Soft : Prassi CD-REP 1.0.028
Protection : Time Trial Protection (30 days)
Tool : Wdasm32, any version
What's the problem ?
After you've installed CD-REP 1.0.028 you can use it for 30 days. And 30
days later (or 2 seconds later, if you play with the system time) you see a message
box like: "Sorry, this demo version has expired" or "Sorry, this
demo has expired because the system time has been changed."
You're very disappointed because you need CD-REP to record your CDs;
of course you have other softs, but this one looks like CDRWIN or DAO and
you love this kind of soft (I don't understand why ... )
So you decide to look at the protection scheme:
First Step
Run your favorite disassembler (like w32dasm89) and look for the nasty
string: "Sorry, this demo version has expired"
After a few seconds you find this:
* Referenced by a Jump at Address:9038(C)
|
:9835 8D542458      lea edx, dword ptr [esp+58]
:9839 52            push edx
* Reference to String Resource ID=00078: "Sorry, this demo version has expired."
:983A 6A4E          push 4E
:983C EB0F          jmp 984D
* Referenced by a Jump at Address:902C(C)
|
:983E 8D542454      lea edx, dword ptr [esp+54]
:9842 6800020000    push 200
:9847 52            push edx
* Reference to String Resource ID=00269: "Sorry, this demo has expired because the system time has bee"
:9848 680D010000    push 10D
* Referenced by a Jump at Address:983C(U)
|
:984D A12C3E4600    mov eax, dword ptr [00463E2C]
:9852 50            push eax
* Reference To: USER32.LoadStringA, Ord:0183h
:9853 FF1540F74700  Call dword ptr [0047F740]    ;Display the string
You notice two offsets:
9835 : referenced by a conditional jump at 9038,
983E : referenced by a conditional jump at 902C.
You have found where the strings are displayed, now let's find out why...
Second Step
We will now have a look at the code near 902C:
:9013 E8684C0000      call DC80                          ;A function that returns something in EAX
:9018 8BF0            mov esi, eax
:901A 81E6FFFF0000    and esi, 0000FFFF                  ;In fact only the low word is important
:9020 8BC6            mov eax, esi
:9022 83E800          sub eax, 00000000                  ;Strange
:9025 7459            je 9080                            ;Very strange
:9027 2DFEFF0000      sub eax, 0000FFFE
:902C 0F840C080000    je 983E                            ;Display "you've changed the system time..."
:9032 48              dec eax
:9033 6800020000      push 00000200
:9038 0F84F7070000    je 9835                            ;Display "the demo version has expired..."
:903E 8B0D2C3E4600    mov ecx, dword ptr [00463E2C]      ;Ok, the demo version remains available
:9044 8D842458020000  lea eax, dword ptr [esp+00000258]
:904B 50              push eax
:904C 6A41            push 41                            ;"This is a full functional demo version of the application"
:904E 51              push ecx
:904F FF1540F74700    Call dword ptr [0047F740]          ;USER32.LoadStringA, Ord:0183h
:9055 8D942454020000  lea edx, dword ptr [esp+00000254]
That's right, you have found what you need. You could just change the JE 983E and the JE 9835 into NOPs and go back to your sleepy laziness: tomorrow you would be able to use CD-REP, and the day after as well, and so on... But we are NOT here in order to use software for free, we are here in order to understand the CODE! So let's work on all this and delve deeper inside our target... yeah, it's already cracked, so what? We'll still find some nice little fishes, just follow me...
In fact there is something strange at offset
9022. Why this test? Is there another solution, or is it another protection?
If EAX=0 the program jumps to 9080. If you look
at 9080 you will see that the message box ("This is a full functional
demo version of the application...") is not displayed and the program
runs without checking the date at all!
So there is an easier solution: force EAX to be NULL ... How? ...
Change AND ESI,0000FFFF into AND ESI,00000000 at offset 901A.
However, I'm too curious: I wonder why this
test was used, so I decided to look at DC80, the function that returns
something in EAX.
Third Step
So what's going on?
:DC75 81C458010000      add esp, 00000158
:DC7B C3                ret                          ;Ok, DC80 cannot be reached except from 9013
:DC7C 90                nop
:DC7D 90                nop
:DC7E 90                nop
:DC7F 90                nop
* Referenced by a CALL at Address:9013             ;This is our only call
|
:DC80 83EC7C            sub esp, 7C
:DC83 66833DE4BA450000  cmp word ptr [5BAE4], 0      ;Very interesting !!
:DC8B 53                push ebx
:DC8C 55                push ebp
:DC8D 56                push esi
:DC8E 57                push edi
:DC8F 750B              jne DC9C                     ;if [5BAE4]!=0 jump to the calculation ...
:DC91 6633C0            xor ax, ax                   ;else AX=0
:DC94 5F                pop edi
:DC95 5E                pop esi
:DC96 5D                pop ebp
:DC97 5B                pop ebx
:DC98 83C47C            add esp, 7C
:DC9B C3                ret                          ;That's all
* Referenced by a Jump at Address:DC8F(C)
|
:DC9C 6A00              push 0
:DC9E E80DBF0000        call 00429BB0
Let's have a look at 5BAE4 ....
:0045BAB8 00 00 00 00 00 00 00 00 ........
:0045BAC0 00 00 00 00 00 00 00 00 ........
:0045BAC8 00 00 00 00 00 00 00 00 ........
:0045BAD0 69 78 12 BE D5 E3 5D 3C ix....]<
:0045BAD8 D3 67 D4 81 FA 81 DC 77 .g.....w
:0045BAE0 00 00 83 00 1E 00 02 00 ........
:0045BAE8 08 00 00 00 00 00 00 00 ........
:0045BAF0 00 00 00 00 00 00 00 00 ........
Oh ... 0x1E! So in fact 30 in decimal .... THIRTY! Ok, like 30 days....
That's right: if this word were 0000, the test at DC8F would be false and EAX
would return a NULL value. So I have to change 1E into 00 and that's all.
But the flag at memory location [0045BAE4] could be important for
the rest of the protection scheme! So
let's go for a "brutal" search of the text string "45BAE4"...
The first occurrence is:
:8DC2 8BCA            mov ecx, edx
:8DC4 83E103          and ecx, 00000003
:8DC7 663905E4BA4500  cmp word ptr [0045BAE4], ax    ; Is this test important?
:8DCE F3
:8DCF A4
:8DD0 742B            je 8DFD                        ; No, it displays (DEMO) in the main window
* Possible StringData Ref from Data Obj ->" (Demo)"
:8DD2 BF18C64500      mov edi, 0045C618
:8DD7 83C9FF          or ecx, FFFFFFFF
:8DDA F2
:8DDC F7D1            not ecx
Cool, I shot down the word "demo" in the main window ... I guess that [0045BAE4] means "type of running application": demo (of n days) or not demo... that is the question?
The second occurrence takes place in a part of the program which deals with a RegKey, so [45BAE4] is used to calculate a value written in the registry. If you reinstall CD-REP after 30 days the program can't run, because the date of the first installation is frozen in the registry. So don't worry, it's classical ...
No more occurrences ... I think it's over.
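To make the control flow traced in the Second and Third Steps easier to read than the raw listing, here is the same logic rewritten in C as an added example (this is my illustration, not Prassi's code). It models only what the disassembly shows: the gate on the word at 0045BAE4 inside DC80 (DC83/DC8F/DC91), and the dispatch on the low 16 bits of EAX at 901A..9038. What DC9C and 00429BB0 actually compute is not on the page, so the model takes that result as a parameter named `computed` (an assumption). Function and enum names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Outcome of the dispatch at 9022..9038, one per branch target. */
enum trial_state {
    TRIAL_UNCHECKED,    /* 9022/9025: low word == 0      -> 9080, no date check at all */
    TRIAL_CLOCK_ROLLED, /* 9027/902C: low word == 0xFFFE -> 983E, string resource 269 */
    TRIAL_EXPIRED,      /* 9032/9038: low word == 0xFFFF -> 9835, string resource 78 */
    TRIAL_RUNNING       /* anything else                 -> 903E, string resource 41 */
};

/* Model of DC80. If the word at [0045BAE4] is zero the function bails out
 * with AX=0 before doing any date work (DC83, DC8F, DC91). Otherwise the real
 * code continues at DC9C; its result is not shown on the page, so the caller
 * passes it in as `computed` (assumption made for this example). */
static uint16_t trial_check(uint16_t flag_45bae4, uint16_t computed)
{
    if (flag_45bae4 == 0)
        return 0;           /* xor ax, ax ; ret */
    return computed;        /* whatever DC9C.. produces */
}

/* Model of 9018..9038: the dispatch on EAX returned by DC80. Arithmetic is
 * done on a 32-bit unsigned value exactly as the CPU does it, so the
 * sub/dec sequence wraps instead of going negative. */
static enum trial_state classify(uint32_t eax)
{
    uint32_t v = eax & 0xFFFFu;     /* 901A: and esi, 0000FFFF */
    if (v == 0)                     /* 9022/9025: sub eax,0 ; je 9080 */
        return TRIAL_UNCHECKED;
    v -= 0xFFFEu;                   /* 9027: sub eax, 0000FFFE */
    if (v == 0)                     /* 902C: je 983E */
        return TRIAL_CLOCK_ROLLED;
    v -= 1;                         /* 9032: dec eax */
    if (v == 0)                     /* 9038: je 9835 */
        return TRIAL_EXPIRED;
    return TRIAL_RUNNING;           /* 903E onwards */
}

/* The whole path from 9013 to the LoadStringA call, in one step. */
static enum trial_state trial_state_for(uint16_t flag_45bae4, uint16_t computed)
{
    return classify(trial_check(flag_45bae4, computed));
}

static const char *state_name(enum trial_state s)
{
    switch (s) {
    case TRIAL_UNCHECKED:    return "UNCHECKED (9080, no message box)";
    case TRIAL_CLOCK_ROLLED: return "CLOCK_ROLLED (983E, string 269)";
    case TRIAL_EXPIRED:      return "EXPIRED (9835, string 78)";
    default:                 return "RUNNING (903E, string 41)";
    }
}

int main(void)
{
    /* 0x001E is the value dumped at 0045BAE4 on the page; the `computed`
     * values are constructed to hit each branch, not observed. */
    const uint16_t flag = 0x001E;
    uint16_t codes[] = { 0x0000, 0x000C, 0xFFFE, 0xFFFF };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++)
        printf("flag=%04X computed=%04X -> %s\n", flag, codes[i],
               state_name(trial_state_for(flag, codes[i])));

    /* With the flag zeroed, DC80 never reaches the date code at all. */
    printf("flag=0000 computed=FFFF -> %s\n",
           state_name(trial_state_for(0x0000, 0xFFFF)));
    return 0;
}
```

The model makes the two observations of the article explicit: the entire trial decision hangs on one writable 16-bit word in the data section plus one return value, and only the low word of EAX is ever looked at, so whatever the upper half of EAX contains cannot change the outcome.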
After testing the program (with a few copies in different modes, for example)
you validate your patch and you think it was too easy ... but it is so ... let's
write an article on the Most Stupid Protection.
I would add that CD-REP is a very good soft, better and safer than Easy-CD, and more convenient than DAO. It can be run on Windows 95 and Windows NT (although Dr Watson disagrees). So have fun ... Bye, see you soon for another article of Pipoman (Anyone wondering what "Pipoman" means?... I will tell you...) (c) PipoMan All rights reversed