Русский / Russian English / Английский

Сейчас на форуме: Bad_guy, Adler, FOXHACKBOK (+6 невидимых)
 · Начало · Статистика · Регистрация · Поиск · ПРАВИЛА ФОРУМА · Язык · RSS ·

 eXeL@B —› WorldWide —› Reverse Engineering: MS-Buchhalter
Посл.ответ Сообщение

Ранг: 0.6 (гость)
Статус: Участник

Создано: 6 января 2016 01:31 New!
Цитата · Личное сообщение · #1

Hi everybody,
recently I got in touch with a software called "MS-Buchhalter". It is a tiny tool for accounting purposes regarding bookkeeping and creating the annual financial statement.

There are three different versions: a free one (minimalistic), a mid-ranged one for EUR 99 with restricted features and a full one with all features for EUR 129.

A trial version is available with the restriction of only 60 bookings allowed and other restrications as some functions are not available. The trial version can be downloaded here: and is about 33 MB.

It seems as MS-Buchhalter is a "clone" of TZ-EasyBuch as the binaries are the same in size and naming.
TZ-EasyBuch seems to be cracked in the past. But actual cracks are not available as I spent so much time for searching up til now.

When closing the software or trying to access funtions not provided in the trial version there is always a screen that points to the website or entering the activation/unlock code.

If you enter the wrong code there is an error that says "Lizenznummer ungültig".

Now I tried reverse engineering with Ollydbg and IDA Pro by opening the exe-file "ezbook.exe".
I searched for the error message "Lizenznummer" and found it at .rdata:00993C64.
This leads to "sub_5EA7F0+26Fo". After analyzing a bit upper and lower around this section I found "005EA9E4".
Here it says "Programm freigeschaltet" what means that the activation was successfull.

So I tried to analyze how to get into this and how to avoid getting the error message that the code entered is invalid.

I found out that at "005EA9AB" there is "JE SHORT 005EA9EE". I changed it to "JE SHORT 005EA9AD" by changing the hex value from 74 01 to 74 00.

After saving it to the binary (ezbook.exe) I entered an activation code and was happy that the software says "Programm freigeschaltet" what means that it turned in to a full version.

Unfortunately, it does not seem to save the state of the registration and the full version.
So I have to repeat the process of entering "any" serial before using the program.

Now I'd like to find out how the code can be changed that when having entered any serial the program realizes that it is a full version from now on without the necessity to always enter a serial before the initial use of MS-Buchhalter.

I'm quite sure that it cannot be that hard work as it was already quite easy to crack the license routine (although, I'm a newbie, I spent to many hours on understanding what happens in the disassembler and how I can use that information).

But I can't get it and so I'd like to ask for your assistance to be successfull.

If you need any further information or screenshots, don't hesitate to ask.

Thank you very much!

Ранг: 0.3 (гость)
Статус: Участник

Создано: 6 января 2016 02:51 · Поправил: 6 января 2016 03:03 cr_w9rdz New!
Цитата · Личное сообщение · #2

better with pm

Ранг: 582.2 (!)
Статус: Участник

Создано: 6 января 2016 07:30 · Поправил: 6 января 2016 08:28 plutos New!
Цитата · Личное сообщение · #3

Check just in case what your program does to the Registry because there is a good chance the program looks there while initializing. Just a guess.

Ранг: 50.4 (постоянный)
Статус: Участник

Создано: 6 января 2016 14:52 New!
Цитата · Личное сообщение · #4

Activation code is saved in "HKCU\Software\TZ-Ware\TZ-EasyBuch\no", parameter "no1b". Code is relatively simple, it doesn't need to patch EXE. Address of checking procedure: 5E3D90. Try one of these codes

P. S. My german is too weak. All above is valid if translation was made correctly.

Ранг: 0.6 (гость)
Статус: Участник

Создано: 6 января 2016 20:28 · Поправил: 6 января 2016 20:29 uetzwurschd New!
Цитата · Личное сообщение · #5

Hi everybody,
thanks for your great work.
The hint with the registry was good but unfortunately didn't help. I already thought that could solve the "problem" but didn't...

@ cr_w9rdz: Your private message was nice
@Prober: I'm quite sure that your German is much more better than my Russian

Thanks a lot.

Ранг: 582.2 (!)
Статус: Участник

Создано: 7 января 2016 02:58 New!
Цитата · Личное сообщение · #6

uetzwurschd writes:
I already thought that could solve the "problem" but didn't...

Keep digging then! Good luck!
 eXeL@B —› WorldWide —› Reverse Engineering: MS-Buchhalter

Видеокурс ВЗЛОМ