With this information in mind, it is time to start working on it...
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040877D(C)
|
:00408791 A1603F4600     mov eax, dword ptr [00463F60]
:00408796 85C0           test eax, eax                      ; eax = 0 ?
:00408798 741D           je 004087B7                        ; jump if eax = 0
:0040879A 8B15803F4600   mov edx, dword ptr [00463F80]
:004087A0 8D8398000000   lea eax, dword ptr [ebx+00000098]
:004087A6 52             push edx
* Possible Reference to String Resource ID=00170: "Your Trial version of Spector will expire in %d days. Pleas"
|
:004087A7 68AA000000     push 000000AA
:004087AC 50             push eax
:004087AD E8D6250200     call 0042AD88
:004087B2 83C40C         add esp, 0000000C
:004087B5 EB42           jmp 004087F9                       ; jump to beggar off message
From the code above we can tell that once all 1000 screen recordings have been used, EAX at location 408796 will no longer hold the value '0', and we get the 'expire' message. We can assume we have not used them all yet, so we want to see what happens when we jump to location 004087B7.
The message telling us how many screens are left is shown in the Help/About screen. Run Spector and click on Help. Before you click on About, fire up Softice with 'Ctrl+D'. Type 'bpx setwindowtexta'; this should break in before the About screen pops up. Type 'x' to leave, and click on the About option. Softice breaks; press 'F11' once and we are in Spector's code. Now we want to set a new breakpoint, so clear all bpx's with 'bc *' and type 'bpx 408791'. Type 'x' and we break again here :
:00408791 A1603F4600     mov eax, dword ptr [00463F60]      ; we land here !
:00408796 85C0           test eax, eax                      ; eax = 0 ?
:00408798 741D           je 004087B7                        ; we jump here !!
Press 'F10' 3 times, and we jump to this code :
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408798(C)
|
:004087B7 8DB398000000   lea esi, dword ptr [ebx+00000098]
:004087BD 68AC000000     push 000000AC
:004087C2 8BCE           mov ecx, esi
:004087C4 E8FE910200     call 004319C7
:004087C9 E8AC330000     Call 0040BB7A                      ; check windows used (eax)
:004087CE B9E8030000     mov ecx, 000003E8                  ; ecx = 1000 !!!
:004087D3 2BC8           sub ecx, eax                       ; ecx = ecx - windows used
:004087D5 85C9           test ecx, ecx                      ; ecx = 0 ?
:004087D7 7E20           jle 004087F9                       ; jump if ecx <= 0 (signed: jle, not je)
:004087D9 51             push ecx
:004087DA 8D4C240C       lea ecx, dword ptr [esp+0C]
:004087DE 6828054600     push 00460528
:004087E3 51             push ecx
Can you see what the code above does? This is where the protection routine calculates how many screens are left for us to use. If we still have window recordings left, the jump is not taken and we get a message in the About window. So, if we don't want it to show, we need to force the jump to take place. To do it, keep pressing 'F10' until you land on location 004087D7, then type 'r fl z' to toggle the zero flag; now the jump will be executed. Type 'x' and we get the About screen, but this time without the 'windows left' message. We found the right place, but we still have the 'Register' button enabled.
Go to the Help/About menu again, but this time, when Softice breaks, clear the breakpoint with 'bc *', keep going without changing the jle 004087F9, and press 'F10' 19 times; you'll be back at the location holding the 'call' to all the checks :
:00430398 85C0           test eax, eax                      ; eax = 0 ? registered version ??
:0043039A 59             pop ecx
:0043039B 740C           je 004303A9                        ; jump if eax = 0 (ignore checks)
:0043039D 8B10           mov edx, dword ptr [eax]
:0043039F 8BC8           mov ecx, eax
:004303A1 FF92BC000000   call dword ptr [edx+000000BC]      ; all checks !!!
:004303A7 EB07           jmp 004303B0                       ; we land here from 'ret' !!!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043039B(C)
|
:004303A9 6A01           push 00000001
:004303AB 58             pop eax
:004303AC EB02           jmp 004303B0
We can see that if we take the jump at :0043039B 740C je 004303A9, the 'call' at location 004303A1 will not be executed !! We can check it this way: type 'bpx 0043039B', type 'x' and go to Help/About again. When SI breaks, type 'r fl z' and press 'x'. WOW, we now have the About screen without the 'windows left' count and without the 'Register' button !!
But a few days later, when I was ready to check the program for the last time before removing it from my hard drive, I got this: "The maximum recording time has been reached...", so now I was sure there was another check that I had missed. I decided to go to the dead list and look for something like a check of whether any register equals 1000. Just to remind you, numeric values will usually be in HEX, so 1000 decimal is 3E8 in hex. Hey, we had this a few lines above :
* Reference To: SHMSWNRC.?ShGetFrames@@YAKXZ, Ord:0002h   ; get frames ???
|
:004087C9 E8AC330000     Call 0040BB7A                      ; check windows used, returns with eax = windows used
:004087CE B9E8030000     mov ecx, 000003E8                  ; ecx = 1000 !!!
:004087D3 2BC8           sub ecx, eax                       ; ecx = ecx - windows used
:004087D5 85C9           test ecx, ecx                      ; ecx = 0 ? no more ?
:004087D7 7E20           jle 004087F9                       ; jump if ecx <= 0 (signed: jle, not je)
The best idea is to set a bpx here : :004087C9 Call 0040BB7A. When it breaks, press 'F8' and we land in SHMSWNRC code; you can see shmswnrc!.text+4c74 at the top of the data window. Now search for this file on your computer; in c:\windows\system you'll find shmswnrc.dll. Create a dead list of it and look in "String Data References" for the good stuff. The one I liked was this one, which looks like an entry in the registry :
* Possible StringData Ref from Data Obj ->"SOFTWARE\Classes\CLSID\{23DD4C01-A3D6-11d2-BA8C-444553540000}"
|
:10035D0C 68C8E20310     push 1003E2C8                      ; subkey name (the CLSID string above)
:10035D11 6802000080     push 80000002                      ; 80000002 = HKEY_LOCAL_MACHINE
* Reference To: ADVAPI32.RegCreateKeyExA, Ord:015Fh
|
:10035D16 FF150CB00310   Call dword ptr [1003B00C]
:10035D1C 85C0           test eax, eax                      ; ERROR_SUCCESS = 0 ?
:10035D1E 7536           jne 10035D56                       ; key could not be created/opened -> skip the write
:10035D20 C745F404000000 mov [ebp-0C], 00000004             ; 4 = REG_DWORD (value type)
:10035D27 C745F004000000 mov [ebp-10], 00000004             ; 4 = size of the data in bytes
:10035D2E 8B55F0         mov edx, dword ptr [ebp-10]
:10035D31 52             push edx                           ; cbData
:10035D32 6824000410     push 10040024                      ; lpData -> the counter DWORD
:10035D37 8B45F4         mov eax, dword ptr [ebp-0C]
:10035D3A 50             push eax                           ; dwType
:10035D3B 6A00           push 00000000                      ; Reserved
* Possible StringData Ref from Data Obj ->"OLERange"
|
:10035D3D 6808E30310     push 1003E308                      ; lpValueName = "OLERange"
:10035D42 8B4DF8         mov ecx, dword ptr [ebp-08]
:10035D45 51             push ecx                           ; hKey returned by RegCreateKeyExA
* Reference To: ADVAPI32.RegSetValueExA, Ord:0186h
|
:10035D46 FF1500B00310   Call dword ptr [1003B000]
:10035D4C 8B55F8         mov edx, dword ptr [ebp-08]
:10035D4F 52             push edx
We can see that the program creates a registry key named :
SOFTWARE\Classes\CLSID\{23DD4C01-A3D6-11d2-BA8C-444553540000}
Then it creates the value OLERange; this is the DWORD that holds how many screens we have used, and it is updated by the function RegSetValueExA. So, if we force the program not to get there, it will not update the number of screens already used, and we never reach the 1000 screens !!!
This can be done in this way :
* Reference To: ADVAPI32.RegCreateKeyExA, Ord:015Fh
|
:10035D16 FF150CB00310   Call dword ptr [1003B00C]
:10035D1C 85C0           test eax, eax
:10035D1E 7536           jne 10035D56                       ; change it to jmp !!
Remember to create a backup of the DLL file before you apply the patch, just in case something goes wrong !!!
* If you have already reached the 1000 screens by now, go to the registry and change the value to a number less than that.... :)
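The two weaknesses this tutorial walks through, the 'sub ecx, eax / jle' count against 1000 and the bare REG_DWORD 'OLERange' that anyone can edit or stop from being updated, are easy to see from the other side of the table. The following is an added example, not code from the tutorial or from Spector/SHMSWNRC: it rebuilds that counter logic in Python (the registry is simulated with a dict; the value name, the secret and every sample value are constructed) and puts the plain counter next to a tamper-evident variant in which the stored value carries an HMAC, so that a hand-edited or reset counter is rejected instead of trusted.

```python
# Added example (not part of the original tutorial or of Spector/SHMSWNRC).
# Reconstructs the trial-counter design the tutorial reverses (a plain
# REG_DWORD "OLERange" compared against 1000 = 0x3E8) and contrasts it with a
# counter that carries an HMAC tag.  The registry is simulated with a dict;
# the secret and all sample values are constructed for the demo.
import hmac
import hashlib
import struct

TRIAL_LIMIT = 1000   # 0x3E8, the constant loaded by "mov ecx, 000003E8"


# --- the design the tutorial found: a bare DWORD in the registry -----------

def screens_remaining(used):
    """Mirror of 'sub ecx, eax / test ecx, ecx / jle': a signed difference.
    The trial is exhausted when the result is <= 0 (jle, not je)."""
    return TRIAL_LIMIT - used


def trial_exhausted_plain(store):
    """Whoever can write the registry value (or stop RegSetValueExA from
    ever being reached) controls this number completely."""
    raw = store.get("OLERange", b"\x00\x00\x00\x00")
    used = struct.unpack("<I", raw)[0]
    return screens_remaining(used) <= 0


# --- tamper-evident variant: counter || HMAC-SHA256(counter) ---------------

SECRET = b"constructed-demo-secret-not-a-real-key"   # assumption: app-held secret


def encode_counter(used, secret=SECRET):
    """Serialise as little-endian DWORD followed by a 32-byte HMAC tag."""
    raw = struct.pack("<I", used)
    tag = hmac.new(secret, raw, hashlib.sha256).digest()
    return raw + tag


def decode_counter(blob, secret=SECRET):
    """Return the counter, or None if the blob is missing, has the wrong
    length, or its tag does not verify (value edited or reset by hand)."""
    if blob is None or len(blob) != 4 + 32:
        return None
    raw, tag = blob[:4], blob[4:]
    expected = hmac.new(secret, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack("<I", raw)[0]


def trial_exhausted_hmac(store):
    """Fail closed: a missing or invalid counter counts as exhausted, so
    deleting or zeroing the value does not reopen the trial."""
    used = decode_counter(store.get("OLERange"))
    if used is None:
        return True
    return screens_remaining(used) <= 0


def record_screen_hmac(store):
    """Increment the authenticated counter; refuse if it does not verify."""
    used = decode_counter(store.get("OLERange"))
    if used is None:
        return False
    store["OLERange"] = encode_counter(used + 1)
    return True


def demo():
    # Plain DWORD: lowering the stored number reopens the trial.
    plain = {"OLERange": struct.pack("<I", 1000)}
    plain_before = trial_exhausted_plain(plain)
    plain["OLERange"] = struct.pack("<I", 5)          # "change it to a number less than that"
    plain_after = trial_exhausted_plain(plain)

    # HMAC variant: the same edit breaks the tag and the trial stays closed.
    auth = {"OLERange": encode_counter(1000)}
    auth_before = trial_exhausted_hmac(auth)
    auth["OLERange"] = struct.pack("<I", 5) + auth["OLERange"][4:]
    auth_after = trial_exhausted_hmac(auth)
    return plain_before, plain_after, auth_before, auth_after


if __name__ == "__main__":
    print(demo())   # (True, False, True, True)
```

The authenticated variant has to be seeded once at install time with encode_counter(0); after that every read verifies the tag before trusting the number. Two caveats a practitioner should keep in view: a secret that lives inside the binary can be lifted by exactly the kind of dead-listing shown above, so this only raises the cost of editing the stored value, and it does nothing against patching the comparison itself (the jle/jne flips in this tutorial), which is why the check should not hinge on a single flag or jump.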
REMEMBER, I'm doing my cracks as a hobby and a challenge, so please, if you like this utility and want to keep using it, support the author and pay for it.
My thanks and gratitude go to:
The Sandman, for all he is doing for us newbies.
Rhayader, for helping me with Reverse Code Engineering and useful tips.