Each time you run this program your greeted with the 'About Screen', which also displays the number of days left of your evaluation period.
 
On successful installation the program creates the following entries in your System registry file:-

HKEY_CURRENT_USER\Software\iWin Software\SAFEINSTALL\Settings

HKEY_CURRENT_USER\Software\iWin Software\SAFEINSTALL\Registration

Organization = Your Win'95 default value for Organisation.
Serial               = Trial
User                =   Your Name/Handle
 
The program also creates a file (52 bytes long) called Safeinstall.dat in the same directory as the program itself with the follow information.
 
FFFF000010004353616665496E7374616C6C4461746100000000
*** Values might be different on your pc ***

If you delete this file then the program will then  'think' you've used up all your 21 days evaluation period.
 

The Essay

     
For this essay we will need to create a 'Dead Listing' of this program using our old favorite W32Dasm.

Once created, open up the program's String Data Resources' and check out where all the 'Shareware' type messages are, in particular, those messages that deal with 'how many days the User has left', since it will be around these messages that the program has to access the memory location where it stores exactly how many days the User has left to evaluate this program..
 
Since their are quite a few references to this type of message lets try and narrow down our criteria a little further.  OK, if you've run this program several times then you'll know that the program accesses the 'Days left to evaluate this software' every time it is run, where it shows the 'About' Screen and since we're *crackers* we can visualize that the registered program will also display the 'About' Screen but without the 'Days left to evaluate this software' message. Now, because this section of the program is run FIRST, it makes sense to attack this section of code, so that the rest of the program will run as normal, just like the registered version in fact. See where I'm going here?.

Right, while still in W32Dasm search for the following text string:-
 
"You have %d days left in the trial."
 
 

:004013B2 0F8E82000000     jle 0040143A ;Jump if program has already
                                         ;already been run.

:004013B8 DB44243C         fild dword ptr [esp+3C]
:004013BC 6A01             push 00000001
:004013BE 8BCE             mov ecx, esi
:004013C0 DA742420         ffidiv dword ptr [esp+20]
 
.. Snip .....  Snip
.....
..
.
* Referenced by a (C)onditional Jump at Address :004013B2(C)
 
:0040143A B80000803F       mov eax, 3F800000
:0040143F 8986A0000000     mov dword ptr [esi+000000A0], eax
:00401445 89869C000000     mov dword ptr [esi+0000009C], eax
:0040144B 8B86B8000000     mov eax, dword ptr [esi+000000B8];eax =days left
:00401451 85C0             test eax, eax ;eax =0?
:00401453 7520             jne 00401475  ;No? then check if eax=1 (days=1)
 
:00401455 50               push eax      ;else times up.
:00401456 6A01             push 00000001
:00401458 8BCE             mov ecx, esi
:0040145A E80D650200       call 0042796C
:0040145F 8BC8             mov ecx, eax
:00401461 E870670200       call 00427BD6
:00401466 6A2E             push 0000002E ;"Your Trial has Expired!" 
:00401468 8D8EB4000000     lea ecx, dword ptr [esi+000000B4]
:0040146E E841750200       call 004289B4
:00401473 EB26             jmp 0040149B 
 
:00401475 83F801           cmp eax, 00000001 ;eax=1 (days=1) ??
:00401478 750F             jne 00401489  ;No? then see how many days left.
:0040147A 6A2F             push 0000002F ;="You only have 1 day left!"
:0040147C 8D8EB4000000     lea ecx, dword ptr [esi+000000B4]
:00401482 E82D750200       call 004289B4
:00401487 EB12             jmp 0040149B
 

:00401489 50               push eax ;Come here to display days left...
:0040148A 8D86B4000000     lea eax, dword ptr [esi+000000B4]

* Reference to String Resource ID=00048: "You have %d days left in the trial."
 
:00401490 6A30             push 00000030
:00401492 50               push eax
:00401493 E8ED180200       call 00422D85
:00401498 83C40C           add esp, 0000000C
:0040149B 8B4E1C           mov ecx, dword ptr [esi+1C]
:0040149E 6A00             push 00000000
:004014A0 68F4010000       push 000001F4
:004014A5 6A19             push 00000019
:004014A7 51               push ecx
:004014A8 FF153C954300     Call USER32.SetTimer
:004014AE 8986BC000000     mov dword ptr [esi+000000BC], eax
:004014B4 5F               pop edi ;restore register values then exit
:004014B5 5E               pop esi
:004014B6 5D               pop ebp
:004014B7 B801000000       mov eax, 00000001
:004014BC 5B               pop ebx
:004014BD 83C434           add esp, 00000034
:004014C0 C3               ret

Once you've found the string: "You have %d days left in the trial." you'll see that this section of code handles just about everything from display the number of days remaining to the text message informing you that your 21 days trial period has expired.
 
Looking at this section of code we can make some 'educated' guesses based on our observations. For instance, we can assume that once the program reaches this particualar section of code it has already processed the user's Organisation and Name details that will get displayed in the 'About' Screen so all that the program then has to do is to work out how many days if any, are left to the User and to display the relevant message at the bottom of the 'About' Screen.  We can't be sure at this stage wether or not the program also decreases the 'Trail days left' value but it seems likely.
 
When I first saw this section of code, having found the message "You have %d days left...." message I immediately scrolled up the code listing until I found the FIRST conditional jump statement that came BEFORE the first check that the program does to see wether or not all our 'Trail Days' has been used up.

Remember, it makes SENSE to check for the User using all his evaluation days up BEFORE spending time working out how many he has left!.. No point spending time to work out if he/she has 5 days left if he/she has already used them up!.
 
If all that made sense then lets continue..
 
OK, the first conditional jump I found was at memory offset: 004013B2, which simply jumps if the program has already been run, if not then it creates the safeinstall.dat file and gives the User his 21 days free evaluation period.

Below this jump are the three checks the program makes before it can display anything:

1.  If days left = 0 then display "Your trial has expired"
2.  If days left =1 then display "You have only 1 day left!"
3.  If days >1 then display remaining days left to the User.

If you look closer at each checking stage then you'll notice they all finish with Call then a jmp 0040149B instruction that then goes onto setting storing the results in the eax register from executing the  SetTimer system function into a memory location at [esi+000000BC]. We don't need to concern ourselves why this is happening, but the few lines of code after this procedure does concern us.
 
Look!, once the program has completed it's three checks it then stores a value into a pre-determined memory location after calling the system function SetTimer THEN restores the registers back to their original values before it started these program checks then exits this routine.

Here's that sequence of instructions that restore the program's registers before it exits this routine:-

:004014B4 5F               pop edi ;restore register values then exit
:004014B5 5E               pop esi
:004014B6 5D               pop ebp
:004014B7 B801000000       mov eax, 00000001
:004014BC 5B               pop ebx
:004014BD 83C434           add esp, 00000034
:004014C0 C3               ret     ;Registers restored, exit this routine.
 
So what's to stop us from bypassing these three program checks on our 'Trial days left'  variable and send the program directly to these sequence of assembly instructions that restores the pc's registers before exiting!

We can therefore alter our FIRST conditional jump instruction to do this!:

BEFORE:

:004013B2 0F8E82000000     jle 0040143A ;Jump if program has already
                                         ;already been run.

:004013B8 DB44243C         fild dword ptr [esp+3C]
:004013BC 6A01             push 00000001
:004013BE 8BCE             mov ecx, esi
:004013C0 DA742420         ffidiv dword ptr [esp+20]
 

AFTER:
 
:004013B2 0F8EFC000000     jle 004014B4 ;Jump over ALL program checks if
                                         ;program has already been run.

:004013B8 DB44243C         fild dword ptr [esp+3C]
:004013BC 6A01             push 00000001
:004013BE 8BCE             mov ecx, esi
:004013C0 DA742420         ffidiv dword ptr [esp+20]
 

We don't have to worry about wether this jump [ jle 004014B4] is not 'set' the first time we run this program because if that happens we will be given 21 days free trial period then after that it will then always carry on as though it is running in 'Registered Mode'. This is a good thing because this allows the safeinstall.dat file to be created and if the program then expects this to be present when run it a second or third time etc then it will always find it.
 
Job Done.
 

The Patches

     
Load up safeinstall.exe into your favorite Hex-Editor ( I prefer hexWorkshop-32) but just about any Hex-Editor will do..
 
SEARCH FOR THE FOLLOWING BYTES : 3BD10F8E82000000
REPLACE WITH HIGHLIGHTED BYTES : 3BD10F8EFC000000
 
Then...

Open up your RegEdit Win'95 utility go into this registry Key:

HKEY_CURRENT_USER\Software\iWin Software\SAFEINSTALL\Registration

Once found, change the User ="Trail' to something like: User ="1234-987654-4321"

This new 'serial number' will then show up in SafeInstall each time it is run and because this program is a demo, the programmers didn't bother inserting any routines to check the validity of this *fake* serial number so we can put what ever we like in here!.
 

Ripping off software through serials and cracks is for lamers..
 
If your looking for cracks or serial numbers from these pages then your wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.