IDA-Cracking: QuickView Plus 4.5 for Win95
('grayed' menu options - nag - timelock)


by Snatch
(5 November 1997, slightly edited by fravia+)



Courtesy of fravia's page of reverse engineering

Well, here is another essay by Snatch, once more some sound IDA cracking, once more a timelock target (it uses GetProcAddress to call everything). This is typical Visual Basic. To clear the 'aThelab' question I suggest you all play a little more with the amazing (and indeed SCARY POWERFUL) reversing tool by the great reverser at NuMega: SmartCheck (which carries a protection that Ryckman should be ashamed of, and has been quickly reversed by Snatch himself inside snatch1.htm). Enjoy!


Cracking QuickView Plus 4.5 for Windows 95

By Snatch



Recently I came upon this new version of QuickView that I thought would replace the one that comes with Windows. It did; it was better! But there was a 30-day trial limit. Stupidly, even with a practically fully working IDA Pro, I started putting breakpoints and working with SoftICE. BPX GetLocalTime was fatal. I wasn't thinking; I started stepping through... all of a sudden there was something like: Call [403322]. Oh NO! My monitor. What happened! It was blown up and very dark. After 2 days of testing the video board, etc., I determined that it was my monitor that had failed. I tested one other monitor, but it gave the same results because the drive was set down, and this led me to believe that it was something else.

OK, to the crack:

I now loaded up IDA Pro with what monitor I had left and cracked my target. Well, it actually took 2 and a half days, but who is counting?

First of all, let's crack the irrelevant part. There is a menu item under Help, 'Inso on the Web', 'Register QuickView Plus', that is grayed. How do we ungray it? Let's load up the Symantec 16- AND 32-bit Resource Workshop. We look through the menus of QVP.DLL (the main program file for QuickView). There is the ID, #25Bh. Let's go to IDA and search for that: 2 occurrences, at 201D6E91 and 201D6984.

At 6E91 they are building the menu, but at 6984 they are doing this:

Gray_option_scheme

201D6976    mov     ecx, [esi+108h]    ; hMenu
201D697C    cmp     eax, 1
201D697F    sbb     eax, eax           ; eax = -1 if eax was 0, else 0
201D6981    neg     eax                ; eax = 1 (MF_GRAYED) if eax was 0, else 0 (MF_ENABLED)
201D6983    push    eax                ; uEnable
201D6984    push    25Bh               ; uIDEnableItem: let's make this 0
201D6989    push    ecx                ; hMenu
201D698A    call    ds:EnableMenuItem  ; enables, disables or grays the menu item



We have now applied half of the patching that has to be done :-)

On to the nag screen! If we check the Symantec resource editor once again, we find that the nag screen's dialog ID is 77h. Search for it in IDA and find this:



Nag_screen_scheme

201DD0BD  cmp     bl, 68h                ; some sort of table for dialogs
201DD0C0  jnz     short loc_201DD0DA     ; let's patch this so it always jumps,
201DD0C2  push    ebp                    ; then the dialog cannot display (dwInitParam)
201DD0C3  mov     eax, ds:dword_201ECDA8 ; hInstance
201DD0C8  push    offset loc_201DCB70    ; dialog procedure: the sub that gets the dialog input,
201DD0CD  push    0                      ; it will push a 1 when you say continue (hWndParent = 0)
201DD0CF  push    77h                    ; nag dialog template ID
201DD0D1  push    eax                    ; hInstance
201DD0D2  call    ds:DialogBoxParamA
201DD0D8  jmp     short loc_201DD121
201DD0DA ; ---------------------------------------------------------------
201DD0DA
201DD0DA loc_201DD0DA
201DD0DA  cmp     bl, 60h



Now the final patch: the date patch.

QuickView uses the TimeLock library but does not list it in its import directory. Instead it uses GetProcAddress to resolve everything. In the same sub where the dialogs are shown, they load this DLL. I have done some work in finding that 201EA970 is previously loaded with the address of TIMELOCK!TRIALENVIRONMENTOPEN. This checks the date:



Date_scheme

201DD05A  push    offset aThelab      ; I still don't understand this
201DD05F  call    ds:dword_201EA970   ; our TimeLock call (TrialEnvironmentOpen)!
201DD065  cmp     eax, 1897Ch
201DD06A  jz      short loc_201DD073  ; good guy with time left
201DD06C  cmp     eax, 1A143h
201DD071  jnz     short loc_201DD09E  ; bad guy ran out of time

There are two ways to patch this:

1) force the first jump, or
2) nop the second jump.

Let's only change one byte and force the first jump.



Conclusion:

The patches that we need to apply, discussed above in this essay, are the following, using file offsets:

Offset 5D85: 5B->00
Offset 5D86: 02->00
Offset C46A: 74->EB
Offset C4C0: 75->EB
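As an added example (not part of Snatch's essay), here is a Python integrity check that reports whether a copy of QVP.DLL still carries the original bytes at the three patch sites listed above, which is what a defender would run to spot a tampered binary. The VA-to-file-offset delta is derived from the essay's own pair (jz at 201DD06A is file offset C46A) and is an assumption, and the image it runs on is a constructed zero-filled stand-in, not the real DLL.

```python
from dataclasses import dataclass

# Delta between IDA virtual addresses and the conclusion's file offsets, derived
# (assumption) from the essay's jz at 201DD06A <-> file offset C46A.
VA_TO_FILE_DELTA = 0x201DD06A - 0xC46A   # 0x201D0C00

def va_to_file_offset(va: int) -> int:
    return va - VA_TO_FILE_DELTA

@dataclass(frozen=True)
class PatchSite:
    va: int          # virtual address of the bytes that get patched
    original: bytes  # bytes the untouched QVP.DLL carries there (from the essay)
    purpose: str

# The three sites from the conclusion: the little-endian imm32 of "push 25Bh"
# (5B 02), the jz (opcode 74) on the TrialEnvironmentOpen result, and the jnz
# (opcode 75) that decides whether DialogBoxParamA shows dialog 77h.
PATCH_SITES = (
    PatchSite(0x201D6985, b"\x5b\x02", "menu ID passed to EnableMenuItem"),
    PatchSite(0x201DD06A, b"\x74", "jz on TrialEnvironmentOpen result"),
    PatchSite(0x201DD0C0, b"\x75", "jnz guarding the nag DialogBoxParamA"),
)

def check_sites(image: bytes, sites=PATCH_SITES) -> dict:
    """Map each site's file offset to 'intact', 'modified' or 'out_of_range'."""
    report = {}
    for site in sites:
        off = va_to_file_offset(site.va)
        end = off + len(site.original)
        if off < 0 or end > len(image):
            report[off] = "out_of_range"
        elif image[off:end] == site.original:
            report[off] = "intact"
        else:
            report[off] = "modified"
    return report

def is_tampered(image: bytes) -> bool:
    """True unless every known site still holds its original bytes."""
    return any(state != "intact" for state in check_sites(image).values())

def constructed_image(size: int = 0x10000) -> bytes:
    """Constructed stand-in for QVP.DLL: zeros except the essay's original bytes."""
    buf = bytearray(size)
    for site in PATCH_SITES:
        off = va_to_file_offset(site.va)
        buf[off:off + len(site.original)] = site.original
    return bytes(buf)
```

To check a real file, pass `open(path, "rb").read()` to `is_tampered`; a truncated or differently laid-out build shows up as `out_of_range` rather than as a false "intact".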

Snatch '97

(c) Snatch 1997. All rights reversed