From:alt-f4@
To: gthorne@freenet.tlh.fl.us
Subject: My strainer work so far.

Hi Remeber me?
We were talking the other day on #coders (I was the perwson with the 486 :)

Anyway, you said you would look at what I had done so far on the strainer.
I have attached it to this file.

So far I have only done the old money version, but all I wan't to know is if
I am on the right track, and what improvements I could make in my
description/style of writing/approach to cracking.

Thanks very much for doing this. If you changed your mind and don't want to,
no worries.

Alt-f4
Part1:

First I had to find it! I searched archies, ftp-search, deja-news, irc, 
and 
everything else I could think of, but to no avail(I did manage to find 
version 1.00 somewhere though!).
I kept looking, whilst I cracked Money 1. One day Fravia said he haid it 
on 
his +Orc page, but it wasn't there! After another week he actually 
put it there, and I was able to start. It was in French, and I can only 
speak English, but I was able to manage...


I set the date to the 1/1/94, and installed money.
I ran, and looking at what it did. I then made directory listings, backed 
up copies of all the money files, and a copy of the registery.
Running the program past the date, I see that it has a dialog telling 
you that it is expired, but it seems to work as before.
Then set the date back, and try to run. It still Works! Mircosoft are 
pathetic! Even the simplest of programmers would have added code to stop 
you 
setting the date back once it expires!


Ok, time for some cracking
Now I run the prgram through WCB, and look at the source code.
Hmmm, it's different to what you wrote, but not substantially so.

Ok, lets try doing the first patch like you suggested.(At 8:17D0)
BUT LOOK! we don't want always fall into the code, we want to always jump 
over it!

Thus change:
8:17E8	7246	jb 1830	;Jump only when ok
to
8:17E8	EB46	jmp 1830	;Always jump

Running this, it Works!
No more dialog telling us that we are expired!
We do get a new screen though, warning us that our time is up.
Looking at 8:1830 (where we jump to), we find:

  8.1830 >50                       push    ax
  8.1831  9AE6083E18               call    81:08E6
  8.1836  FF76F0                   push    word ptr [bp-10]
  8.1839  8BF0                     mov     si, ax
  8.183B  9AE608EB14               call    81:08E6
  8.1840  2BF0                     sub     si, ax
  8.1842  8976FE                   mov     [bp-02], si
  8.1845  83FE07                   cmp     si, 0007
  8.1848  7F22                     jg      186C
  8.184A  8A46FE                   mov     al, byte ptr [bp-02]
  8.184D  0430                     add     al, 30
  8.184F  8846EE                   mov     byte ptr [bp-12], al
  8.1852  C646EF00                 mov     byte ptr [bp-11], 00
  8.1856  681949                   push    4919
  8.1859  68D207                   push    07D2
  8.185C  8D46EE                   lea     ax, [bp-12]
  8.185F  16                       push    ss
  8.1860  50                       push    ax
  8.1861  6A00                     push    0000
  8.1863  6A00                     push    0000
  8.1865  6A40                     push    0040
  8.1867  9A44B11315               call    64:B144	;BAD GUY Call

  8.186C >8B5E08                   mov     bx, [bp+08] ;Continue..



Gets the dates, compares, and if less than 7 days left, jump.
Ok easy, lets change

8.1848  7F22                     jg      186C	;jump GoodGuy if more 
than week
to
8.1848  EB22                     jmp      186C	;jump GoodGuy all the time

Run, and it works.

Lastly, we had better see what happens with dates before the installation 
date.
Bpx on messagebox. Look at the stack. p ret a couple of time

  8.180D  9AD8053418               call    81:05D8
  8.1812  8BD8                     mov     bx, ax
  8.1814  368B07                   mov     ax, ss:[bx]
  8.1817  8946FE                   mov     [bp-02], ax
  8.181A  8B46F4                   mov     ax, [bp-0C]
  8.181D  3946FE                   cmp     [bp-02], ax
  8.1820  73C0                     jae     17E2	;If date is above, goto 
goodguy
  8.1822  681809                   push    0918
  8.1825  6A00                     push    0000
  8.1827  9A1AAD6A18               call    64:AD1A	;Call BadGuy
  8.182C  E9D8FD                   jmp     1607
Could they have made it any easier? Gets installation date, and todays 
date, 
and only continues if date is above or equal!

Another simple crack, change
jae 17E2
jmp 17E2



So what were you talking about when you said "all this DOES NOT 
work correctly... did I forgot something?"???
Ahh I think I see, you have only done half the crack, we 
haven't done the date transaction crap yet..

Ok, lets try entering some dates.
All dates before 2/3/94 work, but dates after that have a 
message box, telling us our time is up.

Ok searching for messagebox in the listing, there are 
2 instances, which are both close together.

 64.B434 >FF76FA                   push    word ptr [bp-06]
 64.B437  8D8644FD                 lea     ax, [bp-02BC]
 64.B43B  16                       push    ss
 64.B43C  50                       push    ax
 64.B43D  8D4688                   lea     ax, [bp-78]
 64.B440  16                       push    ss
 64.B441  50                       push    ax
 64.B442  FF76F8                   push    word ptr [bp-08]
 64.B445  9AFFFF0000               call    USER.MESSAGEBOX
 64.B44A  8BF0                     mov     si, ax
 64.B44C  0BF6                     or      si, si
 64.B44E  751F                     jne     B46F
 64.B450  FF76FA                   push    word ptr [bp-06]
 64.B453  8D8644FD                 lea     ax, [bp-02BC]
 64.B457  16                       push    ss
 64.B458  50                       push    ax
 64.B459  8D4688                   lea     ax, [bp-78]

 64.B45B >8816508A                 mov     byte ptr [8A50], dl
 64.B45F  46                       inc     si
 64.B460  F8                       clc    
 64.B461  250F00                   and     ax, 000F
 64.B464  0D1010                   or      ax, 1010
 64.B467  50                       push    ax
 64.B468  9A46B40000               call    USER.MESSAGEBOX

Ok, Using Winice 

BPX messagebox
and check if 64:b445 is the right message box.
After entering a bad date, landing in messagebox and using p ret, 
Softice tells me I am in 40:B44A.
WCB uses decimal for its segments and 40Hex = 64 Decimal, so the 
first messagebox is the right one.

The important thing here, is that there are no conditions(such as jne) 
above this, so it has already decided a bad date. Therefore we must look 
at 
the code that Calls 64:B434

Now I could search the listing, to find any such calls, but it takes ages 
on my little 486, and I already have winice loaded, so time for a look at 
the stack...

0A:00A8
0A:2e70
User!GetMessage+368
06:01BE
35:223A
0E:360F
40:AF7E
 => 40:B44A

Lets have a look at 40:AF7E:

 64.AF58  8CD8                     mov     ax, ds
 64.AF5A  90                       nop    
 64.AF5B  45                       inc     bp
 64.AF5C  55                       push    bp
 64.AF5D  8BEC                     mov     bp, sp
 64.AF5F  1E                       push    ds
 64.AF60  8ED8                     mov     ds, ax
 64.AF62  83EC02                   sub     sp, 0002
 64.AF65  8B460C                   mov     ax, [bp+0C]
 64.AF68  80CC40                   or      ah, 40
 64.AF6B  50                       push    ax
 64.AF6C  68D107                   push    07D1
 64.AF6F  FF760A                   push    word ptr [bp+0A]
 64.AF72  FF7608                   push    word ptr [bp+08]
 64.AF75  6A00                     push    0000
 64.AF77  6A00                     push    0000
 64.AF79  6A24                     push    0024
 64.AF7B  FF7606                   push    word ptr [bp+06]
 64.AF7E  9A76B1B6AF               call    64:B176	;Call Message Box
 64.AF83  8D66FE                   lea     sp, [bp-02]
 64.AF86  1F                       pop     ds
 64.AF87  5D                       pop     bp
 64.AF88  4D                       dec     bp
 64.AF89  CA0800                   retf    0008

Hmm, no conditionals again. Could keep going, but the Call goes to B176 
and not B434. Lets have a look at 64:B176


 64.B176  8CD8                     mov     ax, ds
 64.B178  90                       nop    
 64.B179  45                       inc     bp
 64.B17A  55                       push    bp
 64.B17B  8BEC                     mov     bp, sp
 64.B17D  1E                       push    ds
 64.B17E  8ED8                     mov     ds, ax
 64.B180  81ECC202                 sub     sp, 02C2
 64.B184  57                       push    di
 64.B185  56                       push    si
 64.B186  8B4606                   mov     ax, [bp+06]
 64.B189  8946FA                   mov     [bp-06], ax
 64.B18C  8B4608                   mov     ax, [bp+08]
 64.B18F  8946F8                   mov     [bp-08], ax
 64.B192  837EFA00                 cmp     word ptr [bp-06], 0000
 64.B196  7508                     jne     B1A0
 64.B198  9AF0ACCEB1               call    64:ACF0

Hmm, jumps to B1A0, but still no jump to the right code.

I now think back to the start of the 4.2 tute, and remember that you said 
'...since the protectionists are aware of these obvious "weak" 
points in their schemes, there "defences" will all be concentrated on 
this "path"'
How stupid of me! I am pretty sure I could crack it this way (Microsofts 
"defences" don't seem to good), but why take the hard way when I can 
get the same result but with an easier way.

Ok, time to sit back and think a little.
Why not use a "registration code" type crack, and find what happens 
to the date I enter?

Lets try entering a date, searching for it, and breaking on read/writes

I enter the date 5/5/95
search 30:0 Lffffffff '5/5/'
Cool, only one found above 80000000
at 30:8086CC2A

set bpr on this
bpr 30:8086CC2A 30:8086CC2A+5 rw

and go

Break into some code copying it, so set another range and go again.

Breaks in some code at language(1):466. Not very interesting, so keep 
going...

Lands in 5:B1B, this looks much more promising, Have a quick step 
through, 
doesn't do much, so unlikely to be of much importance.

go again, and we land in 51:266. BINGO!
Look at the code:

 81.0234  8CD8                     mov     ax, ds
 81.0236  90                       nop    
 81.0237  45                       inc     bp
 81.0238  55                       push    bp
 81.0239  8BEC                     mov     bp, sp
 81.023B  1E                       push    ds
 81.023C  8ED8                     mov     ds, ax
 81.023E  83EC1A                   sub     sp, 001A
 81.0241  57                       push    di
 81.0242  56                       push    si
 81.0243  8B7E0A                   mov     di, [bp+0A]
 81.0246  8D7501                   lea     si, [di+01]
 81.0249  8A15                     mov     dl, byte ptr [di]
 81.024B  2AF6                     sub     dh, dh
 81.024D  03D6                     add     dx, si
 81.024F  C746FA0000               mov     word ptr [bp-06], 0000
 81.0254  C746FCFFFF               mov     word ptr [bp-04], FFFF
 81.0259  3BD6                     cmp     dx, si
 81.025B  761B                     jbe     0278
 81.025D  8956F8                   mov     [bp-08], dx
 81.0260  8D7EEA                   lea     di, [bp-16]
 81.0263  8B4EFC                   mov     cx, [bp-04]

 81.0266 >AC                       lodsb  		;get next character
 81.0267  2AE4                     sub     ah, ah
 81.0269  3D2F00                   cmp     ax, 002F	; is it '/'
 81.026C  7F10                     jg      027E
 81.026E  3D2D00                   cmp     ax, 002D	; is it '-'
 81.0271  7D48                     jnl     02BB
 81.0273  2D2000                   sub     ax, 0020
 81.0276  EB16                     jmp     028E

 81.0278 >8B4EFC                   mov     cx, [bp-04]
 81.027B  EB59                     jmp     02D6
 81.027D  90                       nop    

 81.027E >2D3000                   sub     ax, 0030
 81.0281  7C0D                     jl      0290
 81.0283  2D0900                   sub     ax, 0009
 81.0286  7F03                     jg      028B
 81.0288  E99300                   jmp     031E

 81.028B >2D6700                   sub     ax, 0067

 81.028E >7478                     je      0308

 81.0290 >8A44FF                   mov     al, byte ptr [si-01]
 81.0293  8846E8                   mov     byte ptr [bp-18], al
 81.0296  3A069662                 cmp     al, byte ptr [6296]
 81.029A  741F                     je      02BB
 81.029C  A09762                   mov     al, [6297]
 81.029F  3846E8                   cmp     byte ptr [bp-18], al
 81.02A2  7417                     je      02BB
 81.02A4  807EE820                 cmp     byte ptr [bp-18], 20
 81.02A8  7403                     je      02AD
 81.02AA  E98702                   jmp     0534

 81.02AD >803E9662A0               cmp     byte ptr [6296], A0
 81.02B2  7407                     je      02BB
 81.02B4  3CA0                     cmp     al, A0
 81.02B6  7403                     je      02BB
 81.02B8  E97902                   jmp     0534

 81.02BB >8D46F0                   lea     ax, [bp-10]
 81.02BE  3BF8                     cmp     di, ax
 81.02C0  7503                     jne     02C5
 81.02C2  E96F02                   jmp     0534

 81.02C5 >83C702                   add     di, 0002
 81.02C8  894DFE                   mov     [di-02], cx
 81.02CB  FF46FA                   inc     word ptr [bp-06]
 81.02CE  B9FFFF                   mov     cx, FFFF

 81.02D1 >3976F8                   cmp     [bp-08], si
 81.02D4  7790                     ja      0266

 81.02D6 >8B76FA                   mov     si, [bp-06]
 81.02D9  83FE03                   cmp     si, 0003
 81.02DC  7503                     jne     02E1
 81.02DE  E95302                   jmp     0534

 81.02E1 >8D5AEA                   lea     bx, [bp+si-16]
 81.02E4  368908                   mov     ss:[bx+si], cx
 81.02E7  B8FFFF                   mov     ax, FFFF
 81.02EA  8946F4                   mov     [bp-0C], ax
 81.02ED  8946F0                   mov     [bp-10], ax
 81.02F0  8946F2                   mov     [bp-0E], ax
 81.02F3  8D4401                   lea     ax, [si+01]
 81.02F6  48                       dec     ax
 81.02F7  48                       dec     ax
 81.02F8  7442                     je      033C
 81.02FA  48                       dec     ax
 81.02FB  7469                     je      0366
 81.02FD  8B46EA                   mov     ax, [bp-16]
 81.0300  8946F2                   mov     [bp-0E], ax
 81.0303  E99000                   jmp     0396
 81.0306  90                       nop    
 81.0307  90                       nop    

 81.0308 >3976F8                   cmp     [bp-08], si
 81.030B  76C4                     jbe     02D1
 81.030D  83F9FF                   cmp     cx, FFFF
 81.0310  74BF                     je      02D1
 81.0312  803C30                   cmp     byte ptr [si], 30
 81.0315  72BA                     jb      02D1
 81.0317  803C39                   cmp     byte ptr [si], 39
 81.031A  77B5                     ja      02D1
 81.031C  EB9D                     jmp     02BB

 81.031E >83F9FF                   cmp     cx, FFFF
 81.0321  7502                     jne     0325
 81.0323  33C9                     xor     cx, cx

 81.0325 >8A44FF                   mov     al, byte ptr [si-01]
 81.0328  2AE4                     sub     ah, ah
 81.032A  8BD1                     mov     dx, cx
 81.032C  C1E202                   shl     dx, 02
 81.032F  03D1                     add     dx, cx
 81.0331  D1E2                     shl     dx, 1
 81.0333  03C2                     add     ax, dx
 81.0335  2D3000                   sub     ax, 0030
 81.0338  8BC8                     mov     cx, ax
 81.033A  EB95                     jmp     02D1

 81.033C >A09462                   mov     al, [6294]
 81.033F  2403                     and     al, 03
 81.0341  3C02                     cmp     al, 02
 81.0343  7532                     jne     0377
 81.0345  8B46EA                   mov     ax, [bp-16]
 81.0348  8B369462                 mov     si, [6294]
 81.034C  83E660                   and     si, 0060
 81.034F  C1EE04                   shr     si, 04
 81.0352  8942F0                   mov     [bp+si-10], ax
 81.0355  8B46EC                   mov     ax, [bp-14]
 81.0358  8B369462                 mov     si, [6294]
 81.035C  81E60018                 and     si, 1800
 81.0360  C1EE0A                   shr     si, 0A
 81.0363  EB2E                     jmp     0393
 81.0365  90                       nop    

 81.0366 >8B46EE                   mov     ax, [bp-12]
 81.0369  8B369462                 mov     si, [6294]
 81.036D  81E60018                 and     si, 1800
 81.0371  C1EE0A                   shr     si, 0A
 81.0374  8942F0                   mov     [bp+si-10], ax

 81.0377 >8B46EA                   mov     ax, [bp-16]
 81.037A  8B369462                 mov     si, [6294]
 81.037E  83E603                   and     si, 0003
 81.0381  D1E6                     shl     si, 1
 81.0383  8942F0                   mov     [bp+si-10], ax
 81.0386  8B46EC                   mov     ax, [bp-14]
 81.0389  8B369462                 mov     si, [6294]
 81.038D  83E660                   and     si, 0060
 81.0390  C1EE04                   shr     si, 04

 81.0393 >8942F0                   mov     [bp+si-10], ax

 81.0396 >8D46FC                   lea     ax, [bp-04]
 81.0399  50                       push    ax
 81.039A  9A5205FFFF               call    81:0552	;Get Todays Date
 81.039F  8BD8                     mov     bx, ax
 81.03A1  368B07                   mov     ax, ss:[bx]
 81.03A4  8946F6                   mov     [bp-0A], ax
 81.03A7  837EF2FF                 cmp     word ptr [bp-0E], FFFF
 81.03AB  751E                     jne     03CB
 81.03AD  837EF0FF                 cmp     word ptr [bp-10], FFFF
 81.03B1  7513                     jne     03C6
 81.03B3  837EF4FF                 cmp     word ptr [bp-0C], FFFF
 81.03B7  750D                     jne     03C6
 81.03B9  8A46F6                   mov     al, byte ptr [bp-0A]
 81.03BC  251F00                   and     ax, 001F
 81.03BF  40                       inc     ax
 81.03C0  8946F2                   mov     [bp-0E], ax
 81.03C3  EB06                     jmp     03CB
 81.03C5  90                       nop    

 81.03C6 >C746F20100               mov     word ptr [bp-0E], 0001

 81.03CB >837EF0FF                 cmp     word ptr [bp-10], FFFF
 81.03CF  750B                     jne     03DC
 81.03D1  837EF4FF                 cmp     word ptr [bp-0C], FFFF
 81.03D5  740B                     je      03E2
 81.03D7  C746F00100               mov     word ptr [bp-10], 0001

 81.03DC >8B7E08                   mov     di, [bp+08]
 81.03DF  EB30                     jmp     0411
 81.03E1  90                       nop    

 81.03E2 >8B7E08                   mov     di, [bp+08]
 81.03E5  F7C70800                 test    di, 0008
 81.03E9  7467                     je      0452
 81.03EB  8A46F6                   mov     al, byte ptr [bp-0A]
 81.03EE  251F00                   and     ax, 001F
 81.03F1  3B46F2                   cmp     ax, [bp-0E]
 81.03F4  7C03                     jl      03F9
 81.03F6  E99200                   jmp     048B

 81.03F9 >33DB                     xor     bx, bx

 81.03FB >8B46F6                   mov     ax, [bp-0A]
 81.03FE  25E001                   and     ax, 01E0
 81.0401  C1E805                   shr     ax, 05
 81.0404  03C3                     add     ax, bx
 81.0406  B90C00                   mov     cx, 000C
 81.0409  2BD2                     sub     dx, dx
 81.040B  F7F1                     div     cx
 81.040D  42                       inc     dx
 81.040E  8956F0                   mov     [bp-10], dx

 81.0411 >837EF4FF                 cmp     word ptr [bp-0C], FFFF
 81.0415  7403                     je      041A
 81.0417  E9D600                   jmp     04F0

 81.041A >8B46F6                   mov     ax, [bp-0A]
 81.041D  C1E809                   shr     ax, 09
 81.0420  059C07                   add     ax, 079C
 81.0423  8946F4                   mov     [bp-0C], ax
 81.0426  F7C70800                 test    di, 0008
 81.042A  746E                     je      049A
 81.042C  8B46F6                   mov     ax, [bp-0A]
 81.042F  25E001                   and     ax, 01E0
 81.0432  C1E805                   shr     ax, 05
 81.0435  8946E6                   mov     [bp-1A], ax
 81.0438  2B46F0                   sub     ax, [bp-10]
 81.043B  40                       inc     ax
 81.043C  7554                     jne     0492
 81.043E  8A46F6                   mov     al, byte ptr [bp-0A]
 81.0441  251F00                   and     ax, 001F
 81.0444  3B46F2                   cmp     ax, [bp-0E]
 81.0447 >7D03                     jnl     044C
 81.0449  E9CF00                   jmp     051B

 81.044C >FF46F4                   inc     word ptr [bp-0C]
 81.044F  E9C900                   jmp     051B

 81.0452 >F7C70400                 test    di, 0004
 81.0456  7412                     je      046A
 81.0458  8A46F6                   mov     al, byte ptr [bp-0A]
 81.045B  251F00                   and     ax, 001F
 81.045E  40                       inc     ax
 81.045F  3B46F2                   cmp     ax, [bp-0E]
 81.0462  7D95                     jnl     03F9

 81.0464 >BB0B00                   mov     bx, 000B
 81.0467  EB92                     jmp     03FB
 81.0469  90                       nop    

 81.046A >8A46F6                   mov     al, byte ptr [bp-0A]
 81.046D  251F00                   and     ax, 001F
 81.0470  2B46F2                   sub     ax, [bp-0E]
 81.0473  F7D8                     neg     ax
 81.0475  3D1400                   cmp     ax, 0014
 81.0478  7DEA                     jnl     0464
 81.047A  8A46F6                   mov     al, byte ptr [bp-0A]
 81.047D  251F00                   and     ax, 001F
 81.0480  2B46F2                   sub     ax, [bp-0E]
 81.0483  3D0B00                   cmp     ax, 000B
 81.0486  7D03                     jnl     048B
 81.0488  E96EFF                   jmp     03F9

 81.048B >BB0100                   mov     bx, 0001
 81.048E  E96AFF                   jmp     03FB
 81.0491  90                       nop    

 81.0492 >8B46F0                   mov     ax, [bp-10]
 81.0495  3946E6                   cmp     [bp-1A], ax
 81.0498  EBAD                     jmp     0447

 ;***********************turns a date into a number
 81.049A >8BC7                     mov     ax, di
 81.049C  A804                     test    al, 04
 81.049E  742E                     je      04CE
 81.04A0  8B46F6                   mov     ax, [bp-0A]
 81.04A3  25E001                   and     ax, 01E0
 81.04A6  C1E805                   shr     ax, 05
 81.04A9  8946E6                   mov     [bp-1A], ax
 81.04AC  2B46F0                   sub     ax, [bp-10]
 81.04AF  40                       inc     ax
 81.04B0  7512                     jne     04C4
 81.04B2  8A46F6                   mov     al, byte ptr [bp-0A]
 81.04B5  251F00                   and     ax, 001F
 81.04B8  40                       inc     ax
 81.04B9  3B46F2                   cmp     ax, [bp-0E]

 81.04BC >7D5D                     jnl     051B

 81.04BE >FF4EF4                   dec     word ptr [bp-0C]
 81.04C1  EB58                     jmp     051B
 81.04C3  90                       nop    

 81.04C4 >8B46E6                   mov     ax, [bp-1A]
 81.04C7  40                       inc     ax
 81.04C8  3B46F0                   cmp     ax, [bp-10]
 81.04CB  EBEF                     jmp     04BC
 81.04CD  90                       nop    

 81.04CE >8B46F6                   mov     ax, [bp-0A]
 81.04D1  25E001                   and     ax, 01E0
 81.04D4  C1E805                   shr     ax, 05
 81.04D7  8946E6                   mov     [bp-1A], ax
 81.04DA  2B46F0                   sub     ax, [bp-10]
 81.04DD  F7D8                     neg     ax
 81.04DF  3D0900                   cmp     ax, 0009
 81.04E2  7DDA                     jnl     04BE
 81.04E4  8B46E6                   mov     ax, [bp-1A]
 81.04E7  2B46F0                   sub     ax, [bp-10]
 81.04EA  3D0400                   cmp     ax, 0004
 81.04ED  E957FF                   jmp     0447


;***************Checks year is in long format: Ie 94 becomes 1994
 81.04F0 >817EF49C07               cmp     word ptr [bp-0C], 079C
 81.04F5  7D24                     jnl     051B
 81.04F7  8146F46C07               add     word ptr [bp-0C], 076C
 81.04FC  817EF49C07               cmp     word ptr [bp-0C], 079C
 81.0501  7C14                     jl      0517
 81.0503  8BC7                     mov     ax, di
 81.0505  A808                     test    al, 08
 81.0507  7412                     je      051B
 81.0509  8B46F6                   mov     ax, [bp-0A]
 81.050C  C1E809                   shr     ax, 09
 81.050F  059C07                   add     ax, 079C
 81.0512  3B46F4                   cmp     ax, [bp-0C]
 81.0515  7E04                     jle     051B

 81.0517 >8346F464                 add     word ptr [bp-0C], 0064

 81.051B >FF76F4                   push    word ptr [bp-0C]
 81.051E  FF76F0                   push    word ptr [bp-10]
 81.0521  FF76F2                   push    word ptr [bp-0E]
 81.0524  8D46FC                   lea     ax, [bp-04]
 81.0527  50                       push    ax
 81.0528  9AAE101306               call    81:10AE	;Calculate number 
 81.052D  8BD8                     mov     bx, ax
 81.052F  368B07                   mov     ax, ss:[bx]
 81.0532  EB08                     jmp     053C

 81.0534 >C746F6FFFF               mov     word ptr [bp-0A], FFFF
 81.0539  8B46F6                   mov     ax, [bp-0A]

 81.053C >8B5E06                   mov     bx, [bp+06]
 81.053F  368907                   mov     ss:[bx], ax
 81.0542  8BC3                     mov     ax, bx
 81.0544  8CD2                     mov     dx, ss
 81.0546  5E                       pop     si
 81.0547  5F                       pop     di
 81.0548  8D66FE                   lea     sp, [bp-02]
 81.054B  1F                       pop     ds
 81.054C  5D                       pop     bp
 81.054D  4D                       dec     bp
 81.054E  CA0600                   retf    0006

The Call to 81:10AE calculates a number based on the date. The formula is

	number=(year-1948)*512 + (month-1) * 32 + (day-1)

To go from a number to the corresponding date, use:
	year  = (num / 512) + 48
	month = ((num / 16) MOD 16) / 2 + 1
	day   = num MOD 32 + 1



Ok, we know the above code gets the field data, and turns it into a 
number. 
Now just bpr on places this number goes to.
Right after the routine(using p ret)
At 51:53F it is copied into ss:bx
-So use bpr ss:bx ss:bx+1 rw

At E:1892 it is copied into bp-10
-So use bpr bp-10 bp-10+1 rw
The value is still in ax though, and is copied again at:
14.18AC

 14.1892  8946F0                   mov     [bp-10], ax		;Copied Once
 14.1895  3DFFFF                   cmp     ax, FFFF
 14.1898  7512                     jne     18AC
 14.189A  680308                   push    0803

 14.189D >8D4501                   lea     ax, [di+01]

 14.18A0 >1E                       push    ds
 14.18A1  50                       push    ax
 14.18A2  6A00                     push    0000
 14.18A4  9A84AE2C09               call    64:AE84
 14.18A9  E9C8FE                   jmp     1774

 14.18AC >A3D870                   mov     [70D8], ax		;Copied Again

WAHOOO! found it!
This looks very promising, the date number is copied into a global variable.

Okay, clear all other break points, and just break point on 70D8.



We end up here

 14.2B63 >A1D664                   mov     ax, [64D6]
 14.2B66  3906D870                 cmp     [70D8], ax
 14.2B6A  7203                     jb      2B6F
 14.2B6C  E9970A                   jmp     3606		;GOTO OoR

Does changing jb 2b6F to jmp 2b6F work? YES! cracked!


Ok, to crack this part of the crap, just change:
7203 	jb 	2B63
EB03	jmp 	2B63




Total patches needed are:
Change 

83FE077F22 to
83FE07EB22

3946F07246 to
3946F0E246

3906D8707203 to
3906D870EB03

3946FE73C0 to
3946FEEBC0
-----------------------------------------------------------------------------

Ok, this is all that is required to crack this crap, but you said you 
wanted 
us to "DELVE DEEP", so I'll keep looking for more stuff.

The first thing that interested me was where the installation date stuff 
was 
kept. I knew it was moved into 64D6 some time, so I looked in the 
listing, 
for whenever stuff was placed into 64D6, or whenever it was pushed before 
a call.

Setting a bpr on ds:64D6, I see that the installation date is copied 
into 64D6 at 8:18ED
Ok, what calls this code? Looking at the stack, I see that it is called at

8.02EC  E84D12                   call    153C

Looking for the start of this bit of code, I see an interseting little call:
8.01A6  9AFFFF0000               call    KERNEL._LREAD

How nice, obviously reading the expiry date from some file? But which file?

Now the normal thing to do now, would be to either search in the listing 
for 
"open", or to bpx on _lopen and openfile

I felt like experimenting though, so I quit out of windows, load kgb, and 
then load up windows again(I cannot run 95 on my computer, so I can't use 
filemon.exe)
Running money, I see the only files it seems to load are msmoney.exe, and 
msmoney.mny

I search both files  for "415C" (5C41 in little endian notation)

Found It!
The installation date is stored at offset 0x224 in msmoney.mny
Change the date around, and it changes the date when the program expires!
      




Part2 Crack for Money 95:

First I had to find it! I searched archies, ftp-search, deja-news, irc, and 
everything else I could think of, but to no avail(I did manage to find 
version 1.00 somewhere though!).
I kept looking, whilst I cracked Money 1. One day Fravia said he haid it on 
his +Orc page, but it wasn't there! After another week he actually 
put it there, and I was able to start. It was in French, and I can only 
speak English, but I was able to manage...


I set the date to the 1/1/94, and installed money.
I ran, and looking at what it did. I then made directory listings, backed 
up copies of all the money files, and a copy of the registery.
Running the program past the date, I see that it has a dialog telling 
you that it is expired, but it seems to work as before.
Then set the date back, and try to run. It still Works! Mircosoft are 
pathetic! Even the simplest of programmers would have added code to stop you 
setting the date back once it expires!


Ok, time for some cracking
Now I run the prgram through WCB, and look at the source code.
Hmmm, it's different to what you wrote, but not substantially so.

Ok, lets try doing the first patch like you suggested.(At 8:17D0)
BUT LOOK! we don't want always fall into the code, we want to always jump 
over it!

Thus change:
8:17E8  7246    jb 1830 ;Jump only when ok
to
8:17E8  EB46    jmp 1830        ;Always jump

Running this, it Works!
No more dialog telling us that we are expired!
We do get a new screen though, warning us that our time is up.
Looking at 8:1830 (where we jump to), we find:

  8.1830 >50                       push    ax
  8.1831  9AE6083E18               call    81:08E6
  8.1836  FF76F0                   push    word ptr [bp-10]
  8.1839  8BF0                     mov     si, ax
  8.183B  9AE608EB14               call    81:08E6
  8.1840  2BF0                     sub     si, ax
  8.1842  8976FE                   mov     [bp-02], si
  8.1845  83FE07                   cmp     si, 0007
  8.1848  7F22                     jg      186C
  8.184A  8A46FE                   mov     al, byte ptr [bp-02]
  8.184D  0430                     add     al, 30
  8.184F  8846EE                   mov     byte ptr [bp-12], al
  8.1852  C646EF00                 mov     byte ptr [bp-11], 00
  8.1856  681949                   push    4919
  8.1859  68D207                   push    07D2
  8.185C  8D46EE                   lea     ax, [bp-12]
  8.185F  16                       push    ss
  8.1860  50                       push    ax
  8.1861  6A00                     push    0000
  8.1863  6A00                     push    0000
  8.1865  6A40                     push    0040
  8.1867  9A44B11315               call    64:B144      ;BAD GUY Call

  8.186C >8B5E08                   mov     bx, [bp+08] ;Continue..



Gets the dates, compares, and if less than 7 days left, jump.
Ok easy, lets change

8.1848  7F22                     jg      186C   ;jump GoodGuy if more than week
to
8.1848  EB22                     jmp      186C  ;jump GoodGuy all the time

Run, and it works.

Lastly, we had better see what happens with dates before the installation 
date. Bpx on messagebox. Look at the stack. p ret a couple of time

  8.180D  9AD8053418               call    81:05D8
  8.1812  8BD8                     mov     bx, ax
  8.1814  368B07                   mov     ax, ss:[bx]
  8.1817  8946FE                   mov     [bp-02], ax
  8.181A  8B46F4                   mov     ax, [bp-0C]
  8.181D  3946FE                   cmp     [bp-02], ax
  8.1820  73C0                     jae     17E2 ;If date is above, goto goodguy
  8.1822  681809                   push    0918
  8.1825  6A00                     push    0000
  8.1827  9A1AAD6A18               call    64:AD1A      ;Call BadGuy
  8.182C  E9D8FD                   jmp     1607
Could they have made it any easier? Gets installation date, and todays date, 
and only continues if date is above or equal!

Another simple crack, change
jae 17E2
jmp 17E2



So what were you talking about when you said "all this DOES NOT 
work correctly... did I forgot something?"???
Ahh I think I see, you have only done half the crack, we 
haven't done the date transaction crap yet..

Ok, lets try entering some dates.
All dates before 2/3/94 work, but dates after that have a 
message box, telling us our time is up.

Ok searching for messagebox in the listing, there are 
2 instances, which are both close together.

 64.B434 >FF76FA                   push    word ptr [bp-06]
 64.B437  8D8644FD                 lea     ax, [bp-02BC]
 64.B43B  16                       push    ss
 64.B43C  50                       push    ax
 64.B43D  8D4688                   lea     ax, [bp-78]
 64.B440  16                       push    ss
 64.B441  50                       push    ax
 64.B442  FF76F8                   push    word ptr [bp-08]
 64.B445  9AFFFF0000               call    USER.MESSAGEBOX
 64.B44A  8BF0                     mov     si, ax
 64.B44C  0BF6                     or      si, si
 64.B44E  751F                     jne     B46F
 64.B450  FF76FA                   push    word ptr [bp-06]
 64.B453  8D8644FD                 lea     ax, [bp-02BC]
 64.B457  16                       push    ss
 64.B458  50                       push    ax
 64.B459  8D4688                   lea     ax, [bp-78]

 64.B45B >8816508A                 mov     byte ptr [8A50], dl
 64.B45F  46                       inc     si
 64.B460  F8                       clc    
 64.B461  250F00                   and     ax, 000F
 64.B464  0D1010                   or      ax, 1010
 64.B467  50                       push    ax
 64.B468  9A46B40000               call    USER.MESSAGEBOX

Ok, Using Winice 

BPX messagebox
and check if 64:b445 is the right message box.
After entering a bad date, landing in messagebox and using p ret, 
Softice tells me I am in 40:B44A.
WCB uses decimal for its segments and 40Hex = 64 Decimal, so the 
first messagebox is the right one.

The important thing here, is that there are no conditions(such as jne) 
above this, so it has already decided a bad date. Therefore we must look at 
the code that Calls 64:B434

Now I could search the listing, to find any such calls, but it takes ages 
on my little 486, and I already have winice loaded, so time for a look at 
the stack...

0A:00A8
0A:2e70
User!GetMessage+368
06:01BE
35:223A
0E:360F
40:AF7E
 => 40:B44A

Lets have a look at 40:AF7E:

 64.AF58  8CD8                     mov     ax, ds
 64.AF5A  90                       nop    
 64.AF5B  45                       inc     bp
 64.AF5C  55                       push    bp
 64.AF5D  8BEC                     mov     bp, sp
 64.AF5F  1E                       push    ds
 64.AF60  8ED8                     mov     ds, ax
 64.AF62  83EC02                   sub     sp, 0002
 64.AF65  8B460C                   mov     ax, [bp+0C]
 64.AF68  80CC40                   or      ah, 40
 64.AF6B  50                       push    ax
 64.AF6C  68D107                   push    07D1
 64.AF6F  FF760A                   push    word ptr [bp+0A]
 64.AF72  FF7608                   push    word ptr [bp+08]
 64.AF75  6A00                     push    0000
 64.AF77  6A00                     push    0000
 64.AF79  6A24                     push    0024
 64.AF7B  FF7606                   push    word ptr [bp+06]
 64.AF7E  9A76B1B6AF               call    64:B176      ;Call Message Box
 64.AF83  8D66FE                   lea     sp, [bp-02]
 64.AF86  1F                       pop     ds
 64.AF87  5D                       pop     bp
 64.AF88  4D                       dec     bp
 64.AF89  CA0800                   retf    0008

Hmm, no conditionals again. Could keep going, but the Call goes to B176 
and not B434. Lets have a look at 64:B176


 64.B176  8CD8                     mov     ax, ds
 64.B178  90                       nop    
 64.B179  45                       inc     bp
 64.B17A  55                       push    bp
 64.B17B  8BEC                     mov     bp, sp
 64.B17D  1E                       push    ds
 64.B17E  8ED8                     mov     ds, ax
 64.B180  81ECC202                 sub     sp, 02C2
 64.B184  57                       push    di
 64.B185  56                       push    si
 64.B186  8B4606                   mov     ax, [bp+06]
 64.B189  8946FA                   mov     [bp-06], ax
 64.B18C  8B4608                   mov     ax, [bp+08]
 64.B18F  8946F8                   mov     [bp-08], ax
 64.B192  837EFA00                 cmp     word ptr [bp-06], 0000
 64.B196  7508                     jne     B1A0
 64.B198  9AF0ACCEB1               call    64:ACF0

Hmm, jumps to B1A0, but still no jump to the right code.

I now think back to the start of the 4.2 tute, and remember that you said 
'...since the protectionists are aware of these obvious "weak" 
points in their schemes, there "defences" will all be concentrated on 
this "path"'
How stupid of me! I am pretty sure I could crack it this way (Microsofts 
"defences" don't seem to good), but why take the hard way when I can 
get the same result but with an easier way.

Ok, time to sit back and think a little.
Why not use a "registration code" type crack, and find what happens 
to the date I enter?

Lets try entering a date, searching for it, and breaking on read/writes

I enter the date 5/5/95
search 30:0 Lffffffff '5/5/'
Cool, only one found above 80000000
at 30:8086CC2A

set bpr on this
bpr 30:8086CC2A 30:8086CC2A+5 rw

and go

Break into some code copying it, so set another range and go again.

Breaks in some code at language(1):466. Not very interesting, so 
keep going...

Lands in 5:B1B, this looks much more promising, Have a quick step 
through, doesn't do much, so unlikely to be of much importance.

go again, and we land in 51:266. BINGO!
Look at the code:

 81.0234  8CD8                     mov     ax, ds
 81.0236  90                       nop    
 81.0237  45                       inc     bp
 81.0238  55                       push    bp
 81.0239  8BEC                     mov     bp, sp
 81.023B  1E                       push    ds
 81.023C  8ED8                     mov     ds, ax
 81.023E  83EC1A                   sub     sp, 001A
 81.0241  57                       push    di
 81.0242  56                       push    si
 81.0243  8B7E0A                   mov     di, [bp+0A]
 81.0246  8D7501                   lea     si, [di+01]
 81.0249  8A15                     mov     dl, byte ptr [di]
 81.024B  2AF6                     sub     dh, dh
 81.024D  03D6                     add     dx, si
 81.024F  C746FA0000               mov     word ptr [bp-06], 0000
 81.0254  C746FCFFFF               mov     word ptr [bp-04], FFFF
 81.0259  3BD6                     cmp     dx, si
 81.025B  761B                     jbe     0278
 81.025D  8956F8                   mov     [bp-08], dx
 81.0260  8D7EEA                   lea     di, [bp-16]
 81.0263  8B4EFC                   mov     cx, [bp-04]

 81.0266 >AC                       lodsb                ;get next character
 81.0267  2AE4                     sub     ah, ah
 81.0269  3D2F00                   cmp     ax, 002F     ; is it '/'
 81.026C  7F10                     jg      027E
 81.026E  3D2D00                   cmp     ax, 002D     ; is it '-'
 81.0271  7D48                     jnl     02BB
 81.0273  2D2000                   sub     ax, 0020
 81.0276  EB16                     jmp     028E

 81.0278 >8B4EFC                   mov     cx, [bp-04]
 81.027B  EB59                     jmp     02D6
 81.027D  90                       nop    

 81.027E >2D3000                   sub     ax, 0030
 81.0281  7C0D                     jl      0290
 81.0283  2D0900                   sub     ax, 0009
 81.0286  7F03                     jg      028B
 81.0288  E99300                   jmp     031E

 81.028B >2D6700                   sub     ax, 0067

 81.028E >7478                     je      0308

 81.0290 >8A44FF                   mov     al, byte ptr [si-01]
 81.0293  8846E8                   mov     byte ptr [bp-18], al
 81.0296  3A069662                 cmp     al, byte ptr [6296]
 81.029A  741F                     je      02BB
 81.029C  A09762                   mov     al, [6297]
 81.029F  3846E8                   cmp     byte ptr [bp-18], al
 81.02A2  7417                     je      02BB
 81.02A4  807EE820                 cmp     byte ptr [bp-18], 20
 81.02A8  7403                     je      02AD
 81.02AA  E98702                   jmp     0534

 81.02AD >803E9662A0               cmp     byte ptr [6296], A0
 81.02B2  7407                     je      02BB
 81.02B4  3CA0                     cmp     al, A0
 81.02B6  7403                     je      02BB
 81.02B8  E97902                   jmp     0534

 81.02BB >8D46F0                   lea     ax, [bp-10]
 81.02BE  3BF8                     cmp     di, ax
 81.02C0  7503                     jne     02C5
 81.02C2  E96F02                   jmp     0534

 81.02C5 >83C702                   add     di, 0002
 81.02C8  894DFE                   mov     [di-02], cx
 81.02CB  FF46FA                   inc     word ptr [bp-06]
 81.02CE  B9FFFF                   mov     cx, FFFF

 81.02D1 >3976F8                   cmp     [bp-08], si
 81.02D4  7790                     ja      0266

 81.02D6 >8B76FA                   mov     si, [bp-06]
 81.02D9  83FE03                   cmp     si, 0003
 81.02DC  7503                     jne     02E1
 81.02DE  E95302                   jmp     0534

 81.02E1 >8D5AEA                   lea     bx, [bp+si-16]
 81.02E4  368908                   mov     ss:[bx+si], cx
 81.02E7  B8FFFF                   mov     ax, FFFF
 81.02EA  8946F4                   mov     [bp-0C], ax
 81.02ED  8946F0                   mov     [bp-10], ax
 81.02F0  8946F2                   mov     [bp-0E], ax
 81.02F3  8D4401                   lea     ax, [si+01]
 81.02F6  48                       dec     ax
 81.02F7  48                       dec     ax
 81.02F8  7442                     je      033C
 81.02FA  48                       dec     ax
 81.02FB  7469                     je      0366
 81.02FD  8B46EA                   mov     ax, [bp-16]
 81.0300  8946F2                   mov     [bp-0E], ax
 81.0303  E99000                   jmp     0396
 81.0306  90                       nop    
 81.0307  90                       nop    

 81.0308 >3976F8                   cmp     [bp-08], si
 81.030B  76C4                     jbe     02D1
 81.030D  83F9FF                   cmp     cx, FFFF
 81.0310  74BF                     je      02D1
 81.0312  803C30                   cmp     byte ptr [si], 30
 81.0315  72BA                     jb      02D1
 81.0317  803C39                   cmp     byte ptr [si], 39
 81.031A  77B5                     ja      02D1
 81.031C  EB9D                     jmp     02BB

 81.031E >83F9FF                   cmp     cx, FFFF
 81.0321  7502                     jne     0325
 81.0323  33C9                     xor     cx, cx

 81.0325 >8A44FF                   mov     al, byte ptr [si-01]
 81.0328  2AE4                     sub     ah, ah
 81.032A  8BD1                     mov     dx, cx
 81.032C  C1E202                   shl     dx, 02
 81.032F  03D1                     add     dx, cx
 81.0331  D1E2                     shl     dx, 1
 81.0333  03C2                     add     ax, dx
 81.0335  2D3000                   sub     ax, 0030
 81.0338  8BC8                     mov     cx, ax
 81.033A  EB95                     jmp     02D1

 81.033C >A09462                   mov     al, [6294]
 81.033F  2403                     and     al, 03
 81.0341  3C02                     cmp     al, 02
 81.0343  7532                     jne     0377
 81.0345  8B46EA                   mov     ax, [bp-16]
 81.0348  8B369462                 mov     si, [6294]
 81.034C  83E660                   and     si, 0060
 81.034F  C1EE04                   shr     si, 04
 81.0352  8942F0                   mov     [bp+si-10], ax
 81.0355  8B46EC                   mov     ax, [bp-14]
 81.0358  8B369462                 mov     si, [6294]
 81.035C  81E60018                 and     si, 1800
 81.0360  C1EE0A                   shr     si, 0A
 81.0363  EB2E                     jmp     0393
 81.0365  90                       nop    

 81.0366 >8B46EE                   mov     ax, [bp-12]
 81.0369  8B369462                 mov     si, [6294]
 81.036D  81E60018                 and     si, 1800
 81.0371  C1EE0A                   shr     si, 0A
 81.0374  8942F0                   mov     [bp+si-10], ax

 81.0377 >8B46EA                   mov     ax, [bp-16]
 81.037A  8B369462                 mov     si, [6294]
 81.037E  83E603                   and     si, 0003
 81.0381  D1E6                     shl     si, 1
 81.0383  8942F0                   mov     [bp+si-10], ax
 81.0386  8B46EC                   mov     ax, [bp-14]
 81.0389  8B369462                 mov     si, [6294]
 81.038D  83E660                   and     si, 0060
 81.0390  C1EE04                   shr     si, 04

 81.0393 >8942F0                   mov     [bp+si-10], ax

 81.0396 >8D46FC                   lea     ax, [bp-04]
 81.0399  50                       push    ax
 81.039A  9A5205FFFF               call    81:0552      ;Get Todays Date
 81.039F  8BD8                     mov     bx, ax
 81.03A1  368B07                   mov     ax, ss:[bx]
 81.03A4  8946F6                   mov     [bp-0A], ax
 81.03A7  837EF2FF                 cmp     word ptr [bp-0E], FFFF
 81.03AB  751E                     jne     03CB
 81.03AD  837EF0FF                 cmp     word ptr [bp-10], FFFF
 81.03B1  7513                     jne     03C6
 81.03B3  837EF4FF                 cmp     word ptr [bp-0C], FFFF
 81.03B7  750D                     jne     03C6
 81.03B9  8A46F6                   mov     al, byte ptr [bp-0A]
 81.03BC  251F00                   and     ax, 001F
 81.03BF  40                       inc     ax
 81.03C0  8946F2                   mov     [bp-0E], ax
 81.03C3  EB06                     jmp     03CB
 81.03C5  90                       nop    

 81.03C6 >C746F20100               mov     word ptr [bp-0E], 0001

 81.03CB >837EF0FF                 cmp     word ptr [bp-10], FFFF
 81.03CF  750B                     jne     03DC
 81.03D1  837EF4FF                 cmp     word ptr [bp-0C], FFFF
 81.03D5  740B                     je      03E2
 81.03D7  C746F00100               mov     word ptr [bp-10], 0001

 81.03DC >8B7E08                   mov     di, [bp+08]
 81.03DF  EB30                     jmp     0411
 81.03E1  90                       nop    

 81.03E2 >8B7E08                   mov     di, [bp+08]
 81.03E5  F7C70800                 test    di, 0008
 81.03E9  7467                     je      0452
 81.03EB  8A46F6                   mov     al, byte ptr [bp-0A]
 81.03EE  251F00                   and     ax, 001F
 81.03F1  3B46F2                   cmp     ax, [bp-0E]
 81.03F4  7C03                     jl      03F9
 81.03F6  E99200                   jmp     048B

 81.03F9 >33DB                     xor     bx, bx

 81.03FB >8B46F6                   mov     ax, [bp-0A]
 81.03FE  25E001                   and     ax, 01E0
 81.0401  C1E805                   shr     ax, 05
 81.0404  03C3                     add     ax, bx
 81.0406  B90C00                   mov     cx, 000C
 81.0409  2BD2                     sub     dx, dx
 81.040B  F7F1                     div     cx
 81.040D  42                       inc     dx
 81.040E  8956F0                   mov     [bp-10], dx

 81.0411 >837EF4FF                 cmp     word ptr [bp-0C], FFFF
 81.0415  7403                     je      041A
 81.0417  E9D600                   jmp     04F0

 81.041A >8B46F6                   mov     ax, [bp-0A]
 81.041D  C1E809                   shr     ax, 09
 81.0420  059C07                   add     ax, 079C
 81.0423  8946F4                   mov     [bp-0C], ax
 81.0426  F7C70800                 test    di, 0008
 81.042A  746E                     je      049A
 81.042C  8B46F6                   mov     ax, [bp-0A]
 81.042F  25E001                   and     ax, 01E0
 81.0432  C1E805                   shr     ax, 05
 81.0435  8946E6                   mov     [bp-1A], ax
 81.0438  2B46F0                   sub     ax, [bp-10]
 81.043B  40                       inc     ax
 81.043C  7554                     jne     0492
 81.043E  8A46F6                   mov     al, byte ptr [bp-0A]
 81.0441  251F00                   and     ax, 001F
 81.0444  3B46F2                   cmp     ax, [bp-0E]
 81.0447 >7D03                     jnl     044C
 81.0449  E9CF00                   jmp     051B

 81.044C >FF46F4                   inc     word ptr [bp-0C]
 81.044F  E9C900                   jmp     051B

 81.0452 >F7C70400                 test    di, 0004
 81.0456  7412                     je      046A
 81.0458  8A46F6                   mov     al, byte ptr [bp-0A]
 81.045B  251F00                   and     ax, 001F
 81.045E  40                       inc     ax
 81.045F  3B46F2                   cmp     ax, [bp-0E]
 81.0462  7D95                     jnl     03F9

 81.0464 >BB0B00                   mov     bx, 000B
 81.0467  EB92                     jmp     03FB
 81.0469  90                       nop    

 81.046A >8A46F6                   mov     al, byte ptr [bp-0A]
 81.046D  251F00                   and     ax, 001F
 81.0470  2B46F2                   sub     ax, [bp-0E]
 81.0473  F7D8                     neg     ax
 81.0475  3D1400                   cmp     ax, 0014
 81.0478  7DEA                     jnl     0464
 81.047A  8A46F6                   mov     al, byte ptr [bp-0A]
 81.047D  251F00                   and     ax, 001F
 81.0480  2B46F2                   sub     ax, [bp-0E]
 81.0483  3D0B00                   cmp     ax, 000B
 81.0486  7D03                     jnl     048B
 81.0488  E96EFF                   jmp     03F9

 81.048B >BB0100                   mov     bx, 0001
 81.048E  E96AFF                   jmp     03FB
 81.0491  90                       nop    

 81.0492 >8B46F0                   mov     ax, [bp-10]
 81.0495  3946E6                   cmp     [bp-1A], ax
 81.0498  EBAD                     jmp     0447

 ;***********************turns a date into a number
 81.049A >8BC7                     mov     ax, di
 81.049C  A804                     test    al, 04
 81.049E  742E                     je      04CE
 81.04A0  8B46F6                   mov     ax, [bp-0A]
 81.04A3  25E001                   and     ax, 01E0
 81.04A6  C1E805                   shr     ax, 05
 81.04A9  8946E6                   mov     [bp-1A], ax
 81.04AC  2B46F0                   sub     ax, [bp-10]
 81.04AF  40                       inc     ax
 81.04B0  7512                     jne     04C4
 81.04B2  8A46F6                   mov     al, byte ptr [bp-0A]
 81.04B5  251F00                   and     ax, 001F
 81.04B8  40                       inc     ax
 81.04B9  3B46F2                   cmp     ax, [bp-0E]

 81.04BC >7D5D                     jnl     051B

 81.04BE >FF4EF4                   dec     word ptr [bp-0C]
 81.04C1  EB58                     jmp     051B
 81.04C3  90                       nop    

 81.04C4 >8B46E6                   mov     ax, [bp-1A]
 81.04C7  40                       inc     ax
 81.04C8  3B46F0                   cmp     ax, [bp-10]
 81.04CB  EBEF                     jmp     04BC
 81.04CD  90                       nop    

 81.04CE >8B46F6                   mov     ax, [bp-0A]
 81.04D1  25E001                   and     ax, 01E0
 81.04D4  C1E805                   shr     ax, 05
 81.04D7  8946E6                   mov     [bp-1A], ax
 81.04DA  2B46F0                   sub     ax, [bp-10]
 81.04DD  F7D8                     neg     ax
 81.04DF  3D0900                   cmp     ax, 0009
 81.04E2  7DDA                     jnl     04BE
 81.04E4  8B46E6                   mov     ax, [bp-1A]
 81.04E7  2B46F0                   sub     ax, [bp-10]
 81.04EA  3D0400                   cmp     ax, 0004
 81.04ED  E957FF                   jmp     0447


;***************Checks year is in long format: Ie 94 becomes 1994
 81.04F0 >817EF49C07               cmp     word ptr [bp-0C], 079C
 81.04F5  7D24                     jnl     051B
 81.04F7  8146F46C07               add     word ptr [bp-0C], 076C
 81.04FC  817EF49C07               cmp     word ptr [bp-0C], 079C
 81.0501  7C14                     jl      0517
 81.0503  8BC7                     mov     ax, di
 81.0505  A808                     test    al, 08
 81.0507  7412                     je      051B
 81.0509  8B46F6                   mov     ax, [bp-0A]
 81.050C  C1E809                   shr     ax, 09
 81.050F  059C07                   add     ax, 079C
 81.0512  3B46F4                   cmp     ax, [bp-0C]
 81.0515  7E04                     jle     051B

 81.0517 >8346F464                 add     word ptr [bp-0C], 0064

 81.051B >FF76F4                   push    word ptr [bp-0C]
 81.051E  FF76F0                   push    word ptr [bp-10]
 81.0521  FF76F2                   push    word ptr [bp-0E]
 81.0524  8D46FC                   lea     ax, [bp-04]
 81.0527  50                       push    ax
 81.0528  9AAE101306               call    81:10AE      ;Calculate number 
 81.052D  8BD8                     mov     bx, ax
 81.052F  368B07                   mov     ax, ss:[bx]
 81.0532  EB08                     jmp     053C

 81.0534 >C746F6FFFF               mov     word ptr [bp-0A], FFFF
 81.0539  8B46F6                   mov     ax, [bp-0A]

 81.053C >8B5E06                   mov     bx, [bp+06]
 81.053F  368907                   mov     ss:[bx], ax
 81.0542  8BC3                     mov     ax, bx
 81.0544  8CD2                     mov     dx, ss
 81.0546  5E                       pop     si
 81.0547  5F                       pop     di
 81.0548  8D66FE                   lea     sp, [bp-02]
 81.054B  1F                       pop     ds
 81.054C  5D                       pop     bp
 81.054D  4D                       dec     bp
 81.054E  CA0600                   retf    0006

The Call to 81:10AE calculates a number based on the date. The formula is

	number=(year-1948)*512 + (month-1) * 32 + (day-1)

To go from a number to the corresponding date, use:
	year  = (num / 512) + 48
	month = ((num / 16) MOD 16) / 2 + 1
	day   = num MOD 32 + 1



Ok, we know the above code gets the field data, and turns it into a number. 
Now just bpr on places this number goes to.
Right after the routine(using p ret)
At 51:53F it is copied into ss:bx
-So use bpr ss:bx ss:bx+1 rw

At E:1892 it is copied into bp-10
-So use bpr bp-10 bp-10+1 rw
The value is still in ax though, and is copied again at:
14.18AC

 14.1892  8946F0                   mov     [bp-10], ax          ;Copied Once
 14.1895  3DFFFF                   cmp     ax, FFFF
 14.1898  7512                     jne     18AC
 14.189A  680308                   push    0803

 14.189D >8D4501                   lea     ax, [di+01]

 14.18A0 >1E                       push    ds
 14.18A1  50                       push    ax
 14.18A2  6A00                     push    0000
 14.18A4  9A84AE2C09               call    64:AE84
 14.18A9  E9C8FE                   jmp     1774

 14.18AC >A3D870                   mov     [70D8], ax           ;Copied Again

WAHOOO! found it!
This looks very promising, the date number is copied into a global variable.

Okay, clear all other break points, and just break point on 70D8.



We end up here

 14.2B63 >A1D664                   mov     ax, [64D6]
 14.2B66  3906D870                 cmp     [70D8], ax
 14.2B6A  7203                     jb      2B6F
 14.2B6C  E9970A                   jmp     3606         ;GOTO OoR

Does changing jb 2b6F to jmp 2b6F work? YES! cracked!


Ok, to crack this part of the crap, just change:
7203    jb      2B63
EB03    jmp     2B63




Total patches needed are:
Change: 

83FE077F22 to
83FE07EB22

3946F07246 to
3946F0E246

3906D8707203 to
3906D870EB03

3946FE73C0 to
3946FEEBC0
-----------------------------------------------------------------------------

Ok, this is all that is required to crack this crap, but you said you wanted 
us to "DELVE DEEP", so I'll keep looking for more stuff.

The first thing that interested me was where the installation date stuff was 
kept. I knew it was moved into 64D6 some time, so I looked in the listing, 
for whenever stuff was placed into 64D6, or whenever it was pushed before 
a call.

Setting a bpr on ds:64D6, I see that the installation date is copied 
into 64D6 at 8:18ED
Ok, what calls this code? Looking at the stack, I see that it is called at

8.02EC  E84D12                   call    153C

Looking for the start of this bit of code, I see an interseting little call:
8.01A6  9AFFFF0000               call    KERNEL._LREAD

How nice, obviously reading the expiry date from some file? But which file?

Now the normal thing to do now, would be to either search in the listing for 
"open", or to bpx on _lopen and openfile

I felt like experimenting though, so I quit out of windows, load kgb, and 
then load up windows again(I cannot run 95 on my computer, so I can't use 
filemon.exe)
Running money, I see the only files it seems to load are msmoney.exe, and 
msmoney.mny

I search both files  for "415C" (5C41 in little endian notation)


Found It!
The installation date is stored at offset 0x224 in msmoney.mny
Change the date around, and it changes the date when the program expires!


Ok, Enough of this....
--------------------------------------------------------------------------
Part 1 Reason for crack of MS-project
Simple!

At 5167fe1 it beggars off, if valid_flag is set. Thus it wont even reach 
the code of the suggested crack.

Thus your solution isn't the only one, although it is more elegant.
Just nopping out 516fe1, 5168015, (and 5167fef just in case), works as well.





------------------------------------------------------------------------------

Part 3 Crack of Money 97
On the 30th of August, I finally got a computer capable of running win 95.

Heres an intersting challenge, set up the computer, set up all the drivers,
set up Softice 3.0, and then crack Money in time for it to get to +ORC!

I haven't got a backup of wdasm either, so it looks like I'll have to
use "live cracking"

I have got a solution to money 95 though, so I should be able to use that..

Ok, here are some of my initial ideas on how to crack money 97

1:Snap when a message box appears
2:See what happens to the dates that are entered
3:Find the date stored in a file somewhere, and see where this goes
4:Use +Orcs technique he mentioned at the start, "once more with
  GetLocalTime?". Can't really do this unless I get Wdasm, and I don't
  have the time to download it.
5:Search for some code used in the previous version, and see where that goes:
  Areas that could be searched:
	A: The code where the number is calculated. The actual formula
	   didn't change between money 1.0 and 3.0,so it probably hasn't 
	   changed much between 3.0 and the 97 version.
6:I remebered once that +orc cracked something, and then cracked the
  next version very quickly, which is eactly what I need to do!
  Looking back, I found in tute 9.2, where +Orc cracked psp, and the next
  version. Here he said "I'll never repeat it enough: PROTECTIONISTS ARE
  STUPID!", the crack for the old version was EXACTLY the same as the crack
  for the new version! This is unlikely in this case, but worth a try.


Ok, heres my basic plan of attack:
1) Run Money, have a good look at it.
   See where it stops me, nags me, what the limits are, etc.
   I now can run regmon and filemon, so Whilst running Money I will have them
   loaded.

2) If the Protections are the same, try 6: This is unlikely to work, but 
   worth a try.
3) If the protections are slighly different, I might Try a combination of
   techniques. By running and checking where the data is transformed, I
   can keep an eye out for any code that is familar to the code in the
   old crack.  The actual code may have changed, but I doubt that the 
   logic, structure and order of things will have changed much.
4) If everything has changed, I will just use 3, as that is how I cracked 
   before. I doubt very much that they will have chanegd the formula they
   use for calculating the date though, in which case at the very least
   I should be able to use 5A.


Anway, here goes:

Running it and playing around, I see that the protections used are the 
same.
I am not sure yet if the code is the same, but it checks the date in 
the same places, and the date can STILL be set back, even after it has 
expired!

Unfortunately, I have trouble setting my computer up, and I am getting 
nowhere with softice 3.00 :(

Before giving up, I decide to get WDasm off the net. Whilst there, I 
found out on Fravias page that the strainer wasn't due until September 
15! PHEW!

Looking at the code, I find the getlocaltime's that +orc was talking 
about.
And look at the second one!

:0046A308 FF15B0006300            Call dword ptr [006300B0]	;GetLocalTime
:0046A30E 668B442406              mov ax, word ptr [esp + 06]
:0046A313 6648                    dec ax
:0046A315 66C1E005                shl ax, 0005
:0046A319 6633442402              xor ax, word ptr [esp + 02]
:0046A31E 6625E001                and ax, 01E0

Hahaha, this code looks like it is performing the "magic formula"(The 
1E0 was used last time to start the formula)

Ok, try and bpx on getlocaltime in softice. DAMN! doesn't work! After 
fidling around for a while, I release that my version of winice isn't 
getting the 32 bit export symbols :(
I make some changes in winice.dat, and it works...

p ret, and then bpr on where the number is used....

By bpxing getlocaltime as I type in a date, I eventually got to here: 

;Code to check if date is in allowed range
:005C2C80 668B81B5010000          mov ax, word ptr [ecx+01B5]	; Get maximum allowed date
:005C2C87 663DFFFF                cmp ax, FFFF			; Date Valid?
:005C2C8B 0F842F0D0000            je 005C39C0			; No? Beggar Off	
:005C2C91 66390564866200          cmp word ptr [00628664], ax	; Entered date in valid range?
:005C2C98 0F863B0D0000            jbe 005C39D9			; No? Ask for date again.

Easy to crack, just change:

:005C2C98 0F863B0D0000            jbe 005C39D9
to
:005C2C98 909090909090            nop,nop,nop,nop,nop,nop



;Code to check if past expirey date:

:00472873 8B44246C                mov eax, dword ptr [esp + 6C]
:00472877 6A5A                    push 0000005A
:00472879 50                      push eax
:0047287A E8217BFFFF              call 0046A3A0
:0047287F 83C408                  add esp, 00000008
:00472882 6639442414              cmp word ptr [esp + 14], ax
:00472887 768E                    jbe 00472817


Easy again, just change

:00472887 768E                    jbe 00472817	;jump if date<
to
:00472887 EB8E                    jmp 00472817  ; always jump

by searching for 6639442414768E
and changing to  6639442414EB5E



Hmm, another annoying nag when there is less than 15 days left..
Just do a bpx getlocaltime again at the end. Look for the one that 
calculates using the formula, and watch where ax goes to. Leads to 
here:


:0047050C 668945EC                mov word ptr [ebp-14], ax	;Get todays date
:00470510 66A164866200            mov ax, [00628664]		;Get maximum date
:00470516 668945EA                mov word ptr [ebp-16], ax
:0047051A 663945EC                cmp word ptr [ebp-14], ax	;Date in Range?
:0047051E A1DCFC6100              mov eax, [0061FCDC]
:00470523 735D                    jnb 00470582			; No Beggar off
:00470525 8B45EA                  mov eax, dword ptr [ebp-16]
:00470528 50                      push eax
:00470529 E852A2FFFF              call 0046A780			; Calculate number from date1
:0047052E 83C404                  add esp, 00000004
:00470531 668BF0                  mov si, ax
:00470534 8B45EC                  mov eax, dword ptr [ebp-14]
:00470537 50                      push eax
:00470538 E843A2FFFF              call 0046A780			; Calculate number from date2
:0047053D 83C404                  add esp, 00000004

:00470540 662BF0                  sub si, ax		;Subtract numbers, This gives number of
							;Days between the dates
:00470543 6683FE0F                cmp si, 000F		;15 days left?
:00470547 A1DCFC6100              mov eax, [0061FCDC]
:0047054C 7F34                    jg 00470582		;If more don't write message.

Wow! on line 00470523 they know the date is out of range, but the 
jump to a good place(Ie they jump to the No message place, the same 
that 0047054C jumps to with more than 15 days left!)

Easy to patch then.
Just change

:00470523 735D                    jnb 00470582	
with
:00470523 EB5D                    jnb 00470582	

by searching for  A1DCFC6100735D
and changing with A1DCFC6100EB5D

Ok, where does it check is date < installation date?

:0047287A E8217BFFFF              call 0046A3A0		;Calcluate Today + 90
:0047287F 83C408                  add esp, 00000008
:0047287F 83C408                  add esp, 00000008
:00472882 6639442414              cmp word ptr [esp + 14], ax	;Allowed date < today+90?
:00472887 768E                    jbe 00472817			;If so, go away, good guy


Change 
:00472887 768E                    jbe 00472817
to
:00472887 EB8E                    jmp 00472817		

by searching for 6639442414768E
and changing to  6639442414EB8E

Ok, last of all, the date must be either 1996 or 1997 to create a new 
project.

Again, I just use Winice, and see where the calculated date gets 
taken...


It's here:

:0047208C E86F82FFFF              call 0046A300			;Get Date
:00472091 6689442402              mov word ptr [esp + 02], ax
:00472096 662500FE                and ax, FE00			;Just years
:0047209A 663D0060                cmp ax, 6000			;1996?
*0047209E 7423                    je 004720C3			;Jump GoodGuy
:004720A0 663D0062                cmp ax, 6200			;1997?
:004720A4 741D                    je 004720C3			;Jump GoodGuy

Hmm, I saw some code like this before.
So I search for 
"and ax, FE00"
and look for cmp ax,6000's underneath. I find the following...


:00459058 668B44240A              mov ax, word ptr [esp + 0A]
:0045905D 662500FE                and ax, FE00
:00459061 663D0060                cmp ax, 6000	;1996?
*00459065 7454                    je 004590BB	;Jump GoodGuy
:00459067 663D0062                cmp ax, 6200	;1997?
:0045906B 744E                    je 004590BB	;Jump GoodGuy
:0045906D 663D0064                cmp ax, 6400	;1998?
:00459071 7448                    je 004590BB	;Jump GoodGuy



:0047205A 66A164866200            mov ax, [00628664]	;Get Date
:00472060 662500FE                and ax, FE00		;just years
:00472064 663D0060                cmp ax, 6000		;1996?
*00472068 740C                    je 00472076		;Jump GoodGuy
:0047206A 663D0062                cmp ax, 6200		?1997?
:0047206E 7406                    je 00472076		;Jump GoodGuy
:00472070 663D0064                cmp ax, 6400		;not 1998?
:00472074 7516                    jne 0047208C		;Jump badGuy


:0047261A 668B442414              mov ax, word ptr [esp + 14]
:0047261F 662500FE                and ax, FE00
:00472623 663D0060                cmp ax, 6000		;1996?
*00472627 0F8446020000            je 00472873		;Jump GoodGuy
:0047262D 663D0062                cmp ax, 6200		;1997?
:00472631 0F843C020000            je 00472873		;Jump GoodGuy
:00472637 663D0064                cmp ax, 6400		;1998?
:0047263B 0F8432020000            je 00472873		;Jump GoodGuy


All of these are EASY to change. Just change the very first je xxx 
to jmp xxx
I have shown these with a *

I am not sure of when these are used, or even if they ever are. 
It doesn't matter, If I change them all, the program will always 
have a correct year...

Therefore I make the following changes:

663D00607423	
to
663D0060EB23


663D00607454
to
663D0060EB54

663D0060740C
to
663D0060EB0C

663D00600F8446020000
to
663D0060E94702000090

Hurrah, Cracked! Still got a nag screen at the start, but I don't 
ever actually intend on using this pathetic program, so why bother 
cracking any further??


Post Cracking Review:

Here are some of the things I learnt from this lesson.

1) Microsoft is PATHETIC! Cracking their overbloated programs is much 
easier than I initially would have thought.

2) Whilst live cracking, and dead-listing are both powerful techniques, 
I find combining the two approaches to be the most beneficial.

3) The correct tools are important. Before I got wdasm, I found cracking 
much harder.

4) The right tools are only good when set up properly. Before I setup 
winice, it couldn't breakpoint on 32 bit code, such as getlocaltime.

5) (I didn't learn this from the lesson, but at the same time), 
The media is PATHETIC! As I was finishing the crack, Princess Di was killed 
due to the media. The media coverage afterwards was disgusting (All the 
papers, every TV channel, 24 hours a day ). Never once did I hear 
anyone mourning over the driver, and they didn't even mention Mother 
Teresa dying! I truly discovered that the media are blood sucking 
vourmin.




Hope you have found this essay to be correct +Orc. I put quite a lot of work 
into it, and have learnt a lot as well.

Alt-F4

-----

it seems he likes including code sections as much as we do (heh)

+gthorne