Application for entry to the 1998 +HCU

name: +YOSHi
email address:

strainer answers:
1. Microsoft WinProject crack explanation)
The reason for the flagging crack over the nopping the alternate location 
is due to the following code:

:05167FDC 66837DFE00       cmp [ebp-02], 0000   ;valid_flag?
:05167FE1 755F             jne 05168042  ;beggar off:unvalid something <- here
:05167FE3 66837DF000       cmp [ebp-10], 0000   ;valid ebp-10?
:05167FE8 750E             jne 05167FF8         ;jmp unvalid_e10
:05167FEA 66837DEC00       cmp [ebp-14], 0000   ;valid ebp-14?
:05167FEF 7451             je 05168042          ;beggar off,unvalid  <- and here
:05167FF1 66837DF000       cmp [ebp-10], 0000   ;sure thatebp-10=0?
:05167FF6 7407             je 05167FFF          ;continue ifso
:05167FF8 66837DEC00       cmp [ebp-14], 0000   ;check if e14valid
:05167FFD 7543             jne 05168042         ;no? be damned! <- and here also
:05167FFF 0FBF4DF2         movsx word ptr ecx, [ebp-0E] ;e10 and e14 true
:05168003 66833D58192C0501 cmp dword ptr [052C1958], 0001 
:0516800B 1BC0             sbb eax, eax
:0516800D 83E05A           and eax, 0000005A  ;pretty obvious
:05168010 83C05A           add eax, 0000005A  ;isnt it?
:05168013 3BC1             cmp eax, ecx       ;HERE********
:05168015 7C2B             jl 05168042        ;beggar off ; here's the "main" jump
:05168017 66837DF21E       cmp [ebp-0E], 001E ;0x1E = 30
:0516801C 7F4A             jg 05168068        ;good guy jump
:0516801E 8D45F4           lea eax, [ebp-0C]
The jl 05168042 at location :05168015 has something in common with the 
locations :05167FE1, :05167FEF, and :05167FFD; they all can possibly call 
the "evil" routiene lurking behind 05168042, so nopping it would not have 
a great effect, because the jump could still be executed by one of
the other 3 offsets, thus calling the "beggar off" routiene. Changing 
the flag at ebp-02 though, will have a greater effect.

2. The Microsoft Money 97 crack, with time encrytion explanation) 
Comparing files msmoney.ded and msmoney.exe
00070214: 72 EB
00070281: 73 EB

How I did it.
The first thing I had to do was to find it, so I went to the Microsoft 
site and as it turns out they stopped letting you evaluate it. So I went 
to and did a search for "Money AND Microsoft AND 97". I 
ended up at a review for it, with a link to it. After I got it (4.1 megs 
grrr) and had installed it, I started dissembling it under W32Dasm 8.9... 
it took me 25 minutes on my 686/200! After it dissassembled I saved it... 
40 megs of text? So I searched for "GetLocalTime" and I landed right in 
the following code "(the.class" tppabs="" date encryption)

* Referenced by a CALL at Addresses:
|:00408F8A   , :00411D14   , :00414D39   , :004214DC   , :0042B496   
|:0042BC26   , :00430128   , :0043B756   , :0043BAFD   , :0043BB28   
|:0043DB1D   , :0043EA45   , :0044100C   , :00458909   , :0045891D   
|:00468701   , :004694E3   , :00469A9A   , :0046A1E3   , :0046A360   
|:0046A55E   , :0046A653   , :0046EAF7   , :0047067C   , :00470BF8   
|:00472926   , :00472F1A   , :004840C9   , :0048A8B1   , :0048B044   
|:0048D3C3   , :0048FAA5   , :0049B5EB   , :0049C42F   , :0049D5D7   
|:0049D60C   , :0049D638   , :0049D777   , :004AD465   , :004C451B   ; obviously too many 
|:004C4D7A   , :004E9E42   , :004EF63A   , :004EF812   , :0051615B   ; locations to examine
|:005180C6   , :0051A53A   , :00527428   , :005274ED   , :005433D3   
|:005433EC   , :00546A1E   , :00546A3D   , :005487F9   , :00548921   
|:005539CD   , :005573AE   , :00560B38   , :0056CEB3   , :0056E818   
|:005739D5   , :00584BD2   , :0058D74F   , :005964B4   , :00596EC3   
|:00598A8A   , :00598FA9   , :00598FEA   , :005A8AF5   , :005A96C4   
|:005A97C2   , :005A9A55   , :005BEF23   , :005C198C   , :005CB8F4   
|:005CB918   , :005CB92B   , :005CC585   , :005D373D   , :005D38C6   
:004689D0 83EC14                  sub esp, 00000014
:004689D3 8D442404                lea eax, dword ptr [esp+04]
:004689D7 50                      push eax

* Reference To: KERNEL32.GetLocalTime, Ord:00E2h
:004689D8 FF1540016200            Call dword ptr [00620140] ;Get local time
:004689DE 668B442406              mov ax, word ptr [esp+06] ; month
:004689E3 6648                    dec ax
:004689E5 66C1E005                shl ax, 05
:004689E9 6633442402              xor ax, word ptr [esp+02] ; BEF7
:004689EE 6625E001                and ax, 01E0
:004689F2 6631442402              xor word ptr [esp+02], ax
:004689F7 668B44240A              mov ax, word ptr [esp+0A] ; day
:004689FC 6648                    dec ax
:004689FE 6633442402              xor ax, word ptr [esp+02]
:00468A03 66251F00                and ax, 001F
:00468A07 6631442402              xor word ptr [esp+02], ax
:00468A0C 8B442404                mov eax, dword ptr [esp+04] ; year
:00468A10 25FFFF0000              and eax, 0000FFFF
:00468A15 2D9C070000              sub eax, 0000079C
:00468A1A 83F87F                  cmp eax, 0000007F
:00468A1D 7E1F                    jle 00468A3E ; jump valid_year
:00468A1F B89CFFFFFF              mov eax, FFFFFF9C ;this part shouldn't be executed

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00468A24 6601442404              add word ptr [esp+04], ax
:00468A29 8B4C2404                mov ecx, dword ptr [esp+04]
:00468A2D 81E1FFFF0000            and ecx, 0000FFFF
:00468A33 81E99C070000            sub ecx, 0000079C
:00468A39 83F97F                  cmp ecx, 0000007F
:00468A3C 7FE6                    jg 00468A24

* Referenced by a (U)nconditional or (C)onditional Jump at Address: ; valid_year
:00468A3E 668B442404              mov ax, word ptr [esp+04] ; year
:00468A43 66C1E009                shl ax, 09
:00468A47 6633442402              xor ax, word ptr [esp+02]
:00468A4C 6625FF01                and ax, 01FF
:00468A50 668B4C2404              mov cx, word ptr [esp+04] ; year
:00468A55 6683E91C                sub cx, 001C
:00468A59 66C1E109                shl cx, 09
:00468A5D 6633C1                  xor ax, cx ; the encryped code is calculated!
:00468A60 6689442402              mov word ptr [esp+02], ax
:00468A65 83C414                  add esp, 00000014
:00468A68 C3                      ret
***Some observations***
The code is four digits long.
The code grows as the day, month, and year grow.
The code for today was 627*, * = something :) = 08/20/97
The code for today, 2005 was 72**, so the year is the most of it 08/20/05
What the code is doing is taking a value retreived from who knows where, and xoring it with 
modified parts of the date.... at the end, I ended up with something only in the high part of the
register, and the other one had only something in the low part, so when they xored, they "merged"
into ax. The value used to xor was probably created at the installation.

So I bpxed on :00468A60, so I could see what my code would be, and afterwards I looked to see 
what the surrounding code was that called it. One of the calls had code that looked like this 
around it:

:00470E6F 6689442474              mov word ptr [esp+74], ax ; The code for the install date code
:00470E74 83C408                  add esp, 00000008  
:00470E77 668B442414              mov ax, word ptr [esp+14] ; The code as calculated by the time
:00470E7C 663944246C              cmp word ptr [esp+6C], ax ; encryption call
:00470E81 7384                    jnb 00470E07 ; this makes sure that you havent set your clock
					       ; before the installation code, change to jump
					       ; just for the hell of it

Now what hides behind 00470E07?

:00470E07 668B442414              mov ax, word ptr [esp+14] ; your current date
:00470E0C 6639842478010000        cmp word ptr [esp+00000178], ax ; esp+178 = last time you can 
:00470E14 721C                    jb 00470E32 ; use MSMoney97, change the jb to a jmp.

And... that's all, that wasnt too hard was it?
I hope you found my time encryption description to be adaqute.
3. The Microsoft Money *French* 1994 crack)
Comparing files Mnydemo.BAK and mnydemo.exe
00011948: 72 EB
000119A8: 7F EB
0002D4BE: 75 EB
0007CF3A: 75 40
0007CF3B: 03 48
000922B7: 74 40
000922B8: 5B 48

To whoever is reading this: I assume this crack is the way it should be, 
because I eliminated two messageboxes in the beginning that to be honest 
with you, I have no clue what it said... I could read "Advertissment" 
(Advertisment to buy something) and "version d'evaluation"e (evaluation 
ver)so, in cracking them, I assume they were both "bad" screens, sure 
wouldnt want to get rid of the good parts. Also, the "Minitel" menu has 
no enabled choices... I dont know what that is, something about the modem 
I think.

How I did it:
The first part of the crack was very simple. You could do it only with 
what you gave at the end of your last essay. Here is the code:
:0006.0012 57                     push di
:0006.0013 6A00                   push 0000
:0006.0015 9AFFFF0000             call USER.GETWINDOWWORD
:0006.001A 8BF0                   mov si, ax
:0006.001C 8B460C                 mov ax, [bp+0C]
:0006.001F 3DA100                 cmp ax, 00A1 ;is it 161?
:0006.0022 7503                   jne 0027 ;may call NoE if not
:0006.0027 7729                   ja 0052  ;may call NoE if more
:0006.0052 3D1501                 cmp ax, 0115
:0006.0055 7503                   jne 005A ;if not 115
:0006.005A 7712                   ja 006E ;more? Call NoE
:0006.006E 2D0102                 sub ax, 0201 ;sub 201
:0006.0071 7503                   jne 0076 ;may call NoE
:0006.0076 48                     dec ax   ;-1
:0006.0077 48                     dec ax   ;-1
:0006.0078 7503                   jne 007D ;may call NoE
:0006.007D 2D9102                 sub ax, 0291  ;sub 291
:0006.0080 7503                   jne 0085 ;do not call NoE
:0006.0082 E9D701                 jmp 025C ;call NoE ****** <- This is the only instruction that
...					   ; can call the NoE... change the jne above it to a jmp	
:0006.025C 57                     push di
:0006.025D 9AFFFF0000             call USER.GETPARENT
* Possible Reference to Dialog: DialogID_0494 
:0006.0263 689404        push 0494  ;HERE! NOTICE OF EXPIRATION
:0006.0266 FF760A        push word ptr [bp+0A]
:0006.0269 FF7608        push word ptr [bp+08]
:0006.026C FF7606        push word ptr [bp+06]
:0006.026F 9AFFFF0000    call USER.SENDMESSAGE ;bagger off, bad guy!
:0006.0274 EB14          jmp 028A

What do we see here... well there is only one jump that can call the nag at :0006.0082... so look
for an instruction that can jump over this.. the jne above it looks good, change it to a jmp.

:0008.17CA 8B46F4                 mov ax, [bp-0C] <- here's where the code from the time 
:0008.17CD 3946F0                 cmp [bp-10], ax ; encryption comes in... 
:0008.17D0 7246                   jb 1818 <- same as in the MSMoney97 crack, change to a jmp.

* Possible Reference to Dialog: DialogID_0494 
:0008.17D2 689404                 push 0494 ;HERE! NOTICE OF EXPIRATION
:0008.17D5 685505                 push SEG ADDR of Segment 0028
:0008.17D8 684C15                 push 154C
:0008.17DB FF362C0A               push word ptr [0A2C]
:0008.17DF 6A00                   push 0000
:0008.17E1 6A00                   push 0000
:0008.17E3 6A00                   push 0000
:0008.17E5 9A34019911             call 0005.0134 ;call KERNEL.MAKEPROCINSTANCE

* Possible Ref to Menu: MAINMENU, Item: "Future Transactions"
:0052.2449 6A02                   push 0002
:0052.244B 9AE00ED424             call 0006.0EE0
:0052.2450 837EF800               cmp word ptr [bp-08], 0000 
:0052.2454 7503                   jne 2459 <- can call the nag, get rid of it with an inc/dec ax
:0052.2456 E9CE00                 jmp 2527

:0052.2459 8B5EFC                 mov bx, [bp-04]
:0052.245C FF7718                 push word ptr [bx+18]
:0052.245F 9AFFFF0000             call USER.GETPARENT
:0052.2464 50                     push ax
* Possible Reference to Dialog: DialogID_0494 
:0052.2465 689404                 push 0494 ;HERE! NOTICE OF EXPIRATION

* Possible Ref to Menu: MAINMENU, Item: "Account Book"
:0052.2468 6A01                   push 0001
:0052.246A 6A00                   push 0000
:0052.246C 6A00                   push 0000
:0052.246E 9A1B250000             call USER.SENDMESSAGE

That takes care of the Notice of Expirations. Now at this point I was confused, but I figured it
out. In Soft-Ice, bpx on messagebox and run the program. You're in the comparison in the 
beginning. Look above your current position and you'll see this:
:0064.B3D0 9AFFFF0000             call KERNEL.CATCH
:0064.B3D5 0BC0                   or ax, ax
:0064.B3D7 745B                   je B434 <- This is the jump that, if executed, will call a nag.
:0064.B3D9 8B46F0                 mov ax, [bp-10] ; Change it to inc/dec ax
:0064.B3DC 8946F4                 mov [bp-0C], ax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0064.B3DF C746FC0000             mov word ptr [bp-04], 0000
:0064.B3E4 837EEE00               cmp word ptr [bp-12], 0000
:0064.B3E8 740A                   je B3F4
:0064.B3EA FF76FA                 push word ptr [bp-06]

* Possible Ref to Menu: MAINMENU, Item: "Livre de comptes"
:0064.B3ED 6A01                   push 0001
:0064.B3EF 9AFFFF0000             call USER.ENABLEWINDOW

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0064.B3F4 A1540B                 mov ax, word ptr [0B54]
:0064.B3F7 3946FA                 cmp [bp-06], ax
:0064.B3FA 7533                   jne B42F
:0064.B3FC 50                     push ax
:0064.B3FD 9A09AD0000             call USER.GETLASTACTIVEPOPUP
:0064.B402 8946F6                 mov [bp-0A], ax
:0064.B405 50                     push ax
:0064.B406 9AFFFF0000             call USER.ISWINDOW
:0064.B40B 0BC0                   or ax, ax
:0064.B40D 7420                   je B42F
:0064.B40F A1540B                 mov ax, word ptr [0B54]
:0064.B412 3946F6                 cmp [bp-0A], ax
:0064.B415 7418                   je B42F
:0064.B417 FF76F6                 push word ptr [bp-0A]

* Possible Reference to Dialog: DialogID_0439, CONTROL_ID:00F0, "&Réallouer le montant non affecté"
:0064.B41A 6AF0                   push FFF0
:0064.B41C 9AFFFF0000             call USER.GETWINDOWLONG
:0064.B421 F7C20080               test dx, 8000
:0064.B425 7408                   je B42F
:0064.B427 FF76F6                 push word ptr [bp-0A]
:0064.B42A 9AFFFF0000             call USER.DESTROYWINDOW

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0064.B3FA(C), :0064.B40D(C), :0064.B415(C), :0064.B425(C)
:0064.B42F 33F6                   xor si, si
:0064.B431 EB3C                   jmp B46F

:0064.B433 90                     nop

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0064.B434 FF76FA                 push word ptr [bp-06] ; the jump above goes to here
:0064.B437 8D8644FD               lea ax, [bp+FD44]
:0064.B43B 16                     push ss
:0064.B43C 50                     push ax
:0064.B43D 8D4688                 lea ax, [bp-78]
:0064.B440 16                     push ss
:0064.B441 50                     push ax
:0064.B442 FF76F8                 push word ptr [bp-08]
:0064.B445 9AFFFF0000             call USER.MESSAGEBOX ; here's where the nag is called
:0064.B44A 8BF0                   mov si, ax
:0064.B44C 0BF6                   or si, si
:0064.B44E 751F                   jne B46F
:0064.B450 FF76FA                 push word ptr [bp-06]
:0064.B453 8D8644FD               lea ax, [bp+FD44]
:0064.B457 16                     push ss
:0064.B458 50                     push ax
:0064.B459 8D4688                 lea ax, [bp-78]
:0064.B45C 16                     push ss
:0064.B45D 50                     push ax
:0064.B45E 8A46F8                 mov al , [bp-08]
:0064.B461 250F00                 and ax, 000F
:0064.B464 0D1010                 or ax, 1010
:0064.B467 50                     push ax
:0064.B468 9A46B40000             call USER.MESSAGEBOX
:0064.B46D 8BF0                   mov si, ax

That takes care of everything except for the fact that you cant use dates 
outside of your trial period. The date you type in is put through the same 
process that the current date is, so ***eof***