OMNIPAGE PRO 11 (Recognita 6)
Have a nice day!
student
Not Assigned
20.5.2002
by macilaci
Published by Tsehp
Courtesy of Fravia's page of reverse engineering
slightly edited
by tsehp
There is a crack, a crack in everything That's how the light gets in
Rating
(X)Beginner ( )Intermediate ( )Advanced ( )Expert

"Have a nice day!" stands in the header of Omnipage.exe...


Introduction
It happened as usual: I wasn't looking specially for this kind of software, nor for this kind
of protection, but sometimes it happens. I hate these scrambled import tables and encrypted
code. It doesn't lead anywhere. It's like a revenge on the cracker (or some person who doesn't want
to buy a protection). And this sarcastic clause: "HAVE A NICE DAY!" inside the executable....
I said: Let's finally have a nice day!



Tools required
SICE, REVIRGIN, PE dumper (Procdump or so), IDA (not necessary), Info on reconstructing the import table (revirgin essays), PE format overview

Target's URL/FTP
http://www.scansoft.com

Program History
Omnipage - I don't know much about its history. Just the recent information that Scansoft bought Recognita (which was, among us, quite a good text recognizer).

Essay
Turgid words are characteristic of dilettantism. Always. Believe.
The first look at this executable told me it wouldn't be an easy task. First I saw the import table,
second was the disassembling approach. The result was that the executable is scrambled and
so is the import table. So the next step was to examine which packer or wrapper was used. Doing a
bpm 54258a x on the entry point shows some home-made protection:

0054258A                 call    sub_542647		;we start here
0054258F                 call    sub_542824
00542594                 cmp     eax, 0
00542597                 jnz     short loc_5425A0
00542599                 push    0
0054259B                 call    sub_543B25
005425A0 
005425A0 loc_5425A0:                             ; CODE XREF: Have:00542597j
005425A0                 call    ds:dword_541F49
005425A6                 test    eax, 80000000h
005425AB                 jz      short loc_5425BB
005425AD                 push    offset aCProgramFilesS ; "C:\\PROGRAM FILES\\SCANSOFT\\OMNIPAGEPRO11"...
005425B2                 call    sub_543B31
005425B7                 or      eax, eax
005425B9                 jz      short loc_542619
005425BB 
005425BB loc_5425BB:                             ; CODE XREF: Have:005425ABj
005425BB                 push    offset aCProgramFile_0 ; "C:\\PROGRAM FILES\\SCANSOFT\\OMNIPAGEPRO11"...
005425C0                 call    sub_543B31
005425C5                 or      eax, eax
005425C7                 jz      short loc_542630
005425C9                 mov     ds:dword_541CD4, eax
005425CE                 call    ds:dword_541EC7
005425D4                 mov     ds:dword_541A72, eax
005425D9                 push    0
005425DB                 call    sub_543B19
005425E0                 mov     ds:dword_541A76, eax
005425E5                 push    offset aNewsecuritypro ; "NewSecurityProc"
005425EA                 push    ds:dword_541CD4
005425F0                 call    sub_543B2B             ;some security procedures
005425F5                 cmp     eax, 0
005425F8                 jz      short loc_542630
005425FA                 push    ds:dword_541E16
00542600                 push    ds:dword_541A72
00542606                 push    offset unk_540000
0054260B                 push    ds:dword_541A76
00542611                 call    eax			;finally check license and unwrap the exe
00542613 
00542613 loc_542613:                             ; CODE XREF: Have:00542613j
00542613                 jmp     ds:off_540000          ;jump to original entry point (0x004EB405)

First I was digging inside the 542611 call but it seemed useless (some 16-bit code that I last saw
inside CDilla's Safecast).
At location 542613 the executable is completely restored and the imports
are linked. You can dump at this location. So now do ENTER, jmp eip, ENTER, ENTER and hit F5.
Run Procdump or some dumping tool (PEditor is good too) and save it to disc.
Back to winice + and restore the original jump. Keep the target running. You might
close your dumping tool and run Revirgin. Choose the appropriate task (Omnipage.exe). Revirgin comes up to
expectation with some found imports. Checking the disassembled dump you may see that the RVA (000FF000)
and Length (000020E4) values are correct, but the OEP needs to be changed to 004EB405.
Clicking on IAT Resolver we will get a demangled import table. You can now check the names
for correctness. We will now append the import table section to the dumped executable. The size of the dumped
exe is now 0x145FF0, so we will use 146000 for IT Generator.
Now fill in the fields RVA (00146000) and Length (000020E4) on the right.
Pressing the generate! button, choosing the dumped executable and a name for the import table (this is
stored as a copy), the program will now append the import table and fix the PE header (be sure you have
checked the Autofix sections + IT paste checkbox).

And we're done. You can check the executable with IDA. Imports are now ok, the protection shell
is off and we now have a nice day...
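As an added example (not part of macilaci's essay, nor code from Revirgin, Procdump or IDA), here is a small PE32 header reader that pulls out the values the essay juggles, the entry point RVA, the import directory RVA and size and the section table, and applies the triage check an analyst runs on a suspected packed binary: does the entry point land in the first code section, and does the import directory map into a real section? The sample image, its section names and RVAs are constructed here, modelled on the addresses quoted above with an assumed image base of 0x400000.

```python
import struct
IMPORT_DIR = 1  # index of the import directory in the optional header's data-directory table

def build_min_pe(entry_rva, imp_rva, imp_size, sections):
    """Constructed header-only PE32 image used as test input; it is not a runnable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew: NT headers follow
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                          # PE32 optional header + 16 dirs
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase (assumed)
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIR, imp_rva, imp_size)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), sz, va, sz, 0, 0, 0, 0, 0, 0x60000020)
                    for n, va, sz in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

def parse_pe(data):
    """Return entry point RVA, import directory RVA/size and (name, va, size) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    opt = nt + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    imp_rva, imp_size = struct.unpack_from("<II", data, opt + 96 + 8 * IMPORT_DIR)
    secs = []
    for i in range(nsect):
        name, vsize, va = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), va, vsize))
    return {"entry": entry, "import_rva": imp_rva, "import_size": imp_size, "sections": secs}

def section_of(pe, rva):
    """Name of the section whose virtual range contains rva, or None if it maps nowhere."""
    for name, va, size in pe["sections"]:
        if va <= rva < va + size:
            return name
    return None

def triage(pe):
    """Heuristics: entry point outside the first section hints at a packer stub; imports must map."""
    first = pe["sections"][0][0]
    return {"entry_outside_first_section": section_of(pe, pe["entry"]) != first,
            "imports_in_section": section_of(pe, pe["import_rva"])}
```

Run on the constructed "packed" layout the entry point resolves to the stub section, while on the layout with the OEP and an appended import section both checks come back clean.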




Final Notes
I was looking at the PE header again. And I saw irony:
"Have a nice day!"
.tsehp



Ob Duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.
