PCAnywhere Version 7.5
(Time trial protection busting)

by Hackmore Readrite
(Revised version: 03 July 1997)

Courtesy of Fravia's page of reverse engineering

        PCAnywhere Version 7.5   is available at http://www.symantec.com

                            PCAnywhere Version 7.5

                      REVISED Crack by Hackmore Readrite

                     Available at http://www.symantec.com

        PCAnywhere is a MUST HAVE program for anyone with a reason to connect
two or more computers together. It allows you to connect computers using a
paralel port, com port, telephone lines, or even the internet. Once connected
you can transfer files, control the other computer from YOUR keyboard, run
programs on the other computer, etc. You can even use it to set up one of
your office computers as a gateway. Imagine being a thousand miles from home,
and being able to run debug on your home computer, for the price of a local
phone call, just by connecting through the internet! Or get that file you
left at the office without even leaving home! It even has a chat feature so
you can teach someone how to use thier own computer, while they see it 
happening on thier screen, and you sit at home sipping martini's explaining
the program to them on the phone. I LIKE IT!

        Here's a short story so you'll know why I decided to crack this
program. Call it "getting even" if you want.

        Right after I got my first computer three years ago, it became
evident that I absolutely must have a way to connect two computers together
via the telephone lines. So I shopped around and decided PCAnywhere was the
product I needed. (For those of you who don't know me, three years ago I knew
absolutely NOTHING about computers!) So I emptied my bank account and left
my money at the software store.

        One year, and one lightning bolt later, it was time to buy a new
computer. It just happened that my new computer came to me loaded with
Win95! And the first thing I did was dive into my software repository to get
my PCAnywhere disks. Install went fine, but when I rebooted and tried to run
PCAnywhere. CRASH!!!, and Win95 was kind enough to tell me the program
wouldn't run on Win95, but gave me the phone number to call to get an
updated version of PCAnywhere. Win95 actually KNEW Symantecs phone number!

        I called the number. The nice lady on the other end said I had too
much money in my bank account, and I should send some to her. There went my
life's savings again. This realy pissed me off at Win95 and Symantec, but
what else could I do? I got PCAnywhere Version 2.0!

        Just over a year later, I was helping +FRAVIA locate a piece of
software. (Whitewater Resource Toolkit - if you have a version newer than
version 3.01a PLEASE send it!) My search led me to Symantecs home page, where
they are offering ALL of their software for a FREE 30 day trial. So I scanned
the list looking for "WRT" and what do I see! PCAnywhere VERSION 7.5!

        Four megs of download time later, I was installing my "new" version.
Just reading the display during install told me this program was WAY ahead
of the "old" version I was using.

        Installed and rebooted, I started the program. I LOVED the new look.
But, curious about what I was about to crack, I shut it down and set my
clock 30 days ahead. DON'T DO THAT! The program expired, as expected, but
turning my clock back did not turn back the expiration! I deleted all traces
of the program from my computer and re-installed it, but it still said the
time limit had expired. I downloaded a whole new four megs and re-installed
again, but the time limit was still expired! It had looked SO GOOD, I wanted
to TRY IT! All it would do is tell me the time limit had expired, and I
should phone a number to order it. Then it would disapear from my screen.

        I knew I was up against one of the best. Peter Norton TAUGHT me
programming. (His book "PC Programers Bible" is my entire education on
computing.) I was sure he would pull a trick like this. I figured he jiggled
a byte in my bios or played with my registry. A quick check of the registry
came up empty, but I didn't want to waste too much time looking for
something when I had no idea what it might be.

        So, I tried a little "social engineering" on the telephone. Peter
has his ladys trained well. They told me ALL I could do was drain my life
savings again! There's NO way I could "try before I buy" because "I blew it!"
Send Peter more money, THEN I could try it. Peter, this means WAR!

        I decided to try the "dead aproach" this time, to "test" how smart
I was. I loaded Winaw32.exe into Wdasm7 (thanx Frog!) and began to read.
I scaned down the page, and in the section labeled "Imported Modules",
under the heading "Imported module 004: AWCOMM32.DLL", was the title
"TimeBombCheck@4"! I had expected a challenge!

        I did a search, and "TimeBombCheck@4" came up twice, in the listing
I had read, and at the call to it in the program. Break out SoftIce.

        Bpx on the offending line and run the program. SoftIce kicks in at
the following code:

  :00406350 FF15989D4700          CALL  DWORD PTR [EBP+FFFFF728] (TimeBomb)
  :00406356 85C0                  TEST  EAX, EAX                 (check)
  :00406358 0F8521000000          JNE   0040637F                 (good guy)
  :0040635E C78520F7FFFF00000000  MOV   DWORD PTR [EBP+FFFFF720], 00000000
  :00406368 C745FCFFFFFFFF        MOV   [EBP-04], FFFFFFFF
  :0040636F E809010000            CALL  0040647D                 (bad guy)
  :00406374 8B8520F7FFFF          MOV   EAX, [EBP+FFFFF720]
  :0040637A E914010000            JMP   00406493

        The CALL was suitably named "TimeBombCheck@4", and I usualy find all
those zero's on the line after a jump mean bad news, (I DID say USUALY!)
I assumed the TEST should come out "not" even IF I was registered. 
(For those who do not know, the TEST instruction looks for a "1" anywhere in
the binary representation of the number being TESTed, and trips the zero
flag accordingly.) Still in SoftIce, I began to assemble...

  :a cs:00406358
  :00406358 jmp 0040637f     (EB25)-> jump to the "good guy" address
  :0040635A push eax         (50)  -> then fill the extra 4 bytes 
  :0040635B push edx         (52)
  :0040635C pop edx          (5A)
  :0040635D pop eax          (58)

        To my total disgust, the "expired" picture was there, telling me
Peter was greedy, and I should send him my money! Frustrated, (but not ready
to give up yet), I lied and pushed the button that said "O.K."

        To my surprise, the program came up on my screen! This time I pushed
some buttons to see just what this puppy could do. I LIKE IT! Thanks Peter!

        (NOTE: This WORKED on MY computer for over a week, until I did some
house cleaning in my registry, which caused the program to shut down every
time I selected a function. It's a BAD crack, because there are several .exe
files in this program, each with it's own CALL to TimeBombCheck, and each
with its own TEST instruction after the call. Almost every .exe file would
have to be cracked! Sorry to all those who have tried this crack and became
angry because it did not work! The REAL fix is at the end of this page.)
+FRAVIA has been on vacation, so I could not get the REAL fix posted sooner.

        Now, the nag screen had to go. Just a tiny bit of Zen told me it
must be in the AWCOMM32.DLL module, because thats where the CALL to
"TimeBombCheck@4" pointed to. A little more SoftIce-ing was needed.

        Reload the program, Bpx on the CALL to "TimeBombCheck@4" and
SoftIce breaks at the call again, but this time trace into it. Keep tracing
("t") untill you get to a CALL instruction, then set the cursor on the line
right after the call, and type "here" at the prompt, (or "F7") watching the
screen closely each time to see if the "nag screen" is visible.

        For the begginers amoung us, tracing ("t") through code is nessesary
in order to stay with the code when it branches off (JMP's). The "here"
instruction, with the cursor on the next line of code after the "CALL" will
process the call, then stop at the cursor, then you can "t" trace again.

        I had passed through about 12 calls when I saw the "nag screen" so I
cancelled my breakpoint and set a new one on the call which I had just passed
through. Then I let the program run its course.

        After the program shut down, I re-loaded it, and pressed "ctrl-d"
to run it to my breakpoint. Here's the code from cs:088fB7F2...

        8D8DE0F3FFFF            LEA   ECX, [EBP+FFFFF3E0]  (load address)
        E8F7F30000              CALL  0890ABEE             (make nag screen)
        C78580F2FFFF00000000    MOV   DWORD PTR [EBP+FFFFF280], 00000000

        Here, I just wanted to defeat this call, so the "nag screen" would
leave me alone. So I re-assembled the bad call line to...

                  "jmp 088FB7F7"    (EB03)  -> (skip this call)
                  "push eax"        (50)    -> (cover the extra bytes)
                  "nop"             (90)
                  "pop eax"         (58)

        (NOTE: Remember, this turned out to be a dirty fix because of my
dirty registry, read on for the real fix!)

        The program ran its course without showing me that ugly "nag screen"
so I broke out my old friend "HexEdit" and got to work.

                Load...   Winaw32.exe    (To fix the TimeBombCheck)
              Search...   "0F8521000000" (The JNZ 0040637F line)
        and typed in...   "EB2550525A58" (the "fix", JMP anyway)
                Save...   to disk

                Load...   AWCOMM32.DLL   (To fix the NAG screen)
              Search...   "E8F7F30000"   (The CALL 0890ABEE line)
        and typed in...   "EB03509058"   (the "fix", pass right through)
                Save...   to disk

        Thats it. Now a test run, and I learn that I now have a program I can
test drive for as long as it takes for me to decide IF I like it. Or at least
until Peter comes up with a newer version. Thanks Peter. You, and +ORC,
have taught me well, but I thought YOU of all people, would have given me
a more challenging puzzle. This one took less than an hour to solve!

        Peter must have laughed when he read that last paragraph! I don't
know how my registry allowed this crack to work, but when I cleaned my
registry, the program did just what Peter designed it to do. SHUT DOWN! And
Peter got another 30 minutes of my time. Stop laughing Peter, here's the
real way to "repair" your TimeBomb!

        As mentioned earlier, several of the .exe files call TimeBombCheck,
and each .exe has it's very own CALL to TimeBombCheck and then does a 
"TEST EAX, EAX" right after the call. Since the TEST is looking for a "1" in
the binary representation of whatever number is in EAX, it should be obvious
that EAX should contain some number larger than a "0". We need to back up,
into the TimeBombCheck sub, to find where the value is placed into EAX.
(By the way, the second EAX in the instruction "TEST EAX, EAX" is just a
"mask" that doesn't hide very much.)

        So I repaired my registry, re-installed PCAnywhere so I would be
working with a "virgin" copy, then loaded WINAW32.EXE into SoftIce, and set
a breakpoint at the call to TimeBombCheck.

        Then trace into the call, and each time a new CALL instruction comes
up, drop the cursor down to the following line and do a "here" instruction
in SoftIce to pass through the CALL.

        The call to the nag screen is slightly different this time, but the
same "fix" will get rid of it. And after passing 16 CALLs, we see what we're
looking for. The program loads EAX with a value that has been stored on the
stack, then JMPs to the RET.

        Now let the program run itself out, and pull out HexEdit so we can
REALY fix this thing!

                Load...   AWCOMM32.DLL   (To fix BOTH "problems")
              Search...   "E8ADF40000"   (The CALL NAG screen line)
        and typed in...   "EB03509058"   (the "fix", pass right through)
              Search...   "8B8584F2FFFF" (The MOV "0" on stack to EAX line)
        and typed in...   "B801000000"   (the "fix", MOV A "1" into EAX)
                 and...   "90"           (NOP to fill the extra "lost byte")
                Save...   to disk

        No repairs will be nessesary on the other .exe files now since they
will all find a "1" in EAX when they return from TimeBombCheck. This, of
course, is a much cleaner crack, and I should have done it this way the first
time. Sorry.

        Too hard for you? You want to crack this program by changing only a
SINGLE BYTE! O.K., I'll show you how to do that too. Just load AWCOMM32.dll
into your hex editor, and search for these bytes (without the *'s)...

        8B8508F7FFFF   MOV EAX, [EBP+FFFFF708] ; the byte that kicks
        89855CF2FFFF   MOV [EBP+FFFFF25C], EAX ; moves to new home
        E9*05*060000   JMP 088FBAE0            ; then gets checked

        Then replace the byte inside the *'s (in the jump instruction) to...

        E9*FE*060000   JMP 088FBBD9            ; skip all of those checks!

        This bypasses all validation checks, so the program doesn't check to
see if you need to see a nag screen, or if you've been using the program too
long. Yes, it does BEGIN to check, thats whats in [EBP+FFFFF708], but if we
try to bypass that check also, by not calling the sub that places the value
into [EBP+FFFFF708], other data gets left out which causes the program not
to function completely. And besides, to bypass this sub would take more than
a one byte change, which takes some of the fun out of the crack.

        Yes, Peter, the "cleanest" crack would have been a repair to your
"time keeper", or the code that reads it, but many people hesitate to play
with things they do not understand, like bios or registry files, when they
know it could cause them problems with thier system. So I've tried to make
this simple enough for anyone to do. After all, EVERYONE should have
PCAnywhere, and EVERYONE should know how to CRACK.

                                       Happy Cracking 'till next time;
                                                       Hackmore Readrite
                                                       DataMiners Inc.

You are deep inside fravia's page of reverse engineering, choose your way out:

homepage links red anonymity +ORC students' essays tools cocktails
search_forms mailFraVia
Is reverse engineering legal?