Download IRIS5 demo Unlock patch by CW2K

Added to site: 2006-05-20
Rating: 94/100
Votes: 10


iris5demounlockpatchcw2k.zip (18729 bytes)

name size compressed
src/ 0 0
src/diablo2oo2's Universal Patcher - [dUP].url 93 95
src/iris5_demo_unlock.dUP2 5056 1824
info.txt 13878 4328
IRIS5_demo_Unlock_patch.exe 22016 9867
src/elic.asm 3871 1206
src/elic.bat 419 266
src/elic.def 418 219

info.txt

Iris - The Network Traffic Analyzer 5.02 Demo
=============================================


Stop the 'eEye Iris Agent' service before patching - either run 'service.msc' or enter 'net stop irisSvc'.
After patching, run it again: 'net start irisSvc'
The following limitations will be removed:
* Any data is decoded - not only packets with local IP
* Capture doesn't stop after 60 minutes
* There are more than 10 Address book entries allowed
* No NagSlash at start
* Licence Management elic.dll is replaced by a dummy-dll

The patch patterns have been tested with version 5.02, but maybe this patch will also work for future versions.


Sorry some functions are simply missing and can't be enabled in the demo.
Well at least it seems that all functionality is still left inside
irisSvc.exe and it should be possible to rewrite the call to use it.
For ex. to replace
MsgBox("This feature is not functional in the EVALUATION version")
with
RPC_AddrBook_Save("address.bok")
However, I tried: copying the PRC_Call body from 'RPC_Capture_LoadFile',
replaced the ID with 2D so RPC_AddrBook_Save is called instead.
And indeed irisSvc.RPC_AddrBook_Save is called, but when it gets the parameters
it crashes...
This crappy M$ RPC Crap - who needs this anyway. To run client & serverpart on
different machines? Man, this is stupid, who needs this - I'd like to run always both
Client & Server on the same machine like every normal program and with this RPC-Call
performance overhead. Also this RPC-Shit is a big welcome door for worms & viruses.
So the best would be if you could turn it off completely - but as long as programs
make use of it this is a bad idea. Without having RPC and lsass running
you won't need a 'firewall' anymore...

* Unlimited capture time and capture buffer size
* Decode captured data from any network device
* Edit and send packets to the network for testing
* Show real-time data statistics in graphical charts
* Save custom created capture filters for later use
* Unlimited address book size for creating filters

HKEY_LOCAL_MACHINE\SOFTWARE\eEye\Iris\{Iris502demo}
0	NoDebug (default)
1	level1
2	level2

addr limit
83 7D ?? 09 0F 8F

only local IP
00460ED6              .  E8 1559FFFF   CALL    004567F0
00460EDB              .  3B86 84010000 CMP     EAX, [ESI+184]
00460EE1              .  0F85 A5000000 JNZ     00460F8C
00460EE7              .  A1 38004C00   MOV     EAX, [4C0038]
00460EEC              .  8B40 14       MOV     EAX, [EAX+14]
00460EEF              .  83E8 00       SUB     EAX, 0                           ;  Switch (cases 0..2)
E8 ?? ?? ?? ?? 3B 86 ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? A1 38 00 4C 00 8B 40 14 83

No Nag Slash
00467D13              > \6A 00         PUSH    0
00467D15              .  8D8D 08E9FFFF LEA     ECX, [EBP-16F8]
00467D1B              .  E8 70CCFFFF   CALL    00464990
00467D20              .  8D8D 08E9FFFF LEA     ECX, [EBP-16F8]
00467D26              .  C645 FC 0F    MOV     [BYTE EBP-4], 0F
00467D2A              .  E8 3D710100   CALL                         ;  JMP to 
8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? b9
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90


allow regmon
00467D5B              .  68 44FA4900   PUSH    0049FA44                         ;  ASCII "Win95 Registry Monitor"
00467D60              .  6A 00         PUSH    0
00467D62              .  E8 29CAFFFF   CALL    00464790
00467D67              .  85C0          TEST    EAX, EAX
00467D69              .  0F85 E9030000 JNZ     00468158
00467D6F              .  68 3CFA4900   PUSH    0049FA3C                         ;  ASCII "Regmon"
00467D74              .  50            PUSH    EAX
00467D75              .  E8 16CAFFFF   CALL    00464790
00467D7A              .  85C0          TEST    EAX, EAX
00467D7C              .  0F85 D6030000 JNZ     00468158

68 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 85
C0 0F 85 ?? ?? ?? ??
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90


No nag when load Cap-files
004075C1  |.  83C4 04       |ADD     ESP, 4
004075C4  |.  6A 00         |PUSH    0
004075C6  |.  6A 00         |PUSH    0
004075C8  |.  6A 00         |PUSH    0
004075CA  |.  6A 00         |PUSH    0
004075CC  |.  6A 08         |PUSH    8		;Nag_Capture_Stopped_onCapLoad
004075CE  |.  8BC8          |MOV     ECX, EAX
004075D0  |>  E8 FB1B0000   |CALL    
004075D5  |.  8D4C24 50     |LEA     ECX, [ESP+50]

6A 00 6A 00 6A 00 6A 00 6A 08 8B ?? E8 ?? ?? ?? ??
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90


* Unlimited capture time
find RPC_Capture_StopCapture
00410DB0 >/$  68 185F4200   PUSH    00425F18                         ;  ASCII "RPC_Capture_StopCapture"
00410DB5  |.  68 A8494200   PUSH    004249A8                         ;  ASCII "%s called"
00410DBA  |.  E8 91E4FFFF   CALL    0040F250
check refs...


	0041C0BA   .  E8 51FAFFFF   CALL    
0041C0BF   .  A1 38BC4200   MOV     EAX, []
0041C0C4   .  85C0          TEST    EAX, EAX
0041C0C6   .  74 42         JE      SHORT 

0041C0C8   .  FF15 8C404200 CALL    [<&KERNEL32.GetTickCount>]       ; [GetTickCount
0041C0CE   .  2B05 38BC4200 SUB     EAX, []
0041C0D4   .  3D 80EE3600   CMP     EAX, 36EE80                      ;  3600000msec ->1 hour
0041C0D9   .  76 2F         JBE     SHORT 

0041C0DB   .  C705 38BC4200>MOV     [DWORD ], 0
0041C0E5   .  E8 C64CFFFF   CALL            ;  bad
0041C0EA   .  8B4D 04       MOV     ECX, [EBP+4]
0041C0ED   .  51            PUSH    ECX
0041C0EE   .  E8 2D88FEFF   CALL    
0041C0F3   .  83C4 04       ADD     ESP, 4
0041C0F6   .  6A 00         PUSH    0
0041C0F8   .  6A 00         PUSH    0
0041C0FA   .  8D5424 20     LEA     EDX, [ESP+20]
0041C0FE   .  52            PUSH    EDX
0041C0FF   .  6A 04         PUSH    4
0041C101   .  6A 09         PUSH    9			;Nag_Capture_Stopped_onCapture
0041C103   .  8BC8          MOV     ECX, EAX
0041C105   .  E8 C6D0FEFF   CALL    
ok_keep_it_running 8B45 4C  MOV     EAX, [EBP+4C]
A1 ?? ?? ?? ?? 85 C0 74 ?? FF 15 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? 3D 80 EE 36 00 76 ??
42 00 00 00 00 00 E8 C6 4C FF FF





PRC_CALLS is Iris.exe
Address    Disassembly
0043A60D   PUSH    1B	RPC_Capture_UseSchedule"
0043A6FF   PUSH    1C
1d	RPC_Capture_InsertPacket"
1e RPC_PacketBuffer_GetMappedName
0043A81F   PUSH    1F
0043A98F   PUSH    20
21	"RPC_PacketBuffer_GetPacketFrame"  "%s called, instanceId=%d, mapname=%s, index=%d"

Found sequences


