whois.html

This is a e-book How to Crack with Softice. HTML type document.

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>To see if there are any
other references, double click on the string reference again. Ahh...</FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>* StringData Ref from
Data Obj -> "Thank you for trying Who-Is. The trail"</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-> "Your trial period expires in %d days."</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004184C1 68089F4200&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
PUSH 0042AF08</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004184C6 52&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
PUSH EDX</FONT></FONT>

<P>Hm...did you notice the difference? If the time limit is reached, then
the first routine (<FONT COLOR="#993366"> <B>:0041847B</B></FONT> ) is
called. If you still have time left, then the second routine at ( <B><FONT COLOR="#993366">:004184C1</FONT></B>
) is called.

<P>We don't care about this, though. We want to totally bypass the nag.

<P>From <B><FONT COLOR="#993366">:004184C1</FONT></B> scroll upwards to
see if there are any compare/conditional jump pairs near by. Nope. There
IS, though, a reference to a conditional jump from <B><FONT COLOR="#993366">:00418475.</FONT></B>
Did you notice that this address is very close to the first nag routine
(<B><FONT COLOR="#993366"> :0041847B</FONT></B> )?

<P>OK, now go to<B> :00418472</B>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00418472&nbsp; 83FE0E&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
CMP ESI, 0000000E&nbsp;&nbsp; ;<B><FONT COLOR="#993366">&lt;- 14 day limit
is up?</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00418475&nbsp; 7E2A&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
JLE 004184A1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ;<B><FONT COLOR="#993366">&lt;-
Not yet so jump to the</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">&lt;- second routine</FONT></B></FONT></FONT>

<P><B><FONT FACE="Courier New,Courier"><FONT COLOR="#993366"><FONT SIZE=-1>So.
Remember my curiosity? Let's scroll farther upwards, shall we?</FONT></FONT></FONT></B>
<BR><B><FONT FACE="Courier New,Courier"><FONT COLOR="#993366"><FONT SIZE=-1>Ahh...Do
you see the two conditional jumps?</FONT></FONT></FONT></B>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0041841F&nbsp; 833A01&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
CMP DWORD PTR [EDX], 00000001</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00418422&nbsp; 0F85C9000000&nbsp;&nbsp;
JNE 004184F1&nbsp;&nbsp;&nbsp; ;<B><FONT COLOR="#993366">&lt;- Not a 1?
Must be registered!</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00418428&nbsp; 8B742418&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
MOV ESI, DWORD PTR [ESP+18]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0041842C&nbsp; F7C600000080&nbsp;&nbsp;
TEST ESI, 80000000</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00418432&nbsp; 0F85B9000000&nbsp;&nbsp;
JNE 004184F1&nbsp;&nbsp;&nbsp; ;<B><FONT COLOR="#993366">&lt;- No? Must
be registered!</FONT></B></FONT></FONT>

<P>If you change both JNE 004184F1 instructions to JE 004184F1 , that will
kill the first nag. It also kills, the time limit too..:).

<P>Second nag. Go back to the Data String Resouces in W32Dasm&nbsp; and
scroll down. Do you see "<FONT COLOR="#990000">This is the free preview
copy</FONT>"?&nbsp; then Double click on it.

<P>&nbsp;
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00414FA0 6870994200&nbsp;
PUSH 00429970 ;"This is the free preview copy of</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
"Who-Is."</FONT></FONT>

<P>As usual, scroll upwards to see if there is a compare/conditional jump
pair. There is.

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00414F97&nbsp; 833901&nbsp;&nbsp;&nbsp;&nbsp;
CMP DWORD PTR [ECX], 00000001</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00414F9A&nbsp; 750E&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
JNE 00414FAA&nbsp; <B><FONT COLOR="#993366">&lt;- Not a 1? Then must be
*registered*</FONT></B></FONT></FONT>

<P>Change the <B><FONT COLOR="#993366">JNE 00414FAA</FONT></B>&nbsp; to
<B><FONT COLOR="#993366">JE 00414FAA.</FONT></B>

<P>Go back to the String Ref and double click again to see if there is
another reference.
<BR>&nbsp;
<BR>There is.

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>* StringData Ref -> "This
is the free preview copy of Who-Is."</FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00416EEC 6870994200&nbsp;&nbsp;
PUSH 00429970&nbsp; ;<B><FONT COLOR="#993366">Scroll upwards to see if
there is a</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">compare / conditional jump pair.</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">There sure is!</FONT></B></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00416EE3 833901&nbsp;&nbsp;&nbsp;&nbsp;
CMP DWORD PTR [ECX],00000001</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00416EE6 750E&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
JNE 004166F6 ;<B><FONT COLOR="#993366">Not a 1? This program must be registered</FONT></B></FONT></FONT>
<BR>&nbsp;
<BR>Change the <B><FONT COLOR="#993366">JNE 004166F6</FONT></B> to <B><FONT COLOR="#993366">JE
004166F6</FONT></B>.
<BR>&nbsp;
<BR>Set your computer's date ahead 1 month and run that program. Look Ma---no
nags!!!
<BR>&nbsp;
<BR>Program cracked.
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT SIZE=+2><FONT COLOR="#0000FF">The 'Crack'</FONT>&nbsp;</FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">Load up <B>whois.exe</B> into your favorite
Hex-Editor ( I prefer hiew v5.66) but just about any Hex-Editor will do..</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Courier New,Courier"><B>SEARCH</B> FOR THE FOLLOWING BYTES
: 833A010F85C9000000F7C6000000800F85B9000000</FONT>

<P><FONT FACE="Courier New,Courier"><B>REPLACE</B> WITH <B><U><FONT COLOR="#990000">HIGHLIGHTED</FONT></U></B>
BYTES :&nbsp; 833A010F<B><FONT COLOR="#993300">84</FONT></B>C9000000F7C6000000800F<B><FONT COLOR="#993300">84</FONT></B>B9000000</FONT>

<P><FONT FACE="Courier New,Courier"><B>SEARCH</B> FOR THE FOLLOWING BYTES
:&nbsp; 833901750E6A00</FONT>
<BR><FONT FACE="Courier New,Courier"><B>REPLACE</B> WITH <B><U><FONT COLOR="#993300">HIGHLIGHTED</FONT></U></B>
BYTES :&nbsp; 833901<B><FONT COLOR="#993300">74</FONT></B>0E6A00</FONT>
<BR>&nbsp;
<BR><FONT FACE="Arial,Helvetica">Note: the last search above has 2 occurances.
Change both.</FONT>
<BR>&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT SIZE=+2><FONT COLOR="#0000FF">Final Notes</FONT>&nbsp;</FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica"><FONT COLOR="#333333">&nbsp;</FONT></FONT>
<BR>This program's protection scheme is simple but annoying.

<P><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">My thanks and gratitude goes to:-</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">Fravia+ for providing possibly the greatest
source of Reverse Engineering</FONT>
<BR><FONT FACE="Arial,Helvetica">knowledge on the Web.</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">+ORC for showing me the light at the end
of the tunnel.</FONT>
<BR>&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT COLOR="#0000FF"><FONT SIZE=+2>Ob Duh</FONT></FONT>&nbsp;</CENTER>
</TD>
</TR>
</TABLE>
<I><FONT FACE="Arial,Helvetica">&nbsp;</FONT></I>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><I><FONT FACE="Arial,Helvetica">Do I really have to remind you all
that by buying and NOT stealing the software you use will ensure that these
software houses will continue to&nbsp; produce even *better* software for
us to use and more importantly, to continue offering even more challenges
to breaking their often weak protection systems.</FONT></I>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><I><FONT FACE="Arial,Helvetica">If your looking for cracks or serial
numbers from these pages then your wasting your time, try searching elsewhere
on the Web under Warze, Cracks etc.</FONT></I>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR>&nbsp;
<BR><FONT FACE="Arial,Helvetica"><FONT SIZE=-2>Essay by: <A HREF="mailto:KLee8084@snet.net">KLee8084</A></FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT SIZE=-2>Page Created: 24th July
1998</FONT></FONT>
</BODY>
</HTML>