Target Program: FireWorks 2

Description: FireWorks creates the smallest, highest-quality JPEG and GIF graphics in the fewest number of steps. It is a total solution for creating and producing web graphics. Fireworks simplifies and streamlines the process of making web and screen graphics, while providing the ultimate in flexibility and editability. FireWorks also makes it easy to minimize file size without sacrificing quality, which results in faster web sites and higher satisfaction among web site visitors.

Location: http://www.macromedia.com

Protection: Time Limit / NAG (SalesAgent)

Tools needed:
- SoftICE 3.24
- lcc Win32 c-compiler

Ob duh: Do I really have to remind you all that by BUYING and NOT stealing the software you use will ensure that these software houses will continue to produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems. BTW, it's illegal to use cracked software! If you're looking for cracks or serial numbers from these pages then you're wasting your time, try to search elsewhere on the Web under Warez, Cracks, etc.

Info: Brand and product names are trademarks or registered trademarks of their respective holders.

Level: (X)Beginner (X)Intermediate ( )Advanced ( )Expert

More and more programs are using SalesAgent as their protection. Programs that have been protected with SalesAgent have been packed, and there is a loader (also known as an unpacker). If you modify anything within the EXE file of this loader, SalesAgent crashes. I will circumvent the crash by using a PROCESS PATCHER!

Well, first of all we need to start the program. So do this now. As you can see, a screen like the one for VBox pops up. Now you have three choices: BUY - TRY - ORDER. If you press on BUY nothing real happens. So we can assume that there's no way to register this program. This dialog box seems to be an advanced one, so a BPX DialogBoxParamA will work. Exit FireWorks and restart it. SoftICE will pop up. This is at the DialogBoxParamA function. Press F10 to step over this CALL. Now the TRIAL SCREEN pops up. Press on TRY. SoftICE will pop up and after you've pressed F12 the following code snippet will be displayed:

:00408C53 E8E8D1FFFF      CALL 00405E40                  ; check time limit and display NAG
:00408C58 83F8FF          CMP EAX,-01
:00408C5B 55              PUSH EBP
:00408C5C 750B            JNZ 00408C69
:00408C5E FF154C924200    CALL [USER32!PostQuitMessage]
:00408C64 E981000000      JMP 00408CEA
:00408C69 8B7C2418        MOV EDI,[ESP+18]
:00408C6D 57              PUSH EDI
:00408C6E FF1534924200    CALL [USER32!ShowWindow]
:00408C74 57              PUSH EDI
:00408C75 FF153C924200    CALL [USER32!UpdateWindow]
:00408C7B 55              PUSH EBP
:00408C7C 55              PUSH EBP
:00408C7D 68208D4000      PUSH 00408D20
:00408C82 E8557F0100      CALL 00420BDC

Now we can circumvent the time limit by just changing the JNZ instruction at 408C5C to a JMP instruction, right? No! If your time limit has expired, the program will quit before returning from that CALL. However, we can bypass the NAG and time limit by just changing one instruction. If you don't know why, think again ... then read on!

If we change the CALL 405E40 at 408C53, where the NAG is generated, into JMP 408C69 then we will bypass the NAG and also the time limit check. Now we know that the memory address of our patch is 408C53 and that we want to execute JMP 408C69 there! So exit and restart FireWorks. At 408C53, do the following:

    A <ENTER>
    JMP <408C69>
    <ENTER>

Now SoftICE displays EB14 as the code ... so we know everything for our PROCESS PATCHER, don't we?

I'm almost sure that you will remember the thing with the CRC check I told you about at the beginning of this essay. Well, it has a CRC check - but we can still overwrite the code in memory (we could also use Victor Porguen's technique, but this essay is for Newbies!!). This sounds as if we can use a PROCESS PATCHER! If you have enough free time, code your own process patcher - otherwise use the one Gi0 coded and change it.

// * ================================================================== *
// * MANY THANKS TO Gi0 FOR RELEASING HIS PROCESS PATCHER SOURCE CODE!! *
// * IT SAVED ME THE TIME FOR CODING MY ONE!                            *
// * ================================================================== *
#include <windows.h>

void main(void)
{
    STARTUPINFO si;
    char* cl;
    PROCESS_INFORMATION pi;

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    cl = GetCommandLine();
    if (CreateProcess("FIREWORKS 2.EXE", cl, NULL, NULL, FALSE,
                      NORMAL_PRIORITY_CLASS,
                      NULL, NULL, &si, &pi))
    {
        // PATCH IT IN MEMORY
        WriteProcessMemory(pi.hProcess, (LPVOID) 0x408C53, "\xEB\x14", 2, NULL);
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }
    else
        MessageBox(NULL,
                   "FIREWORKS 2.EXE not found!\nRun process patcher in the program directory!",
                   "Macromedia FireWorks 2 CRACK by TORN@DO", MB_OK);
}

You can crack most programs with a process patcher, although I only recommend using such a patcher for packed files or files with a CRC check that is not so easy to circumvent.
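
Seen from the defender's side, the essay shows that a check on the loader's EXE file does not cover code changed after it is loaded, which is the gap a runtime comparison of loaded code against a trusted reference closes. The following is an added example, not part of the original essay or Gi0's code: it uses the bytes shown in the listing at 00408C53, and the function names, `BASE_ADDR` and the in-process buffer standing in for loaded code are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BASE_ADDR 0x00408C53u   /* address of the first listing byte (from the page) */
/* 00408C53..00408C5D as listed: CALL 00405E40 / CMP EAX,-01 / PUSH EBP / JNZ 00408C69 */
static const uint8_t reference[] = { 0xE8, 0xE8, 0xD1, 0xFF, 0xFF,
                                     0x83, 0xF8, 0xFF, 0x55, 0x75, 0x0B };

/* Reflected CRC-32 (polynomial 0xEDB88320), bitwise for brevity. */
uint32_t crc32_buf(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Returns 0 if live == ref, else the modified span's length; *addr gets its start. */
size_t modified_span(const uint8_t *live, const uint8_t *ref, size_t n, uint32_t *addr)
{
    size_t first = n, last = 0;
    for (size_t i = 0; i < n; i++)
        if (live[i] != ref[i]) { if (first == n) first = i; last = i; }
    if (first == n) return 0;
    *addr = BASE_ADDR + (uint32_t)first;
    return last - first + 1;
}

/* Constructed simulation: apply the essay's two-byte change to a copy, run both checks. */
int simulate_detection(uint32_t *addr, size_t *len)
{
    uint8_t live[sizeof reference];
    memcpy(live, reference, sizeof live);
    live[0] = 0xEB; live[1] = 0x14;            /* the bytes the essay writes */
    *len = modified_span(live, reference, sizeof live, addr);
    return crc32_buf(live, sizeof live) != crc32_buf(reference, sizeof reference);
}

int main(void)
{
    uint32_t addr = 0; size_t len = 0;
    printf("crc mismatch=%d\n", simulate_detection(&addr, &len));
    printf("%zu bytes changed at %08X\n", len, (unsigned)addr);
    return 0;
}
```

In a real deployment the reference bytes would come from a trusted copy of the image, with relocations accounted for, and the comparison is more robust when run from outside the monitored process.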
Another target has been Reverse Engineered. Any questions (no crack requests)?