Cracking_Email_Effects_By_Ferrari.txt

                   (BEST VIEWED WITH WORDWRAP ENABLED & FONT= COURIER , SIZE =10)

         @$@$#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@@$@ @#$#$@
        @@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@  @#$#$#$@
         @@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#$@ @#$#$@
          @#$@                             
          @#$@       @$@$@$@$@ @$@$@ $@$@$ @$@$@ $@$@$   @#@#@#@#@@ @$@$@ $@$@$ @$#$#$#@
          @#$@      @#$#$#$#$@@ @#$#$#$#$#$ @#$#$#$#$#$ @$#$#$#$#@@@ @#$#$#$#$#$ @#$#$@
          @#$@    @ @#@#@#@#@#@ @#$@$#$#@@@ @#$@$#$#@@@ @#@@    @#$@ @#$@$#$#@@@  @$#@
          @#$@#$#$@ @#@#   #@#@ @#$@   @@@  @#$@   @@@  @$@     @#$@ @#$@   @@@   @$#@
          @#$@@#@#@ @#@#@#@#@#@ @#$@   @@   @#$@   @@         @#@#$@ @#$@   @@    @$#@   
          @#$@#$#$@ @$@$@$@$@$@ @#$@        @#$@         @@#@@#@#@#@ @#$@         @$#@
          @#$@    @ @$@#        @#$@        @#$@        @#$#$#$#$#$@ @#$@         @$#@
          @#$@      @$@#        @#$@        @#$@        @#$@    @#$@ @#$@         @$#@
          @#$@      @#@#@#@#@#@ @#$@        @#$@        @#$@#$#$#$#@ @#$@         @$#@
          @#$#@     @$@$@$@$@$@ @#$#@       @#$#@       @#$@#@#@#@#@ @#$#@       @#$#$@
        @#@#@#@#@    @#@#@#@#@ @#@#@#@     @#@#@#@       @#@#@#@#@# @#@#@#@     @$#$#$#@


                                        
                                     :-)---> ARTeam <---(-:
                            Visit:-http://cracking.accessroot.com
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$                     $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$  --EMAIL EFFECTS--  $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$        1.6          $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$@@@@@@@@@@@@@
@@@@@@@@@@@@@              AUTHOR            :   FERRARI                          @@@@@@@@@@@@@
@@@       @@@              PROTECTION        :   NAG SCREEN                       @@@       @@@
@@ ferrari @@              TARGET FILE       :   Email Effects.exe                @@ ferrari @@
@@@       @@@              TARGET URL        :   http://www.sigsoftware.com       @@@       @@@
@@@@@@@@@@@@@              OPERATING SYSTEM  :   WINDOWS ALL                      @@@@@@@@@@@@@
@@@@@@@@@@@@@              RELEASE DATE      :   5.02.2004                        @@@@@@@@@@@@@
@@@@@@@@@@@@$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@                                TOOLS USED & TARGET SOFTWARE                                 @
@                                =============================                                @
@                                                                                             @
@ OllyDbg         :- http://grinders.withernsea.com/tools/odbg110b1.rar                       @
@ EmailEffects    :- http://grinders.withernsea.com/tools/Email_Effects.rar                   @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@           
   As usual, first make a backup of the original exe. Now run the program. You see a nag which tells you to register the program. Take note of the caption of this window: 'About Email Effects'. After a few seconds the nag closes and the main program starts.
      Let's start dude ;-) Fire up Olly and load 'Email Effects.exe'. In the CPU window press 'Ctrl N'. This brings up the API calls window (Right click-->sort by-->name). Scroll down to 'CreateWindowExA'-->Select it-->right click and choose 'Set breakpoint on every reference'. Okay, now get back to the Olly CPU window and press F9. You will land below (00411E26).

00411E1A  |. 68 784A4200    PUSH Email_Ef.00424A78         ; |WindowName = "About Email Effects"
00411E1F  |. 68 8C4A4200    PUSH Email_Ef.00424A8C         ; |Class = "About"
00411E24  |. 6A 01          PUSH 1                         ; |ExtStyle = WS_EX_DLGMODALFRAME
00411E26  |. FF15 DC654800  CALL DWORD PTR DS:[<&USER32.Cr>; \CreateWindowExA  <-- you land here

 Now look at address 00411E1A... did you take note of our caption in the beginning? Okay, now look at 'PUSH Email_Ef.00424A78'. What we have to do is press 'Ctrl G', enter the address 00424A78 and press OK. You land here.

00424A73   75 74            JNZ SHORT Email_Ef.00424AE9
00424A75   0000             ADD BYTE PTR DS:[EAX],AL
00424A77   0041 62          ADD BYTE PTR DS:[ECX+62],AL

 See our sweet JNZ (Jump if not equal). Okay, just select it-->right click-->Binary-->Fill with NOPs-->Done (not completely though).

 Now right click in the CPU window-->Copy to executable-->Selection-->Right click in the new window that opens-->Save File-->Choose to overwrite.

Now run the program. No nags anymore he he ;-)
 Dude, if you think that everything is fine.. bad news for you. Just try to advance the system clock by 1 year and try running the program. Shit, this is trialware and it expires after 28 days. So another nag screen. Okay, let's get rid of this too. ;-) But first reset your original time.
 Load the program again in Olly. Hit F9. We don't get that first NAG ;-). Okay, now again advance the clock by 1 year and then close the program. We get the 2nd NAG. Okay, back in Olly hit F12 and then Alt K to open the call stack window and you should see this.

Call stack of main thread
Address    Stack      Procedure / arguments                 Called from                   Frame
0012FE00   77D43FBE   Includes 7FFE0304                     USER32.77D43FBC               0012FE34
0012FE04   77D487A7   USER32.WaitMessage                    USER32.77D487A2               0012FE34
0012FE38   77D4F58C   USER32.77D48607                       USER32.77D4F587               0012FE34
0012FE60   77D4F5C7   USER32.77D4F4D8                       USER32.77D4F5C2               0012FE5C
0012FE80   77D650FD   USER32.DialogBoxIndirectParamAorW     USER32.77D650F8               0012FE7C
0012FEAC   0041309E   USER32.DialogBoxParamA                Email_Ef.00413098             0012FEA8
0012FEB0   00400000     hInst = 00400000
0012FEB4   00000190     pTemplate = 190
0012FEB8   00000000     hOwner = NULL
0012FEBC   00413100     DlgProc = Email_Ef.00413100
0012FEC0   0012FEE4     lParam = 0012FEE4
0012FF04   00408FC1   Email_Ef.00412F90                     Email_Ef.00408FBC
0012FF48   0041E0F7   Email_Ef.00408E70                     Email_Ef.<ModuleEntryPoint>+


Now we can see that 00413098 called DialogBoxParamA. So let's go to 00413098 (Ctrl G) and see this code. We land at 00413098.
 We see that the program calls the GetSystemTimeAsFileTime API. Now see the JNZ at 00412FA6. The CMP compares the 28-day limit with the system time. If it is not over, it jumps to 004130E6, or else we get our bad messagebox. Now go to 004130E6.

00412F9D  |. 894C24 04      MOV DWORD PTR SS:[ESP+4],ECX
00412FA1  |. 66:394C24 44   CMP WORD PTR SS:[ESP+44],CX
00412FA6  |. 0F85 3A010000  JNZ Email_Ef.004130E6
00412FAC  |. 8D4424 18      LEA EAX,DWORD PTR SS:[ESP+18]
00412FB0  |. 50             PUSH EAX                                 ; /pFileTime
00412FB1  |. FF15 F0644800  CALL DWORD PTR DS:[<&KERNEL32.GetSystemT>; \GetSystemTimeAsFileTime
00412FB7  |. 8B4424 4C      MOV EAX,DWORD PTR SS:[ESP+4C]
00412FBB  |. 894424 0C      MOV DWORD PTR SS:[ESP+C],EAX
00412FBF  |. 8B4424 1C      MOV EAX,DWORD PTR SS:[ESP+1C]
00412FC3  |. 894424 10      MOV DWORD PTR SS:[ESP+10],EAX
00412FC7  |. 8B4424 10      MOV EAX,DWORD PTR SS:[ESP+10]
00412FCB  |. 2B4424 0C      SUB EAX,DWORD PTR SS:[ESP+C]
00412FCF  |. B9 C9000000    MOV ECX,0C9
00412FD4  |. 31D2           XOR EDX,EDX
00412FD6  |. F7F1           DIV ECX
00412FD8  |. 2B4424 54      SUB EAX,DWORD PTR SS:[ESP+54]
00412FDC  |. 89C5           MOV EBP,EAX
00412FDE  |. 66:85ED        TEST BP,BP
00412FE1  |. 7F 0E          JG SHORT Email_Ef.00412FF1
00412FE3  |. 8B4424 10      MOV EAX,DWORD PTR SS:[ESP+10]
00412FE7  |. 3B4424 0C      CMP EAX,DWORD PTR SS:[ESP+C]
00412FEB  |. 0F83 F5000000  JNB Email_Ef.004130E6
00412FF1  |> 66:81FD B400   CMP BP,0B4
00412FF6  |. 7E 08          JLE SHORT Email_Ef.00413000
00412FF8  |. BE 01000000    MOV ESI,1
00412FFD  |. EB 36          JMP SHORT Email_Ef.00413035
00412FFF  |  90             NOP
00413000  |> 66:83FD 78     CMP BP,78
00413004  |. 7E 0A          JLE SHORT Email_Ef.00413010
00413006  |. BE 02000000    MOV ESI,2
0041300B  |. EB 28          JMP SHORT Email_Ef.00413035
0041300D  |  8D40 00        LEA EAX,DWORD PTR DS:[EAX]
00413010  |> 66:83FD 3C     CMP BP,3C
00413014  |. 7E 0A          JLE SHORT Email_Ef.00413020
00413016  |. BE 03000000    MOV ESI,3
0041301B  |. EB 18          JMP SHORT Email_Ef.00413035
0041301D  |  8D40 00        LEA EAX,DWORD PTR DS:[EAX]
00413020  |> 66:83FD 1E     CMP BP,1E
00413024  |. 7E 0A          JLE SHORT Email_Ef.00413030
00413026  |. BE 05000000    MOV ESI,5
0041302B  |. EB 08          JMP SHORT Email_Ef.00413035
0041302D  |  8D40 00        LEA EAX,DWORD PTR DS:[EAX]
00413030  |> BE 07000000    MOV ESI,7
00413035  |> 66:85F6        TEST SI,SI
00413038  |. 74 18          JE SHORT Email_Ef.00413052
0041303A  |. 0FBFCE         MOVSX ECX,SI
0041303D  |. 0FBFC5         MOVSX EAX,BP
00413040  |. 894424 08      MOV DWORD PTR SS:[ESP+8],EAX
00413044  |. 48             DEC EAX
00413045  |. 99             CDQ
00413046  |. F7F9           IDIV ECX
00413048  |. 8B4424 08     ...
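
The date arithmetic in the listing above (00412FB7 to 00413030), written out in C as an added example; it is not code from the original tutorial or from the program's vendor. The names are hypothetical, and reading [ESP+4C] as the stored start time, [ESP+54] as the allowed days (28) and a return value of 0 as "jump to 004130E6" are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* The high dword of a FILETIME ticks once per 2^32 * 100 ns = ~429.5 s,
 * so 0xC9 (201) ticks = ~86329 s: the listing's stand-in for one day. */
#define TICKS_PER_DAY 0xC9u

/* 00412FC7..00412FDC: BP = (now_hi - start_hi) / 0xC9 - [ESP+54].
 * start_hi ([ESP+4C]) and allowed_days ([ESP+54]) are assumed meanings. */
static int16_t days_over(uint32_t now_hi, uint32_t start_hi, uint32_t allowed_days)
{
    uint32_t elapsed = (now_hi - start_hi) / TICKS_PER_DAY; /* unsigned DIV */
    return (int16_t)(uint16_t)(elapsed - allowed_days);     /* only BP is tested */
}

/* 00412FF1..00413030: value loaded into ESI for each overdue band. */
static int esi_for(int16_t over)
{
    if (over > 0xB4) return 1;
    if (over > 0x78) return 2;
    if (over > 0x3C) return 3;
    if (over > 0x1E) return 5;
    return 7;
}

/* Returns 0 when the listing jumps to 004130E6, otherwise the ESI value. */
static int trial_path(uint32_t now_hi, uint32_t start_hi, uint32_t allowed_days)
{
    int16_t over = days_over(now_hi, start_hi, allowed_days);
    if (over <= 0 && now_hi >= start_hi)   /* JG not taken, JNB taken */
        return 0;
    return esi_for(over);                  /* overdue, or clock behind start */
}

int main(void)
{
    const uint32_t start_hi = 0x01C3EC00u; /* constructed sample value */
    const uint32_t days[] = { 10, 28, 29, 100, 300 };
    for (size_t i = 0; i < sizeof days / sizeof days[0]; i++)
        printf("day %3u -> %d\n", (unsigned)days[i],
               trial_path(start_hi + days[i] * TICKS_PER_DAY, start_hi, 28));
    printf("clock behind start -> %d\n", trial_path(start_hi - 1, start_hi, 28));
    return 0;
}
```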