<HTML>
<HEAD>
	<TITLE>Removing shareware limits in TransMac 2.4&szlig;</TITLE>
</HEAD>
<BODY BACKGROUND="stucco.gif" BGCOLOR="silver" LINK="red" ALINK="gray">
<FONT FACE="Copperplate Gothic Bold">
<CENTER>
<B><H1> Removing shareware limits in TransMac 2.4&szlig; </H1></B>
<H4>&copy; 1997 by Pero / MiB</H4>
</CENTER>
</FONT>
<HR>
<CENTER><B>Software: </B><A HREF="http://www.asy.com">TransMac 2.4&szlig;</A><BR>
<B>Tools: </B>SoftICE, W32Dasm (well, actually not needed)</CENTER>
<HR>
<FONT COLOR="purple" FACE="Book Antiqua">
<CENTER><H2>The target:</H2></CENTER>
</FONT>
<FONT SIZE="4">
<FONT COLOR="green">TransMac</FONT> is a small utility from Acute Systems that lets a PC read and write Mac disks
(CD-ROM, floppy, hard disk, Zip...).
The <FONT COLOR="red">limit</FONT> of the shareware version is that we cannot copy directories and we cannot copy files
larger than 1.4 MB (more precisely, larger than 1,474,560 bytes, the capacity of a 1.44 MB floppy) :-)
<P>
<HR SIZE="1">
<P>
OK, after finishing the setup, let's take a look at our target and run it.
A nasty message box pops up, telling us that we are running a shareware version of the program
(as if we didn't know) and that we should send the registration fee to the company if we decide
to keep using it...
We have two buttons: '<FONT COLOR="green">YES</FONT>' and '<FONT COLOR="green">NO</FONT>'. If we press '<FONT COLOR="green">NO</FONT>' we are immediately thrown out of the program,
and if we choose <FONT COLOR="green">YES</FONT> we are rewarded with another message box (the disclaimer), again with
two buttons (<FONT COLOR="green">Yes</FONT>/<FONT COLOR="green">No</FONT>). The result is the same as before: No throws us out, and Yes lets us
continue...
<P>

So let's get rid of these message boxes first:
<P>
Fire up SoftICE and set breakpoints on e.g. <FONT COLOR="blue">MessageBoxA</FONT> and <FONT COLOR="blue">DialogBoxParamA</FONT> (<FONT COLOR="blue">BPX MessageBoxA</FONT>, and so on),
plus whatever others you usually set....
<P>
Press <FONT COLOR="blue">[Ctrl-D]</FONT> to leave SoftICE and start TransMac
<P>
You are immediately thrown back into SoftICE (yes, our nag is responsible for this! :)),
so we press <FONT COLOR="blue">[F12]</FONT> to return to TransMac's own code, and we land here...
<P>
</FONT>
<HR SIZE=1>
<PRE>

	.
	.
   Some code that fills memory with the nag-screen text (still encoded at this point)
	.
	.

:00411C08 8D85D8FCFFFF	lea eax, dword ptr [ebp+FFFFFCD8]	<FONT COLOR="blue"><- eax points to the start of this text</FONT>
:00411C0E 50		push eax			     	<FONT COLOR="blue"><- push it (2nd argument)</FONT>
:00411C0F 8D85D8FCFFFF	lea eax, dword ptr [ebp+FFFFFCD8]  	<FONT COLOR="blue"><- point to it again</FONT>
:00411C15 50	     	push eax                           	<FONT COLOR="blue"><- and push again (1st argument)</FONT>
:00411C16 E8754D0000	call 00416990			     	<FONT COLOR="blue"><- this call decodes the nag text (source and destination are the same buffer)</FONT>
:00411C1B 83C408	add esp, 00000008
:00411C1E 6A04		push 00000004

* Possible StringData Ref from Data Obj ->"TransMac"
                                  |
:00411C20 6810864200	push 00428610
:00411C25 8D85D8FCFFFF	lea eax, dword ptr [ebp+FFFFFCD8]  	<FONT COLOR="blue"><- address of nag text in eax...</FONT>
:00411C2B 50		push eax
:00411C2C 6A00		push 00000000

* Reference To: USER32.MessageBoxA, Ord:0188h			<FONT COLOR="red">****** HERE ******</FONT>
                                  |
:00411C2E FF1530844300	Call dword ptr [00438430]          	<FONT COLOR="blue"><- call the 1st message box</FONT>
:00411C34 83F807	cmp eax, 00000007		     	<FONT COLOR="blue"><- did the user press NO? (IDNO = 7)</FONT>
:00411C37 0F8505000000	jne 00411C42			     	<FONT COLOR="blue"><- anything else (IDYES = 6): let him in</FONT>
:00411C3D E950130000	jmp 00412F92			     	<FONT COLOR="blue"><- NO?! throw him out!!!</FONT>
</PRE>
<P>
<HR SIZE=1>
<FONT SIZE="4">
So as we can see, if we press <FONT COLOR="blue">|NO|</FONT>, MessageBoxA returns IDNO (<B>7</B>) and the JMP to 00412F92 throws us out;
pressing <FONT COLOR="blue">|YES|</FONT> returns IDYES (<B>6</B>) in <FONT COLOR="green">EAX</FONT>, the JNE is taken and we continue to the next dialog (the disclaimer),
where the situation is exactly the same
<P>
Press <FONT COLOR="blue">[F5]</FONT> to return to TransMac, and after SoftICE pops up again press <FONT COLOR="blue">[F12]</FONT> to get out of the
MessageBoxA routine...
<HR SIZE=1>
</FONT>
<PRE>
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411C37(C)
|
:00411C42 8D85DCFAFFFF            lea eax, dword ptr [ebp+FFFFFADC]	<FONT COLOR="blue"><-- Here is all this</FONT>
:00411C48 50                      push eax				<FONT COLOR="blue"><-- happening again,</FONT>
:00411C49 8D85DCFAFFFF            lea eax, dword ptr [ebp+FFFFFADC]     <FONT COLOR="blue"><-- exactly the same</FONT>
:00411C4F 50                      push eax				<FONT COLOR="blue"><-- just for the 2nd</FONT>
:00411C50 E83B4D0000              call 00416990				<FONT COLOR="blue"><-- message box</FONT>
:00411C55 83C408                  add esp, 00000008
:00411C58 6A04                    push 00000004

* Possible StringData Ref from Data Obj ->"TransMac Disclaimer"
                                  |
:00411C5A 68FC854200              push 004285FC
:00411C5F 8D85DCFAFFFF            lea eax, dword ptr [ebp+FFFFFADC]
:00411C65 50                      push eax
:00411C66 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:0188h				<FONT COLOR="red">*** WE LAND HERE ***</FONT>
                                  |
:00411C68 FF1530844300            Call dword ptr [00438430]		<FONT COLOR="blue"><-- call the 2nd message box</FONT>
:00411C6E 83F807                  cmp eax, 00000007			<FONT COLOR="blue"><-- AGREE?! (7 = IDNO again)</FONT>
:00411C71 0F8505000000            jne 00411C7C				<FONT COLOR="blue"><-- ok, let him pass</FONT>
:00411C77 E916130000              jmp 00412F92				<FONT COLOR="blue"><-- DISAGREE?? go out!</FONT>
</PRE>
<FONT SIZE="4">
<HR SIZE=1>
OK, everything is exactly the same as before; only the text of the message box changed...
<P>
But look at the next piece of code, immediately following the place where we landed....
<HR SIZE=1>
</FONT>
<PRE>
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411C71(C)
|
:00411C7C C7055481420000000000    mov dword ptr [00428154], 00000000   <FONT COLOR="blue"><- !!! set the shareware flag (0 = shareware mode)</FONT>
:00411C86 A154814200              mov eax, dword ptr [00428154]        <FONT COLOR="blue"><- and copy it</FONT>
:00411C8B A350814200              mov dword ptr [00428150], eax	       <FONT COLOR="blue"><- to some</FONT>
:00411C90 A150814200              mov eax, dword ptr [00428150]        <FONT COLOR="blue"><- other</FONT>
:00411C95 A34C814200              mov dword ptr [0042814C], eax        <FONT COLOR="blue"><- locations</FONT>
:00411C9A B801000000              mov eax, 00000001		       <FONT COLOR="blue"><- Eax=1 so we can continue</FONT>
:00411C9F E9F9150000              jmp 0041329D			       <FONT COLOR="blue"><- Go to the program...</FONT>
</PRE>
<FONT SIZE="4">
<HR SIZE=1>
Well, well, well now, isn't that interesting? :-)
Once we are 'allowed' to continue, the program sets the shareware flag (writes 0 to 00428154) and copies
it to two other locations... (<I>the default value of the flag is 1 - the full version</I>)
<P>
So the crack is obvious, isn't it?
<P>
Instead of calling the string-decoding routine (<FONT COLOR="green">CALL 00416990</FONT>) we can jump over the message boxes..
<P>
<HR SIZE=1>
example:
</FONT>
<PRE>
<FONT COLOR="blue">:00411C16 E8754D0000  CALL 00416990</FONT>    <FONT COLOR="red"><---  change it to:</FONT>   <FONT COLOR="maroon"><B>JMP 00411C42</B></FONT>

<FONT COLOR="blue">:00411C50 E83B4D0000  CALL 00416990</FONT>    <FONT COLOR="red"><---- change it to:</FONT>   <FONT COLOR="maroon"><B>JMP 00411C86</B></FONT>
</PRE>
<FONT SIZE="4">
We could also patch the code to:
</FONT>
<PRE>
<FONT COLOR="blue">:00411C16 E8754D0000  CALL 00416990</FONT>    <FONT COLOR="red">to <FONT COLOR="maroon"><B>JMP 00411C86</B></FONT> so we would jump over <B>both</B> message boxes at once...</FONT>
</PRE>
<FONT SIZE="4">
But why are we jumping to <FONT COLOR="green">00411C86</FONT> instead of <FONT COLOR="green">00411C7C</FONT>? Well, (as you probably guessed) just to
bypass setting the 'Shareware' flag.
Note that a JMP written over the CALL also skips the <FONT COLOR="green">add esp, 8</FONT> that removes the two pushed arguments, so two stale
dwords stay on the stack until the routine's frame is torn down (it addresses its locals through ebp, so presumably esp is restored
from ebp on exit). That is why this works, but it is not a 'clean' patch.
<P>
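As an added example (not from the original tutorial), the following Python script encodes the JMPs above with a computed rel32, checks that the listing's CALL really resolves to 00416990, and applies the patch to an in-memory copy of the instruction bytes transcribed from the opcode column of the listing (00411C08..00411C1E). The remark about the stack cleanup is an assumption about the routine's epilogue, which the listing does not show.

```python
"""Encode and apply the nag-screen JMP patches from the tutorial.

Added example, not the tutorial's own tool.  NAG1_CODE is constructed from the
opcode column of the listing (00411C08..00411C1E); the stack-cleanup remark in
nag_patch() is an assumption, since the routine's epilogue is not on the page.
"""
import struct


def rel32_target(insn_va: int, insn: bytes) -> int:
    """Decode the target of a 5-byte E8 CALL / E9 JMP rel32 located at insn_va.

    Useful to check that a listing is self-consistent before patching it.
    """
    if len(insn) != 5 or insn[0] not in (0xE8, 0xE9):
        raise ValueError("not a CALL/JMP rel32")
    (rel,) = struct.unpack("<i", insn[1:])
    return (insn_va + 5 + rel) & 0xFFFFFFFF


def jmp_rel32(insn_va: int, target_va: int) -> bytes:
    """Encode JMP target_va as E9 rel32 at insn_va.

    Same 5-byte length as CALL rel32, so it drops in over CALL 00416990
    without shifting any later code.
    """
    return b"\xE9" + struct.pack("<i", target_va - (insn_va + 5))


def patch(image: bytearray, base_va: int, va: int, expected: bytes, new: bytes) -> bytes:
    """Overwrite bytes at va in an in-memory copy of the code, refusing if the
    original bytes differ from the listing or the replacement changes length."""
    if len(new) != len(expected):
        raise ValueError("patch must keep the instruction length")
    off = va - base_va
    if image[off:off + len(expected)] != expected:
        raise ValueError(f"bytes at {va:08X} do not match the listing")
    image[off:off + len(new)] = new
    return bytes(new)


# Constructed from the listing, 00411C08..00411C1E:
#   lea eax,[ebp-328] / push eax / lea eax,[ebp-328] / push eax / call 00416990 / add esp,8 / push 4
NAG1_BASE = 0x00411C08
NAG1_CODE = bytes.fromhex("8D85D8FCFFFF" "50" "8D85D8FCFFFF" "50" "E8754D0000" "83C408" "6A04")
CALL_DECODE_VA = 0x00411C16      # the CALL we overwrite
AFTER_1ST_BOX_VA = 0x00411C42    # jne target after the 1st MessageBoxA
SKIP_FLAG_VA = 0x00411C86        # first instruction after the shareware-flag store


def check_listing() -> int:
    """The CALL at 00411C16 must resolve to 00416990, as the disassembly says."""
    off = CALL_DECODE_VA - NAG1_BASE
    return rel32_target(CALL_DECODE_VA, NAG1_CODE[off:off + 5])


def nag_patch(skip_flag: bool = True) -> bytes:
    """Return a patched copy of the 1st nag block.

    skip_flag=True jumps straight to 00411C86 (over both boxes and the flag store);
    False jumps to 00411C42 (over the 1st box only), the tutorial's first variant.

    Caveat: either JMP also skips the `add esp, 8` that removes the two pushed
    arguments, so two stale dwords remain on the stack until the routine's frame
    is torn down.  The routine addresses its locals through ebp, so (assumed) the
    epilogue restores esp from ebp and discards them; a cleaner patch would also
    drop the two pushes.
    """
    image = bytearray(NAG1_CODE)
    target = SKIP_FLAG_VA if skip_flag else AFTER_1ST_BOX_VA
    patch(image, NAG1_BASE, CALL_DECODE_VA, b"\xE8\x75\x4D\x00\x00",
          jmp_rel32(CALL_DECODE_VA, target))
    return bytes(image)


if __name__ == "__main__":
    print(f"CALL at {CALL_DECODE_VA:08X} -> {check_listing():08X}")
    print("patched block:", nag_patch().hex())
    print("2nd nag JMP bytes:", jmp_rel32(0x00411C50, SKIP_FLAG_VA).hex())
```

The same `jmp_rel32()` gives the bytes for the second CALL at 00411C50 (E9 31 00 00 00 for a jump to 00411C86); the length check in `patch()` is what keeps the fix from corrupting the instructions that follow.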
So after we do all this, we run the program and there are no message boxes at startup,
and we can copy subdirectories and also sets of files which together exceed 1.4 MB,
BUT (well, I was surprised when I noticed this) we can't copy a single file which is larger than
1,474,560 bytes....
<P>
Hmmm....
<P>
Let's think for a while...
<P>
If the program doesn't check the total size of all the files we want to copy, then it must
compare the size of every single file against the 1.4 MB limit.
So somewhere in the program there must be a compare (actually there are two, one per copy direction).
<P>
so let's bpx again on <FONT COLOR="blue">DialogBoxParamA</FONT> and fire up TransMac once again...
<P>
Select the file to copy and press the 'Copy Files' icon, and we are thrown into SoftICE again..
Press <FONT COLOR="blue">[F12]</FONT> and the copy dialog pops up... Now press OK and we are back in SoftICE..,
<P>
Here we land if we choose to copy from PC to Mac:
<HR SIZE=1>
</FONT>
<PRE>
* Reference To: USER32.DialogBoxParamA, Ord:008Ah
                                  |
:00413455 FF15A4844300            Call dword ptr [004384A4]
:0041345B 8945EC                  mov dword ptr [ebp-14], eax
:0041345E 837DEC00                cmp dword ptr [ebp-14], 00000000
:00413462 0F8507000000            jne 0041346F
:00413468 33C0                    xor eax, eax
:0041346A E993050000              jmp 00413A02
</PRE>
<FONT SIZE="4">
and here we land if we choose to copy from Mac to PC:
</FONT>
<PRE>
* Reference To: USER32.DialogBoxParamA, Ord:008Ah
                                  |
:00413E95 FF15A4844300            Call dword ptr [004384A4]
:00413E9B 8945EC                  mov dword ptr [ebp-14], eax
:00413E9E 837DEC00                cmp dword ptr [ebp-14], 00000000
:00413EA2 0F8507000000            jne 00413EAF
:00413EA8 33C0                    xor eax, eax
:00413EAA E948070000              jmp 004145F7
</PRE>
<HR SIZE=1>
<FONT SIZE="4">
Again, as we see, two quite similar pieces of code...
So let's trace the code for a while with <FONT COLOR="blue">[F10]</FONT> until we come to the following parts:
<P>
COPY PC to MAC:
<HR SIZE=1>
</FONT>
<PRE>
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041353F(C), :0041354E(C), :004135A6(C)
|
:004135B1 A152AD4200              mov eax, dword ptr [0042AD52]
:004135B6 8B4DE4                  mov ecx, dword ptr [ebp-1C]
:004135B9 8B0488                  mov eax, dword ptr [eax+4*ecx]
:004135BC 813800801600            cmp dword ptr [eax], 00168000  *** HERE *** ($168000 = 1,474,560)
:004135C2 0F8644000000            jbe 0041360C                  size <= limit: carry on; fall through = file too large, bugger off!
:004135C8 8B45E4                  mov eax, dword ptr [ebp-1C]
:004135CB 50                      push eax
:004135CC 6A00                    push 00000000
:004135CE 6885010000              push 00000185
:004135D3 8B45F4                  mov eax, dword ptr [ebp-0C]
:004135D6 50                      push eax


COPY MAC to PC:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00413F69(C), :00414010(C), :00414072(C)
|
:0041407D A13CAD4200              mov eax, dword ptr [0042AD3C]
:00414082 8B4D94                  mov ecx, dword ptr [ebp-6C]
:00414085 8B0488                  mov eax, dword ptr [eax+4*ecx]
:00414088 8B4004                  mov eax, dword ptr [eax+04]
:0041408B 8B0D3CAD4200            mov ecx, dword ptr [0042AD3C]
:00414091 8B5594                  mov edx, dword ptr [ebp-6C]
:00414094 8B0C91                  mov ecx, dword ptr [ecx+4*edx]
:00414097 034108                  add eax, dword ptr [ecx+08]
:0041409A 3D00801600              cmp eax, 00168000                 *** HERE!!! *** (eax = [..+04] + [..+08], two size fields summed)
:0041409F 0F8644000000            jbe 004140E9                  size <= limit: carry on; fall through = file too large, bugger off!
:004140A5 8B4594                  mov eax, dword ptr [ebp-6C]
:004140A8 50                      push eax
:004140A9 6A00                    push 00000000
:004140AB 6885010000              push 00000185
:004140B0 8B45F4                  mov eax, dword ptr [ebp-0C]
:004140B3 50                      push eax
</PRE>
<HR SIZE=1>
<FONT SIZE="4">
So now just turn the <FONT COLOR="green">jbe</FONT> after each compare into an unconditional jump, or change the compared value
from 00168000 to FFFFFFFF so that the jbe is always taken, and we can copy a file of
up to 4.29 GB (FFFFFFFF = 4,294,967,295 bytes).
<P>
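Added example (not the tutorial's own tool): the size-limit patches as bytes, plus the virtual-address to file-offset translation you need in order to write them into the .EXE with a hex editor or a script. The real TransMac section table is not on this page, so the script builds a minimal constructed PE32 fixture that carries the listed bytes at the listed addresses; the image base 00400000 is assumed, and on a real file you would read it from the optional header.

```python
"""Map the size-check addresses to file offsets and apply the file-size patches.

Added example, not part of the tutorial.  Real TransMac section-table values are
not on the page, so build_fixture() constructs a minimal PE32 file whose .text
section covers the two compare sites; IMAGE_BASE is assumed.
"""
import struct

IMAGE_BASE = 0x00400000           # assumed; read it from the real optional header
PC2MAC_CMP_VA = 0x004135BC        # cmp dword ptr [eax], 00168000  (81 38 imm32)
PC2MAC_JBE_VA = 0x004135C2        # jbe 0041360C                   (0F 86 rel32)
MAC2PC_CMP_VA = 0x0041409A        # cmp eax, 00168000              (3D imm32)
LIMIT = 0x00168000                # 1,474,560 bytes


def pe_sections(pe: bytes):
    """Parse ImageBase and the section table (RVA, VirtualSize, raw ptr, raw size)."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    (nsec,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                       # PE32: ImageBase at +28
        (base,) = struct.unpack_from("<I", pe, opt + 28)
    elif magic == 0x20B:                     # PE32+: ImageBase at +24
        (base,) = struct.unpack_from("<Q", pe, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    secs = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, hdr + 8)
        secs.append((vaddr, vsize, rptr, rsize))
    return base, secs


def va_to_offset(pe: bytes, va: int) -> int:
    """Translate a virtual address from the disassembly into a file offset."""
    base, secs = pe_sections(pe)
    rva = va - base
    for vaddr, vsize, rptr, rsize in secs:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rptr + (rva - vaddr)
    raise ValueError(f"{va:08X} is not inside any section")


def apply(pe: bytearray, va: int, expected: bytes, new: bytes) -> None:
    """Same-length patch at va, checked against the bytes the listing shows."""
    off = va_to_offset(pe, va)
    if len(new) != len(expected) or pe[off:off + len(expected)] != expected:
        raise ValueError(f"unexpected bytes at {va:08X}")
    pe[off:off + len(new)] = new


def patch_size_limits(pe: bytearray, lift_limit: bool = True) -> bytearray:
    """Two equivalent, length-preserving ways to defeat the check.

    lift_limit=True rewrites the immediate to FFFFFFFF: `jbe` is then always taken
    (the subtraction sets CF for any smaller value and ZF for an equal one).
    lift_limit=False turns the PC->Mac `jbe` into NOP + JMP: 0F 86 rel32 becomes
    90 E9 rel32; the rel32 is unchanged because the jump still ends on the same byte.
    """
    if lift_limit:
        apply(pe, PC2MAC_CMP_VA, b"\x81\x38" + struct.pack("<I", LIMIT), b"\x81\x38" + b"\xFF" * 4)
        apply(pe, MAC2PC_CMP_VA, b"\x3D" + struct.pack("<I", LIMIT), b"\x3D" + b"\xFF" * 4)
    else:
        apply(pe, PC2MAC_JBE_VA, b"\x0F\x86\x44\x00\x00\x00", b"\x90\xE9\x44\x00\x00\x00")
    return pe


def build_fixture() -> bytearray:
    """Constructed minimal PE32: one .text section at RVA 13000, raw data at 400."""
    sec_rva, sec_raw, sec_len = 0x13000, 0x400, 0x2000
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    sec = struct.pack("<8sIIIIIIHHI", b".text", sec_len, sec_rva, sec_len, sec_raw,
                      0, 0, 0, 0, 0x60000020)
    pe = bytearray(hdr + b"PE\0\0" + coff + opt + sec)
    pe += b"\0" * (sec_raw + sec_len - len(pe))
    # place the listing's bytes at their RVAs: cmp + jbe for each copy direction
    for va, code in ((PC2MAC_CMP_VA, "813800801600" "0F8644000000"),
                     (MAC2PC_CMP_VA, "3D00801600" "0F8644000000")):
        off = sec_raw + (va - IMAGE_BASE - sec_rva)
        pe[off:off + len(code) // 2] = bytes.fromhex(code)
    return pe


if __name__ == "__main__":
    pe = build_fixture()
    for va in (PC2MAC_CMP_VA, MAC2PC_CMP_VA):
        print(f"{va:08X} -> file offset {va_to_offset(pe, va):06X}")
    patched = patch_size_limits(bytearray(pe))
    off = va_to_offset(patched, PC2MAC_CMP_VA)
    print("patched PC->Mac compare:", patched[off:off + 6].hex())
```

For the Mac-to-PC path, `jbe 004140E9` at 0041409F has the same 0F 86 44 00 00 00 encoding, so the same NOP + JMP rewrite applies there if you prefer that variant; the immediate rewrite has the advantage of leaving the control flow untouched, so a later disassembly still reads as a size check.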
So that's all....
<P>
I didn't spend much time explaining how to crack this, because it's very, very easy, and the way I
did it isn't quite a 'clean crack' like <FONT COLOR="red"><B>+ORC</B></FONT> taught us, so experiment and do it <FONT COLOR="red">YOUR WAY</FONT>!
<P>
<HR SIZE=1>
<FONT COLOR="purple" FACE="Book Antiqua">
<CENTER><H2>Summary:</H2></CENTER>
</FONT>
<B>The 1st part:</B> get rid of the two dialogs at startup and enable the copy-directory function<br>
<B>The 2nd part:</B> crack the file-size limits<br>
<I>It took me about 15 minutes, with all the corrections I made...</I><br>
<P>
</FONT>
<HR>
</FONT>
<center>If you wanna send any feedback to me, <A HREF="mailto:pero75@hotmail.com">pero75@hotmail.com</A> is my email!</FONT>.</center>
<HR>
<A HREF="tutor.htm"><IMG SRC="back.gif" WIDTH="15" HEIGHT="15" ALT="Back to Tutor page!" ALIGN="LEFT" border=0></A></b>Back to tutorial page.
</FONT>
<FONT COLOR="gray">
<P ALIGN=RIGHT>Copyright &copy; MiB 1997. All rights reversed.</P>
</FONT>
</BODY>
</HTML>
