Cracking Tutorial
#68:
Cracking Demo Software - Objectbar 1.21
[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 08/2002
[difficulty:] beginner
[where:] http://www.stardock.net
[tOOLz:] Softice 4.05, W32dasm 8.93, Hiew
KANAL23 Tutorial
Object Bar 1.21
Written by: sLeEpY¿
Introduction
This is just a shareware demo: the enhanced version has everything, while this one is not loaded with everything but has a nag and a 30 day trial. After the trial you can't use custom skins anymore; and once you defeat the 30 day trial you will find you have about 10 days or so before you are given a beta expired message and can't use anything (on the 21st and the 29th day of the month). All I'm going to show you how to do in this one is make this demo beta thingy or whatever have unlimited days of usage. You can screw with the nag yourself, but since there is no way to register this version as it isn't full, it will probably be a bitch and take some coding to make the app just start up.
This is just a demo and we are going to make it demo as long as we want.
http://www.stardock.com/products/objectbar/download.html
However, I really recommend this prog as it is kool as hell; I've been using this Breal desktop environment and must pass it on. You can get tons of skins for it here:
http://www.wincustomize.com/skins.asp?library=4
http://www.wincustomize.com
ObjectBar 1.21
2.82MB
License: Free to try; $20.00 to buy
Minimum requirements: Windows 95/98/Me/NT/2000/XP
Uninstaller included?: Yes
This version is from:
ObjectBar 1.21 Shareware [July 2002]
The Essay
Well, make the usual copies and backups and disassemble one of them.
Now there are 2 ways to proceed. I did both but will only explain the Softice way, as showing how to use W32dasm as a debugger will take forever; basically all you do in W32dasm is look under the imported API list for KERNEL32.GetSystemTime and breakpoint its references to see where and which ones get hit.
With Softice set a BPX on GetSystemTime.
You will land below when SI breaks; press F12 to return to the caller and write down each place, as they are all listed below. If you don't break at the place below just CTRL+D and Softice will break again, press F12, etc. First we will trash the 30 day limit so you can still use custom bars on the program even after 30 days.
* Reference To:
KERNEL32.GetSystemTime, Ord:01AAh
:00476559 FF15C8314B00 Call dword ptr [004B31C8]
:0047655F 8B442428 mov eax, dword ptr [esp+28]
:00476563 8B4C2420 mov ecx, dword ptr [esp+20]
:00476567 25FFFF0000 and eax, 0000FFFF
:0047656C 8B54242A mov edx, dword ptr [esp+2A]
:00476570 3BC1 cmp eax, ecx
:00476572 7C38 jl 004765AC
<-Nop this as it jumps right to the bad flag
:00476574 8B7C241C mov edi, dword ptr [esp+1C]
:00476578 3BC1 cmp eax, ecx
:0047657A 750E jne 0047658A
<-make me jump
:0047657C 81E2FFFF0000 and edx, 0000FFFF
:00476582 3BD7 cmp edx, edi
:00476584 8B54242A mov edx, dword ptr [esp+2A]
:00476588 7C22 jl 004765AC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047657A(C)
|
:0047658A 3BC1 cmp eax, ecx
<-land here from jump
:0047658C 7528 jne 004765B6
<-make me jump over the bad flag
:0047658E 8BCA mov ecx, edx
:00476590 81E1FFFF0000 and ecx, 0000FFFF
:00476596 3BCF cmp ecx, edi
:00476598 751C jne 004765B6
:0047659A 8B4C242E mov ecx, dword ptr [esp+2E]
:0047659E 8B7C2418 mov edi, dword ptr [esp+18]
:004765A2 81E1FFFF0000 and ecx, 0000FFFF
:004765A8 3BCF cmp ecx, edi
:004765AA 7D0A jge 004765B6
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00476572(C), :00476588(C)
|
* Possible Reference to String Resource ID=00001: "10/22/2001"
:004765AC C7056CD24E0001000000 mov dword ptr [004ED26C], 00000001
<-bad flag
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047658C(C), :00476598(C), :004765AA(C)
|
:004765B6 8B4C2414 mov ecx, dword ptr [esp+14]
<-land here from above
:004765BA 3BC1 cmp eax, ecx
:004765BC 7F35 jg 004765F3
<-nop this jump as it goes right to the bad flag
:004765BE 8B7C243C mov edi, dword ptr [esp+3C]
:004765C2 7510 jne 004765D4
<-make me jump
:004765C4 8BCA mov ecx, edx
:004765C6 81E1FFFF0000 and ecx, 0000FFFF
:004765CC 3BCF cmp ecx, edi
:004765CE 7F23 jg 004765F3
:004765D0 8B4C2414 mov ecx, dword ptr [esp+14]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004765C2(C)
|
:004765D4 3BC1 cmp eax, ecx
<-land here
:004765D6 7525 jne 004765FD
<-make me jump over the bad flag
:004765D8 81E2FFFF0000 and edx, 0000FFFF
:004765DE 3BD7 cmp edx, edi
:004765E0 751B jne 004765FD
:004765E2 8B44242E mov eax, dword ptr [esp+2E]
:004765E6 8B4C2424 mov ecx, dword ptr [esp+24]
:004765EA 25FFFF0000 and eax, 0000FFFF
:004765EF 3BC1 cmp eax, ecx
:004765F1 7E0A jle 004765FD
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004765BC(C), :004765CE(C)
|
* Possible Reference to String Resource ID=00001: "10/22/2001"
:004765F3 C7056CD24E0001000000 mov dword ptr [004ED26C], 00000001
<-bad flag
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004765D6(C), :004765E0(C), :004765F1(C)
|
* Possible Reference to Dialog: DialogID_009F, CONTROL_ID:0006, "Yes"
:004765FD C744242006000000 mov [esp+20], 00000006
<-land here with no bad flags, all ok
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004764B3(U)
|
:00476605 56 push esi
* Reference To: KERNEL32.CloseHandle, Ord:002Ch
:00476606 FF156C324B00 Call dword ptr [004B326C]
:0047660C 3BEB cmp ebp, ebx
:0047660E 0F85D0010000 jne 004767E4
Basically all we are doing above is jumping over all the flags that set off the bad guy. Our bad guy flag looks like this:
:004765AC C7056CD24E0001000000 mov dword ptr [004ED26C], 00000001
or basically wherever you see this you will want to make sure you jump past it:
mov dword ptr [004ED26C], 00000001
So here are the jumps we need to change:
Change the top to what is below it =)
:00476572 7C38 jl 004765AC
:00476572 9090 NOP
:0047657A 750E jne 0047658A
:0047657A EB0E jmp 0047658A
:0047658C 7528 jne 004765B6
:0047658C EB28 jmp 004765B6
:004765BC 7F35 jg 004765F3
:004765BC 9090 NOP
:004765C2 7510 jne 004765D4
:004765C2 EB10 jmp 004765D4
:004765D6 7525 jne 004765FD
:004765D6 EB25 jmp 004765FD
OK, so now we can use our custom bars past our 30 day limit. We always must check the crack and move the date further ahead... and crap, we have another error... beta expired...
Below is how to crack away the damn beta expire message...
When it gets the system time, make it think it's not past the limit. You can use Softice and F12 back to the caller to see what is going on, or use a W32dasm dead listing. Here I will break down everything that is happening, as I spent forever on this app it seems.
Change this:
* Reference To: KERNEL32.GetSystemTime, Ord:01AAh
<-get sys time
:00466AE4 FF15C8314B00 Call dword ptr [004B31C8]
<-call getsystemtime api
:00466AEA 668B44242C mov ax, word ptr [esp+2C]
<-put current year in ax
:00466AEF 663DD207 cmp ax, 07D2
<-07D2 = 2002, ax = current year, compare them
:00466AF3 7721 ja 00466B16
<-jump if past 2002
:00466AF5 7515 jne 00466B0C
<-jump if not equal to 2002
:00466AF7 668B44242E mov ax, word ptr [esp+2E]
<-put current month in ax
:00466AFC 663D0900 cmp ax, 0009
<-9 is sept, ax is current month
:00466B00 7714 ja 00466B16
<-jump if october or later (jump if above 9)
:00466B02 7508 jne 00466B0C
<-jump if not equal to 9 (sept)
:00466B04 66837C24321C cmp word ptr [esp+32], 001C
<-1Ch = 28d, another date check
:00466B0A 770A ja 00466B16
<-if the day is above 28 (the 29th or later), then bad
To this:
* Reference To: KERNEL32.GetSystemTime, Ord:01AAh
:00466AE4 FF15C8314B00 Call dword ptr [004B31C8]
<-call getsystemtime api
:00466AEA 668B44242C mov ax, word ptr [esp+2C]
<-put current year in ax
:00466AEF 663DD207 cmp ax, 07D2
<-07D2 = 2002, ax = current year, compare them
:00466AF3 9090
<-do nothing, No-OPeration
:00466AF5 9090
<-do nothing, No-OPeration
:00466AF7 B809000000 mov eax, 00000009
<-put 9 in eax (9 is also in ax now)
:00466AFC 663D0900 cmp ax, 0009
<-compare 9 with 9
:00466B00 7714 ja 00466B16
<-jump not taken
:00466B02 7508 jne 00466B0C
<-jump not taken
:00466B04 66837C243240 cmp word ptr [esp+32], 0040
<-we make it 40h (64 decimal) because there is no way it will ever hit the 64th day of a month, not enough days in a month
:00466B0A 770A ja 00466B16
<-jump never taken (you could probably nop it too)
This is just like the above...
Change this:
* Reference To: KERNEL32.GetSystemTime, Ord:01AAh
:00466670 FF15C8314B00 Call dword ptr [004B31C8]
<-call getsystemtime api
:00466676 668B44241C mov ax, word ptr [esp+1C]
<-put current year in ax
:0046667B 663DD207 cmp ax, 07D2
<-compare ax with 2002
:0046667F 0F8733050000 ja 00466BB8
<-jump if 2003+
:00466685 751D jne 004666A4
<-jump if not 2002
:00466687 668B44241E mov ax, word ptr [esp+1E]
:0046668C 663D0900 cmp ax, 0009
<-(9th month is sept)
:00466690 0F8722050000 ja 00466BB8
<-jump if past sept (9) (ja = jump if above)
:00466696 750C jne 004666A4
<-jump if not equal to 9
:00466698 66837C242215 cmp word ptr [esp+22], 0015
<-15 is hex for 21, the expire day; esp+22 is the current day. Yup, another date check, this time the 21st
:0046669E 0F8714050000 ja 00466BB8
<-jump if above 21 (day of month)
To this:
* Reference To: KERNEL32.GetSystemTime, Ord:01AAh
:00466670 FF15C8314B00 Call dword ptr [004B31C8]
<-call getsystemtime api
:00466676 668B44241C mov ax, word ptr [esp+1C]
<-put current year in ax
:0046667B 663DD207 cmp ax, 07D2
<-compare ax with 2002
:0046667F 909090909090
<-do nothing
:00466685 9090
<-do nothing
:00466687 B809000000 mov eax, 00000009
<-put 9 in eax (9 is also in ax now)
:0046668C 663D0900 cmp ax, 0009
<-compare 9 with 9 (9th month is sept)
:00466690 0F8722050000 ja 00466BB8
<-jump not taken
:00466696 750C jne 004666A4
<-jump not taken
:00466698 66837C242240 cmp word ptr [esp+22], 0040
<-we make it 40h (64 decimal) because there is no way it will ever hit the 64th day of a month, not enough days in a month
:0046669E 0F8714050000 ja 00466BB8
<-jump never taken (you could probably nop it too)
Another location just like the above...
Change this:
* Reference To: KERNEL32.GetSystemTime, Ord:01AAh
:0047330A FF15C8314B00 Call dword ptr [004B31C8]
<-call getsystemtime api
:00473310 668B442414 mov ax, word ptr [esp+14]
<-put current year in ax
:00473315 663DD207 cmp ax, 07D2
<-compare ax with 07D2, 07D2h is 2002d
:00473319 7730 ja 0047334B
<-jump if 2003+
:0047331B 7515 jne 00473332
<-jump if not 2002
:0047331D 668B442416 mov ax, word ptr [esp+16]
<-put current month in ax
:00473322 663D0900 cmp ax, 0009
<-ax has current month, 9 is sept, compare them
:00473326 7723 ja 0047334B
<-jump if past sept (9)
:00473328 7508 jne 00473332
<-jump if not equal to 9
:0047332A 66837C241A1C cmp word ptr [esp+1A], 001C
<-1Ch = 28d, another date check
:00473330 7719 ja 0047334B
<-if the day is above 28 (the 29th or later), then bad
To this:
* Reference To: KERNEL32.GetSystemTime, Ord:01AAh
:0047330A FF15C8314B00 Call dword ptr [004B31C8]
<-call getsystemtime api
:00473310 668B442414 mov ax, word ptr [esp+14]
<-put current year in ax
:00473315 663DD207 cmp ax, 07D2
<-compare ax with 2002
:00473319 9090 NOP
<-do nothing
:0047331B 9090 NOP
<-do nothing
:0047331D B809000000 mov eax, 00000009
<-put 9 in eax (9 is also in ax now)
:00473322 663D0900 cmp ax, 0009
<-hey we are ok!
:00473326 7723 ja 0047334B
<-jump not taken
:00473328 7508 jne 00473332
<-jump not taken
:0047332A 66837C241A40 cmp word ptr [esp+1A], 0040
<-40h = 64d, don't think it will hit the 64th day of any month =)
:00473330 7719 ja 0047334B
<-bad jump not taken
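The three beta-expire locations above all make the same decision: a cascade of cmp/ja/jne on the year, then on the month, then a final ja on the day, against a date hard-coded next to the GetSystemTime call. The Python below is an added example, not code from the tutorial or from Stardock. It models that cascade on the decimal values the listing annotates (07D2h, 0009h, 001Ch), models the same cascade after the tutorial's edits so you can see that the expired path becomes unreachable, and shows the defender-side counterpart: a digest over the bytes of the check region (a byte image constructed here from the opcode column printed at 00466AEF..00466B0A) flags the two-byte branch edits, because a time trial that lives entirely in a handful of local compare-and-branch instructions has no protection beyond the integrity of those bytes. The function names and the KNOWN_GOOD reference digest are assumptions of this example.

```python
import hashlib

# Hard-coded expiry date the listing compares against:
# 07D2h = 2002, 0009h = September, 001Ch = 28.
EXPIRE_YEAR, EXPIRE_MONTH, EXPIRE_DAY = 2002, 9, 28


def beta_expired(year: int, month: int, day: int) -> bool:
    """Mirror of the cmp/ja/jne cascade at 00466AEF..00466B0A.

    Every 'ja 00466B16' is the expired path, every 'jne 00466B0C' the still-OK
    path, so the check only falls through to the next field when the current
    field is exactly equal to the hard-coded value.
    """
    if year > EXPIRE_YEAR:        # cmp ax, 07D2 / ja  -> expired (2003 or later)
        return True
    if year != EXPIRE_YEAR:       # jne                -> an earlier year is fine
        return False
    if month > EXPIRE_MONTH:      # cmp ax, 0009 / ja  -> October or later
        return True
    if month != EXPIRE_MONTH:     # jne                -> an earlier month is fine
        return False
    # cmp word ptr [esp+32], 001C / ja: ja is a strict "above", so the 28th passes
    # and the 29th or later is expired.
    return day > EXPIRE_DAY


def beta_expired_after_patch(year: int, month: int, day: int) -> bool:
    """The same cascade with the tutorial's edits applied: both year branches
    NOPed (the year is ignored), 'mov eax, 9' replaces the month load, and the
    day limit is raised to 40h = 64. No calendar day exceeds 64, so the result
    is constant False: the expired path can no longer be reached."""
    month = 9                     # mov eax, 00000009 overrides the real month
    if month > 9:                 # ja  -> never taken
        return True
    if month != 9:                # jne -> never taken
        return False
    return day > 0x40             # cmp ..., 0040 / ja -> never taken for a real day


# Constructed byte image of the check region 00466AEF..00466B0A, copied from the
# opcode column of the listing (29 bytes). Only bytes printed on the page.
ORIGINAL_CHECK = bytes.fromhex(
    "663DD207"        # 00466AEF cmp ax, 07D2
    "7721"            # 00466AF3 ja  00466B16
    "7515"            # 00466AF5 jne 00466B0C
    "668B44242E"      # 00466AF7 mov ax, word ptr [esp+2E]
    "663D0900"        # 00466AFC cmp ax, 0009
    "7714"            # 00466B00 ja  00466B16
    "7508"            # 00466B02 jne 00466B0C
    "66837C24321C"    # 00466B04 cmp word ptr [esp+32], 001C
    "770A"            # 00466B0A ja  00466B16
)

# The same region as the tutorial leaves it (same length, nothing is relocated).
PATCHED_CHECK = bytes.fromhex(
    "663DD207" "9090" "9090" "B809000000" "663D0900" "7714" "7508" "66837C243240" "770A"
)


def code_digest(image: bytes) -> str:
    """SHA-256 over the bytes of the check; a vendor would record this at build time."""
    return hashlib.sha256(image).hexdigest()


# Assumed build-time reference value; here it is derived from the constructed image.
KNOWN_GOOD = code_digest(ORIGINAL_CHECK)


def check_region_tampered(image: bytes) -> bool:
    """True when the bytes of the date check no longer match the build-time digest.
    Any one of the edits above (7721->9090, 7515->9090, 1C->40, ...) changes it."""
    return code_digest(image) != KNOWN_GOOD


def changed_offsets(original: bytes, patched: bytes) -> list:
    """Offsets (relative to 00466AEF) whose byte differs; this tells a defender
    exactly which instructions were edited."""
    return [i for i, (a, b) in enumerate(zip(original, patched)) if a != b]


if __name__ == "__main__":
    for ymd in [(2002, 9, 28), (2002, 9, 29), (2003, 1, 1), (2001, 12, 31)]:
        print(ymd, "expired" if beta_expired(*ymd) else "ok",
              "| after patch:", beta_expired_after_patch(*ymd))
    print("tampered:", check_region_tampered(PATCHED_CHECK),
          "at offsets", changed_offsets(ORIGINAL_CHECK, PATCHED_CHECK))
```

The digest is deliberately computed over the exact bytes the tutorial lists, so the changed offsets it reports (4..12 and 26) line up one-to-one with the four edits in the "To this" block: the two NOPed branches, the five-byte mov, and the single operand byte of the day compare.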
Final thoughts
This program was a bitch... well, I'm running it now with my date set to OCT. 2003, so apparently we patched it up. I have to say I've never seen so much protection in a demo program that can't be registered anyway. This was an excellent target for a lesson in time trials and expiration. If you don't wanna go through all the work, look for the warez full version, it's probably out there. However, this is one of the few that I cracked that I'm actually gonna use.
Laterz!
Greetings
Groups:
FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN,
GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read
from everyone who writes them.
CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy &
http://www.bright.net/~testsubject001
Mail sleepy@linuxwaves.com
This document is copyrighted by Kanal23 and its members. Please mail the author of this document for complaints and those things.
Kanal23 is signing out for now.