Cracking a timelock and writing a patch for File-Ex v2.12c


Version 1.23 Download [tutorial 3] and read it offline


Our target: "File-Ex"

File-Ex adds file management functions like Find, Copy, Delete, Rename, and MakeDir to the Open and Save dialogs of Windows applications automatically. File-Ex also enlarges file dialogs to any size desired, adds Recent and Favourite file/folder lists, and allows long file names to be used with 16-bit applications.
You can try this program out for 30 days. After using it for 30 days, some of the functions will be unavailable, unless you read this tutorial...
[File-Ex v2.12c].


Tools and help

For this session I used W32Dasm v8.93 to disassemble our target, Hacker's View v6.02 to patch the file and Base Calculator v1.3 to do some calculations, but previous or later versions should do the job too.
If you can't find these programs at the Programmer TOOLS page:

Protools

just perform a ftp search and look for the strings w32dasm, hiew and bcalcns1.zip.
Unzip the hiew archive and you'll obtain another zipped file. Unzip it, the only file you need in order to crack File-Ex is Hiew.exe. Place it wherever you want on your hard disk, but be sure that its path is in your autoexec.bat file.


Cracking the file

Install File-Ex. I'm sure you're smart enough to discover the sentence "You have 30 days remaining in your free evaluation period". Press "OK" and change your system date. Enlarge File-Ex again by clicking on the system tray icon: only 29 days left! After 30 days you'll read "Your free evaluation period has expired!". Some nice options will be gone and I don't like that, do you?

When you look in the File-Ex directory, you'll see a lot of files. Which one do we have to crack? Well, it's fxcomn.dll. How do I know that? Well, if there is a timelock, there must be a function inside the program checking the time remaining in the free evaluation period and you'll only find this function in... fxcomn.dll.

It's time to use our disassembler (W32Dasm). Let's disassemble fxcomn.dll: Disassembler, Open File to Disassemble.. and select fxcomn.dll.
The file should be disassembled after a few seconds.

How do we find this function? We don't know the function name.
Well, there's a way to see a list of exported functions: Functions, Exports and there you have it!
Remember what we are looking for: a function checking the time in the free evaluation period. Couldn't that be FILEEXCHECKEVALTIME? Let's try!
We're going to perform a search: Search, Find Text and fill in FILEEXCHECKEVALTIME.
Search untill you reach:


Exported fn(): FILEEXCHECKEVALTIME - Ord:0011h
:0002.05CE 8CD8                   mov ax, ds
:0002.05D0 90                     nop
:0002.05D1 45                     inc bp
:0002.05D2 55                     push bp
:0002.05D3 8BEC                   mov bp, sp
:0002.05D5 1E                     push ds
:0002.05D6 8ED8                   mov ds, ax
:0002.05D8 81EC0600               sub sp, 0006
:0002.05DC 57                     push di
:0002.05DD 56                     push si
:0002.05DE 833ED00100             cmp word ptr [01D0], 0000 ; compare what is inside memory location 01D0 with 0000
:0002.05E3 7403                   je 05E8                   ; if there is a 0 in 01D0 then jump to location 0002.05E8 else...
:0002.05E5 E91E01                 jmp 0706                  ; ...jump to location 0002.0706

Write down the offset address of the instruction je 05E8. You can find it in the status bar of W32Dasm. The address is 13E3.
Close W32Dasm.

A compare instruction is always interesting.
So let's see what will happen when we change je (7403) into jne (7503).
This will result in a jump to 0002.05E8 if there is not a 0 in 01D0.

Backup the file fxcomn.dll, just in case...

Click on "Start", "Run..." and type "hiew". Enter.
OK, you're in Hacker's View now, you'll use this program to patch the file.
Go to the File-Ex directory and select FXCOMN.DLL.
Press F4 in order to select HEX-mode (F2).
Press F5, fill in the offset address (13E3) and enter.
Press F3 and change 74 into 75. Be aware that File-Ex is not running, otherwise you'll obtain an error message!
Press F9 to update fxcomn.dll and press F10 to leave Hacker's View.

Run File-Ex again. From now on you'll always have 30 days remaining in your free evaluation period! All options are available.


Writing a patch

You should have written down the offset address of the bytes you changed. It's 13E3 where you changed 7403 into 7503.

Now you can write a little program. I wrote and compiled my patch with [Microsoft QuickBASIC v4.5].
Run Base Calculator to translate the hexadecimal offset address to a decimal one. Select "Hex", select "32 bits" and fill in 13E3. Select "Dec" now and write down the decimal value (5091).
Attention! QuickBASIC patches the file "backwards". Therefore you should use offset address + 1 in the program. Here it is:


ON ERROR GOTO Oops

FILES "fxcomn.dll"
GOSUB Title

OPEN "fxcomn.dll" FOR BINARY AS #1 LEN = 1

        GET #1, 5092, GetBytes%
        IF GetBytes% <> &H374 THEN GOTO WrongVersion

        NewBytes% = &H375
        PUT #1, 5092, NewBytes%
    
        PRINT "  File successfully patched !"

CLOSE #1

END

Oops:
GOSUB Title

SELECT CASE ERR

CASE 53
        PRINT "  File 'fxcomn.dll' not found !"
        PRINT "  Run this program in the 'File-Ex directory' !"
        END

END SELECT

Title:
CLS
PRINT "                      / ,"
PRINT "                 /\  \|/  /\"
PRINT "                 |\\_;=._//|"
PRINT "                  \."   "./"
PRINT "                  //^\ /^\\"
PRINT "           .'``",/ |0| |0| \,"``'."
PRINT "          /   ,  `'\.---./'`  ,   \"
PRINT "         /`  /`\,."(     )".,/`\  `\"
PRINT "         /`     ( '.'-.-'.' )     `\"
PRINT "         /"`     "._  :  _."     `"\"
PRINT "          `/.'`"=.,_``=``_,.="`'.\`"
PRINT "         .-"-.      )   (      .-"-."
PRINT "+-------{'. '`}-----~   ~-----{'. '`}-------+"
PRINT "|       `"---"`               `"---"`       |"
PRINT "| Patch for File-Ex v2.12c                  |"
PRINT "| http://www.cottonwoodsw.com               |"
PRINT "|                                           |"
PRINT "|                                By Snowcat |"
PRINT "+-------------------------------------------+"
PRINT
RETURN

WrongVersion:
GOSUB Title
PRINT "  This is not the correct File-Ex version,"
PRINT "  or maybe it is,"
PRINT "  but the file has been patched already."
END

Download the [source code]
Download the [crack]


Conclusion

In this session, you've learned to crack a timelock and to write a patch. It would be nicer if we could remove the "registrate reminders", but our main target (using the program after a 30 days trial period) has been achieved.

SNOWCAT

Click here when you think this tutorial is OK
Back to the main page Tutorial created by Snowcat
Tutorial created: 8th November 1998
Version 1.23, last updated: 9th August 1999