Target Program: Ecco 4.01 32-bit Protection: Nag(s), 30 day time limit Cracked by: drlan [Me'97/C4N]! Location: http://www.shareware.com or http://www.download.com Tools needed: - SoftICE Win95 3.01 - Hex Editor (I like PSEdit and Hex Workshop) Conventions used: > denotes a SoftICE command Download the target and run it a few times to get a feel for what's going on. You'll notice a nice little reminder that the program will expire in 30 days. That doesn't sound like quite enough time for a thorough evaluation, so let's see what we can do... First, let's see what happens once we're past the point of no return. Set your date ahead by more than 30 days. Now run the target and see what it does. Try to load a file. Hmm, now our friendly reminder has turned nasty on us and says that the program has expired and that we should contact the vendor to purchase a copy. Bummer. Set the date back to normal and run one more time. Try to load a file. Hey, it works. That's good. So, it hasn't left behind any kind of nasty marker that would keep us from our work. So, let's get to work! We could try setting a breakpoint in SoftICE on system date functions, like GetLocalTime and GetSystemTime. However, this is a calendaring program and makes many, many calls to GetLocalTime which would make this difficult. Instead, let's investigate the nag screen a little further. There are lots of different ways to breakpoint and try to pinpoint the nag screen. I think I used HWND ecco32 when the nag was displayed to find out what windows were open. Then I set a breakpoint on the most likely window function. It was something like this: >TASK ; let's find our target's name (it is ecco32) >HWND ecco32 ; let's see what windows our target has open >BMSG 164 wm_command ; now set a breakpoint on the likely window NOTE: You may see 2 other windows called Mauishooter and Mauipowerpal. These aren't the ones we're interested in... Look for the first one after these. Then click on the OK button. SoftICE will pop. Press F12 several times until you're back in the Ecco32 code. You should see something like this: :004331E5 FF1508657400 CALL USER32!DialogBoxParamA 837DF400 CMP DWORD PTR [EBP-0C], 00 8945F0 MOV [EBP-10], EAX 740E JZ 00433202 So, it's the call to DialogBoxParamA that places the friendly reminder on the screen. Let's follow the code for a while and see where we go. Press F10 several times. You should hit 2 RET functions (RETurn). After you return from the second one, you should see some code that looks like this: :005C59DA E84EACF2FF CALL 004F062D ; go get some date information 662BC6 SUB AX, SI ; subtract install date from current 663D1E00 CMP AX, 001E ; is it less than 1E (hex), 30 (dec) 7218 JB 005C5A00 ; jump if still in evaluation period Now, our goal is to "extend" our evaluation period. Why not just make AX equal zero? Zero is an aweful lot less than 30, so we can evaluate forever. To do this, we'll change the SUB AX, SI into XOR EAX, EAX (this is a 32 bit program, so let's use 32 bit registers). When you XOR (eXclusive OR) any number with itself, the result is always zero. Setting EAX to zero will take care of AX. You can try this live in SoftICE by assembling in our new stuff. F10 until you are on the SUB AX, SI line. Then do this: >A ; to assemble in our new instructions >XOR EAX, EAX ; set EAX/AX to zero >NOP ; fill the remaining 1 byte space >(press ESC) We have to add a NOP (No OPeration) because the XOR EAX, EAX is only 2 bytes. We need to fill the extra space because SUB AX, SI is 3 bytes. Your code should now look like this: :005C59DA E84EACF2FF CALL 004F062D ; go get some date information 33CO XOR EAX, EAX ; set EAX/AX to zero 90 NOP ; do nothing for 1 instruction 663D1E00 CMP AX, 001E ; is AX less than 1E (hex), 30 (dec) 7218 JB 005C5A00 ; you bet it is, so continue eval!!! Now we've defeated the 30 day time limit. How about getting rid of the nag screen, too? I think we can do that! Clear any existing breakpoints in SoftICE. >BC * Remember earlier we discovered that the nag was being called by the DialogBoxParamA function? Set a breakpoint on this. >BPX DialogBoxParamA Then press Ctrl-D or F5 to run the program. Try to open a file. SoftICE will pop on the DialogBoxParamA function. Press F12 to return from the function. Click on OK on the friendly reminder and you will drop back into SoftICE on the line of code right after the CALL USER32!DialogBoxParamA. I initially thought I could just wipeout this CALL to USER32!DialogBoxParamA. Boy was I wrong! It looked like it worked, but it de-stabilized the program. I guess other funtions call this function from the same place. They load all their setup stuff first, then call it. So, we can't just wipe this call out. So, let's backtrack a little and find out how we got here (who called this). To do this, press F12 again to RETurn to where this call came from. You should see a section of code that looks like this: :00432FAE C20C00 RET 000C 55 PUSH EBP 8BEC MOV EBP, ESP 6A00 PUSH 00 6A00 PUSH 00 FF7518 PUSH DWORD PTR [EBP+18] FF7510 PUSH DWORD PTR [EBP+10] FF750C PUSH DWORD PTR [EBP+0C] FF7508 PUSH DWORD PTR [EBP+08] E824000000 CALL 00432FF0 ; nasty call 5D POP EBP ; F12 brings you here C21400 RET 0014 I tried blasting this call too, but this still isn't the right one. When I got rid of this one, other functions stopped working (ones that needed the dialogbox function, I guess). So, let's keep backtracking. Press F12 again and you should land at a code segment that looks like this: :005C5978 E839D6E6FF CALL 00432FB1 ; nasty call 83F8FF CMP EAX, -01 ; F12 brings you here JNZ 005C5982 ; set to jump Ok, this looks a little easier (and lots cleaner). We don't want to make the CALL 005C5982. We know the conditional jump (JNZ 005C5982) is set to jump. So, let's just change the CALL 00432FB1 into JMP 005C5982 and pad the remaining spaces with INC EAX, NOP, DEC EAX. This makes it a 5 byte for 5 byte code change. So we change: E839D6E6FF CALL 00432FB1 ; nasty call into: EB0D JMP 005C5982 ; no more nasty call 40 INC EAX ; just filling space 90 NOP ; ditto 48 DEC EAX ; ditto You can try this live in SoftICE by placing a breakpoint on the CALL line. Do this using BPX address, where address equals the segment:offset of the instruction line. Or, simply double-click on the line to set the breakpoint. Then press Ctrl-D or F5 to continue running the program. Try to load a file. SoftICE will pop on your breakpoint. Let's assemble in our new instructions. >A ; to assemble in our new instructions >JMP 005C5982 ; let's blow away the call and just move on >INC EAX ; fill the remaining space from the old 5 byte call >NOP ; ditto (but we don't want 3 NOPs in a row) >DEC EAX ; so we INC EAX, DEC EAX and stick a NOP in between >(press ESC) Then press Ctrl-D or F5 to continue running the program. Try to load a file. The file should load, sans nag screen. Cool! Time to transfer our live crack into something more useful and longer lasting. We need to hex edit the ecco32.exe program to replace the bad old instructions with our nice new ones. Nag screen(s): Search for: E839D6E6FF ; was the CALL 00432FB1 Replace with: EB0D409048 ; now INC EAX, NOP, DEC EAX 30 day time limit: Search for: E84EACF2FF662BC6 ; need a long string to be unique Replace with: 33C090 NOTE: Only change the last 3 bytes (662BC6 into 33C090). Leave the rest (E84EACF2FF) alone. That's it for this lesson. Hope this was fun and instructional. Disclaimer: THIS ESSAY IS FOR EDUCATIONAL PURPOSES ONLY. ANY USE, MIS-USE OR ILLEGAL ACTIVITY IS THE SOLE RESPONSIBILITY OF THE READER. GreetZ: Everyone in [Me'97/C4N], PC'97, UCF, fravia and +ORC, Razzia! drlan