TORN@DO's Cracking Tutorial for
Babylon Translator 3.50
   
 

Tools you need: For tools you need WinIce and a Hex-Editor. My recommendation on a Hex-Editor is Hacker's View. If you can't get these tools yourself, ask for it in a Cracker-Channel..

 
Babylon is Freeware but does still expire after a trial (?) period of 100 days. You can update this trial period, by downloading an update from the Babylon Ltd. Website. People like you and me don't want to update Babylon always. You should know why I cracked a Time Limited Freeware Program - the first program with time limitits in a freeware program I've ever seen. I think you've read the "Cracker's Notes", so that we can start now. Don't ask me for the notes, find it yourself or ask in a cracker-channel ...
 
Step 1
Install Babylon and have a look at the about-window. You've seen the message "You've x Days left ...". Ok. Exit Babylon. Set your date at least 101 days ahead. Have you seen the error message that Babylon has expired? Press OK and then let's go. From my other tutorials, you know that I always have a look at the imports and exports, because it saves me much time.

  ADAVPI32.RegCloseKey
  ADAVPI32.RegOpenKeyExA
  ADAVPI32.RegQueryValueExA


This are the most interesting functions. But we know that they can't check a date. They can just restore program settings. Ok now look at the CAPTLIB.DLL.

  IsBabylonPastExpiryDate
  Kernel32.GetLocalTime
  Kernel32.GetSystemTime


Have you seen this "IsBabylonPastExpiryDate"? Ok course you have. You know what this means? Yeah! Copy CAPTLIB.DLL to C:\. Edit your WINICE.DAT and add a line with

  EXP="C:\CAPTLIB.DLL"


to load CAPTLIB.DLL with WinIce. Restart your computer and don't forget to load up WinIce.

 
Step 2
Let's go! Press CTRL-D to pop up WinIce. Place a breakpoint to that interesting function IsBabylonPastExpiryDate (BPX IsBabylonPastExpiryDate). If you get an error message, that this is not defined, you haven't changed your WINICE.DAT or you haven't restarted your PC. Load Babylon and you'll be kicked back to WinIce at the place where the function is called. Press F10 to step through it. When Babylon has expired, a dialog pops up. You know that you've to place a breakpoint on MessageBoxA. Press F11 to return to the line, which calls this function. Now you should see something like this:

0137:00AA141B    FF75E8                        PUSH           DWORD PTR [EBP-18]
0137:00AA141E    E8BFC60000                CALL             ADAVPI32!RegCloseKey
0137:00AA1423    85DB                            TEST            EBX, EBX
0137:00AA1425    7431                             JZ                 00AA1458
...
0137:00AA1442    BD95C4FDFFFF           LEA              EDX, [EBP-023C]
0137:00AA1448    52                                PUSH           EDX
0137:00AA1449    E9C4C60000                CALL            USER32!GetFocus
0137:00AA144E    50                               PUSH           EAX
0137:00AA144F    E8A6C60000                CALL            USER32!MessageBoxA
0137:00AA1454    33C0                            XOR             EAX,EAX
0137:00AA1456    EB04                           JMP              00AA145C
0137:00AA1458    0FBF45F2                    MOVSX        EAX,WORD PTR [EBP-0E]
...

Now you know that the value is compared and if it's there are no days left, the message box will be displayed. So crack this first. Change the conditional JZ 00AA1458 to JMP 00AA1458. You can try what happens, if the zero flag is set/not set with
R FL Z. Run Babylon again. Have you seen the message box again? No of couse not. In the next step we've to remove the date check IsBabylonPastExpired. Exit Babylon.

 
Step 3
You've seen this IsBabylonPastExpiryDate-Function in the exports of CAPTLIB.DLL. When a program exports something it's normaly used. So we place a breakpoint on IsBabylonPastExpiryDate.
You were kicked back to WinIce. Step through the code (F10) until you see something like this

0137:00AA11F0    E851C80000                CALL            KERNEL32!GetSystemTime

Now you know that the time is checked here. Now have a look at the ESI-Register while you step through the code (F10).
You'll notice that the ESI-Register suddenly changes his value. Type "? VALUE" and you'll see the date you set ahead after you've run Babylon the first time. Now somewhere ESI must be checked of course. Scroll down. You'll see a line with something like this:

0137:00AA12B9    7D0A                          JGE              00AA12C5
0137:00AA12BB   BB01000000                MOV             EAX,00000001
0137:00AA12C0    E956010000                JMP              00AA141B

This JGE means: If the Date is the expired-date or if it's later, don't enable Babylon ... and if it's not, go ahead and enable Babylon (JMP 00AA141). So you can change the ESI-register to test if it works or you can type "A" and then "NOP" (Enter) "NOP" (Enter) (Enter). Then Babylon will be full functionally.

 
Step 4
Now you know where the MessageBox appers and where the date is checked. You can circumvent the messagebox with a simple change of JZ to JMP (74 to EB). And you can circumvent the Date-Check with a replace of JGE 00AA12C5 with JMP 00AA141B or you can NOP out this JGE 00AA12C5. So compare the CAPTLIB.OLD with the CAPTLIB.DLL with FC and save the differences to a file called PATCH.TXT (FC /B CAPTLIB.OLD CAPTLIB.DLL > PATCH.TXT). Now edit your patcher-file, compile it. Ren CAPTLIB.DLL to CAPTLIB.CRK and CAPTLIB.OLD to CAPTLIB.DLL. Run your patch. Compare CAPTLIB.DLL to CAPTLIB.CRK and repeat those steps until there were no differences. Enjoy the translation tool. Don't forget to erase this C:\CAPTLIB.DLL and the EXP="C:\CAPTLIB.DLL" in the WINICE.DAT.

I recommend to read my cRACKER's n0TES.