SOFTICE 3.01 PHASE7
more reverse engineering
by The Undertaker
(01 August 1997, slightly edited by Fravia)
Courtesy of Fravia's page of reverse engineering
Well, this author sent me a reverse engineering essay with his
complete address and telephone number inside the text... I won't publish these data unless
he confirms that he really wants it...
SOFTICE 3.01 PHASE4 CRACK BY THE UNDERTAKER
************ FINAL PAYLOAD FOR SOFTICE 3.01 ************
It is a great pleasure for me to crack SoftICE, because NuMega's
programmers are simply the best in the world.
It is also my favourite debugging tool. Anyway, thanks, NuMega, for
having created such a nice debugger. Your work is honoured; you should
protect it better, though (or do you want it to become the world's standard
through "gratis spreading"? :-).
This crack is an addition to Frog's Print's essay (project2, PHASE 1) and
+Rcg's (project2, PHASE 2).
Before you start this cracking session you must already have completed
PHASE 1 and PHASE 2 of +HCU's project2.
Unfortunately, once you have completed PHASE 1 and PHASE 2 you still
have the "14 day" problem... Yet after completing this session SoftICE's "Godot"
trial version will be forever yours.
In addition I will include a special crack for LOADER32, in order to
get rid of the annoying "Evaluation 14 days" message box!
Let's light up a "Ganja" cigarette (in our Sri Lankan way :-)
Ok! Here we go!
TOOLS YOU NEED:
- W32DASM VERSION 8.5
- SOFTICE 3.01 "Godot" (14 days evaluation version)
1) Load NMTRANS.DLL into W32DASM
2) Once W32DASM has started, choose Function / Imports and then
click on "NmSymIsSoftICELoaded"...
You'll land more or less here:
Exported fn(): NmSymIsSoftICELoaded - Ord:0016h
Follow the code carefully until you reach the following reference:
* Reference To: KERNEL32.GetSystemTime, Ord:0134h
....
....
:1000EE12 3BD1 CMP EDX, ECX Check Days_Left
:1000EE14 7202 JB 1000EE18
Up to this point FROG'S PRINT crack [Project's 2, PHASE 1] worked well...
* Referenced by a Jump at Address:1000EE14(C)
:1000EE18 83FA0E CMP EDX, 0E ; compare Days_Left with 14_Days_Allowed (0Eh = 14)
:1000EE1B 720F JB 1000EE2C ; evil jump below!
This code must be changed to
:1000EE1B EB0F JMP 1000EE2C
Therefore: search for the opcode bytes 83FA0E720FC7051C
and change them to 83FA0EEB0FC7051C
Again follow the code until the following location...
:1000EE35 2BC2 SUB EAX,EDX
and nop it out:
:1000EE35 90 NOP
:1000EE36 90 NOP
Therefore: search for the opcode bytes 8D747F012BC2
and change them to 8D747F019090
Finito! Kaputt! SoftICE is yours!
(Of course it's yours only in case you really badly need a working
copy of this target in order to use it for more than two weeks... say
because you have been ill and are unable to buy a
regular copy of it in your favourite software shop... in this case,
as an emergency solution, you could eventually use the short crack
above :-)
As I promised at the beginning, here is something more:
the way to get rid of the annoying "14 Days Eval" window inside LOADER32.
- load LOADER32 into W32DASM
- choose Refs / String Data References
- click "*** Valid for"
You'll land here:
:0043A27B B890A44300 MOV EAX, 0043A490
:0043A280 E86FBFFCFF CALL 004061F4
:0043A285 6A00 PUSH 00000000
:0043A287 8B45FC MOV EAX, [EBP-04]
:0043A28A E82D93FCFF CALL 004035BC
:0043A28F 8BD0 MOV EDX, EAX
:0043A291 B970A54300 MOV ECX, 0043A570 ; Obj ->"Symbol Loader"
:0043A296 A124C64300 MOV EAX, [0043C624]
# :0043A29B E838A1FEFF CALL 004243D8 ; here it is! This call is evil!
CHANGE TO
:0043A29B 48 DEC EAX
:0043A29C 40 INC EAX
:0043A29D 48 DEC EAX
:0043A29E 40 INC EAX
:0043A29F 90 NOP
-> Search opcode A124C64300E838A1FEFF
-> Change to A124C643004840484090
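A defender-side complement to the byte sequences quoted above (both the NMTRANS.DLL ones and the LOADER32 one), added here and not part of the essay: a small tamper check that scans a raw binary image for the known-good and the known-modified sequence at each site and reports which state it finds. The images it scans are constructed for the demonstration; offsets in a real file depend on the build.

```python
from dataclasses import dataclass
from typing import List

# (label, known-good bytes, known-modified bytes), both as quoted in the essay.
PATCH_SITES = [
    ("NMTRANS.DLL: 14-day compare, JB -> JMP",
     bytes.fromhex("83FA0E720FC7051C"), bytes.fromhex("83FA0EEB0FC7051C")),
    ("NMTRANS.DLL: SUB EAX,EDX -> NOP NOP",
     bytes.fromhex("8D747F012BC2"), bytes.fromhex("8D747F019090")),
    ("LOADER32: eval-window CALL -> DEC/INC/NOP",
     bytes.fromhex("A124C64300E838A1FEFF"), bytes.fromhex("A124C643004840484090")),
]

@dataclass
class Finding:
    label: str
    state: str   # "pristine", "tampered" or "absent"
    offset: int  # byte offset of the match, -1 when absent

def scan_image(image: bytes) -> List[Finding]:
    """Classify every known patch site in a raw binary image."""
    findings = []
    for label, good, bad in PATCH_SITES:
        # A hit on the modified form is conclusive, so look for it first.
        hit = image.find(bad)
        if hit != -1:
            findings.append(Finding(label, "tampered", hit))
            continue
        hit = image.find(good)
        findings.append(Finding(label, "pristine" if hit != -1 else "absent", hit))
    return findings

def is_tampered(image: bytes) -> bool:
    """True if any site shows the modified byte sequence."""
    return any(f.state == "tampered" for f in scan_image(image))

def sample_images() -> tuple:
    """Constructed test images: NOP padding around the two NMTRANS.DLL
    sequences, and the same image with the essay's first change applied."""
    pad = b"\x90" * 16
    pristine = pad + PATCH_SITES[0][1] + pad + PATCH_SITES[1][1] + pad
    tampered = pristine.replace(PATCH_SITES[0][1], PATCH_SITES[0][2])
    return pristine, tampered

if __name__ == "__main__":
    for name, img in zip(("pristine", "tampered"), sample_images()):
        print(f"--- {name} image: tampered={is_tampered(img)}")
        for f in scan_image(img):
            print(f"  {f.state:9s} offset={f.offset:4d}  {f.label}")
```

Against a real file, read it with `open(path, "rb").read()` and pass the bytes to `scan_image`; an "absent" result for every site simply means the build does not contain these sequences.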
With this you have the complete crack for SoftICE 3.01. I feel that
+HCU's project2 is therefore terminated (for Win95's Godot at least).
I'm currently working on project0 (W32DASM version 8.5 crack).
In a week or two I hope to release an essay about that protection scheme.
I am also working on NTICE 3.01, using a different approach.
The relevant essay will be released (I hope) very soon.
Finally, my thanks go to Fravia's page of reverse engineering and all
+ORC's students and +HCU's guys for their hard work!
Keep up the good work, guys!!!
REVERSE ENGINEERING LIVES FOREVER!!!
REACH THE UNDERTAKER IN SRI LANKA!
PHONE xxx (suppressed by fravia+ until confirmed)
EMAIL xxx (suppressed by fravia+ until confirmed)
(c) The Undertaker, 1997. All rights reserved.