hard to understand (even if 'nop' is the only instruction you've ever used ;o).
THE PATCH
:10003280   mov eax, 1    ; move 1 into the eax register
:10003285   ret           ; return to the caller (= exit the function)
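From the defender's side, the same patch is what an integrity check has to catch: the function's first bytes go from a normal prologue (push ebp / push esi / mov esi,ecx / push edi / xor edi,edi, i.e. 55 56 8B F1 57 33 FF) to "mov eax, 1 ; ret" (B8 01 00 00 00 C3, with the last FF of the old xor left orphaned). The following Python is an added example, not part of the original write-up or of VTT/OutputLib: it assumes the caller has already extracted the first bytes of the exported function from the DLL, compares them to a known-good hash, and additionally flags the generic "return a constant and leave" stub pattern, so it also catches the same tampering when the constant differs. The byte strings are constructed from the listing above.

```python
import hashlib

# Constructed from the disassembly in snippet 3: the untouched prologue of
# the exported CheckRegistered function (7 bytes).
ORIGINAL_PROLOGUE = bytes.fromhex("55568BF15733FF")

# Constructed: the same 7 bytes after the patch. "mov eax,1" is B8 + imm32,
# "ret" is C3, and the trailing FF is the orphaned second byte of "xor edi,edi".
PATCHED_PROLOGUE = bytes.fromhex("B801000000C3FF")

# A defender would record this from a pristine copy of the DLL, not from the
# patched one (assumption: the prologue length checked is 7 bytes).
KNOWN_GOOD_SHA256 = hashlib.sha256(ORIGINAL_PROLOGUE).hexdigest()


def stubbed_return(code: bytes):
    """Return the constant if `code` starts with a 'return a constant' stub:
    mov eax, imm32 ; ret (B8 imm32 C3), or xor eax,eax ; ret (31 C0 C3 / 33 C0 C3).
    Returns None when the bytes do not match either stub shape."""
    if len(code) >= 6 and code[0] == 0xB8 and code[5] == 0xC3:
        return int.from_bytes(code[1:5], "little")
    if len(code) >= 3 and code[:2] in (b"\x31\xc0", b"\x33\xc0") and code[2] == 0xC3:
        return 0
    return None


def function_findings(code: bytes, known_good_sha256: str) -> list:
    """Run both checks over the function's leading bytes and return a list of
    human-readable findings (empty list means nothing suspicious)."""
    findings = []
    if hashlib.sha256(code).hexdigest() != known_good_sha256:
        findings.append("function bytes differ from the known-good hash")
    const = stubbed_return(code)
    if const is not None:
        findings.append(f"function is stubbed to unconditionally return {const}")
    return findings


if __name__ == "__main__":
    for label, code in (("original", ORIGINAL_PROLOGUE), ("patched", PATCHED_PROLOGUE)):
        print(label, function_findings(code, KNOWN_GOOD_SHA256) or ["clean"])
```

The hash comparison is the precise check (any byte change is caught), while the stub-pattern check is the generic one: it needs no known-good copy and still fires on the patched prologue, which is why a binary that verifies its own code or a scanner comparing shipped DLLs against vendor hashes would combine both.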
I hope it wasn't too easy :o) Now we're going to patch the file.
- Open 'OutputLib.dll' in Hiew.
- Press F4 (Mode), F3 (Decode) and you'll see the code listing.
- Press F5 (Goto), type '.10003280' (a decimal point and the address).
- Enter the ASM code. Press F3 (Edit), F2 (Asm). Clear the text field, type 'mov eax,1' and press Enter. Now we are at the next line of code. Clear the text field, type 'ret' and press Enter again.
- We don't have to edit any more code, so press Escape. Press F9 to update the file and F10 to quit Hiew.
Rerun VTT and watch... No nag and no 'REGISTER!' menu! We did it!
(Just one more thing if you want it perfect... The about dialog will use 'UNREGISTERED' as user name, reg code and key. But that's easy to change with a resource editor. Just figure it out yourself if you really want to change it. But there's no need to: the program works fine with the patch.)