Cracking MicroCal Origin 5.0 in 3 Simple Ways
 -MML- 3 May 1998
Introduction and Short History
Microcal Origin is an excellent program for scientific and technical graphics. This program has a great importance for me because in 1991 it was my first Windows target. My friend Dema ordered it via snail mail and we got a demo disk which contained a crippled version of this program, version 1.0 (no saving + time limit). It was by reversing this program that I first came to know that some programs contained each and every routine (e.g. save in this case) BUT disabled. So it is a matter of common sense to uncripple it. This program has the following features which I liked:

1. Best available numerical analysis and curve fitting toolbox.
2. 101 times better than Micro$oft EXCEL.
3. Plots Each and Every type of Scientific and technical graphs.

Given below is the statement from Microcal :

" OriginTM a technical graphics and data analysis software package designed for Microsoft Windows. First released in 1991, Origin is used by tens of thousands of scientists, engineers, and Fortune 500 Companies, as well as hundreds of universities worldwide.
Our software provides a powerful combination of spreadsheet, visualization, and analysis features. With Origin you can automate common routines, analyze large amounts of data, and create spectacular graphics. Whether you're an academic scientist, a pharmaceutical researcher, or an automotive engineer, you'll find Origin both fast and intuitive. Origin's flexible interface adjusts to fit your needs."

Some comments by various agencies :

"[Origin 5.0] establishes itself as the performance leader in graphing technology....Origin out performs its competitors  significantly...."
National Software Testing Laboratories Report, December 1997
"...Origin's stronger mathematical underpinnings and powerful scripting language will make it the preferred choice for many technical users."
PC Magazine, January 20, 1998
"Origin 5.0 is a rare software package that provides sophisticated data analysis and technical graphics tools in an intuitive, user-friendly environment....there is absolutely no better choice than Origin 5.0 for Windows."
HMS Beagle Magazine, November 14, 1997
"Origin 5.0 is one of the finest analytical graphics packages for Windows....I particularly liked how Origin works with Microsoft Excel, allowing me to directly open an Excel worksheet from within Origin...."
InfoWorld Magazine, October 27, 1997

So it's a very good program; the question is: why does every dog use Excel instead? Because Micro$oft dominates the market and, no matter how good the competition is, they will always sell their crap... that is, unless some good +reversers show the truth behind the curtains...

Target URL
Tools Required
Method 1 : Brain.

Method 2 : W32dsm89 : Windows disassembler.
           Any hex editor
           TS : Text search, Norton Utilities for DOS
           SoftICE 3.2 : Not required, but helpful for deeper understanding.

Download the fully working demo program from the site listed above. Download any update patches; they may be helpful in future. Install the demo. Run Origin and WOW, a nag appears: "Thank you ..... ". Use the program and quit it. Another nag appears: "Thank you ...." and "This demo will expire in 15x hrs.".

So it's a time limit protection. Now let's move to the methods:

Method 1
We used this method in 1980s.

Run the program, quit it and note the hrs remaining. Change the date on your computer to the next day. Run the program again and quit it ......... and OH, the number of hrs remaining HAS DECREASED. Change the date to one or two days before and the hrs will increase.

Moral :
(The Price + Complex nature of a software)
                                                           ( The stupidity of its protection Scheme)

Method 2
Various steps :

Check the number of dlls and exe : 17 LARGE dlls and 1 EXE.

Run TS in the Origin directory and search for "Demo"; in 20 sec the program will report its occurrence inside OK50.DLL and ORIGIN50.EXE. (I love the fast nature of TS.)

So we are shortlisted to 2 files. Run W32dasm89 and disassemble the two files.

First we take Origin50.exe. Search for "Thank you" in the disassembly window and we get the code for the first nag:

:00403820 64A100000000            mov eax, dword ptr fs:[00000000]
:00403826 55                      push ebp
:00403827 8BEC                    mov ebp, esp
:00403829 6AFF                    push FFFFFFFF
:0040382B 680F394000              push 0040390F
:00403830 50                      push eax
:00403831 64892500000000          mov dword ptr fs:[00000000], esp
:00403838 83EC04                  sub esp, 00000004
:0040383B 837D0800                cmp dword ptr [ebp+08], 00000000   ; Some kind of switch check.
:0040383F 53                      push ebx
:00403840 56                      push esi
:00403841 743B                    je 0040387E
:00403843 8D4DF0                  lea ecx, dword ptr [ebp-10]

* Reference To: MFC40.MFC40:NoName0159, Ord:01E6h
:00403846 E8991C0000              Call 004054E4

* Possible Ref to Menu: MenuID_000A, Item: "Status Bar"

* Reference to String Resource ID=59393: "Thank you for using this demo version of Origin..."
:0040384B 6801E80000              push 0000E801
:00403850 8D4DF0                  lea ecx, dword ptr [ebp-10]
:00403853 C745FC00000000          mov [ebp-04], 00000000

* Reference To: MFC40.MFC40:NoName0073, Ord:0E48h             ; I am sick of these nonames from Micro$oft
:0040385A E8DD210000              Call 00405A3C
:0040385F 6A00                    push 00000000
:00403861 8B45F0                  mov eax, dword ptr [ebp-10]

* Possible StringData Ref from Data Obj ->"Demo"
:00403864 68B0954000              push 004095B0
:00403869 50                      push eax
:0040386A 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:0188h
:0040386C FF157CB14000            Call dword ptr [0040B17C]
:00403872 C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF
:00403879 E852000000              call 004038D0

* Referenced by a Jump at Address:00403841(C)
:0040387E 6A74                    push 00000074

The code is self-explanatory. In order to kill the first nag the switch at 0040383Bh may be hardcoded by 74 -> EB.

Now load the OK50.dll file :

Search for 'Thank you' again and you will get:

* Referenced by a CALL at Addresses: 100780C5 , :100796B4 , :1008F001
:10096CC0 64A100000000            mov eax, dword ptr fs:[00000000]
:10096CC6 55                      push ebp

--------------Cut Cut Cut -----------------------------------------------

* Referenced by a Jump at Address:10096C98(C)
:10096D06 C645FC02                mov [ebp-04], 02

* Reference To: MFC40.MFC40:NoName0020, Ord:0E48h
:10096D0A E861D80500              Call 100F4570
:10096D0F E8BC000000              call 10096DD0 ; Time Check routine
:10096D14 85C0                    test eax, eax
:10096D16 740F                    je 10096D27

* Reference to String Resource ID=09153: "Thank you for trying the demo version of Origin 5.0.This demo has expired"
:10096D18 68C1230000              push 000023C1
:10096D1D 8D4DF0                  lea ecx, dword ptr [ebp-10]

* Reference To: MFC40.MFC40:NoName0020, Ord:0E48h
:10096D20 E84BD80500              Call 100F4570
:10096D25 EB30                    jmp 10096D57

* Referenced by a Jump at Address:10096D16(C)

* Reference to String Resource ID=09152: "Thank you for trying the demo version of Origin 5.0.This demo will expire in x hrs"
:10096D27 68C0230000              push 000023C0
:10096D2C 8D4DEC                  lea ecx, dword ptr [ebp-14]

--------------Cut Cut Cut -----------------------------------------------

:10096D97 B801000000              mov eax, 00000001
:10096D9C 8B4DF4                  mov ecx, dword ptr [ebp-0C]
:10096D9F 64890D00000000          mov dword ptr fs:[00000000], ecx
:10096DA6 8BE5                    mov esp, ebp
:10096DA8 5D                      pop ebp
:10096DA9 C3                      ret

This routine actually produces the nag when quitting. We will explore the time check routine after this. To disable this nag, what I did was, at address 10096CC0h: MOV EAX,1

And the nag, along with a useless routine, was removed. The time check routine is called from many locations (observation by execution in SoftICE). It is listed below with comments:

:10096DF0 83EC04                  sub esp, 00000004
:10096DF3 833D2885121000          cmp dword ptr [10128528], 00000000 ;Date/Time stamp from origin50.ini already decrypted ?
:10096DFA 7414                    je 10096E10 ; Yes
:10096DFC E85F000000              call 10096E60 ; Read and Decrypt date time
:10096E01 C7052885121000000000    mov dword ptr [10128528], 00000000 ; Toggle switch
:10096E0B A324851210              mov dword ptr [10128524], eax

* Referenced by a Jump at Address:10096DFA(C)
:10096E10 8D442400                lea eax, dword ptr [esp]
:10096E14 50                      push eax

* Reference To: MSVCRT40.time, Ord:0466h                 ;obtain system time
:10096E15 FF15C4DF1210            Call dword ptr [1012DFC4]
:10096E1B 8B542404                mov edx, dword ptr [esp+04]
:10096E1F 83C404                  add esp, 00000004
:10096E22 8B0D24851210            mov ecx, dword ptr [10128524]
:10096E28 51                      push ecx
:10096E29 52                      push edx

* Reference To: MSVCRT40.difftime, Ord:03DDh  ; Calculate difference
:10096E2A FF15C0DF1210            Call dword ptr [1012DFC0]
:10096E30 DC0DF0990F10            fmul qword ptr [100F99F0]
:10096E36 83C408                  add esp, 00000008

* Reference To: MSVCRT40._ftol, Ord:028Fh  ; Convert from float to long
:10096E39 E8B2D00500              Call 100F3EF0
:10096E3E 85C0                    test eax, eax       ; Check to see if within range
:10096E40 7D09                    jge 10096E4B
:10096E42 B8FFFFFFFF              mov eax, FFFFFFFF     ;Expired
:10096E47 83C404                  add esp, 00000004
:10096E4A C3                      ret
:10096E4B B9C0000000              mov ecx, 000000C0 ;OK
:10096E50 83C404                  add esp, 00000004
:10096E53 2BC8                    sub ecx, eax
:10096E55 8BC1                    mov eax, ecx
:10096E57 C3                      ret
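
The weakness Method 1 exposes and the time-check listing above, modelled in C as an added example (not code from Origin or from the original essay): the first function mirrors the listing's logic, the second shows how a persisted high-water mark makes a clock rollback restore no hours. The struct, the function names, the slack value and the reading of the constant at 100F99F0 as a seconds-to-hours factor are assumptions.

```c
#include <stdio.h>
#include <time.h>

#define TRIAL_HOURS    192L  /* 0xC0, the value loaded at 10096E4B */
#define ROLLBACK_SLACK 300.0 /* assumed tolerance, in seconds, for clock corrections */

/* The check as the listing reads it. Assumption: the multiplier at 100F99F0
   converts seconds to hours (written as a division here). */
long naive_hours_left(time_t stamp, time_t now)
{
    long elapsed = (long)(difftime(now, stamp) / 3600.0);
    if (elapsed < 0)
        return -1;                 /* clock is before the stamp: expired */
    return TRIAL_HOURS - elapsed;  /* trusts whatever the clock says */
}

/* Hypothetical state a hardened check would persist next to the stamp. */
struct trial_state {
    time_t stamp;       /* first-run time */
    time_t last_seen;   /* highest clock value observed so far */
    int    rolled_back; /* set when the clock is seen running backwards */
};

long hardened_hours_left(struct trial_state *st, time_t now)
{
    if (difftime(st->last_seen, now) > ROLLBACK_SLACK)
        st->rolled_back = 1;       /* signal for the caller to act on */
    if (difftime(now, st->last_seen) > 0)
        st->last_seen = now;       /* advance the high-water mark only */
    /* Elapsed time is measured to the high-water mark, not the raw clock. */
    long elapsed = (long)(difftime(st->last_seen, st->stamp) / 3600.0);
    return elapsed < 0 ? -1 : TRIAL_HOURS - elapsed;
}

int main(void)
{
    time_t stamp = 1000000;        /* constructed install time */
    struct trial_state st = { stamp, stamp, 0 };
    time_t day2 = stamp + 40 * 3600, back = stamp + 10 * 3600;
    printf("naive:    %ld then %ld\n", naive_hours_left(stamp, day2),
           naive_hours_left(stamp, back));
    long h1 = hardened_hours_left(&st, day2);
    long h2 = hardened_hours_left(&st, back);
    printf("hardened: %ld then %ld (rolled_back=%d)\n", h1, h2, st.rolled_back);
    return 0;
}
```

The high-water mark only helps if it is stored with the same integrity protection as the stamp itself.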

Method 3 and Final Notes

Well, this program has got some kind of mechanism to register itself. This is quite interesting in itself and purposely left as an exercise to the reader.

This is one of my various Essays on Reversing Engineering Software. I don't always have much time to write these essays, so I cannot say when the other ones will appear.

You can contact me via :

Finally as per Reverser and me also (our "ob duh", which is NOT a formality: we believe in it!):
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.
