'Was trial? Now it's fully functioning'
Win Code Reversing

Program Name: spector_eval.exe
Program Type: Screen recorder
Program Location: Here
Program Size: 1.15mb

Tools Used:
Softice V3.23 - Win'95 Debugger
W32Dasm V8.93 - Win'95 Disassembler
The author of Spector v2 says: "Spector is the first automatic screen recording software designed for consumers and corporations. Spector records PC and Internet activity, much like a camcorder, and lets you play back the recorded information. Spector records all applications loaded, all web sites visited, all chat conversations, and all incoming and outgoing e-mail activity. You see what THEY see."
The only way to register this tool is to connect online to the author's website; you will then get by e-mail the URL for downloading the registered version. The author tells us that this trial version does not count the days, but lets you use it for up to 1000 screen recordings. With this information in our heads, it's time to start work on it...

Since we don't have any registration screen to type our details into, the best thing to do is to create a dead list. I use W32Dasm. After that is done, we go to the "String Data References" to see if there is any string that can help us... Can you see this: "Your Trial version of Spector will expire in %d days. Pleas"? Hey, what's this?? We know that "....does not count the days, but it lets you using it up to 1000 screen recordings." Anyway, double-clicking on the string will take you to this part of the asm code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040877D(C)
|
:00408791 A1603F4600    mov eax, dword ptr [00463F60]
:00408796 85C0          test eax, eax                   ; eax = 0 ?
:00408798 741D          je 004087B7                     ; jump if eax = 0
:0040879A 8B15803F4600  mov edx, dword ptr [00463F80]
:004087A0 8D8398000000  lea eax, dword ptr [ebx+00000098]
:004087A6 52            push edx

* Possible Reference to String Resource ID=00170: "Your Trial version of Spector will expire in %d days. Pleas"
|
:004087A7 68AA000000    push 000000AA
:004087AC 50            push eax
:004087AD E8D6250200    call 0042AD88
:004087B2 83C40C        add esp, 0000000C
:004087B5 EB42          jmp 004087F9                    ; jump to beggar off message
From looking at the code above, we can tell that if we have used all our 1000 screen recordings, EAX at location 408796 will not hold the value '0', and we will get the 'expire' message. We can assume that we haven't used them all yet, so we want to check what happens when we jump to location 004087B7.

The message that tells us how many screens are left is shown in the Help/About screen. Run Spector and click on Help. Before you click on About, fire up Softice by pressing 'Ctrl+D'. Type 'bpx setwindowtexta'; this should break in before the About screen pops up. Type 'X' to leave, and click on the About option. Softice breaks; press 'F11' once and we are in Spector's code. Now we want to set a new bp, so clear all bpx's with 'bc *', and type 'bpx 408791'. Type 'x' and we break again here:
:00408791 A1603F4600    mov eax, dword ptr [00463F60]   ; we land here !
:00408796 85C0          test eax, eax                   ; eax = 0 ?
:00408798 741D          je 004087B7                     ; we jump here !!
Press 'F10' 3 times, and we jump to this code :
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408798(C)
|
:004087B7 8DB398000000  lea esi, dword ptr [ebx+00000098]
:004087BD 68AC000000    push 000000AC
:004087C2 8BCE          mov ecx, esi
:004087C4 E8FE910200    call 004319C7
:004087C9 E8AC330000    Call 0040BB7A                   ; check windows used (eax)
:004087CE B9E8030000    mov ecx, 000003E8               ; ecx = 1000 !!!
:004087D3 2BC8          sub ecx, eax                    ; ecx = ecx - windows used
:004087D5 85C9          test ecx, ecx                   ; ecx = 0 ?
:004087D7 7E20          jle 004087F9                    ; jump if ecx = 0
:004087D9 51            push ecx
:004087DA 8D4C240C      lea ecx, dword ptr [esp+0C]
:004087DE 6828054600    push 00460528
:004087E3 51            push ecx
Can you see what the code above does? We see how this protection routine calculates how many screens are left for us to use. If we still have window recordings to use, we don't jump, and we get a message in the About window. So if we don't want it to show, we need to force the jump to take place. To do it, keep pressing 'F10' until you land on location 004087D7, and then type 'r fl z' to change the zero flag; now the jump will be executed. Type 'x' and we get the About screen, but this time without the 'windows left'. We found the right place, but we still have the 'Register' button enabled.

Go again into the Help/About menu, but now, when Softice breaks, clear the bp with 'bc *', keep going without changing the jle 004087F9, and keep pressing 'F10' 19 times; you'll be back at the location where we have the 'call' to all the checks:
:00430398 85C0          test eax, eax                   ; eax = 0 ? registered version ??
:0043039A 59            pop ecx
:0043039B 740C          je 004303A9                     ; jump if eax = 0 (ignore checks)
:0043039D 8B10          mov edx, dword ptr [eax]
:0043039F 8BC8          mov ecx, eax
:004303A1 FF92BC000000  call dword ptr [edx+000000BC]   ; all checks !!!
:004303A7 EB07          jmp 004303B0                    ; we land here from 'ret' !!!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043039B(C)
|
:004303A9 6A01          push 00000001
:004303AB 58            pop eax
:004303AC EB02          jmp 004303B0
We can see that if we jump at :0043039B 740C je 004303A9, the 'call' at location 004303A1 will not be executed!! We can check it this way: type 'bpx 0043039B', type 'x' and do Help/About again. When SI breaks, type 'r fl z' and press 'x'. WOW, we now have the About screen without the 'windows left' count and without the 'Register' button!!

But a few days later, when I was ready to check the program for the last time before removing it from my hard drive, I got this: "The maximum recording time has been reached..." So now I was sure that there was another check that I had missed. I decided to go to the dead list to look for something like a check of whether any register is equal to 1000. Just to remind you, number values will usually be in HEX, so 1000 decimal will be 3E8 in hex. Hey, we had this a few lines above:
* Reference To: SHMSWNRC.?ShGetFrames@@YAKXZ, Ord:0002h   ; get frames ???
|
:004087C9 E8AC330000    Call 0040BB7A                   ; check windows used, returns
                                                        ; with eax = windows used
:004087CE B9E8030000    mov ecx, 000003E8               ; ecx = 1000 !!!
:004087D3 2BC8          sub ecx, eax                    ; ecx = ecx - windows used
:004087D5 85C9          test ecx, ecx                   ; ecx = 0 ? no more ?
:004087D7 7E20          jle 004087F9                    ; jump if ecx = 0
The best idea is to set a bpx here: :004087C9 Call 0040BB7A. When you do it, press 'F8', and we land in SHMSWNRC's code; you can see this: shmswnrc!.text+4c74 at the top of the data window. Well, search for this file on your computer; in c:\windows\system you'll find shmswnrc.dll. Create a dead list of it and we will look in "String Data References" for the good stuff. The one that I liked was this one, which looks like an entry in the registry file:
* Possible StringData Ref from Data Obj ->"SOFTWARE\Classes\CLSID\{23DD4C01-A3D6-11d2-BA8C-444553540000}"
|
:10035D0C 68C8E20310    push 1003E2C8
:10035D11 6802000080    push 80000002

* Reference To: ADVAPI32.RegCreateKeyExA, Ord:015Fh
|
:10035D16 FF150CB00310  Call dword ptr [1003B00C]
:10035D1C 85C0          test eax, eax
:10035D1E 7536          jne 10035D56
:10035D20 C745F404000000 mov [ebp-0C], 00000004
:10035D27 C745F004000000 mov [ebp-10], 00000004
:10035D2E 8B55F0        mov edx, dword ptr [ebp-10]
:10035D31 52            push edx
:10035D32 6824000410    push 10040024
:10035D37 8B45F4        mov eax, dword ptr [ebp-0C]
:10035D3A 50            push eax
:10035D3B 6A00          push 00000000

* Possible StringData Ref from Data Obj ->"OLERange"
|
:10035D3D 6808E30310    push 1003E308
:10035D42 8B4DF8        mov ecx, dword ptr [ebp-08]
:10035D45 51            push ecx

* Reference To: ADVAPI32.RegSetValueExA, Ord:0186h
|
:10035D46 FF1500B00310  Call dword ptr [1003B000]
:10035D4C 8B55F8        mov edx, dword ptr [ebp-08]
:10035D4F 52            push edx
We can see that the program creates a key in the registry, named: SOFTWARE\Classes\CLSID\{23DD4C01-A3D6-11d2-BA8C-444553540000}. Then it creates OLERange; this will be the DWORD that holds the value of how many screens we have used, and it is updated by the function RegSetValueExA. So, if we force the program not to get there, it will not update the number of screens we have already used, and we never reach the 1000 screens!!! This can be done this way:
* Reference To: ADVAPI32.RegCreateKeyExA, Ord:015Fh
|
:10035D16 FF150CB00310  Call dword ptr [1003B00C]
:10035D1C 85C0          test eax, eax
:10035D1E 7536          jne 10035D56                    ; change it to jmp !!
Remember to create a backup of the DLL file before you do the patch, just in case something goes wrong!!!

* If you have already reached the 1000 screens by now, go to the registry and change it to a number less than that.... :)
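The weakness the last few paragraphs expose is that the whole trial state is one bare DWORD (OLERange) which the program writes and then believes, so resetting it is a regedit job. As an added illustration, not Spector's code and not part of this essay, the Python below puts that scheme next to a counter bound to a per-install secret with an HMAC, so a hand-edited or transplanted value is rejected when it is read back. The key, install id and counts are constructed for the example.

```python
"""Tamper-evident trial counter next to the bare-DWORD scheme (added example).

Spector, as the essay shows, stores the number of screens used as a plain
DWORD ('OLERange') that anyone can edit. This models that scheme and a
counter bound to a per-install secret with an HMAC, so a hand-edited or
transplanted value is rejected on load. Key, install id and counts below
are constructed for the example, not values from the program.
"""
import hashlib
import hmac
import struct

LIMIT = 1000  # 0x3E8, the limit the disassembly compares against
TAG_LEN = 32  # length of an HMAC-SHA256 tag


def screens_left(used: int) -> int:
    """The check in the listing: ecx = 1000 - used; jle when nothing is left."""
    return max(LIMIT - used, 0)


# --- weak scheme: a bare little-endian DWORD, nothing to verify ---
def weak_store(used: int) -> bytes:
    return struct.pack("<I", used)


def weak_load(blob: bytes) -> int:
    return struct.unpack("<I", blob)[0]  # whatever is there is believed


# --- tamper-evident scheme: DWORD || HMAC-SHA256(key, install_id || DWORD) ---
def te_store(used: int, key: bytes, install_id: bytes) -> bytes:
    body = struct.pack("<I", used)
    tag = hmac.new(key, install_id + body, hashlib.sha256).digest()
    return body + tag


def te_load(blob: bytes, key: bytes, install_id: bytes) -> int:
    """Return the stored count, or raise ValueError if the blob was altered
    or was produced for a different install id."""
    if len(blob) != 4 + TAG_LEN:
        raise ValueError("tampered: unexpected length")
    body, tag = blob[:4], blob[4:]
    expected = hmac.new(key, install_id + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tampered: MAC mismatch")
    return struct.unpack("<I", body)[0]


def demo() -> dict:
    """Edit the stored count back to 5 under both schemes and report the outcome."""
    key = b"constructed-per-install-secret"
    install_id = b"constructed-machine-id"
    result = {}
    # Bare DWORD: the edit is accepted and the trial is effectively reset.
    result["weak_accepts_edit"] = weak_load(struct.pack("<I", 5)) == 5
    # MAC-protected: keep the old tag, change the count -> rejected on load.
    blob = te_store(999, key, install_id)
    forged = struct.pack("<I", 5) + blob[4:]
    try:
        te_load(forged, key, install_id)
        result["te_detects_edit"] = False
    except ValueError:
        result["te_detects_edit"] = True
    result["te_round_trip"] = te_load(blob, key, install_id) == 999
    return result


if __name__ == "__main__":
    print(demo())
```

Two caveats, both visible in the essay itself: a MAC does not stop replaying an older, validly tagged blob saved when the count was low, and the key has to live somewhere the program can read it, so a patch to the comparison, as the essay shows, still wins. A MAC raises the cost of a reset from "change one number" to "reverse and patch the binary"; it does not make the check unbypassable.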
Load up Spector.exe into your Hex-Editor (I use Hex Workshop 32).
SEARCH FOR THE FOLLOWING BYTES: 85C059740C8B10
REPLACE WITH HIGHLIGHTED BYTES: 85C059EB0C8B10

Load up shmswnrc.dll into your Hex-Editor.
SEARCH FOR THE FOLLOWING BYTES: B0031085C07536C7
REPLACE WITH HIGHLIGHTED BYTES: B00310EBC07536C7
Don't forget it needs to be in c:\windows\system!!!
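Each of the two byte patches above is a single-byte change in a short sequence, which is exactly the kind of modification an administrator or a vendor's updater can look for. The Python below, an added example that is not from this essay, searches a file for both the original and the edited form of each sequence and reports which one is present. The byte strings are the ones printed above; the file names are the ones the essay uses, and the buffers in demo() are constructed.

```python
"""Telling a shipped copy from a patched one (added example, not from the essay).

The essay's two patches each change one byte in a short sequence. Searching
a file for both the original and the edited form reports which is present.
The byte strings are those printed in the essay; the file names are the ones
it names; the sample buffers in demo() are constructed.
"""
from pathlib import Path

# file name -> (bytes the essay says to search for, bytes it says to replace them with)
SIGNATURES = {
    "spector_eval.exe": (bytes.fromhex("85C059740C8B10"),
                         bytes.fromhex("85C059EB0C8B10")),
    "shmswnrc.dll": (bytes.fromhex("B0031085C07536C7"),
                     bytes.fromhex("B00310EBC07536C7")),
}


def classify(data: bytes, original: bytes, patched: bytes) -> str:
    """'intact', 'patched', 'ambiguous' (both forms found) or 'unknown' (neither)."""
    has_orig = original in data
    has_patch = patched in data
    if has_orig and has_patch:
        return "ambiguous"   # both present: inspect the offsets by hand
    if has_orig:
        return "intact"
    if has_patch:
        return "patched"
    return "unknown"         # a different build, or not the file you think


def diff_offsets(original: bytes, patched: bytes) -> list:
    """Positions at which the two sequences differ (one byte for both patches here)."""
    return [i for i, (a, b) in enumerate(zip(original, patched)) if a != b]


def check_file(path: Path) -> str:
    """Classify a file on disk by its name; names not in SIGNATURES raise KeyError."""
    original, patched = SIGNATURES[path.name]
    return classify(path.read_bytes(), original, patched)


def demo() -> dict:
    """Run classify() over constructed buffers standing in for the executable."""
    orig, pat = SIGNATURES["spector_eval.exe"]
    filler = b"\x90" * 16  # constructed padding around the sequence
    return {
        "intact": classify(filler + orig + filler, orig, pat),
        "patched": classify(filler + pat + filler, orig, pat),
        "unknown": classify(filler, orig, pat),
    }


if __name__ == "__main__":
    print(demo())
```

Pattern matching only says which known edit was made. A SHA-256 of the whole file compared against the hash of the shipped copy catches any change at all, including ones this list does not know about, and is what a vendor-side integrity check or an endpoint baseline would actually compare; searching for the bytes is useful when you want to name the change rather than just notice it.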
REMEMBER, I'm doing my cracks as a hobby and challenge, so please, if you like this utility and want to keep using it, support the author and pay for it.

You can protect Spector from being used by others with a password; here is a short tutorial that cupofcoffe wrote about how to bypass this password. Thanks cupofcoffe :).

In this essay, I showed 2 ways to crack a Trial Version so that it works like a fully functional version. The first one was how to stop showing the [Trial Version] and counting the screens left. The second one was how to stop updating the registry; this one is good for most 'time limited' versions as well.

My thanks and gratitude go to:
The Sandman for all that he is doing for us newbies.
Rhayader for helping me with Reverse Code Engineering and useful tips