Function Disabled protections are very common nowadays and are among
the most popular for high-priced or specialty software. But
their days of stopping us are over... now!
Target:
WinScan ver 2.0.06
WinScan is an intelligent scan, trace and vector editing program designed for use with TWAIN compliant scanners and popular vector illustration packages such as CorelDRAW. This is a very handy program
if you are in the graphics industry or if you make vinyl signs with plotters (as I do)...
Where to get it:
http://www.airmark.com/
Tools Needed:
SoftIce (SI) (Required)
W32dasm (optional)
Hiew Hexeditor (included with Tutorial) (Required)
Borland Resource Work Shop (optional)
Pre Crack Notes:
OK, there are several different steps in this crack, and there are really 3 cracks that will be done;
each one of them will have several steps. If you don't have the optional tools above,
you will only be able to complete the first 2 parts of this tutorial (the important ones).
The last section of the crack only removes the DEMO messages at start and in the about box;
it changes them to the registered messages instead (big deal, I know)...
The Crack
OK, you should have gotten the programs you need by now, so let's start the crack.
Step #1:
Fire up your program (WinScan) and have a look at it. You should see the big ugly blue box that
says this is a DEMO version of the program (like we didn't know this). It is not that big of a deal
because it goes away if you click on it. But now open one of the sample .bmp files that
are in the WinScan dir. Now try to save the file; you will get a box that says
"This Command is not Allowed Blah Blah Blah". OK, so it doesn't want us to save, but we want to.
I mean, shit, how can you evaluate software if you can't save the work to see its quality?
Well, I don't think you can, so we will cure this problem :-).
Just remember that this little message came to us in the form of a message box.
Step #2:
Now we have a good idea that we are getting the nag from a message box, so
if we can break at the message we can see what calls it, right? Or we could use
W32dasm and locate the point where the message is called. Well, that would take
a bit longer to trace out the code that calls it, so we will save that for later or for those
who want to learn a bit more about finding this type of protection call.
So for now we are just gonna use SI (as it is all that is really needed) to break on the
message that we get when we try to save. So let's start....
First press Ctrl-D to get into SI (SoftIce) and let's see what we have here. Let's see if we
have any breakpoints left over from a project that you were working on before you
started this one, so do this: BL. This will give you a listing of all breakpoints you
have set in SI. Well, we don't want those to cause us problems in this crack, so we
will do one of 2 things: (1) clear them with BC * or (2) disable them with BD *. If you
don't need the BPs (breakpoints) you can clear them; if you will need them for
another project then just disable them for now. OK, now that we have that out of the
way (bear in mind I write my tuts so anyone can follow them even if they have
never cracked before), let's set the breakpoints that we will need for this crack.
So let's do this: BPX MESSAGEBOXA <--- This will make SI break when the
call to the MessageBox is made. For now that is the only one we need, so let's
Ctrl-D back to our target WinScan.
Step #3:
OK, now let's set all this in motion. Try to save this file with [SAVE] from the menu
or the disk icon in the toolbar. Boom, to SoftIce we go. Now we are in SI at the
point where our program is ready to show us the nag. Now let's think about what we
want to do here: (1) we want to find out where this call came from, and (2) we want to
make it go to the real save dialog box and not this nag. So we will press F11 so we
can get back to what called this function. You will pop back into WinScan, where
you will see the nag. Press OK and you will pop back to SI. Now, we are not there yet,
because if you look on the line between the command window and the code window
you will see MFC blah blah blah. Well, this is the place that our message box was called from,
but this is not our program. Our program called this to get the box, so what we will do is
press F10 (single step) till we get back to our program. So press F10 till you see
WinScan on the line between the command and code windows. When you get there
you should see something like the following
(note: the addresses may not be the same on yours)
0137:00455AF5 CALL 0045D800 <---- This is what calls our little MessageBox
0137:00455AFA JMP 00455B1E <---- OK, we told him he can't save, so let's go back
0137:00455AFC MOV ECX,[EBP-14] <---- not important.
OK, now we found the call, so let's scroll up a few lines and see what we can see. It should look like this
(note: the addresses may not be the same on yours)
0137:00455AE0 MOV EAX,[EAX+4] <---- load the pointer used to reach the demo flag
0137:00455AE3 CMP DWORD PTR [EAX+000000C4],00 <---- check and see if this is a demo ver
0137:00455AEA JZ 00455B16 <---- if zero then this is a full ver, else this is a demo
0137:00455AEC PUSH FF <---- push an argument for the call below
0137:00455AEE PUSH 10 <---- push another argument
0137:00455AF0 PUSH 0000009D <---- yup, push one more
0137:00455AF5 CALL 0045D800 <---- This is what calls our little MessageBox
0137:00455AFA JMP 00455B1E <---- OK, we told him he can't save, so let's go on working
0137:00455AFC MOV ECX,[EBP-14] <---- not important.
OK, if you look real close I think you can see what we need to do now, and if you can't I will
tell you:
0137:00455AEA JZ 00455B16 <---- This jump here will send us to the real save dialog that we
want.
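Seen from the protection side, the listing above is what a single runtime flag check looks like once compiled. The following added example (not code from WinScan or from the original tutorial; `app_state`, `save_runtime_gated`, `save_build_gated`, `encode_vector` and `FULL_BUILD` are hypothetical names) contrasts that design with a demo build compiled without the save path, where no branch leads to working save code.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum save_result { SAVE_OK, SAVE_DENIED, SAVE_UNAVAILABLE, SAVE_ERROR };

/* Hypothetical state; is_demo models the DWORD tested by
   CMP DWORD PTR [EAX+000000C4],00 in the listing. */
struct app_state { int is_demo; };

/* Hypothetical stand-in for the real export routine. */
static enum save_result encode_vector(const char *drawing, char *out, size_t cap)
{
    size_t len = strlen(drawing);
    if (len + 1 > cap)
        return SAVE_ERROR;
    memcpy(out, drawing, len + 1);
    return SAVE_OK;
}

/* Weak design: the full save path ships in the demo binary and one
   runtime comparison (the CMP/JZ pair) decides whether it runs. */
enum save_result save_runtime_gated(const struct app_state *s,
                                    const char *drawing, char *out, size_t cap)
{
    if (s->is_demo != 0)
        return SAVE_DENIED;               /* nag message box path */
    return encode_vector(drawing, out, cap);
}

/* Hardened design: a demo build (FULL_BUILD undefined) has no call into the
   export code; a real project would leave encode_vector out of it as well. */
enum save_result save_build_gated(const struct app_state *s,
                                  const char *drawing, char *out, size_t cap)
{
    (void)s;                              /* the flag is not consulted at all */
#ifdef FULL_BUILD
    return encode_vector(drawing, out, cap);
#else
    (void)drawing; (void)out; (void)cap;
    return SAVE_UNAVAILABLE;
#endif
}

int main(void)
{
    struct app_state forced = { 0 };      /* constructed: flag forced to "full" */
    char buf[32] = "";
    printf("runtime gate: %d, build gate: %d\n",
           save_runtime_gated(&forced, "M 0 0 L 10 10", buf, sizeof buf),
           save_build_gated(&forced, "M 0 0 L 10 10", buf, sizeof buf));
    return 0;
}
```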
So we need to change the JZ to a JNZ so that the program will think that if we are a DEMO
we should jump to the real save dialog and not the nag. But before we do this, let's get some info
that we will need for part 2 of the crack, so do a D xxxx:00455AEA (xxxx is the value you see in
front of the address, 0137 in the listing above).
Now look in your data window for something like this