IDA-Cracking: QuickView Plus 4.5 for Win95
('grayed' menu options - nag - timelock)
by Snatch
(5 November 1997, slightly edited by fravia+)
Courtesy of fravia's page
of reverse engineering
Well, here is another essay by Snatch,
once more some sound IDA cracking,
once more a timelock target:
(uses GETPROCADDRESS to call everything). This is typical Visual Basic. To
clear the 'aThelab' question I suggest you all play a little more with the
amazing (and indeed SCARY POWERFUL) reversing tool by the great reverser at
Numega: Smartcheck (which carries a protection that
Ryckman should be ashamed of, and has been quickly reversed by Snatch himself inside snatch1.htm). Enjoy!
Cracking QuickView Plus 4.5 for Windows 95
By Snatch
Recently I came upon this new version of QuickView that I thought
would replace the one that comes with Windows. It did; it was
better! But there was a 30 day trial limit. Stupidly, even with
a practically fully working IDA Pro, I started putting breakpoints
and working with SoftICE. BPX GetLocalTime was fatal. I wasn't
thinking; I started stepping through... all of a sudden there was
something like: Call [403322]. Oh NO! My monitor. What happened!
It was blown up and very dark. After 2 days of testing the video
board, etc., I determined that it was my monitor that had failed.
I tested one other monitor but it gave the same results because the
drive was set down, and this led me to believe that it was something
else.
OK, to the crack:
I now loaded up IDA Pro with what monitor I had left and cracked my
target.
Well, it actually took 2 and a half days, but who is counting?
First of all, let's crack the irrelevant part. There is a menu item under
Help > Inso on the Web > Register QuickView Plus that is grayed.
How do we ungray it? Let's load up Symantec's 16 AND 32 BIT Resource
Workshop. We look through the menu for QVP.DLL (the main program file
for QuickView). There is the ID, #25Bh. Let's go to IDA and search for
that: 2 occurrences.
At 201D6E91 and 201D6984.
At 6E91 they are building the menu, but at 6984 they are:
Gray_option_scheme
201D6976 mov ecx, [esi+108h]
201D697C cmp eax, 1
201D697F sbb eax, eax
201D6981 neg eax
201D6983 push eax
201D6984 push 25Bh ; let's make this 0
201D6989 push ecx
201D698A call ds:EnableMenuItem ; Enable/disable/grays
We have now applied half of the patching that has to be done :-)
On to the nag screen! If we check out the Symantec resource editor once
again, we find that the nag screen's ID is 77h.
Search in IDA and find this:
Nag_screen_scheme
201DD0BD cmp bl, 68h ; some sort of table for dialogs
201DD0C0 jnz short loc_201DD0DA ; let's patch this to make it jump,
201DD0C2 push ebp ; then the dialog cannot display.
201DD0C3 mov eax, ds:dword_201ECDA8
201DD0C8 push offset loc_201DCB70 ; offset of the sub called when you give the dialog input,
201DD0CD push 0 ; it will push a 1 when you say continue
201DD0CF push 77h
201DD0D1 push eax
201DD0D2 call ds:DialogBoxParamA
201DD0D8 jmp short loc_201DD121
201DD0DA ; ---------------------------------------------------------------------------
201DD0DA
201DD0DA loc_201DD0DA
201DD0DA cmp bl, 60h
Now the final patch: the date patch.
QuickView uses the timelock library but does not list it in its import
directory. Instead it uses GETPROCADDRESS to call everything.
In the same sub where the dialogs are shown, they load this DLL.
I have done some work and found that 201EA970 has previously been
loaded with the address of TIMELOCK!TRIALENVIRONMENTOPEN.
This checks the date:
Date_scheme
201DD05A push offset aThelab ; I still don't understand this
201DD05F call ds:dword_201EA970 ; our time lock call!
201DD065 cmp eax, 1897Ch
201DD06A jz short loc_201DD073 ; good guy with time left
201DD06C cmp eax, 1A143h
201DD071 jnz short loc_201DD09E ; bad guy ran out of time
There are two ways to patch this:
1) force the first jump, or
2) NOP the second jump.
Let's only change one byte and force the first jump.
Conclusion:
The patches that we need to apply, discussed above in this essay,
are the following, using file offsets:
Offset 5D85: 5B->00
Offset 5D86: 02->00
Offset C46A: 74->EB
Offset C4C0: 75->EB
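As an added example that is not part of Snatch's essay: a vendor-side integrity check in Python, run over a constructed stand-in buffer rather than the real QVP.DLL, that detects this kind of in-place patch by comparing the bytes at the four offsets listed above with their expected originals (and the whole-image hash) and classifies a 74/75 -> EB edit as a conditional branch made unconditional. The offsets and original bytes come from the conclusion above; the buffer contents, function names and the use of SHA-256 are assumptions of the example.

```python
import hashlib

# Protection sites named in the essay's conclusion: file offset -> expected original byte.
# 5D85/5D86 are the 5B 02 of "push 25Bh"; C46A is the jz (74); C4C0 is the jnz (75).
EXPECTED_SITES = {0x5D85: 0x5B, 0x5D86: 0x02, 0xC46A: 0x74, 0xC4C0: 0x75}

JCC_REL8 = range(0x70, 0x80)  # short conditional jumps (Jcc rel8)
JMP_REL8 = 0xEB               # short unconditional jump
NOP = 0x90

def build_image(size=0x10000):
    """Constructed stand-in for QVP.DLL: zeros, with the expected bytes planted at the sites."""
    img = bytearray(size)
    for off, b in EXPECTED_SITES.items():
        img[off] = b
    return img

def image_digest(img):
    """Whole-image SHA-256, as a vendor would record it at build time."""
    return hashlib.sha256(img).hexdigest()

def classify(orig, cur):
    """Name the kind of edit that turned byte `orig` into `cur` at a protection site."""
    if orig in JCC_REL8 and cur == JMP_REL8:
        return "conditional branch forced unconditional (Jcc -> JMP)"
    if orig in JCC_REL8 and cur == NOP:
        return "branch NOPed out"
    return "immediate/operand changed"

def check_integrity(img, expected_digest):
    """Return findings: a whole-image hash mismatch, then each tampered site with its classification."""
    findings = []
    if image_digest(img) != expected_digest:
        findings.append(("image", "sha256 mismatch"))
    for off, orig in sorted(EXPECTED_SITES.items()):
        cur = img[off]
        if cur != orig:
            findings.append((off, f"{orig:02X}->{cur:02X}: {classify(orig, cur)}"))
    return findings

if __name__ == "__main__":
    clean = build_image()
    digest = image_digest(clean)
    tampered = bytearray(clean)
    tampered[0xC46A] = JMP_REL8  # the "force the first jump" edit, applied to the stand-in only
    for where, what in check_integrity(tampered, digest):
        print(where if isinstance(where, str) else f"{where:X}", what)
```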
Snatch '97
(c) Snatch 1997. All rights reversed