PCAnywhere Version 7.5 REVISED
Crack by Hackmore Readrite
Available at http://www.symantec.com

PCAnywhere is a MUST HAVE program for anyone with a reason to connect two or more computers together. It allows you to connect computers using a parallel port, com port, telephone lines, or even the internet. Once connected you can transfer files, control the other computer from YOUR keyboard, run programs on the other computer, etc. You can even use it to set up one of your office computers as a gateway. Imagine being a thousand miles from home, and being able to run debug on your home computer, for the price of a local phone call, just by connecting through the internet! Or get that file you left at the office without even leaving home! It even has a chat feature so you can teach someone how to use their own computer, while they see it happening on their screen, and you sit at home sipping martinis explaining the program to them on the phone. I LIKE IT!

Here's a short story so you'll know why I decided to crack this program. Call it "getting even" if you want. Right after I got my first computer three years ago, it became evident that I absolutely must have a way to connect two computers together via the telephone lines. So I shopped around and decided PCAnywhere was the product I needed. (For those of you who don't know me, three years ago I knew absolutely NOTHING about computers!) So I emptied my bank account and left my money at the software store. One year, and one lightning bolt later, it was time to buy a new computer. It just happened that my new computer came to me loaded with Win95! And the first thing I did was dive into my software repository to get my PCAnywhere disks. Install went fine, but when I rebooted and tried to run PCAnywhere: CRASH!!!, and Win95 was kind enough to tell me the program wouldn't run on Win95, but gave me the phone number to call to get an updated version of PCAnywhere. Win95 actually KNEW Symantec's phone number! I called the number.
The nice lady on the other end said I had too much money in my bank account, and I should send some to her. There went my life's savings again. This really pissed me off at Win95 and Symantec, but what else could I do? I got PCAnywhere Version 2.0!

Just over a year later, I was helping +FRAVIA locate a piece of software. (Whitewater Resource Toolkit - if you have a version newer than version 3.01a PLEASE send it!) My search led me to Symantec's home page, where they are offering ALL of their software for a FREE 30 day trial. So I scanned the list looking for "WRT" and what do I see! PCAnywhere VERSION 7.5! Four megs of download time later, I was installing my "new" version. Just reading the display during install told me this program was WAY ahead of the "old" version I was using. Installed and rebooted, I started the program. I LOVED the new look. But, curious about what I was about to crack, I shut it down and set my clock 30 days ahead. DON'T DO THAT! The program expired, as expected, but turning my clock back did not turn back the expiration! I deleted all traces of the program from my computer and re-installed it, but it still said the time limit had expired. I downloaded a whole new four megs and re-installed again, but the time limit was still expired! It had looked SO GOOD, I wanted to TRY IT! All it would do is tell me the time limit had expired, and I should phone a number to order it. Then it would disappear from my screen.

I knew I was up against one of the best. Peter Norton TAUGHT me programming. (His book "PC Programmer's Bible" is my entire education on computing.) I was sure he would pull a trick like this. I figured he jiggled a byte in my bios or played with my registry. A quick check of the registry came up empty, but I didn't want to waste too much time looking for something when I had no idea what it might be. So, I tried a little "social engineering" on the telephone. Peter has his ladies trained well.
They told me ALL I could do was drain my life savings again! There's NO way I could "try before I buy" because "I blew it!" Send Peter more money, THEN I could try it. Peter, this means WAR!

I decided to try the "dead approach" this time, to "test" how smart I was. I loaded Winaw32.exe into Wdasm7 (thanks Frog!) and began to read. I scanned down the page, and in the section labeled "Imported Modules", under the heading "Imported module 004: AWCOMM32.DLL", was the title "TimeBombCheck@4"! I had expected a challenge! I did a search, and "TimeBombCheck@4" came up twice, in the listing I had read, and at the call to it in the program. Break out SoftIce. Bpx on the offending line and run the program. SoftIce kicks in at the following code:

   :00406350 FF15989D4700          CALL DWORD PTR [EBP+FFFFF728]          (TimeBomb)
   :00406356 85C0                  TEST EAX, EAX                          (check)
   :00406358 0F8521000000          JNE 0040637F                           (good guy)
   :0040635E C78520F7FFFF00000000  MOV DWORD PTR [EBP+FFFFF720], 00000000
   :00406368 C745FCFFFFFFFF        MOV [EBP-04], FFFFFFFF
   :0040636F E809010000            CALL 0040647D                          (bad guy)
   :00406374 8B8520F7FFFF          MOV EAX, [EBP+FFFFF720]
   :0040637A E914010000            JMP 00406493

The CALL was suitably named "TimeBombCheck@4", and I usually find all those zeros on the line after a jump mean bad news, (I DID say USUALLY!) I assumed the TEST should come out "not" even IF I was registered. (For those who do not know: TEST EAX, EAX ANDs EAX with itself, throws the result away, and sets the zero flag only when EAX is zero. The JNE that follows is taken only when the zero flag is clear, so the "good guy" path is reached exactly when TimeBombCheck returned a non-zero value.) Still in SoftIce, I began to assemble...

   :a cs:00406358
   :00406358 jmp 0040637f   (EB25) -> jump to the "good guy" address
   :0040635A push eax       (50)   -> then fill the extra 4 bytes
   :0040635B push edx       (52)
   :0040635C pop edx        (5A)
   :0040635D pop eax        (58)

(The original JNE is six bytes long and the short JMP only two, so the remaining four bytes are filled with push/pop pairs that leave every register exactly as it was.)

To my total disgust, the "expired" picture was there, telling me Peter was greedy, and I should send him my money! Frustrated, (but not ready to give up yet), I lied and pushed the button that said "O.K."
To my surprise, the program came up on my screen! This time I pushed some buttons to see just what this puppy could do. I LIKE IT! Thanks Peter!

----------------------------------------------------------------------------
(NOTE: This WORKED on MY computer for over a week, until I did some house cleaning in my registry, which caused the program to shut down every time I selected a function. It's a BAD crack, because there are several .exe files in this program, each with its own CALL to TimeBombCheck, and each with its own TEST instruction after the call. Almost every .exe file would have to be cracked! Sorry to all those who have tried this crack and became angry because it did not work! The REAL fix is at the end of this page.)
----------------------------------------------------------------------------

Now, the nag screen had to go. Just a tiny bit of Zen told me it must be in the AWCOMM32.DLL module, because that's where the CALL to "TimeBombCheck@4" pointed to. A little more SoftIce-ing was needed. Reload the program, Bpx on the CALL to "TimeBombCheck@4" and SoftIce breaks at the call again, but this time trace into it. Keep tracing ("t") until you get to a CALL instruction, then set the cursor on the line right after the call, and type "here" at the prompt (or "F7"), watching the screen closely each time to see if the "nag screen" is visible. For the beginners among us, tracing ("t") through code is necessary in order to stay with the code when it branches off (JMPs). The "here" instruction, with the cursor on the next line of code after the "CALL", will process the call, then stop at the cursor, then you can "t" trace again. I had passed through about 12 calls when I saw the "nag screen", so I cancelled my breakpoint and set a new one on the call which I had just passed through. Then I let the program run its course. After the program shut down, I re-loaded it, and pressed "ctrl-d" to run it to my breakpoint. Here's the code from cs:088fB7F2...
   8D8DE0F3FFFF          LEA ECX, [EBP+FFFFF3E0]                 (load address)
   E8F7F30000            CALL 0890ABEE                           (make nag screen)
   C78580F2FFFF00000000  MOV DWORD PTR [EBP+FFFFF280], 00000000

Here, I just wanted to defeat this call, so the "nag screen" would leave me alone. So I re-assembled the bad call line to...

   "a"
   "jmp 088FB7F7"   (EB03) -> (skip this call)
   "push eax"       (50)   -> (cover the extra bytes)
   "nop"            (90)
   "pop eax"        (58)

-----------------------------------------------------------------------------
(NOTE: Remember, this turned out to be a dirty fix because of my dirty registry, read on for the real fix!)
-----------------------------------------------------------------------------

The program ran its course without showing me that ugly "nag screen", so I broke out my old friend "HexEdit" and got to work.

   Load...          Winaw32.exe      (To fix the TimeBombCheck)
   Search...        "0F8521000000"   (The JNZ 0040637F line)
   and typed in...  "EB2550525A58"   (the "fix", JMP anyway)
   Save...          to disk

   Load...          AWCOMM32.DLL     (To fix the NAG screen)
   Search...        "E8F7F30000"     (The CALL 0890ABEE line)
   and typed in...  "EB03509058"     (the "fix", pass right through)
   Save...          to disk

That's it. Now a test run, and I learn that I now have a program I can test drive for as long as it takes for me to decide IF I like it. Or at least until Peter comes up with a newer version. Thanks Peter. You, and +ORC, have taught me well, but I thought YOU of all people, would have given me a more challenging puzzle. This one took less than an hour to solve!

-----------------------------------------------------------------------------
Peter must have laughed when he read that last paragraph! I don't know how my registry allowed this crack to work, but when I cleaned my registry, the program did just what Peter designed it to do. SHUT DOWN! And Peter got another 30 minutes of my time. Stop laughing Peter, here's the real way to "repair" your TimeBomb!
-----------------------------------------------------------------------------

As mentioned earlier, several of the .exe files call TimeBombCheck, and each .exe has its very own CALL to TimeBombCheck and then does a "TEST EAX, EAX" right after the call. Since TEST EAX, EAX sets the zero flag only when EAX is zero, and the JNE after it is taken only when the zero flag is clear, it should be obvious that EAX must come back from TimeBombCheck holding some non-zero value. We need to back up, into the TimeBombCheck sub, to find where the value is placed into EAX. (By the way, the second EAX in the instruction "TEST EAX, EAX" is just a "mask" that doesn't hide very much.)

So I repaired my registry, re-installed PCAnywhere so I would be working with a "virgin" copy, then loaded WINAW32.EXE into SoftIce, and set a breakpoint at the call to TimeBombCheck. Then trace into the call, and each time a new CALL instruction comes up, drop the cursor down to the following line and do a "here" instruction in SoftIce to pass through the CALL. The call to the nag screen is slightly different this time, but the same "fix" will get rid of it. And after passing 16 CALLs, we see what we're looking for. The program loads EAX with a value that has been stored on the stack, then JMPs to the RET. Now let the program run itself out, and pull out HexEdit so we can REALLY fix this thing!

   Load...          AWCOMM32.DLL     (To fix BOTH "problems")
   Search...        "E8ADF40000"     (The CALL NAG screen line)
   and typed in...  "EB03509058"     (the "fix", pass right through)
   Search...        "8B8584F2FFFF"   (The MOV "0" on stack to EAX line)
   and typed in...  "B801000000"     (the "fix", MOV a "1" into EAX)
   and...           "90"             (NOP to fill the extra "lost byte")
   Save...          to disk

No repairs will be necessary on the other .exe files now, since they will all find a "1" in EAX when they return from TimeBombCheck. This, of course, is a much cleaner crack, and I should have done it this way the first time. Sorry.
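The HexEdit sessions above (the first-pass patch to Winaw32.exe earlier on this page and the "real fix" to AWCOMM32.DLL just shown) are search-and-replace on raw bytes. As an added example, and not code from this page or from Symantec, here is a small Python patcher that does the same job with two checks a hex editor does not make for you: it computes the short-jump displacement (the "xx" in EB xx) from the source and target addresses instead of guessing it, and it refuses to patch when the search string is not unique in the file or when the replacement would change the file's length. The two "images" it patches are constructed byte buffers with the page's own byte sequences embedded, not the real Winaw32.exe or AWCOMM32.DLL; the function names and the dictionary layout are the example's own.

```python
# Added example, not from the original page: a byte-patcher for the HexEdit
# steps above, with a computed jump displacement and a uniqueness check.
# IMAGES below are constructed stand-ins, NOT the real Winaw32.exe/AWCOMM32.DLL.

def short_jmp(src, target):
    """Encode a 2-byte short JMP (EB rel8) that sits at `src` and lands on `target`."""
    rel = target - (src + 2)          # rel8 counts from the END of the 2-byte instruction
    if not -128 <= rel <= 127:
        raise ValueError(f"{target:#x} is out of short-jump range from {src:#x}")
    return bytes([0xEB, rel & 0xFF])


def patch_once(image, pattern, replacement):
    """Return (patched_image, offset). Refuses ambiguous or size-changing patches."""
    if len(pattern) != len(replacement):
        raise ValueError("replacement must match the pattern length; pad with NOP (90)")
    hits = [i for i in range(len(image) - len(pattern) + 1)
            if image[i:i + len(pattern)] == pattern]
    if len(hits) != 1:
        raise ValueError(f"pattern {pattern.hex().upper()} found {len(hits)} times, expected 1")
    out = bytearray(image)
    out[hits[0]:hits[0] + len(pattern)] = replacement
    return bytes(out), hits[0]


# The patches from the page, keyed by the file they belong in.
PATCHES = {
    "Winaw32.exe": [
        # JNE 0040637F  ->  JMP 0040637F + push/pop filler (the first, dirty fix)
        (bytes.fromhex("0F8521000000"), bytes.fromhex("EB2550525A58")),
    ],
    "AWCOMM32.DLL": [
        # CALL nag screen  ->  JMP over it + push/nop/pop filler
        (bytes.fromhex("E8ADF40000"), bytes.fromhex("EB03509058")),
        # MOV EAX,[EBP+FFFFF284]  ->  MOV EAX,1 + NOP (the "real fix")
        (bytes.fromhex("8B8584F2FFFF"), bytes.fromhex("B80100000090")),
    ],
}

# Constructed stand-ins: each pattern occurs exactly once, surrounded by NOP
# padding and the neighbouring instructions shown on the page.
IMAGES = {
    "Winaw32.exe": (b"\x90" * 8
                    + bytes.fromhex("FF15989D4700")     # CALL [TimeBombCheck]
                    + bytes.fromhex("85C0")             # TEST EAX, EAX
                    + bytes.fromhex("0F8521000000")     # JNE 0040637F
                    + b"\x90" * 8),
    "AWCOMM32.DLL": (b"\x90" * 8
                     + bytes.fromhex("E8ADF40000")      # CALL (nag screen)
                     + b"\x90" * 8
                     + bytes.fromhex("8B8584F2FFFF")    # MOV EAX, [EBP+FFFFF284]
                     + b"\x90" * 8),
}


def apply_patches(image, patches):
    """Apply (pattern, replacement) pairs in order; returns (image, list_of_offsets)."""
    offsets = []
    for pattern, replacement in patches:
        image, off = patch_once(image, pattern, replacement)
        offsets.append(off)
    return image, offsets


def patch_all(images=IMAGES, patches=PATCHES):
    """Patch every image; returns {file_name: patched_bytes}, lengths unchanged."""
    return {name: apply_patches(img, patches[name])[0] for name, img in images.items()}


if __name__ == "__main__":
    # Cross-check the two jump encodings typed into SoftIce on the page.
    print(short_jmp(0x00406358, 0x0040637F).hex().upper())   # EB25
    print(short_jmp(0x088FB7F2, 0x088FB7F7).hex().upper())   # EB03
    for name, data in patch_all().items():
        print(name, data.hex().upper())
```

Run it as-is to see the two encodings (EB25 and EB03) and the patched buffers. To use it on real files, read each one with open(name, "rb").read() in place of the constructed buffers, and write the result back only after the offset reported by patch_once matches the location SoftIce showed; a byte string that matches twice is exactly the case where a blind hex-editor "search and type" would patch the wrong place.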
Yes, Peter, the "cleanest" crack would have been a repair to your "time keeper", or the code that reads it, but many people hesitate to play with things they do not understand, like bios or registry files, when they know it could cause them problems with their system. So I've tried to make this simple enough for anyone to do. After all, EVERYONE should have PCAnywhere, and EVERYONE should know how to CRACK.

Happy Cracking 'till next time;

Hackmore Readrite
DataMiners Inc.

*EOF*