Application for +HCU98

by swann (swann@nym.alias.net)

Mnydemo.exe

This session deals with the French version of ms money trial 3.00p,
1.205.888 bytes, of 02/08/94 which Fravia+ kindly provided on his web
page.

I'm not dogmatic, and so I usually employ a mixed approach to my cracks,
get a general orientation and strategy from the disassembly, and use
winice for local tactics and operations.

The task at hand is spelled out by +orc in lesson 4.2: get rid of the
check for the year, get rid of the check for the 60 days limit, get
rid of the transaction limit. Plus disabling a couple of nag screens
as a gimme.

So you run the program and the first thing you encounter after the
startup nag is the message that informs you that your system date
should be between 1994 and 1995. Let's tackle that first.

In this program, most problems we encounter are signified by such
message boxes. It turned out to be pretty efficient to bpr on the
location of the message text once the box appears, and then after the
breakpoint get back to the offending instruction and defeat it. They're
mostly conveniently located right before the call to the message box.

In the case of the system year check, we end up in the code segment 8:

:0008.14E4 8D46FC lea ax, [bp-04]
:0008.14E7 50 push ax
:0008.14E8 9A52052815 call 0081.0552
:0008.14ED 8BD8 mov bx, ax
:0008.14EF 368B07 mov ax, ss:[bx]
:0008.14F2 8946FE mov [bp-02], ax
:0008.14F5 8A66FF mov ah, [bp-01]
:0008.14F8 80E4FE and ah, FE
:0008.14FB 80FC5C cmp ah, 5C; check if 92
:0008.14FE 741C je 151C
:0008.1500 8A66FF mov ah, [bp-01]
:0008.1503 80E4FE and ah, FE
:0008.1506 80FC5E cmp ah, 5E; check if 94
:0008.1509 7411 je 151C ; let's screw some more
:0008.150B 681709 push 0917
:0008.150E 6A00 push 0000
:0008.1510 9A1AADBB0E call 0064.AD1A; you got bad breath
:0008.1515 33C0 xor ax, ax
:0008.1517 C9 leave

So obviously we want to jump at 8.1509, so we'll patch "EB11" for "7411."
And jump we do and that was that.

On my system, this jump fix takes care of a lot. For some reason,
I don't even get an expiration notice, no matter how I change my system
date back and forth.

So the next part can probably be skipped and I only add it because our
diva asked us to "DELVE DEEP". When I first tried this crack, I changed
the system date to 1995, and then I encountered the further protection
parts. If you do this, change your system date to 1995 and then change
the date beyond the 60 days limit, you'll get the next error message telling
you the trial period is over. With the same tactics mentioned before
you'll land here:

|
:0008.17E2 8B46F4 mov ax, [bp-0C]
0008.17E5 3946F0 cmp [bp-10], ax; has it been 60 dayz yet?
:0008.17E8 7246 jb 1830 ; let's screw some more

* Possible Reference to Dialog: DialogID_0494
|
:0008.17EA 689404 push 0494 ; buy the registered version
:0008.17ED 686D05 push SEG ADDR of Segment 0028
:0008.17F0 68C015 push 15C0

This obviously is one of the three locations +orc mentioned in 4.2,
only the address being different because it's the French version.
+orc suggested we nop this jump at 8.17e8 out. I don't know whom he is
kidding, but certainly noone who's studied his tutorials. Obviously,
we _do_ want to take that jump, and therefore patch "EB46" for "7246"
at 8.17e8.

This may lead to a problem here:

:0008.1830 50 push ax
:0008.1831 9AE6083E18 call 0081.08E6
:0008.1836 FF76F0 push word ptr [bp-10]
:0008.1839 8BF0 mov si, ax
:0008.183B 9AE608EB14 call 0081.08E6 ; date check call
:0008.1840 2BF0 sub si, ax
:0008.1842 8976FE mov [bp-02], si
:0008.1845 83FE07 cmp si, 0007
:0008.1848 7F22 jg 186C; let's screw some more
:0008.184A 8A46FE mov al , [bp-02]
:0008.184D 0430 add al, 30
:0008.184F 8846EE mov [bp-12], al
:0008.1852 C646EF00 mov byte ptr [bp-11], 00
:0008.1856 681949 push 4919
:0008.1859 68D207 push 07D2
:0008.185C 8D46EE lea ax, [bp-12]
:0008.185F 16 push ss
:0008.1860 50 push ax
:0008.1861 6A00 push 0000
:0008.1863 6A00 push 0000
:0008.1865 6A40 push 0040
:0008.1867 9A44B11315 call 0064.B144

We want to jump at 8.1848, and that's why we patch "eb22" for "7f22".
After that, we'll get to the program without much of a problem, except
for two standard nag screens we'll take care of later.

Now in the program, you create an account and do some transactions. If
the transaction date you use is beyond the registration year, you'll
get another error message. Same procedure, bpr on message string, pop
into winice, get back into the program, find the call and take the jump
with which you could have avoided the call.

* Referenced by a Jump at Address:0014.2B5E(C)
|
:0014.2B63 A1D664 mov ax, [64D6]
:0014.2B66 3906D870 cmp [70D8], ax
:0014.2B6A 7203 jb 2B6F; hey honey - make money
:0014.2B6C E9970A jmp 3606; bad breath

If your transaction date is beyond the valid period, you don't take the
jump at 14.2b6a (in softice it's 0e.2b6a but you did know that didn't
you?) So you'll patch "eb03" for "7203" and then you can record
transactions for all future generations. >Insert generic anti-capitalist
flame here <.

The program is functional now, all that's left to do is kick those nag
screens out.
There are two of them, the general trial one, and a - so I assume-
specifically French one informing you that the minitel features are not
available in the trial version. Same procedure:

:0002.0EAE 837E0601 cmp word ptr [bp+06], 0001
:0002.0EB2 7406 je 0EBA; patch here
:0002.0EB4 837E0609 cmp word ptr [bp+06], 0009
:0002.0EB8 7530 jne 0EEA

* Referenced by a Jump at Address:0002.0EB2(C)
|
:0002.0EBA FF36540B push word ptr [0B54]
:0002.0EBE 833E720B01 cmp word ptr [0B72], 0001
:0002.0EC3 1BC0 sbb ax, ax
:0002.0EC5 24FE and al, FE
:0002.0EC7 050300 add ax, 0003
:0002.0ECA 50 push ax
:0002.0ECB 9AF20E0000 call USER.SHOWWINDOW
:0002.0ED0 689304 push 0493
:0002.0ED3 68FFFF push SEG ADDR of Segment 0028
:0002.0ED6 68C015 push 15C0
:0002.0ED9 FF36540B push word ptr [0B54]
:0002.0EDD 6A00 push 0000
:0002.0EDF 6A00 push 0000
:0002.0EE1 6A00 push 0000
:0002.0EE3 9A3A01FFFF call 0005.013A; EVIL
:0002.0EE8 EB0C jmp 0EF6

You patch the location 2.0eb2: "EB36" (jmp 0eea) for "7406" and you'll
never see that nag screen again.

And here goes minitel:

:0002.1455 7508 jne 145F; patch here
:0002.1457 68E666 push 66E6
:0002.145A 9A7A287C15 call 0002.287A; 666 <<

* Referenced by a Jump at Address:0002.1455(C)
|
:0002.145F 9A520AFFFF call 0030.0A52
:0002.1464 0BC0 or ax, ax
:0002.1466 7503 jne 146B
:0002.1468 E9CB00 jmp 1536

So our last patch is at location 2.1455: "EB0d" (jmp 1464) for "7508".
Nuff said about this truly ZEN crack of an intrinsically useless
program. Don't ask me why I've done this. I don't know.
----------------

MSMONEY97 trial

Well, having worked on the old version does help a bit for cracking
this disgrace of a program, since it uses the same protectionist
structure. The version I'm working on is msmoney.exe 4.929.536 bytes
of 09/10/96.

This time we'll do it in the order in which the annoyances occur. First
the nag screen. "Welcome to Microsoft Money, which will transform the
way you manage your finances." You bet that it won't. BPR on the message
text, and you'll land in the program after cs:46bfbf. This section is
called from cs:4a74fb. No useful conditional jumps before that section.
There are some conditional jumps 4a75ee but they correspond to startup
errors, so you don't want to take these. It looks like whenever you
start the program you're supposed to get the nag screen.

* Reference To: USER32.RegisterClassA, Ord:01ABh
|
:004A74CC FF15D00A6200 Call dword ptr [00620AD0]
:004A74D2 6685C0 test ax, ax
:004A74D5 0F8413010000 je 004A75EE;not enough memory
:004A74DB E8401A0000 call 004A8F20
:004A74E0 85C0 test eax, eax
:004A74E2 0F8406010000 je 004A75EE
:004A74E8 56 push esi
:004A74E9 56 push esi

* Reference To: USER32.GetDesktopWindow, Ord:00E8h
|
:004A74EA FF150C0B6200 Call dword ptr [00620B0C]
:004A74F0 50 push eax
:004A74F1 6810F54C00 push 004CF510
:004A74F6 685E2F0000 push 00002F5E
:004A74FB E8104AFCFF call 0046BF10; call to nag

So let's see what happens if we nop the whole call out. Insert any 5
bytes that don't do anything at cs:4a74fb. In this case, simply inserting
5 nops works just fine. And now the program starts without a nag screen.
Hurdle 1 taken.

Next thing you do is advance your system time and, as expected, you'll
get a notice of expiration screen. You bpx on the text again, which
leads you to our friend cs:46bfbf again and this time it's called
from cs:470e2a. So let's take a look at the code "before.class" tppabs="http://www.Fravia.org/solutions/before.class" this
instruction.

* Referenced by a Jump at Address:00470E81(C)
:00470E07 668B442414 mov ax, word ptr [esp + 14]
:00470E0C 6639842478010000 cmp word ptr [esp + 00000178], ax
:00470E14 721C jb 00470E32; good guy
:00470E16 6A00 push 00000000
:00470E18 A1F03F6100 mov eax, [00613FF0]
:00470E1D 6A00 push 00000000
:00470E1F 50 push eax
:00470E20 6810F54C00 push 004CF510
:00470E25 685F2F0000 push 00002F5F
:00470E2A E8E1B0FFFF call 0046BF10; call to expir

cs:470e0c compares system date and expiration date. If ax is not lower, the
program calls the note of expiration. So it might be a good idea to change
the conditional jump into an unconditional jump: eb1c.

In case you have tampered your system time (moved it forward and back again),
you won't even get there. Note the conditional jump that leads to the above
quoted section.

* Referenced by a Jump at Addresses:00470C17(C), :00470C21(C), :00470C2B(C)
|
:00470E63 8B44246C mov eax, dword ptr [esp + 6C]
:00470E67 6A5A push 0000005A
:00470E69 50 push eax
:00470E6A E8017CFFFF call 00468A70
:00470E6F 6689442474 mov word ptr [esp + 74], ax
:00470E74 83C408 add esp, 00000008
:00470E77 668B442414 mov ax, word ptr [esp + 14]
:00470E7C 663944246C cmp word ptr [esp + 6C], ax
:00470E81 7384 jnb 00470E07; here
:00470E83 6A00 push 00000000
:00470E85 6A00 push 00000000
:00470E87 6A00 push 00000000
:00470E89 6A00 push 00000000
:00470E8B 6A00 push 00000000
:00470E8D 680F090000 push 0000090F
:00470E92 E8A9330000 call 00474240; bad guy

cs:470e7c compares the system date and the installation date. If the former is
earlier than the latter, the program sends you to the "get your system clock
right, lamer" screen. So in case you have played around with your system time,
you might want to make the conditional jump at cs:470e81 an unconditional jump:
eb84.

So let's take a look at the transaction limit, shall we? You enter a date beyond
the registration period in the account manager, and the program gives you a
screen: "The date you just entered is beyond ... blabla." Back in the program
you get to a couple of locations with not much going on. You hit F12 until you
find something more interesting. After 5 or so times you'll find:

* Referenced by a Jump at Address:005B5525(C)
|
:005B622D 6A00 push 00000000
:005B622F 680B090000 push 0000090B
:005B6234 E867E9EBFF call 00474BA0; call to transaction limit
:005B6239 83C408 add esp, 00000008

Which leads us to this location:

:005B550D 668B81A9010000 mov ax, word ptr [ecx+01A9]
:005B5514 663DFFFF cmp ax, FFFF
:005B5518 0F84F60C0000 je 005B6214
:005B551E 66390544926100 cmp word ptr [00619244], ax; beyond hope?
:005B5525 0F86020D0000 jbe 005B622D; jump to transaction limit

Here, at cs:5b551e the transaction date is being compared to the expiration
date. If the expiration date is below or equal, we take that jump we don't
want to take. So it might be a good idea to nop out that jump at cs:5b5525.
Let's make it inc eax, dec eax, inc ax, dec ax for a change.

It's not like I've ever used that program but playing around with it I found
another restriction: on creating new files. This is actually the major difference
between the old demo and the new trial version: an additional check on the
creation of new files. The usual procedure takes you here:

* Referenced by a Jump at Addresses:00470648(C), :00470664(C)

:0047067C E84F83FFFF call 004689D0
:00470681 6689442402 mov word ptr [esp + 02], ax
:00470686 662500FE and ax, FE00
:0047068A 663D0060 cmp ax, 6000
:0047068E 7428 je 004706B8;good guy
:00470690 663D0062 cmp ax, 6200
:00470694 7422 je 004706B8;good guy
:00470696 6A00 push 00000000
:00470698 A1F03F6100 mov eax, [00613FF0]
:0047069D 6A00 push 00000000
:0047069F 50 push eax
:004706A0 6810F54C00 push 004CF510
:004706A5 68DC2F0000 push 00002FDC
:004706AA E861B8FFFF call 0046BF10; call to expir
:004706AF 83C414 add esp, 00000014
:004706B2 33C0 xor eax, eax
:004706B4 83C404 add esp, 00000004
:004706B7 C3 ret

As you can see, ax is compared to 6000 and 6200 consecutively, and if it matches
either of them, you will skip the call to the expiration notice. Looks like we
better have one of these values in ax. So we can make either the jump at cs:47068e
or the one at cs:470694 unconditional. For instance EB28 at the former location.

So what is the date format anyway? What's all this 6000, 6200, etc. stuff about?
It's the result of a date transformation routine starting with a call to
getlocaltime at cs:4689d8

These are the restrictions I've encountered and how they can be overcome.
There might be some more somewhere but I didn't want to spend too much time
with this program. So there.

MsProject

The question was: Why does patching the location at cs:5168015 not work?

Well, it seems pretty obvious just from looking at the code fragments in the
tutorial.

If
we jump to "badflag" at cs:5167f97
and
don't patch something related to that "badflag"

Then
the comparison at cs:5167fdc and the consecutive jump at cs:5167fe1
will kick us out before we even get to the location cs:5168015.

The patch at cs:5168015 doesn't work because, if we're expired and don't patch
something else, we don't even get to that location. Duh.

---------

Ok. Hope this is enough to qualify for +HCU98. I've learnt a lot about
cracking during the last year but I know I'm far from being a good cracker.
I'm a little unsatisfied because mostly I've used the same approach for all of
this. Break at the text of the error message and kill the instruction that
sends you there. This wouldn't have worked as well if the offending instructions
had been hidden better. But it works sufficiently well in this case. And that
should be enough. Minimalism is not a bad thing.