Removing shareware limits in TransMac 2.4ß

© 1997 by Pero / MiB


Software: TransMac 2.4ß
Tools: SoftICE, W32Dasm (well, actually not needed)

The target:

TransMac is a cute little proggie from Acute Systems that can read/write Mac disks from a PC, like CD-ROM, floppy, HDD, Zip... The limit of the shareware version is that we cannot copy directories and we can't copy files larger than 1.4 MB (well, larger than 1.474.560 bytes actually) :-)


Ok, after finishing the setup, let's take a look at our target and let it run. A nasty message box pops up, telling us that we are running a shareware version of the program (like we didn't know it) and that we should send the registration fee to the company if we decide to keep using it... We have two buttons: 'YES' and 'NO'. If we press 'NO' we are immediately thrown out of the program, and if we choose 'YES' we are rewarded with another message box (disclaimer), again with two buttons (Yes/No); the result is the same as before: No throws us out, and Yes lets us continue...

So let's get rid of these message boxes first:

Fire up your SoftICE and set breakpoints on e.g. MessageBoxA and DialogBoxParamA (and whatever others you usually use)....

Press [Ctrl-D] to get out of SoftICE and start TransMac.

You are immediately thrown back into SoftICE (yes, our nag is responsible for this! :)) so we press [F12] to land back in TransMac's code, and we land here...



	.
	.
   Some Memory filling with nag screen text (encoded for now)
	.
	.

:00411C08 8D85D8FCFFFF	lea eax, dword ptr [ebp+FFFFFCD8]	<- eax points to the start of this text
:00411C0E 50		push eax			     	<- store eax
:00411C0F 8D85D8FCFFFF	lea eax, dword ptr [ebp+FFFFFCD8]  	<- point again
:00411C15 50	     	push eax                           	<- and store again
:00411C16 E8754D0000	call 00416990			     	<- this call decodes the nag text
:00411C1B 83C408	add esp, 00000008
:00411C1E 6A04		push 00000004

* Possible StringData Ref from Data Obj ->"TransMac"
                                  |
:00411C20 6810864200	push 00428610
:00411C25 8D85D8FCFFFF	lea eax, dword ptr [ebp+FFFFFCD8]  	<- address of nag text in eax...
:00411C2B 50		push eax
:00411C2C 6A00		push 00000000

* Reference To: USER32.MessageBoxA, Ord:0188h			****** HERE ******
                                  |
:00411C2E FF1530844300	Call dword ptr [00438430]          	<- call 1st message box
:00411C34 83F807	cmp eax, 00000007		     	<- 7 = IDNO: did the user press No?
:00411C37 0F8505000000	jne 00411C42			     	<- he didn't, ok, let him in
:00411C3D E950130000	jmp 00412F92			     	<- he did?! throw him out!!!


So as we can see, MessageBoxA returns the button the user pressed (IDNO = 7); if we press |YES| the jne is taken and we continue to the next dialog (disclaimer), where the situation is just the same.
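To check that we really landed where the listing says, it helps to decode the relative branches by hand: CALL/JMP rel32 (E8/E9) and Jcc rel32 (0F 8x) store a signed displacement measured from the end of the instruction. The following Python script is an added example, not part of the original tutorial and not TransMac code; it takes the branch lines from the listings on this page (copied from the page, not dumped from the binary), recomputes their targets from the raw bytes and checks them against what W32Dasm printed.

```python
import struct

# Constructed sample: branch lines copied from the W32Dasm-style listing on this
# page (address, raw instruction bytes as hex, mnemonic as the disassembler printed it).
LISTING = [
    ("00411C16", "E8754D0000",   "call 00416990"),
    ("00411C37", "0F8505000000", "jne 00411C42"),
    ("00411C3D", "E950130000",   "jmp 00412F92"),
    ("00411C50", "E83B4D0000",   "call 00416990"),
    ("00411C71", "0F8505000000", "jne 00411C7C"),
    ("00411C77", "E916130000",   "jmp 00412F92"),
    ("00411C9F", "E9F9150000",   "jmp 0041329D"),
    ("004135C2", "0F8644000000", "jbe 0041360C"),
    ("0041409F", "0F8644000000", "jbe 004140E9"),
]


def branch_target(address: int, code: bytes) -> int:
    """Return the absolute target of a near relative branch.

    Handles E8 (call rel32), E9 (jmp rel32) and 0F 80..8F (jcc rel32).
    The displacement is a signed 32-bit value relative to the address of the
    *next* instruction, so target = address + len(instruction) + rel32.
    """
    op = code[0]
    if op in (0xE8, 0xE9):
        length, disp_off = 5, 1
    elif op == 0x0F and len(code) > 1 and 0x80 <= code[1] <= 0x8F:
        length, disp_off = 6, 2
    else:
        raise ValueError(f"not a rel32 branch: {code.hex()}")
    if len(code) < length:
        raise ValueError("truncated instruction")
    rel = struct.unpack_from("<i", code, disp_off)[0]
    return (address + length + rel) & 0xFFFFFFFF


def check_listing(listing):
    """Decode every branch and compare it with the target the disassembler printed.

    Returns a list of (address, mnemonic, matches) tuples.
    """
    results = []
    for addr_s, hex_s, mnemonic in listing:
        addr = int(addr_s, 16)
        target = branch_target(addr, bytes.fromhex(hex_s))
        printed = int(mnemonic.split()[1], 16)
        results.append((addr_s, mnemonic, target == printed))
    return results


if __name__ == "__main__":
    for addr, mnem, ok in check_listing(LISTING):
        print(f"{addr} {mnem:<16} {'ok' if ok else 'MISMATCH'}")
```

Every row on this page decodes to the printed target, e.g. 00411C16 + 5 + 4D75h = 00416990, which is a quick way to spot a mistyped address in a listing before trusting it.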

Press [F5] to return to TransMac, and after SoftICE pops up again press [F12] to get out of the MessageBoxA routine...


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411C37(C)
|
:00411C42 8D85DCFAFFFF            lea eax, dword ptr [ebp+FFFFFADC]	<-- Here is all this
:00411C48 50                      push eax				<-- happening again,
:00411C49 8D85DCFAFFFF            lea eax, dword ptr [ebp+FFFFFADC]     <-- exactly the same
:00411C4F 50                      push eax				<-- just for the 2nd
:00411C50 E83B4D0000              call 00416990				<-- message box
:00411C55 83C408                  add esp, 00000008
:00411C58 6A04                    push 00000004

* Possible StringData Ref from Data Obj ->"TransMac Disclaimer"
                                  |
:00411C5A 68FC854200              push 004285FC
:00411C5F 8D85DCFAFFFF            lea eax, dword ptr [ebp+FFFFFADC]
:00411C65 50                      push eax
:00411C66 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:0188h				*** WE LAND HERE ***
                                  |
:00411C68 FF1530844300            Call dword ptr [00438430]		<-- call 2nd message box
:00411C6E 83F807                  cmp eax, 00000007			<-- 7 = IDNO: did he AGREE?!
:00411C71 0F8505000000            jne 00411C7C				<-- ok, let him pass
:00411C77 E916130000              jmp 00412F92				<-- DISAGREE?? go out!

OK, everything is exactly the same as before, just the text of the message box changed...

But look at the next piece of code, just following the code where we landed...


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411C71(C)
|
:00411C7C C7055481420000000000    mov dword ptr [00428154], 00000000   <- !!! set the shareware flag
:00411C86 A154814200              mov eax, dword ptr [00428154]        <- and copy it
:00411C8B A350814200              mov dword ptr [00428150], eax	       <- to some
:00411C90 A150814200              mov eax, dword ptr [00428150]        <- other
:00411C95 A34C814200              mov dword ptr [0042814C], eax        <- locations
:00411C9A B801000000              mov eax, 00000001		       <- Eax=1 so we can continue
:00411C9F E9F9150000              jmp 0041329D			       <- Go to the program...

Well, well, well now, isn't that interesting? :-) If we are 'allowed' to continue, the program sets the shareware flag (to 0) and this flag is then copied to some other locations... (the default value is 1 - the full version)

So the crack is obvious isn't it?

We could jump over the message boxes (instead of calling the string decoding routine, CALL 00416990)..


example:
:00411C16 E8754D0000  CALL 00416990    <--- change it to:   JMP 00411C42

:00411C50 E83B4D0000  CALL 00416990    <--- change it to:   JMP 00411C86

We could also patch the code to:
:00411C16 E8754D0000  CALL 00416990    to JMP 00411C86, so we would jump over both message boxes at once...

But why are we jumping to 00411C86 instead of to 00411C7C? Well, (as you probably guessed) just to bypass setting the 'Shareware' flag.

So after we do all this, we run the program and there are no message boxes at startup, and we can copy subdirectories and also files which all together exceed 1.4 MB, BUT (well, I was surprised when I noticed this) we can't copy a single file which is larger than 1.474.560 bytes....
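Patches like the ones above change only a few bytes of the executable, and TransMac evidently does nothing to notice that. As an added example of the mitigation side (my own code, not from this tutorial and not from Acute Systems), here is a minimal integrity self-check in Python: at build time a per-region SHA-256 manifest of the code image is recorded, and at run time the image is re-hashed and any region that differs is reported with its address range. The "code image" is a constructed sample assembled from the bytes listed above for 00411C08-00411C42; the tamper is a single constructed byte overwrite used only to trigger the check, not a working patch.

```python
import hashlib

REGION_SIZE = 16  # constructed: tiny regions so the demo image stays small

# Constructed "code image": the raw bytes of the startup sequence as listed on
# this page, 00411C08..00411C42, laid out contiguously. This is assembled from
# the listing, not dumped from the real executable.
IMAGE_BASE = 0x00411C08
CODE_IMAGE = bytes.fromhex(
    "8D85D8FCFFFF" "50" "8D85D8FCFFFF" "50" "E8754D0000" "83C408" "6A04"
    "6810864200" "8D85D8FCFFFF" "50" "6A00" "FF1530844300"
    "83F807" "0F8505000000" "E950130000"
)


def build_manifest(image: bytes, region_size: int = REGION_SIZE) -> list:
    """Build-time step: SHA-256 of every fixed-size region of the code image."""
    return [hashlib.sha256(image[i:i + region_size]).hexdigest()
            for i in range(0, len(image), region_size)]


def verify_image(image: bytes, manifest: list, region_size: int = REGION_SIZE) -> list:
    """Run-time step: return (offset, length) of every region whose bytes no
    longer match the manifest. An empty list means the image is intact."""
    bad = []
    for n, expected in enumerate(manifest):
        start = n * region_size
        chunk = image[start:start + region_size]
        if hashlib.sha256(chunk).hexdigest() != expected:
            bad.append((start, len(chunk)))
    return bad


def tampered_addresses(image: bytes, manifest: list,
                       base: int = IMAGE_BASE, region_size: int = REGION_SIZE) -> list:
    """Map failing regions back to virtual address ranges for a report."""
    return [(base + off, base + off + ln)
            for off, ln in verify_image(image, manifest, region_size)]


def simulate_patch(image: bytes, address: int, new_byte: int,
                   base: int = IMAGE_BASE) -> bytes:
    """Constructed tamper: overwrite one byte at a virtual address (any change will do)."""
    off = address - base
    return image[:off] + bytes([new_byte]) + image[off + 1:]


# Manifest computed "at build time" over the pristine image.
MANIFEST = build_manifest(CODE_IMAGE)

if __name__ == "__main__":
    print("intact image, bad regions:", verify_image(CODE_IMAGE, MANIFEST))
    patched = simulate_patch(CODE_IMAGE, 0x00411C16, 0x90)  # touch the CALL's opcode byte
    for lo, hi in tampered_addresses(patched, MANIFEST):
        print(f"modified region: {lo:08X}-{hi:08X}")
```

The check only helps if the manifest and the checking code cannot be rewritten as easily as the flag at 00428154: the digest list has to be signed or verified by something outside the image being checked, otherwise it is just one more patchable compare, the same weakness as the single shareware flag.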

Hmmm....

Let's think for a while...

If the program doesn't check the total size of all the files we want to copy, then it just compares the size of every single file with 1.4 MB. So somewhere in the program there must be a compare (actually there are two).

So let's bpx again on DialogBoxParamA and fire up TransMac once again...

Select the file to copy and press the 'Copy Files' icon, and we are thrown into SoftICE again.. Press [F12] and the copy dialog pops up... Now press OK and we are back in SoftICE..

Here we land if we choose to copy from PC to MAC:


* Reference To: USER32.DialogBoxParamA, Ord:008Ah
                                  |
:00413455 FF15A4844300            Call dword ptr [004384A4]
:0041345B 8945EC                  mov dword ptr [ebp-14], eax
:0041345E 837DEC00                cmp dword ptr [ebp-14], 00000000
:00413462 0F8507000000            jne 0041346F
:00413468 33C0                    xor eax, eax
:0041346A E993050000              jmp 00413A02

and here we land if we choose to copy from MAC to PC:

* Reference To: USER32.DialogBoxParamA, Ord:008Ah
                                  |
:00413E95 FF15A4844300            Call dword ptr [004384A4]
:00413E9B 8945EC                  mov dword ptr [ebp-14], eax
:00413E9E 837DEC00                cmp dword ptr [ebp-14], 00000000
:00413EA2 0F8507000000            jne 00413EAF
:00413EA8 33C0                    xor eax, eax
:00413EAA E948070000              jmp 004145F7

Again, as we can see, quite similar pieces of code... So let's trace the code for a while with [F10] until we come to the following parts:

COPY PC to MAC:


* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041353F(C), :0041354E(C), :004135A6(C)
|
:004135B1 A152AD4200              mov eax, dword ptr [0042AD52]
:004135B6 8B4DE4                  mov ecx, dword ptr [ebp-1C]
:004135B9 8B0488                  mov eax, dword ptr [eax+4*ecx]
:004135BC 813800801600            cmp dword ptr [eax], 00168000  *** HERE *** ($168000 = 1474560)
:004135C2 0F8644000000            jbe 0041360C                  jump taken if size <= $168000 (file fits); fall through if larger: beggar off!
:004135C8 8B45E4                  mov eax, dword ptr [ebp-1C]
:004135CB 50                      push eax
:004135CC 6A00                    push 00000000
:004135CE 6885010000              push 00000185
:004135D3 8B45F4                  mov eax, dword ptr [ebp-0C]
:004135D6 50                      push eax


COPY MAC to PC:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00413F69(C), :00414010(C), :00414072(C)
|
:0041407D A13CAD4200              mov eax, dword ptr [0042AD3C]
:00414082 8B4D94                  mov ecx, dword ptr [ebp-6C]
:00414085 8B0488                  mov eax, dword ptr [eax+4*ecx]
:00414088 8B4004                  mov eax, dword ptr [eax+04]
:0041408B 8B0D3CAD4200            mov ecx, dword ptr [0042AD3C]
:00414091 8B5594                  mov edx, dword ptr [ebp-6C]
:00414094 8B0C91                  mov ecx, dword ptr [ecx+4*edx]
:00414097 034108                  add eax, dword ptr [ecx+08]
:0041409A 3D00801600              cmp eax, 00168000                 *** HERE!!! ***
:0041409F 0F8644000000            jbe 004140E9                  jump taken if size <= $168000; fall through if filesize > 1.4 MB: beggar off!
:004140A5 8B4594                  mov eax, dword ptr [ebp-6C]
:004140A8 50                      push eax
:004140A9 6A00                    push 00000000
:004140AB 6885010000              push 00000185
:004140B0 8B45F4                  mov eax, dword ptr [ebp-0C]
:004140B3 50                      push eax

So now just NOP the calls after the compare, or compare the size with FFFFFFFF, so we can copy a file up to 4.29 GB (FFFFFFFF = 4.294.967.295 bytes).

So that's all....

I didn't spend much time explaining how to crack this, because it's very, very easy and the way I did it isn't quite a 'clean crack' like +ORC taught us, so experiment and do it YOUR WAY!


Summary:

The 1st part: getting rid of the 2 dialogs at startup and enabling the copy directory function
The 2nd part: cracking the filesize limits
It took me ca. 15 min with all the corrections I made...


If you wanna send any feedback to me, pero75@hotmail.com is my email!


Copyright © MiB 1997. All rights reversed.