Two days ago a friend of mine (an engineer) pointed me to a nice program, very useful for engineers (especially in Italy), called 'Verifiche Periodiche IPSOA', but he had a problem... a nice nag appeared at startup...
*** ITALIAN VERSION ***
"L'applicazione è dotata di un sistema di protezione; per utilizzare il programma
occorre infatti inserire un codice di 15 cifre che identifica univocamente il computer sul quale può essere
eseguito il programma stesso. La richiesta del codice d'autorizzazione avviene tutte che le volte che si avvia
l'applicazione stessa; se non si possiede il codice occorrerà selezionare Ok senza digitare nulla nella
casella di testo Codice Autorizzazione. Viene consentito l'utilizzo del prodotto per un numero limitato di volte,
superato questo limite sarà necessario inserire il codice o uscire dall'applicazione premendo il pulsante
Chiudi.
Venuti in possesso del codice di autorizzazione mediante le procedure descritte di seguito, occorrerà digitarlo
per permettere lo sblocco dell'applicazione. Una volta compiuta tale operazione il codice non verrà più
richiesto.
Il codice può essere inserito all'atto dell'avvio dell'applicazione.
Per ottenere il codice d'autorizzazione è necessario:
- Telefonare all'ASSISTENZA CLIENTI INDICITALIA al numero 06/5196111
- Comunicare il numero di serie che viene visualizzato
- Comunicare il proprio codice cliente (ricavabile dalle fatture)
Tale operazione è necessaria solo all'atto della prima installazione. Per gli aggiornamenti non è
necessario inserire di nuovo il codice d'autorizzazione.
Il codice deve essere custodito poichè rappresenta la "Licenza d'uso"."
*** ENGLISH VERSION ***
"The application has a protection system; in fact, to use this program you need a 15
character code that uniquely identifies the computer on which the program runs. Every time you run the application
the authorization code is requested; if you don't have it, just press Ok without entering anything in the text box
named Codice Autorizzazione. You are allowed to use the program a limited number of times; once you go beyond this limit you
must enter the code or press Close.
Once you have the authorization code, which you can obtain by following the procedure described below, you have to
enter it to register the application. After that the code will never be requested again.
The code can be entered when the application starts.
To obtain the code you need to:
- Phone ASSISTENZA CLIENTI INDICITALIA, number 06/5196111
- Give the serial number that is displayed
- Give your client code
This operation is necessary only at the first installation of the program. For upgrades the authorization code is
not needed.
The code is your 'User License'."
(Sorry for my English =).
Every time I start a cracking session I first "precrack" my target (a good rule for all crackers). I open Filemon,
Regmon and VxDmon, and after that I run my target. In this case Filemon is the one we need, because this is a 16-bit
application, so no Registry and no VxD. While it runs we see the program querying the "product.inf" file on the CD and the "Mappdrv.inf" file in the Windows directory.
Mmhh. Those nice programmers are reading data from a file with a STRANGE name. Let's have a look. A huge number is there
and it looks like this:
[Profile]
824400=824400199710... (The other numbers are not in our interest and they change from one computer to another).
If we change a single digit in this file, the application reports "Checksum error" and stops. Now all
is clear. The application reads the value from MAPPDRV.INF and then compares it to some others...
OK, so start the program. It wants a 15-digit number, let's say 123456789012345. The program returns Error Code
number 4. If we omit a digit the program returns Error
Code number 6! Put a breakpoint on hmemcpy (it works fine 99% of the time) and you will find the code you entered;
just bpr it and then g(o). You'll land in VB40016.dll, in RTCMIDCHARVAR; keep g(oing) and see what happens. Yep! The memory
image is quite nice. In my memory I see:
123456789012345. ......1.......1. ......2.......2. ......3.......3. ......4.......4. ......5.......5. ......6.......6.
...(and so on till the end of the number). So the program is reproducing our code. Why? To validate it: it checks that every character is a digit. In fact, if you insert a non-numeric character you'll see the two columns stop at that character, followed by the Error Code.
If all is right, at the end of the two columns the program rewrites our code without the last two digits, which are written below it. To the left of these two digits the program writes, in the same location, all the digits one after the other.
Put a bpr on the two stand-alone digits and see what happens. The program stops at a 'REPNZ CMPSB' (see sth essay) and compares them (45) with two other digits (75 in our case). Take note and write them at the end of your code. Now the first REPNZ CMPSB check passes, and the application performs another check. I saw the comparison between 9012355 and 4290156. What does it mean? NICE programmers... They pick some digits from the code and compare them with some others:
123456789012375
....6...42901.5
They are very fanciful programmers. So our number is now 123466784290175. Press OK and Error Code
number 4 will appear again. That's natural: since we have changed some digits in the code, the last two
digits will change. Let's check. Yes, I'm right. It compares 75 with 77, and our number is now 123466784290177.
Is it cracked? Maybe. Press OK and all goes well. It seems to work fine, but when we restart the program the Insert_Your_Code_Here
nag appears again. Seven digits of our code haven't been used (1234.678). The program performs two checks
on our number, the first to make the nag appear and the second to start the program. In this case the only way
to make the program work is to trace the first check (the one for the nag). In my case the program performs
24 different types of check; some of them are meaningless, others are very useful. While checking, a
very strange comparison is made between "c:\windows\mappdrv.inf" and "ERRORE" (error :).
I think this is a way to confuse a possible cracker... At a certain point it compares NL with LI... mmhh... NL
is in our mappdrv.inf file and maybe it means Non-Licensed, and it is compared with LIcensed. OK, so let's change
NL to LI in our file and run the program. Checksum Error... this means we have to change some other values in
our mappdrv.inf file. So trace the first comparison again. In fact it compares the last two digits of the mappdrv.inf
with newer values. Just use them in the .inf file and all goes fine. CRACKED =)
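
From the defender's side, every value the essay describes (the check digits, the NL/LI flag, the two-digit file checksum) is recomputed on the user's machine and compared in the clear, so the expected value is always present in memory. The sketch below is an added example, not code from the essay or from the product: the licence record carries a vendor signature and the client holds only the public key. The toy key, the field names and the sample values are constructed assumptions.

```python
import hashlib

# Constructed toy RSA key (two Mersenne primes) so the block runs on the
# standard library alone. A real product would use a vetted crypto library,
# a properly generated key and a standard padding scheme.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key: the only part shipped
D = pow(E, -1, (P - 1) * (Q - 1))        # private key: stays at the vendor


def _digest(record: dict) -> int:
    """Hash all fields in a fixed order, so editing any field changes it."""
    canon = "\n".join(f"{k}={record[k]}" for k in sorted(record)).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big")


def vendor_sign(record: dict) -> int:
    """Vendor side only: sign the licence record with the private key."""
    return pow(_digest(record), D, N)


def client_verify(record: dict, signature: int, machine_id: str) -> bool:
    """Product side: needs only (N, E), so nothing observable in the client
    is enough to produce a signature for an edited record."""
    if record.get("machine") != machine_id:   # licence is bound to one machine
        return False
    if record.get("status") != "LI":          # same flag values the essay saw
        return False
    return pow(signature, E, N) == _digest(record)


# Constructed sample records (hypothetical field names and values).
LICENSED = {"product": "DEMO", "machine": "PC-0001", "status": "LI"}
SIG = vendor_sign(LICENSED)
UNLICENSED = {"product": "DEMO", "machine": "PC-0001", "status": "NL"}
# A record whose flag was edited locally still carries the old signature.
TAMPERED = dict(UNLICENSED, status="LI")
TAMPERED_SIG = vendor_sign(UNLICENSED)

if __name__ == "__main__":
    print("licensed record:", client_verify(LICENSED, SIG, "PC-0001"))
    print("edited flag:    ", client_verify(TAMPERED, TAMPERED_SIG, "PC-0001"))
    print("other machine:  ", client_verify(LICENSED, SIG, "PC-0002"))
```

A signature check can still be patched out of the binary, so it removes the "expected value in memory" weakness rather than making the client tamper-proof.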