Target: Surfsecret privacy protector
Download: http://www.surfsecret.com/inst/SSInstaller.exe
File crack: C:\Program Files\SurfSecret\Privacy Protector\SS2-TRIAL.exe
Tools: OllyDbg + HIEW
A. INTRODUCTION:
A time-trial application expires when no days are left.
Example:
-At year 2005:
-Change system time to year 2006
-At year 2006 :
Days Left EXPIRED
B. CRACKING:
This program needs to be cracked at 3 points (3 addresses).
ADDRESS 1:
1-Set system time : year 2005
-Load SS2-TRIAL.exe into OllyDbg
-Set breakpoint : bpx getlocaltime
-Run the program (F9). The program breaks at:
00421BFE |. FF15 FC104400 CALL DWORD PTR DS:[<&KERNEL32.GetLocalTi>; \GetLocalTime
-Run the script :
Choose the script file : log_TimeTrial.txt
Edit the file log_TimeTrial.txt :
---------------------------------------Cut here------------------------------------------------
//=============
//Script: Log addr EIP to Log Window
//Limit counter: max=150
//Author: Benina
//=============
var x
var y
var max
mov max,150
mov x,1
lb_loop:
mov y,eip
log y
sto
inc x
cmp x,max
jbe lb_loop
ret//exit script
---------------------------------------Cut here------------------------------------------------
The script starts running; wait a moment until it has finished.
Click the OK button.
-ALT+L : Open the Log window. Right-click, then choose Copy to clipboard / Whole table from the pop-up menu to copy the log window to the clipboard
-Open Notepad, paste CTRL+V, Save as: file log1.txt
2-Set system time : year 2006
-CTRL+F2 : reload SS2-TRIAL.exe into OllyDbg
-Open the Log window (ALT+L), right-click, choose : Clear window
-Now repeat the steps above to create a second log file, but this time with the system date set forward so that the time trial shows the Expired message.
-After you do as the above steps, you have a second log file : log2.txt
3. Compare the two log files:
After you have completed all the steps again and saved a second log file, you need to compare them.
File log1.txt :
File log2.txt :
I used MS Excel to compare them. You may have noticed that the two files are identical until the address :
y = 0041DDE8
In OllyDbg, go to address : 0041DDE8
In the first log file, the instruction at this address jumps, but in the second log file it doesn't jump.
We need to change the file so that the JLE instruction always jumps.
So the first address to patch is : 0041DDE8
HEX     ASM
-----------------------------
7E      JLE
EB      JMP
4. Patching the program
-Close OllyDbg
-Open HIEW
-ALT+F1 : choose the file to patch
-F4 : select mode : Decode
-F5 : goto address : . 0041DDE8
-F3 : Edit code : change hex “7E” to “EB”
-F9 : Save
-F10 : Exit HIEW
ADDRESS 2# :
-Load SS2-TRIAL.exe into OllyDbg
-Set breakpoint at address 1# : 0041DDE8
-Repeat the steps above
-You have address 2#: 004….. (left for you to find)
ADDRESS 3# :
-Load SS2-TRIAL.exe into OllyDbg
-Set breakpoint at address 2# : 004……..
-Repeat the steps above
-You have address 3#: 0041BD03
NOP at address 0041BD03
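From the defender's side, both patch types used above (a short conditional jump opcode such as 7E overwritten with EB, and an instruction overwritten with NOPs) are easy to detect when a known-good copy of the binary is available. The following Python is an added example, not part of the original tutorial; the sample bytes are constructed and the function names are hypothetical.

```python
from dataclasses import dataclass

JCC_SHORT = range(0x70, 0x80)  # one-byte short conditional jumps; 0x7E is JLE
JMP_SHORT = 0xEB               # unconditional short JMP
NOP = 0x90

@dataclass
class Finding:
    offset: int      # file offset (not a virtual address)
    original: bytes
    patched: bytes
    kind: str

def diff_runs(good: bytes, suspect: bytes):
    """Yield (offset, good_bytes, suspect_bytes) for each run of differing bytes."""
    if len(good) != len(suspect):
        raise ValueError("size mismatch: not an in-place patch, compare hashes instead")
    i, n = 0, len(good)
    while i < n:
        if good[i] == suspect[i]:
            i += 1
            continue
        j = i
        while j < n and good[j] != suspect[j]:
            j += 1
        yield i, good[i:j], suspect[i:j]
        i = j

def classify(orig: bytes, new: bytes) -> str:
    if len(orig) == 1 and orig[0] in JCC_SHORT and new[0] == JMP_SHORT:
        return "jcc-forced"   # branch condition removed, displacement byte untouched
    if all(b == NOP for b in new):
        return "nop-fill"     # instruction blanked out
    return "other"

def find_patches(good: bytes, suspect: bytes) -> list:
    return [Finding(off, o, p, classify(o, p)) for off, o, p in diff_runs(good, suspect)]

# Constructed sample: cmp eax,1Eh / jle +32h / call ... / jnz +5 / xor eax,eax / ret
GOOD = bytes.fromhex("83f81e 7e32 e811000000 7505 33c0 c3")
SUSPECT = bytes.fromhex("83f81e eb32 e811000000 9090 33c0 c3")

if __name__ == "__main__":
    for f in find_patches(GOOD, SUSPECT):
        print(f"{f.offset:#06x} {f.original.hex()} -> {f.patched.hex()} {f.kind}")
```

The reported offsets are file offsets; mapping them to virtual addresses such as 0041DDE8 requires the PE section table. When no reference copy exists, a failed Authenticode signature check on a signed binary indicates the same kind of in-place modification.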
The end
Benina (26/02/2005)