| Instant removing of CrypKey (together with a lock)
Unwrapping the wrapped |
Programmer's
corner |
| 7 May 1998 | by Marigold | |
 | Courtesy of Fravia's page of reverse engineering | slightly edited
by Fravia+ |
fra_00xx
98xxxx
handle
1100
NA
PC
|
"We believe that CrypKey is the best copy protection system available,
with an approximate 2 year technological lead on the nearest
competition.
With our strong growth, world-wide acceptance and continual
enhancements, we believe that CrypKey will help keep YOU at the
forefront of technology if you choose to join our list of satisfied
customers, who include Motorola, Panasonic, SEGA, IBM, Sybase, and
Hewlett Packard to name a few." Ah ah ah! Commercial assholes! Enjoy! | |
| There is a crack, a crack in everything That's how the light gets in | |
| Rating | ( )Beginner (x)Intermediate (x)Advanced ( )Expert | |
Protection by "wrapping", "injection" and similar methods seems to be on rage nowadays.
Here is another example.
Instant removing of CrypKey (together with a lock)
Unwrapping the wrapped
Written by Marigold
CrypKey protection (by Kenonic Controls Ltd) struck me as very cracker-friendly, especially in comparison with Vbox. I would never bother to write about it, had I not received a piece of spam from the company.
You only read
this:"We believe that CrypKey is the best copy protection system available,
with an approximate 2 year technological lead on the nearest
competition.
With our strong growth, world-wide acceptance and continual
enhancements, we believe that CrypKey will help keep YOU at the
forefront of technology if you choose to join our list of satisfied
customers, who include Motorola, Panasonic, SEGA, IBM, Sybase, and
Hewlett Packard to name a few."
What a flagrant boasting! What ignorance! Hope, the crack I made will let some light into their heads (and into the heads of their satisfied customers... no wonder Motorola is there: sunset
boulevard!).
BTW, "2 year lead" places them into year 2000 and makes an ideal target
for next millenium +crackers :-)))
Our real target is CrypKey Instant 4.3.1. As with all similar protections, the protected proggy itself (the actual target of this reversing session) is irrelevant, so we'll take CrypKey Slot Machine, which is distributed as a protection demo.
Methods, with which protections of this kind are cracked, are quite standard in their own way. So, it is strongly recommended to read the relevant essays, for instance my own ones on
TimeLock and, maybe, Vbox. I rely on reader's knowledge of
PE-file structure and SoftDumping.
SoftIce - master debugger (everywhere on the Web)
+Quine's SoftDump
Hiew566 - disassembler/hexeditor (everywhere on the Web)
HTTP :Slotz.exe
or
FTP :Slotz.exe
Never heard before
Disassembly of the target gives a strong deja vu feeling: again an obviously extra section CODE with the Entry Point in it; again some trouble with imported objects.
Let's go to .idata section. Of course, it is mutilated. With close look
one can see that the first 100h bytes are removed and some crap is placed in here. (With those PE-files one have to feel not only the code, but the idata section, as well! ;-)
Well, it seems we have no choice but go to CODE section.
Never seen such a well-commented protection! For cracker not to miss the "hidden" chunk of .idata, his attention is attracted by a string "Resolve Imports". Almost immediately after it, at 41150, (all addresses are RVA) we have our 100h bytes! Of course, we
are returning them to where they belong.
Code itself begins with a loop that decrypts the next 0DCh bytes (XORing them with an openly stored mask). These bytes do the usual dirty work of license-checking, and let them do. We go to the following code:
0041FBD: 5B pop ebx ; = (4)41E53
0041FBE: 8BC3 mov eax,ebx
0041FC0: 83EB04 sub ebx,004
0041FC3: 8B0B mov ecx,[ebx]
0041FC5: 2BC1 sub eax,ecx
0041FC7: FFE0 jmp eax
For me it reads like: "Take a DWORD preceding the Entry Point and subtract it from the Entry Point address to get the real Entry Point." (41E53 - 387D3 = 9680) Do you see now why they inserted a string "EntryMarkHere" at 41E3E?
Having looked at the real Entry Point, we can instantly see that 1000(dec)=3E8h bytes here are encrypted. (We feel code +ORC's way, don't we?) Encryption is made by XORing with a pseudo-random mask, but we shouldn't bother about it: we're just waiting for the protection to decrypt code to dump then those 3E8 bytes with SoftDump to a file. (To patch them, of course, in place of encrypted crap).
I hope, you already know what to do next:
1. Cut the CODE section off the file.
In PE-header correct:
2. Number of Sections |086: 06 -> 05
3. Entry Point |0A8: 531E0400 -> 80960000
4. Image Size |0D0: 00304000->00104000 (optionally for 95, but obligatory for NT!)
5. Erase the CODE section header
Cracking in the best traditions of "virginity restoration" is done.
Any trialware, which limits number of runs, has necessarly to
mark in some way the computer to prevent "the license prolongation trick"
by simple reinstallation. As Slots issues a license only for 2 runs, it may be of practical interest to prolong it (if you failed to crack it within the legitimate trial period). CrypKey Instant marks computers differently under Windows95 and NT.
Under NT it all is simple enough. Additional NT driver start the service "CrypKey License". License information is recorded in the file esnecil.ind ("license" inverted, ah ah ah) in the system directory. This file cannot be deleted (which is our objection) or changed when the service is running (even if disabled). So, to renew your license you may:
1. Remove drivers with setup_ck /D
command, delete the file and then reinstall drivers!
; or
2. Load computer from a floppy in DOS mode and delete the file.
Under 95, when your license is expired, the program scans all directories on disk C: and writes in some of them at random 4-byte-long strangely named files with content "00 00 00 7C" (in my case). At every start, the program scans
directories in search for these files and, if at least one was found, displays message about license expiration and quits. Removing these files (I found about a dozen) improves the matter, but not decisively. Now program tells that it can't access id information on your HD, which obviously means that there is another mark somewhere. I had no patience to explore the problem to the bottom and solved it with a simple patch in cryp9516.dll.
File
offset
007A56: FF76F4 push w,[bp][-000C]
007A59: FF76F2 push w,[bp][-000E]
007A5C: 9AD071BC71 call 001:071D0
007A61: 83C404 add sp,004
007A64: 8946FC mov [bp][-0004],ax -> xor ax,ax
007A67: 0BC0 or ax,ax -> mov [bp][-0004],ax
007A69: 752B jne .0000171C6 -> or ax,ax ; to avoid nop-ing
007A6B: 837E0800 cmp w,[bp][00008],000
007A6F: 7408 je .0000171A9
Now the license is renewed automatically when expired.
Targets, protected with CrypKey, may be regged with some license code. Some other approaches to cracking in this case may exist. But, IMHO, this kind of protection is specially conceived to be totally removed from target.
I wont even bother explaining
you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.
You are deep inside Fravia's page of reverse engineering, choose your way out:
homepagelinks search_forms+ORCstudents' essaysacademy database
reality crackinghow to searchjavascript warstoolsanonymity academy cocktailsantismut CGI-scriptsmail_Fravia
Is reverse engineering legal?