http://home.flash.net/~jmosier/ - Webpage (1.13MB).
It seems a long time since I wrote a tutorial, but I'm back with a vengeance with another time-trial. In fact FileNotes provides an interesting target, a 45 day trial may look trivial but we also have some interesting string references which begs the question as to how much this time-trial is really the full version crippled in a hurry. I'll start with fnmon.exe, the theory being that once I reverse that, fnexp.exe should easily follow. The opening message box is unsurprisingly created with MessageBoxA (address 004028E1), tracing back the code leads to this seemingly obvious code snippet.
:00402865 SUB ECX,EDX <-- Sub days evaluated from
:00402867 CMP ECX, 2D <-- Compare ECX with 2D (45 days).
:0040286A MOV DWORD PTR , ECX <-- Set the memory pointer.
:00402870 JG 004028A0 <-- Jump_time_expired.
:00402872 CMP ECX,EBX <-- Check ECX against EBX.
:00402874 JL 004028A0 <-- Jump_time_expired.
This code is obviously interesting, in fact just muse through the earlier code in the function. Note C22E4507h, (that looks almost certainly like some sort of default, which of course it is). Beneath CALL 00404370 the program uses our standard GetLocalTime, GetSystemTime, GetTimeZoneInformation API's to retrieve the date and then fixes those results with arithmetic. The JL filters out those BIOS cheaters. Obviously its desirable to patch this code so that the time-trial never activates and also disable the message box.
I elected to replace the SUB ECX,EDX with an XOR ECX,ECX and also kill the 2 critical jumps, note that the CMP ECX,EBX is also unnecessary (for patching etiquette you might like to ensure that EDX is MOVed to a value which indicates time left (say 28D9h). In theory, this means that the time used is never subtracted from ECX, and also that EDX is MOVed to a value which we know is desirable. Fixing the message box is a much simpler affair, remember to correct the stack by 10. Note: It may well be desirable to fix EAX as well.
We move now to the application. Clicking the program icon from the taskbar displays another Unregistered string (created with MessageBoxA). In fact its easy to fix this by just hacking the fnmon.exe with a HEX editor, though I suspect it is also possible to force the code to the correct string, note how all the references are null-terminated if you HEX edit. Moving on to fnexp.exe, it seems that the programmer didn't see fit to include another time-trial check (laziness no doubt), instead it looks like a hurried patch of the registered version. Examine these code snippets.
:0043A2B8 MOV EDX,0043A314 <-- "FileNotes Explorer
:0043A2C6 MOV EDX,0043A340 <-- "FileNotes Explorer (Expired Unregistered)".
:0043A2D4 MOV EDX,0043A374 <-- "FileNotes Explorer".
Its fairly easy to trace the code back and see how each of these references gets triggered. Note the use of the function GetStatus (exported from fnexp.dll), and note that EAX is decremented twice. This perhaps indicates that when you fix this code, at the jump it would be desirable to have EAX=1.
:0043A2B0 DEC EAX <-- Decrement EAX by 1.
:0043A2B1 JZ 0043A2B8 <-- Unregistered.
:0043A2B3 DEC EAX <-- Decrement EAX by 1 again.
:0043A2B4 JZ 0043A2C6 <-- Expired Unregistered.
:0043A2B6 JMP 0043A2D4 <-- Jump_FileNotes_Explorer.
Note that you could also have just HEX edited these strings as I suggested for fnmon.exe. Making all of these changes results in a fully working unspoiled FileNotes, I believe the author obviously set out with good intentions when he protected fnmon.exe but was too lazy when it came to fnexp.exe.