WRQ's @Guard is software that runs on your PC and monitors network traffic going in and
out of your computer. Depending on how you have @Guard configured, it can also step in and
intervene in network connections and block data on your behalf. Specifically, it can:
block images (usually advertisements) that you don't want to see; speed up web page
loading; block referer fields and cookies to reduce the amount of targeted advertising you
receive; allow you to customize web pages that you visit often; stop animated GIFs from
cycling endlessly, reducing cache disk thrashing; keep track of various statistics as you
surf the web, like how much data you've downloaded and how many cookies you would have
sent back to web sites; and prevent software from communicating with your computer or with
remote computers without your knowledge or permission.
I decided to crack this application, because I think 30 days are not enough to try
out the application completely and I'm currently using the Internet just once/twice a
month, so I can't try it out in this short time. Now you know enough to start with
Step 1
We saw the icon from IAMAPP.EXE in the explorer and then, after we rebooted, at the
bottom of our screen. So we know that it must have something to do with that file. So
let's start W32DASM and have a look at the string references. I found the following
strings interesting:
"The trial period for %s has expired "
"The trial period for %s will expire "
I want to extend the trial period, so I've double-clicked on "The trial period
for %s will expire ". Then I scrolled up a few lines to see where this function was
called from. It was called from 403ED0. But it was an unconditional jump. So go to 403ED0.
You'll get the following:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403E88(C)
|
:00403EC5  cmp eax, 0000000A
:00403EC8  jg 00403ED2
:00403ECA  mov dword ptr [0040A534], esi
:00403ED0  jmp 00403EE0
If you don't change that JG at 403EC8 to a JMP, a NAG will always be displayed, saying
that your trial will expire in ..., so change that JG to a JMP. After you've seen that,
jump to 403E88, because it's a conditional jump and we're getting close to the
protection now. You'll get something like this:
:00403E86  cmp eax, esi          ; compare eax (30) with esi (days left)
:00403E88  jg 00403EC5           ; if there were some days left, jump

* Possible StringData Ref from Data Obj ->"@Guard"
                                  |
:00403E8A  push 0040A370

* Possible StringData Ref from Data Obj ->"The trial period for %s has expired "
If there were no days left for the trial, it won't jump, and so it will display the
message "expired". But we don't want that. So change that JG to JMP (I won't
give you the hex-values, etc. any longer, because I think you know them - if not: read
"Cracker's Notes"). So let's make the changes to IAMAPP.EXE, because we
don't want to do the same all the time! If you've done this, continue with
Step 2
If we click on the icon of IAMAPP.EXE in the taskbar with the right mouse button
and choose Setting, we get "Trial has expired" in the about tab. So let's fix
this too. In the about tab you also see which modules are being used. So let's look for
interesting ones ... IAMEVENT.DLL, IAMCPL.CPL. So let's load IAMEVENT.DLL in W32DASM and
look at the string references. I found no interesting strings, so I decided to load
IAMCPL.CPL in W32DASM (you should have noticed that it's in your
Windows-System-Directory). Now look at the string references to see whether you can find
interesting strings. I found the following strings interesting:
String Resource ID=00032: "You have changes that have not been applied. Do you want to "
"Trial expires in %d day."
"Trial expires in %d days."
"Trial has expired."
What changes have not been applied? Do you know what this is trying to tell us?
Yeah, you're right! It detects that we've cracked it ... oops! So let's double-click on
that one. You'll get something like this:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10006E11(C)
|
...

* Possible Reference to String Resource ID=00032: "You have changes that have not been applied. Do you want to "
Let's find out why this was called, so go to 10006E11. You'll get something like
this:
:10006E05  mov ecx, dword ptr [esp+00000080]
:10006E0C  cmp eax, 0000001E     ; compare days used (EAX) with 1E (30)
:10006E0F  mov dword ptr [ecx], eax
:10006E11  jle 10006E15          ; if there weren't any days left, jump
:10006E13  mov dword ptr [ecx], ebx
Ah! It detects that we've changed IAMAPP.EXE to extend the trial, and this is a
second check. So we need to replace this JLE with NOP, NOP or better: INC EAX, DEC EAX! If
you want, you can also change this "Trial has expired", but it's not important,
it's just an info. The lesson is over ...