by flipper, 1 January 1998
I don't need to present you neither flipper (one of the best +HCU's contributors and friends) nor this essay, since flipper's approach is outstanding clear. Just read on.
Written by Flipper (upg) on December 30th, 1997.
An understanding of how to create a dead listing of a program is required, as well as a basic understanding of procedure calling.
Hackers View v5.66
Of course, you may choose any tools you like to complete the job :-)
Knowing that there had to be some kind of date check, I figured why not crack that directly; That would most likely prevent all of my discovered serial numbers from being blacklisted, right?
Seattle Labs likes to make money just like anyone else writing software, so they started using a new protection scheme as of v2.5. Many serial number 'addicts' cried for a new number that would let their precious software run, but alas.. none have surfaced -- the company's investment saved. But wait! Lo and behold, there is another method which I'll show you that involves nothing more than a basic understanding of how any procedure stores and returns a value in register EAX.
H
E
E
S
S
A
Y
It's in your windows system directory. Don't worry, it's just a control panel applet. It is no different than a normal executable file except it uses CONTROL.EXE as a stub to perform configuration tasks at a system level. Why start with the control panel applet you ask? Because you'll find the method of protection almost instantly. Beginners may need to poke around the code a little before figuring out which jumps to follow, but seasoned crackers will almost immediately see the patch right before their very eyes.
Now, we need to search for a string, preferrably one that puts us right after the protection call. Think logically for a second, (make a chart if you have to) and observe your target. Set the date ahead one year, what happens? Since I've already done all the hard work for you, I'll give you the steps I used to figure out what string to choose.
Set clock ahead one year. Applet still loads, but it says "There are too many lists..." Clearly a violation of the license agreement for our trial period.
Click on the "tab" that shows the registration information. Still says it's in DEMO mode, but at the bottom there's a new message that reads "This version of SlMail expired on..." Well, what did it say before? "This version of SlMail will expire on..."
Clearly, if the program still thinks it's in the demo period, it will run forever. We must search for the string that is displayed on the registration screen, at the bottom, before our trial period is up.
~ Search for "This program will expire on %A, %B %d, %Y"
Use dasm's built in String Reference list to find it, or search for it by hand using CTRL+F. You'll find it at 010B6099.
Look above this string reference for a minute, and gaze deeply into the code.. see anything yet? If you missed it, here's a complete browsable listing of the procedure and the important calls it makes.
Please note that the assembly listing shown has the starting address where the code begins, and the actual commands below without line numbers or file offsets.
* Referenced by a CALL at Addresses:010B4DED, :010B52FD | :010B6040 push FFFFFFFF push 010F9B78 mov eax, dword ptr fs:[00000000] push eax mov dword ptr fs:[00000000], esp sub esp, 00000008 push esi mov esi, ecx push edi lea ecx, dword ptr [esp+08] call 010E3375 mov eax, dword ptr [esi+00000140] lea edi, dword ptr [esi+00000140] test eax, eax mov [esp+18], 00000000 je 010B611F push ecx mov eax, esp mov dword ptr [esp+10], esp push eax call 010DE6E3 mov ecx, edi call 010B6350 ; call the check procedure and return a value in EAX. test eax, eax ; an otherwise good protection given away in one line! je 010B60DC * "This program will expire on %A, %B %d, %Y" | push 0000073A lea ecx, dword ptr [esp+0C] call 010E3A1D mov ecx, dword ptr [esp+08] lea edx, dword ptr [esp+0C] push ecx push edx mov ecx, edi call 010DE6F6 push eax lea ecx, dword ptr [esi+00000128] mov [esp+1C], 01 call 010E35B9 lea ecx, dword ptr [esp+0C] mov [esp+18], 00 call 010E34C0 jmp 010B61BC * Referenced by a CALL at Addresses: |:010B49AD, :010B4B17, :010B4B7F, :010B4BE7, :010B4C4F |:010B576D, :010B5852, :010B58DA, :010B5962, :010B59EA |:010B6090 | :010B6350 mov ecx, dword ptr [ecx] mov edx, dword ptr [esp+04] xor eax, eax ; set EAX to 0. How quaint. cmp ecx, edx setg al ret 0004Right before the jump that decides whether or not we're still in the demo period there is a call to a procedure that assigns some values to ECX and EDX. In that same procedure, EAX is set back to 0 with the command 'XOR EAX, EAX'. When the procedure returns there is a 'TEST EAX, EAX' which is testing the zero flag of EAX. Jump if Equal (JE) to 0 right into the code which tells us the program has expired.
A simple deduction can now be made. If EAX is not equal to zero when the procedure returns, the program has expired. At this point, I'm not going to bother exploring the workings of the code, I'll leave that as an exercise for the reader.
Patching SLMAIL.CPL
Load up SLMAIL.CPL with Hackers View (you'll soon see why I settle for nothing less than this extraordinary hex editor).
+-- how to convert dead list addresses for use with 'hiew' --+ | | | find the address you want in the dead listing. let's say | | it's 010B6356. All you have to do is change the first 3 | | digits to zeros, and add a period in front of the number. | | | | examples | | | | 010B6356 becomes .000B6356 00408BF1 becomes .00008BF1 | | | +------------------------------------------------------------+Press F5, type in .000B6356 and press enter. You'll soon find yourself at the proper location with the cursor positioned over the bytes 33 C0.
Press F3 and type right over top of those bytes either one of these two possibilities. Since we don't want EAX to ever equal 0, the XOR statement must be replaced by code that does not affect the status of EAX. Two NOPs will do the trick, but I like the INC EAX/DEC EAX approach. They both have no effect on EAX.
1. 90 (NOP) 2. 40 (INC EAX)
90 (NOP) 48 (DEC EAX)
~ Dead List SLMAIL.EXESame deal, only this time we know what the protection code will most likely have the same TEST EAX, EAX instruction somewhere after a license violation messagebox.
Set clock ahead one year. Program still loads, but it says "Registration check has failed." Clearly a violation of the license agreement for our trial period once again.
Same old trick as before, if the program thinks it's in the demo period, it will run forever. We must search for the string that is displayed upon loading the program after the demo period has expired.
~ Search for "Registration check has failed."
Below is a listing of the code, with all important calls linked so you can follow the path of execution. Once again I'll be showing the quickest route to the protection code. When cracking, it's always a good idea to 'trace' through an important procedure/function call just to make sure you haven't missed anything. In this case, it paid off.
:0041F057
"SLMail Control Panel"
|
mov ebp, 00000001
push esi
push edx
mov dword ptr [esp+24], ebp
call 0041EB80
mov ecx, dword ptr [esp+24]
add esp, 0000000C
test ecx, ecx
mov dword ptr [0045B594], eax
jne 0041F08C
mov eax, dword ptr [0045B5E0]
push edi
push esi
* "Registration check has failed."
|
push 00001459
push eax
* USER32.LoadStringA
|
Call dword ptr [0045D6FC]
jmp 0041F0B2
* Referenced by a CALL at Address:0041F062
|
:0041EB80
call 00420C10
mov ecx, dword ptr [esp+04]
mov dword ptr [ecx], eax
* Referenced by a CALL at Addresses:0041EB80 , :0042D98E
|
:00420C10
sub esp, 00000020
lea eax, dword ptr [esp]
lea ecx, dword ptr [esp+10]
push eax
push ecx
call 004211A0
add esp, 00000008
test eax, eax
je 00420C44
lea edx, dword ptr [esp]
lea eax, dword ptr [esp+10]
push edx
push eax
call 00420BA0
add esp, 00000008
neg eax
sbb eax, eax
inc eax
add esp, 00000020
ret
* Referenced by a CALL at Address:00420C1D
|
:004211A0
sub esp, 0000003C
>> large ammount of code removed to save space.
call 00438060
add esp, 00000030
test eax, eax
jne 0042131D
* Referenced by a Jump at Address:0042121E(C)
|
:0042131D
mov eax, dword ptr [esp+50]
>> large amount of code removed to save space.
cmp word ptr [eax+06], 0000
jne 0042136B
xor eax, eax ; set EAX to 0. What a surprise.
pop edi
pop esi
pop ebp
pop ebx
add esp, 0000003C
ret
What do we have here? Before the message box there is a call
that takes us deep into the code.. but if we trace through the clutter and
spend a little time organizing our thoughts, we'll soon see the jump
to the final block of code where EAX is set back to zero. Since we don't
want EAX equalling zero (thus bypassing the license violation) after the
demo period has expired, we'll use the same technique as described above.
Patching SLMAIL.EXE
Load up SLMAIL.EXE with Hackers View. Press F5, type in .00021361 and press enter. You'll soon find yourself at the proper location with the cursor positioned over the bytes 33 C0.
Press F3 and type right over top of those bytes either one of these two possibilities. Since we don't want EAX to ever equal 0, the XOR statement must be replaced by code that does not affect the status of EAX. Two NOPs will do the trick, but I like the INC EAX/DEC EAX approach. They both have no effect on EAX.
1. 90 (NOP) 2. 40 (INC EAX)
90 (NOP) 48 (DEC EAX)
That's as far as we have to go with SlMail. The control panel applet
will never expire (thus allowing you to manage the user database without
the restrictions imposed by the demo version), and the main program will
never expire allowing you to actually process the mail. A pair of nice
byte patches for a well written program.
Before I finish up this essay, I just wanted to say a few words to all newbie crackers who tried to crack SlMail and just couldn't find the right code fragment, etc. Don't be discouraged. Cracking takes time, and as we all learn to break more and more complex protections, the more challenging the good non-commercial protection schemes get. Protectors (slowly) learn too. I can remember a time when most computer users either had an Atari or a C64, and a program by the name of GEOS was being shown off as the 'windows' clone of the decade. What Micro$oft had stolen from Xerox and IBM, Berkely Softworks decided a Commodore port was in order. Using such tricks as half-tracking and physical disk sector density checks, no one was able to copy this widely used desktop application. Time passed, and finally a cracker broke the protection (which was by now used on _every_ major C64 game at the time, about a year later) and many software companies went under, due to the fact that all of their software was now being pilfered over QuantumLink and Compuserve. The golden age of cracking died out long before IBMs took over the corner of your office cubicle, but it has now returned like never before. Thanks to +ORC and his students you too can learn to defeat the latest and greatest protections -- and that my friends, is just the beginning of a new golden era in cracking.
(c) flipper (upg) 12/30/97 All rights reversed.
homepage
links
anonymity
+ORC
students' essays
academy database
tools
cocktails
antismut CGI-scripts
search_forms
mail_Fravia
Is reverse engineering legal?