http://www.microsoft.com/office/photodraw - Webpage.
Well, I thought it was about time I damaged our friends at M$ (the undisputed kings of poor software). I'm using the PhotoDraw 30-day trial obtained from PC Direct's subscribers' CD-ROM; in fact just installing this program ought to prove a bad enough experience, especially if you've not yet subjected yourself to the combined horrors of Internet Explorer and the Active Desktop. Kiss goodbye to 45Mb of HD space as well.
Triggering the time-out nag and establishing its location should prove easy enough. You'll find it with a bpx on MessageBoxA at address 5F45C4D4; the relevant file is the rather small pd1oc.dll (932k). MS actually seem to have finally learnt something here: using W32Dasm on the file won't work, though sadly whatever tricks they used to kill W32Dasm don't appear to fool IDA. You might like to try several things whilst you wait: W32Dasm will disassemble photodrw.exe without any problems, and you could also investigate why pd1oc.dll fails.
Fishing through the imports from pd1oc.dll you'll find a long list of Ordinal:XXXX exports. This is very similar to some applications using the MFCs, where W32Dasm is unable to assign recognised names to functions exported by ordinal; you'll realise pretty quickly that W32Dasm isn't going to help you at all. Let's try loading pd1oc.dll's exports into SoftICE's loader before we move in with some date APIs.
MS trial software throughout its history has always been susceptible to date APIs, and this one is no exception: GetLocalTime, GetSystemTime or GetTimeZoneInformation all provide a convenient entry point and only break once, being called from inside msvcrt.dll. Once you gain this entry point, hit F12 once to get inside photodrw.exe (address 30002072). In fact the really interesting code is another F12 away, but I recommend you just trace through this level and observe. You'll reach this code eventually, and as we have suspected the real checking will be done by the dll.
:3000ADBB LEA EAX,[ESI-01] <-- Key value of EAX.
:3000ADBE CMP EAX,05 <-- Suggests EAX < 5 is bad (defines acceptable range).
:3000ADC1 JA 3000AE00 <-- Jump_on value_of_EAX.
:3000ADC3 JMP DWORD PTR [4*EAX+3000B6D8] <-- Familiar DWORD jump table.
:3000ADFB CALL 3000C98E <-- PD1OC.Ordinal:1040 <-- The real check.
:3000AE00 TEST ESI,ESI <-- Check ESI=0.
:3000AE02 JZ 3000AE23 <-- Good_jump.
:3000AE04 CMP ESI,07 <-- Check ESI=7.
:3000AE07 JZ 3000AE23 <-- Also_good_otherwise_nag_box.
This code is actually pretty interesting; the DWORD jump table is very strange indeed. You'll recall from the HASP scheme that the JA is usually a quick exit from the real code path; however, in this scheme I traced to 3000ADBE and noted that EAX=3 and ESI=4. If we actually jump here, ESI's value gets immediately tested, and we know already that only a 0 or 7 will do. In fact the JA is quite possibly good, especially if you took my advice and traced the code before this.
You can of course now modify the program in any number of ways to ensure that the code jumps to 3000AE23; a simple XOR ESI,ESI at 3000AE00 would work. I decided at this point to restore my BIOS clock to the correct date and see what difference (if any) that made. In fact the result surprised me: most decent software will reject any BIOS cheating, but PhotoDraw sadly doesn't. It's now a simple matter to trace through the code we identified earlier and see how it differs from the expired version; this "checking" is actually a good way of improving your skills.
In fact, as I suggested, the JA is indeed good: I traced to 3000ADBE and found EAX=FFFFFFFF (-1) and ESI=0. Thus the call to Ordinal:1040 (a 2nd check) seems rather strange; why confirm the program expiration is bad for a second time, unless of course this function doesn't actually do anything that affects ESI? Patching correctly is then pretty simple. We'll firstly fix EAX to -1 by replacing 3000ADBB with XOR EAX,EAX and DEC EAX (33 C0 48). Next we'll ensure ESI is 0 by XORing it at 3000AE00.
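The clock-rollback check that PhotoDraw lacks, as an added illustration (not PhotoDraw's or Microsoft's code): a portable C trial check that persists a high-water mark of the latest clock value it has seen and reports tampering if the current time falls below it, so winding the BIOS clock back no longer reopens the trial. The record layout, enum and function names are assumptions for the example; a real product would store the record somewhere the user cannot trivially reset.

```c
#include <stdint.h>

/* Hypothetical result codes for the trial check. */
typedef enum {
    TRIAL_OK = 0,
    TRIAL_EXPIRED = 1,
    TRIAL_TAMPERED = 2
} trial_state;

/* Hypothetical persisted record: written at first run, updated on every check. */
typedef struct {
    int64_t install_time;   /* seconds since epoch when the trial began */
    int64_t last_seen;      /* highest clock value observed so far (high-water mark) */
} trial_record;

#define TRIAL_DAYS      30
#define SECONDS_PER_DAY 86400LL

/* Decide the trial state for clock value 'now' (e.g. from GetSystemTime converted to
 * seconds). A clock that has gone backwards relative to the stored high-water mark is
 * treated as tampering rather than as extra trial time. */
trial_state trial_check(trial_record *rec, int64_t now)
{
    if (now < rec->last_seen)
        return TRIAL_TAMPERED;          /* clock rolled back: refuse, keep the mark */

    rec->last_seen = now;               /* advance the high-water mark */

    if (now - rec->install_time >= TRIAL_DAYS * SECONDS_PER_DAY)
        return TRIAL_EXPIRED;           /* 30 days have genuinely elapsed */

    return TRIAL_OK;
}
```

Because the mark only ever moves forward, setting the clock back after day 30 yields TRIAL_TAMPERED rather than a fresh TRIAL_OK, which is the behaviour the expired PhotoDraw trial fails to enforce.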
All that remains is for you to enjoy the uninstallation of this software, which is perhaps its most appealing feature.