Cracking Tutorial for PageMill 3.0
 
 

Before we start, please read the Disclaimer section of this essay!
Coders from PageMill, see the note addressed to you at the end of this essay!

Target Program: PageMill 3.0
Description: PageMill 3.0 combines advanced features for web content creation with powerful site management capabilities, allowing you to manage your Web links, search-and-replace across your site, and more, all in an intuitive environment.
Location: http://www.adobe.com
If you prefer an FTP search, look for PML3TRYO.EXE (13623796 bytes).
Protection: Time Limited / NAG
Tools needed: - SoftICE 3.24
  - Hacker's View
Ob duh: Do I really have to remind you all that BUYING and NOT stealing the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems.
 
If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks, etc.
Level: (X)Beginner ( )Intermediate ( )Advanced ( )Expert

The first step after I installed PageMill was reading the README.DOC. You can often find the limitations of a trial version, etc., in such a readme file. I read the following, which is interesting for reverse engineering PageMill:
 
"Adobe is providing this Try-Out version of PageMill 3.0 so that you can evaluate it to create fully functional Web pages. This try-out version of Adobe PageMill 3.0 is fully functional, but will expire 15 days after it has been installed."
 
So PageMill's main protection is its 15-day time limit. Now we know enough to start our cracking session:
After you've started PageMill, you'll notice that no NAG or the like is displayed. So we just have to crack the time limit. Exit PageMill now. What's that? A damn exit NAG gets displayed - argh.
This NAG tells us when our version of PageMill will expire and where we SHOULD ORDER it if we're using it beyond its free trial period. The NAG looks very much like a standard message box, so a breakpoint on MessageBoxA should work in this case. Set a BPX on MessageBoxA, then restart & exit PageMill. When SoftICE pops up in MessageBoxA, press F11 (run until the caller's return address) and click the OK button of the NAG; SoftICE will then display something like the following code snippet:
 
   :5F416F02  FF15B4F74C5F        CALL    [USER32!MessageBoxA]
   :5F416F08  891E                MOV     [ESI],EBX
   :5F416F0A  837DFC00            CMP     DWORD PTR [EBP-04],00
   :5F416F0E  89450C              MOV     [EBP+0C],EAX
   :5F416F11  0F85FA9A0000        JNZ     5F420A11
   :5F416F17  6A01                PUSH    01
   :5F416F19  8BCF                MOV     ECX,EDI
   :5F416F1B  E85EC1FEFF          CALL    5F40307E
   :5F416F20  8B450C              MOV     EAX,[EBP+0C]
   :5F416F23  5F                  POP     EDI
   :5F416F24  5E                  POP     ESI
   :5F416F25  5B                  POP     EBX
   :5F416F26  C9                  LEAVE
   :5F416F27  C20C00              RET     000C

Since SoftICE tells us that this code snippet is located in MFC42.DLL, a shared library used by every program built with MFC, we can't patch it there: a patch in the DLL would hit every MFC program and would not be part of PageMill itself. We have to let the RET instruction execute (F12 in SoftICE). Then we land at the call site in PM3TRYOUT.EXE, where we can patch the code:

   :004A15A2  E865DD0600          CALL    0050F30C
   :004A15A7  834DFCFF            OR      DWORD PTR [EBP-04],-01
   :004A15AB  8D4D08              LEA     ECX,[EBP+08]
   :004A15AE  8BF0                MOV     ESI,EAX
   :004A15B0  E819D90600          CALL    0050EECE
   :004A15B5  8B4DF4              MOV     ECX,[EBP-0C]
   :004A15B8  8BC6                MOV     EAX,ESI
   :004A15BA  5F                  POP     EDI
   :004A15BB  64890D00000000      MOV     FS:[00000000],ECX
   :004A15C2  5E                  POP     ESI
   :004A15C3  C9                  LEAVE
   :004A15C4  C20C00              RET     000C

Now set a BPX at 4A15A2, disable the MessageBoxA breakpoint and restart & exit PageMill. When SoftICE pops up, do a ? ESP, then press F10 to step over that CALL 50F30C, and do a ? ESP again. The difference is 12 decimal, which is 0C hex: the callee pops its three DWORD arguments itself (you saw the RET 000C at the end of the MFC code above), so if we remove the CALL we have to remove those 12 bytes from the stack ourselves, or ESP is off by 12 at the LEAVE/RET that follows. We can therefore replace the 5-byte CALL 50F30C with ADD ESP,0C (3 bytes) followed by two NOPs, and no NAG will appear when we exit PageMill. We don't bother setting EAX, which the next instructions copy into ESI; since the program exits cleanly with this patch, nothing depends on that value. To make this permanent, hex edit PM3TRYOUT.EXE with Hacker's View. Search for (and make sure the pattern occurs only once in the file)
 
     E865DD0600
 
and replace it with
 
     83C40C9090
 
 
After we've removed the NAG, we have to focus on removing the time limit. Set your system clock at least one month ahead, set a BPX on GetLocalTime and restart PageMill. SoftICE will pop up about four times. Press F11 and CTRL-D each time until you're in MSVCRT.DLL, i.e. until the call comes from the C runtime's time functions rather than from some system DLL. Now clear the GetLocalTime breakpoint and press F12 to return to the caller. You'll be faced with something like the following code snippet in PM3TRYOUT.EXE:

   :004ECCEC  A1ACE85A00          MOV     EAX,[005AE8AC]
   :004ECCF1  59                  POP     ECX
   :004ECCF2  8D8880C61300        LEA     ECX,[EAX+0013C680]
   :004ECCF8  394DDC              CMP     [EBP-24], ECX
   :004ECCFB  7F05                JG      004ECD02
   :004ECCFD  3945DC              CMP     [EBP-24], EAX
   :004ECD00  7D07                JGE     004ECD09
   :004ECD02  C745EC01000000      MOV     DWORD PTR [EBP-14],00000001

This snippet compares the current time (a time_t in [EBP-24]) with the installation time stored at [005AE8AC]: 13C680h is 1296000 decimal, exactly 15 * 86400 seconds, i.e. the 15 days from the README. If the current time is later than the installation time plus 15 days (JG at 4ECCFB), or earlier than the installation time itself (the JGE at 4ECD00 is not taken, i.e. the clock was turned back to before the installation), a DWORD at [EBP-14] is set to 1. If you trace forward through the code, you'll come across the following code snippet:

   :004ECD09  685CD85A00          PUSH    005AD85C
   :004ECD0E  8D4DBC              LEA     ECX,[EBP-44]
   :004ECD11  E866220200          CALL    0050EF7C
   :004ECD16  50                  PUSH    EAX
   :004ECD17  8D45E8              LEA     EAX,[EBP-18]
   :004ECD1A  682CCC5A00          PUSH    005ACC2C
   :004ECD1F  50                  PUSH    EAX
   :004ECD20  897DFC              MOV     [EBP-04],EDI
   :004ECD23  E8DE250200          CALL    0050F306
   :004ECD28  8D4DBC              LEA     ECX,[EBP-44]
   :004ECD2B  C645FC02            MOV     BYTE PTR [EBP-04],02
   :004ECD2F  E89A210200          CALL    0050EECE
   :004ECD34  8B3D50005400        MOV     EDI,[ADVAPI32!RegOpenKeyA]
   :004ECD3A  8D45C0              LEA     EAX,[EBP-40]
   :004ECD3D  50                  PUSH    EAX
   :004ECD3E  BB00000080          MOV     EBX,80000000
   :004ECD43  FF75E8              PUSH    DWORD PTR [EBP-18]
   :004ECD46  53                  PUSH    EBX
   :004ECD47  FFD7                CALL    EDI
   :004ECD49  85C0                TEST    EAX,EAX
   :004ECD4B  7507                JNZ     004ECD54
   :004ECD4D  C745EC01000000      MOV     DWORD PTR [EBP-14],00000001
   :004ECD54  FF75C0              PUSH    DWORD PTR [EBP-40]
   :004ECD57  FF154C005400        CALL    [ADVAPI32!RegCloseKey]
   :004ECD5D  837DEC01            CMP     DWORD PTR [EBP-14],01
   :004ECD61  0F85F3000000        JNZ     004ECE5A
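Written out in Python, the decision the two snippets above make looks like this. This is an added reconstruction for illustration, not code from PageMill or from the original essay; the argument names are my own, and since neither the registry key's name nor the moment it gets written is visible in the listing, its presence is simply passed in as a boolean.

```python
# 13C680h = 1296000 = 15 * 24 * 60 * 60: the trial length in seconds,
# taken from the LEA ECX,[EAX+0013C680] at 4ECCF2.
TRIAL_SECONDS = 0x13C680
SECONDS_PER_DAY = 24 * 60 * 60


def trial_expired(now, install_time, marker_key_present):
    """Reconstruction of the expired-flag logic at 4ECCEC..4ECD5D.

    now                -- current time as a 32-bit time_t (what the program
                          keeps in [EBP-24])
    install_time       -- the stored installation time_t ([005AE8AC])
    marker_key_present -- True if RegOpenKeyA on the marker key under
                          HKEY_CLASSES_ROOT (80000000h) returned ERROR_SUCCESS
    Returns the value that ends up in the flag at [EBP-14].
    """
    flag = 0
    # CMP [EBP-24],ECX / JG 4ECD02: later than installation + 15 days.
    # The comparisons are signed (JG/JGE), as time_t is a signed 32-bit value.
    if now > install_time + TRIAL_SECONDS:
        flag = 1
    # CMP [EBP-24],EAX / JGE 4ECD09 not taken: earlier than the installation
    # time itself, i.e. the clock was turned back before the install date.
    elif now < install_time:
        flag = 1
    # TEST EAX,EAX / JNZ 4ECD54 after RegOpenKeyA: EAX == 0 means the key
    # could be opened, and that alone is treated as "already expired".
    if marker_key_present:
        flag = 1
    return flag


if __name__ == "__main__":
    install = 900000000  # constructed sample installation time_t
    for label, t in [("day 10", install + 10 * SECONDS_PER_DAY),
                     ("day 16", install + 16 * SECONDS_PER_DAY),
                     ("clock turned back", install - SECONDS_PER_DAY)]:
        print(label, trial_expired(t, install, False))
    print("marker key present", trial_expired(install + 1, install, True))
```

Note that the check is two-sided: turning the clock back to before the installation date trips the flag just like running past the 15 days, and the registry marker makes the flag independent of the date altogether.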

Have you noticed the 'flag' stored at [EBP-14]? This is the expired flag. If it's true (1), PageMill has expired; if it's false (0), it hasn't. That's all the info you need to crack the complete time limit.
The flag is set at two locations. The first is 4ECD02, reached from the date comparison above when the trial period has expired (or the clock has been turned back). The second is 4ECD4D: the code at 4ECD34-4ECD47 calls RegOpenKeyA with hKey 80000000, i.e. HKEY_CLASSES_ROOT, on a key name it has just built; if the open succeeds, EAX is 0 (ERROR_SUCCESS), the JNZ at 4ECD4B is not taken and the flag is set as well. So the mere existence of that registry key marks the program as expired, presumably so that reinstalling doesn't reset the trial.
The final check of whether you're still in the trial period is made at 4ECD5D. If PageMill hasn't expired, the JNZ at 4ECD61 jumps to 4ECE5A. So what can we do? If we make that JNZ unconditional (change it to a JMP), PageMill will run whether it has expired or not. Note that JNZ rel32 (0F 85 + displacement) is six bytes but JMP rel32 (E9 + displacement) is only five, and the displacement is taken from the end of the instruction, so it grows from F3 to F4 and the spare sixth byte becomes a NOP (90). The trailing 68 in the pattern is the opcode of the PUSH that follows at 4ECD67, included to make the pattern unique. To make a permanent crack, hex edit PM3TRYOUT.EXE with Hacker's View. Search for
 
     0F85F300000068
 
and replace it with
 
     E9F40000009068
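The two patches in this essay (the CALL at 4A15A2 replaced by ADD ESP,0C / NOP / NOP, and the JNZ at 4ECD61 turned into JMP / NOP) both come down to encoding arithmetic that a hex editor like Hacker's View leaves to you. The following Python script is an added example, not part of the original essay and not Adobe code: it resolves rel32 branch targets, derives both replacements from the original bytes instead of typing them by hand, and applies them with the two checks a careless hex edit skips, namely that the pattern is unique and that the replacement has the same length. The "image" it patches is a constructed byte string containing only the bytes from the listings above, not the real PM3TRYOUT.EXE; to use it on the file, read the file into `image` instead.

```python
import struct

NOP = b"\x90"


def rel32_target(insn_addr, insn):
    """Resolve the target of a CALL rel32 (E8), JMP rel32 (E9) or
    Jcc rel32 (0F 80..8F) located at insn_addr.

    The displacement is relative to the *next* instruction, so the opcode
    length matters: 1 byte for E8/E9, 2 bytes for 0F 8x, plus 4 for the
    displacement itself.
    """
    if insn[0] in (0xE8, 0xE9):
        opclen = 1
    elif insn[0] == 0x0F and 0x80 <= insn[1] <= 0x8F:
        opclen = 2
    else:
        raise ValueError("not a rel32 branch: %s" % insn.hex())
    disp = struct.unpack_from("<i", insn, opclen)[0]
    return (insn_addr + opclen + 4 + disp) & 0xFFFFFFFF


def jcc_to_jmp(insn_addr, insn):
    """Rewrite a 6-byte Jcc rel32 as an unconditional JMP rel32 + NOP that
    lands on the same target.  JMP rel32 is one byte shorter, so the
    displacement grows by one (F3h -> F4h for the JNZ at 4ECD61)."""
    if len(insn) != 6 or insn[0] != 0x0F:
        raise ValueError("expected a 6-byte Jcc rel32")
    target = rel32_target(insn_addr, insn)
    disp = target - (insn_addr + 5)  # relative to the end of the 5-byte JMP
    return b"\xE9" + struct.pack("<i", disp) + NOP


def call_to_stack_fixup(insn, ret_imm):
    """Replace a 5-byte CALL rel32 whose callee ends in RET imm16 (i.e. pops
    its own arguments) with ADD ESP,imm8 + two NOPs, so ESP stays balanced
    once the call is gone.  ret_imm is the imm16 of that RET (0C for the
    MFC function above)."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("expected a 5-byte CALL rel32")
    if not 0 <= ret_imm < 0x80:
        raise ValueError("ADD ESP,imm8 only covers 0..7Fh")
    return b"\x83\xC4" + bytes([ret_imm]) + NOP * 2


def patch_unique(image, find, replace):
    """Search-and-replace with the two checks a hex editor leaves to you:
    the pattern must occur exactly once, and the replacement must be the
    same length so that nothing after it shifts."""
    if len(find) != len(replace):
        raise ValueError("replacement must have the same length as the pattern")
    first = image.find(find)
    if first < 0:
        raise ValueError("pattern not found")
    if image.find(find, first + 1) >= 0:
        raise ValueError("pattern is not unique; lengthen it")
    return image[:first] + replace + image[first + len(find):]


# Constructed stand-in for the two relevant regions of PM3TRYOUT.EXE, made
# from the bytes shown in the disassembly above (this is NOT the real file).
NAG_CALL = bytes.fromhex("E865DD0600")       # 4A15A2: CALL 0050F30C
NAG_NEXT = bytes.fromhex("834DFCFF")         # 4A15A7: OR DWORD PTR [EBP-04],-01
EXPIRED_JNZ = bytes.fromhex("0F85F3000000")  # 4ECD61: JNZ 004ECE5A
EXPIRED_NEXT = bytes.fromhex("68")           # 4ECD67: PUSH ..., makes the pattern unique
FAKE_IMAGE = NAG_CALL + NAG_NEXT + b"\xCC" * 16 + EXPIRED_JNZ + EXPIRED_NEXT


def apply_patches(image):
    """Apply both patches from the essay and return the patched image."""
    image = patch_unique(image, NAG_CALL,
                         call_to_stack_fixup(NAG_CALL, 0x0C))
    image = patch_unique(image, EXPIRED_JNZ + EXPIRED_NEXT,
                         jcc_to_jmp(0x4ECD61, EXPIRED_JNZ) + EXPIRED_NEXT)
    return image


if __name__ == "__main__":
    assert rel32_target(0x4A15A2, NAG_CALL) == 0x50F30C
    assert rel32_target(0x4ECD61, EXPIRED_JNZ) == 0x4ECE5A
    print(apply_patches(FAKE_IMAGE).hex())
```

Deriving the JMP from the JNZ's own displacement, rather than copying F4 from a table, is what protects you when the same trick is applied to a branch whose target is not a short hop forward (a backward branch yields a negative displacement, which struct.pack handles); the same helper also confirms that E8 65DD0600 at 4A15A2 really does call 50F30C and that 0F85 F3000000 at 4ECD61 really does jump to 4ECE5A, which is a cheap sanity check before writing into the file.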
 
... another target program has been reverse engineered. Do you have any questions?

 

 
If you're USING PageMill BEYOND it's FREE TRIAL PERIOD, then please BUY IT.


Coders from PageMill: I don't think it's that clever to test a flag only once to decide whether PageMill may still run. You should at least test that flag twice. I would also erase some important files, so that it's *not* possible to restore the trial period.

Disclaimer: This essay is for EDUCATIONAL purposes only, if you wish to use the program/game then please BUY IT.
   

Info: Brand and product names are trademarks or registered trademarks of their respective holders.


Copyright © 1998 by TORN@DO and The Immortal Descendants. All Rights Reserved.