(Hic sunt tabulae: Best viewed with good old Courier New 8)
Well well well, my dear friends, it's April, the "opening"
month, when trees unfold and the womb of nature opens with young life...
about time we start with the REAL work, and what I mean is that we
begin damaging Microsoft interests... the real ones. I will therefore
teach you here how to crack Microsoft's ubiquitous "trial version
time protection".
The typical Micro$oft's trial limit (of three months) is a
clever marketing approach per se: I'm speaking of the "trial" version
of their programs that you are supposed to use and enjoy for 90 days,
until a screen reminds you that you WILL not be able to use it any more,
coz the 90 days are over, please pay. Note the clever touch of 90 (instead
of 30) days: three months are more than enough to get you real hooked on a
program, especially huge monstrosities of the complexity of MS overbloated
applications... it's a much better period than the usual "30 days"
flavour that we find around in common shareware.
Since Micro$oft makes the bulk of its money from software
sold to corporate executives, senior sparer and assorted yuppies, it
suits us well to crack as first example of this lesson, Microsoft PROJECT,
one of those ridiculous "yuppie" programs that allow you to "plan"
and "schedule" an activity or a project of your "team"... as if we
were all time-slaves like those idiots... besides I may as well use this
crap to program the nice "activities" of my +HCU's cracking units :=)
I'm therefore cracking here the 90 days trial version of
MSOFFICE WINDOWS PROJECT Version 4.1 of august 1995 which has the
protection hidden inside the monstrous WINPROJ.EXE (4.240.896 bytes of
overbloated bad programming). The error and protection messages dwell inside
winproj.DLG (overbloated dialogues of 1.179.822 bytes).
We'll begin with this somewhat "older" example of the ubiquitous
"MS-trial" protection scheme (from 1995), since, as I have already told
you elsewhere, the *history* and the *evolution* of protection schemes
are powerful additional WEAPONS, that a cracker can use to defeat
more complex schemes that may not be so evident if you cannot recognise
their "physiognomy" at the first glance (or if you do not yet "feel" them :=)
We'll crack in this lesson a Microsoft program from 1994, another one from
1995 (this first one) and two from 1997. I believe this should give you a
wide enough palette of MS-protections, and that with this knowledge you
should be able to crack every single piece of software Microsoft may throw
at you in the next couple of years (at least :=)
You'll see for instance that the "cmp eax,ecx" instruction
at the heart of some of these MS-schemes is a constant characteristic,
that you'll meet again and again, which differs from the typical "beggar off
on bad flag ax" setting that the shareware authors usually use.
A SMALL THEORETHICAL DIGRESSION
First of all, before entering the guts of MS-cracking, a small "theoretical"
digression.
From a cracker's point of view, the new "trend" to give away full time
limited versions of a software packages is extremely interesting:
once you defeat the time checking routines (... plural coz there may
be much more than one inside the same program) your work is done and
you'll immediately enjoy the full application.
The reason behind this trend (from password to time-trial)
is quite simple: password-serial number protections are useless on a Web
which abounds with free pirated serial number listings (I saw one with 54.000 different serial numbers-registration strings couples!) that anybody with intelligence level "amoeba" can easily find. I do not like serial number collectors: they do not teach anything, in my (admittely biased) opinion they just steal... fact is anyway, that the mere existence of such huge ready-made password listings has nuked any programmer's confidence in the serial/string protection approach (whose cracking techniques I have explained elsewhere in this tutorial), and this is the more true for "commercial" (i.e. "non toy") applications.
You will find therefore, for big commercial application, the
"Cinderella" protections (you may use this app for 30 days) or
the "quiver" protections (you may use this app 30 times), or a combination of these two kinds, or a combination of both kinds PLUS the registration
string/serial number protection method.
One of the (minor) problems for us nice crackers is that
with this kind of protections we may have some surprises later on... i.e. you crack your target and it works fine... well past the date it should have
been crippled upon, WHEN YOU SET this DATE INSIDE YOUR OS but -alas!- it stops miserably working WHEN THE REAL TIME "of the world" has passed that cap... this has to do with OTHER protections, checking randomly, for instance, the date of some UNRELATED FILES on your hard disk.
Obviously this does not concern us much... as soon as this
happen we crack this "second level" protection scheme too, happily drinking
another Martini-Wodka (use only Moskowskaja and add some Indian tonic
Schweppes and a zest of lemon if you want to taste something
that's really good) and forget the whole incident... but I had
to mention it right now because I honestly DO NOT KNOW YET if
some of the programs that I'll crack in these lessons do have or
not such additional protections, nor have I the time to feel if
there are other protections inside overbloated 5 million bytes
horrors once I have already found the first (and maybe only) one,
nor have I envy to wait 90 days just to see if something else
snaps... should it happen (which I DO NOT believe, seen how
primitive MS-protections look like) I'll then simply add the new
crack to this section, we'll see.
---------------------------------------------
Some elementary MUST KNOW when you crack time protections:
Date and Time stamps in the root directory (old flavour)
The root directory (in DOS) is a simple table of 32-byte
entries, defining each file on the root directory. Bytes 0-7 have
the file name, 8-10 have the file extension, 11 hydes the
attribute flags, 12-21 are at times used for other protection
tricks, 22-23 have the *TIME* stamp, 24-25 have the *DATE* stamp,
26-27 the starting cluster number and 28-31 the file size.
The date and time stamps can record any date from January
1, 1980 through December 31, 2099. The time stamp is accurate to
two seconds. The date and time stamps are each 2 byte values that
are recorded by using the following equations:
DATE = DAY+64*MONTH+512*(YEAR-1980)
TIME = SECONDS/2+32*MINUTES+2048*HOURS
In the time entry, the hour occupies the first 5 bits, the
minutes the next 6, and the second the last 5. The seconds are
actually stored as the number of seconds divided by 2, so the
clock is accurate to 2 seconds. In the date entry, the year
(subtracted from 1980... that is 0x7bc) is stored in the first
7 bits, the month in the next 4 and the day in the last 5 bits.
How do we recover these values? Here the commonest tricks:
seconds AND byte 22 with 11111; then multiply by 2
Minutes AND byte 23 with 111; then shift left 3 and
add byte 23 shifted right 5
Hours Shift byte 23 right 3
Day AND byte 24 with 11111
Month AND byte 25 with 1, Multiply by 8 and
add byte 24 shifted right 5
Year Add byte 25 to 1980 (0x7cb) and shift right 1
I hope you have the intelligence to understand by yourself
why these methods work... the point is that as soon as you see
something like that going on in the code you are examining, you
will know that they are fiddling with date or time stamps (may
be necessary, for instance, in order to reset the date and time
stamps of an opened file without leaving any trace behind).
How does a programmer fetch the date? He uses the _dos_getdate
function.
The _dos_getdate function uses system call 0x2A to get the
current system date. The date information is returned in a