( 'Was trial ? Now it's fully functioning' )
Win Code Reversing

Program Name: spector_eval.exe
Program Type: Screen recorder
Program Location: Here
Program Size: 1.15mb

Tools Used:
Softice V3.23 - Win'95 Debugger
W32Dasm V8.93 - Win'95 Disassembler

The author of Spector v2 says :
"Spector is the first automatic screen recording software designed for consumers and corporations. Spector records PC and Internet activity, much like a camcorder, and lets you play back the recorded information. Spector records all applications loaded, all web sites visited, all chat conversations, and all incoming and outgoing e-mail activity. You see what THEY see."
The only way to register this tool is to connect online to the author's website; you will then receive by e-mail the URL for downloading the registered version. The author tells us that this trial version does not count the days, but it lets you use it for up to 1000 screen recordings. With this information in our heads, it's time to start work on it...
Since we don't have any registration screen to type our details into, the best thing to do is to create a dead list. I use W32Dasm. Once that is done, we go to the "String Data References" to see if there is any string that can help us... Can you see this: "Your Trial version of Spector will expire in %d days. Pleas"
Hey, what's this?? We know that it "....does not count the days, but it lets you use it for up to 1000 screen recordings." Anyway, double-clicking on the string will take you to this part of the asm code :
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040877D(C)
|
:00408791 A1603F4600   mov eax, dword ptr [00463F60]
:00408796 85C0         test eax, eax                    ; eax = 0 ?
:00408798 741D         je 004087B7                      ; jump if eax = 0
:0040879A 8B15803F4600 mov edx, dword ptr [00463F80]
:004087A0 8D8398000000 lea eax, dword ptr [ebx+00000098]
:004087A6 52           push edx
* Possible Reference to String Resource ID=00170: "Your Trial version of Spector will expire in %d days. Pleas"
|
:004087A7 68AA000000   push 000000AA
:004087AC 50           push eax
:004087AD E8D6250200   call 0042AD88
:004087B2 83C40C       add esp, 0000000C
:004087B5 EB42         jmp 004087F9                     ; jump to beggar off message
From looking at the above code, we can tell that if we have used up all our 1000 screen recordings, EAX at location 408796 will not hold the value '0', and we will get the 'expire' message. We can assume that we haven't used them all yet, so we want to check what happens when we jump to location 004087B7.
The message that informs us how many screens are left is shown in the Help/About screen. Run Spector and click on Help. Before you click on About, fire up Softice by pressing 'Ctrl+D'. Type 'bpx setwindowtexta'; this should break in before the About screen pops up. Type 'X' to leave, and click on the About option. Softice breaks; press 'F11' once and we are in Spector's code. Now we want to set a new bp, so clear all bpx's with 'bc *', and type 'bpx 408791'. Type 'x' and we break again here :
:00408791 A1603F4600   mov eax, dword ptr [00463F60]    ; we land here !
:00408796 85C0         test eax, eax                    ; eax = 0 ?
:00408798 741D         je 004087B7                      ; we jump here !!
Press 'F10' 3 times, and we jump to this code :
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408798(C)
|
:004087B7 8DB398000000 lea esi, dword ptr [ebx+00000098]
:004087BD 68AC000000   push 000000AC
:004087C2 8BCE         mov ecx, esi
:004087C4 E8FE910200   call 004319C7
:004087C9 E8AC330000   Call 0040BB7A                    ; check windows used (eax)
:004087CE B9E8030000   mov ecx, 000003E8                ; ecx = 1000 !!!
:004087D3 2BC8         sub ecx, eax                     ; ecx = ecx - windows used
:004087D5 85C9         test ecx, ecx                    ; ecx = 0 ?
:004087D7 7E20         jle 004087F9                     ; jump if ecx = 0
:004087D9 51           push ecx
:004087DA 8D4C240C     lea ecx, dword ptr [esp+0C]
:004087DE 6828054600   push 00460528
:004087E3 51           push ecx
Can you see what the code above does? We see how this protection routine is calculating how many screens are left for us to use. If we still have window recordings to use, we don't jump, and we get a message in the About window. So, if we don't want it to show this, we need to force the jump to take place. To do it, keep pressing 'F10' until you land on location 004087D7, and then type in 'r fl z' to change the zero flag; now the jump will be executed. Type 'x' and we get the About screen, but this time without the 'windows left'. We found the right place, but we still have the 'Register' button enabled.
Go again into the Help/About menu, but now, when Softice breaks, clear the bp with 'bc *', keep going without changing the jle 004087F9, and keep pressing 'F10' 19 times; you'll be back at the location where we have the 'call' to all the checks :
:00430398 85C0         test eax, eax                    ; eax = 0 ? registered version ??
:0043039A 59           pop ecx
:0043039B 740C         je 004303A9                      ; jump if eax = 0 (ignore checks)
:0043039D 8B10         mov edx, dword ptr [eax]
:0043039F 8BC8         mov ecx, eax
:004303A1 FF92BC000000 call dword ptr [edx+000000BC]    ; all checks !!!
:004303A7 EB07         jmp 004303B0                     ; we land here from 'ret' !!!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043039B(C)
|
:004303A9 6A01         push 00000001
:004303AB 58           pop eax
:004303AC EB02         jmp 004303B0
We can see that if we jump at :0043039B 740C je 004303A9, the 'call' that follows will not be executed !! We can check it this way: type 'bpx 0043039B', type 'x' and Help/About again. When SI breaks, type 'r fl z' and press 'x'.
WOW, we now have the About screen without the 'windows left' counting and without the button for 'Register' !!
But a few days later, when I was ready to check the program for the last time before removing it from my hard drive, I got this: "The maximum recording time has been reached..." So now I was sure that there was another check that I had missed. I decided to go to the dead list to look for something like a check whether any register is equal to 1000. Just to remind you, number values will usually be in HEX, so 1000 decimal will be 3E8 in hex. Hey, we had this a few lines above :
* Reference To: SHMSWNRC.?ShGetFrames@@YAKXZ, Ord:0002h    ; get frames ???
|
:004087C9 E8AC330000   Call 0040BB7A                    ; check windows used. returns with eax = windows used
:004087CE B9E8030000   mov ecx, 000003E8                ; ecx = 1000 !!!
:004087D3 2BC8         sub ecx, eax                     ; ecx = ecx - windows used
:004087D5 85C9         test ecx, ecx                    ; ecx = 0 ? no more ?
:004087D7 7E20         jle 004087F9                     ; jump if ecx = 0
The best idea is to set a bpx here :
:004087C9 Call 0040BB7A
When you do it, press 'F8', and we land in SHMSWNRC code; you can see this: shmswnrc!.text+4c74 at the top of the data window. Well, search for this file on your computer; in c:\windows\system you'll find shmswnrc.dll. Create a dead list of it and we will look in "String Data References" for the good stuff. The one that I liked was this one, which looks like an entry in the registry file :
* Possible StringData Ref from Data Obj ->"SOFTWARE\Classes\CLSID\{23DD4C01-A3D6-11d2-BA8C-444553540000}"
|
:10035D0C 68C8E20310     push 1003E2C8
:10035D11 6802000080     push 80000002
* Reference To: ADVAPI32.RegCreateKeyExA, Ord:015Fh
|
:10035D16 FF150CB00310   Call dword ptr [1003B00C]
:10035D1C 85C0           test eax, eax
:10035D1E 7536           jne 10035D56
:10035D20 C745F404000000 mov [ebp-0C], 00000004
:10035D27 C745F004000000 mov [ebp-10], 00000004
:10035D2E 8B55F0         mov edx, dword ptr [ebp-10]
:10035D31 52             push edx
:10035D32 6824000410     push 10040024
:10035D37 8B45F4         mov eax, dword ptr [ebp-0C]
:10035D3A 50             push eax
:10035D3B 6A00           push 00000000
* Possible StringData Ref from Data Obj ->"OLERange"
|
:10035D3D 6808E30310     push 1003E308
:10035D42 8B4DF8         mov ecx, dword ptr [ebp-08]
:10035D45 51             push ecx
* Reference To: ADVAPI32.RegSetValueExA, Ord:0186h
|
:10035D46 FF1500B00310   Call dword ptr [1003B000]
:10035D4C 8B55F8         mov edx, dword ptr [ebp-08]
:10035D4F 52             push edx
We can see that the program creates an entry in the registry, named:
SOFTWARE\Classes\CLSID\{23DD4C01-A3D6-11d2-BA8C-444553540000}
Then it creates OLERange; this will be the dword that holds the value of how many screens we have used, and it updates it through the function RegSetValueExA. So, if we force the program not to get there, it will not update the number of screens we have already used, and we never reach the 1000 screens !!!
This can be done in this way :
* Reference To: ADVAPI32.RegCreateKeyExA, Ord:015Fh
|
:10035D16 FF150CB00310   Call dword ptr [1003B00C]
:10035D1C 85C0           test eax, eax
:10035D1E 7536           jne 10035D56                   ; change it to jmp !!
Remember to create a backup of the dll file before you do the patch, just in case something goes wrong !!!
* If you have already reached the 1000 screens by now, go to the registry and change it to a number less than that....
:)
Load up Spector.exe into your Hex-Editor (I use HexWorkshop-32).
SEARCH FOR THE FOLLOWING BYTES : 85C059740C8B10
REPLACE WITH : 85C059EB0C8B10
Load up shmswnrc.dll into your Hex-Editor.
SEARCH FOR THE FOLLOWING BYTES : B0031085C07536C7
REPLACE WITH : B00310EBC07536C7
Don't forget it needs to be in c:\windows\system !!!
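Seen from the vendor's or administrator's side, the two byte sequences above are exactly what an integrity check should look for. As an added example (not code from the original essay or from Spector), the block below audits a code image for those two sites, reports whether each still holds its original conditional branch or has been altered, and recomputes the short-branch targets W32Dasm printed in the listings. SAMPLE_IMAGE is a constructed stand-in, not bytes from spector_eval.exe or shmswnrc.dll, and the function names are my own.

```python
# Added example (not from the original essay): integrity audit of the two branch
# sites the essay patches, plus a helper recomputing W32Dasm's short-branch targets.
# SAMPLE_IMAGE is a constructed stand-in, not bytes from spector_eval.exe or shmswnrc.dll.

# x86 short-branch (rel8) opcodes that appear in the essay's listings.
SHORT_BRANCH = {0x74: "je", 0x75: "jne", 0x7E: "jle", 0xEB: "jmp"}

# Original byte sequences around the two patched branches, as the essay lists them.
SITES = {
    "spector_eval.exe je 004303A9": bytes.fromhex("85C059740C8B10"),
    "shmswnrc.dll jne 10035D56": bytes.fromhex("B0031085C07536C7"),
}

def opname(b):
    return SHORT_BRANCH.get(b, f"0x{b:02X}")

def branch_target(addr, insn):
    """Target of a 2-byte short branch at addr: next instruction + signed rel8."""
    disp = insn[1] - 256 if insn[1] > 127 else insn[1]
    return addr + 2 + disp

def classify_site(image, expected, anchor_len=3):
    """('intact', off, []) if expected is present; ('patched', off, diffs) if only the
    first anchor_len bytes are found; ('missing', -1, []) otherwise."""
    off = image.find(expected)
    if off >= 0:
        return "intact", off, []
    off = image.find(expected[:anchor_len])
    if off < 0 or off + len(expected) > len(image):
        return "missing", -1, []
    region = image[off:off + len(expected)]
    diffs = [(i, expected[i], region[i]) for i in range(len(expected)) if region[i] != expected[i]]
    return "patched", off, diffs

def audit(image):
    """Map each documented site to (status, offset, note); the note names the opcode change."""
    report = {}
    for name, expected in SITES.items():
        status, off, diffs = classify_site(image, expected)
        note = "; ".join(f"byte {i}: {opname(e)} -> {opname(a)}" for i, e, a in diffs)
        report[name] = (status, off, note)
    return report

# Constructed sample: filler, the exe site after the essay's je->jmp patch,
# more filler, then the dll site left untouched.
SAMPLE_IMAGE = (b"\x90" * 16 + bytes.fromhex("85C059EB0C8B10") + b"\xCC" * 8
                + bytes.fromhex("B0031085C07536C7") + b"\x90" * 4)

if __name__ == "__main__":
    print(audit(SAMPLE_IMAGE))
```

Run against a real file, `audit(open(path, "rb").read())` reports the exe site as patched (byte 3: je -> jmp) and the dll site as intact for the sample above; a "missing" result means the anchor bytes were not found at all and the build differs from the one the essay describes.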
REMEMBER, I'm doing my cracks as a hobby and challenge, so please, if you like this utility and want to keep using it, support the author and pay for it.
You can protect Spector from being used by others with a password; here is a short tutorial that cupofcoffe wrote about how to bypass this password, thanks cupofcoffe :).
In this essay, I showed 2 ways to crack a Trial Version so that it works like a fully functional version. The first one was how to stop it showing the [Trial Version] and counting the screens left. The second one was how to stop it updating the registry; this one is good for most 'time limited' versions as well.
My thanks and gratitude goes to:-
The Sandman for all what he is doing for us, newbies.
Rhayader for helping me with Reverse Code Engineering and useful tips