123 ZIP! v2.0 - Tutorial

http://www.atlastitan.com - Webpage.

Welcome once again. I'm going to use this tutorial to highlight another protection commonly used by software authors, the 'limited trial run'. In the case of 123 ZIP! we are restricted to only 25 uses of the application before it 'disables' itself, or in this case displays a polite message box saying Expired. Let's launch the program and note the message box which politely informs you how many times you have run the application; relaunch the program a few times to get a feel for what is going on.

The zen approach here (as with time trials) would be to feel how this code might be implemented (19h = 25 dec), maybe sniff with the HEX editor for some likely bytes; however, in this case a disassembly is most likely your best approach (I hope you remembered the text in that message box). You should easily locate this code inside W32Dasm.

:0045B6BA INC EBX <-- Counter of some description.
:0045B6BB CMP EBX,06 <-- Compare counter variable.
:0045B6BE JNZ 0045B546 <-- Loop.
:0045B6C4 CMP BYTE PTR [004628D4],00 <-- Check_1st_time_program_run.
:0045B6CB JZ 0045B7D9 <-- Jump_1st_time_run.
:0045B6D1 CMP DWORD PTR [004628D8],1A <-- Check_times_run (1A = 26dec).
:0045B6D8 JGE 0045B72A <-- Jump_bad_guy.
:0045B6DA PUSH 00000000 <-- Continue_and_display_nag_box.
:0045B720 CALL 0043D380 <-- Tell_user_how_many_times_program_has_been_run.
:0045B725 JMP 0045B7D9 <-- Launch_program.

In this scheme you should easily see our 2 important flags: 004628D4 decides whether this is the program's first run, whereas 004628D8 holds the number of times the program has been run. Note that the program compares the number of times run with 26 decimal, a minor trick to fool our HEX searching. You should be able to see many ways of beating this scheme: you could, for example, settle for increasing 1A (26) to say FF (255), that's a fairly weak change but may help you fully evaluate the program, or you could NOP away the JGE 0045B72A, which would beat the 26-run check altogether, or maybe you could force the JZ 0045B7D9 into a JMP.

Make whichever patch serves you best. As a cosmetic change you may also like to remove the message box that appears while you are still evaluating; although I'd advise locating the precise API responsible for displaying this nag, it would seem that you can safely NOP away the entire function call 0043D380, and should you feel so inclined, NOP away the same call for first time users also.

Most 'run time limit' schemes are similar in operation to this one, and they are usually fairly weak location counters (although sometimes programs may increment a counter hidden inside the program file itself or a DLL). You should pay particular attention to locations being used as flags, as these can potentially be malicious, and be very sure to check that there isn't a mirror location checking the same flag.

Well here's how I patched the program.

83 3D D8 28 46 00 1A 7D 50 <-- CMP DWORD PTR [004628D8],1A - JGE 0045B72A
83 3D D8 28 46 00 FF 40 48 <-- Increase compare from 1A to FF and replace the JGE with INC EAX, DEC EAX.

E8 5B 1C FE FF <-- CALL 0043D380 (display message box).
40 48 90 40 48 <-- Do absolutely nothing.
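As an added example (not from CrackZ's tutorial), here is a small Python decoder for just the x86 encodings that occur in those before/after byte strings; it recomputes the branch and call targets from the listing's addresses so the hand patch can be checked against the W32Dasm output. Note that the 83 /7 ib form sign-extends its imm8, so the decoder prints FF as FFFFFFFF.

```python
# Added example: decodes only the encodings present in the tutorial's byte
# strings (CMP DWORD PTR [disp32],imm8; JGE rel8; CALL rel32; INC/DEC EAX; NOP).
import struct

def decode(addr, data):
    """Decode the bytes at virtual address `addr`; return [(addr, text), ...]."""
    out = []
    i = 0
    while i < len(data):
        at, op = addr + i, data[i]
        if op == 0x83 and data[i + 1] == 0x3D:
            # 83 /7 ib with ModRM 3D: CMP DWORD PTR [disp32], imm8.
            # The imm8 is sign-extended to 32 bits, so FF means FFFFFFFF (-1).
            disp = struct.unpack_from("<I", data, i + 2)[0]
            imm = struct.unpack_from("<b", data, i + 6)[0]
            out.append((at, f"CMP DWORD PTR [{disp:08X}],{imm & 0xFFFFFFFF:X}"))
            i += 7
        elif op == 0x7D:
            # JGE rel8: target = address of next instruction + signed 8-bit offset.
            rel = struct.unpack_from("<b", data, i + 1)[0]
            out.append((at, f"JGE {at + 2 + rel:08X}"))
            i += 2
        elif op == 0xE8:
            # CALL rel32: target = address of next instruction + signed 32-bit offset.
            rel = struct.unpack_from("<i", data, i + 1)[0]
            out.append((at, f"CALL {(at + 5 + rel) & 0xFFFFFFFF:08X}"))
            i += 5
        elif op in (0x40, 0x48, 0x90):
            out.append((at, {0x40: "INC EAX", 0x48: "DEC EAX", 0x90: "NOP"}[op]))
            i += 1
        else:
            raise ValueError(f"opcode {op:02X} at {at:08X} not handled")
    return out

# The tutorial's byte strings; addresses are taken from the W32Dasm listing above.
CHECK_BEFORE = (0x45B6D1, bytes.fromhex("833DD82846001A7D50"))
CHECK_AFTER = (0x45B6D1, bytes.fromhex("833DD8284600FF4048"))
NAG_BEFORE = (0x45B720, bytes.fromhex("E85B1CFEFF"))
NAG_AFTER = (0x45B720, bytes.fromhex("4048904048"))

def listing(addr, data):
    """Render the decoded instructions in the same 'address mnemonic' style as the listing."""
    return [f"{a:08X} {t}" for a, t in decode(addr, data)]

if __name__ == "__main__":
    for name, (a, d) in [("check before", CHECK_BEFORE), ("check after", CHECK_AFTER),
                         ("nag before", NAG_BEFORE), ("nag after", NAG_AFTER)]:
        print(name)
        for line in listing(a, d):
            print("   ", line)
```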

© 1998 CrackZ. 26th June.