<html>
<head>
<title>Miscreant's Reverse Engineering</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#000000" text="#FFFFFF" link="#CCCCCC" vlink="#CCCCCC" alink="#CCCCCC">
<font face="terminal"> <font size="-2">22 Oct 1999 - Cracking Merlyn 2.1 by Miscreant<br>
Rating: Easy </font></font> 
<p><font face="terminal" size="-2">Program Details<br>
  ---<br>
  Program Name: Merlyn 2.1 - By Hyland Software<br>
  Program Type: Mathematics Equations Utility<br>
  Program Location: http://www.hylandsoftware.com/<br>
  Program Size: 3.35mb</font></p>
<p><font face="terminal" size="-2">Tools used<br>
  ---<br>
  SoftIce 3.25 (use 4 if you like)<br>
  W32Dasm 8.93<br>
  A Hex Editor (I used HIEW/UltraEdit)</font></p>
<p><font face="terminal" size="-2">Intro:<br>
  From the Merlyn help file -<br>
  We created Merlyn to do two things. First, we wanted to be able to create mathematical 
  expressions. We wanted it to be fast and flexible; and we wanted the equations to look just 
  like they do in a textbook.<br>
  Second, we wanted to be able to manipulate those equations. What do we mean 
  by manipulating equations? If you look at any problem that's been done in detail, step by step, in a textbook, 
  the difference between one step and the next is that some part of the expression has been rearranged, simplified, 
  canceled, etc. This is just what Merlyn does. You select the part of the expression you want 
  to change, then you tell Merlyn what kind of change you want. You apply commands like simplify, cancel, commute, and so on, 
  and the expression changes accordingly. If there is more than one possibility you're offered a list of options. Pick 
  the one you want and the result will appear in your document.</font></p>
<p><font face="terminal" size="-2">We designed Merlyn for everyday calculations. 
  Our goal was to create software that would be just as fast and flexible, and 
  a whole lot less error prone, than that paper and pencil method you currently use. We 
  also designed Merlyn with students in mind. Merlyn not only gets you to the answer, but it takes you through the steps to help you 
  understand what's happening along the way.</font></p>
<p><font face="terminal" size="-2">IMPORTANT NOTE: If you download the trial from 
  the Hyland website, install it and find that it says Merlyn 2.0 on the Start 
  Menu, do not worry - they didn't update the setup program - check the About Box for 
  the true version.</font></p>
<p><font face="terminal" size="-2">About This Protection System:<br>
  Registration is not possible, after 30 days you must buy the program.<br>
  The program is not compacted/encrypted in any way.</font></p>
<p><font face="terminal" size="-2">No nag screens, except when trial is over. 
  Title bar of main application displays days remaining, about box displays Trial 
  Version.</font></p>
<p><font face="terminal" size="-2">The Essay:<br>
  OK, first thing I did was to set my date forward (at least 30 days) and run 
  the program, then note down important strings. I noticed:</font></p>
<p><font face="terminal" size="-2">Merlyn - this trial version has expired<br>
  ^-- this appears in the title bar of both the main window and the nag screen.</font></p>
<p><font face="terminal" size="-2">Then I opened up W32Dasm, disassembled it, 
  chose string references and looked for this string...<br>
  I found:<br>
  Merlyn - this trial version has</font></p>
<p><font face="terminal" size="-2">The word 'expired' has lost itself somewhere, 
  but if you double click on the string you will find it underneath.<br>
  Here is what I found:</font></p>
<p><font face="terminal" size="-2">:004BB897 A150DE4B00 mov eax, dword ptr [004BDE50]<br>
  :004BB89C 8B00 mov eax, dword ptr [eax]<br>
  :004BB89E E8A988FAFF call 0046414C<br>
  :004BB8A3 85C0 test eax, eax<br>
  :004BB8A5 7D21 jge 004BB8C8</font></p>
<p><font face="terminal" size="-2">* Possible StringData Ref from Code Obj -&gt;&quot;Merlyn 
  - this trial version has &quot;<br>
  -&gt;&quot;expired&quot;<br>
  |<br>
  :004BB8A7 BAE4B94B00 mov edx, 004BB9E4<br>
  :004BB8AC 8BC3 mov eax, ebx</font></p>
<p><font face="terminal" size="-2">How convenient :) A cracker's gate :)<br>
  So what's a cracker's gate? A nice little test and then a compare routine.</font></p>
<p><font face="terminal" size="-2">So what's it mean?<br>
  LINE 1:004BB89E E8A988FAFF call 0046414C &lt;-- Check amount of days remaining<br>
  LINE 2:004BB8A3 85C0 test eax, eax &lt;-- Look at the result (sets the flags from EAX)<br>
  LINE 3:004BB8A5 7D21 jge 004BB8C8 &lt;-- If it's greater than or equal to zero 
  then jump to 4BB8C8</font></p>
<p><font face="terminal" size="-2">I labelled the 3 lines 1,2 and 3 to make it 
  easier for me to talk about them.<br>
  Now load up Symbol Loader (the proggie that comes with softice), choose file, 
  open then choose merlyn.exe<br>
  Once it has loaded click on Module, Load and it will ask if you are sure, choose 
  yes and softice should pop up.<br>
  WHAT TO DO IF IT DOESN'T POP UP: Choose Module, Settings and make sure that 
  Load Executable and Stop at Winmain... are both checked!<br>
  SoftIce pops up at the start of the program.<br>
  Type: bpx 4BB8A5<br>
  This sets a breakpoint on that line.<br>
  Now type: X [ENTER]<br>
  SoftIce should flash off then on; this is because it broke in where we set the 
  breakpoint!<br>
  We can see that SoftIce shows the jump will not be taken, so we want to make it 
  jump.<br>
  Type: A<br>
  Once you hit enter you will be able to modify that line of code. So type: JMP 
  4bb8c8<br>
  Hit enter twice to finish editing.</font></p>
<p><font face="terminal" size="-2">Notice the 7D21 changes to EB21.<br>
  Now type BC * [ENTER]<br>
  This clears all breakpoints.<br>
  Type: X [ENTER]</font></p>
<p><font face="terminal" size="-2">Softice will now exit and the program will 
  load with no problems - how convenient :)</font></p>
<p><font face="terminal" size="-2">Now we need to hex edit the code.<br>
  So load up your favourite hex editor (I recommend Hackers View or UltraEdit) 
  - some people prefer hex workshop - which I personally hate.</font></p>
<p><font face="terminal" size="-2">Search for 85C07D21 - Where did I get this 
  number from?</font></p>
<p><font face="terminal" size="-2">LINE 2:004BB8A3 85C0 <br>
  LINE 3:004BB8A5 7D21 </font></p>
<p><font face="terminal" size="-2">You can see the bytes are the opcodes at the end of 
  the above two lines.</font></p>
<p><font face="terminal" size="-2">Now change the 7D21 to EB21, run the program 
  and voila - it works forever :)</font></p>
<p><font face="terminal" size="-2">Now we have one last problem. The title bar 
  says the amount of days still.<br>
  So note down the string in the titlebar:<br>
  Merlyn - this trial version expires in xx days</font></p>
<p><font face="terminal" size="-2">Load up W32Dasm again, and look for the string. 
  Here's what I found:<br>
  :004BB828 C7803402000048AB4B00 mov dword ptr [ebx+00000234], 004BAB48<br>
  :004BB832 80BB4503000000 cmp byte ptr [ebx+00000345], 00<br>
  :004BB839 0F84E3000000 je 004BB922</font></p>
<p><font face="terminal" size="-2">* Possible StringData Ref from Code Obj -&gt;&quot;Merlyn 
  - this trial version expires &quot;<br>
  -&gt;&quot;in &quot;<br>
  |<br>
  :004BB83F 68A4B94B00 push 004BB9A4</font></p>
<p><font face="terminal" size="-2">Hmmm, the jump looks very interesting :) Let's 
  change it to JMP instead of JE, so it always jumps.<br>
  JE = Jump if equal (Conditional)<br>
  JMP = Always Jump (Unconditional)</font></p>
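<p><font face="terminal" size="-2">The two jumps quoted above, decoded as an added example (this code is not from the essay or from Hyland Software): it computes each jump's target from its raw bytes the way W32Dasm does, which is also why the displacement byte 21 is left alone when 7D becomes EB. The addresses and byte strings are the ones in the essay's listings; nothing else is assumed.</font></p>

```python
# Added example (not from the essay): decode the relative jumps the essay
# quotes and derive their targets from the raw bytes. Addresses and byte
# strings are taken from the essay's W32Dasm listings.
import struct

# Short (rel8) jumps: one opcode byte, one signed 8-bit displacement.
REL8 = {0x7D: "jge", 0x74: "je", 0xEB: "jmp"}
# Near (rel32) conditional jumps: 0F 8x, then a signed 32-bit displacement.
REL32 = {0x8D: "jge", 0x84: "je"}


def decode_jump(addr, code):
    """Return (mnemonic, target, length) for the relative jump at `addr`.

    The target is computed the way the CPU does it: the address of the
    *next* instruction plus the signed displacement, so 7D21 at 004BB8A5
    jumps to 004BB8A5 + 2 + 0x21 = 004BB8C8, matching the listing.
    """
    op = code[0]
    if op in REL8:
        disp = struct.unpack("<b", code[1:2])[0]
        return REL8[op], (addr + 2 + disp) & 0xFFFFFFFF, 2
    if op == 0x0F and code[1] in REL32:
        disp = struct.unpack("<i", code[2:6])[0]
        return REL32[code[1]], (addr + 6 + disp) & 0xFFFFFFFF, 6
    if op == 0xE9:  # near unconditional jmp rel32
        disp = struct.unpack("<i", code[1:5])[0]
        return "jmp", (addr + 5 + disp) & 0xFFFFFFFF, 5
    raise ValueError("not a relative jump: %s" % code.hex())


# The two sites the essay walks through (bytes copied from its listings).
SITES = {
    0x004BB8A5: bytes.fromhex("7D21"),          # listed as: jge 004BB8C8
    0x004BB839: bytes.fromhex("0F84E3000000"),  # listed as: je  004BB922
}


def decode_sites(sites=SITES):
    """Decode every site; returns {address: (mnemonic, target, length)}."""
    return {addr: decode_jump(addr, code) for addr, code in sites.items()}


if __name__ == "__main__":
    for addr, (mnemonic, target, _) in decode_sites().items():
        print("%08X  %-3s %08X" % (addr, mnemonic, target))
```

<p><font face="terminal" size="-2">Decoding the essay's patched bytes EB21 at the same address gives the same target, 004BB8C8, which is why only the opcode byte changes.</font></p>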
<p><font face="terminal" size="-2">Wahoo! It worked, now just the finishing touches.<br>
  Open up a hex editor and search for the strings in the about box, and change 
  them to Full Version etc.<br>
  (You could also use a resource editor if you wish).</font></p>
<p><font face="terminal" size="-2">DON'T FORGET TO SET YOUR DATE BACK TO NORMAL!!! 
  - IT WREAKS HAVOC WITH EMAIL ;)</font></p>
<p><font face="terminal" size="-2">If you managed to crack the proggie, go and 
  have a well deserved cuppa.</font></p>
<p><font face="terminal" size="-2">The Crack<br>
  ---<br>
  I'm not making it that easy - read the essay you lazy person :)</font></p>
<p><font face="terminal" size="-2">Final Notes<br>
  ---<br>
  Well this is my first essay, I hope it helps someone out there. You can find 
  me on EFNet under the nickname Miscreant - mostly at weekends.<br>
  Feel free to send me constructive criticism or nice comments. I made this essay 
  because I saw way too many essays on serial number cracking,<br>
  but not enough on programs that don't allow serial #'s to be entered. If I get 
  enough feedback I may write some more essays.</font></p>
<p><font face="terminal" size="-2">I would like to thank in no particular order:<br>
  #Cracking4Newbies - For their kind patience<br>
  BubbleGun - Who brought me into the scene<br>
  WAKKeHACK - For recording futurama for me - hehehe<br>
  The Sandman - For his great essays<br>
  Fravia - For having perhaps the largest, yet messiest website on the entire 
  web<br>
  Numega - For the greatest debugger ever<br>
  Slide - For trying this essay for me and telling me what didn't work - all fixed 
  now ;)<br>
  Duelist - For helping me so much on hard cracks<br>
  MisterE - ditto.<br>
  And anyone else I forgot.</font></p>
<p><font face="terminal" size="-2">Disclaimer<br>
  ---<br>
  If you like and use this program then please buy it. The authors deserve the 
  money. If you don't like spending money, get Linux.<br>
  Essay written on 22-Oct-1999.</font></p>
<p><font face="terminal" size="-2">Printing<br>
  ---<br>
  This essay is best printed using Verdana font on size 8.</font></p>
<p><font face="terminal" size="-2">I would like to thank<br>
  ---<br>
  Slide for pointing out my mistakes - well complaining when the tutorial didn't 
  work. Should have ironed out all the bugs ;)<br>
  #cracking4newbies for all their help</font></p>
</body>
</html>
