I recently found a 30-day trial version of Simply 3D v2 on a magazine
cover CD. I thought I’d have a look at it, and low and behold it appears
to be one of the worst protection schemes devised. This is supposed to
be a professional commercial package but the programmers (in their
ultimate laziness) haven’t spent much time on the protection. I cracked
it in a little over a minute (since WinDasm8 took some time to
disassemble the file).
I thought I’d get a feel for the program in advance, so installed it and
set the date past the 30 day limit. This revealed the text "The trial
period has…". I then tested the age old failing of protection schemes:
I set the date back. I wasn’t surprised to find that this didn’t fixe
the problem. So then I thought I’d have a quick peek at the code and get
a feel for the level of protection on this package. Pulling out my
trusty copy of WinDasm32 I set it to disassembling the code. To my
surprise, when I used the string reference feature to locate the
lock-out text, windasm dropped me straight into this code:
:0040C4FF E87CF00600 call 0047B580
:0040C504 83C404 add esp, 00000004
:0040C507 85C0 test eax, eax
:0040C509 7527 jne 0040C532
:0040C50B 6A00 push 00000000
* StringData Ref from Data Obj ->"SIMPLY 3D 2 TRIAL PERIOD TERMINATION"
:0040C50D 6814FA4800 push 0048FA14
* StringData Ref from Data Obj ->"The trial period has expired."
->" Please contact your local vendor "
->"or Micrografx to purchase a complete "
->"version of Simply 3D 2."
:0040C512 6894F94800 push 0048F994
:0040C517 6A00 push 00000000
* Reference To: USER32.MessageBoxA, Ord:0195h
:0040C519 FF1530234A00 Call dword ptr [004A2330]
Looking up from the text message, a conditional jump could be seen
which, I guessed correctly, skipped the lock-out message and started the
code. A simple patch to make the jump unconditional resulted in a
complete crack. No checksums, no clever code misdirection using lookup
tables etc., not even an embedded second check.