cracking calligrapher 5.3 for win CE (german version)
--------------------------------------------------------

used tools: IDA pro 4.04, a hex editor

starting
--------

after installing calligrapher 5.3 we just copy the .exe file from our win CE H/PC to our PC. start IDA pro and select the .exe file (called calligrapher.exe hereafter). IDA pro starts to disassemble the file (the H/PC is a MIPS machine, so everything below is MIPS assembly) and it takes some minutes to finish. after everything has been disassembled, we look for the string "probe", since when we start calligrapher on our H/PC it says that we have the "probeversion" (meaning trial version) and displays how many days we have left to test it. so, searching for the text "probe" (alt+t) we find it at 00024C3C:

    .text:00024C3C loc_24C3C:                          # CODE XREF: WinMain+54C j
    .text:00024C3C         la      $a0, aIhreProbeversi    # "Ihre Probeversion von CalliGrapher ist "...
    .text:00024C44         jal     sub_29180
    .text:00024C48         move    $a1, $0
    .text:00024C4C         li      $t3, 0xFFFFFFFF
    .text:00024C50         lui     $1, 4
    .text:00024C54         lui     $a0, 4
    .text:00024C58         sw      $t3, dword_438EC
    .text:00024C5C         jal     j_UpdateWindow
    .text:00024C60         lw      $a0, dword_438F0
    .text:00024C64         b       loc_2542C
    .text:00024C68         move    $v0, $0
    .text:00024C6C # ---------------------------------------------------------------------------
    .text:00024C6C
    .text:00024C6C loc_24C6C:                          # CODE XREF: WinMain+554 j
    .text:00024C6C         la      $a1, aDiesIstEinePro    # "Dies ist eine PROBE-Version von Calligr"...
    .text:00024C74         jal     j_wsprintfW
    .text:00024C78         move    $a0, $s0
    .text:00024C7C         move    $a0, $s0
    .text:00024C80         jal     sub_29180
    .text:00024C84         move    $a1, $0
    .text:00024C88         lui     $1, 4
    .text:00024C8C         jal     j_UpdateWindow
    .text:00024C90         lw      $a0, 0x38F0($1)

we see that at loc_24C3C calligrapher displays the message "Ihre Probeversion von CalliGrapher ist abgelaufen", which means that the evaluation period has expired. the other location, loc_24C6C, is where calligrapher just prints that it is an evaluation version and that there are some days left to evaluate it.

looking closer at the code before both of these locations reveals the following:

    .text:00024BF0         move    $a2, $0
    .text:00024BF4         sw      $v0, dword_438F0
    .text:00024BFC         jal     j_UpdateWindow
    .text:00024C00         move    $a0, $v0
    .text:00024C04         lw      $a0, dword_438F0
    .text:00024C0C         jal     j_ShowWindow
    .text:00024C10         li      $a1, 5
    .text:00024C14         lw      $t2, dword_438EC
    .text:00024C1C         blez    $t2, loc_24C94
    .text:00024C20         nop
    .text:00024C24         jal     sub_2A630
    .text:00024C28         addiu   $a0, $sp, 0x680+var_2F0
    .text:00024C2C         beqz    $v0, loc_24C3C
    .text:00024C30         lw      $a2, 0x680+var_2F0($sp)
    .text:00024C34         bgtz    $a2, loc_24C6C
    .text:00024C38         addiu   $s0, $sp, 0x680+var_4E8

what interests us is the line at 24C14: "lw $t2, dword_438EC". here calligrapher loads the dword at 438EC into its $t2 register. if it is less than or equal to zero (that is what the "blez" instruction tests; it is a signed comparison, so 0xFFFFFFFF counts as -1) it jumps to loc_24C94, just below both of the messages about the evaluation period. one thing to keep in mind when reading MIPS: the instruction after a branch or jal sits in the branch delay slot and is executed whether or not the branch is taken, so for example the "lw $a2, 0x680+var_2F0($sp)" after "beqz $v0, loc_24C3C" always runs. sub_2A630 presumably fills var_2F0 with the number of days left: if it returns zero we get the "expired" message at loc_24C3C, if the count in $a2 is greater than zero we get the "days left" message at loc_24C6C, and if it is not, execution simply falls through into loc_24C3C and the "expired" message is shown.

so, we ask ourselves what this dword at 438EC could mean. we scroll down to 438EC and see:

    .data:000438EC dword_438EC:    .word 0x1E          # DATA XREF: sub_1382C+34r
    .data:000438EC                                     # sub_138D4+94r ...

obviously this data is being addressed from different points in the code, not just the location we found above. pressing the right mouse button and selecting "jump to cross reference" shows us 6 addresses where the code loads the dword and one address where calligrapher stores to it. we are first interested in the "store" code, which we find at 24C58, in the block we already saw:

    .text:00024C3C loc_24C3C:                          # CODE XREF: WinMain+54C j
    .text:00024C3C         la      $a0, aIhreProbeversi    # "Ihre Probeversion von CalliGrapher ist "...
    .text:00024C44         jal     sub_29180
    .text:00024C48         move    $a1, $0
    .text:00024C4C         li      $t3, 0xFFFFFFFF
    .text:00024C50         lui     $1, 4
    .text:00024C54         lui     $a0, 4
    .text:00024C58         sw      $t3, dword_438EC
    .text:00024C5C         jal     j_UpdateWindow
    .text:00024C60         lw      $a0, dword_438F0
    .text:00024C64         b       loc_2542C
    .text:00024C68         move    $v0, $0

we see that calligrapher displays that the evaluation period has expired and then stores the value 0xFFFFFFFF via the $t3 register into our dword at 438EC. so clearly this dword has something to do with the evaluation of calligrapher... we go back (the back button in the toolbar above) and select another cross reference, this time at 13860:

    .text:00013854         jal     sub_38220
    .text:00013858         sw      $a2, 0x20+arg_0($sp)
    .text:0001385C         beqz    $v0, loc_138A0
    .text:00013860         lw      $t6, dword_438EC
    .text:00013868         lw      $t7, 0x20+arg_0($sp)
    .text:0001386C         beqz    $t6, loc_1388C
    .text:00013870         lw      $a1, 0x20+arg_4($sp)
    .text:00013874         la      $a0, aDasBenutzerw      # "Das Benutzerw"
    .text:0001387C         jal     sub_29180
    .text:00013880         move    $a1, $0
    .text:00013884         b       loc_138A0
    .text:00013888         nop

we see that it again loads the dword (this time into the $t6 register), checks it against zero, and if it is not zero displays the string "Das Benutzerwörterbuch ist nur in der registrierten Version..." (the user dictionary is available only in the registered version). so here it is! if dword_438EC == 0 we obviously have a registered version, if not we are still evaluating it, and if it is 0xFFFFFFFF our evaluation period has expired! (we only looked at two of the six loads; before patching it is worth stepping through the other four as well and checking that they, too, treat 0 as "registered", and that no other code writes the dword at startup.)

going back to 438EC we see that the initial value stored there is 0x1E (30, i.e. the length of the trial in days). so we use a hex editor to change it to 0 (if we point the mouse at 438EC, the status bar at the bottom of IDA shows the corresponding offset in the file: 31EEC). copying the file back to our H/PC and starting it makes us the owner of a wonderful program!! ;)

hope it was fun reading this proggy, and hope to see YOUR H/PC cracks soon!! ;)

happy mipsing!

drunkeneye (das_epsilon@gmx.net)