A) Let's crack Microsoft Money 5.0
I'm using the French version (msmoney.exe, 5,022,720 bytes).
My targets:
1) removing the messagebox "Bienvenue dans la version d'évaluation ..." at start-up
2) removing the messagebox "Avis d'expiration" shown once the 90 days are over
3) removing the check that refuses transactions dated outside the 90-day trial
4) removing the messagebox, shown when leaving Money 5, telling you that it will expire in X days
-------
PART 1
-------
Start SoftICE 3.1
Ctrl+D
bpx DialogBoxParamA
Start Money 5.0
When SoftICE breaks, press F12 (P RET) to get back to the caller, and we see this piece of code:
* Reference To: USER32.RegisterClassA, Ord:01ABh
|
:004AB82C FF15C00A6300 Call dword ptr [00630AC0]
:004AB832 6685C0 test ax, ax <---- ax = the class atom; zero means RegisterClassA failed
:004AB835 0F8413010000 je 004AB94E
:004AB83B E8301A0000 call 004AD270
:004AB840 85C0 test eax, eax
:004AB842 0F8406010000 je 004AB94E
:004AB848 56 push esi
:004AB849 56 push esi
* Reference To: USER32.GetDesktopWindow, Ord:00E8h
|
:004AB84A FF15FC0A6300 Call dword ptr [00630AFC]
:004AB850 50 push eax <--- change this (50) into jmp 004AB863 (EB 11)
:004AB851 68C03E4D00 push 004D3EC0 <--- ... so the "Bienvenue dans la version d'évaluation" messagebox at start-up is never shown
:004AB856 685E2F0000 push 00002F5E
:004AB85B E8C020FCFF call 0046D920 <--- calls DialogBoxParamA
:004AB860 83C414 add esp, 00000014
:004AB863 89B5A0FEFFFF mov dword ptr [ebp+FEA0], esi <--- jmp here
:004AB869 89B5CCFEFFFF mov dword ptr [ebp+FECC], esi
:004AB86F 89B5ACFEFFFF mov dword ptr [ebp+FEAC], esi
:004AB875 89B5D8FEFFFF mov dword ptr [ebp+FED8], esi
:004AB87B 89B5A8FEFFFF mov dword ptr [ebp+FEA8], esi
:004AB881 89B5D4FEFFFF mov dword ptr [ebp+FED4], esi
* Reference To: MFC40.MFC40:NoName0026, Ord:03FDh
|
:004AB887 E8D8BF1300 Call 005E7864
:004AB88C 6888130000 push 00001388
:004AB891 8B0DD0BD6200 mov ecx, dword ptr [0062BDD0]
:004AB897 51 push ecx
:004AB898 8985A4FEFFFF mov dword ptr [ebp+FEA4], eax
:004AB89E 8985D0FEFFFF mov dword ptr [ebp+FED0], eax
For Part 1, change the push eax (50) at :004AB850 into jmp 004AB863 (EB 11): the jump lands on 004AB863, past the call, and the start-up messagebox is skipped. (This can be done with a hex editor such as PSEDIT.)
Caveat: the two push esi at 004AB848/004AB849 have already executed when we jump, and the add esp,14 that would balance them is skipped as well. The function addresses its locals through ebp, so the epilogue presumably restores esp and the 8 stray bytes do no harm, but a cleaner patch puts the jump at 004AB848 instead (EB 19, also to 004AB863) so that nothing is pushed at all.
------
PART 2
------
Now we look for GetLocalTime (3 occurrences in the deadlisting):
GetLocalTime at :0045085F (called by 00458056)
:0046A310 (called from many places) <----- this is the interesting one
:005DA0A0 (called by 005D883A / 005DA1D0)
Set the system date outside the 90-day trial period, then start Money.
After the first messagebox "Bienvenue dans la version d'évaluation":
Ctrl+D
bpx GetLocalTime
Press F5 twice, then P RET (F12),
and we are here:
* Reference To: KERNEL32.GetLocalTime, Ord:00E2h
|
:0046A318 FF15B0006300 Call dword ptr [006300B0]
:0046A31E 668B442406 mov ax, word ptr [esp + 06] <--- month
:0046A323 6648 dec ax
:0046A325 66C1E005 shl ax, 0005
:0046A329 6633442402 xor ax, word ptr [esp + 02]
:0046A32E 6625E001 and ax, 01E0
:0046A332 6631442402 xor word ptr [esp + 02], ax <--- bits 5-8 of the result = month - 1
:0046A337 668B44240A mov ax, word ptr [esp + 0A] <--- day
:0046A33C 6648 dec ax
:0046A33E 6633442402 xor ax, word ptr [esp + 02]
:0046A343 66251F00 and ax, 001F
:0046A347 6631442402 xor word ptr [esp + 02], ax <--- bits 0-4 of the result = day - 1
:0046A34C 8B442404 mov eax, dword ptr [esp + 04] <--- year
:0046A350 25FFFF0000 and eax, 0000FFFF
:0046A355 2D9C070000 sub eax, 0000079C <--- 79Ch = 1948, eax = year - 1948
:0046A35A 83F87F cmp eax, 0000007F <--- compare with 7Fh = 127
:0046A35D 7E1F jle 0046A37E
:0046A35F B89CFFFFFF mov eax, FFFFFF9C <--- -100: subtract 100 from the year until year - 1948 <= 127
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046A37C(C)
|
:0046A364 6601442404 add word ptr [esp + 04], ax
:0046A369 8B4C2404 mov ecx, dword ptr [esp + 04]
:0046A36D 81E1FFFF0000 and ecx, 0000FFFF
:0046A373 81E99C070000 sub ecx, 0000079C
:0046A379 83F97F cmp ecx, 0000007F
:0046A37C 7FE6 jg 0046A364
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046A35D(C)
|
:0046A37E 668B442404 mov ax, word ptr [esp + 04]
:0046A383 66C1E009 shl ax, 0009
:0046A387 6633442402 xor ax, word ptr [esp + 02]
:0046A38C 6625FF01 and ax, 01FF
:0046A390 668B4C2404 mov cx, word ptr [esp + 04]
:0046A395 6683E91C sub cx, 001C
:0046A399 66C1E109 shl cx, 0009
:0046A39D 6633C1 xor ax, cx
:0046A3A0 6689442402 mov word ptr [esp + 02], ax <--- ax = (year-1948)<<9 | (month-1)<<5 | (day-1): the packed date, returned in ax
:0046A3A5 83C414 add esp, 00000014
:0046A3A8 C3 ret
After some F10 to understand the scheme (or F12 to be quick),
we are here:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047276D(C), :004727B3(C), :004727F5(C)
|
:0047260C 668B8528020000 mov ax, word ptr [ebp+0228]
:00472613 6689442414 mov word ptr [esp + 14], ax
:00472618 E8F37CFFFF call 0046A310 <--- * here: the routine around GetLocalTime, ax = packed current date
:0047261D 668944246C mov word ptr [esp + 6C], ax
:00472622 6689842478010000 mov word ptr [esp + 00000178], ax
:0047262A 668B442414 mov ax, word ptr [esp + 14]
:0047262F 662500FE and ax, FE00 <--- keep only the year field (bits 9-15) of [esp+14]
:00472633 663D0060 cmp ax, 6000 <--- 6000h: year 1996
:00472637 0F8446020000 je 00472883 <--- the bingo
:0047263D 663D0062 cmp ax, 6200 <--- 6200h: year 1997
:00472641 0F843C020000 je 00472883
:00472647 663D0064 cmp ax, 6400 <--- 6400h: year 1998
:0047264B 0F8432020000 je 00472883
:00472651 8D442414 lea eax, dword ptr [esp + 14]
:00472655 6A01 push 00000001
:00472657 50 push eax
:00472658 E803FAFFFF call 00472060
:0047265D 83C408 add esp, 00000008
:00472660 85C0 test eax, eax
:00472662 0F85A2010000 jne 0047280A
:00472668 66B8E407 mov ax, 07E4
:0047266C 5D pop ebp
:0047266D 5F pop edi
:0047266E 5E pop esi
:0047266F 5B pop ebx
:00472670 81C468020000 add esp, 00000268
:00472676 C3 ret
The Bingo
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00472637(C), :00472641(C), :0047264B(C)
|
:00472883 8B44246C mov eax, dword ptr [esp + 6C] <-- the bingo
:00472887 6A5A push 0000005A
:00472889 50 push eax
:0047288A E8217BFFFF call 0046A3B0
:0047288F 83C408 add esp, 00000008
:00472892 6639442414 cmp word ptr [esp + 14], ax <--- ax and [esp+14] are the two packed dates: the limit date and the current date
:00472897 768E jbe 00472827 <--- the bingo #2
:00472899 6A00 push 00000000
:0047289B 6A00 push 00000000
:0047289D 6A00 push 00000000
:0047289F 6A00 push 00000000
:004728A1 6A00 push 00000000
:004728A3 680F090000 push 0000090F
:004728A8 E883330000 call 00475C30
:004728AD 66B8E407 mov ax, 07E4
:004728B1 83C418 add esp, 00000018
:004728B4 5D pop ebp
:004728B5 5F pop edi
:004728B6 5E pop esi
:004728B7 5B pop ebx
:004728B8 81C468020000 add esp, 00000268
:004728BE C3 ret
The bingo #2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00472897(C)
|
:00472827 668B442414 mov ax, word ptr [esp + 14]
:0047282C 6639842478010000 cmp word ptr [esp + 00000178], ax <--- ax = packed limit date (for example 10/12/97 = 6369h), [esp+178] = packed current date
:00472834 721C jb 00472852 <--- if [esp+178] < ax (current date before the limit), good guy
:00472836 6A00 push 00000000 <--- else the out-of-90-days messagebox (DialogBoxParamA)
:00472838 A1D0306200 mov eax, [006230D0]
:0047283D 6A00 push 00000000
:0047283F 50 push eax
:00472840 68C03E4D00 push 004D3EC0
:00472845 685F2F0000 push 00002F5F
:0047284A E8D1B0FFFF call 0046D920
:0047284F 83C414 add esp, 00000014
For Part 2, change the jb 00472852 (72 1C) at :00472834 into jmp 00472852 (EB 1C), so the expiration messagebox is never reached.
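To check the reading of the routine at 0046A310 and of the year test at 00472633, here is a C re-implementation written for this page; it is added example code, not code from the tutorial or from Microsoft. It assumes (inferred from the stack offsets the routine reads, and confirmed by the 10/12/97 = 6369h value quoted above) that the routine keeps a SYSTEMTIME at [esp+4], so [esp+4] = wYear, [esp+6] = wMonth, [esp+0A] = wDay, and that it builds the 16-bit result in the scratch word at [esp+2]. The function names are mine.

```c
/* Added example, not code from the tutorial or from Microsoft: the date-packing
 * routine at 0046A310 rewritten in C from the listing above, with the inverse
 * and the year-window test at 00472633.  Assumption (inferred from the stack
 * offsets the routine reads): it keeps a SYSTEMTIME at [esp+4], so
 * [esp+4] = wYear, [esp+6] = wMonth, [esp+0A] = wDay, and it builds the
 * 16-bit result in the scratch word at [esp+2]. */
#include <stdint.h>
#include <stdio.h>

/* dst ^= (src ^ dst) & mask: copies the masked bits of src into dst.
 * This is the xor / and / xor idiom at 0046A329..0046A332 and 0046A33E..0046A347. */
static uint16_t insert_bits(uint16_t dst, uint16_t src, uint16_t mask)
{
    return (uint16_t)(dst ^ ((src ^ dst) & mask));
}

/* Packed layout: bits 0-4 = day-1, bits 5-8 = month-1, bits 9-15 = year-1948. */
uint16_t money_pack_date(uint16_t year, uint16_t month, uint16_t day)
{
    uint16_t packed = 0;    /* [esp+2]; whatever it held is fully overwritten */

    packed = insert_bits(packed, (uint16_t)((month - 1) << 5), 0x01E0);
    packed = insert_bits(packed, (uint16_t)(day - 1), 0x001F);

    /* 0046A355..0046A37C: while (year - 79Ch > 7Fh) year -= 100,
     * i.e. the year is pulled down into 1948..2075. */
    while ((int)year - 0x079C > 0x7F)
        year = (uint16_t)(year - 100);

    /* 0046A37E..0046A3A0: keep the low 9 bits, then OR in (year - 1Ch) << 9.
     * 1948 - 1Ch = 1920 = 15*128, so in 16 bits that is (year - 1948) << 9. */
    uint16_t low9 = (uint16_t)(((uint16_t)(year << 9) ^ packed) & 0x01FF);
    uint16_t hi   = (uint16_t)((uint16_t)(year - 0x1C) << 9);
    return (uint16_t)(low9 ^ hi);
}

/* Inverse, for reading values seen in SoftICE (e.g. 6369h). */
int money_packed_year(uint16_t packed)  { return (packed >> 9) + 1948; }
int money_packed_month(uint16_t packed) { return ((packed >> 5) & 0x0F) + 1; }
int money_packed_day(uint16_t packed)   { return (packed & 0x1F) + 1; }

/* 00472633..0047264B: (packed & FE00h) must be 6000h, 6200h or 6400h,
 * i.e. year field 48, 49 or 50 -> 1996, 1997 or 1998. */
int money_year_in_window(uint16_t packed)
{
    uint16_t y = (uint16_t)(packed & 0xFE00);
    return y == 0x6000 || y == 0x6200 || y == 0x6400;
}

int main(void)
{
    uint16_t p = money_pack_date(1997, 12, 10);      /* the tutorial's 10/12/97 */
    printf("10/12/1997 -> %04Xh -> %02d/%02d/%d, year window ok: %d\n",
           p, money_packed_day(p), money_packed_month(p), money_packed_year(p),
           money_year_in_window(p));
    return 0;
}
```

Packing 10 December 1997 gives 6369h, the value the tutorial quotes, and its year field (6200h) is one of the three the test at 00472633 accepts; a date in 1999 (year field 6600h) is not. The clamp loop matters only for years past 2075, where the routine silently subtracts 100 years before packing.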
------
PART3
------
For transactions: we notice that when the date is outside the 90 days
there is a messagebox, so in SoftICE (Ctrl+D):
bpx MessageBoxA
Make a transaction with a bad date,
note the address SoftICE breaks at,
then press F12 four times (each time note the address and bpx it).
(For me:
#1 137:475CC9
#2 137:476605
#3 137:4765DC
#4 137:5C3A70
#5 137:5C4091)
Now make a transaction with a good date
and do the same thing as before:
it never breaks at #1, #2, #3 (no messagebox this time),
only at the common #5 (137:5C4091),
so we look at this piece of code:
:005C4091 E8FAE9FFFF call 005C2A90 <---- here
:005C4096 83C438 add esp, 00000038
:005C4099 85C0 test eax, eax
:005C409B 0F84071D0000 je 005C5DA8
:005C40A1 8B55E8 mov edx, dword ptr [ebp-18]
:005C40A4 8B4D18 mov ecx, dword ptr [ebp+18]
:005C40A7 668B4204
and inside the routine it calls:
* Referenced by a CALL at Address:
|:005C4091
|
:005C2A90 64A100000000 mov eax, fs:[00000000]
:005C2A96 55 push ebp
:005C2A97 8BEC mov ebp, esp
:005C2A99 6AFF push FFFFFFFF
:005C2A9B 68F63C5C00 push 005C3CF6
:005C2AA0 50 push eax
:005C2AA1 64892500000000 mov dword ptr fs:[00000000], esp
:005C2AA8 A1B0336200 mov eax, [006233B0]
:005C2AAD 81ECC0010000 sub esp, 000001C0
:005C2AB3 8D8D34FEFFFF lea ecx, dword ptr [ebp+FE34]
:005C2AB9 53 push ebx
:005C2ABA 56 push esi
:005C2ABB 57 push edi
:005C2ABC 50 push eax
:005C2ABD E8AE21E4FF call 00404C70
:005C2AC2 8B4520 mov eax, dword ptr [ebp+20]
:005C2AC5 8B4D24 mov ecx, dword ptr [ebp+24]
....
....
....
....
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005C2CB6(U), :005C2CBB(U)
|
:005C2CC6 56 push esi
:005C2CC7 8B4DEC mov ecx, dword ptr [ebp-14]
:005C2CCA E861DAFFFF call 005C0730
:005C2CCF 56 push esi
:005C2CD0 E82B76FFFF call 005BA300
:005C2CD5 83C404 add esp, 00000004
:005C2CD8 8B4508 mov eax, dword ptr [ebp+08]
:005C2CDB 6683780C01 cmp word ptr [eax+0C], 0001
:005C2CE0 0F85380D0000 jne 005C3A1E
:005C2CE6 8A06 mov al, byte ptr [esi]
:005C2CE8 8B4D0C mov ecx, dword ptr [ebp+0C]
:005C2CEB 884110 mov byte ptr [ecx+10], al
:005C2CEE E92B0D0000 jmp 005C3A1E
:005C2CF3 8B4DEC mov ecx, dword ptr [ebp-14]
:005C2CF6 51 push ecx
:005C2CF7 E8A4DAFFFF call 005C07A0
:005C2CFC 83C404 add esp, 00000004
:005C2CFF 85C0 test eax, eax
:005C2D01 0F85170D0000 jne 005C3A1E
:005C2D07 837D3000 cmp dword ptr [ebp+30], 00000000
:005C2D0B 7421 je 005C2D2E
:005C2D0D 8B4D3C mov ecx, dword ptr [ebp+3C]
:005C2D10 668B81B5010000 mov ax, word ptr [ecx+01B5]
:005C2D17 663DFFFF cmp ax, FFFF
:005C2D1B 0F842F0D0000 je 005C3A50
:005C2D21 66390564866200 cmp word ptr [00628664], ax <----- the bingo #3: ax = packed date being checked, [00628664] = packed limit date
:005C2D28 0F863B0D0000 jbe 005C3A69 <--- if limit date <= checked date, bad guy
So we neutralise it: overwrite the six-byte jbe with dec eax / inc eax three times (48 40 48 40 48 40), which leaves eax unchanged and falls through to the good path.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005C2D0B(C)
|
:005C2D2E 837D1C00 cmp dword ptr [ebp+1C], 00000000
:005C2D32 6A00 push 00000000
:005C2D34 741E je 005C2D54
:005C2D36 8D45F2 lea eax, dword ptr [ebp-0E]
:005C2D39 8B4D3C mov ecx, dword ptr [ebp+3C]
:005C2D3C 50 push eax
:005C2D3D E83ED9FFFF call 005C0680
:005C2D42 668B00 mov ax, word ptr [eax]
:005C2D45 8B4D3C mov ecx, dword ptr [ebp+3C]
:005C2D48 6689819A000000 mov word ptr [ecx+009A], ax
:005C2D4F E9CA0C0000 jmp 005C3A1E
For Part 3: after bpx 137:5C2A90,
enter a transaction with a bad date,
and after some F10
you reach :005C2D21 cmp word ptr [00628664], ax
:005C2D28 jbe 005C3A69
Change the six bytes at :005C2D28 (0F 86 3B 0D 00 00) into dec eax (48h),
inc eax (40h), three times.
-------
PART 4
-------
When leaving Money 5.0,
if we are 75-89 days from the install date,
Money warns us about it with a messagebox.
So set the system date 75-78 days from the install date,
start Money 5.0,
Ctrl+D
bpx GetLocalTime
then quit Money 5,
then F5 (for the second breakpoint on GetLocalTime),
then F12 (P RET),
and we are here:
:00470517 E8F49DFFFF call 0046A310 <--- the routine around GetLocalTime, ax = packed current date
:0047051C 668945EC mov word ptr [ebp-14], ax <--- [ebp-14] = packed current date
:00470520 66A164866200 mov ax, [00628664] <--- ax = packed limit date (the same global as in Part 3)
:00470526 668945EA mov word ptr [ebp-16], ax <--- store it
:0047052A 663945EC cmp word ptr [ebp-14], ax
:0047052E A1DCFC6100 mov eax, [0061FCDC]
:00470533 735D jnb 00470592 <--- if current date >= limit date, jump to the out-of-trial path (no countdown)
:00470535 8B45EA mov eax, dword ptr [ebp-16]
:00470538 50 push eax
:00470539 E852A2FFFF call 0046A790
:0047053E 83C404 add esp, 00000004
:00470541 668BF0 mov si, ax
:00470544 8B45EC mov eax, dword ptr [ebp-14]
:00470547 50 push eax
:00470548 E843A2FFFF call 0046A790
:0047054D 83C404 add esp, 00000004
:00470550 662BF0 sub si, ax
:00470553 6683FE0F cmp si, 000F <--- si = number of days left
:00470557 A1DCFC6100 mov eax, [0061FCDC]
:0047055C 7F34 jg 00470592 <--- if more than 15 days are left, skip the warning; otherwise fall through and warn us. Change this (7F 34) into jmp 00470592 (EB 34)
:0047055E 0FBFC6 movsx eax, si
:00470561 50 push eax
* Possible StringData Ref from Data Obj ->"%d"
|
:00470562 6828FA6100 push 0061FA28
:00470567 8D45E0 lea eax, dword ptr [ebp-20]
:0047056A 50 push eax
* Reference To: USER32.wsprintfA, Ord:0249h
|
:0047056B FF15080A6300 Call dword ptr [00630A08]
:00470571 83C40C add esp, 0000000C
:00470574 6A00 push 00000000
For Part 4, just change the jg 00470592 (7F 34) at :0047055C into jmp 00470592 (EB 34).
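The four patches above are normally applied with a hex editor, and two things go wrong easily: the addresses SoftICE shows are virtual addresses, not file offsets, and a typo overwrites the wrong bytes. Below is a small patcher written for this page (added example code, not the tutorial's nor Microsoft's) that maps each virtual address through the PE section table and writes only if the original bytes from the listings are really there. The section table and image base in main() are hypothetical placeholders, as are the function names; take the real VirtualAddress, PointerToRawData, SizeOfRawData and ImageBase from the headers of your own copy of msmoney.exe, and work on a copy.

```c
/* Added example, not code from the tutorial or from Microsoft: apply the four
 * byte patches of Parts 1-4 to a COPY of msmoney.exe.  Virtual addresses from
 * SoftICE go through the PE section table to become file offsets, and nothing
 * is written unless the original bytes from the listings are at that offset.
 * The section table and image base in main() are HYPOTHETICAL placeholders. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t virtual_address;   /* section RVA (VirtualAddress) */
    uint32_t raw_pointer;       /* PointerToRawData             */
    uint32_t raw_size;          /* SizeOfRawData                */
} pe_section_t;

typedef struct {
    uint32_t va;                /* address as shown in SoftICE / the deadlisting */
    const uint8_t *expect;      /* bytes the listing shows at that address       */
    const uint8_t *replace;     /* bytes to write instead                        */
    size_t len;
} byte_patch_t;

/* VA -> file offset: RVA = VA - ImageBase; the section holding the RVA maps it to
 * PointerToRawData + (RVA - VirtualAddress).  Returns -1 if no section holds it. */
long pe_va_to_file_offset(const pe_section_t *secs, size_t nsecs,
                          uint32_t image_base, uint32_t va)
{
    if (va < image_base)
        return -1;
    uint32_t rva = va - image_base;
    for (size_t i = 0; i < nsecs; i++) {
        if (rva < secs[i].virtual_address)
            continue;
        uint32_t delta = rva - secs[i].virtual_address;
        if (delta < secs[i].raw_size)
            return (long)(secs[i].raw_pointer + delta);
    }
    return -1;
}

/* Overwrite only when the expected original bytes are present; 1 = patched. */
int apply_byte_patch(uint8_t *image, size_t image_len, long off, const byte_patch_t *p)
{
    if (off < 0 || (size_t)off + p->len > image_len)
        return 0;
    if (memcmp(image + off, p->expect, p->len) != 0)
        return 0;
    memcpy(image + off, p->replace, p->len);
    return 1;
}

/* The four patches; the "old" bytes are the opcodes shown in the listings. */
static const uint8_t p1_old[] = {0x50, 0x68};                         /* push eax ; push 004D3EC0 */
static const uint8_t p1_new[] = {0xEB, 0x11};                         /* jmp 004AB863             */
static const uint8_t p2_old[] = {0x72, 0x1C};                         /* jb  00472852             */
static const uint8_t p2_new[] = {0xEB, 0x1C};                         /* jmp 00472852             */
static const uint8_t p3_old[] = {0x0F, 0x86, 0x3B, 0x0D, 0x00, 0x00}; /* jbe 005C3A69             */
static const uint8_t p3_new[] = {0x48, 0x40, 0x48, 0x40, 0x48, 0x40}; /* dec eax / inc eax x3     */
static const uint8_t p4_old[] = {0x7F, 0x34};                         /* jg  00470592             */
static const uint8_t p4_new[] = {0xEB, 0x34};                         /* jmp 00470592             */

const byte_patch_t money5_patches[4] = {
    {0x004AB850, p1_old, p1_new, sizeof p1_old},   /* Part 1: start-up messagebox */
    {0x00472834, p2_old, p2_new, sizeof p2_old},   /* Part 2: expiration messagebox */
    {0x005C2D28, p3_old, p3_new, sizeof p3_old},   /* Part 3: transaction date check */
    {0x0047055C, p4_old, p4_new, sizeof p4_old},   /* Part 4: days-left warning */
};

/* Apply all four to an in-memory image; returns how many were applied. */
int apply_money5_patches(uint8_t *image, size_t image_len,
                         const pe_section_t *secs, size_t nsecs, uint32_t image_base)
{
    int done = 0;
    for (size_t i = 0; i < 4; i++) {
        long off = pe_va_to_file_offset(secs, nsecs, image_base, money5_patches[i].va);
        done += apply_byte_patch(image, image_len, off, &money5_patches[i]);
    }
    return done;
}

/* Constructed self-check (no real file): a fake section holding only the jb at
 * 00472834.  Exactly one patch must apply, and a second run must apply none. */
int money5_patch_selfcheck(void)
{
    static uint8_t img[0x2000];
    static const pe_section_t s = {0x72000, 0x200, 0x1000};   /* constructed values */
    memset(img, 0, sizeof img);
    img[0xA34] = 0x72; img[0xA35] = 0x1C;   /* 0x200 + (0x72834 - 0x72000) = 0xA34 */
    int first  = apply_money5_patches(img, sizeof img, &s, 1, 0x00400000);
    int second = apply_money5_patches(img, sizeof img, &s, 1, 0x00400000);
    return first == 1 && second == 0 && img[0xA34] == 0xEB && img[0xA35] == 0x1C;
}

int main(int argc, char **argv)
{
    /* HYPOTHETICAL: one section at RVA 1000h, raw data at 400h; replace with yours. */
    pe_section_t secs[] = {{0x1000, 0x400, 0x230000}};
    static uint8_t image[8u << 20];                 /* msmoney.exe is 5,022,720 bytes */
    if (argc != 2) { fprintf(stderr, "usage: %s copy-of-msmoney.exe\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "r+b");
    if (!f) { perror("fopen"); return 1; }
    size_t n = fread(image, 1, sizeof image, f);
    int done = apply_money5_patches(image, n, secs, 1, 0x00400000);
    if (done == 4) { rewind(f); fwrite(image, 1, n, f); }
    fclose(f);
    printf("%d of 4 patches applied%s\n", done, done == 4 ? "" : ", file left unchanged");
    return done == 4 ? 0 : 1;
}
```

Because every patch is checked against the original opcodes first, a wrong section table or a file that has already been patched simply yields "0 of 4 patches applied" and the file is left untouched, which is the behaviour you want from a tool that writes into an executable.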
Well, for Money 5
I think that is OK (of course it is not the best solution ...)