Jul 1, 2008

NCH Tone Generator Patching Procedure

PART 1:

Before getting into the cracking of NCH Tone Generator, a word about the software itself: NCH Tone Generator is a simple tool for producing sine, square and triangle waves through your speakers.

You can also use it to experiment with the interference of sound waves.

Coming back to the crack. As usual, this software uses the GetSystemTimeAsFileTime API to obtain the current time. The function takes a single parameter, a pointer to a FILETIME structure that receives the current system date and time in UTC. Since the program's idea of "now" comes out of that call, controlling what comes back from it is enough to control the trial check.

I installed my copy (version 2.10) on Monday, January 21, 2008, at 7:09:30 PM.

So where do we start?

We start by setting a breakpoint on every call to GetSystemTimeAsFileTime.

OllyDbg automatically pauses when it reaches the program entry point. Right click and select Search for -> All intermodular calls. Sort the list alphabetically for convenience, scroll down, and you should see two calls to GetSystemTimeAsFileTime. Right click on one of them and select "Set breakpoint on every call to GetSystemTimeAsFileTime"; both entries turn red. Now let the program continue by pressing F9.

Now the program will pause at:

0042B95C FF15 68124000 CALL DWORD PTR DS:[<&KERNEL32.GetSystemT>; kernel32.GetSystemTimeAsFileTime

Forget that one; it isn't the correct place to change. I wasted an hour and a half there.

Just continue by pressing F9.

Now it will pause at:

00424EE4 8D45 F8       LEA EAX,DWORD PTR SS:[EBP-8]
00424EE7 50            PUSH EAX
00424EE8 FF15 68124000 CALL DWORD PTR DS:[<&KERNEL32.GetSystemT>; kernel32.GetSystemTimeAsFileTime
00424EEE 8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]
00424EF1 8B4D FC       MOV ECX,DWORD PTR SS:[EBP-4]

Above the call you can see its only parameter, the address of the FILETIME at [EBP-8], being pushed onto the stack, and after the call the two DWORDs the function filled in being loaded into EAX (dwLowDateTime, from [EBP-8]) and ECX (dwHighDateTime, from [EBP-4]). Those two registers are what the code that follows works with, so this is where we substitute our own values. Select the five instructions above, right click, and choose Binary -> Fill with NOPs.

Those five instructions occupied 16 bytes (3 + 1 + 6 + 3 + 3). Use that space to assemble these two instructions instead:

MOV EAX, XXXXXXXX

MOV ECX, YYYYYYYY

Each MOV r32, imm32 assembles to 5 bytes (opcode B8 for EAX, B9 for ECX, followed by the little-endian immediate), so the two instructions take 10 bytes and the remaining 6 stay as NOPs. Nothing after the patched region moves, so no other addresses in the program need adjusting.

Now select all the instructions shown in red (the ones you modified), right click, and choose Copy to executable -> Selection.

Now in the new window that pops up, right click, select Save file.

Save it under a different name, close OllyDbg, back up the original tone.exe, rename the patched copy to tone.exe and run it. It should run if you've done all the steps correctly.

-------------------------- CALCULATING XXXXXXXX AND YYYYYYYY ---------------------------

These can be any pair of values that GetSystemTimeAsFileTime would have filled in at some instant before the trial period ends. With the patch in place, every time this code path runs the program sees that fixed instant as the current time, so from its point of view the trial never advances. The install date itself is a safe choice.

Make a simple project in VC++. Fill in a SYSTEMTIME with the desired date and time and call SystemTimeToFileTime to convert it to a FILETIME, then wsprintf the two DWORDs and show them with MessageBox. The dwLowDateTime member of the FILETIME is XXXXXXXX and the dwHighDateTime member is YYYYYYYY, matching what the original code loaded into EAX and ECX respectively. Remember that FILETIME is UTC, so enter the SYSTEMTIME in UTC rather than local time.
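As an added example (not code from the original post, and not NCH's), the following portable C computes the same two DWORDs that the VC++ SystemTimeToFileTime approach above would display, straight from the FILETIME definition (100-nanosecond intervals since 1601-01-01 00:00:00 UTC), and also assembles the 16-byte patch described in Part 1. It needs no Windows API, so the values can be worked out on any machine. The function names filetime_from_utc, split_filetime and encode_patch are mine, and the install moment is treated as UTC, which the post does not state.

```c
/* Added example: FILETIME arithmetic and the MOV EAX/MOV ECX patch bytes.
 * FILETIME = number of 100-ns intervals since 1601-01-01 00:00:00 UTC. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t dwLowDateTime;   /* XXXXXXXX in the post: what the original code loaded into EAX */
    uint32_t dwHighDateTime;  /* YYYYYYYY in the post: what it loaded into ECX */
} filetime_t;

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's days_from_civil). */
static int64_t days_from_civil(int64_t y, unsigned m, unsigned d)
{
    y -= (m <= 2);
    const int64_t era = (y >= 0 ? y : y - 399) / 400;
    const unsigned yoe = (unsigned)(y - era * 400);                      /* [0, 399] */
    const unsigned doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;  /* [0, 365] */
    const unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;          /* [0, 146096] */
    return era * 146097 + (int64_t)doe - 719468;
}

/* 64-bit FILETIME for a UTC date/time; the value SystemTimeToFileTime would
 * produce for a SYSTEMTIME holding these fields with wMilliseconds = 0. */
uint64_t filetime_from_utc(int year, unsigned month, unsigned day,
                           unsigned hour, unsigned minute, unsigned second)
{
    /* 1970-01-01 is 134774 days (11644473600 s) after 1601-01-01. */
    const int64_t days = days_from_civil(year, month, day) + 134774;
    const uint64_t secs = (uint64_t)days * 86400u + hour * 3600u + minute * 60u + second;
    return secs * 10000000u;  /* seconds -> 100 ns units */
}

/* Split into the two DWORD members of the FILETIME structure. */
filetime_t split_filetime(uint64_t ft)
{
    filetime_t r;
    r.dwLowDateTime  = (uint32_t)(ft & 0xFFFFFFFFu);
    r.dwHighDateTime = (uint32_t)(ft >> 32);
    return r;
}

/* The 16 bytes that replace the five instructions at 00424EE4:
 *   B8 imm32   MOV EAX, dwLowDateTime
 *   B9 imm32   MOV ECX, dwHighDateTime
 *   90 x 6     NOP padding, so the next instruction at 00424EF4 stays in place */
void encode_patch(filetime_t ft, uint8_t out[16])
{
    const uint32_t imm[2] = { ft.dwLowDateTime, ft.dwHighDateTime };
    const uint8_t opcode[2] = { 0xB8, 0xB9 };
    size_t i = 0;
    for (int r = 0; r < 2; r++) {
        out[i++] = opcode[r];
        for (int b = 0; b < 4; b++)
            out[i++] = (uint8_t)(imm[r] >> (8 * b));  /* little-endian immediate */
    }
    while (i < 16)
        out[i++] = 0x90;
}

int main(void)
{
    /* The post's install moment, assumed here to be UTC (the post does not say). */
    filetime_t ft = split_filetime(filetime_from_utc(2008, 1, 21, 19, 9, 30));
    uint8_t patch[16];
    encode_patch(ft, patch);
    printf("MOV EAX, %08" PRIX32 " ; dwLowDateTime\n", ft.dwLowDateTime);
    printf("MOV ECX, %08" PRIX32 " ; dwHighDateTime\n", ft.dwHighDateTime);
    printf("patch bytes:");
    for (int i = 0; i < 16; i++)
        printf(" %02X", patch[i]);
    printf("\n");
    return 0;
}
```

A quick sanity check for any such tool is the Unix epoch: 1970-01-01 00:00:00 UTC must come out as 116444736000000000 (0x019DB1DE:0xD53E8000), the constant every FILETIME-to-time_t conversion uses. After writing the patch, diff the saved tone.exe against the backup; exactly those 16 bytes at the file offset OllyDbg shows for 00424EE4 should differ and nothing else.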

References:

GetSystemTimeAsFileTime:

http://msdn.microsoft.com/en-us/library/ms724397(VS.85).aspx

FILETIME structure:

http://msdn.microsoft.com/en-us/library/ms724284(VS.85).aspx

SystemTimeToFileTime:

http://msdn.microsoft.com/en-us/library/ms724948(VS.85).aspx

SYSTEMTIME structure:

http://msdn.microsoft.com/en-us/library/ms724950(VS.85).aspx


