ArtPaint 1.3
Lenny

Introduction

ArtPaint is a $20 shareware painting and drawing program. You can get it here: http://www.helsinki.fi/~hsuhonen/artpaint/ . You can get it on BeWare, too.

Tools Required

- Your favourite text editor (as usual)
- dasm, the Linux disassembler by SiuL+Hacky. Get it here.
- Your favourite HEX editor (as usual) (you can get bvi here)

A nag box

Every time you launch the app you get a lovely info box informing you that you must register to remove it. After a quick look in the doc, chapter "registration", and in ArtPaint's "settings" folder, we notice that we need a reg file (a keyfile) if we want the program to be registered. So at least we know where to branch.

Run dasm.

Assembly (assuming the disassembled file is pa.txt):

$ grep reg pa.txt
...doesn't give much interesting stuff....

$ grep Reg pa.txt
00058ff4 g DF .text 0000020a ShowRegistrationInfo__20AuthorizationControl

That one looks interesting.

$ grep Authorization pa.txt
000598b0 g DF .text 00000029 __20AuthorizationControl
00058d00 g DF .text 000002f2 ReadKeyfile__20AuthorizationControlR5BFile
0005980c g DF .text 00000046 DisplaySplashScreen__20AuthorizationControl
00058ff4 g DF .text 0000020a ShowRegistrationInfo__20AuthorizationControl
00059854 g DF .text 0000005c _._20AuthorizationControl
00058980 g DF .text 0000037f WriteKeyfile__20AuthorizationControlR5BFilePCcll
00059758 g DF .text 000000b3 splash_function__20AuthorizationControlPv
Reference to function : __20AuthorizationControl
Reference to function : ReadKeyfile__20AuthorizationControlR5BFile
Reference to function : DisplaySplashScreen__20AuthorizationControl
Reference to function : ShowRegistrationInfo__20AuthorizationControl
Reference to function : _._20AuthorizationControl
---- Function : WriteKeyfile__20AuthorizationControlR5BFilePCcll ----
---- Function : ReadKeyfile__20AuthorizationControlR5BFile ----
---- Function : ShowRegistrationInfo__20AuthorizationControl ----
---- Function : splash_function__20AuthorizationControlPv ----
---- Function : DisplaySplashScreen__20AuthorizationControl ----
---- Function : _._20AuthorizationControl ----
---- Function : __20AuthorizationControl ----
$

Here's the registration system. Now we have several places to go and look at code. The simplest (I think) is to fool the program into thinking the keyfile is present. So let's have a look at the first reference to the function ReadKeyfile__20AuthorizationControlR5BFile:

Reference to function : ReadKeyfile__20AuthorizationControlR5BFile
0x0004644c call 0x00058d00              <------- a call to ReadKeyfile
0x00046451 add $0x14,%esp
0x00046454 test %eax,%eax
0x00046456 jne 0x00046461                <------- a jump if not equal (need to patch here)
0x00046458 movb $0x1,0x114(%edi)
0x0004645f jmp 0x00046477

So it calls ReadKeyfile, tests the value returned in %eax and jumps depending on the result: when ReadKeyfile returns non-zero, the "jne" skips the "movb" at 0x46458, which sets a byte flag in the object pointed to by %edi. We want the no-keyfile case to take the same path as the keyfile case, so let's patch the "jne" at 46456 into a nice "je".

Open up your HEX editor (bvi for example) and type:

g 46456
r 74
:wq!

Before typing "r 74", check that the byte under the cursor is 75 and the one after it is 09 (the displacement of the short jump to 0x46461). If it isn't, the address printed by dasm is not the file offset in your copy of the binary and you need to translate it first; writing 74 over a random byte will just corrupt the program.

So we have changed the "jne" (jump if not equal, opcode 75) into a "je" (jump if equal, opcode 74). Launch the app: no more nag box!

Conclusion

Not that much different from the other essays; finding the right function was a little tricky, but it can be done in minutes anyway. Don't use these techniques to steal software, because that will stop authors from writing new stuff. If you use it, buy it. This is for educational purposes only.
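The patch step above, done as a small script instead of by hand in the hex editor. This is an added example, not code from the essay or from ArtPaint: it hand-encodes the instruction bytes that the dasm listing implies (call rel32, add, test, jne rel8, movb, jmp rel8), refuses to write anything unless those exact bytes are found at the offset, and then flips the single opcode byte 75 -> 74. It assumes, as the essay does, that the address dasm prints equals the file offset; the sample image it builds for a dry run is constructed padding, not the real binary.

```python
"""Flip the 'jne' after the ReadKeyfile call into a 'je', after checking that
the bytes at the patch offset really are the instructions in the listing."""
import sys

# Address of the jne in the dasm listing. The essay feeds this address to bvi
# directly, i.e. it assumes address == file offset; if your copy maps .text
# elsewhere, translate the address to a file offset first (assumption).
JNE_ADDR = 0x46456
WINDOW_START = 0x4644c          # address of the call that starts the listing
JNE_IN_WINDOW = JNE_ADDR - WINDOW_START

JNE_REL8 = 0x75                 # jne/jnz rel8 opcode
JE_REL8 = 0x74                  # je/jz rel8 opcode


def rel8(next_insn: int, target: int) -> bytes:
    """Encode the one-byte signed displacement of a short jump."""
    disp = target - next_insn
    if not -128 <= disp <= 127:
        raise ValueError("target out of rel8 range")
    return disp.to_bytes(1, "little", signed=True)


def rel32(next_insn: int, target: int) -> bytes:
    """Encode the four-byte signed displacement of a near call/jump."""
    return (target - next_insn).to_bytes(4, "little", signed=True)


# Bytes of the listing, hand-encoded from the addresses dasm printed:
#   0x4644c  e8 af 28 01 00          call 0x58d00   (ReadKeyfile)
#   0x46451  83 c4 14                add  $0x14,%esp
#   0x46454  85 c0                   test %eax,%eax
#   0x46456  75 09                   jne  0x46461
#   0x46458  c6 87 14 01 00 00 01    movb $0x1,0x114(%edi)
#   0x4645f  eb 16                   jmp  0x46477
EXPECTED = (
    b"\xe8" + rel32(0x46451, 0x58d00)
    + b"\x83\xc4\x14"
    + b"\x85\xc0"
    + bytes([JNE_REL8]) + rel8(0x46458, 0x46461)
    + b"\xc6\x87\x14\x01\x00\x00\x01"
    + b"\xeb" + rel8(0x46461, 0x46477)
)


def jcc_target(image: bytes, addr: int) -> int:
    """Resolve the destination of a short (rel8) conditional jump at addr."""
    disp = int.from_bytes(image[addr + 1:addr + 2], "little", signed=True)
    return addr + 2 + disp


def matches_listing(image: bytes, jne_addr: int = JNE_ADDR) -> bool:
    """True if the bytes around jne_addr are exactly the listing's instructions."""
    start = jne_addr - JNE_IN_WINDOW
    return image[start:start + len(EXPECTED)] == EXPECTED


def patch_jne_to_je(image: bytes, jne_addr: int = JNE_ADDR) -> bytes:
    """Return a copy of image with the jne at jne_addr turned into a je.

    Only the opcode byte changes; the displacement (and so the target) stays.
    """
    if not matches_listing(image, jne_addr):
        raise ValueError(f"bytes at {jne_addr:#x} do not match the listing")
    out = bytearray(image)
    out[jne_addr] = JE_REL8
    return bytes(out)


def build_sample_image() -> bytes:
    """Constructed stand-in for the binary: NOP padding with the listing's
    bytes placed at 0x4644c. Not the real ArtPaint executable."""
    img = bytearray(b"\x90" * 0x46480)
    img[WINDOW_START:WINDOW_START + len(EXPECTED)] = EXPECTED
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Real use: python patch.py ArtPaint  -> writes ArtPaint.patched
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        patched = patch_jne_to_je(data)
        with open(sys.argv[1] + ".patched", "wb") as f:
            f.write(patched)
        print(f"patched jne at {JNE_ADDR:#x}, target {jcc_target(patched, JNE_ADDR):#x}")
    else:
        # Dry run on the constructed image
        img = build_sample_image()
        print(f"jne target: {jcc_target(img, JNE_ADDR):#x}")
        print("opcode after patch:", hex(patch_jne_to_je(img)[JNE_ADDR]))
```

Checking the whole 21-byte window rather than the single 75 byte is what makes the script safe to run against a different build: a wrong offset, or a build where the compiler laid the code out differently, fails the comparison instead of silently corrupting one byte.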