DropConvert v2.2 - Tutorial

http://www.ozemail.com.au/~launch/ (190k).

I thought it was about time I did another time-trial tutorial, but this time I'll introduce you to some real 'zen' fast cracking. For this protection we won't even bother using SoftICE or a disassembler; in fact we won't even bother moving the BIOS clock (maybe just to verify our theory). With most of these protections you can feel the code.

DropConvert allows us a 30-day trial (according to the documentation), so let's just think about how a lazy programmer might check this, or how it might look in assembly, perhaps something like this:

CMP DWORD PTR register, 1E <-- 1Eh is of course 30 (days).
JLE/JGE address <-- Most likely one of these conditional jumps.

So let's think in terms of opcodes: we have 83 for CMP, only a few likely register options (when you've seen lots of time-trials you'll begin to feel which registers are used more commonly), then 1E for the 30 days and either 7E (JLE) or 7D (JGE) for the conditional jump.

So let's grab our HEX editor and perform a little searching. I'll cut to the chase and tell you to look for 83 38 1E 7E, that's a CMP DWORD PTR [EAX],1E followed by a JLE. Incredibly, the only location you'll find performs this exact comparison. Immediately this location feels as if it must be our time-trial check.

I didn't even feel the need to verify this. Let's make the JLE (7E 33) that we've found into an unconditional jump (EB 33); I'm sure this program will never expire (in fact I did check just in case, see below). As a project you might like to try replacing all of the nasty 'Shareware' and 'Unregistered' strings contained in the program executable. I had some success with the title bar and About box with my HEX editor, just overwriting with 20h, but be careful with your editing.

Verification

Well, I did move my BIOS date forward, and although DropConvert did successfully start I did receive a message box, which looks like a standard call anyhow. That however is easily fixed by changing the following instruction:

:00445B1F JLE 00445B52 <-- Fix this to jump or change the instruction before.

Before: 7E 31 68 24 5D 44 00 8D
After:  EB 31 68 24 5D 44 00 8D
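An added example, not part of the original tutorial: a small Python decoder for just the encodings used above, CMP r/m32,imm8 (opcode 83, ModRM /7) and the 8-bit relative jumps. Fed the bytes quoted in the text it shows why 83 38 1E 7E reads as CMP DWORD PTR [EAX],1E followed by a JLE, and confirms that the 7E 31 at 00445B1F really targets 00445B52. The address of the first pattern is not given in the text, so it is decoded at a placeholder base of 0.

```python
# Tiny decoder for the x86 encodings this tutorial relies on: CMP r/m32,imm8
# (83 /7 ib) in register-direct and plain [reg] indirect forms, plus the rel8
# jumps JLE, JGE, JL, JG and JMP. Any other byte stops the decode.
REGS32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
JUMPS8 = {0x7E: "JLE", 0x7D: "JGE", 0x7C: "JL", 0x7F: "JG", 0xEB: "JMP"}


def _sign8(b):
    """imm8 and rel8 are sign-extended, so treat the byte as signed."""
    return b - 0x100 if b >= 0x80 else b


def decode(code, base):
    """Decode `code` as if loaded at virtual address `base`.

    Returns a list of (address, mnemonic) tuples in Intel syntax with hex
    operands, stopping at the first byte the decoder does not understand.
    """
    out, pos = [], 0
    while pos < len(code):
        addr, op = base + pos, code[pos]
        if op == 0x83 and pos + 2 < len(code):
            modrm = code[pos + 1]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            # reg field 7 selects CMP; SIB (rm=4), disp32 (rm=5) and the
            # disp8/disp32 forms are not needed here, so bail out on them
            if reg != 7 or mod in (1, 2) or (mod == 0 and rm in (4, 5)):
                break
            operand = REGS32[rm] if mod == 3 else "DWORD PTR [%s]" % REGS32[rm]
            imm = _sign8(code[pos + 2]) & 0xFFFFFFFF  # sign-extended to 32 bits
            out.append((addr, "CMP %s,%X" % (operand, imm)))
            pos += 3
        elif op in JUMPS8 and pos + 1 < len(code):
            # rel8 is measured from the address of the *next* instruction
            target = (addr + 2 + _sign8(code[pos + 1])) & 0xFFFFFFFF
            out.append((addr, "%s %08X" % (JUMPS8[op], target)))
            pos += 2
        else:
            break
    return out


if __name__ == "__main__":
    # The check pattern (placeholder base 0) and the verification site bytes
    for addr, text in decode(bytes.fromhex("83381E7E33"), 0):
        print("%08X %s" % (addr, text))
    for addr, text in decode(bytes.fromhex("7E3168245D44008D"), 0x00445B1F):
        print("%08X %s" % (addr, text))
```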

Software authors, please take note: this is a very poor way to implement a date check, even for just $20 of shareware. As a final note, this program is in my opinion worth its registration fee, so if you use it take the time to support the author. I don't use it so won't be registering my copy.


© 1998 CrackZ. 6th June 1998.