I was looking for a Post-it-like program for Mac OS X (I don’t like Stickies!) and found this nice one, Edgies (available at http://www.oneriver.jp/Edgies/index_e.html).
It has a very annoying “register me” nag which shows up every few times you open or close a note.
My first attempt to bypass this was to go after the serial registration routine (it lives in the RegistrationManager framework), but it appeared to be too long and complicated to be worth the trouble.
The next obvious step was to go after the shareware message itself. A grep for the string “Shareware Information” lands us again in the RegistrationManager framework, in a nicely labeled function, showDemoDialogue.
After disassembling the main program and searching for references to that function, we reach this:
000080c7 calll 0x0008f158 +[RegistrationManager sharedRegistrationManager]
000080cc movl 0x00091394,%edx registered
000080d2 movl %edx,0x04(%esp,1)
000080d6 movl %eax,(%esp,1)
000080d9 calll 0x0008f158 -[(%esp,1) registered]
000080de movb %al,(%ebx)
000080e0 testb %al,%al
000080e2 jne 0x00008134 <- CRACKME =)
000080e4 movl 0x0008a014,%eax
000080e9 cmpb $0x00,(%eax)
000080ec je 0x00008134
000080ee movl 0x000000f8(%esi),%eax (int)demoCount
000080f4 addl $0x01,%eax
000080f7 movl %eax,0x000000f8(%esi) (int)demoCount
000080fd cmpl $0x01,%eax
00008100 jbe 0x00008134
00008102 movl 0x00091398,%eax sharedRegistrationManager
00008107 movl %eax,0x04(%esp,1)
0000810b movl 0x00092668,%eax RegistrationManager
00008110 movl %eax,(%esp,1)
00008113 calll 0x0008f158 +[RegistrationManager sharedRegistrationManager]
00008118 movl 0x00091390,%edx showDemoDialogue
0000811e movl %edx,0x04(%esp,1)
00008122 movl %eax,(%esp,1)
00008125 calll 0x0008f158 -[(%esp,1) showDemoDialogue]
0000812a movl $0x00000000,0x000000f8(%esi) (int)demoCount
00008134 addl $0x10,%esp
00008137 popl %ebx
00008138 popl %esi
00008139 popl %ebp
0000813a ret
This is pretty easy to understand and bypass. The call to -[RegistrationManager registered] checks whether the program is registered; if it is not, demoCount is incremented and, once it passes the threshold, showDemoDialogue displays the nag message. The easy way to bypass all of this is to change the JNE at address 0x80e2 into a JMP (opcode 75 to EB), so the “registered” path is always taken.
Patch the main program, run it again and voilà. No more nag 😄.
The whole protection goes down to a single byte (far too many protections are bypassed like this). I assumed the serial routine is hard or long to analyse. I might be wrong, since today I’m too lazy to check it, but why waste time on that when you can patch a single byte!
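The reason the protection collapses this way is that the whole decision rests on one conditional branch, and nothing in the program verifies that the bytes making that decision are still the ones the author shipped. The script below is an added example (it is not code from the post or from Edgies) of the minimal countermeasure a defender would reach for: hash the protected code region at build time and re-check it at runtime, so that the single-byte JNE-to-JMP change is caught. The byte string is constructed to resemble the instructions around 0x80de in the listing (movb, testb, jne +0x50, movl), but the bytes, offsets and function names are assumptions for the illustration, not taken from the real binary.

```python
import hashlib

# Constructed sample of the code region around the registration branch.
# The encodings are real x86 (88 03 = movb %al,(%ebx); 84 c0 = testb %al,%al;
# 75 50 = jne +0x50; a1 imm32 = movl imm32,%eax) but the region as a whole
# is an illustration, not bytes copied from Edgies.
BRANCH_OFFSET = 4                      # position of the jne/jmp opcode byte
ORIGINAL_CODE = bytes([
    0x88, 0x03,                        # movb %al,(%ebx)
    0x84, 0xc0,                        # testb %al,%al
    0x75, 0x50,                        # jne  +0x50  <- the decisive byte
    0xa1, 0x14, 0xa0, 0x08, 0x00,      # movl 0x0008a014,%eax
])

# Mnemonics for the one-byte branch opcodes this check cares about.
_BRANCH_OPCODES = {0x74: "je", 0x75: "jne", 0xeb: "jmp"}


def expected_digest(code: bytes) -> str:
    """Digest the build system would embed (or sign) for this region."""
    return hashlib.sha256(code).hexdigest()


def verify_integrity(code: bytes, reference_digest: str) -> bool:
    """Runtime self-check: does the code region still match the reference?"""
    return hashlib.sha256(code).hexdigest() == reference_digest


def branch_mnemonic(code: bytes, offset: int) -> str:
    """Name the short branch at `offset`, so a report can say what changed."""
    return _BRANCH_OPCODES.get(code[offset], "other")


def tamper(code: bytes, offset: int, new_opcode: int) -> bytes:
    """Test fixture: return a copy with one byte replaced (simulated patch)."""
    patched = bytearray(code)
    patched[offset] = new_opcode
    return bytes(patched)


def integrity_report(code: bytes, reference_digest: str) -> dict:
    """What a self-check would log: verdict plus the branch actually present."""
    return {
        "intact": verify_integrity(code, reference_digest),
        "branch": branch_mnemonic(code, BRANCH_OFFSET),
    }


if __name__ == "__main__":
    reference = expected_digest(ORIGINAL_CODE)
    print("shipped build :", integrity_report(ORIGINAL_CODE, reference))
    # Simulate the one-byte change described in the post (JNE -> JMP).
    modified = tamper(ORIGINAL_CODE, BRANCH_OFFSET, 0xEB)
    print("one-byte change:", integrity_report(modified, reference))
```

Running it shows the shipped region verifying as intact with a `jne` at the branch and the modified region failing verification with a `jmp` there. The caveat a practitioner should keep in mind is that this check is itself just more code in the same binary, so it raises the bar rather than removing the problem; an integrity check enforced outside the program, such as platform code signing verified by the operating system, is the stronger control.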