Symantec Visual Café trial version 1.0 (1997)
Most stupid protection
by A+heist, November 1997

Here you go with a very silly protection scheme on a very interesting target, which you can have almost for nothing, since in the last months it has been published on many magazine CD-ROMs. I'm lazy, and I'll crack this very quickly :)

A small explanation for all those that would like to begin their Java career: Symantec Visual Café Pro, Borland JBuilder, Lotus BeanMachine, SunSoft JDK freeware and SunSoft JavaStudio (with JavaStar, JavaScope and JavaSpec) are considered the best developer tools around. Micro$oft's J++ is NOT considered a good tool (besides: it's good netiquette to avoid any Micro$oft product independently of its intrinsic value, for reasons that should be obvious to the readers of the essays).

Our target, Visual Café (Trial version 1.0, 1997), is only an update of the 1996 kit. You'll crack it here and use it to 'get the feeling', then you'll switch to Visual Café Pro; let's hope that Symantec will soon release that as well with another silly protection scheme. The nice thing about our target is that you get the Sun JDK 1.02 INSIDE it, and that it carries all the necessary Java API help files within :)

OK, let's crack this together in less than one minute!

- start target,
- run target,
- set time to 1999: "Your trial version has expired",
- back to now: works again (no sticky flag is set, then: a really easy one)
- Fine-tuning the OS date you will notice a MsgBox saying that "you have only 4/3/2/1 day(s) left"
- Disassemble target, get dead listing
- Search inside your editor...
Here you are:

:Conditional jump here from 004126BD
:004126F2 68AC454A00      push 004A45AC                 ;->".java"
:004126F7 8D8DE4F6FFFF    lea ecx, dword ptr [ebp+FFFFF6E4]
:004126FD E832A10500      call 0046C834
:00412702 8D8DE4F6FFFF    lea ecx, dword ptr [ebp+FFFFF6E4]
:00412708 E877A30500      call 0046CA84                 ;get days left
:0041270D 89C3            mov ebx, eax                  ;save days left
:0041270F 83F8FF          cmp eax, FFFFFFFF             ;check days left
:00412712 7404            je 00412718                   ;-1 = beggar off
:00412714 85DB            test ebx, ebx                 ;0 = beggar off
:00412716 7533            jne 0041274B                  ;else check how many
:beggar_off
:00412718 6AFF            push FFFFFFFF
:0041271A 6A00            push 00000000
:0041271C 6821290000      push 00002921                 ;"Your trial version has expired"
:00412721 E8C6EB0800      Call 004A12EC                 ;SFC42.SFC42:NoName0537
:00412726 C745FCFFFFFFFF  mov [ebp-04], FFFFFFFF
:0041272D 8D8DB0F6FFFF    lea ecx, dword ptr [ebp+FFFFF6B0]
:00412733 E86AED0800      Call 004A14A2                 ;SFC42.SFC42:NoName0610
:00412738 31C0            xor eax, eax                  ;eax=FALSE
:0041273A 8B4DF4          mov ecx, dword ptr [ebp-0C]
:0041273D 64890D00000000  mov dword ptr fs:[00000000], ecx
... pop all
:0041274A C3              ret                           ;expired, beggar off
:from 00412716(C)                                       ;not expired: how many days left?
:0041274B 83FB05          cmp ebx, 5                    ;d'you have 5?
:0041274E 7D5E            jge 004127AE                  ;more than 4: go and use it
:00412750 8D8DF8F7FFFF    lea ecx, dword ptr [ebp+FFFFF7F8]
:00412756 E829ED0800      Call 004A1484                 ;SFC42.SFC42:NoName0605
... irrelevant code
:00412777 50              push eax
:00412778 6820290000      push 00002920                 ;"You have only %1 days left in your trial period."
:0041277D 8D85F8F7FFFF    lea eax, dword ptr [ebp+FFFFF7F8]
... irrelevant code
:004127AB 83C40C          add esp, 0000000C
:from 0041274E(C), 5 or more days left
:004127AE 8D8D08F8FFFF    lea ecx, dword ptr [ebp+FFFFF808]
...happy work, good nice cracker

Well, I don't believe you need anything at all more than this.
I have done the following: I have substituted the FIRST check of the days left:

:0041270F 83F8FF          cmp eax, FFFFFFFF             ;check days left
:00412712 7404            je 00412718                   ;-1 = beggar off

with a 'fixed' day_left value greater than 4:

:0041270F BB07000000      mov ebx, 00000007             ;7 days left eternally!

And that's all, of course: now our target will 'believe' for eternity that we still have a week of trial left. Why 7 days and not many more? Because

1) 7 is enough to avoid any nag screen
2) +ORC said somewhere something like 'never never maximize our patching values uselessly', and I'm a good student :)

We can now use this for a long while... yet there is another protection scheme (sort of :) inside:

:nobody seems to call this snippet
:00416627 6AFF            push FFFFFFFF
:00416629 6A00            push 00000000
* Possible Reference to String Resource ID=10530: "This function is not allowed in the trial version."
|
:0041662B 6822290000      push 00002922
* Reference To: SFC42.SFC42:NoName0537, Ord:04AFh
|
:00416630 E8B7AC0800      Call 004A12EC
:00416635 C3              ret

This corresponds to the 'Live Update' option in the help menu, and does not seem to me to be particularly important. If you wanna crack this, you'll need to fire up SoftICE.

So that's it, hope you'll enjoy Java, I believe we need many more crackers (and especially +crackers) on this :)

Enjoy!
A+heist 1997
(c) A+heist 1997. All rights reversed
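
The clock test in the essay (set the date to 1999, then back) succeeds because the target keeps no sticky flag. As an added example, not code from Visual Café or from the essay, this is a trial check that keeps a clock high-water mark and a sticky expired flag, so setting the date back does not revive the trial. The 30-day length, the struct layout and the timestamps are assumptions, and it addresses the clock rollback only, not the patched comparison.

```c
#include <stdint.h>
#include <stdio.h>

#define TRIAL_DAYS  30          /* assumed trial length; the essay does not state it */
#define DAY_SECONDS 86400LL
#define TOLERANCE   DAY_SECONDS /* accept small clock corrections (DST, resync) */

/* Hypothetical persisted record; store it where a plain clock change cannot reset it. */
struct trial_state {
    int64_t first_run;  /* time of first launch, 0 = trial not started */
    int64_t last_seen;  /* highest clock value observed so far */
    int     expired;    /* sticky flag: set once, never cleared */
};

/* Returns days left (>= 1), or -1 once the trial is over.
 * Updates *st; the caller writes it back to storage after every call. */
int trial_days_left(struct trial_state *st, int64_t now)
{
    if (st->expired)
        return -1;                      /* sticky: the clock is not consulted again */
    if (st->first_run == 0)
        st->first_run = st->last_seen = now;
    if (now + TOLERANCE < st->last_seen) {
        st->expired = 1;                /* clock moved behind the high-water mark */
        return -1;
    }
    if (now > st->last_seen)
        st->last_seen = now;
    int64_t used = (st->last_seen - st->first_run) / DAY_SECONDS;
    if (used >= TRIAL_DAYS) {
        st->expired = 1;
        return -1;
    }
    return (int)(TRIAL_DAYS - used);
}

/* Replays the essay's clock test on constructed timestamps:
 * Nov 1997, forward to 1 Jan 1999, back to Nov 1997. Returns the last result. */
int replay_clock_test(void)
{
    struct trial_state st = {0, 0, 0};
    trial_days_left(&st, 878342400LL);          /* first run: 30 days left */
    trial_days_left(&st, 915148800LL);          /* clock set to 1999: expired */
    return trial_days_left(&st, 878428800LL);   /* clock set back: still -1 */
}

int main(void)
{
    printf("after rollback: %d\n", replay_clock_test());
    return 0;
}
```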