"System NoteBook V1"
Thinking *Like* A Cracker
PART II
 
Cracking Challenges For All - A Forum for newbies learning to crack.
 
On October 24th 1998 a brand new cracking forum was opened for all newbies to participate in, the aim of which was to encourage newbies interested in learning to crack to work together and focus their skills on cracking a single program between themselves. 
 
My participation in this project was only to give a sense of direction and purpose to this exercise, the rest I left to the skills and determination of those who participated in this project.
Here now are the postings from this project which I hope will help you as much as it helped everyone else.
 
The Sandman
 
Special thanks goes to:
Jeff, D0gBytes, Smasher, salgaris, JohnnyFrank,
LenraV, DawnRun, DSP, Dugue, VERtiCES, halIfax
 
 

 
Message Thread 8.
SNWIN Install date 
 
 the snake - SNWIN install date - Tue Oct 27 05:55:07 1998

     hello to all,

     I found something interesting:

If we change the date of the computer 2 years ahead before installing the snwin, and then change the date back to today's date, it gives us 600 days to register!! If we re-install it after we install it first with today's date it remembers the original install date. When I install a new babe in my computer I make a backup of these 2 files c:\windows\system.dat and user.dat so.. to re-install we have to restore from backup... for not "remembering" the last installed program. That tells us that the programmer of snwin doesn't check for more than 30 days, it still "nags" but more days to play with..

 the snake

     p.s. can someone tell me what the meaning of *grin* is?



 

D0gBytes -  *grin* - Tue Oct 27 10:11:16 1998

     Hello Snake,

That is an interesting bit of info about how this program handles the date. It maybe tells us a lot about how the author is likely to protect future projects. *grin*

The meaning of "grin" is basically to "smile". You might have *grinned* when you found that you could get a 600 day evaluation period with this program. It is probably a word similar to the European words "grennen" or maybe "grennian".

Regards,
Bytes


The Sandman - 600 days! *grin* - Tue Oct 27 14:23:50 1998
 

Greetings Snake,

If your 'discovery' is true, then I congratulate you on your keen observations, it's amazing just how much potential information is so easily lost to crackers when they go in for the 'crack', ignoring everything else around them.

IMHO, the actual 'crack' is no more important than those 'ready made' cracks found in their 1000's on the web, what's really important is the knowledge and skill I learnt from the program!

Well done Snake,

The Sandman



 

DawnRun - Dating:-) - Tue Oct 27 12:55:19 1998
 

     Hi,
 
Have a close look at the registry. Look for IXOYE. See that number? PLAY with it. You'll get....????

L8R
DawnRun


the snake - DawnRun : dating - Wed Oct 28 04:18:07 1998
 

DawnRun

Please give me some more words on that, in simple English. (It's not my language.)

thanks
the snake


Jeff - Wow! 600 days to Register! New Version By Then! - Tue Oct 27 12:39:35 1998
 

Hiya Snake;

What a find!  And this is possible because the author did not put in a check for AFTER 30 days???  Where; What file has been changed that holds this 600 day information?

Jeff
 
 
Message Thread 9.
SNWIN 
 

DawnRun - SNWIN - Tue Oct 27 06:19:56 1998

Hi

I'm stuck stuck stuck.  This is how far i got:

By now most of you who haven't already cracked SNWIN agree that the program makes a call to the registry. Looking at the ConfigFlags entry in IXOYE (as of today "36125") and manipulating it to say "999999999", we get zillions of remaining trial days but still have the nag. Setting the value even higher, there'll be an error msg stating that #9999999999999999...etc is not a valid integer value.

Pressing OK the prg will run anyway although this time WITHOUT showing the nag.

The dead listing provides for entries such as:

     "USERNAME"
     "USERORGANISATION"
     "REGISTRATIONNUMBER"

     but also
     "DEFAULTUSERNAME"

Assuming that the entry ConfigFlags "36125" in the registry is based on the system date (the routine entirely eludes me :) ) and likewise, that the author will send a .reg file which after double-clicking will fill in the above mentioned entries, then show up in the HELP/ABOUT menu and of course remove the nag -- why "DEFAULTUSERNAME"? Is there a "shortcut" routine that reads for example the W95/98 reg.-values and - after having found out how to bypass the "official" registration routine - uses those to successfully register the program?

Registry and ASM are still a black box to me; the keys to opening them I hope to learn here.

What, for example, does "ARPL" at :00472798 stand for? That's not ASM, or is it? Loads of other q's but I'm gonna have a break.  Read u later

DawnRun
 
Message Thread 10.
Question 5-7 Cracking the time checks 
 

The Sandman - Questions 5-7 - Cracking the Time Checks - Tue Oct 27 13:36:23 1998
 

Greetings Crackers,

Questions 5-7 will deal solely with one aspect of 'System Notebook's' protection system, namely its use of the 30 Day counter.

There are only THREE questions for this section of our crack..

From some of the postings already on this Forum I see some of you are already tackling this aspect so these questions should be easy enough for you to answer.

Typically, programs that function for a set period of time, as in the case of our target program, can usually be stopped in their tracks by SoftICE using this bpx command: bpx getlocaltime. There are of course other such SoftICE breakpoints you can use, I only use this as an example should some of you not already know this.

Some of you have already stated that the protection system used in System Notebook is very weak, and I agree, but to many people this is not the case. So the protectionist 'wins' using a simple and easily broken protection system.  A shame really, if only people took a closer look at their software, and were not afraid to experiment with it, they might be surprised to find out that in reality, the protectionists actually count on you thinking that their software cannot be broken!

Here are your three questions.. When you reply to these questions I ask that you explain your answers as detailed as possible so that everyone else can understand.

Question 5. Where in the computer's memory is the 'Days remaining' value stored? List all locations where this program either 'reads' or 'writes' to this 'Days remaining' memory location.

Example of a numeric value being 'read'.

Mov EAX,[XXXXXXXX] ;Register EAX is being given the value 'stored' at address XXXXXXXX

Example of a 'write' being performed.

Mov [XXXXXXXX],1E ;1E = 30 Decimal, is being stored at memory address XXXXXXXX
 

Question 6. Where does this program keep the 'number of days you have to evaluate this software'?

If you uninstall this program and then re-install it again in the hope of somehow 'fooling' the program into giving you another 30 'free' days and then try and run the program, then the program will STILL know how many days you have left, or, if you've used all your 30 days then it will refuse to work thereafter. How does it do this?

Question 7. Once you have been able to find the answers to the above, explain in detail how someone *could* disable this 30 day counter. You MUST however allow the nag screen to operate as normal, that is based on a different protection system so we will leave this alone for now.  Remember, I'm looking for ways to disable the 30 day counter ONLY.

There are a number of ways you can do this.. You can make this 30 day counter into a huge number, where it will take years to reach 0 days. Another way might be to stop the 30 day counter from ever being executed, in effect freezing it for ever. Another way you could try is to take the original value of 30 days and make the program start with, say, -30 days. If the counter begins with a minus value and the program decreases this value after each day, then it will NEVER reach 0!

Take your time on these questions and be as detailed as you can in your replies.

The Sandman


Jeff - Questions 5-7 reply - Wed Oct 28 11:10:20 1998
 

Hi All! Hi Sandman!

Question # 5)   I am afraid that I just do not know HOW to perform the bpx getlocaltime so I have not been inside the code...(Well; nowhere in the code that I recognize as being where I should be anyway) Do I bpx hmemcpy first to get SNWIN to pop first...I am struggling with this one...

Before moving on to Question 6)& 7)...

I have always been extremely leery of changing anything in my registry; not owning a backup system I must always be extremely careful; There are only so many things that attrib -r -s -h in Dos will fix up...

So The Sandman explained to me many many weeks ago how to create a REG file; So before I make any changes I will only make one change and write it down...but before making a change I will make sure that I first can figure out how to make this REG file Back-up file...  I find the section of Registry that I want to change and open it...

In this case I choose Hkey_Current_User\Software\System NoteBook\1.0.0.4...

I make one change ( so I can remember; & not have to write a bunch of stuff down...)  Then click on the Registry option menu; I see Import and export registry file...putting my arrow on "export" tells me that this is the one I want..."exports all or part of the registry to a text file"...   I click on this and up pops a SAVE box; I name it "SysNoteBK Test" and click save...
 
Damn! I forgot to see WHERE it was being saved at!!!   Okay I bring up my FIND box in Windows and type in, for search, *.reg

(.reg being the extension that this file was saved AS)(the * will find ALL files of that extension)

The search tells me my file was saved at C:\Windows

Okay I make a change in the registry window From:

RegisteredVersion (1) and I make it a value of ZERO;

I then go and find my back-up in C:\Windows and double click on it watching my Registry Window and.....  YES! It changed it back to my Original (1).

I am ready to proceed with tampering with my registry...
 

6) The day value is stored @ Hkey_Users\Default\Config

     It is also stored at Hkey_Current_User\App Events\Config

By changing the value in either; it will change the value in the other...

By changing the value at IXOYE ConfigFlags, different values appear on the 30 day Nag Screen:

     0 = 30 day trial starts now
     1= 30 day trial has expired

also when you make it the value "0" and then open and close the program; when you come back to the registry and reopen IXOYE you will find the ZERO has been changed to a new value of "36158" ???   (I do not think this number will be a constant that ALL will see in their system...I seem to remember that yesterday before taking notes that I had a different number than "36158".)

Any value up to & including 4 digits reveals "expired"; upon reaching the 5th digit, of any combo, you receive billions and billions of days...*grin*

     example:
     999=expired
     9999=expired
     99999= trial version=63,871 days to expiration. (NAG Screen Remains)
     (good in this case so that it reveals how many days you have left)

One thing I noticed is the "pattern" set forth by adding another digit in the "9" values...(I did not have time to check like 88888's)

     example:
     99999=63,871 days left
     999999=963,871
     9999999=9,963,871
     99999999=99,963,871 days left

upon reaching the tenth digit you receive an ERROR message of "9999963871"
     (notice our numbers 63871 at the end... 5 digits also...)

Your 9('s) is (are) added on to the beginning of this string value with any value over the fifth digit...  Continuing to manipulate numbers brought me to another thought; How do I find where this "36158" is being called from...?

So I put in the value of "0" and opened the program; the nag pops; I go back and check the value of IXOYE; in  the reg window it still says Zero; but if you click on ConFigFlags and choose "Modify" you will see that the value of 36158 has already been (called???) and is sitting waiting for the program to close...as soon as you close the program the "0" value is replaced with the new value of 36158...(?)

After a smoke and my coffee I began to wonder...wait...Is this # being generated by The PROGRAM being opened ?; OR by the NAGSCREEN itself???

Having discovered from other writings on this project that typing RegisteredValue... in Hkey_Current_User\Software\System NoteBook\1.0.0.4... and then assigning it the value of (1) the Nagscreen goes away...So this I did and repeated the above steps...No nagscreen pops...I check the "Modify" option...still Zero (has not changed to "36158"), I click on a few options, checking each back to the number sitting in the "Modify" box...each still produces the Zero. I close the program...it's still Zero...

I therefore conclude that it is THE NAGSCREEN itself that is generating this value of "36158" in ConfigFlags...(?)

My next thought would be to try to determine FROM WHERE this number is being called and see if there were a CMP to a GOOD number...(?)

I then could use that number to...register it??? I do not know.

   1)Is it possible to perform the above test and have ICE pop on it somehow? (?)

     But:

     2) I'm not sure this is a CONSTANT value assigned to "0" and could waste to much of my inexperienced time chasing rainbows...

     3)I do not know how to go about performing this search...if... 1) above is not an option...

(every time I s 30:0 l ffffffff "text here anything" I do not know what to do with my resulting search from there.)

Okay; I think I have gone as far as I am capable: Typing value (1) after typing in RegisteredVersion...will disable nag;  Above explains changes to enable massive amounts of days left...  I do not know how to get the value of -30 days...

Anyway; I think I may be way overboard as to answering question number 6 & 7 so I will end this here:

Sandman was this toooooooo much detail? *grin*

I think I will learn more here interactively than doing 50 more tutorials!

Can you recommend a Good bpx getlocaltime tute for me please? Thanks

Respects!

 Jeff



 

jeff - My answers to Q# 5 - Wed Oct 28 21:21:15 1998
 

     Question # 5

     Okay;
     I have figured out how to do a getlocaltime break

     pop ice;bpx hmemcpy; x; Open program; ice pops; f-11; bc 00;
     bpx getlocaltime; x; ice pops; f-11; You are now in SNwin getlocaltime
     code.

     I set my ice window to "watch" eax by typing in:
     watch eax
     this enabled another window in ice that I could watch instead of
     watching only the register window.
     I also typed in wf at input line.
     This also enabled another window...
     not sure what it's for...but it did alert me to my IXOYE ConfigFlags
     number "36126"...the number being displayed in the registry.

     (Your number may be different; mine changes when I change my date)

     Observing the "wf" window This number was found at line:

     0047221a add esp,-08 <<----"36126"

     I was able to observe the number "1E" in the watch eax window when I f-10-ed to lines:

     0046f991 mov [ebp-08], eax

     and @

     0046f9b4 mov esp, ebp

     f-10ing thru the code these two lines above did a SECOND loop (checked twice)

     I don't know what the lines mean...

     Jeff



 

DawnRun -  RE: - Thu Oct 29 10:49:40 1998
 

Hi Jeff and everybody,

"(Your number may be different; mine changes when I change my date)"

Don't have to change your date, just leave the date and the ConfigFlags -they are always ie 36126 minus 30 when you look at  DD1C24 fstp qword ptr [esp] (36096)  you'll find the number of days remaining, so 2morrow it'll be 1D,  the REAL # of days remaining.

"Observing the "wf" window This number was found at line: 0047221a add esp,-08 I was able to observe the number "1E" in the watch eax window when I  f-10-ed to lines: 0046f991 mov [ebp-08], eax   and @ 0046f9b4 mov esp, ebp f-10ing thru the code these two lines above did a SECOND loop (checked twice) I don't know what the lines mean..."

That's where the actual # of days is stored to be l8r FSUBR'd, the code of which I haven't figured out. jump jump jump :)

look above
DawnRun



 

Jeff - The Number 36158 - Wed Oct 28 14:43:41 1998
 

Hi;

Well; some more checking showed that the number in ConfigFlags is variable and does change...when you change your clock... I just screwed up my registry (somewhere; got a registry PROBLEM message) when I was trying to find that #36158 while having registry Open and using softice to try to trace it...
 
Okay so maybe I left my brains somewhere today... I will wait for helpful advice on this Trace.
 
Cya
Jeff


Smasher - Re to Jeff - Wed Oct 28 14:55:17 1998
 

Hi Jeff!

I think that you need to "break" on reading this number from SNWIN code and after that look at what SNWIN does with this number... Or have I misunderstood you?

Have a nice work!
Smasher


DawnRun - getlocaltime - Wed Oct 28 13:59:29 1998
 

Hi Jeff,

you wrote:

"6)The day value is stored @ Hkey_UsersDefaultConfig"

It's also stored in Hkey_Current_User/Config. Does that have any significance?

Regarding S-Ice: I noticed it breaking - using bpx getlocaltime - into an area using real numbers with commands I've never come across :( , like FSTP (Store Real and Pop), FSUBP (Subtract and Pop) and FSUBR (Subtract Real Reversed), but can't make any real thing of it...yet. It's probably part of the counter routine, that someHOW? checks with the ConfigFlags stored in the registry.  There's no (happy) end in sight...not yet.

DawnRun


VERtiCES - FSUBR mystery - Wed Oct 28 19:00:08 1998
 

After this instruction, did anyone notice that it shows the number of days remaining in the fpu register ST(0) in decimal form?? In case you didn't know, fpu registers can be watched by typing 'wf' at s-ice's command line.


the snake - JEFF - LOOK ABOVE !!!! - Wed Oct 28 12:45:44 1998

hello jeff,

I haven't finished reading all of this post yet, but I have already written a note to the forum about this, read it. Happy to be helpful
 
the snake


DawnRun -Timechecks SNWIN - Wed Oct 28 09:13:55 1998
 

Hi everyone,

Question 5. Where in the computer's memory is the 'Days remaining' value stored? List all locations where this program either 'reads' or 'writes' to this 'Days remaining' memory location. Example of a numeric value being 'read'.

That's a tricky one, because I don't think it is a simple "direct" countdown from 30-0.  The following snippet of code points to an algorithm eventually resulting in a 5 digit number stored in the registry and used as a reference for the actual countdown. Definitely need help on this one!

Does the string data "%.*d4m@" have something to do with it?
 

     :0047202A B928244700     mov ecx, 00472428
     :0047202F E8B01BF9FF     call 00403BE4
     :00472034 B205           mov dl, 05 <---?
     :00472036 8B45FC         mov eax, dword ptr [ebp-04]
     :00472039 8B80E0010000   mov eax, dword ptr [eax+000001E0]
     :0047203F E894D1FAFF     call 0041F1D8
     :00472044 B205           mov dl, 05 <---?
     :00472046 8B45FC         mov eax, dword ptr [ebp-04]
     :00472049 8B80E4010000   mov eax, dword ptr [eax+000001E4]
     :0047204F E884D1FAFF     call 0041F1D8
     :00472054 B201           mov dl, 01 <---?
     :00472056 A140C44000     mov eax, dword ptr [0040C440]
     :0047205B E8800DF9FF     call 00402DE0
     :00472060 8B55FC         mov edx, dword ptr [ebp-04]
     :00472063 898240020000   mov dword ptr [edx+00000240], eax
     :00472069 8B45FC         mov eax, dword ptr [ebp-04]
     :0047206C E8EFE6FFFF     call 00470760
     :00472071 33D2           xor edx, edx
     :00472073 8B45FC         mov eax, dword ptr [ebp-04]
     :00472076 E859FCFFFF     call 00471CD4
     :0047207B 33D2           xor edx, edx
     :0047207D 8B45FC         mov eax, dword ptr [ebp-04]
     :00472080 8B80E0010000   mov eax, dword ptr [eax+000001E0]
     :00472086 E89506FDFF     call 00442720

     * Possible StringData Ref from Code Obj ->"IXOYE"
 

Question 6. Where does this program keep the 'number of days you have to evaluate this software'?  If you uninstall this program and then re-install it again in the hope of somehow 'fooling' the program into giving you another 30 'free' days and then try and run the program, then the program will STILL know how many days left you have, or, if you've used all your 30 days then it will refuse to work thereafter. How does it do this?

A: Linked to Q5. There's this 5 digit number in the registry in folder IXOYE  (result of an algorithm based on the systemdate?)  HELP!

Question 7. Once you have been able to find the answers to the above, explain in detail, how someone *could* disable this 30 day counter. You MUST however, allow the nag screen to operate as normal, that is based on a different protection system so we will leave this alone for now. Remember, I'm looking for ways to disable the 30 day counter ONLY.

Say the ConfigFlags # is "36125" at installation date, 30 days remaining...By raising the last digit by 1 we get 31 days trial remaining. Or the 2 to 3 gives 40 days, 1 to 2 130 days etc.  Putting in any valid integer value ie "999999999" = zillions of days remaining, nagscreen still showing. Putting "0": trial starts now.  But how does the counter never reach zero?

One last remark. I don't believe this prg to be fully cracked. The function talked about below by the author- FILE/OPTIONS/BACKUP/UNDO is still disabled :(

"In the registered version of System Notebook, the list of named backups also contains all of the changes made to the Registry by System Notebook. You can select one of these items and press the Restore button to undo any registry-based edit made with System Notebook."

There's also a way to get the "Registered to:" in HELP/ABOUT showing. Too many empty "byteholders" in the dead listing......

This definitely is a GREAT exercise.

DawnRun



 

the snake - question no. 6 - Wed Oct 28 13:11:18 1998
 

hello DawnRun,

When you uninstall, usually it doesn't erase the info from the reg file.  I'm not sure if any uninstall does that???

the snake


Coa_chez - Not always, but sometimes - Wed Oct 28 16:09:01 1998
 

Hi Snake,

It seems to me that when uninstalling some programs the uninstall program states "removing registry entries". And usually it does but unfortunately not always. Even if it states it will remove them, I've noticed that there still are some keys left. I always delete the keys myself if the uninstall program didn't.

Coa_chez


The Sandman - Registry Information - Wed Oct 28 16:30:17 1998

As a rule, if a program uses the System Registry to tell it whether or not it's been registered then it will NOT automatically delete these registry entries when it is uninstalled.

This is so that if you re-install the program again it can 'check' to see if it's been installed previously and make the necessary decisions based on whether or not you're entitled to use it.

That's why you can't get another 30 days free evaluation period if you uninstall System Notebook and then try and re-install it again. Same applies to about 99% of all Shareware programs.

For those programs that choose to use a 'hidden' file stored in your C:\Windows\System directory, that file also won't be deleted when you uninstall the shareware program. You would have to locate this file yourself using a program like FILEMON and manually delete it from your hard disk.

The Sandman



 

Anonymous - Re: Questions 5-7 - Cracking the Time Checks -  Wed Oct 28 02:47:43 1998

Hello fellow newbie crackers,

This is my answer to the second set of questions.

Question 5. Where in the computer's memory is the 'Days remaining' value stored? List all locations where this program either 'reads' or 'writes' to this 'Days remaining' memory location.

Answer 5. The only places that I could find that I was sure of are:

 :0046F991 8945F8 mov dword ptr [ebp-08], eax <---A write to the "Days Remaining" location.
 :0046F9B1 8B45F8 mov eax, dword ptr [ebp-08]<---A read from the "Days Remaining" location.

Question 6. Where does this program keep the 'number of days you have to evaluate this software'?

Answer 6.  As was discussed earlier, the value stored in the registry at HKCU\Config

Question 7. Once you have been able to find the answers to the above, explain in detail, how someone *could* disable this 30 day counter. You MUST however, allow the nag screen to operate as normal, that is based on a different protection system so we will leave this alone for now. Remember, I'm looking for ways to disable the 30 day counter ONLY.

Answer 7.  Since I knew that the program is reading and writing the days left as in answer 5 above, my first thought was to disable the read. This resulted in an error message but did disable the nag and the program ran as normal after clicking the error message. Hmmm. It disables the nag, so it is not the answer we are looking for in this question.

I next decided that if the program NEVER wrote the new date value to the registry, it would ALWAYS think that the date had never changed. So, taking the answer to question 5 above,

:0046F991 8945F8 mov dword ptr [ebp-08], eax <---A write to the "Days Remaining" location.

I noped out the instruction by using Ultra Edit hex editor and searching for the string:

79F9FF8945F833C0

and changing it to
 
79F9FF90909033C0

I then started the program. The nag screen was still intact.. I changed the system date forward and backward by several months. The program just kept happily running along each time thinking it was still within the shareware limits.

Regards,
Bytes



 

D0gBytes - Re : Q 5-7 - Wed Oct 28 12:56:00 1998

     Hello Abott,

<<"first what was it that brought you to the conclusion that the time limit was stored at 0046f991 8945fb?">>
     ======================

     I forgot to include that part in my answer.

In my case, when I started the program, the popup told me that I had 27 days remaining in the evaluation period. I converted the 27 days decimal into 27 hex which is 1B.  I knew that 1B would be what I was looking for.

I set SoftIce to break on BPX GetLocalTime. X'ed out of SoftIce and restarted the program. When si broke on getlocaltime, I hit F12 1 time and I could see that I was in the program code by looking at the bottom of si. I started stepping through the program with F10 and F8ing on calls. All of the time, I was watching the registers at the top of the screen looking for "0000001B" which I knew was the 27 days. I found the only 2 places that used "0000001B" and they also matched the description given by The Sandman as what the read and write instructions should look like.

After stepping through the code for about 5 minutes, and only seeing those 2 places, I decided to play with those and see if they were in fact what The Sandman had referred to.

There probably is a method to do a search for them. Maybe The Sandman or someone else will show us.

Regards,
Bytes



 

VERtiCES - number of days remaining - Wed Oct 28 05:04:08 1998
 

After a little bit of tracing, I found out that the number of days remaining is also put into the fpu register, ST(0), at line 46F951.

  :0046F94B 9B         wait
  :0046F94C E8038AF9FF call 00408354 <- calls to GetLocalTime and
                                     <- followed by some instructions
  :0046F951 DC6DE8     fsubr qword ptr [ebp-18] <- 'days remaining'
                                                <- displayed at ST(0) here
  :0046F954 83C4F4     add esp, FFFFFFF4
  :0046F957 DB3C24     fstp tbyte ptr [esp]
  :0046F95A 9B         wait
  :0046F95B 8D45F4     lea eax, dword ptr [ebp-0C]
  :0046F95E E8ED84F9FF call 00407E50



 

Abott - Re: Questions 5-7 - Cracking the Time Checks - Wed Oct 28 03:23:27 1998
 

hello,

i have a couple of questions:

First, what was it that brought you to the conclusion that the time limit was stored at 0046f991 8945fb?

I was under the impression that it would be something along the lines of mov dword ptr [-19] if you had 25 days left. Actually that's only 1 question, but if you could answer it I would be most grateful.....

thanx
Abott



 

VERtiCES - Answer 5-8 - Thu Oct 29 02:08:52 1998
 

Here are my answers. I hope my explanation can be understood.

Question 5. Where in the computer's memory is the 'Days remaining' value stored? List all locations where this program either 'reads' or 'writes' to this 'Days remaining' memory location.

My guess is that the locations are at 70FC78 and 70FC7C. There were many other locations where the 'days remaining' values are written and erased and moved about, either in hex form or decimal form, in registers, memory and even the fpu. I'll be assuming the number of days remaining here to be 27 for easier explanation. These instructions are passed through - in order - of the program.

 :0046F951 DC6DE8 fsubr qword ptr [ebp-18] ;'days remaining' written to ST0 in decimal, ie 27
     ;(to view the fpu registers, use 'wf' command)

:0040AFD8 DF75E6 fbstp tbyte ptr [ebp-1A] ;decimal value of 'days remaining' written as hex
     ;in 70FBAA+9h, e.g. if there's value 27 in ST0,
     ;then 27h is written into 70FBAA+9h

These instructions convert the 27h to 32h and 37h, i.e. string value "27" and put it at 70FBDB. But instead of stopping at 37h, it continues adding about sixteen 30h at the end of the string, making the string "270000000000000000"

  :0040AFE4 8A4415E5 mov al, byte ptr [ebp+edx-1B]
  :0040AFE8 8AE0 mov ah, al
  :0040AFEA C0E804 shr al, 04
  :0040AFED 80E40F and ah, 0F
  :0040AFF0 66053030 add ax, 3030
  :0040AFF4 66AB stosw ;final value (string "27" stored at edi, ie 70FBDB)
  :0040AFF6 4A dec edx
  :0040AFF7 75EB jne 0040AFE4

     These instructions truncate the string to "27"

     :0040B041 C6443B0300 mov [ebx+edi+03], 00
     :0040B046 4F dec edi
     :0040B047 7807 js 0040B050
     :0040B049 807C3B0330 cmp byte ptr [ebx+edi+03], 30
     :0040B04E 74F1 je 0040B041

     These copy the string "27" to 70FC0C

     :0040AAA0 AC lodsb ;copies value to edi, ie 70FC0C
     :0040AAA1 0AC0 or al, al
     :0040AAA3 7419 je 0040AABE
     :0040AAA5 AA stosb ;get value at esi
     :0040AAA6 E2F8 loop 0040AAA0

     These convert the string "27" to a hex value, 1Bh, and put it in eax

     :00402B9C 80EB30 sub bl, 30
     :00402B9F 80FB09 cmp bl, 09
     :00402BA2 772A ja 00402BCE
     :00402BA4 39F8 cmp eax, edi
     :00402BA6 7726 ja 00402BCE
     :00402BA8 8D0480 lea eax, dword ptr [eax+4*eax]
     :00402BAB 01C0 add eax, eax
     :00402BAD 01D8 add eax, ebx
     :00402BAF 8A1E mov bl, byte ptr [esi]
     :00402BB1 46 inc esi
     :00402BB2 84DB test bl, bl
     :00402BB4 75E6 jne 00402B9C

     :0046F991 8945F8 mov dword ptr [ebp-08], eax ;moves 1Bh to 70FC7C, ie being written

     :0046F9B1 8B45F8 mov eax, dword ptr [ebp-08] ;moves 1Bh back to eax, ie being read

After the final location at 70FC7C, I couldn't find anymore traces of the 'days remaining' value anymore.

Later I noticed that the above instructions are passed through for the second time and the final value is at 70FC78. Therefore, my conclusion that the locations are 70FC7C and 70FC78.

These instructions are triggered by a call at 4721E8 and 4721FD.

:004721E8 E837D7FFFF call 0046F924 <- first call to get 'days remaining' and compare
:004721ED 85C0 test eax, eax
:004721EF 0F8EA2000000 jle 00472297 <- if 'expired', jump

     * Possible StringData Ref from Code Obj ->"There are "
     |
     :004721F5 6824254700 push 00472524
     :004721FA 8B45F0 mov eax, dword ptr [ebp-10]
     :004721FD E822D7FFFF call 0046F924 <- second call for displaying number of day's left
     :00472202 8D55E4 lea edx, dword ptr [ebp-1C]
     :00472205 E88A50F9FF call 00407294
     :0047220A FF75E4 push [ebp-1C]
 

Question 6. Where does this program keep the 'number of days you have to evaluate this software'?

This one is quite easy to find out. All I did was to compare the registry for any changes after and before the installation. Finally, I'm pretty sure that HKEY_CURRENT_USER\Config
 

Question 7. Once you have been able to find the answers to the above, explain in detail how someone *could* disable this 30 day counter. You MUST however allow the nag screen to operate as normal; that is based on a different protection system, so we will leave this alone for now. Remember, I'm looking for ways to disable the 30 day counter ONLY.

From my answers in Question 5, this is very easy to solve.

:004721E8 E837D7FFFF call 0046F924 <- first call to get 'days remaining' and compare
:004721ED 85C0 test eax, eax
:004721EF 0F8EA2000000 jle 00472297 <- if 'expired', jump

All we need to do is just NOP out jle 00472297 and the program will continue for as long as you like. But this method will result in a -negative- number of days remaining, which will keep decreasing.

Well, that's all for now. Please inform me if you think any of my solutions are buggy or wrong.

VERtiCES
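The digit loop at 00402B9C in the post above is the compiler's rendering of a string-to-integer conversion with an upper-bound check. The C function below is an added example, not code from the post or from SNWIN; the register roles (eax as accumulator, bl as current character, edi as an upper bound tested before each multiply-add) are inferred from the listing.

```c
#include <stdint.h>
#include <stdio.h>

/* C rendering of the loop at 00402B9C-00402BB4 (added example, not code from
 * the post or from SNWIN).  Assumed register roles: eax = accumulator,
 * bl = current character, esi = string pointer, edi = upper bound ("limit"). */
uint32_t parse_decimal_402b9c(const char *s, uint32_t limit)
{
    uint32_t acc = 0;                                  /* eax */
    unsigned char ch = (unsigned char)*s++;            /* bl is loaded before entry */
    while (ch != 0) {                                  /* test bl,bl / jne 00402B9C */
        unsigned char d = (unsigned char)(ch - 0x30);  /* sub bl,30 */
        if (d > 9)                                     /* cmp bl,09 / ja 00402BCE (unsigned) */
            break;                                     /* a non-digit ends the number */
        if (acc > limit)                               /* cmp eax,edi / ja 00402BCE */
            break;                                     /* overflow guard: stop accumulating */
        acc = (acc + 4 * acc) * 2 + d;                 /* lea eax,[eax+4*eax]; add eax,eax; add eax,ebx */
        ch = (unsigned char)*s++;                      /* mov bl,[esi]; inc esi */
    }
    return acc;
}

int main(void)
{
    /* "27" is the day count from the post; 1Bh is the value later stored at [ebp-08]. */
    printf("\"27\"  -> %02Xh\n", parse_decimal_402b9c("27", 0xFFFFFFFFu));
    /* With a small limit the guard stops the loop before the third digit. */
    printf("\"999\" with limit 50 -> %u\n", parse_decimal_402b9c("999", 50));
    return 0;
}
```

The unsigned `ja` after `sub bl,30` is why any character below '0' or above '9' terminates the loop in one comparison.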


jinxd - More about timecheck - Fri Oct 30 01:55:24 1998
 

Hi all,

Just got here a couple of days ago and really haven't had much chance to get into it yet. Congratulations Sandman on the excellent idea! I'm eager to learn, have seen some excellent posts and I hope that I can add to the pile:

A couple of posts have mentioned searching for the "days remaining" value. This can really confuse things in this program (and I assume others) if the "days remaining" are the same as the current date, e.g. days remaining=28, date=28.10.98. I've only looked at the first "getlocaltime" breakpoint and found that it stores the current year, month, day of the week, day, hour, minute, second and millisecond as word parameters (I found this in the win32sdk). In this example it is at [ebp-10]

lea eax, [ebp-10] ; this is the address for the result of the call
push eax
call [kernel32!getlocaltime]
movzx eax, word ptr [ebp-10] ; moves the year into eax
mov cx, [ebp-02]
sub eax, 0000076C
movzx ecx, word ptr [ebp-0A] ;moves current day to ecx
movzx eax, word ptr [ebp-0E] ;moves current month to eax

if we dump the address after the breakpoint occurs (d ebp-10) then the window shows this

     CE 07 0A 00 03 00 1C 00 etc ; the dump
     98 19 10 Wednesday 28 ; what it means

The stuff that follows manipulates the dates, but I haven't worked out how yet. Apparently it MUST do this for some reason, but I don't know why. Can anyone tell me why?
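The dump jinxd shows is a Win32 SYSTEMTIME structure: eight little-endian 16-bit words, so [ebp-10] is the year, [ebp-0E] the month, [ebp-0A] the day and [ebp-02] the milliseconds, matching the movzx instructions in the listing. The decoder below is an added example, not code from the post or from SNWIN; the time-of-day bytes in the sample are constructed, since the post only shows the first eight bytes.

```c
#include <stdint.h>
#include <stdio.h>

/* Field order of the Win32 SYSTEMTIME structure (16 bytes, eight WORDs). */
typedef struct {
    uint16_t year, month, day_of_week, day, hour, minute, second, milliseconds;
} systemtime_t;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Decode the 16 bytes GetLocalTime wrote at the address passed in eax ("d ebp-10"). */
systemtime_t decode_systemtime(const uint8_t *buf)
{
    systemtime_t st;
    st.year         = rd16le(buf + 0x0);  /* [ebp-10] -> movzx eax, word ptr [ebp-10] */
    st.month        = rd16le(buf + 0x2);  /* [ebp-0E] -> movzx eax, word ptr [ebp-0E] */
    st.day_of_week  = rd16le(buf + 0x4);  /* [ebp-0C], 0 = Sunday */
    st.day          = rd16le(buf + 0x6);  /* [ebp-0A] -> movzx ecx, word ptr [ebp-0A] */
    st.hour         = rd16le(buf + 0x8);
    st.minute       = rd16le(buf + 0xA);
    st.second       = rd16le(buf + 0xC);
    st.milliseconds = rd16le(buf + 0xE);  /* [ebp-02] -> mov cx, [ebp-02] */
    return st;
}

/* The code does "sub eax, 0000076C" (1900 decimal) right after loading the year. */
int years_since_1900(const systemtime_t *st) { return (int)st->year - 0x76C; }

/* Constructed sample: the post's first eight bytes, then a made-up time of day. */
static const uint8_t sample_dump[16] = {
    0xCE, 0x07, 0x0A, 0x00, 0x03, 0x00, 0x1C, 0x00,  /* 1998, October, Wednesday, 28 */
    0x0C, 0x00, 0x22, 0x00, 0x05, 0x00, 0x00, 0x00   /* 12:34:05.000 (constructed) */
};

int main(void)
{
    systemtime_t st = decode_systemtime(sample_dump);
    printf("%04u-%02u-%02u dow=%u %02u:%02u:%02u  (year-1900 = %d)\n",
           st.year, st.month, st.day, st.day_of_week,
           st.hour, st.minute, st.second, years_since_1900(&st));
    return 0;
}
```

Because the day (1Ch) sits in memory right beside the year and month, a search for a "days remaining" value of 28 will also hit this structure, which is the confusion jinxd describes.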



 

D0gBytes - Re: More about timecheck - Fri Oct 30 02:59:04 1998

Hello Jinxd,

I think that you are looking at the wrong code. You seem to be still looking at the Kernel32 rather than in the System Notebook code. We use the break on "GetLocalTime" just as a convenient breakpoint. We have no interest in it other than that. If I remember correctly, hitting F12 one time will bring you back into the SN code.

Look at the bottom of the SoftIce program to see what code you are actually in. Right above where you type into SoftIce. Again, I don't remember exactly but it might say SN or SNWIN or maybe even System Notebook.  Anyway, you will see what I mean. Start your tracing from there.

You will be looking for the days remaining in the evaluation period in "Hex" form. If you have 30 days remaining, look for 0000001E. If you have 28 days remaining look for 0000001C.

If you have 27 days remaining look for 0000001B. If you have 10 days remaining, look for 0000000A. If you have 9 days remaining, look for 00000009.

What we are doing there is converting the decimal number to hex.  Then we look for the hex value.

Regards,
Bytes
 
Message Thread 11.
Answer for Question 7 
 

Smasher -  Answer for Question 7 - Wed Oct 28 14:31:10 1998
 

Hi everyone! I have seen how the work is boiling!

Sorry for being late. But I had been cracking one simple prog & writing an essay about it for one interesting team, which tries to teach Reverse Engineering to people of my country. Is it funny? A newbie writes an essay... Yes, maybe it's funny. But this work demands high concentration & attention, therefore this work is useful for self-learning.

So I have finished this work and have half an hour! to look at question 7 (simplest question :)

     5)-6) These questions I'll answer a little later.

     7) How to disable days accounting, but to leave Nag screen.

There are hundreds of places where, by patching, we can disable days accounting. But I see no reason to write about all of them :). But I'll give, f.e., 3 ways:

     a) 004721ED TEST AX,AX <- In AX Number Days We Have. Patch to:
     004721ED INC AX <- This is not the best patch, because we will have only 4294967265 (dec) days (I hope that's enough :)

     b) 0046F9B1 MOV EAX,[EBP-08] <- In AX Number Days We Have. Patch to:
     0046F9B1 OR AL,FF <- By this patch we will always have 255 Days Minimum
     0046F9B2 NOP <-

     c) 00472297 PUSH SOMEDWORD <- Here We Will Be If We Haven't Any More Days.

     patch to:

     00472297 JMP 004721EF <- By this patch We Will Always jump to Nag Screen

     O.K. That's all for this time. Sorry, I just can't devote more than half an hour to these answers.

     ycnexoB! And have a nice work!
     Smasher.



 

Smasher - Mistake! - Wed Oct 28 21:36:31 1998
 

Hi everyone!

I have found a mistake in my previous post. If we patch by case

1), there will not be 4294967269 days but only 31 days, therefore this is a big mistake.

     Oops...

Smasher



 

Smasher - Found mistakes - Thu Oct 29 04:26:29 1998
 

     Hi everyone!

     7) How to disable days accounting, but to leave Nag screen.(Update)

     a) 004721ED TEST AX,AX <- In AX Number Days We Have. Patch to:
     004721ED INC AX <- This is not the best patch, because we will have
     only 4294967265 (dec) days (I hope that's enough :)
     ^^^^^^^^^^^^^^^ mistake: we will have only 31 days :(
     bug free:

     004721ED XOR AX,AX
     004721F0 XOR AX,AX
     004721F3 INC AX

     b) 0046F9B1 MOV EAX,[EBP-08] <- In AX Number Days We Have. Patch to:

     0046F9B1 OR AL,FF <- By this patch we will always have 255 Days Minimum
     0046F9B2 NOP <-  ^^^^^^^^^^^^^^^^^^mistake: no mistakes :)

     c) 00472297 PUSH SOMEDWORD <- Here We Will Be If We Haven't Any More Days.
     patch to:

     00472297 JMP 004721EF <- By this patch We Will Always jump to Nag Screen
     ^^^^^^^^^^^^^^^^^^^^^mistake: JMP 4721EF will halt your 'puter.

     (I had just forgotten to change the address before posting)

     bug free:

     00472297 JMP 004721F5

     ycnexoB! Smasher.
 
Message Thread 12.
Peculiar Protection/SNWin 
 

halIfax  -Peculiar Protection/SNWin - Thu Oct 29 12:49:38 1998
 

I patched SNWin at 004720c2, changing 740F to E900 (jmp 004720c4), and it works the same as using RegisteredVersion (1) in the registry. What's peculiar is: why does the program check the time left (or whatever it is) and test it when the next step is a mandatory jump, no matter the test results?

And the program does not seem to use UserName/UserOrganization/RegistrationNumber?

     :004720BB E840DBFFFF     call 0046FC00 <-- Check reg
     :004720C0 84C0           test al, al
     :004720C2 740F           je 004720D3 <-- Jmp to nag screen if reg bad
     :004720C4 8B45F0         mov eax, dword ptr [ebp-10]
     :004720C7 E830DDFFFF     call 0046FDFC <-- time left ck?
     :004720CC 84C0           test al, al <-- test it
     :004720CE E91D030000     jmp 004723F0 <-- mandatory jmp
Essay by:          The Sandman
Page Created: 2nd May 1998