1999
'30 day limit? not any more'
Win Code Reversing

Program Details
Program Name: f_x86t32.exe
Program Type: File Transfer client
Program Location: Here
Program Size: 1.5mb

Tools used:
Softice V3.23 - Win'95 Debugger
W32Dasm V8.93 - Win'95 Disassembler
The author of Ftp95pro says :
WS_FTP Professional is a Windows-based file transfer client application that transfers files between a user's local PC and another, remote computer system connected via a modem and telephone lines or by a local-area network. With WS_FTP Pro, users can connect to any remote system that has a valid Internet address and an FTP server program, browse through directories and files, and transfer files between the two systems. In addition, users can create, change, and remove directories and view, execute, rename, or delete files. WS_FTP Pro complies with the Windows sockets (Winsock) standard, allowing you to transfer files between a wide variety of systems, including Windows, OS/2, and UNIX systems.
Before we start the reverse work, play with this tool by changing the date of your computer.
As we see, this program will stop functioning after 30 days. When we run it, it runs without any nag screen until we come to 7 days before expiry. Then it shows us a nag screen that "evaluation is running", and we have 7,6,5,4,3,2,1 days left, BUT IT KEEPS RUNNING AS NORMAL.
When time is over, we get the nag screen that the evaluation is over AND THE PROGRAM WILL STOP RUNNING...
This is a good sign for us !!!
The program saves the installation settings in a file called WS_FTP.key :
create date=19990530 15:34
expire date=June 14, 1999
expiration=1999165        <<< 165 days from the beginning of 1999.
Don't change this file before you make a backup !! (unless you want to re-install it)
Ok, can we start our unlimited trip now ?
Since it's not the first "time limited" program I'm dealing with, I can tell that this kind of program uses the "GetSystemTime" function to "know" the period left...
In this one, after the program gets the system time, it makes some checks with the dates that were kept in the WS_FTP.key file.
All that you're going to see and follow here is not a "rule". Sometimes you need to bpx in the program, and then keep pressing "F10" and watch some registers to get the idea of what's going on... we're ready now.
Just remember to set up the clock to the range of 7 days before the end of the trial time.
Set a break-point in Softice : "ctrl-d", "bpx getsystemtime" and "x" to leave. Start ftp95pro.exe.
SI breaks; we need the 6th call of "getsystemtime", so type "x" 5 times, and now 'F11' once. We want now to go to the function that reads the installation info from the key file. BD the last bpx and set a new one : bpx GetPrivateProfileStringA.
This function reads strings from files...
Type x, and SI breaks. Press 'F11' once, and here is the code we land at.
The dates are in the format yyyynnn: yyyy=year, nnn=days from the beginning of the year.
* Reference To: KERNEL32.GetPrivateProfileStringA, Ord:00FFh
|
:00411380 FF1510C74500    Call dword ptr [0045C710]
:00411386 6A04            push 00000004                    ; we land here
:00411388 8D45AE          lea eax, dword ptr [ebp-52]      ; eax=expire date
:0041138B 50              push eax
:0041138C 8D45A4          lea eax, dword ptr [ebp-5C]      ; eax=today's date
:0041138F 50              push eax
:00411390 E8EB660200      call 00437A80
:00411395 83C40C          add esp, 0000000C
:00411398 8945FC          mov dword ptr [ebp-04], eax
:0041139B 837DFC00        cmp dword ptr [ebp-04], 00000000
:0041139F 0F8524000000    jne 004113C9
:004113A5 8D45AE          lea eax, dword ptr [ebp-52]      ; eax=expire date
:004113A8 50              push eax
:004113A9 E8426F0200      call 004382F0                    ; eax=expire date in hex format
:004113AE 83C404          add esp, 00000004
:004113B1 8BD8            mov ebx, eax                     ; ebx=expire date in hex format
:004113B3 8D45A4          lea eax, dword ptr [ebp-5C]      ; eax=today's date
:004113B6 50              push eax
:004113B7 E8346F0200      call 004382F0                    ; eax=today's date in hex format
:004113BC 83C404          add esp, 00000004
:004113BF 2BD8            sub ebx, eax                     ; ebx=days left
:004113C1 895DF4          mov dword ptr [ebp-0C], ebx
:004113C4 E9D6000000      jmp 0041149F                     ; we jump here
We can see that the program calculated the days left from the system date and the expire date in the WS_FTP.key. Now it is kept at address [ebp-0C] in memory, and we jump to :
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004113C4(U), :00411432(U), :0041147E(U)
|
:0041149F 8B45F4          mov eax, dword ptr [ebp-0C]      ; eax=days left
:004114A2 E900000000      jmp 004114A7                     ; jump to next line

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004114A2(U)
|
:004114A7 5F              pop edi                          ; we jump to here
:004114A8 5E              pop esi
:004114A9 5B              pop ebx
:004114AA C9              leave
:004114AB C3              ret
After we get back from the ret, we are here :
:004118FA E8F4F3FFFF      call 004112AA                    ; back from this call
:004118FF 83C408          add esp, 00000008                ; we land here !
:00411902 8945FC          mov dword ptr [ebp-04], eax      ; [ebp-04]=days left
:00411905 E907000000      jmp 00411911                     ; we jump here

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411905(U)
|
:00411911 837DFC01        cmp dword ptr [ebp-04], 00000001
:00411915 0F8DBC000000    jnl 004119D7                     ; jump if more than 0 days left
:0041191B 6A00            push 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411915(C)
|
:004119D7 837DFC08        cmp dword ptr [ebp-04], 00000008 ; we land here !
:004119DB 0F8D1C000000    jnl 004119FD                     ; jump if 8 or more days left
:004119E1 8B45FC          mov eax, dword ptr [ebp-04]
:004119E4 50              push eax

* Possible Reference to Dialog: DialogID_4E22
|
:004119E5 68224E0000      push 00004E22
:004119EA 8B4508          mov eax, dword ptr [ebp+08]
:004119ED 50              push eax
:004119EE 8B450C          mov eax, dword ptr [ebp+0C]
:004119F1 50              push eax
:004119F2 E883F5FFFF      call 00410F7A                    ; call shows the days left screen
:004119F7 83C410          add esp, 00000010                ; from here works normal !!!
:004119FA FF45A8          inc [ebp-58]
In the last days of the trial it keeps running: press 'F10' until you get the screen, and press "continue evaluation". This screen is created at location 004119F2, and from then on the program keeps running as normal, at location 004119F7.
Can you see what the code above does? We see how this protection routine calculates how many days are left for us to use. If we still have more than 0 days, the program jumps to location 004119D7.
All the reversing done here is just to let you see how a trial version can check the days. Now we go to the actual part...
Ok, from location 004119F7 keep pressing 'F10' 18 times; this leads us to where all the checks were called from :
:00423C6D 6A00            push 00000000
:00423C6F E8A6D9FEFF      call 0041161A                    ; call for checks and nag screen
:00423C74 83C410          add esp, 00000010                ; from here works normal !!!
:00423C77 E9D0000000      jmp 00423D4C
We can 'nop' this call, so we will not get the last-7-days warning.
Now, to make this program work for ever, look at this :
:00423BCF E8D6DEFEFF      call 00411AAA
:00423BD4 83C410          add esp, 00000010
:00423BD7 85C0            test eax, eax
:00423BD9 0F849D000000    jz 00423C7C
:00423BDE 00837DE4000F    add byte ptr [ebx+0F00E47D], al
If we change the 'jz 00423c7c' to 'jmp 00423c74', this will make it...
job done.
SEARCH FOR THE FOLLOWING BYTES : 6A00E8A6D9FEFF83
REPLACE WITH THE FOLLOWING BYTES : 6A00909090909083
SEARCH FOR THE FOLLOWING BYTES : 85C00F849D0000
REPLACE WITH THE FOLLOWING BYTES : 85C0E996000000

REMEMBER, I'm doing my cracks as a hobby and challenge, so please, if you like this utility and want to keep using it, support the author and pay for it.
This was kind of a long tutorial, full of asm code, but it was important to follow it. We could see different ways for a program to check days, dates and strings being read from the file that keeps the installation info. Usually it takes some time to locate the "real" location where our "crack job" will take place.
My thanks and gratitude go to:-
The Sandman for all that he is doing for us, newbies.
Rhayader for helping me with Reverse Code Engineering and useful tips