February 1999

"CommonLaw v3.0"

(Deadlisting and patching to get around a protection scheme)

Win '95/'99 PROGRAM

Win Code Reversing

 

 

by Punisher 

 

 

Cracking 4 Newbies 

 

 

Program Details

Program Name: clinst.exe

Program Type: Legal Assistant

Program Location: http://www.softseek.com/

Program Size: 755 KB 

   Tools Used:
W32Dasm -- Disassembler
Hacker's View -- HexEditor

Rating

Easy ( )  Medium ( X )  Hard (    )  Pro (    ) 

There is a crack, a crack in everything. That's how the light gets in.

 


CommonLaw v3.0

(Deadlisting and Patching)

Written by Punisher

  

Introduction

 
The author(s) of this program can be found at:
http://www.BLCorp.com
 
The author says:

"CommonLaw allows you to write up 8 commonly used legal agreements. They are:-

Bill of Sales, Commercial Real Estate Lease, Residential Real Estate Lease, Sublease, Contractor Agreement, Promissory Note, Personal Guarantee, Lottery Pooling Agreement

About this protection system

 

This program uses the pvplus.dll file to house its protection scheme. I tried using soft-ice but finally decided to patch the program because I needed some more practice in deadlisting.

THE ESSAY

Install CommonLaw 3.0 and run it. The first thing you are hit with is a nasty nagscreen telling you that this was a Trial Edition. The nag also tells you the amount of days you have remaining in the trial period. As a matter of fact there are two messages on the nag screen about the number of days remaining in the trial period.

The nag also has a number of buttons, example OK, Activate etc. The activate button brings up a registration dialog for entering your registration code which you will receive after paying the authors of the program. There is also an order code for ordering the registered version.

Click the OK button and the main program window comes up. Select from the File menu New and choose any document you want to create. up pops another nagscreen telling you about some kind of license. On this nag box there are two button, One saying I Accept and I Don't Accept. Selecting the I Accept then loads your document for you to work with. Selecting the I Don't Accept returns you to the main program window without loading the document.

Go to the help menu and select about. The same startup nag screen pops up as the about dialog box.

So What have we here. Three things 1. Startup nagscreen, 2. License nagscreen and 3. About nagscreen. Tese three we have to get rid of.

Close CommonLaw and make a copy of it, this we will use to test our findings. Call the copy CLaw.exe.

Fire up W32Dasm and disassemble ComnLaw.exe. Select String data references from the refs menu. Scroll down this window until you see " TRIAL DAYS REMAIN! *** ". Do you remember this, yes it was in the startup nagscreen and the about nagscreen. Double click on it and W32Dasm will to you to where it is refered to in the code. You will land in this snippet of code.

* Possible StringData Ref from Data Obj ->" TRIAL DAYS REMAIN! ***"
  |
:0043481F 6880244400 push 00442480 ; <- you land here
:00434824 6850F14400 push 0044F150

* Reference To: KERNEL32.lstrcatA, Ord:0000h
  |
:00434829 E8CAC10000 Call 004409F8

Minimize the String Data References window and scroll up W32Dasm's main window. We are looking for a call from which the nagscreen routines and executed. After scolling up a bit you will come to this snippet of code.

* Referenced by a CALL at Addresses:
|:0043A602 , :0043B707 ;<- possible calls for nag screens
|

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00435323(U), :0043532D(U)
|
:00434575 55 push ebp
:00434576 8BEC mov ebp, esp

From here we see that there two possible calls that may be the nagscreens calls. Let's try the first one at :0043A602. Click the Goto menu and type in the address of the first call, it is 0043A602, and click OK. W32Dasm takes you to that address and we see this snippit of code.
:0043A601 51 push ecx
:0043A602 E86E9FFFFF call 00434575 ;<- you are now here
:0043A607 83C408 add esp, 00000008

You can click the call button on the toolbar to take you to the address called and trace the code down to see if that call is one that calls the nagscreen. When you are done tracing the code click the RET button to return to the call.

After tracing the code I found that this call does call the nagscreen. So I hit the ret and returned to the call. Since the nagscreen is called from this call we want to bypass this call. Let's scroll up W32Dasm window to look for a jump that takes us pass the call at 0043A602. Scrolling up we see this piece of code with a jne.

:0043A5BD 85C0 test eax, eax
:0043A5BF 7549 jne 0043A60A ; we must patch here
:0043A5C1 66C7852CFFFFFF0800 mov word ptr [ebp+FFFFFF2C], 0008

Place the cursor on the jne and doubleclick it. The yellow high light is now on jne look at the bottom of W32Dasm on the staus bar and you will see the offet of the jne, that is where we will patch it in Hacker's View. Write down that offset. When patching we must change the jne to je.

Let's now check the second call. Goto to 0043B707 by using the goto menu. You will land in this piece of code.

:0043B706 51 push ecx
:0043B707 E8698EFFFF call 00434575 ;<-call to about nagscreen
:0043B70C 83C408 add esp, 00000008
:0043B70F EB49 jmp 0043B75A

This call at 0043B707 calls the about nagscreen which we want to get rid of. scroll up until you meet the first jump. You will see this code.

:0043B6C2 85C0 test eax, eax
:0043B6C4 754B jne 0043B711 ;<- we need to patch here.
:0043B6C6 66C7857CFEFFFF0800 mov word ptr [ebp+FFFFFE7C], 0008
:0043B6CF 6A00 push 00000000

The jne at 0043B6C4 takes us past the call so we will patch this piece of code. Place the the cursor on the jne and doubleclick it so that the yellow highlight bar is on jne. Look for the offset on the W32Dasm status bar and write it down. this is the location we will patch in Hacker's View. We will change the jne to a je. I will tell you the patches later.

So far the two nagscreens are taken care of now for the License nag. Go to String data References and look for "You should carefully read the" this is the first few words that is presented in the license agreement presented everytime you try to load a new document. Double click on it and W32Dasm takes you to it's reference in the code. You will land here.

:0043A2DE 59 pop ecx

* Possible StringData Ref from Data Obj ->"You should carefully read the "
  ->"following terms and conditions "
  ->"before using this software. Unless "
  ->"you have a different license agreement "
  ->"signed by Business Logic Corporation, "
  ->"your use of the software indicates "
  ->"your acceptance of this license "
  ->"agreement and warranty. IF YOU "
  ->"DO NOT AGREE TO ANY OF THE TERMS "
  ->"OF THIS AGREEMENT, DO NOT USE "
  ->"THE SOFTWARE."
  |
:0043A2DF 68383B4400 push 00443B38 ;<- You will land here
:0043A2E4 6A00 push 00000000

Scroll up until you get to this piece of code.
* Referenced by a CALL at Addresses:
|:0043BEB2 , :0043BED4 <- here we see tow calls
|

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0043A50C(U), :0043A516(U)
|
:0043A1B7 55 push ebp

Lets try the first one. Go to the address of the first call, 0043BEB2, if you don't know how to do that by now better try something other thatn cracking.

You will be here.

:0043BEB1 51 push ecx
:0043BEB2 E800E3FFFF call 0043A1B7 ;<- This call brings up the license nag
:0043BEB7 83C408 add esp, 00000008
:0043BEBA 8B8524FFFFFF mov eax, dword ptr [ebp+FFFFFF24]
:0043BEC0 64A300000000 mov dword ptr fs:[00000000], eax

Scrolling up aboe the call we come to this jump which jumps past the call we want to skip.

:0043BE5A 85F6 test esi, esi
:0043BE5C 7E7E jle 0043BEDC ;<- change jle to jg
:0043BE5E C70520F6440001000000 mov dword ptr [0044F620], 00000001
:0043BE68 66C78534FFFFFF0800 mov word ptr [ebp+FFFFFF34], 0008
:0043BE71 6A00 push 00000000

High the jle and look in the status bar of W32Dasm for the offset to patch in Hacker's View. Write down the offset. we must change the jle to jg.

Ok for the nice part.


PATCHING COMMANLAW


Run Hacker's View and load up ComnLaw.Exe. press F4, then F3 to get in assembly code mode.

1. First Patch --Startup Nagscreen.

Press F5 and type in the offset you wrote down for the startup nagscreen. It should be 39BBF and press enter. Hiew will take you to that address. You will see 7549. Press F3 to edit and change the 5 to a 4

eg 7549 to 7449

Press F9 to save.

2. Second Patch -- The About Nag screen

Press F5 and type in the offset you wrote down for the startup nagscreen. It should be 3ACC4 and press enter. Hiew will take you to that address. You will see 754B. Press F3 to edit and change the 5 to a 4.

eg:- 754B to 744B

Press F9 to save.

3. Third Patch -- The License Nag.

Press F5 and type in the offset you wrote down for the startup nagscreen. It should be 3B45C and press enter. Hiew will take you to that address. You will see 7E7E. Press F3 to edit and change the E to a F

eg:- 7E7E to 7F7E

Press F9 to save and F10 to exit Hiew.

Now run the program. No annoying startup nag, No License nag and the About nagscreen screen has change to an about dialogbox telling you the version of the program etc.


I will like to say thanks to +Fravia, Sandman, CrackZ, Cruehead, Iczelion and all the others out there who help by providing the knowledge to make this possible.


You should buy this program if you intend to use it longer than the evaluation period.

  Index