123 ZIP! v2.0 & DropConvert v2.2 - Tutorial

http://www.atlastitan.com - (123ZIP! v2.0).
http://members.ozemail.com.au/~launch/ - (DropConvert v2.2).

Welcome once again. I'm going to use this tutorial to highlight another protection commonly used by software authors, the 'limited trial run'. In the case of 123 ZIP! we are restricted to only 25 uses of the application before it 'disables' itself, or in this case displays a polite message box saying Expired. Let's launch the program and note the message box which politely informs you how many times you have run the application; just relaunch the program a few times to get a feel for what is going on.

The zen approach here (as with time trials) would be to feel how this code might be implemented (19h = 25 dec), and maybe sniff with the HEX editor for some likely bytes; however, in this case a disassembly is most likely your best approach (I hope you remembered the text in that message box). You should easily locate this code inside W32Dasm.

:0045B6BA INC EBX <-- Counter of some description.
:0045B6BB CMP EBX,06 <-- Compare counter variable.
:0045B6BE JNZ 0045B546 <-- Loop.
:0045B6C4 CMP BYTE PTR [004628D4],00 <-- Check_1st_time_program_run.
:0045B6CB JZ 0045B7D9 <-- Jump_1st_time_run.
:0045B6D1 CMP DWORD PTR [004628D8],1A <-- Check_times_run (1A = 26dec).
:0045B6D8 JGE 0045B72A <-- Jump_bad_guy.
:0045B6DA PUSH 00000000 <-- Continue_and_display_nag_box.
.....
:0045B720 CALL 0043D380 <-- Tell_user_how_many_times_program_has_been_run.
:0045B725 JMP 0045B7D9 <-- Launch_program.

In this scheme you should easily see our 2 important flags: 004628D4 decides whether this is the program's first run, whereas 004628D8 holds the number of times the program has been run. Note that the program compares the number of times run with 26 decimal, a minor trick to fool our HEX searching. You should be able to see many ways of beating this scheme. You could, for example, settle for increasing 1A (26) to say FF (255); that's a fairly weak change but may help you fully evaluate the program. Or you could NOP away the JGE 0045B72A, which would beat the 26-run check altogether, or maybe you could force the JZ 0045B7D9 into a JMP.

Make whichever patch serves you best. As a cosmetic change you may also like to remove the message box that appears while you are still evaluating; although I'd advise locating the precise API responsible for displaying this nag, it would seem that you can safely NOP away the entire function call 0043D380. Should you feel so inclined, NOP away the same call for first-time users also.

Most 'run time limit' schemes are similar in operation to this one, and they are usually fairly weak counters held at a fixed location (although sometimes programs may increment a counter hidden inside the program file itself or a DLL). You should pay particular attention to locations being used as flags, as these can be potentially malicious, and be very sure to check that there isn't a mirror location checking the same flag.

Well here's how I patched the program.

83 3D D8 28 46 00 1A 7D 50 <-- CMP DWORD PTR [004628D8],1A - JGE 0045B72A
83 3D D8 28 46 00 FF 40 48 <-- Increase compare from 1A to FF and INC EAX, DEC EAX.

E8 5B 1C FE FF <-- CALL 0043D380 (display message box).
40 48 90 40 48 <-- Do absolutely nothing.

DropConvert v2.2

Another time-trial, but this time I'll introduce you to some real 'zen' fast cracking. For this protection we won't even bother using SoftICE or a disassembler; in fact we won't even bother moving the BIOS clock (maybe just to verify our theory), because in most of these protections you can feel the code. DropConvert allows us a 30-day trial (from the documentation), so let's just think about how a lazy programmer might check this, or how it might look in assembly, perhaps something like this:

CMP DWORD PTR register, 1E <-- 1E of course is 30 days.
JLE/JGE address <-- Most likely these conditional jumps.

So let's think in terms of opcodes: we have 83 for CMP, only several likely register options (when you've seen lots of time-trials you'll begin to feel which registers are used more commonly), then 1E for the 30 days and either 7E (JLE) or 7D (JGE) for the conditional jump.

So let's grab our HEX editor and perform a little searching. I'll cut to the chase and tell you to look for 83 38 1E 7E; that's a CMP DWORD PTR [EAX],1E followed by a JLE. Incredibly, the only location you'll find performs this exact comparison. Immediately this location feels as if it must be our time-trial check.

I would advise verifying this approach. Let's make the JLE (7E 33) that we've found into an unconditional jump (EB 33); now let's see if the program will ever expire (see below). As a project you might like to try replacing all of the nasty 'Shareware' and 'Unregistered' strings contained in the program executable. I had some success with the title bar and About box with my HEX editor, just overwriting with 20h, but be careful with your editing.

Verification

Well, I did move my BIOS date forward, and although DropConvert did successfully start I did receive a message box, which looks like a standard call anyhow. That however is easily fixed by changing the following instruction:

:00445B1F JLE 00445B52 <-- Fix this to jump or change the instruction before.

7E 31 68 24 5D 44 00 8D
EB 31 68 24 5D 44 00 8D
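To check the listings and byte patches above (both the 123 ZIP! ones and the DropConvert ones) without a disassembler, here is the address arithmetic behind the opcodes the tutorial quotes. This is an added example in Python, not code from the tutorial; the addresses and bytes are the ones given above, except the six-byte JZ encoding, which is reconstructed from the listing's addresses.

```python
# Added example, not code from the original tutorial: the address arithmetic
# behind the opcode bytes quoted above, so the listings and byte patches can
# be checked without W32Dasm. Addresses and bytes are the tutorial's own.

JCC = {0x74: "JZ", 0x75: "JNZ", 0x7D: "JGE", 0x7E: "JLE"}  # the ones on this page
REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]


def sign_extend(value: int, bits: int) -> int:
    """Interpret an unsigned field of `bits` width as two's complement."""
    return value - (1 << bits) if value >= 1 << (bits - 1) else value


def decode_branch(addr: int, code: bytes):
    """Decode a relative branch/call located at `addr`: Jcc rel8 (7x),
    JMP rel8 (EB), CALL rel32 (E8) and Jcc rel32 (0F 8x).  The target is the
    address of the NEXT instruction plus the signed displacement, which is
    why a byte patch must keep the instruction length (the 5-byte CALL above
    is replaced by 5 bytes, 40 48 90 40 48) or every later target shifts.
    40/48 (INC/DEC EAX) leave EAX unchanged but, unlike 90 NOP, write flags."""
    op = code[0]
    if op == 0xE8:
        mnem, length = "CALL", 5
        disp = sign_extend(int.from_bytes(code[1:5], "little"), 32)
    elif op == 0xEB:
        mnem, length, disp = "JMP", 2, sign_extend(code[1], 8)
    elif 0x70 <= op <= 0x7F:
        mnem, length, disp = JCC.get(op, "Jcc"), 2, sign_extend(code[1], 8)
    elif op == 0x0F and 0x80 <= code[1] <= 0x8F:
        mnem, length = JCC.get(code[1] - 0x10, "Jcc"), 6
        disp = sign_extend(int.from_bytes(code[2:6], "little"), 32)
    else:
        raise ValueError(f"not a branch opcode: {op:02X}")
    return mnem, (addr + length + disp) & 0xFFFFFFFF


def decode_cmp_imm8(code: bytes):
    """Decode 83 /7 ib = CMP r/m32, imm8 (mod=00 forms only, no SIB), as in
    83 3D ... 1A and 83 38 1E above.  The CPU SIGN-extends the imm8, so the
    'FF' patch mentioned above compares the run counter against -1, not 255."""
    op, modrm = code[0], code[1]
    if op != 0x83 or (modrm >> 3) & 7 != 7 or modrm >> 6 != 0 or modrm & 7 == 4:
        raise ValueError("not a CMP r/m32, imm8 form handled by this example")
    if modrm & 7 == 5:                      # mod=00 rm=101 -> absolute [disp32]
        operand = f"[{int.from_bytes(code[2:6], 'little'):08X}]"
        imm = code[6]
    else:                                   # mod=00 -> [base register]
        operand = f"[{REG32[modrm & 7]}]"
        imm = code[2]
    return operand, sign_extend(imm, 8)
```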

Software authors please take note. This is a very poor way to implement a date check, even for just $20 of shareware. As a final note, this program is in my opinion worth its registration fee, so if you use it take the time to support the author. I don't use it so won't be registering my copy.




© 1998,1999,2000 CrackZ. 6th & 26th June 1998.