Keyfiles: Monitor/RA v1.80 and the 'hidden protection' idea
Written by MisterE
31 July 1998
Cortesy of Fravia's page of reverse engineering

Well this is a very simple, yet interesting essay about the reconstruction of a needed keyfile. Of course there are hundred different ways to crack this target (nopping the evil compares, reversing jumps, etcetera), yet the correct cracking technique, when dealing with keyfile protections, is exactly this one: reconstructing the missing file... just in case.
The target is moreover an interesting tool per se

Shareware programmers should deal with these problems implementing random checks (say once every four or five days or once every ten runs of their program) that trigger - not immediately! - a COMPLETELY UNRELATED "real" protection scheme if the code has been patched or if the keyfile is corrupted or, simply enough and VERY effective, if softice and wdasm are on the same harddisk as the target :-)
Best choice is - as usual - an auto-crippling scheme and an automated email once on line (this scares the hell out of a newbie :-)
No strings in this part of the protection: everything should be build dynamically ONLY IF THE SCHEME HAS BEEN TRIGGERED. Crackers that have found strings in the 'smoke' protection part will judge the shareware author a moron and won't usually (unless they zen the code) seek dynamically created strings elsewhere.


Keyfiles: Monitor/RA v1.80 - *THE* monitoring tool
Written by MisterE
31 July 1998
.----------------------------------------------------------------------------------------------.
|                                          INTRODUCTION                                    |
`----------------------------------------------------------------------------------------------'

Someone asked me to crack this program. That is nothing special. I opened the program and 
started to search for a registration box. But I couldn't find one!! Huh, is this a crippleware 
program? Nope. When I checked the monitor.wri it said the program needed a KEYFILE!! Wow, this 
IS cool. I had never cracked such a program before. There aren't many tutorial about KEYFILES 
so I decided to write one (you're reading it). 
This is my story about how the crack Monitor/RA v1.80 - *THE* monitoring tool.
Hope you enjoy it.

.----------------------------------------------------------------------------------------------.
|                                             PROGRAMS                                      |
`----------------------------------------------------------------------------------------------'

Programs I have used:

- SoftIce V3.2
- W32dasm V8.9
- Hex Workshop Version 2.5
- Monitor/RA v1.80 (http://www.envytech.co.uk/monitorra.html)


.----------------------------------------------------------------------------------------------.
|                                     Getting the right name                           |
`----------------------------------------------------------------------------------------------'

OK, we know the program needs a keyfile. The first thing to do is ofcourse search for the 
filename of the keyfile. Open w32dasm and click on Refs - String Data References. Look for a 
filename. You should notice the monitor.key. Well I say this is the right file. Let's check it.
In the same directory as monitor.exe perform this copy command:

Copy monitor.txt monitor.key

Start Monitor.exe and the programs say the keyfile isn't an Envy Technologies keyfile.
Well, they are right about that. Our keyfile isn't from Envy Technologies YET. Let's change that.

.----------------------------------------------------------------------------------------------.
|                        Getting an Envy Technologies keyfile                     |
`----------------------------------------------------------------------------------------------'

We are going to use softice now. When do we want SoftIce to stop the program?. I would say when
it wants to read the file. Well, there are several API's for this. Here they are:

 for 16-bit win apps:

GetPrivateProfileString
GetPrivateProfileInt
WritePrivateProfileString
WritePrivateProfileInt

  for 32-bit win apps:


CreateFileA
GetPrivateProfileStringA
GetPrivateProfileIntA
WritePrivateProfileStringA   
WritePrivateProfileIntA
ReadFile


Let's try the ReadFile first. Enter the breakpoint in Softice and start Monitor.exe.
BLAM, kicked back into SoftIce. Trace (F11 one time then F12 one time) till you get here:

:00452354 A1D4564500              mov eax, dword ptr [004556D4]  ;; import from our keyfile
:00452359 E8123AFBFF              call 00405D70
:0045235E 8BC3                    mov eax, ebx
:00452360 BA80244500              mov edx, 00452480             
:00452365 33C9                    xor ecx, ecx
:00452367 8A08                    mov cl, byte ptr [eax]
:00452369 41                      inc ecx
:0045236A E82D05FBFF              call 0040289C
:0045236F 7509                    jne 0045237A
:00452371 83BB9600000000          cmp dword ptr [ebx+00000096], 00000000
:00452378 750F                    jne 00452389

If you type 'd eax' at 452354, you'll see a part of our KEYFILE. Well, you can't deny: our 
keyfile is a mess. Get out of SoftIce and open our keyfile with notepad and remove some lines, 
I removed all lines but the 1st one. Now we can go on. Start monitor.exe again and trace until
you get at 452354. The call at 452359 isn't important. If you don't believe me, check it out 
yourself by tracing through it. Place a breakpoint at 45235E. Continue till you get at there.
Hmm, that compare at 45236F might be important, place a breakpoint here and continue.
BUT you never get at the compare, you get the 'wrong keyfile' error, then something must go 
wrong in the call function at 45236A. So let's check out this call. Here is our call:

:0040289C 53                      push ebx
:0040289D 56                      push esi
:0040289E 51                      push ecx
:0040289F 89CE                    mov esi, ecx
:004028A1 C1EE02                  shr esi, 02
:004028A4 7426                    je 004028CC
:004028A6 8B08                    mov ecx, dword ptr [eax]     ;; the 1st line of our keyfile
:004028A8 8B1A                    mov ebx, dword ptr [edx]     ;; what the 1st line should be
:004028AA 39D9                    cmp ecx, ebx                 ;; compare lines
:004028AC 7545                    jne 004028F3                 ;; jump to the 
:004028AE 4E                      dec esi                         'no Envykey' message
:004028AF 7415                    je 004028C6
:004028B1 8B4804                  mov ecx, dword ptr [eax+04]
:004028B4 8B5A04                  mov ebx, dword ptr [edx+04]
:004028B7 39D9                    cmp ecx, ebx
:004028B9 7538                    jne 004028F3
:004028BB 83C008                  add eax, 00000008
:004028BE 83C208                  add edx, 00000008
:004028C1 4E                      dec esi
:004028C2 75E2                    jne 004028A6
:004028C4 EB06                    jmp 004028CC


At 4028A8 type 'd edx' Now we know what the first line should be. Open a hexeditor and edit our
keyfile. It should look like this:

         ||
         \/
00000000 0745 6E76 794B 6579 0000 0000 0000 0000 .EnvyKey........
00000010 0000 0000 0000 0000 00                  .........

Note: you HAVE to use a hexedit, because you can't type the 07 in notepad.

Now continue running the program till you get here:

:0045236A E82D05FBFF              call 0040289C   ;; this is our last call
:0045236F 7509                    jne 0045237A
:00452371 83BB9600000000          cmp dword ptr [ebx+00000096], 00000000   ;; check if keyfile
:00452378 750F                    jne 00452389                                contains a zero
                                                                              at ebx+96

Time to make our keyfile a little bigger. Something like this:


00000000 0745 6E76 794B 6579 0000 0000 0000 0000 .EnvyKey........
00000010 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000020 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000040 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000070 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000080 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000090 0000 0000 0000 FF                       .......
                        /\
                        ||

The value at 96 may NOT contain a zero, otherwise you get an error. So fill it with FF
Now continue our running the program, till we get here:

:00452389 8D437F                  lea eax, dword ptr [ebx+7F]
:0045238C 8B8B8A000000            mov ecx, dword ptr [ebx+0000008A]
:00452392 66BA0200                mov dx, 0002
:00452396 E89517FFFF              call 00443B30
:0045239B 3B838E000000            cmp eax, dword ptr [ebx+0000008E]       ;; no problem they
:004523A1 751B                    jne 004523BE                               are the same
:004523A3 33D2                    xor edx, edx
:004523A5 8A5309                  mov dl, byte ptr [ebx+09]
:004523A8 8D430A                  lea eax, dword ptr [ebx+0A]
:004523AB 8B8B82000000            mov ecx, dword ptr [ebx+00000082]
:004523B1 E87A17FFFF              call 00443B30
:004523B6 3B8392000000            cmp eax, dword ptr [ebx+00000092]       ;; no problem they
:004523BC 740C                    je 004523CA                                are the same

:004523BE B8C8244500              mov eax, 004524C8                      \  If not the same:
:004523C3 E894DEFDFF              call 0043025C                          |  say keyfile is  
:004523C8 EB7C                    jmp 00452446                           /  corrupt

:004523CA 33D2                    xor edx, edx
:004523CC 8A533D                  mov dl, byte ptr [ebx+3D]
:004523CF 8D433E                  lea eax, dword ptr [ebx+3E]
:004523D2 B9E6250200              mov ecx, 000225E6
:004523D7 E85417FFFF              call 00443B30
:004523DC 3B8382000000            cmp eax, dword ptr [ebx+00000082]      ;; ebx+82 must contain
:004523E2 7418                    je 004523FC                               0225E6 as value

ebx+82 must contain 0225E6.
Remember: values get pushed in reverse order, so your keyfile must look like this:

00000000 0745 6E76 794B 6579 0000 0000 0000 0000 .EnvyKey........
00000010 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000020 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000040 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000070 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000080 0000 E625 0200 0000 0000 0000 0000 0000 ...%............  
00000090 0000 0000 0000 FF                       .......

Continue the program. 

:004523B1 E87A17FFFF              call 00443B30
:004523B6 3B8392000000            cmp eax, dword ptr [ebx+00000092]     ;; A problem, 
:004523BC 740C                    je 004523CA                              value must be 0225E6

:004523BE B8C8244500              mov eax, 004524C8                      \  If not the same:
:004523C3 E894DEFDFF              call 0043025C                          |  say keyfile is  
:004523C8 EB7C                    jmp 00452446                           /  corrupt

Notice that a problem has arisen at 4523B6, simply remove this problem
by putting this value in your keyfile. Like this:

00000000 0745 6E76 794B 6579 0000 0000 0000 0000 .EnvyKey........
00000010 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000020 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000040 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000070 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000080 0000 E625 0200 0000 0000 0000 0000 0000 ...%............  
00000090 0000 E625 0200 FF                       ...X...


Continue the program. You don't GET ANY ERRORS ANYMORE, we have CRACKED the program.
Clear all your breakpoints and start the program. YES!! WE DID IT!!!
I've attached my keyfile to this essay, I hope it is still there when you read this.
You can edit your keyfile, making a nice logo in it at the locations that Monitor/RA doesn't
use. 

.----------------------------------------------------------------------------------------------.
|                                           Final Notes:                                  |
`----------------------------------------------------------------------------------------------'


Well, I hope you learned SOMETHING from this tutor.

If you have any comments, questions, need help or whatever, mail me at MisterE@freemail.nl

OR

look for me at EFNET => #cracking4newbies or #cracking


.----------------------------------------------------------------------------------------------.
`----------------------------------------------------------------------------------------------'

You are deep inside Fravia's page of reverse engineering, choose your way out:

progcor
Back to progcor

redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_Fravia
redIs reverse engineering legal?