+HCU 1997, Project2: Winice cracking
Phase 3

Courtesy of Fravia's page of reverse engineering


I wrote the follwing after +RCG's first essay (more on Winnie):
Apparently Numega's guys reacted very quickly to the information above. The new downloads from their site DO NOT HAVE any more the
; Eval expiration date - DO NOT REMOVE!
string... :-) Funny, isn't it?

And This essay was an answer from Frog's print:

Phase 3

By Frog's print - 26 May 1997

No, unfortunately they didn't! Not yet...



I downloaded SoftIce 3.01 Win95 today (Friday 23,1997) at Numega's web site (the

quickest way to get it (and the documentation) without their registration form

is : http://www.numega.com/eval/evareq6_stp2.ht) and re-installed it.



I DID find the "Eval expiration date - DO NOT REMOVE!..." string inside

WinIce.dat.



The reason is that right BEFORE installing it I DELETED in the Registry the

following values:



        HkeyLocalMachine\SOFTWARE\Microsoft\Windows\Help

	OleGUIDHigh	

	OleGUIDLow	



Those values are ONLY used by Loader32.exe and the SetUp program.



The values inside WinIce.dat (Eval expiration date...) are ONLY used by

WinIce.exe.



Rename "HkeyLocalMachine\SOFTWARE\Microsoft\Windows\Help" or delete it and then

fire Loader32.exe. You'll get the following error message:



 "Access violation at address 78608952.Read of address 78608952".



Then, Loader32 will pop-up and you'll see:

 

 In the status bar       : "Soft-Ice not loaded"       ; even if it IS!!

 In the main window : "Blah blah blah"               ; funny isn't it?



You'll get a similar message if you delete or rename "OleGUIDHigh" or

"OleGUIDLow" but in such a case, WinIce.exe will be active.



Now, if the 'eval Expiration...' line in winice.dat is removed or does not

appear in your WinIce.dat, WinIce.exe will NEVER work but the Loader will.



The SetUp program just checks the Registry for "OleGuidHigh" and "OleGuidLow" to

see if a copy of SoftIce (14 days trial) has previously been installed on your

computer (the UnInstall program does not remove them).



If so, it will not add the installation date string inside WinIce.dat even if

your evaluation period has not yet expired and you could not use SoftIce any

longer (and it will not change the values in the Registry as well).



This is just because Numega's guys don't want you to re-install it as many times

as you want in order to use the program after the 14 days trial period.



So, without cracking WinIce.exe, NmTrans.dll and Loader32.exe, you can use

SoftIce FOREVER as long as,  when you re-install it after you trial period, yo 

delete the values located in the Registry.



 Again, this is just another very simple (and from our point of view rather 

disappointing!) trick/protection from Numega! Cmon guys, you can protect 

better than that!



PS: To check the above comments, the best is to install and then re-install

SoftIce using a "Spy" program like TechFacts 95 v1.30 (3/7/97) (from

DeanSoftware Desing - who released InfoSpy) available at:

http://ourworld.compuserve.com/homepages/deansoft

I use it each time I install a program and it is very helpful (BTW, as it is

shareware, you may want to crack it by searching for "C6051AF34C0001" and 

replace with "C6051AF34C0000"! :-)



Frog's Print -



You are deep inside fravia's page of reverse engineering, choose your way out:

homepage links red anonymity +ORC students' essays tools cocktails
antismut CGI-tricks search_forms mailFraVia
Is software reverse engineering legal?