Security Administrator for Win95/98 v5

The Non-Secure fix

Date 11/8/00
by Sojourner
There is a crack, a crack in everything. That's how the light gets in.
(x)Beginner ( )Intermediate ( )Advanced ( )Expert

This one took some decent brainpower but was well worth it if you use this sort of prog.
Tools required

w32dasm 8.x--your choice of flavors

hex editor needed- UltraEdit 7.xx or whatever you want to use

Target's URL/FTP or

Just go to this site. Do a search and then download what you need. Or use the homepage url I gave above.

To Do List
What to do - 
 1. Get rid of lame nags
 2. Breathe easier with the time limit gone

Alright, it's been awhile since I've printed anything, although I have nevertheless been extremely busy. I'm always farting around with security junk; this is one of them, along with Password Protected Lockup, Steganos Security, Go Back, etc. Some of them have unique features, such as the Steganos Suite, for message encryption via a carrier file such as a picture. Very slick tool to have. Anyway, I had seen an earlier incarnation of this prog and saw that it had some good potential for me since I have young ones at home. Unfortunately, it had some problems at that time that caused some concern for me. Nobody wants to get locked out of their own system when they have the keys, right? This version 5 is much better and the security features have been improved. My goal is not to promote these guys, 'cause I don't even know them, but only to give a little info about the prog. Now, since you obviously have already downloaded the prog, I'll shut up and cut to the chase. One more little word. These days I usually turn on my trial protection software, Trialblazer, before doing any installations. It saves me a lot of hassle on down the line. Just a word to the wise. Go ahead and install the Security Administration software wherever you want to. Once that is done, use w32dasm to disassemble the prog and run it.

1. Getting rid of lame nags

You will have a nag come up that tells you this is a 30-day trial, etc., and to register it now. It looks suspiciously like a dialog box, but there is no direct reference to either user32.dialogboxparama or user32.createindirectdialogboxparam. Maybe it's a user32.updatewindow. I looked in my resource tool, Restorator 2.5, and saw references to the nag screen, but nothing that I could break in on in w32dasm, i.e., no API reference. Now, interestingly enough, if I accelerate my time past expiration and then run the prog, I get a nag with the expiration warning. If you do not register at this time, the prog shuts down immediately. Hmm. Now I reset my time and I still get the nag box, but not the dire warning!! Ah, this is better. It doesn't keep a static timer counter, nor a reverse time checker. So, what is the prog doing? That is the question to answer, friends. When you answer it correctly, you will be much closer to solving this mystery. I thought for a moment and suspected that maybe there was a kernel32.dll call to either getlocaltime or getsystemtime. Hah! My hunch paid off. At least there was a call to kernel32.getlocaltime. I set my breakpoints accordingly and caught this:

* Referenced by a CALL at Addresses:
|:00495CCD   , :00495D1C   , :00499677   , :0049A516   , :0049EFA8
|:0049F737
|
:00409ED8 83C4E0                  add esp, FFFFFFE0
:00409EDB 8D442408                lea eax, dword ptr [esp+08]
:00409EDF 50                      push eax

* Reference To: kernel32.GetLocalTime, Ord:0000h
|
:00409EE0 E857CCFFFF              Call 00406B3C
:00409EE5 668B4C240E              mov cx, word ptr [esp+0E]
:00409EEA 668B54240A              mov dx, word ptr [esp+0A]
:00409EEF 668B442408              mov ax, word ptr [esp+08]
:00409EF4 E8DFFDFFFF              call 00409CD8
:00409EF9 DD5C2418                fstp qword ptr [esp+18]
:00409EFD 9B                      wait
:00409EFE 668B442416              mov ax, word ptr [esp+16]
:00409F03 50                      push eax
:00409F04 668B4C2418              mov cx, word ptr [esp+18]
:00409F09 668B542416              mov dx, word ptr [esp+16]
:00409F0E 668B442414              mov ax, word ptr [esp+14]
:00409F13 E8E8FBFFFF              call 00409B00
:00409F18 DC442418                fadd qword ptr [esp+18]
:00409F1C DD1C24                  fstp qword ptr [esp]
:00409F1F 9B                      wait
:00409F20 DD0424                  fld qword ptr [esp]
:00409F23 83C420                  add esp, 00000020
:00409F26 C3                      ret

Looking at the cluster of instructions at:

:00409EE5 668B4C240E              mov cx, word ptr [esp+0E]
:00409EEA 668B54240A              mov dx, word ptr [esp+0A]
:00409EEF 668B442408              mov ax, word ptr [esp+08]

you can follow the flow while the prog is running. [esp+0E] is the day of the month, [esp+0A] is the month, and [esp+08] is the year, all in hex. Important, but not the end-all and be-all. We need to follow this call back to its origin.
Set your breakpoint on the ret at 00409F26 and you will end up back here:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0049EF31(C), :0049EF97(C)
|
:0049EFA8 E82BAFF6FF              call 00409ED8
:0049EFAD 83C4F8                  add esp, FFFFFFF8    <--Here
:0049EFB0 DD1C24                  fstp qword ptr [esp]
:0049EFB3 9B                      wait
:0049EFB4 A11C4E4A00              mov eax, dword ptr [004A4E1C]
:0049EFB9 E856AAF6FF              call 00409A14
:0049EFBE 83C4F8                  add esp, FFFFFFF8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049EF4D(C)
|
:0049EFC1 DD1C24                  fstp qword ptr [esp]
:0049EFC4 9B                      wait
:0049EFC5 E8DE50FDFF              call 004740A8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049EF56(C)
|
:0049EFCA 3DD0020000              cmp eax, 000002D0
:0049EFCF 7E19                    jle 0049EFEA
:0049EFD1 B001                    mov al, 01
:0049EFD3 E808CCFEFF              call 0048BBE0
:0049EFD8 803D144E4A0000          cmp byte ptr [004A4E14], 00
:0049EFDF 7510                    jne 0049EFF1
:0049EFE1 8BC3                    mov eax, ebx
:0049EFE3 E818DAFAFF              call 0044CA00
:0049EFE8 EB07                    jmp 0049EFF1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049EFCF(C)
|
:0049EFEA 33C0                    xor eax, eax
:0049EFEC E8EFCBFEFF              call 0048BBE0    <--Important call

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0049EFDF(C), :0049EFE8(U)
|
:0049EFF1 A1E8324A00              mov eax, dword ptr [004A32E8]
:0049EFF6 803800                  cmp byte ptr [eax], 00
:0049EFF9 7407                    je 0049F002
:0049EFFB 8BC3                    mov eax, ebx
:0049EFFD E8FED9FAFF              call 0044CA00

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049EFF9(C)
|
:0049F002 5B                      pop ebx
:0049F003 C3                      ret

///////////////////////////////////////////

If you piddle around long enough, you'll get all the way back to the actual call that set up this whole mess.
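As an added illustration that is not part of Sojourner's tutorial, this Python models what the two listings above read and compare: it lays out the SYSTEMTIME that kernel32.GetLocalTime fills in at [esp+08], names the struct member behind each [esp+xx] operand, and mirrors the cmp eax, 000002D0 / jle decision. The sample dates are constructed, and reading 0x2D0 (720) as elapsed hours of a 30-day trial is my inference, not something the tutorial states.

```python
import struct
from datetime import datetime

# Win32 SYSTEMTIME as kernel32.GetLocalTime fills it in: eight little-endian
# WORDs (16 bytes) in this order.
SYSTEMTIME_FIELDS = ("wYear", "wMonth", "wDayOfWeek", "wDay",
                     "wHour", "wMinute", "wSecond", "wMilliseconds")
SYSTEMTIME_FMT = "<8H"

# The listing does "lea eax, [esp+08]; push eax" before the call, so the
# struct starts 8 bytes above esp when control returns.
STRUCT_BASE = 0x08

# Immediate from "cmp eax, 000002D0": 0x2D0 = 720 = 30 days * 24 hours.
# Treating it as an hour count is my inference from the 30-day trial.
TRIAL_LIMIT_HOURS = 0x2D0

# Constructed sample dates (not from the tutorial): install day and a later run.
SAMPLE_INSTALL = datetime(2000, 10, 8, 13, 45, 30)
SAMPLE_NOW = datetime(2000, 11, 8, 13, 45, 30)

def stack_after_call(when: datetime) -> bytes:
    """Constructed stack snapshot: 8 bytes of unrelated locals, then the
    SYSTEMTIME GetLocalTime would write for `when` (wDayOfWeek: Sunday = 0)."""
    st = struct.pack(SYSTEMTIME_FMT, when.year, when.month,
                     when.isoweekday() % 7, when.day, when.hour,
                     when.minute, when.second, when.microsecond // 1000)
    return b"\x00" * STRUCT_BASE + st

def read_word(stack: bytes, esp_offset: int) -> int:
    """Emulate 'mov xx, word ptr [esp+offset]' against the snapshot."""
    return struct.unpack_from("<H", stack, esp_offset)[0]

def field_at_esp_offset(esp_offset: int) -> str:
    """Name the SYSTEMTIME member an '[esp+XX]' operand in the listing reads."""
    return SYSTEMTIME_FIELDS[(esp_offset - STRUCT_BASE) // 2]

def hours_elapsed(first_run: datetime, now: datetime) -> int:
    """Whole hours since first run: the kind of count the cmp at 0049EFCA tests."""
    return int((now - first_run).total_seconds() // 3600)

def trial_expired(hours: int) -> bool:
    """Mirror the branch: 'jle 0049EFEA' keeps the trial alive at <= 0x2D0 hours."""
    return hours > TRIAL_LIMIT_HOURS
```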
Right here:

:00454BB8 53                      push ebx
:00454BB9 6683783200              cmp word ptr [eax+32], 0000
:00454BBE 740A                    je 00454BCA
:00454BC0 8BD8                    mov ebx, eax
:00454BC2 8BD0                    mov edx, eax
:00454BC4 8B4334                  mov eax, dword ptr [ebx+34]
:00454BC7 FF5330                  call [ebx+30]    <--This call starts it all

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00454BBE(C)
|
:00454BCA 5B                      pop ebx
:00454BCB C3                      ret

Lucky for us. Look what's just above us in this code mess: a cmp and a conditional jump! What more could we ask for? Hmm, why is this here? I suspect it's here to check the registration status, and if [eax+32] has zero in its field value, then there won't be any question about a nag and registration following. If you look around a little in the [eax+xx] values, you'll see as I did that one of the eax+ addresses does indeed hold a zero value. I used [eax+2A] and it worked just fine. All you do is change:

:00454BB9 6683783200              cmp word ptr [eax+32], 0000

to

:00454BB9 6683782A00              cmp word ptr [eax+2A], 0000

Oh my, are we done yet? Well, we did get rid of the nag. Try it, Mikey likes it! As a secondary benefit, we did away with the time limit. So now we can run this prog to our heart's content, almost. There is one slight problem. The program is in use and doesn't like to be tampered with while running. Your job is to find a way to turn this off to give you the opportunity to change the code values; then you can use it to your heart's content. I will give you one hint though: Security Administration hides itself, so look diligently, fellow crackers.
Final Notes

This was a fun lesson, and worth having to search to figure things out. Until later.

If you have any questions please feel free to contact me at

Oh Duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one.