Aug 1998
"VersList V2.1.4c"
( 'Time Limited Software'  )
Win '95 PROGRAM
Win Code Reversing
 
 
by The Sandman 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: verslist.zip
Program Type: File version checker
Program Location: Here 
Program Size: 192K 
 
    
Tools Used:
Softice V3.2 - Win'95 Debugger
W32Dasm V8.9 - Win'95 Disassembler
 
Rating
Easy ( X  )  Medium (   )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
   
 
VersList V2.1.4c
( 'Time Limited Software'  )
Written by The Sandman
 
 
 
Introduction
 
The author(s) of VersList  says:-
 
"VersList is a powerful tool to determine what files change on your disks.  Whenever you install new programs, either commercial products or shareware, these programs will add new executables or Dynamic Link Libraries (DLLs) to your disks.  Sometimes these executables and libraries can regress your machine or cause other problems.  VersList will find all the executables and libraries on your machine and make note of their version and creation dates.

VersList is shareware.  This copy of the program will run for 30 days after which you must register the software for a cost of only $15."
 
About this protection system
 
The protection system used for this program relies on the fact that there is no registration screen, so you can't sniff out any registration codes. Also, there are no routines within this program that display any text relating to the program having been registered, no routines to print User details etc., but that's ok, because we can make do with the ones we have at our disposal..:)
 
This program will run for 30 days and that's it! After this period has elapsed it will refuse to run, displaying instead the 'About' screen showing that your trial period has expired; once you've clicked on the 'OK' button to close the About screen the program will exit back to windoze.
 
The Essay 
     
By the time I finally got round to this program its 30 day time limit had already expired, so my first task was to disable this time check; it's no fun being locked out of a program you've never even seen before, let alone evaluated!..:)
 
You should all know by now that the majority of 'time dependent' software uses the system function GetLocalTime in order to calculate how much time you've had so far to evaluate the software. I often use this function just to get me into a program's code, especially if the programmers have done their best to prevent me bpx'ing during the registration process.
 
As always, let's create a 'Dead Listing' of VersList so that we may see where we can patch this babe...

Since I was being greeted with the message "Expired, please register" each time I tried running VersList, this looked as good a starting point to begin our reverse assembling as any..

While in W32Dasm open up the program's String Data Resources and search for the text string "Expired, please register". We should now see this code snippet.
 
;By the time the program reaches here, register ecx holds the number of
;days you have used so far to evaluate this program.

;Since I know that this information gets shown in the 'About' screen I
;know that we're in the About screen routine.

:004054E5 83F93B           cmp ecx, 0000003B ;ecx = 59 Days?
:004054E8 7E07             jle 004054F1      ;no? then jump
:004054EA 688C934400       push 0044938C     ;->"Expired, please register"
:004054EF EB1D             jmp 0040550E      ;display mesg then exit prog.

:004054F1 41               inc ecx ;Come here if you still have days free
:004054F2 8D45F0           lea eax, dword ptr [ebp-10]
:004054F5 51               push ecx
:004054F6 687C934400       push 0044937C ;->"Day %d of 60"
:004054FB 50               push eax
:004054FC E831550100       call 0041AA32
 
OK, looking at the above code, this program has only two choices as to what it can display in the 'About' screen: either that you have X amount of days left to evaluate this program, or that your evaluation period has expired.

If we are going to make this program run for ever and look just like the *real* registered copy we're going to have to patch this routine here and now before disabling the time check routine.. The idea here is this..

We 'force' the program to always display the text message "Expired, please register" even if we've plenty of time left, because we don't want the program to display how many days are left; in the *real* version this doesn't happen. Once we've patched this routine we then re-write the text "Expired, please register" so that it now says "Registered Version" instead. So now this routine will look something like this:-
 
:004054E5 83F93B           cmp ecx, 0000003B ;ecx = 59 Days?
:004054E8 90               nop
:004054E9 90               nop
:004054EA 688C934400       push 0044938C     ;->"Registered Version"
:004054EF EB1D             jmp 0040550E      ;display mesg then continue.

:004054F1 41               inc ecx ;The program will NEVER come here..:)
:004054F2 8D45F0           lea eax, dword ptr [ebp-10]
:004054F5 51               push ecx
:004054F6 687C934400       push 0044937C ;->"Day %d of 60"
:004054FB 50               push eax
:004054FC E831550100       call 0041AA32
 
Next, we must track down a conditional jump somewhere within the program's code that tells the program to:-

1. Display Nag Screen informing the User they've run out of time.
2. Exit back to Windoze
 
Now let's start thinking like a programmer: how would he/she determine the chain of events that must happen each time this program is run?

Let's see now... perhaps this is what they would do.

[ OK, as soon as the User starts the program we want to see if the program is registered or not. Yes, even though this program has no actual routines specific to being able to register itself, it still needs some sort of flag, a memory location to work from: a remnant from the original, non-shareware program. This statement is not always true but a lot of the time it is.]

Next, once this check has been performed (it will always return a value indicating that it's not been registered) the program must then check what time it is on the User's pc, hence the call to the system function GetLocalTime.

Next, if the User still has some days remaining, let the program continue on as normal. However, if the User has used up all his evaluation period, then display a nag screen and exit.

So there you have it: we need to get Softice to bpx on any calls this program makes to the System function GetLocalTime, then back-track a little through the code until we come to a conditional jump that has the option of jumping over the call instruction that checks what time it is on the User's pc!
 
Right, start up Softice by pressing the  Ctrl-D keys down together.
 
Type: bpx getlocaltime then X to leave Softice.
 
Fire up VersList and Softice should now break at the start of the system function GetLocalTime. From here press 'F11' once to return back into the VersList program code.
 
We should now see this snippet of code:-
 

:0040C57C FF15B0194500       Call KERNEL32.GetLocalTime
:0040C582 8D4C2404           lea ecx, dword ptr [esp+04] ;We land here.
:0040C586 51                 push ecx
:0040C587 FF15A8194500       Call KERNEL32.GetSystemTime
:0040C58D 668B4C240E         mov cx, word ptr [esp+0E]
:0040C592 66390D72E34400     cmp word ptr [0044E372], cx

From here keep pressing the 'F10' until you land on a RET instruction, which you will find here..

:0040C669 7402               je 0040C66D
:0040C66B 8901               mov dword ptr [ecx], eax
:0040C66D 5E                 pop esi
:0040C66E 81C4CC000000       add esp, 000000CC
:0040C674 C3                 ret <--'F10' until here.

Once you land on the RET instruction press the 'F10' key once more. The beauty of these RET instructions is that they will return us back to wherever this routine was originally called from, which in effect allows us to back-track our way through the code a little, because we will be able to see if there were any conditional jump statements that preceded the call to the routine we just RETurned from!

On executing the above RET instruction we will be taken to this section of code. Don't forget we're looking for any conditional jump statements that precede the call instruction we've just returned from!
 
* Referenced by a CALL at Addresses: :004054AA, :004055AF, :00408B52
;Mmmm, three separate CALL's to this routine..

:0041A4CA 6A00               push 00000000
:0041A4CC E89F20FFFF         call 0040C570 ;This calls the above routine
                                           ;we've just RETurned from!.
:0041A4D1 8B4C2408           mov ecx, dword ptr [esp+08] ;We RETurn here.
:0041A4D5 83C404             add esp, 00000004
:0041A4D8 8901               mov dword ptr [ecx], eax
:0041A4DA 8BC1               mov eax, ecx
:0041A4DC C20400             ret 0004 ;'F10' until you get here.

In the above routine, small as it is, there are no conditional jump statements to be seen, so we must once more 'F10' our way through each instruction onto the RET 004 instruction until we arrive here..
 
:0040559B E8805C0000         call 0040B220 ;This call will return either:
                                           ;EAX=0 meaning unregistered or,
                                           ;EAX=1 meaning registered.
 
:004055A0 83C408             add esp, 00000008 ;Adjust the stack
:004055A3 85C0               test eax, eax     ;EAX=1?
:004055A5 0F8585000000       jne 00405630      ;Yes? then skip time check!
:004055AB 8D45EC             lea eax, dword ptr [ebp-14];else do time check
:004055AE 50                 push eax
:004055AF E8164F0100         call 0041A4CA ;This calls the above routine
:004055B4 6A00               push 00000000 ;We RETurn here

Look!, we find our FIRST conditional jump statement just above where we RETurned from the above routine!.  If you wish to test this routine as I have already done for this essay then once Softice breaks on GetLocalTime you will need to do the following:-

1. Press the F11 key once.  This will return you back to VersList program code.
2. bc *  Clear away any old Softice breakpoints.
3. Type u 0040559B Displays the above code fragment.
4. Type bpx 0040559B Sets a new Softice Breakpoint at the start of the above code fragment.
5. Press X to leave softice and then exit from VersList.
6. Now re-run VersList and Softice now breaks on your new breakpoint.
 
Don't forget to type 'T' if you wish to trace into the call 0040B220, because pressing F11 will skip over it and you won't see what's going on at this memory location.

For this essay we're going to patch the above routine so that we force the program to ALWAYS skip the time checks and run directly into the main program, thereby avoiding any time checks and any Nag Screens. The new modified routine will now look like this:-

:004055A0 83C408         add esp, 00000008 ;Adjust the stack
:004055A3 85C0           test eax, eax     ;EAX=1?
:004055A5 E986000000     jmp 00405630      ;Jmp always & skip time checks!
:004055AA 90             nop
:004055AB 8D45EC         lea eax, dword ptr [ebp-14];The code below now
                                                    ;never gets executed!
:004055AE 50             push eax
:004055AF E8164F0100     call 0041A4CA ;This calls the above routine
:004055B4 6A00           push 00000000 ;We RETurn here
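To read a dead listing with confidence you need to be able to recompute where each relative branch really lands, and that is also what explains one detail of the patch above: the 6-byte jne at 004055A5 carries displacement 85 while the 5-byte jmp that replaces it carries 86, yet both land on 00405630 because the target is measured from the end of the instruction. This is an added worked example, not code from the essay; the addresses and bytes are the listings' own, and the opcode table covers only the branch forms that appear on this page.

```python
import struct

# Relative branch forms that appear in the essay's listings:
# opcode bytes -> (mnemonic, displacement width). Target = address of the
# next instruction + sign-extended displacement, so instruction length matters.
REL_BRANCHES = {
    b"\x7e": ("jle", 1),
    b"\xeb": ("jmp", 1),
    b"\xe8": ("call", 4),
    b"\xe9": ("jmp", 4),
    b"\x0f\x85": ("jne", 4),
}


def branch_target(address, code):
    """Decode a relative branch at `address` from its raw bytes.
    Returns (mnemonic, target) or None if the bytes are not a handled form."""
    for opcode, (mnemonic, width) in REL_BRANCHES.items():
        if code.startswith(opcode):
            length = len(opcode) + width
            disp = code[len(opcode):length]
            if len(disp) != width:
                return None
            rel = struct.unpack("<b" if width == 1 else "<i", disp)[0]
            return mnemonic, (address + length + rel) & 0xFFFFFFFF
    return None


# (address, bytes, target printed in the listing), copied from the essay.
LISTING = [
    (0x004054E8, "7E07", 0x004054F1),          # jle past "Expired" when days remain
    (0x004054EF, "EB1D", 0x0040550E),          # jmp to the display code
    (0x004054FC, "E831550100", 0x0041AA32),    # call that formats "Day %d of 60"
    (0x0040559B, "E8805C0000", 0x0040B220),    # call to the registered-flag check
    (0x004055A5, "0F8585000000", 0x00405630),  # 6-byte jne, displacement 0x85
    (0x004055A5, "E986000000", 0x00405630),    # 5-byte jmp from the patch, 0x86
    (0x004055AF, "E8164F0100", 0x0041A4CA),    # call to the GetLocalTime wrapper
    (0x0041A4CC, "E89F20FFFF", 0x0040C570),    # call with a negative displacement
]


def check_listing(entries=LISTING):
    """Recompute each target; returns [(address, mnemonic, matches_listing)]."""
    results = []
    for address, hexbytes, expected in entries:
        mnemonic, target = branch_target(address, bytes.fromhex(hexbytes))
        results.append((address, mnemonic, target == expected))
    return results
```

Calling check_listing() reproduces every target in the essay's listings from its bytes, including the backward call at 0041A4CC whose displacement is negative.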
 
Job Done.
 
The Crack
     
There are three separate patches required to make this program run and look like its legal counterpart. The first two patches are necessary; the third is more cosmetic but makes the final cracked results look better..:)

Load up verslist.exe into your favourite Hex-Editor.
 
Search for the following bytes:  83F93B7E07688C93
Replace with following bytes   :  83F93B9090688C93
 
Search for the following bytes: 85C00F8585000000
Replace with following bytes   : 85C0E98600000090
 
Search for the text:    Expired, please register
Replace this text with: Registered Version followed by SIX SPACES
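Seen from the other side, the three patch sites above also make a signature: an analyst or the vendor can tell an untouched verslist.exe from one carrying exactly these edits. This is an added example and not part of the essay; the byte patterns and strings are the page's own, while the two sample images are constructed filler, not real file contents.

```python
# (site, bytes as shipped, bytes after patching), taken from "The Crack" above.
SITES = [
    ("expiry check", bytes.fromhex("83F93B7E07688C93"), bytes.fromhex("83F93B9090688C93")),
    ("flag check",   bytes.fromhex("85C00F8585000000"), bytes.fromhex("85C0E98600000090")),
    ("about string", b"Expired, please register",       b"Registered Version" + b" " * 6),
]


def classify_image(image):
    """Return {site: 'original' | 'patched' | 'missing'} for a loaded file image.
    'missing' means neither form was found: a different build, or a patch
    that does not match the one described in the essay."""
    verdict = {}
    for name, original, patched in SITES:
        if original in image:
            verdict[name] = "original"
        elif patched in image:
            verdict[name] = "patched"
        else:
            verdict[name] = "missing"
    return verdict


def is_tampered(image):
    """True if any of the three sites carries the patched form."""
    return any(v == "patched" for v in classify_image(image).values())


def load_image(path):
    """Read a whole file as bytes so it can be handed to classify_image()."""
    with open(path, "rb") as fh:
        return fh.read()


# Constructed sample images: filler bytes around the three sites (not real data).
CLEAN = b"\x00" * 16 + SITES[0][1] + b"\xcc" * 8 + SITES[1][1] + b"\x00" * 4 + SITES[2][1]
CRACKED = b"\x00" * 16 + SITES[0][2] + b"\xcc" * 8 + SITES[1][2] + b"\x00" * 4 + SITES[2][2]
```

A check like this is only meaningful as an external file check: compiled into the program itself it would sit behind a conditional jump of exactly the kind this essay patches.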
 

If you intend on using this program beyond its evaluation period then please BUY IT!
 
Final Notes 
    
Just because a program is a time limited demo doesn't mean it can't be cracked!
 
My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses are encouraged to produce even *better* software for us to use and enjoy.

Ripping off software through serials and cracks is for lamers..
 
If you're looking for cracks or serial numbers from these pages then you're wasting your time, try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 

Essay by:          The Sandman
Page Created: 22nd August 1998