January 1999
"Willow TALK 2.01"
'Patching' 
W32 PROGRAM Code Reversing
by   N i X e 
Code Reversing For Beginners 

Program Details
Program Name: wtalktry.exe
Program Type: Reader/Speaker
Program Location: Here
Program Size: 1.7 Mb

Tools Used:
Softice - Win'95 Debugger
W32Dasm - Win'95 Disassembler
 
Rating  Easy ( X )  Medium ( )  Hard ( )  Pro ( ) 
Solving the puzzle
 
 
Introduction
 

WillowTALK lets your computer read text from documents created by popular Windows applications, in a variety of computer voices. With WillowTALK you can, for example:

  • Have your PC read documents, even including Internet web pages, without looking at your computer screen
  • Proof-read a column of numbers you've typed into a spreadsheet against your hard copy version
  • Continue to use an application full-screen while your PC reads the application Help file to you
  • Have your PC announce the time and date and play audio alarms at times you set
  • Create audio scripts or "plays" in which multiple characters speak their lines in different voices
  • Hear how a speech you are reading will sound, and have WillowTALK time how long it will take to give

    About this protection system
     

    This shareware program will expire 30 days after the installation date.

    The following entries are created in the registry:
    HKEY_CURRENT_USER\Software\Willow Pond\WillowTALK\2.02.001\Key
    HKEY_CURRENT_USER\Software\Willow Pond\WillowTALK\2.02.001\License

    This program uses the registry just like Microsoft recommends: Company name\Product\Version

    Note: Use Regmon to find out what is written to/read from the Windows Registry.
     
    The Essay
     

    Before we start I must confess that I only started reversing/cracking a couple of weeks ago - Christmas 1998! After reading a lot of tutorials and cracking two programs I came to this program and decided to write a tutorial. Here it is:

    To get an overview of the program, create a deadlisting using W32Dasm. This will show you which .dlls (Dynamic Link Libraries) and functions the program uses. The deadlisting also shows the entire code and often which routines are called from where.
    You can also open the deadlisting in a word processor and print the interesting places. This makes it easier to follow the code, and you can comment the code while analysing and debugging.

    W32Dasm has a button called 'String Data References'. By clicking on 'Str Ref' you'll get a long list of possible string references. Take your time looking through them. Look for any strings containing words which might be displayed when the program expires. Something like 'Evaluation period over', 'this evaluation copy has expired', or 'this program will expire in two days'.
    Hey, the string 'The trial period license has expired' sounds like it has something to do with the expiration check.
    Double click on the string and you will see the code that has a reference to our newly found string.

    Now we need to find a good breakpoint for SoftIce - a powerful debugger which will show us the memory contents and register contents while tracing through the code.
    We have to break somewhere before the reference to the string 'The trial period license has expired', so we can avoid this message. Scrolling some lines up from the string reference we see a "Referenced by a CALL" line. There is no need to scroll any further up, because a reference by a call usually means that this is the first line of a function. The code above that line is probably something totally different.
     

    Here is the W32Dasm listing:
     
    * Referenced by a CALL at Address: 0042682A
     
    :00419510 8B442404        mov eax, dword ptr [esp+04]   ; good breakpoint (bpx ?:00419510)
    :00419514 81EC3C010000    sub esp, 0000013C
    :0041951A A384044300      mov dword ptr [00430484], eax
    :0041951F 56              push esi                      ; save parameters for call on stack
    :00419520 57              push edi
    :00419521 50              push eax
    :00419522 E87946FFFF      call 0040DBA0                 ; call to 'no of days left' function
    :00419527 83C404          add esp, 00000004
    :0041952A 85C0            test eax, eax                 ; what does eax contain?
                                                            ; ffffffff = expired,
                                                            ; 1e = not yet expired
                                                            ; 1e (30 decimal) must be the number of days left!
    :0041952C 7D21            jge 0041954F
    :0041952E 6A10            push 00000010
     
    * Possible StringData Ref from Data Obj ->"WillowTALK"
     
    :00419530 680CD44200      push 0042D40C
    :00419535 68F8D34200      push 0042D3F8                 ; ->"Invalid license key"
    :0041953A 6A00            push 00000000
    :0041953C FF15B01C4300    Call USER32.MessageBoxA
    :00419542 33C0            xor eax, eax
    :00419544 5F              pop edi
    :00419545 5E              pop esi
    :00419546 81C43C010000    add esp, 0000013C
    :0041954C C21000          ret 0010
    :0041954F 7521            jne 00419572
    :00419551 6A10            push 00000010
    :00419553 680CD44200      push 0042D40C
     
    * Possible StringData Ref from Data Obj ->"The trial period license has expired. "
     
    Now it's time to load wiltalk.exe (not yet expired) in SoftIce with a breakpoint at 015F:00419510 - the selector 015F might be different on your computer.
    Trace (using F10 - Step over) through this routine a couple of times. Write down the register values before every TEST/CMP instruction. We don't get any expiration message. All well.
    Quit Wiltalk and set the computer's clock a couple of months ahead so the program will expire ;-) Fire up wiltalk in SoftIce again and write down the values before the TEST/CMP instructions once more. Now you'll get the message 'The trial period license has expired'. What went wrong?

    Well, looking over the values I wrote down before the compares I noticed the line "0041952A 85C0 test eax, eax". Here eax = FFFFFFFF if expired and 1e if not expired! The call to 0040DBA0 must have found out that we set the clock a couple of months ahead.

    When not expired eax = 1e and we jump to 0041954F. Why don't we always do that!?

    Let's try a possible fix:

    :00419527 83C404          add esp, 00000004     ; before the fix
    :0041952A 85C0            test eax, eax
    :0041952C 7D21            jge 0041954F
    :0041952E 6A10            push 00000010
    :00419530 680CD44200      push 0042D40C
    :00419535 68F8D34200      push 0042D3F8

    :00419527 83C404          add esp, 00000004     ; after the fix
    :0041952A B81E000000      mov eax, 0000001E     ; now we *always* have 30 (1e hex) days left
    :0041952F EB1E            jmp 0041954F
    :00419531 90              nop
    :00419532 90              nop
    :00419533 90              nop
    :00419534 90              nop
    :00419535 68F8D34200      push 0042D3F8

    This patch forces the program to behave as if it always had 30 days left of the trial period by setting eax to 1e and making the jump unconditional.
    Notice that this patch doesn't change any memory contents or any registers other than eax! This is important because if you change registers or memory contents it's very hard to predict the results... could be a page fault or something like that.
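    Added example, written from the defender's side and not part of the original tutorial or of WillowTALK's own code: a small C model of what the listing shows. trial_expired is how a compiler would express the "test eax,eax / jge" check on a helper that returns -1 for expired and the days left otherwise; short_jmp_target confirms the listed short-jump targets (the jge at 0041952C, the new jmp at 0041952F and the jne at 0041954F all resolve as the listing says); and code_tampered is the kind of self-check a vendor can add so that the program notices when the 11 bytes at 0041952A..00419534 no longer match a reference copy, which is exactly what the patch above changes. The two byte arrays are copied from the before/after listings; the function names and the reference-copy check are my own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of the check at 0041952A..0041952C. The page describes the helper at
   0040DBA0 as returning -1 (FFFFFFFF) when the trial has expired and the number
   of days left (1e = 30 on a fresh install) otherwise. "test eax,eax / jge" is
   what a compiler emits for a signed "days < 0" test on that return value. */
int trial_expired(int days_left)
{
    return days_left < 0;
}

/* The 11 bytes at 0041952A..00419534 before the patch (copied from the listing). */
static const uint8_t genuine_bytes[11] = {
    0x85, 0xC0,                    /* test eax, eax */
    0x7D, 0x21,                    /* jge  0041954F */
    0x6A, 0x10,                    /* push 00000010 */
    0x68, 0x0C, 0xD4, 0x42, 0x00   /* push 0042D40C */
};

/* The same 11 bytes after the patch (copied from the listing): same length,
   so nothing after 00419535 moves. */
static const uint8_t patched_bytes[11] = {
    0xB8, 0x1E, 0x00, 0x00, 0x00,  /* mov eax, 0000001E */
    0xEB, 0x1E,                    /* jmp 0041954F      */
    0x90, 0x90, 0x90, 0x90         /* nop x4 (padding)  */
};

/* A short jump (EB/7D/75 followed by disp8) is relative to the end of its own
   2-byte encoding: target = address of the jump + 2 + sign-extended disp8. */
uint32_t short_jmp_target(uint32_t instr_addr, int8_t disp)
{
    return instr_addr + 2u + (uint32_t)(int32_t)disp;
}

/* Defender's counterpart (assumed design, not WillowTALK's): a program that
   keeps a reference copy or hash of its own license-check bytes can compare
   them at run time. Returns 1 when the live bytes differ from the reference. */
int code_tampered(const uint8_t *live, const uint8_t *reference, size_t n)
{
    return memcmp(live, reference, n) != 0;
}

/* Wrappers over the constructed arrays so the check can be exercised by name. */
size_t region_size(void)          { return sizeof genuine_bytes; }
int genuine_copy_tampered(void)   { return code_tampered(genuine_bytes, genuine_bytes, sizeof genuine_bytes); }
int patched_copy_tampered(void)   { return code_tampered(patched_bytes, genuine_bytes, sizeof patched_bytes); }

int main(void)
{
    printf("jge 7D21 at 0041952C -> %08X\n", short_jmp_target(0x0041952Cu, 0x21));
    printf("jmp EB1E at 0041952F -> %08X\n", short_jmp_target(0x0041952Fu, 0x1E));
    printf("jne 7521 at 0041954F -> %08X\n", short_jmp_target(0x0041954Fu, 0x21));
    printf("expired(-1)=%d expired(30)=%d\n", trial_expired(-1), trial_expired(30));
    printf("genuine flagged=%d patched flagged=%d\n",
           genuine_copy_tampered(), patched_copy_tampered());
    return 0;
}
```

    The byte comparison is the simplest form of an integrity check; a real product would more likely store a hash of the region and verify several regions from more than one place, so that a single in-place patch of the check itself is not enough to disable it.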
     
    Final Notes
     

    There are many ways to crack this program. The call 0040DBA0 could perhaps have been replaced by mov eax,1e and you could also try to debug the call to see what it does.

    Only after I made the crack did I discover that 1e hex (= 30 decimal) was the number of days left. So be aware of the hex value of the days left when cracking protection schemes like this.
     

    Greetings/thanks to The Sandman, Razzia, Volatility, Eternal Bliss, and all other tutorial writers!
     
    Ob Duh
     

    I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one.
     