=====================================================================
Target : Sonic Foundry Noise Reduction Plug-In
Version : 2.0a (update)
Type : Module (dll)
Name : sfnrpack.dll
Done by : UmanErrOr
=====================================================================
Stuff for insiders
==================
> For some history, get the early patch for version 2.0 about
this stuff [CrackStory.nfo].
> Disabled the GetSystemTime check by changing the jne that follows it
> This function is only used at the init of each
plugin routine of sfnrpack at startup, and it enables/disables
the trial period after 7 days of
using the plugin, i.e. counted from when the plugin was installed.
Why the GetSystemTime function and not the serial/machinecode ?
----------------------------------------------------------------
Like the version 2.0 DEMO, this update still has the lousy
GetSystemTime function call into the kernel to check if the
trial period has expired. The procedure of reversing
and debugging this event is basically the same as in version
2.0. However, the routine has changed slightly; it was a matter
of minutes to find the bug and fix it.
At the beginning I had to choose: either disable the serial
and unlock-key functions, or disable the trial-period function.
A serial number is floating around on the inet (thanks to our Russian
friends of the RHA). Remember, this is not the unlock-key !!!
The unlock-key routine had to be found or disabled,
but changing your machine, and with it its machine number, does not
make this annoying popup for a new unlock-key go away. :-(
So, the logical option is to disable the trial-check
routine to avoid this problem in the future. :-)
The job and how to.
-------------------
> Hit WaveLab, set a bpx GetSystemTime and run the plugin.
> And what did I see ?
> Some breaks at GetSystemTime !
> Forget the first break at this one [just an ord init]
> Now we are getting somewhere;
> 0x004565E4 <== Wow, this one is activated a lot for a start,
looking for the time set in the registry and the current
system time. Hey, this is an update, remember ?
> Ok, now see what it does with the systemtime changed to 2004...
> Hey, instead of no jump, it wants to jump...
> Ok, now I'm sure this is the one... let's check
and hit r fl z
> No jump this time, and I'm still in my trial period,
in 2004 that is...:-)
> Now change it to je..
> That works ok, no jump..
> Change the date for a few years... still no jump...
> That's it for now, get HIEW and do it for ever...
> Run again, play with the dates, it's still in trialmode :-)
and no serials or unlock-keys are asked...:--))
> Have a drink, put some music on, do the twist and go for it.
The routine
-----------
- s -
.004565DB: 8BCF mov ecx,edi
.004565DD: E8BE050000 call .000456BA0
.004565E2: 85C0 test eax,eax
.004565E4: 7516 jne .0004565FC << Here is the silly thing
.004565E6: 8BCF mov ecx,edi
.004565E8: E8C3020000 call .0004568B0
.004565ED: 85C0 test eax,eax
.004565EF: 750B jne .0004565FC
.004565F1: 5F pop edi
.004565F2: 5E pop esi
.004565F3: 5D pop ebp
.004565F4: 83C8FF or eax,-001
.004565F7: 5B pop ebx
.004565F8: 83C408 add esp,008
.004565FB: C3 retn
-es-
Now we change [within Hiew or something like that]:
.004565E4: 7516 jne .0004565FC
In hex that is (the 16 bytes starting at .004565E0):
00 00 85 C0-75 16 8B CF-E8 C3 02 00-00 85 C0 75
            ^^ 75 = jne
into:
.004565E4: 7416 je .0004565FC
In hex that is:
00 00 85 C0-74 16 8B CF-E8 C3 02 00-00 85 C0 75
            ^^ 74 = je
and save it...
Ok, let's make the patch and we are done. :-)
Well, that was very, very easy.
Why do they still write this silly protection ?
You may polish this asm up with your own ideas about debugging,
so some of the routine can be nopped; however, changing a single byte
to achieve the same is much easier... Try for yourself.
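Added example, not part of the original NFO: a small Python script that decodes the two-byte short Jcc at .004565E4 from the 16-byte HIEW window quoted above (which, per the listing, starts at .004565E0) and shows the defender's side of the story, namely that a known-good hash over the protected code region flags the single-byte jne/je flip. The rel8 jump encoding and the target arithmetic (address + 2 + sign-extended displacement) are standard x86; the byte window and digest are constructed here from the dump on this page, nothing is taken from the real sfnrpack.dll.

```python
# Added example (not from the NFO, not Sonic Foundry code).
# Decodes the short conditional jump at .004565E4 and demonstrates how an
# integrity check over the code window would detect the jne -> je patch.
from hashlib import sha256

# Short (rel8) conditional jump opcodes: 0x74 = je/jz, 0x75 = jne/jnz.
SHORT_JCC = {0x74: "je", 0x75: "jne"}

# Constructed from the HIEW line in the NFO. The listing shows the call at
# .004565DD is E8 BE 05 00 00, so the "00 00" that opens the dump is at
# .004565E0 and "75 16" sits at .004565E4.
WINDOW_BASE = 0x4565E0
ORIGINAL = bytes.fromhex("000085C075168BCFE8C302000085C075")
PATCHED = bytes.fromhex("000085C074168BCFE8C302000085C075")  # 75 -> 74


def decode_short_jcc(window: bytes, base: int, addr: int):
    """Decode a 2-byte Jcc rel8 located at `addr` inside `window`,
    where `window` is loaded at `base`. Returns (mnemonic, target).
    Target = address of the instruction + 2 + sign-extended rel8."""
    off = addr - base
    opcode, rel8 = window[off], window[off + 1]
    if opcode not in SHORT_JCC:
        raise ValueError(f"no short jcc at {addr:#x}: opcode {opcode:#04x}")
    rel = rel8 - 0x100 if rel8 & 0x80 else rel8
    return SHORT_JCC[opcode], addr + 2 + rel


def check_integrity(window: bytes, expected_digest: str) -> bool:
    """Defender-side check: compare the code window against a known-good
    SHA-256 taken from the unmodified binary. Any one-byte flip changes it."""
    return sha256(window).hexdigest() == expected_digest


# Digest of the unmodified window, as a build step would record it.
GOOD_DIGEST = sha256(ORIGINAL).hexdigest()

if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("patched", PATCHED)):
        mnemonic, target = decode_short_jcc(blob, WINDOW_BASE, 0x4565E4)
        status = "ok" if check_integrity(blob, GOOD_DIGEST) else "TAMPERED"
        print(f"{name:8s}: {mnemonic} {target:#x}   integrity={status}")
```

Both windows decode to a jump to .0004565FC, which is exactly the target HIEW shows (0x4565E4 + 2 + 0x16); only the condition differs. The hash check is the cheapest defence a vendor could have used here: a single byte flipped in the trial-check routine changes the digest, whereas the routine as shipped trusts the branch itself.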
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tanx to the boyz and girlz from SoftICE;
the HIEW crew;
The creators of IDA -- great tool --;
And last but not least; the SFNR team who made this possible ;-)