Find a quick way back to more documents with this link.
Return to Main Index
http://www.kaetron.com - Webpage (2.43Mb).
I'm here once again doing another time-trial tutorial (this program was recommended to me by good friend Zappa) and ought to demonstrate to all software authors that a badly implemented time-trial is as good as no protection. You ought to know the drill by now, trigger the time trial by advancing your system time and disassemble persinv.exe (the nagstrings are clear to see).
:00423FF2 PUSH 00487A84 <-- "Demo Expired".
:00423FF7 PUSH 00487A84 <-- "This demonstration copy of Personal....."
Quoting more code here is pretty pointless, these are the bad nag strings which we don't want the code to reach under any circumstances so lets trace the code tree upwards and see how we might avoid this.
:00423FC0 FSTSW AX <-- Store FPU status register in AX (16-bit).
:00423FC2 TEST AH, 41 <-- Test AH.
:00423FC5 JNZ 0042407D <-- Jump_nag_strings.
Evidently this test determines whether our trial is over, however lets see what happens when the code resumes at 0042407D, the nag string at 004240A0 confirms what we know already and also shows that another message box is on its way informing us how much time we have left. Note that there is no convenient way of "jumping over" this nag screen so lets take a little trace higher than our time expiry check and see if we can avoid this code altogether.
You'll find that CALL 00423F57 is referenced in 3 other places, all of which are surprisingly close together. Lets take a look at the earliest in the code tree.
:00423EEB CMP DWORD PTR [EBP-18], EAX <-- Check.
:00423EEE JGE 00423F0F <-- Maybe_good.
:00423EF7 CALL 00423F57 <-- Call_checking_function.
:00423F0F CMP DWORD PTR [EBP-10], 00000000 <-- 2nd check (assuming JGE 00423F0F jumped).
:00423F13 JLE 00423F26 <-- Jump_and_we'll_call_check_at_00423F43.
:00423F1C CALL 00423F57 <-- Else_perform_check_here.
Tracing any higher is pretty pointless, you can't avoid reaching 00423EEB period so
whatever patches we make the checking routine must be called, thats actually
quite surprising when you consider how awful the protection really is. As an
aside you'll notice after the time trial expiry that the program prompts for a
password to renew the time-trial period, cracking this is trivial but the
password ought to provide some amusement.
* Possible StringData Ref from Data Obj ->"dle97m30"
:0042400C PUSH 004879E8 <-- You won't believe what this is.
You guessed it, just keep entering the nice string reference and you too can extend your trial period every 30 days. Lets return to our editing. The first change we'll make is too force the JNZ 0042407D, we could also XOR AH,AH in place of the TEST AH,41 as well, although in reality it makes little difference.
In fact I made a pretty elegant patch here because I didn't really like using 2 NOP's. So I XOR'ed AH,AH (32 E4), then XOR'ed ECX,ECX (33 C9) and forced the JMP 0042407D (E9 B2 00 00 00). The reason I could safely XOR ECX was twofold, firstly its storing a bad value and secondly after the jump its value is immediately changed. Next we'll fix the MessageBoxA that informs us how much time we have left, we'll settle for removing the API call altogether and correcting the stack.
The time-left nag box before the F11 return had ESP = 0086FC94, after clicking O.K ESP returned as 0086FCA4, so we'll need a stack correction of 10h (16dec). We can easily replace the 6 bytes of MessageBoxA for (ADD ESP,08 and ADD ESP,08) - 83 C4 08 83 C4 08.
For aesthetic purposes we'll also remove the Demo strings using our old friend Borland Resource Workshop. So launch BRW and drag persinv.exe onto its Window. Now navigate through the resource Window and locate STRINGTABLE 128, that reference looks interesting and ripe for editing as text. The final string DEMO COPY in the about menu can also be changed easily, check out DIALOG 100 and you'll see what I mean. The reference beneath VERSIONINFO only effects the file Properties information not this string.
Sadly using BRW to make these changes renders most simple byte patchers ineffective as most rely on the file size remaining the same. You are advised therefore to try this yourself :).
Return to Main Index