FREE SPACE 1.0 crack
by NiKai


Well, here we are. This is the first essay I got... I hope others will be added in the future :) Well, to tell you the truth, this should not be considered an essay, because NiKai here doesn't explain HOW he reached the "hot" places and WHY he changed the code in that way... on the other side, this text isn't intended as a ready crack; you should work on it and try to understand how the program works and why this crack works... well, at least I HOPE it works O:-)) This is also a good chance for you: if you explain to me how this crack works and send me another solution to this problem, I'll publish your tute, plus another NEW one :)


Target: Free Space 1.0
Protection: 30-day-trial

Tools:
Wdasm8.9
Softice 3.01

For this program I had to patch 2 programs: Frespace.exe and fs32.exe.
Both have self-modifying code (I suspect).

First, Frespace.exe:

* Reference To: KERNEL32.CloseHandle, Ord:0018h
                                  |
:00406A28 FF1538544200            Call dword ptr [00425438]
:00406A2E 8B84247C010000          mov eax, dword ptr [esp+0000017C]
:00406A35 50                      push eax
:00406A36 FF15F8254100            call dword ptr [004125F8]; *here

I replaced this call at 406a36 with a "call 404770" (the original code):

* Referenced by a CALL at Address:
|:0040219D   
|
:00404770 8B442404                mov eax, dword ptr [esp+04]
:00404774 83EC70                  sub esp, 00000070
:00404777 89442408                mov dword ptr [esp+08], eax
:0040477B 53                      push ebx
:0040477C 56                      push esi
:0040477D 57                      push edi
:0040477E 8BB42484000000          mov esi, dword ptr [esp+00000084]
:00404785 55                      push ebp
:00404786 56                      push esi

Second, fs32.exe:

* Reference To: KERNEL32.CloseHandle, Ord:0018h
                                  |
:00404AC4 FF1548034100            Call dword ptr [00410348]
:00404ACA 8B842480010000          mov eax, dword ptr [esp+00000180]
:00404AD1 50                      push eax
:00404AD2 FF1568D24000            call dword ptr [0040D268]; *here

I replaced this call at 404ad2 with a "call 408540" (the original code):

* Referenced by a CALL at Address:
|:00408130   
|
:00408540 8B442404                mov eax, dword ptr [esp+04]
:00408544 83EC10                  sub esp, 00000010
:00408547 3B05D0F84000            cmp eax, dword ptr [0040F8D0]
:0040854D 53                      push ebx
:0040854E 56                      push esi
:0040854F 57                      push edi
:00408550 55                      push ebp

That's all.

NiKai


(c) NiKai 1998. WARNING: this tutorial is published for EDUCATIONAL PURPOSES only! Nobody except you is responsible for what you do with the things you read here. Also, if you intend to use shareware programs for a period longer than the allowed one remember that you have to BUY them!