There is a crack, a crack in everything. That's how the light gets in.

With the explosive growth of the Internet, travel on the information highway can be slow. Net.Medic helps you recognize and avoid many of the Internet roadblocks by:
    Optimizing your online connections
    Identifying many Internet ailments in seconds
    Tracing the cause of these ailments to their source
    Offering suggestions about how to solve the problems, and whenever possible automatically fixing them.
Net.Medic is an easy-to-use browser companion that animates your online connections and tracks the vital signs of your online activity. It also provides clear and simple reports that can help you transform your online experience.
This is, IMO, a very useful program for anyone with Internet access and well worth buying if you choose to use it beyond its evaluation period. Highly Recommended, so BUY IT!

The one we're interested in is the \Email key, which contains the following values:-

    MAIL_SERVER
    MAIL_SYSTEM
    SERIAL_NUM= "Demo Version"      ;You can place any sequence of numbers here!
    YOUR_EMAIL_ADDRESS=""
    YOUR_NAME= "The Sandman"
    YOUR_PHONE= ""

Interestingly, the programmers, having made the program a 30 day demo, either disabled or took out the serial number checking routines from their program, so now anyone can type any sequence of numbers/characters into the SERIAL_NUM entry and the program will use it without any problem. In order to make good use of this we have to make the program into a fully 'Registered' version first, but at least when we do we won't have to worry about disabling the serial number checking routines because the programmers have already done this for us! Gee thanks guys..:)

Now re-run Net Medic and again try to access the 'Call Log' function via the Window menu option. A nice message box appears telling you that this feature is no longer available.. This now applies to all the features accessible from the menu bar..
Don't change your PC's date back yet; this is the BEST time to *crack* a program, when it's been disabled because you've gone over your evaluation period.. It's now easier for us to see exactly what has been disabled and what we must do to correct this..
At this point we can create a 'Dead Listing' of Net Medic so that we can find out where the text message "The feature you have requested is available only in the retail version" is located, so that we can see how the program knows when the user has gone past his evaluation period...
While in W32Dasm open up the 'String Data Resources' option and locate the text: "The feature you have requested is available only in the retail version"; once found, double click on this text.. You will be taken to this section of code:-
    :0043F273 E8A0BB0400             Call 0048AE18
    :0043F278 8B45E8                 mov eax, dword ptr [ebp-18]
    :0043F27B C645FC01               mov [ebp-04], 01
    :0043F27F 83B8C800000005         cmp dword ptr [eax+000000C8], 00000005
    :0043F286 7550                   jne 0043F2D8             ;jmp if eax+c8 <> 5

    * Reference to String Resource ID=57882: "The feature you have requested is available only in the reta"

    :0043F288 681AE20000             push 0000E21A
Basically, what this code snippet says is that if the value at eax+c8 does NOT equal 5 then the user has full rights to access ALL the reports available within the program. However, should eax+c8 equal 5 then the user has run out of time and the reports are therefore disabled.
Let's now test this out..
Fire up Net Medic, then start up Softice with the Ctrl-D keys pressed together..
Type: bpx messageboxa then x to leave Softice. We should be back in Net Medic.
Make sure you do NOT have a Web Browser open; if so, CLOSE it now.
Right click with your mouse on one of the information panels shown in Net Medic, then select "Snap to Browser".
Softice will now break..
Press 'F11' once, click on the 'OK' button of the messagebox that now appears, then press the 'F10' key THREE TIMES.
Softice should now be telling you that you're in Net Medic's code at:
    :0044835B E89A2A0400             Call 0048ADFA
    :00448360 6A01                   push 00000001
    :00448362 8B0DCC864A00           mov ecx, dword ptr [004A86CC]
    :00448368 E8D30BFCFF             call 00408F40
Now we need to create a new breakpoint on the section of code we suspect prevents us from accessing the reports once our evaluation period has expired.
First, let's clear away any previous Softice breakpoints we may still have active and set a new one:-
    Type bc *
    Type u 43F286
    Type bpx 43F286
    Type x to leave Softice.
Now try to access one of the reports in Net Medic, or any feature that has been disabled by Net Medic.
Softice now breaks on our set breakpoint.
    :0043F27F 83B8C800000005         cmp dword ptr [eax+000000C8], 00000005
    :0043F286 7550                   jne 0043F2D8             ;Our Softice Breakpoint

    * Possible Reference to String Resource ID=57882: "The feature you have requested is available only in the reta"

    :0043F288 681AE20000             push 0000E21A
    :0043F28D 8D4DF0                 lea ecx, dword ptr [ebp-10]
    :0043F290 E88FBB0400             Call 0048AE24
    :0043F295 57                     push edi
    :0043F296 8B45F0                 mov eax, dword ptr [ebp-10]
    :0043F299 50                     push eax
    :0043F29A 8D4DEC                 lea ecx, dword ptr [ebp-14]
    :0043F29D 51                     push ecx
    :0043F29E E82FBC0400             Call 0048AED2
    :0043F2A3 83C40C                 add esp, 0000000C
    :0043F2A6 8B4DEC                 mov ecx, dword ptr [ebp-14]
    :0043F2A9 6A41                   push 00000041
    :0043F2AB 68E0954A00             push 004A95E0
    :0043F2B0 51                     push ecx
    :0043F2B1 56                     push esi
    :0043F2B2 FF15B4D64A00           Call USER32.MessageBoxA  ;Display message
    :0043F2B8 83F801                 cmp eax, 00000001        ;User pressed OK?
    :0043F2BB 753F                   jne 0043F2FC             ;No? then jump
    :0043F2BD E87E01FEFF             call 0041F440            ;else give extra 30 days
    :0043F2C2 8B45E8                 mov eax, dword ptr [ebp-18]
    :0043F2C5 C745E401000000         mov [ebp-1C], 00000001   ;tell rest of program
    :0043F2CC C780C800000001000000   mov dword ptr [eax+000000C8], 00000001
    :0043F2D6 EB24                   jmp 0043F2FC
OK, if we now type r eip=43F288 you'll see Softice ignore this jump and highlight the next line below the jne 0043F2D8 instruction. Now press the x key to leave Softice..
Now the program asks us if we want 30 more days to evaluate Net Medic! If we wanted to know how to keep the program alive after each 30 day period then this is how we would do it. However, this is NOT what we want to do; we want everything the program has to offer when running as a fully registered copy, so click on the CANCEL button.
Now once more try to access one of the disabled reports or features..
Softice once more breaks on our single breakpoint.
If you take a closer look at the lines of code below our single breakpoint you might notice that after the messagebox call there is a conditional jump instruction, and after that three lines of code that place a value of '1' into two memory locations. Think about it.. When we skipped over that jne 0043F2D8 instruction the program gave us the option to evaluate this software for a further 30 days; we could choose either the 'OK' or 'CANCEL' button.
So here's where we want the conditional jump that Softice breaks on to jump to, which will then skip over the message that the program shows and go straight into telling the rest of the program that we have full access to all the functions within the program..:)
    :0043F27F 83B8C800000005         cmp dword ptr [eax+000000C8], 00000005
    :0043F286 EB35                   jmp 0043F2BD             ;Automatically enable ALL Reports
Is that it now?..
Well no, not really, because if you select the 'About' screen you'll see some ugly looking Shareware type messages regarding the 30 day trial period, and where your serial number goes is the text "Demo Version". Yuck!..
It's time to go back to our Dead Listing again..
Search for the text "Your advanced feature trial license has expired."
Once you've found this location take a look a dozen or so lines above this text message and you will see the following code snippet:-
    :00406A13 83F801                 cmp eax, 00000001
    :00406A16 0F8555020000           jne 00406C71             ;Shareware mode? then jump
    :00406A1C E87F870100             call 0041F1A0
    :00406A21 8BF8                   mov edi, eax
    :00406A23 8D4DC4                 lea ecx, dword ptr [ebp-3C]
    :00406A26 E8ED430800             Call 0048AE18
    :00406A2B C645FC03               mov [ebp-04], 03
    :00406A2F 837DD800               cmp dword ptr [ebp-28], 00000000
    :00406A33 0F8452010000           je 00406B8B              ;Shareware mode? then jump
    :00406A39 83FF01                 cmp edi, 00000001
If you were *cracking* this yourself without help from an essay such as this then you would be testing this section of code to see how it works and what conditions make those two conditional jumps 'active'. However, since I've already done this for you I can tell you that we need to patch BOTH jumps in order that the About screen behaves just like in the registered version of Net Medic.
Here's what the above section of code SHOULD look like after we've patched it..
    :00406A13 83F801                 cmp eax, 00000001
    :00406A16 0F8500000000           jnz 00406A1C             ;Jump to the next line instead of
                                                              ;to the shareware message routine!
    :00406A1C E87F870100             call 0041F1A0
    :00406A21 8BF8                   mov edi, eax
    :00406A23 8D4DC4                 lea ecx, dword ptr [ebp-3C]
    :00406A26 E8ED430800             Call 0048AE18
    :00406A2B C645FC03               mov [ebp-04], 03
    :00406A2F 837DD800               cmp dword ptr [ebp-28], 00000000
    :00406A33 E953010000             jmp 00406B8B             ;Always jump away from showing days
                                                              ;remaining.
    :00406A39 83FF01                 cmp edi, 00000001
Job Done.

2. Change the text from "Demo Version" to anything that 'looks' like a serial No.
3. Close REG-EDIT.
4. Load up netmedic.exe into your favorite Hex-Editor (I prefer HexWorkshop-32) but just about any hex editor will do..
5. SEARCH FOR THE FOLLOWING BYTES : 057550681AE20000
   REPLACE WITH THE FOLLOWING BYTES : 05EB35681AE20000
6. SEARCH FOR THE FOLLOWING BYTES : 0F8555020000E87F
   REPLACE WITH THE FOLLOWING BYTES : 0F8500000000E87F
7. SEARCH FOR THE FOLLOWING BYTES : 0F845201000083FF
   REPLACE WITH THE FOLLOWING BYTES : E9530100009083FF
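The three byte substitutions above are exactly the kind of fixed-offset edit a file integrity check is built to catch. The following Python script is an added example, not part of this essay and not the vendor's code: it classifies a binary image as carrying the original or the patched sequence at each of the three sites (so an administrator or the vendor can tell a tampered netmedic.exe from a clean one), and separately compares the whole image's SHA-256 against a recorded known-good digest, which also catches edits the three patterns would miss. Only the byte strings are taken from the page; the site names, the function names and the sample image it scans are this example's own assumptions, and the sample image is constructed inline.

```python
import hashlib

# Original and patched byte sequences for the three hex-edit sites in the
# essay. The bytes are taken from the page; the site names are this example's own.
PATCH_SITES = {
    "reports_gate": (bytes.fromhex("057550681AE20000"),
                     bytes.fromhex("05EB35681AE20000")),
    "about_jne":    (bytes.fromhex("0F8555020000E87F"),
                     bytes.fromhex("0F8500000000E87F")),
    "about_je":     (bytes.fromhex("0F845201000083FF"),
                     bytes.fromhex("E9530100009083FF")),
}


def classify_sites(image: bytes) -> dict:
    """For each site report 'original', 'patched', 'both' or 'absent'.

    'absent' means neither sequence occurs (a different build, or a different
    edit at that spot); 'both' can only happen when a sequence also appears
    elsewhere in the image and deserves a manual look.
    """
    report = {}
    for name, (original, patched) in PATCH_SITES.items():
        has_original = original in image
        has_patched = patched in image
        if has_original and has_patched:
            report[name] = "both"
        elif has_original:
            report[name] = "original"
        elif has_patched:
            report[name] = "patched"
        else:
            report[name] = "absent"
    return report


def is_tampered(image: bytes) -> bool:
    """True when any site shows the patched sequence."""
    return any(state in ("patched", "both")
               for state in classify_sites(image).values())


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def matches_known_good(image: bytes, known_good_hex: str) -> bool:
    """Whole-file check against a digest recorded from a trusted copy."""
    return sha256_hex(image) == known_good_hex


def build_sample_image(patched: bool) -> bytes:
    """Constructed stand-in for netmedic.exe: NOP filler around each site."""
    filler = b"\x90" * 32
    parts = [filler]
    for original, patched_bytes in PATCH_SITES.values():
        parts.append(patched_bytes if patched else original)
        parts.append(filler)
    return b"".join(parts)


def scan_file(path: str, known_good_hex: str = None) -> dict:
    """Scan a file on disk; returns per-site states, a tamper flag and,
    when a known-good digest is supplied, the hash verdict."""
    with open(path, "rb") as fh:
        image = fh.read()
    result = {"sites": classify_sites(image), "tampered": is_tampered(image)}
    if known_good_hex is not None:
        result["hash_ok"] = matches_known_good(image, known_good_hex)
    return result


if __name__ == "__main__":
    clean = build_sample_image(patched=False)
    baseline = sha256_hex(clean)   # stands in for a digest recorded at install time
    for label, image in (("clean", clean), ("patched", build_sample_image(patched=True))):
        print(label, classify_sites(image),
              "tampered=%s" % is_tampered(image),
              "hash_ok=%s" % matches_known_good(image, baseline))
```

The pattern check and the hash check answer different questions: the patterns say which known edit was applied, while the digest says only that something changed. In practice a vendor would record the digest of the shipped executable and run `scan_file` against the installed copy; the pattern report is what tells support staff which of the three jumps was rewritten.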