Back to project 6
homepage
links
search_forms
+ORC
students' essays
academy database
reality cracking
how to search
javascript wars
tools
anonymity academy
cocktails
antismut
CGI-scripts
mail_fravia+
Is reverse engineering
legal?
|
|
1. Best available numerical analysis and curve fitting toolbox.
2. 101 times better than Micro$oft EXCEL.
3. Plots Each and Every type of Scientific and technical graphs.
Given below is the statement from Microcal :
" OriginTM a technical graphics and data analysis software
package designed for Microsoft Windows. First released in 1991, Origin
is used by tens of thousands of scientists, engineers, and Fortune 500
Companies, as well as hundreds of universities worldwide.
Our software provides a powerful combination of spreadsheet,
visualization, and analysis features. With Origin you can automate common
routines, analyze large amounts of data, and create spectacular graphics.
Whether you're an academic scientist, a pharmaceutical researcher, or an
automotive engineer, you'll find Origin both fast and intuitive. Origin's
flexible interface adjusts to fit your needs."
Some comments by various agencies :
"[Origin 5.0] establishes itself as the performance leader
in graphing technology....Origin out performs its competitors significantly...."
National Software Testing Laboratories Report, December
1997
"...Origin's stronger mathematical underpinnings and
powerful scripting language will make it the preferred choice for many
technical users."
PC Magazine, January 20, 1998
"Origin 5.0 is a rare software package that provides
sophisticated data analysis and technical graphics tools in an intuitive,
user-friendly environment....there is absolutely no better choice than
Origin 5.0 for Windows."
HMS Beagle Magazine, November 14, 1997
"Origin 5.0 is one of the finest analytical graphics
packages for Windows....I particularly liked how Origin works with Microsoft
Excel, allowing me to directly open an Excel worksheet from within Origin...."
InfoWorld Magazine, October 27, 1997
So it's a very good program, question is: why does every
dog use Excel instead? Because Micro$oft dominates the market and, no matter
how good the concurrence is, they will always sell theyr crap... that is, unless
some good +reversers show the truth behind the curtains...
|
|
|
|
Method 2 : W32dsm89 : Windows
disassembler.
Any Hex editor
TS :
Text search Norton utilities for DOS
Softice 3.2 : Not Required but helpful in deeper
understanding.
|
|
So its a time limit protection. Now lets move to the methods :
|
|
Run the program , quit it and note the hrs remaining. Change the date on ur computer to next day. Run the program again and quit it ......... and OH the number of hrs remaining HAS DECREASED. Change the date to one or two Days before and the hrs will increase.
Moral :
(The Price + Complex nature of a software)
IS DIRECTLY PROPORTIONAL TO
( The stupidity of its protection Scheme)
|
|
Check the number of dlls and exe : 17 LARGE dlls and 1 EXE.
Run TS in origin directory and search for "Demo" in 20 sec the program will report its occurrence inside OK50.DLL and ORIGIN50.EXE. ( I love the fast nature of TS).
So we are short listed to 2 files. Run W32dasm89 and disassemble the two files.
First we take Origin50.exe . Search for "Thank you" in the disassembly window and we got the code for the first nag :
* Reference To: MFC40.MFC40:NoName0159,
Ord:01E6h
|
:00403846 E8991C0000
Call 004054E4
* Possible Ref to Menu: MenuID_000A, Item: "Status
Bar"
|
* Reference to String Resource ID=59393:
"Thank you for using this demo version of Origin..."
|
:0040384B 6801E80000
push 0000E801
:00403850 8D4DF0
lea ecx, dword ptr [ebp-10]
:00403853 C745FC00000000
mov [ebp-04], 00000000
* Reference To: MFC40.MFC40:NoName0073,
Ord:0E48h
; I am sick of these nonames from Micro$oft
|
:0040385A E8DD210000
Call 00405A3C
:0040385F 6A00
push 00000000
:00403861 8B45F0
mov eax, dword ptr [ebp-10]
* Possible StringData Ref from Data Obj ->"Demo"
|
:00403864 68B0954000
push 004095B0
:00403869 50
push eax
:0040386A 6A00
push 00000000
* Reference To: USER32.MessageBoxA,
Ord:0188h
|
:0040386C FF157CB14000
Call dword ptr [0040B17C]
:00403872 C745FCFFFFFFFF
mov [ebp-04], FFFFFFFF
:00403879 E852000000
call 004038D0
* Referenced by a Jump at Address:00403841(C)
|
:0040387E 6A74
push 00000074
The code is self explainatory In order to kill the first nag the switch at 0040383Bh may be hardcoded by 74 -> EB.
Now load the OK50.dll file :
Search for 'Thank you' again and u will get :
* Referenced by a CALL at Addresses: 100780C5 , :100796B4 , :1008F001
|
:10096CC0 64A100000000
mov eax, dword ptr fs:[00000000]
:10096CC6 55
push ebp
--------------Cut Cut Cut -----------------------------------------------
* Referenced by a Jump at Address:10096C98(C)
|
:10096D06 C645FC02
mov [ebp-04], 02
* Reference To: MFC40.MFC40:NoName0020, Ord:0E48h
|
:10096D0A E861D80500
Call 100F4570
:10096D0F E8BC000000
call 10096DD0 ; Time Check routine
:10096D14 85C0
test eax, eax
:10096D16 740F
je 10096D27
* Reference to String Resource ID=09153:
"Thank you for trying the demo version of Origin 5.0.This demo has expired"
|
:10096D18 68C1230000
push 000023C1
:10096D1D 8D4DF0
lea ecx, dword ptr [ebp-10]
* Reference To: MFC40.MFC40:NoName0020, Ord:0E48h
|
:10096D20 E84BD80500
Call 100F4570
:10096D25 EB30
jmp 10096D57
* Referenced by a Jump at Address:10096D16(C)
|
* Reference to String Resource ID=09152:
"Thank you for trying the demo version of Origin
5.0.This demo will expire in x hrs"
|
:10096D27 68C0230000
push 000023C0
:10096D2C 8D4DEC
lea ecx, dword ptr [ebp-14]
--------------Cut Cut Cut -----------------------------------------------
:10096D97 B801000000
mov eax, 00000001
:10096D9C 8B4DF4
mov ecx, dword ptr [ebp-0C]
:10096D9F 64890D00000000
mov dword ptr fs:[00000000], ecx
:10096DA6 8BE5
mov esp, ebp
:10096DA8 5D
pop ebp
:10096DA9 C3
ret
And the nag along with a use less routine was removed. The time check routine is called from many locations (observation by execution in softice.). It is listed below with comments:
:10096DF0 83EC04
sub esp, 00000004
:10096DF3 833D2885121000
cmp dword ptr [10128528], 00000000 ;Date/Time stamp
from origin50.ini already decrypted ?
:10096DFA 7414
je 10096E10 ; Yes
:10096DFC E85F000000
call 10096E60 ; Read and Decrypt date time
:10096E01 C7052885121000000000 mov dword ptr
[10128528], 00000000 ; Toggle switch
:10096E0B A324851210
mov dword ptr [10128524], eax
* Referenced by a Jump at Address:10096DFA(C)
|
:10096E10 8D442400
lea eax, dword ptr [esp]
:10096E14 50
push eax
* Reference To: MSVCRT40.time, Ord:0466h
;obtain system time
|
:10096E15 FF15C4DF1210
Call dword ptr [1012DFC4]
:10096E1B 8B542404
mov edx, dword ptr [esp+04]
:10096E1F 83C404
add esp, 00000004
:10096E22 8B0D24851210
mov ecx, dword ptr [10128524]
:10096E28 51
push ecx
:10096E29 52
push edx
* Reference To: MSVCRT40.difftime, Ord:03DDh
; Calculate difference
|
:10096E2A FF15C0DF1210
Call dword ptr [1012DFC0]
:10096E30 DC0DF0990F10
fmul qword ptr [100F99F0]
:10096E36 83C408
add esp, 00000008
* Reference To: MSVCRT40._ftol, Ord:028Fh
; Convert from float to long
|
:10096E39 E8B2D00500
Call 100F3EF0
:10096E3E 85C0
test eax, eax
; Check to see if withen range
:10096E40 7D09
jge 10096E4B
:10096E42 B8FFFFFFFF
mov eax, FFFFFFFF ;Expired
:10096E47 83C404
add esp, 00000004
:10096E4A C3
ret
:10096E4B B9C0000000
mov ecx, 000000C0 ;OK
:10096E50 83C404
add esp, 00000004
:10096E53 2BC8
sub ecx, eax
:10096E55 8BC1
mov eax, ecx
:10096E57 C3
ret
|
|
Well this pogram has got some kind of mechanism to register itself. This is quite interesting in itself and purposely left as an exercise to the reader.
This is one of my various Essays on Reversing Engineering Software. I don't always have much time to write these essays, so I cannot say when the other ones will appear.
You can contact me via : -MML-@iname.com
|
|
homepage
links
search_forms
+ORC
students' essays
academy database
reality cracking
how to search
javascript wars
tools
anonymity academy
cocktails
antismut
CGI-scripts
mail_fravia+
Is reverse engineering
legal?