Micro$oft Publisher 97
Crack it and Drop it!
student 
Not Assigned 
15 July 1998 
by Mr.Salinas 
Courtesy of Reverser's page of reverse engineering
 
fra_00xx 
980715 
Sainas 
1100 
NA 
PC
Well, an alternative way to Micro$oft's 97 Publisher! (see +ORC's lesson 4.2 for an 'older' explanation: basically you changed the call E808320000 to the faked jump E910000000). Probably Micro$oft's 'protectors' (they don't deserve such name) went to the DEAD0001 'trick' in a futile attempt to be smart.
Yes, it's the usual sad story: Micro$oft's protections do'nt even ATTEMPT to sound convincing. Come to think of it, Microsoft Publisher '98 can be cracked 'on a quickie' as well. Just search for the following subroutine (introduced by a subesp of 234)
55                      push ebp
89E5                    mov ebp, esp
53                      push ebx
56                      push esi
57                      push edi
81EC34020000            sub esp, 00000234
There you'll find the local Micro$oft's scheme flag setting, where upon return ax=0 means Ok, registered, and ax=1 means that you'r a bad silly cracker. Just load 0 into ax and ret immediately ignoring the rest of the routine and you'll have your own copy of Microsoft publisher '98 (But I would not do it if I were you: Pagemaker is MUCH, MUCH better and very easy to crack too... :-)
There is a crack, a crack in everything That's how the light gets in
Rating
(x)Beginner ( )Intermediate ( )Advanced ( )Expert 

Yet another Micro$oft Triumph. A very interesting combination of bytes indeed. Nice work Micro$oft boys! 
Micro$oft Publisher 97
DEAD0001 !!
Written by Mr.Salinas
 

Introduction 

Hello Reverser+, Hello fellow crackers :) This is my contribution to the cracking world.
This essay will not uncover anything new, but it will, however, uncover how a nice
combination of bytes can lead to a nice crack :)  
Tools required 
SoftIce V3.X
WdasmV8.x                                            ;; For further studying
Your favourite Text Editor
And some brains. Its useful sometimes.
Target's URL/FTP 

URL: www.microsoft.com OR all over the Web !
Program History 
Well, Micro$oft has a long long history and a well known one as well. Anything more would be redundant!
Essay 
Ok, here we go.
Run the program. Notice the nice nag before the entry. So there, one way among the many
to pinpoint the protection scheme. Anyway, lets continue. Exit MsPub. Expire Mspub, and
run it again. A nice nag appears!! Hmmm, lets see....
 > Bpx GetSystemTime
Run again MsPub, and SoftIce wakes up !
Keep tracing through the code, get a feeling of what it is doing....
Seems like MsPub Opens Mspubw40.dll in the system folder, reads some bytes (from Offset 1D950
please note!) , closes the file, and THEN it does this:
:004CBC95 817DF80100ADDE   cmp dword ptr [ebp-08], DEAD0001  ;;HERE!!
:004CBC9C 0F8408010000     je 004CBDAA                       ;;Bad boy!
Well well well, What do we have here??????????????? Isn't that a nice combination for
an expiration flag ? eh?? You want to check it out? Open MsPubw40.Dll in your System, goto
Offset 1D950 (remember?) and Read :)
    >>  01 00 AD DE  .... Looks familiar ??
Now, take a look after 004CBC9C
:004CBCA2 8B45F8           mov eax, dword ptr [ebp-08]
:004CBCA5 3945F4           cmp dword ptr [ebp-0C], eax       ;;Something wrong?
:004CBCA8 7248             jb 004CBCF2                       ;;Check again Flag
:004CBCAA 8B45F4           mov eax, dword ptr [ebp-0C]       ;;
:004CBCAD B980510100       mov ecx, 00015180                 ;;Calculate how many days 
:004CBCB2 2B45F8           sub eax, dword ptr [ebp-08]       ;;you have been using the
:004CBCB5 2BD2             sub edx, edx                      ;;program.
:004CBCB7 F7F1             div ecx                           ;; Eax = Result
:004CBCB9 83F83C           cmp eax, 0000003C                 ;;Hey!! 3Ch=60d !!! WOW:)
:004CBCBC 7334             jnb 004CBCF2                      ;;Bad boy!Check expiration flag!
.....
:004CBCF2 817DF80100ADDE   cmp dword ptr [ebp-08], DEAD0001  ;;Hehe
:004CBCF9 0F84AB000000     je 004CBDAA                       ;;Exit
Search for the expiration flag: "DEAD0001" in our dead listing.
3 occurrences found. Two Cmp's and one Mov ! We already found the 2 cmp's. The Third
occurrence is when the program writes the expiration bytes in MsPubw40.DLL
Here is the relevant code:
:004CBD49 6A00             push 00000000
:004CBD4B 6850D90100       push 0001D950                     ;;Remember the Offset??
:004CBD50 50               push eax

* Reference To: KERNEL32.SetFilePointer, Ord:01F8h
                                  |
:004CBD51 FF1598005D00     Call dword ptr [005D0098]
:004CBD57 83F8FF           cmp eax, FFFFFFFF                ;;Success?
:004CBD5A 743D             je 004CBD99                      ;;No!
:004CBD5C 6A00             push 00000000
:004CBD5E 8D45F0           lea eax, dword ptr [ebp-10]
:004CBD61 50               push eax
:004CBD62 8D4DE8           lea ecx, dword ptr [ebp-18]

* Possible Reference to Dialog: DialogID_01F5, CONTROL_ID:0004, "&Find File..."
                                  |
:004CBD65 6A04             push 00000004
:004CBD67 8B55FC           mov edx, dword ptr [ebp-04]
:004CBD6A C745E80100ADDE   mov [ebp-18], DEAD0001          ;;Here!
:004CBD71 51               push ecx
:004CBD72 52               push edx

* Reference To: KERNEL32.WriteFile, Ord:024Fh
                                  |
:004CBD73 FF1530015D00     Call dword ptr [005D0130]       ;;and change file
....
Well, thats it! You can crack this anyway you like! An easy way is to Nop the jmp's
after the two DEAD0001 compares and ofcourse the jmp after the day comparison(004CBCB9).
Oh, one little thing left. The nice nag. You will find the CALL exactly after the
60-day-limitation check. Here is the code again:
:004CBCD1 E85C810200       call 004F3E32                  ;;Call the nice nag
:004CBCD6 B801000000       mov eax, 00000001              ;; Good flag and go on
An easy way to eliminate the Nag is to NOP the Call. But again there are many ways. Its up
to you.
Final Notes 
That was another Micro$oft accomplishment!  My Regards to all Crackers(+) out there.
Xairetismata tze stin Kypro! Ok. boys time to go !
Signing off..
Mr.Salinas
Mr.Salinas@Mailcity.com
Ob Duh 
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.

You are deep inside reverser's page of reverse engineering, choose your way out:
redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_reverser
redIs reverse engineering legal?