Dec 1998
"McAfee VirusScan v4.0.1"
 'How to *think* like a cracker'
Win '95 PROGRAM
Win Code Reversing
 
 
by Eternal Bliss 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: v98i401e.zip
Program Type: Popular Virus Scanner
Program Location: Here 
Program Size: 8.1MB
 
       
Tools Used:
W32Dasm V8.93 - Disassembler
Hex Workshop v2.54 - Hex Editor
 
Rating
Easy ( X )  Medium ( )  Hard ( )
There is a crack, a crack in everything. That's how the light gets in.
 
      
 
McAfee VirusScan v4.0.1
'How to *think* like a cracker...'
Written by Eternal Bliss
 
 
Introduction
The authors (Network Associates) of McAfee VirusScan say: "The Dr Solomon's virus scanning engine is at the heart of VirusScan 4.0.1. Backed by the world's largest antivirus research organization, it delivers outstanding virus detection and cleaning rates. The new engine also detects viruses in nearly all of the popular compressed file formats."

My comments: "It is not as good as it says it is..."
Installation: Install everything except the Command Centre (it might need more patches) and the ScreenSaver Scanner (buggy).
 
About this protection system
 
The protection systems employed within McAfee VirusScan consist of the following:-

1. Deep within your System Registry it uses the following branch to store the User Registration information.

HKEY_LOCAL_MACHINE\Software\Network Associates\ECare
   
2. It is a 30-day, time-limited program that 'expires' 30 days after being installed.
 
3. When expired, a nag screen tells you the time is up and you have to register. If you don't, the program exits.
 
4. A self-check is done when the program starts to see if its code has been changed.

When first run, an entry is placed in

HKEY_LOCAL_MACHINE\Software\Network Associates\ECare\LM\FDX5-KAA
 
This is what the program uses to calculate when the expiry date is.
 
The Essay 
 
I started with the "About" box, which shows "Evaluation Copy" in the title. I took note of the details of the box and then proceeded to W32Dasm for a dead listing.

In my dead listing I always go straight to the String Data Resources of the target program: we can gain a lot of valuable info just by noting down what we see and what looks interesting.

Mem Location                        String
-------------------------------------------------------------

0040F913            "The program license has expired. You must purchase to conti"

004014FB            "About McAfee VirusScan OEM Edition"
00401518            "About McAfee VirusScan"
00401524            "About McAfee VirusScan Evaluation Copy"

0042A939            "The validation code for %s does not match. Please reinstall "

There are many other interesting strings, but these will do for us. These are the places where I made the patches.

OK, lets start with the easiest part first.

In the "About" box, you will see "Evaluation Copy" in the title. So in our String Data Resources locate "About McAfee VirusScan Evaluation Copy" and double-click on it.
 

You should see this code fragment...
 
 
* Possible Reference to Dialog: DialogID_0067, CONTROL_ID:0452, "McAfee VirusScan"

:004014CD 6852040000 push 00000452
---------snip-----------
:004014E5 E816E70000     call 0040FC00
:004014EA 83C408         add esp, 00000008
:004014ED 85C0           test eax, eax
:004014EF 7411           je 00401502 -> Jump over the "OEM version"
:004014F1 8D4C246C       lea ecx, dword ptr [esp+6C]
:004014F5 6804010000     push 00000104
:004014FA 51             push ecx

* Possible Reference to String Resource ID=40120: "About McAfee VirusScan OEM Edition"

:004014FB 68B89C0000     push 00009CB8
:00401500 EB27           jmp 00401529

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004014EF(C)

:00401502 8B842488040000 mov eax, dword ptr [esp+00000488]
:00401509 6804010000     push 00000104
:0040150E 83F801         cmp eax, 00000001
:00401511 750C           jne 0040151F -> Jump to the "Evaluation version"
:00401513 8D542470       lea edx, dword ptr [esp+70]
:00401517 52             push edx

* Possible Reference to String Resource ID=40102: "About McAfee VirusScan"

:00401518 68A69C0000     push 00009CA6
:0040151D EB0A           jmp 00401529

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401511(C)

:0040151F 8D442470       lea eax, dword ptr [esp+70]
:00401523 50             push eax

* Reference to String Resource ID=40103: "About McAfee VirusScan Evaluation Copy"

:00401524 68A79C0000 push 00009CA7

---------snip-----------

1) At :004014EF, change "je 00401502" (7411) to "jmp 00401502" (EB11). The jump is now taken regardless of the test result, so the "OEM version" title is skipped. Only the opcode byte changes (74 -> EB); the displacement byte 11 stays the same because the target is the same.

2) At :00401511, prevent the jump by replacing "jne 0040151F" (750C) with two NOPs (9090). Execution then falls through into the "About McAfee VirusScan" branch instead of going to the "Evaluation version". (I don't have to teach you how to NOP (90), right?)
 


The next part involves patching the program so that it won't exit nor show the nag splash when 30 days is up. It is a bit more tricky and I must apologise first if my explanation is not comprehensive.

When 30 days is up, you will see the nag "The program license has expired. You must purchase to continue... blah blah". So in our String Data Resources locate this string and double-click on it..

You should see this code fragment...
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F88C(C)

* Possible StringData Ref from Data Obj ->"ECLicenseFunction"

:0040F898 68D4794300     push 004379D4
:0040F89D 55             push ebp

* Reference To: KERNEL32.GetProcAddress, Ord:0116h

:0040F89E FF1578E84300   Call dword ptr [0043E878]
:0040F8A4 8BE8           mov ebp, eax
:0040F8A6 85ED           test ebp, ebp
:0040F8A8 0F84BA000000   je 0040F968 -> Tried changing but did not work
:0040F8AE E8AD020000     call 0040FB60
:0040F8B3 85C0           test eax, eax
:0040F8B5 7510           jne 0040F8C7 -> Patch here
:0040F8B7 8B842408020000 mov eax, dword ptr [esp+00000208]
:0040F8BE 85C0           test eax, eax

* Possible Reference to String Resource ID=00002: "In Folder"

:0040F8C0 B802000000     mov eax, 00000002
:0040F8C5 7405           je 0040F8CC -> Tried changing to 7505 (jne 0040F8CC), but then the
                                     -> program exits when it is within 30 days. This jump
                                     -> is skipped once the jump above is patched.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F8B5(C)

* Possible Reference to String Resource ID=00005: "&Clean File"
|
:0040F8C7 B805000000     mov eax, 00000005

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F8C5(C)

:0040F8CC 8D542430       lea edx, dword ptr [esp+30]
---------snip-----------
:0040F8E2 FFD5           call ebp
:0040F8E4 8B44242C       mov eax, dword ptr [esp+2C]
:0040F8E8 83C418         add esp, 00000018
:0040F8EB 85C0           test eax, eax
:0040F8ED 7410           je 0040F8FF -> Jump to Expired notice
:0040F8EF 837C243803     cmp dword ptr [esp+38], 00000003
:0040F8F4 7509           jne 0040F8FF -> Jump to Expired notice

* Possible Reference to String Resource ID=00100: "YES"

:0040F8F6 C7400864000000 mov [eax+08], 00000064
:0040F8FD EB69           jmp 0040F968

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040F8ED(C), :0040F8F4(C) -> Take note of these two locations

:0040F8FF 837C243001     cmp dword ptr [esp+30], 00000001
---------snip-----------

* Possible Reference to String Resource ID=03145: "The program license has expired. You must purchase to conti"

:0040F913 68490C0000 push 00000C49
---------snip-----------

So, what I understand from the code is this:
1) At :0040F8B5, the program checks to see if 30 days is up.
2) At :0040F8C5, the program checks to see if it is still within 30 days.
*Take note of the locations they jump to*
3) At :0040F8ED and :0040F8F4, two more checks are done.

1) and 2) have something to do with the program exiting.
3) will show the expiration notice.

To get rid of the notice, nop both conditional jumps to 0040F8FF: "je 0040F8FF" (7410) at :0040F8ED and "jne 0040F8FF" (7509) at :0040F8F4 each become 9090. Both are two-byte instructions, so replacing them with two NOPs keeps every later address where it is.

To prevent the program from exiting, I observe that :0040F8C5 jumps to location 0040F8CC if it is still within 30 days, while :0040F8B5 jumps to 0040F8C7 if 30 days is up. Between them there is one extra instruction:

:0040F8C7 B805000000              mov eax, 00000005

So I decided to change :0040F8B5 to mimic the action of :0040F8C5, i.e. to jump to location 0040F8CC, but this time unconditionally, regardless of the "test" result above it. A short jump stores its displacement relative to the end of the two-byte instruction, so the new displacement is 0040F8CC - 0040F8B7 = 15h (21 decimal), where the original target 0040F8C7 needed 10h.
Therefore, at :0040F8B5, I change jne 0040F8C7 (7510) to jmp 0040F8CC (EB15).
That prevents the program from exiting when expired and at the same time jumps over the 2nd check at :0040F8C5, so its result no longer matters.
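The arithmetic behind the byte values in both the "About" box patches and the expiry patches, as an added example (this is not code from the original essay; the six addresses and byte pairs are the ones quoted above, and the new bytes are computed rather than copied so they can be checked against the text):

```python
"""x86 short-jump arithmetic behind the patches in this essay.

Added example, not code from the original tutorial. A short jmp/je/jne is
two bytes: the opcode, then a signed 8-bit displacement counted from the
END of the instruction (its address + 2). The same target therefore needs
a different displacement from a different address, and a backward jump
such as 7586 carries 0x86, which is -0x7A as a signed byte.
"""

OPCODES = {"jmp": 0xEB, "je": 0x74, "jne": 0x75}
MNEMONICS = {op: name for name, op in OPCODES.items()}
NOP = 0x90


def short_jump_target(addr: int, insn: bytes) -> int:
    """Decode the two-byte short jump at addr and return the address it goes to."""
    if len(insn) != 2 or insn[0] not in MNEMONICS:
        raise ValueError(f"{insn.hex()} at {addr:08X} is not a short jmp/je/jne")
    disp = int.from_bytes(insn[1:], "little", signed=True)
    return addr + 2 + disp


def encode_short_jump(mnemonic: str, addr: int, target: int) -> bytes:
    """Encode jmp/je/jne at addr going to target; refuse targets outside rel8 range."""
    disp = target - (addr + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"{target:08X} is out of short-jump range from {addr:08X}")
    return bytes([OPCODES[mnemonic], disp & 0xFF])


def nop_out(insn: bytes) -> bytes:
    """Replace an instruction with NOPs of the same length so later addresses do not move."""
    return bytes([NOP]) * len(insn)


# The six jumps the essay patches, as (address, original bytes, new bytes).
ESSAY_PATCHES = [
    (0x004014EF, bytes.fromhex("7411"), encode_short_jump("jmp", 0x004014EF, 0x00401502)),
    (0x00401511, bytes.fromhex("750C"), nop_out(bytes.fromhex("750C"))),
    (0x0040F8B5, bytes.fromhex("7510"), encode_short_jump("jmp", 0x0040F8B5, 0x0040F8CC)),
    (0x0040F8ED, bytes.fromhex("7410"), nop_out(bytes.fromhex("7410"))),
    (0x0040F8F4, bytes.fromhex("7509"), nop_out(bytes.fromhex("7509"))),
    (0x0042A958, bytes.fromhex("7586"), nop_out(bytes.fromhex("7586"))),
]

if __name__ == "__main__":
    for addr, old, new in ESSAY_PATCHES:
        was = f"{MNEMONICS[old[0]]} {short_jump_target(addr, old):08X}"
        print(f"{addr:08X}  {old.hex().upper()} -> {new.hex().upper()}  (was {was})")
```

Running it prints the same six byte pairs the essay arrives at by hand (EB11, 9090, EB15, 9090, 9090, 9090); the range check in encode_short_jump is the reason a retarget further than 127 bytes away cannot be done by editing two bytes in place.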
  

If you patch these locations and run the program, you will come to the final protection. That is the self-check done by the program.

Go to our String Data Resources, locate "The validation code for %s does not match. Please reinstall " and double-click on it..
 

You should see this code fragment...
 
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042A958(C)

:0042A8E0 83FD01 cmp ebp, 00000001
:0042A8E3 7575         jne 0042A95A -> Jump if Self-Check is valid
---------snip-----------
:0042A91B E8A0460000   Call 0042EFC0
:0042A920 85C0         test eax, eax
:0042A922 742C         je 0042A950 -> Go to the Self-Check
:0042A924 8D442424     lea eax, dword ptr [esp+24]
:0042A928 50           push eax

* Reference To: MCUTIL32.Ordinal:009D, Ord:009Dh

:0042A929 E890480000   Call 0042F1BE
:0042A92E 85C0         test eax, eax
:0042A930 741E         je 0042A950 -> Go to the Self-Check
:0042A932 8B0E         mov ecx, dword ptr [esi]
:0042A934 8D542410     lea edx, dword ptr [esp+10]
:0042A938 52           push edx

* Possible Reference to String Resource ID=40151: "The validation code for %s does not match. Please reinstall "

:0042A939 C7442420D79C0000 mov [esp+20], 00009CD7
:0042A941 894C241C         mov dword ptr [esp+1C], ecx
:0042A945 897C2424         mov dword ptr [esp+24], edi
:0042A949 E8C277FEFF       call 00412110
:0042A94E 33ED             xor ebp, ebp

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042A922(C), :0042A930(C)

:0042A950 8B4604          mov eax, dword ptr [esi+04]
:0042A953 83C604          add esi, 00000004
:0042A956 3BC3            cmp eax, ebx
:0042A958 7586            jne 0042A8E0 -> Go to the "start" of the Self-Check

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042A8CE(C), :0042A8E3(C)

:0042A95A 5F pop edi
---------snip-----------
:0042A966 C3 ret

This is a loop, and I don't fully understand what it validates, but the listing shows its shape: each pass ends at :0042A950, where esi is stepped by 4 and the value it points to is compared with ebx, and while they differ the jne at :0042A958 goes back to :0042A8E0 for the next entry. There are two locations where you can do the patch:

1) :0042A8E3 7575                    jne 0042A95A
2) :0042A958 7586                    jne 0042A8E0

I did the patch on the 2nd one so that the loop is never re-entered: by changing "jne 0042A8E0" (7586) at :0042A958 to "NOP NOP" (9090), the routine falls through to the pop edi / ret at :0042A95A and the self-check is stopped. Keep in mind that the bytes you changed elsewhere in the file are exactly what this check exists to notice, so this patch goes in together with the others, not instead of them.

Job Done.
 
The Crack
     
Total of 6 patches to be done, as listed above:

:004014EF  7411 -> EB11  (je 00401502 becomes jmp 00401502; skips the "OEM Edition" title)
:00401511  750C -> 9090  (jne 0040151F nopped; never reaches the "Evaluation Copy" title)
:0040F8B5  7510 -> EB15  (jne 0040F8C7 becomes jmp 0040F8CC; no exit when expired)
:0040F8ED  7410 -> 9090  (je 0040F8FF nopped; no expired notice)
:0040F8F4  7509 -> 9090  (jne 0040F8FF nopped; no expired notice)
:0042A958  7586 -> 9090  (jne 0042A8E0 nopped; self-check loop not re-entered)

Work on a copy of the file, and make sure the original bytes are really at each location before you overwrite them: a different build of the program will not have the same addresses.
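A script that applies the six patches above to a copy of the executable, as an added example (not code from the original essay or from Network Associates). W32Dasm shows virtual addresses, while a hex editor works with file offsets, so the script reads the PE section table to translate one into the other and refuses to write unless every original byte matches. The real binary is not included: build_sample_image() constructs a stand-in PE32 (assumed layout: image base 0x400000, a single .text section at RVA 0x1000 stored at file offset 0x400) that holds only the byte pairs quoted in the essay, so the script runs offline; the file name in the docstring is an assumption too.

```python
"""Apply the six patches from this essay to a copy of the executable, safely.

Added example, not code from the original tutorial or from Network Associates.
Virtual addresses from the disassembly are translated to file offsets through
the PE section table, and every original byte is checked before anything is
written. build_sample_image() constructs a stand-in PE32 (assumed layout) so
the script runs offline; on the real file you would call
apply_patches(open("scan32.exe", "rb").read(), PATCHES)  (file name assumed).
"""
import struct

# (virtual address, bytes the essay shows there, replacement of the same length)
PATCHES = [
    (0x004014EF, bytes.fromhex("7411"), bytes.fromhex("EB11")),  # je -> jmp: skip OEM title
    (0x00401511, bytes.fromhex("750C"), bytes.fromhex("9090")),  # jne nopped: no "Evaluation Copy"
    (0x0040F8B5, bytes.fromhex("7510"), bytes.fromhex("EB15")),  # jne -> jmp 0040F8CC: no exit
    (0x0040F8ED, bytes.fromhex("7410"), bytes.fromhex("9090")),  # je to expired notice
    (0x0040F8F4, bytes.fromhex("7509"), bytes.fromhex("9090")),  # jne to expired notice
    (0x0042A958, bytes.fromhex("7586"), bytes.fromhex("9090")),  # self-check loop back-edge
]


def pe_sections(image):
    """Return (ImageBase, [(VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData), ...])."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    first = opt + opt_size
    sections = []
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, first + 40 * i + 8)
        sections.append((va, vsize, rawptr, rawsize))
    return image_base, sections


def va_to_file_offset(image, va):
    """Translate a virtual address to the file offset of the section byte mapped there."""
    image_base, sections = pe_sections(image)
    rva = va - image_base
    for sva, vsize, rawptr, rawsize in sections:
        if sva <= rva < sva + max(vsize, rawsize):
            if rva - sva >= rawsize:
                raise ValueError(f"{va:08X} is not backed by file data")
            return rawptr + (rva - sva)
    raise ValueError(f"{va:08X} is outside every section")


def mismatched_patches(image, patches):
    """VAs whose bytes differ from what the patch expects: wrong build, or already patched."""
    bad = []
    for va, expected, _ in patches:
        off = va_to_file_offset(image, va)
        if bytes(image[off:off + len(expected)]) != expected:
            bad.append(va)
    return bad


def apply_patches(image, patches):
    """Return a patched copy, refusing to write unless every original byte matches."""
    bad = mismatched_patches(image, patches)
    if bad:
        raise ValueError("unexpected bytes at " + ", ".join(f"{va:08X}" for va in bad))
    out = bytearray(image)
    for va, expected, new in patches:
        if len(new) != len(expected):
            raise ValueError(f"{va:08X}: a patch must not change instruction length")
        off = va_to_file_offset(out, va)
        out[off:off + len(new)] = new
    return out


def build_sample_image():
    """Constructed stand-in for the real file: minimal PE32 header plus one .text section."""
    base, text_va, text_raw, text_size = 0x00400000, 0x1000, 0x400, 0x2A000
    hdr = bytearray(text_raw)
    hdr[:2] = b"MZ"
    pe = 0x80
    struct.pack_into("<I", hdr, 0x3C, pe)
    hdr[pe:pe + 4] = b"PE\0\0"
    # COFF header: i386, 1 section, no symbols, PE32 optional header size, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = pe + 24
    struct.pack_into("<H", hdr, opt, 0x10B)          # Magic = PE32
    struct.pack_into("<I", hdr, opt + 28, base)      # ImageBase
    sect = opt + 0xE0
    hdr[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sect + 8, text_size, text_va, text_size, text_raw)
    body = bytearray(text_size)
    for va, expected, _ in PATCHES:                  # plant the original jump bytes at their VAs
        off = va - base - text_va
        body[off:off + len(expected)] = expected
    return bytes(hdr + body)


if __name__ == "__main__":
    patched = apply_patches(build_sample_image(), PATCHES)
    print(f"patched {len(PATCHES)} locations, {len(patched)} bytes")
```

Running apply_patches a second time on its own output raises, because the expected bytes are no longer there; the same check is what stops you from corrupting a different build of the program whose code sits at other addresses.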
 
Final Notes 
    
This tutorial is dedicated to all the newbies like me. I've tried to explain everything in detail.
 

My thanks and gratitude go to:-
 
The Sandman
All the writers of Cracks tutorials
 
Ob Duh 
 
Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses are encouraged to produce even *better* software for us to use and enjoy?

Ripping off software through serials and cracks is for lamers..
 
If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 

Essay by:          Eternal Bliss
Page Created: 13th December 1998