Cracking Tutorial for PageMill 3.0
Before we start, please read the Disclaimer section of this essay!
The first step after I installed PageMill was reading the README.DOC. You can often read the limitations, etc. in such a readme file. I read the following, which is interesting for Reverse Engineering:
"Adobe is providing this Try-Out version of PageMill 3.0 so that you can evaluate it to create fully functional Web pages. This try-out version of Adobe PageMill 3.0 is fully functional, but will expire 15 days after it has been installed."
So PageMill's main protection is its 15-day time limit. Now we know enough to start our cracking session:
After you've executed PageMill, you'll recognize that there's no NAG, etc. displayed. Since we know this, we just have to crack the time limit. Exit PageMill now. What's that? A damn Exit-NAG gets displayed - argh.
This NAG is telling us when our version of PageMill will expire and where we SHOULD ORDER it, if we're using it beyond its free trial period. The NAG looks very much like a standard message box - MessageBoxA should work in this case. So set a BPX to MessageBoxA and restart & exit PageMill. SoftICE will now display something like the following code snippet, after you've pressed F11 and the "OK"-Button:
Since SoftICE displayed the info that this code snippet is located in MFC42.DLL, we can't patch this code snippet. We have to execute the RET instruction. Then we'll get to a location in PM3TRYOUT.EXE, where we can patch the code:
Now set a BPX 4115A2, disable the MessageBoxA breakpoint and restart & exit PageMill. When SoftICE pops up, do a ? ESP and then press F10 to execute that CALL 50F30C. Now do a ? ESP again, because we need to correct ESP. You'll find out that the difference is 12 dec, which is 0C h. So we can replace that CALL 50F30C with ADD ESP,0C - NOP - NOP. Then we won't see a NAG when we exit PageMill. To make this permanent, HexEdit PM3TRYOUT.EXE using Hacker's View. Now search for
If you trace forward through the code, you'll come across the following code snippet:
Have you recognized the 'flag', which is stored at [EBP-14]? Well, this is the Expired-Flag. If it's true (1), PageMill has expired. If it's false (0), PageMill hasn't expired. That's all the info you need to crack the complete time limit.
Coders from PageMill: I don't think it's that clever to test a flag just once to decide whether we can still execute PageMill. You should at least test that flag twice. I would also erase some important files, so that it's *not* possible to restore the trial period.
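The point of the note above, as an added C example (not code from PageMill or from this essay's author): a stored expired flag that is tested once is a single point of failure, while re-deriving expiry from the install time inside each gated feature spreads the decision across the program. The struct, the function names and the treatment of a clock set before the install date are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

#define TRIAL_DAYS      15
#define SECONDS_PER_DAY 86400.0

/* Hypothetical trial state; field names are assumptions for this example. */
struct trial_state {
    time_t installed_at;  /* when the try-out version was installed */
    bool   expired_flag;  /* weak design: computed once, then trusted */
};

struct trial_state make_state(time_t installed_at, bool expired_flag)
{
    struct trial_state s = { installed_at, expired_flag };
    return s;
}

/* Re-derive expiry from the install time; nothing cached is consulted. */
static bool trial_expired_at(struct trial_state s, time_t now)
{
    double elapsed = difftime(now, s.installed_at);
    if (elapsed < 0.0)  /* clock earlier than install: treated as expired here */
        return true;
    return elapsed >= TRIAL_DAYS * SECONDS_PER_DAY;
}

/* Weak: a single test of the stored flag decides everything. */
bool weak_can_run(struct trial_state s) { return !s.expired_flag; }

/* Hardened: every gated feature recomputes the answer for itself. */
bool can_save_page(struct trial_state s, time_t now)   { return !trial_expired_at(s, now); }
bool can_upload_site(struct trial_state s, time_t now) { return !trial_expired_at(s, now); }

int main(void)
{
    /* Constructed sample: installed at t=1000, flag wrongly left at 0, day 16. */
    struct trial_state s = make_state(1000, false);
    time_t day16 = 1000 + 16 * 86400;
    printf("weak check allows run:  %d\n", weak_can_run(s));
    printf("save allowed on day 16: %d\n", can_save_page(s, day16));
    return 0;
}
```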
Info: Brand and product names are trademarks or registered trademarks of their respective holders.
Copyright © 1998 by TORN@DO and The Immortal Descendants. All Rights Reserved.