Cracked Metal, runtime dll creation
How to crack HoTMetaL Pro 4 Evaluation
student
Programmers
4 February 1998
by Fallen
Courtesy of Fravia's page of reverse engineering ~ very slightly edited
fra_00E1 ~ 980204 ~ Fallen ~ 1100 ~ PC ~ XX
Well, from what Fallen writes it seems that our protectionists friends are finally beginning to learn some (elementary) aspects of code protection, i.e. DO NOT give immediate signs that the protection has discovered that somebody is cracking it... as Fallen writes:
when I ran the program everything worked fine until I 
tried to create a new document or load an existing HTML document. 
It would THEN give me a message about a corrupted rules file
Nice! Of course even this sort of message is not necessary (if you are SURE that someone is fiddling with your code and that no poor luser is just trying to install your crappy software, that is, which you can only be sure of if you are not programming in overbloated languages, that is :-) and anyway we can easily zen-crack all these schemes nevertheless in two minutes flat, yet it's a good sort of feeling to note that at least some protectionists are listening and delivering us something more palatable (like a run-time encrypted dll-creation) than the usual boring flag_good_guy dinosaurs that still rule the earth :-(

Bravo HoTMetaL... that's the right way... only, s'il vous plaît, maybe a little better implemented next time.
Enjoy!
There is a crack, a crack in everything. That's how the light gets in.
Rating
(x)Beginner (x)Intermediate ( )Advanced ( )Expert

A very interesting protection scheme about an encrypted file used to create a DLL at runtime
Cracked Metal, runtime dll creation
Cracking HoTMetaL Pro 4 Evaluation Version
Written by Fallen


Introduction
I fully agree with Fravia+ that HTML should be written using a simple text editor. I downloaded this target solely for cracking purposes and was quite pleased with it as a target. I found the protection scheme both simple and interesting at the same time. I feel that this was one of my more fun cracks!

Tools required
SoftICE (of course.)
BoundsChecker (Not necessary, but it was helpful.)
Hex Workshop (or any other hex editor.)

Target's URL/FTP
Web Site: http://www.sq.com
FTP Site: http://ftp4.softquad.com
It took me numerous tries to get the complete application. Keep trying. I also
suggest getting the files by way of the web site. I can't remember the path to
the zip files and the FTP site will not allow access to directory lists.

Program History
I encountered HoTMetaL Lite a couple of years ago and decided to see how it had
progressed since then. I haven't much in the way of history... sorry.

Essay
I'm still new to cracking, and this is my first attempt at an essay, so 
forgive me if I seem a little bad at it.  I have cracked numerous DOS and 
Windows programs; in a lot of them I was able to locate a password in memory,
and I've done a few Nag screen/Time Trial schemes also.  
This one, however, I found very interesting, and fun!

PART 1: 
When you first run HoTMetaL Pro you will see a message box saying 
something about file date inconsistencies. After this there will be 
a Dialog Box that will not allow you to close it for an agonizing 
amount of time. Then it will run the program.

Well, first let's find out where this NAG screen comes from.  
Once the OK button became enabled I popped into S-ICE and checked 
the window handle list.  
I placed a breakpoint on that handle for the message WM_DESTROY:

BMSG Handle_you_ll_get_on_your_own_machine WM_DESTROY

Now get back out of S-ICE and hit the OK button. 
You should pop into S-ICE somewhere in USER, if I remember right. Now 
disable the breakpoints and press F12 a few times until you end up 
in a DLL whose name begins with EFY????, where the four question 
marks represent four numbers. This is where our protection scheme 
lies, but don't get excited, it's not that simple.
 
The first time I tried to crack this, I removed the call to this 
DLL and eliminated the Time Protection, Nag Screen and a MessageBox 
that pops up about file date inconsistencies all at once. 
However, when I ran the program everything worked fine until I 
tried to create a new document or load an existing HTML document. 
It would then give me a message about a corrupted rules file. 
So back to the cracking board.
 
If you search your hard drive for a matching DLL you will find that it 
exists in the system temp directory, usually C:\WINDOWS\TEMP, and that 
the four numbers at the end change every time you run the program. 

Hmmm... this could be a problem, nah not really.
 
I came to the obvious conclusion that this DLL was created by HMPRO4.EXE 
every time the program was run. Now to figure out how to alter the code 
it writes. For this I used BoundsChecker to find out how it creates the 
file. I tried using SmartCheck at first but for some reason it would 
crash every time I tried to run it in SmartCheck, so I used BoundsChecker.
 
I loaded it up in BoundsChecker and watched for the function CreateFile. 
I'm not going to get specific about BoundsChecker, but I found the portion 
of code where it created the DLL and looked above that for the ReadFile 
function. 
I found that it loaded its information from a file named ASDFLKJH.IUY. This 
is disguised to look like a temporary file, but it's not.

After examining this file you will see that it is the DLL in an 
encrypted format.
So our problem lies here. How do we decrypt it, crack it, and re-encrypt 
it? No need, a simpler way exists.
 
The method I used to locate these functions in SoftICE may seem 
lengthy, but I wasn't having any luck using the addresses I retrieved 
from BoundsChecker. 
The first thing I did was set a breakpoint on LoadLibrary. I could see 
from my BoundsChecker listing that this was the first DLL that HMPRO4.EXE 
loads, so of course we need to break on the first LoadLibrary and look at 
the code above it to see what we need.  

This is what I ended up with:

:00422A37 push 006309C8 - This address holds the name of the DLL to load

* Reference To: KERNEL32.LoadLibraryA, Ord:0021h
            |     
:00422A3C Call dword ptr cs:[0065032C] - and of course this loads it.
 
If you look up from this segment of code you will see this:

* StringData Ref from Data Obj ->"asdflkjh.iuy"  - This is the name 
                                                   of the encrypted DLL.
            | 
:00422A0F mov edx, 005D537C     - The address of the encrypted DLL filename.
...                             - Unimportant code. - Removed
:00422A27 call 004227E8         - This call is shown below; it creates the 
                                  new DLL file.

The call from above ^:
:004227E8                       - Code to open the encrypted DLL, 
                                  read it into memory and then 
                                  close the handle.

:004228CE call 00411520         - This call decrypts the file! 
                                  This is what we need to eliminate for this crack.

Code to write the 
un-encrypted DLL to a file.     - Removed

The point of the above section of the essay is to allow us to work with 
an unencrypted protection DLL. How? you may ask! Well, here's how we do it:

1. Run HoTMetaL Pro and let the Dialog Box pop up.
2. Make a copy of the efy????.dll file from your windows\temp directory 
   and place it in your HoTMetaL Pro directory.
3. Rename it to the encrypted DLL file name, ASDFLKJH.IUY.
4. Now patch HMPRO4.EXE at address 004228CE to eliminate the call that 
   decrypts the DLL. You choose your own method.

Well, I believe the point of this is self evident. 
We can now work on the file ASDFLKJH.IUY as a plain DLL and patch it accordingly.  
Since all of the protection scheme (i.e. the messagebox about file date 
inconsistencies, Nag screen, and time protection) exists in ASDFLKJH.IUY,
that will be the target of the remainder of this essay.
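The scheme just described (encrypted file on disk, decrypt at runtime, write the plaintext module to TEMP, load it) can be modelled in a few lines to show why the two weak points the essay exploits matter: the plaintext lands on disk, and the only thing the loader checks before using an image is that it looks like a PE file. The code below is an added illustration, not HoTMetaL's code; the "DLL" is constructed bytes, the XOR stream is a stand-in for the unknown routine at 00411520, and the digest check in the second loader is an added mitigation that the original program does not have.

```python
import hashlib

# Constructed sample data. The fake "DLL" is just bytes with a PE 'MZ' stamp,
# and the XOR stream stands in for the real (unknown) decrypt routine.
PLAIN_DLL = (b"MZ" + b"fake protection module: file-date msgbox, nag, time check").ljust(64, b"\0")
KEY = b"\x5a\xa3\x17\xc0"
TEMP_DIR = {}  # stands in for C:\WINDOWS\TEMP, where the plaintext copy lands

def xor_stream(data: bytes, key: bytes) -> bytes:
    """Toy symmetric transform: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def naive_loader(blob: bytes, decrypt: bool = True) -> bytes:
    """Models the scheme in the essay: decrypt ASDFLKJH.IUY, write the result to
    TEMP as efy????.dll, then load it. decrypt=False models the removed call at
    004228CE, after which the blob is used exactly as read from disk."""
    module = xor_stream(blob, KEY) if decrypt else blob
    if module[:2] != b"MZ":
        raise ValueError("not a PE image")
    TEMP_DIR["efy0001.dll"] = module   # plaintext copy, readable by anyone
    return module                       # what LoadLibrary would receive

# Digest of the genuine image, fixed at build time (added mitigation, hypothetical).
EXPECTED_DIGEST = hashlib.sha256(PLAIN_DLL).hexdigest()

def verifying_loader(blob: bytes, decrypt: bool = True) -> bytes:
    """Same flow, but the decrypted image must match the build-time digest
    before it is used, so an edited module is refused instead of loaded."""
    module = xor_stream(blob, KEY) if decrypt else blob
    if hashlib.sha256(module).hexdigest() != EXPECTED_DIGEST:
        raise ValueError("module digest mismatch: image was altered")
    return module

def tampered_copy(module: bytes) -> bytes:
    """One byte changed past the header; stands in for any edit to the module."""
    edited = bytearray(module)
    edited[40] ^= 0xFF
    return bytes(edited)

if __name__ == "__main__":
    encrypted = xor_stream(PLAIN_DLL, KEY)
    naive_loader(encrypted)                      # plaintext now sits in TEMP_DIR
    leaked = TEMP_DIR["efy0001.dll"]
    naive_loader(tampered_copy(leaked), decrypt=False)   # accepted: only 'MZ' is checked
    try:
        verifying_loader(tampered_copy(leaked), decrypt=False)
    except ValueError as e:
        print("rejected:", e)
```

The digest check only raises the bar: it lives in the same executable and can be removed exactly like the call at 004228CE, and it does nothing about the plaintext copy in TEMP, which is the real design flaw.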

Part 2 
The remainder of this crack is very simple.  
My first trip through, I patched the file ASDFLKJH.IUY in two places, 
once to eliminate the message box and Dialog Box, and another
to eliminate the time protection.  

However, while writing this essay, I found that if you apply the following 
patch, it eliminates both.
If you patch the time check call with this code:

:01D91BC6 XOR EAX,EAX
:01D91BC8 RET

It will prevent the program from exiting after March 1, 1998 and will 
also eliminate the messagebox and DialogBox Nag screens.


Final Notes
I found this program a lot of fun to crack and also learned something very useful during the process of writing this essay. I re-installed the software and as I went through the cracking process, I entered my steps into the essay without applying the patches to the executable. During this process I was able to eliminate one of the patches as I mentioned above.

MORAL: Document your cracks and you may learn an easier or more efficient way to crack them. This can also be useful, later, if you happen to find something interesting for the +HCU, btw.
Also, pay attention to the code and you'll see a lot of things you may miss if you don't!

Ob Duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.
