<HTML>

<HEAD>


<META HTTP-EQUIV="Last Modified" CONTENT="Sat, 15 Jan 2000">
<TITLE>Tutorial 3</TITLE>
</HEAD>

<BODY BACKGROUND="gif_jpg/snow_bg.gif" VLINK="#009900" ALINK="RED">

<FONT FACE="BankGothic Md BT" SIZE=6 COLOR=NAVY><P ALIGN="CENTER">Cracking a timelock and writing a patch for File-Ex v2.12c</P></FONT>

<HR COLOR=RED>
<TABLE BORDER="0" WIDTH="100%">
<TR>
	<TD WIDTH="33%"><B STYLE="background-color: #4FB9FF; color: yellow">Version 1.23</B></TD>
	<TD ALIGN="CENTER">Download [<A HREF="download/snowcat3.zip">tutorial 3</A>] and read it offline</TD>
	<TD WIDTH="33%"></TD>
</TR>
</TABLE>
<HR COLOR=RED><BR>

<FONT FACE="BankGothic Md BT" SIZE=4 COLOR=NAVY>Our target: "File-Ex"</FONT>

<P>File-Ex adds file management functions like Find, Copy, Delete, Rename, and MakeDir to the Open and Save dialogs of Windows applications automatically. File-Ex also enlarges file dialogs to any size desired, adds Recent and Favourite file/folder lists, and allows long file names to be used with 16-bit applications.<BR>
You can try this program out for 30 days. After using it for 30 days, some of the functions
will be unavailable, unless you read this tutorial...<BR>
[<A HREF="files/fileex98.zip">File-Ex v2.12c</A>].</P>

<HR COLOR=RED>
<FONT FACE="BankGothic Md BT" SIZE=4 COLOR=NAVY>Tools and help</FONT>

<P>For this session I used <B>W32Dasm v8.93</B> to disassemble our target, <B>Hacker's View v6.02</B> to patch the file and <B>Base Calculator v1.3</B> to do some calculations, but previous or later versions should do the job too.<BR>
If you can't find these programs at the <A HREF="http://protools.cjb.net">Programmer TOOLS</A> page, just perform an <A HREF="http://ftpsearch.lycos.com/">FTP search</A> and look for the strings <B>w32dasm</B>, <B>hiew</B> and <B>bcalcns1.zip</B>.<BR>
Unzip the <B>hiew</B> archive and you'll obtain another zipped file. Unzip that as well; the only file you need in order to crack File-Ex is <B>Hiew.exe</B>. Place it wherever you want on your hard disk, but be sure that its path is in your <B>autoexec.bat</B> file.</P>

<HR COLOR=RED>
<FONT FACE="BankGothic Md BT" SIZE=4 COLOR=NAVY>Cracking the file</FONT>

<P>Install File-Ex. I'm sure you're smart enough to discover the sentence "You have 30 days remaining in your free evaluation period". Press "OK" and change your system date. Enlarge File-Ex again by clicking on the system tray icon: only 29 days left! After 30 days you'll read "Your free evaluation period has expired!". Some nice options will be gone and I don't like that, do you?</P>

<P>When you look in the File-Ex directory, you'll see a lot of files. Which one do we have to crack? Well, it's <B>fxcomn.dll</B>. How do I know that? Well, if there is a timelock, there must be a function inside the program checking the time remaining in the free evaluation period and you'll only find this function in... <B>fxcomn.dll</B>.</P>

<P>It's time to use our disassembler (W32Dasm). Let's disassemble <B>fxcomn.dll</B>:
<FONT COLOR=NAVY><I><U>D</U>isassembler, <U>O</U>pen File to Disassemble..</I></FONT> and select <B>fxcomn.dll</B>.<BR>
The file should be disassembled after a few seconds.</P>

<P>How do we find this function? We don't know the function name.<BR>
Well, there's a way to see a list of exported functions: <FONT COLOR=NAVY><I><U>F</U>unctions, <U>E</U>xports</I></FONT> and there you have it!<BR>
Remember what we are looking for: a function <B>checking</B> the <B>time</B> in the free evaluation period. Couldn't that be <B>FILEEXCHECKEVALTIME</B>? Let's try!<BR>
We're going to perform a search: <FONT COLOR=NAVY><I><U>S</U>earch, <U>F</U>ind Text</I></FONT> and fill in <B>FILEEXCHECKEVALTIME</B>.<BR>
Search until you reach:</P>

<PRE>
<FONT COLOR="navy">
Exported fn(): FILEEXCHECKEVALTIME - Ord:0011h
:0002.05CE 8CD8                   mov ax, ds
:0002.05D0 90                     nop
:0002.05D1 45                     inc bp
:0002.05D2 55                     push bp
:0002.05D3 8BEC                   mov bp, sp
:0002.05D5 1E                     push ds
:0002.05D6 8ED8                   mov ds, ax
:0002.05D8 81EC0600               sub sp, 0006
:0002.05DC 57                     push di
:0002.05DD 56                     push si
:0002.05DE 833ED00100             cmp word ptr [01D0], 0000 <FONT COLOR="red">; compare what is inside memory location 01D0 with 0000</FONT>
:0002.05E3 7403                   je 05E8                   <FONT COLOR="red">; if there is a 0 in 01D0 then jump to location 0002.05E8 else...</FONT>
:0002.05E5 E91E01                 jmp 0706                  <FONT COLOR="red">; ...jump to location 0002.0706</FONT>
</FONT>
</PRE>

<P>Write down the offset address of the instruction <B>je 05E8</B>. You can find it in the status bar of W32Dasm. The address is 13E3.<BR>
Close W32Dasm.</P>

<P>A compare instruction is always interesting.<BR>
So let's see what will happen when we change <B>je</B> (7403) into <B>jne</B> (7503).<BR>
This will result in a jump to 0002.05E8 if there is <B>not</B> a 0 in 01D0.</P>

<P>Back up the file <B>fxcomn.dll</B>, just in case...</P>

<P>Click on "Start", "Run..." and type "hiew". Enter.<BR>
OK, you're in Hacker's View now, you'll use this program to patch the file.<BR>
Go to the File-Ex directory and select <B>FXCOMN.DLL</B>.<BR>
Press F4 in order to select HEX-mode (F2).<BR>
Press F5, fill in the offset address (13E3) and enter.<BR>
Press F3 and change <B>74</B> into <B>75</B>. Make sure that File-Ex is not running, otherwise you'll get an error message!<BR>
Press F9 to update <B>fxcomn.dll</B> and press F10 to leave Hacker's View.</P>

<P>Run File-Ex again. From now on you'll always have 30 days remaining in your free evaluation period! All options are available.</P>
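
<P>Seen from the side of a vendor or administrator, the change made above is a single-byte difference from the shipped file, and a comparison against a known-good copy finds it at once. The following Python code is an added example, not part of the original tutorial: the two buffers are constructed sample data (not the real fxcomn.dll) and the function names are illustrative assumptions.</P>

```python
"""Added example: find tampering by comparing a file with a known-good copy."""
import hashlib

# x86 short conditional jumps use opcodes 0x70-0x7F; flipping the lowest bit
# inverts the condition (0x74 je <-> 0x75 jne), the change described above.
JCC_SHORT = range(0x70, 0x80)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_bytes(good: bytes, suspect: bytes):
    """Return [(offset, good_byte, suspect_byte)] for every differing position."""
    if len(good) != len(suspect):
        raise ValueError("size mismatch: file was truncated or extended")
    return [(i, g, s) for i, (g, s) in enumerate(zip(good, suspect)) if g != s]


def classify(good_byte: int, suspect_byte: int) -> str:
    """Byte-level heuristic, not a disassembly: confirm hits in a disassembler."""
    if good_byte in JCC_SHORT and suspect_byte == good_byte ^ 1:
        return "inverted-branch"
    return "modified"


def audit(good: bytes, suspect: bytes):
    """Return a list of findings; an empty list means the digests match."""
    if sha256_hex(good) == sha256_hex(suspect):
        return []
    return [
        {"offset": hex(off), "was": f"{g:02x}", "now": f"{s:02x}",
         "kind": classify(g, s)}
        for off, g, s in diff_bytes(good, suspect)
    ]


# Constructed sample: filler bytes with the page's instruction bytes
# (74 03 = je +3) placed at file offset 0x13E3 (decimal 5091).
reference = bytearray(b"\x90" * 0x2000)
reference[0x13E3:0x13E5] = b"\x74\x03"
tampered = bytearray(reference)
tampered[0x13E3] = 0x75  # the one-byte difference the tutorial produces

if __name__ == "__main__":
    for finding in audit(bytes(reference), bytes(tampered)):
        print(finding)
```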

<HR COLOR=RED>
<FONT FACE="BankGothic Md BT" SIZE=4 COLOR=NAVY>Writing a patch</FONT>

<P>You should have written down the offset address of the bytes you changed.
It's 13E3 where you changed 7403 into 7503.</P>

<P>Now you can write a little program. I wrote and compiled my patch with [<A HREF="files/qb45.zip">Microsoft QuickBASIC v4.5</A>].<BR>
Run Base Calculator to translate the hexadecimal offset address to a decimal one. Select "Hex", select "32 bits" and fill in 13E3. Select "Dec" now and write down the decimal value (5091).<BR>
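Attention! QuickBASIC numbers the bytes of a binary file starting at 1, not 0, so you should use offset address + 1 in the program. It also reads a two-byte integer "backwards" (low byte first), which is why the bytes 74 03 appear in the program as &amp;H374. Here it is:</P>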

<PRE>
<FONT COLOR="navy">
ON ERROR GOTO Oops

FILES "fxcomn.dll"
GOSUB Title

OPEN "fxcomn.dll" FOR BINARY AS #1 LEN = 1

        GET #1, 5092, GetBytes%
        IF GetBytes% &lt;&gt; &amp;H374 THEN GOTO WrongVersion

        NewBytes% = &amp;H375
        PUT #1, 5092, NewBytes%
    
        PRINT "  File successfully patched !"

CLOSE #1

END

Oops:
GOSUB Title

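SELECT CASE ERR

CASE 53
        PRINT "  File 'fxcomn.dll' not found !"
        PRINT "  Run this program in the 'File-Ex directory' !"
        END

CASE ELSE
        ' Any other runtime error: report it and stop,
        ' instead of falling through into the Title subroutine
        PRINT "  Unexpected error"; ERR
        END

END SELECT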

Title:
CLS
PRINT "                      / ,"
PRINT "                 /\  \|/  /\"
PRINT "                 |\\_;=._//|"
PRINT "                  \."   "./"
PRINT "                  //^\ /^\\"
PRINT "           .'``",/ |0| |0| \,"``'."
PRINT "          /   ,  `'\.---./'`  ,   \"
PRINT "         /`  /`\,."(     )".,/`\  `\"
PRINT "         /`     ( '.'-.-'.' )     `\"
PRINT "         /"`     "._  :  _."     `"\"
PRINT "          `/.'`"=.,_``=``_,.="`'.\`"
PRINT "         .-"-.      )   (      .-"-."
PRINT "+-------{'. '`}-----~   ~-----{'. '`}-------+"
PRINT "|       `"---"`               `"---"`       |"
PRINT "| Patch for File-Ex v2.12c                  |"
PRINT "| http://www.cottonwoodsw.com               |"
PRINT "|                                           |"
PRINT "|                                By Snowcat |"
PRINT "+-------------------------------------------+"
PRINT
RETURN

WrongVersion:
GOSUB Title
PRINT "  This is not the correct File-Ex version,"
PRINT "  or maybe it is,"
PRINT "  but the file has been patched already."
END
</FONT>
</PRE>

<P>Download the [<A HREF="download/sorc212c.zip">source code</A>]<BR>
Download the [<A HREF="download/filx212c.zip">crack</A>]</P>

<HR COLOR=RED>
<FONT FACE="BankGothic Md BT" SIZE=4 COLOR=NAVY>Conclusion</FONT>

<P>In this session, you've learned to crack a timelock and to write a patch. It would be nicer if we could remove the "registration reminders", but our main target (using the program after a 30-day trial period) has been achieved.</P>

<TABLE BORDER="0" WIDTH="100%">
<TR>
	<TD WIDTH="40%" VALIGN="TOP"><FONT FACE="BankGothic Md BT" SIZE=4 COLOR=NAVY>SNOWCAT</FONT></TD>
	<TD ALIGN="CENTER" WIDTH="20%"><A HREF="snowmain.htm"><IMG SRC="gif_jpg/home.gif" BORDER=0 ALT="Back to the main page" WIDTH=73 HEIGHT=63></A></TD>
	<TD ALIGN="RIGHT"><B><FONT FACE="Arial" SIZE=1>Tutorial created by <A HREF="mailto:snowkitty@nym.alias.net">Snowcat</A><BR>
Tutorial created: 8th November 1998<BR>
Version 1.23, last updated: 9th August 1999</FONT></B></TD>
</TR>
</TABLE>

</BODY>

</HTML>