Cracking CSA Nastran - Tutorial by MTB

Tools

W32Dasm, IDA Pro v4.04 (slow but everyone needs a check), Hiew (a good Hex editor) & a brain.

Program History

So who is CSAR/Nastran? A bunch of guys who took on M$C/Nastran (the engineering equivalent of Micro$oft) and got crushed (they sold out to the borg). They existed for a couple of years and got greedy. The 1.2 (1996) version did everything; then PCs got more powerful and you no longer needed a workstation box or the $20,000 version of Nastran. The 97PC version was limited by the disk lock, so the 97PC version was less capable than the 1996 version if you didn't fork out the $20,000.

v1.2 :- Run the installation batch file. Note this is for the Windows 95 version only. Create a test file either by using the demo section or using Femap. To run the program use START>RUN with the following command :-

csanast csa -m 64mw -s c:\scratch

Note csa should be the demo file csa.dat (note the .dat extension). Also note that 64mw is equivalent to 256Mb of memory. This is your output in the csa.f06 file :-

******************************************
This Windows NT Version has expired
Please contact CSAR to update your license
Stop - Program terminated.
******************************************

Searching for "This Windows NT" :-

* Referenced by a CALL at Addresses:
|:00401525 , :004017F6

:00403218 PUSH EBP
:00403219 MOV EBP, ESP
:0040321B PUSH EBX
:0040321C PUSH ESI
:0040321D PUSH EDI
:0040321E PUSH 0
:00403220 PUSH 0
:00403222 PUSH 0
:00403224 PUSH -1

* Possible StringData Ref from Data Obj ->
"(/,/,10X,'This Windows NT Version "
"has expired ',/,10X,'Please contact "
"CSAR to update your license')"

:00403226 PUSH 00F6F604
:0040322B PUSH 6

It is obvious that we don't want to execute these 2 calls, so look at the two referencing addresses, 00401525 and 004017F6.

:00401518 CMP D, [0116A358], 4
:0040151F JNE 0040152A
:00401525 CALL 00403218 <-- Bad CALL #1.

:004017E6 CALL 00F3FA20
:004017EB MOVSX EAX, AL
:004017EE TEST EAX, EAX
:004017F0 JE 004017FB
:004017F6 CALL 00403218 <-- Bad CALL #2.

The solution is very easy: just NOP CALL #1 and #2. All done with the 96 version.

Version 97 :- Run the installation, but do not run csavalid.exe. Use the time limited demo license. Create a test file either by using the demo section or using Femap. Checking the csa.f06 file we find the following message from Ed or Tyler.

Temporary site license has expired
Please run the program csavalid.exe and email
its output (csavalid.out) to lmb@csar.com
If you have questions, Please contact Ed or Tyler at
CSAR (818) 707-6060 and report message HID=3

However it is really hard to contact them since their company no longer exists. Since csanast calls Nastran.exe, let's disassemble this thing with W32Dasm. Note it is a 17 Mb file, so do it overnight, and while you're at it run it through IDA. Search for the string "temporary". Notice that W32Dasm (ditto for IDA) will not show the last couple of lines of the HID=3 message, so just use the third message you find. Yes, they are 1, 2 and 3, right next to each other. It is amazing that this expensive piece of software is protected by this code.

After looking at this code it is pretty obvious that we NEVER want HID>1; in fact we want it to be ZERO. So the first test (the CMP against zero) should send us straight to the end of the routine. There are at least two ways of doing this: set dword ptr [015B9FF4] to a positive value, or just NOP the JLE line. Fortunately the program never checks the dword ptr [015B9FF4] value again.

* Referenced by a CALL at Addresses:
|:004016D0 , :00491ADC , :00491EFD
|
:00492D47 PUSH EBP
:00492D48 MOV EBP, ESP
:00492D4A PUSH EBX
:00492D4B PUSH ESI
:00492D4C PUSH EDI
:00492D4D CMP DWORD PTR [015B9FF4], 0
:00492D54 JLE 00492D5F <-- NOP this.
:00492D5A JMP 00492DE3

:00492D5F MOV EAX, DWORD PTR [EBP+08]
:00492D62 CMP DWORD PTR [EAX], 1 <-- HID=1
:00492D65 JNE 00492D87
:00492D6B PUSH 0
:00492D6D PUSH 0
:00492D6F PUSH 0
:00492D71 PUSH -1

* Possible StringData Ref from Data Obj ->
"(/,1X,'Temporary site license "

:00492D73 PUSH 0109CBC0

:00492D87 MOV EAX, DWORD PTR [EBP+08]
:00492D8A CMP DWORD PTR [EAX], 2 <-- HID=2
:00492D8D JNE 00492DAF
:00492D93 PUSH 0
:00492D95 PUSH 0
:00492D97 PUSH 0
:00492D99 PUSH -1

* Possible StringData Ref from Data Obj ->
"(/,1X,'Temporary site license "

:00492D9B PUSH 0109CDE8

:00492DAF MOV EAX, DWORD PTR [EBP+08]
:00492DB2 CMP DWORD PTR [EAX], 3 <-- HID=3
:00492DB5 JNE 00492DD7
:00492DBB PUSH 0
:00492DBD PUSH 0
:00492DBF PUSH 0
:00492DC1 PUSH -1

* Possible StringData Ref from Data Obj ->
"(/,1X,'Temporary site license "

:00492DC3 PUSH 0109D010

:00492DE3 JMP 00492DE8 <-- This is where we want to jump to.
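As an added illustration (not code from CSA/Nastran or from this tutorial), here is the logic of the routine at 00492D47 written out in C, followed by the kind of self-check on the gate's own bytes that would catch the NOP patch described above (the same check applies to the NOPed CALL sites in the 1.2 version). The byte values are an assumption derived from the listing: the JLE at 00492D54 spans 00492D54..00492D59, so it is the six-byte 0F 8E rel32 form.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Models DWORD PTR [015B9FF4]: the one global the whole gate hinges on. */
static int32_t g_license_state = 0;

void set_license_state(int32_t v) { g_license_state = v; }

/* Message chosen by the routine at 00492D47: 0 = none, 1..3 = HID=1..3. */
int license_gate(int32_t hid)
{
    /* CMP [015B9FF4],0 / JLE 00492D5F: anything positive jumps past all
     * three messages to 00492DE3, and the global is never checked again. */
    if (g_license_state > 0)
        return 0;
    /* 00492D62 / 00492D8A / 00492DB2: HID selects which FORMAT string
     * is pushed; any other value falls through with no message. */
    if (hid >= 1 && hid <= 3)
        return (int)hid;
    return 0;
}

/* Expected encoding of "JLE 00492D5F" at 00492D54. The listing shows the
 * instruction occupying 00492D54..00492D59, i.e. the six-byte 0F 8E rel32
 * form with rel32 = 0x00492D5F - 0x00492D5A = 5 (an assumption derived
 * from the addresses, not bytes read from the binary). */
static const uint8_t EXPECTED_JLE[6] = {0x0F, 0x8E, 0x05, 0x00, 0x00, 0x00};

/* Simplest mitigation for "just NOP the JLE": before trusting the gate,
 * compare the gate's own bytes with what the build emitted. Returns 1 if
 * they differ (e.g. overwritten with 0x90 NOPs) or cannot be read, else 0. */
int gate_is_tampered(const uint8_t *site, size_t len)
{
    if (site == NULL || len < sizeof EXPECTED_JLE)
        return 1;
    return memcmp(site, EXPECTED_JLE, sizeof EXPECTED_JLE) != 0;
}
```

A single comparison of a global that is never re-read, plus a shared error routine that a string search finds in seconds, is the weakest form such a check can take; re-checking from several sites and verifying the check's own code are the usual first hardening steps.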

OK, make the change and re-run the case. It crashes and burns again, this time in a different spot, with another nasty message from Ed and Tyler.

---------------------------------------------------------------------
         This Win/NT or Win/95 Version has expired
         Please contact CSAR to update your license
---------------------------------------------------------------------

Another fix is needed, just like v1.2 (1996). Remember to study the old protections, because they very seldom change!

* Referenced by a CALL at Addresses: <-- The offending message CALL.
|:004021D5 , :004027B4
|
:004AB525 PUSH EBP
:004AB526 MOV EBP, ESP

* Possible StringData Ref from Data Obj ->
"(/,/,10X,'This Win/NT or Win/95 "
"Version has expired ',/,10X,'Please "
"contact CSAR to update your license')"

Backtracking to the 2 calling routines :-

:004021CF JNE 004021DA <-- Patch to a JMP.
:004021D5 CALL 004AB525 <-- BAD CALL #1.

:004027A4 CALL 01058490
:004027A9 MOVSX EAX, AL
:004027AC TEST EAX, EAX
:004027AE JE 004027B9 <-- Patch to a JMP.
:004027B4 CALL 004AB525 <-- BAD CALL #2.

That's it, you're done! We could have found the exact routine that triggered this error message, either by using the debugger portion of W32Dasm or SoftICE, but the brute force method works. FYI v1.2 was supposed to stop on the first day of 2000, but it continued working through 2000 until the first day of 2001, at which point it croaked. The 97 version did not work in 2000 or 2001 until it was fixed. This is what the output looks like in the csa.f04 file. Notice the Y2K BUG! Notice also that the machine serial ID is 0 and our license has expired.

      ********************************************************************
      C S A / N A S T R A N    P C    E X E C U T I O N    S U M M A R Y
      ********************************************************************
                         DATE OF EXECUTION    22-Jan-00
                         ------------------------------
                         CSA/NASTRAN VERSION - 97pc
                         SYSTEM GENERATION   - 6/11/97
                         REVISION            - 0000
                         MACHINE SERIAL ID   - 0
                         LICENSE EXPIRATION  - 12/31/1999

                         LICENSED CAPABILITIES
                         ---------------------
                         Unlimited NODEs
                         Static Analysis
                         Inertia Relief
                         Normal Modes
                         Buckling
                         Complex Eigenvalue
                         Frequency Response
                         Transient Response
                         Statics with GAP
                         Heat Transfer
                         Aero
                         Cyclic Symmetry
                         Superelements
                         Substructuring
                         DSA
                         Optimization
                         Multiple Superelements
                         Nonlinear

Greets

+fravia for showing the way, CrackZ for putting it all together for me.

MTB.




© 1998, 1999, 2000, 2001 MTB, Hosted by CrackZ. 2nd February 2001.