|
Beating M$ with his own tools |
 Most stupid protection | |
 |
by Fravia+ | |
| fra_00xx 980924 LaptoniC 1000 ST PC | For protectors: you SHOULD NEVER, NEVER, NEVER write inside a module something like: If LicCheck = 0 Then 'are the licence details already stored somewhere on the computer? The fact that you can use access' debug functions to crack - and even to produce a keygenerator! - is something that shareware authors should take note of... | |
"Have you ever found a program which resists any attack by WinIce and where no Decompiler exists ? Even no other tool works ?" says Pepper in his essay..Yes i have found a program which cant be attacked by softice.(at least for me).Our target is only one .mdb file.It is executed by Access runtime.Usual breakpoints doesnt help you much.I couldn't found any valuable information after one week.In this essay i will completely nake M$ protection schema and code keygen for this program.Sorry for my bad English I think you speak Turkish bad too :)
Program is really big 18 mb.It is nightmare for dialup users like me.Program is not
important at all.Main goal is understanding the protection of mdb files.
This program is database program for companies.It is usefull for big companies to track
meetings, events etc.Program needs serial to unlock its some features.Main protection is in
the sp2000.mdb.If this program is access database lets try to open with Access 97.If you have
read pepper's essay you know that calculation is done by modules.I have tried to open all
modules and looked what is going on.I have opened all modules but Gfstartup and Mieutilities.
When you try to open this modules, access says that "You dont have access to ....".Lets try to
open this modules.I have bpx on messagebeep like pepper but couldnt found the way.(If you find
it please letme know)Before reinventing the wheel, I decided to search well.After good search
I found GetAccess 98.Here is what GetAccess claims in its helpfile "GetAccess'98 unsets Access
database file password&User level Security.It also reveals the database password if available."
GetAccess is Vb i hope finding a serial is not a big deal.Open the database and choose
"Remove Security Permissions Also".Wait, wait, wait it is very long process.Lets try to open
Mieutilities module.Yeah it worked.Lets analyze what is in this module.
Public Function LicCheck()
On Error GoTo LCErrorBit
Dim dbs As Database, rst As Recordset
Set dbs = CurrentDb
Set rst = dbs.OpenRecordset("Software Details")
rst.MoveFirst
ProdCode = rst("ProductCode")
ExtLName = rst("LicenceeName")
LicName = Left(ExtLName, Len(ExtLName) - 1) & ProdCode ;prodcode is SP2000 in the table
LicNum = rst("LicenceNumber")
If IsNull(LicName) Or LicName = "" Or IsNull(LicNum) Or LicNum = 0 Then
LicCheck = 0
GoTo LCExitPoint
End If
L1Len = Len(LicName)
DC = 0
For J = 1 To L1Len
DC = DC + (Asc(Mid(LicName, J, 1)) * (L1Len + 1 - J + 3))
Next J
DC = DC * Int((L1Len + 14.3) / 2)
If Int(DC) + 71077345 = Int(UnGNum(LicNum)) Then LicCheck = 1 Else LicCheck = 0
LCExitPoint:
If LicCheck = 0 Then
'are the licence details already stored somewhere on the computer ;ehehe programmers comment
On Error GoTo CantReadF1
SystemDirectory = GetSysDir()
FileNumber = FreeFile
Open SystemDirectory & "\config.sli" For Input As #FileNumber
Input #FileNumber, WLicName, LicNum
Close #FileNumber
SetAttr SystemDirectory & "\config.sli", vbHidden + vbSystem
GoTo FoundStoredDetails
CantReadF1:
Resume NothingValidStored
FoundStoredDetails:
On Error GoTo LCErrorBit
If IsNull(LicName) Or LicName = "" Or IsNull(LicNum) Or LicNum = 0 Then
LicCheck = 0
GoTo NothingValidStored
End If
LicNum = CLng(LicNum)
LicName = Left(WLicName, Len(WLicName) - 1) & "SP2000"
L1Len = Len(LicName)
DC = 0
For J = 1 To L1Len
DC = DC + (Asc(Mid(LicName, J, 1)) * (L1Len + 1 - J + 3))
Next J
DC = DC * Int((L1Len + 14.3) / 2)
If Int(DC) + 71077345 = Int(UnGNum(LicNum)) Then LicCheck = 1 Else LicCheck = 0
If LicCheck = 0 Then GoTo NothingValidStored
If LicCheck = 1 Then
rst.Edit
rst("LicenceeName") = WLicName
rst("LicenceNumber") = LicNum
rst.Update
rst.Close
Exit Function
It opens Software Details table and take Product Code ,Licence Name and LicenceNumber.It
computes real serial number and compare it.What is this Ungnum function ?
Public Function GNum(SN)
On Error Resume Next
SNStr = CStr(SN)
N1Str = Left(SNStr, 2)
N2Str = Left(SNStr, 1)
N1 = CInt(N1Str) + 17
N2 = CInt(N2Str) + 6
N1 = N1 * N2
GNum = SN + N1
End Function
Public Function UnGNum(SN)
On Error Resume Next
SNStr = CStr(SN)
N1Str = Left(SNStr, 2)
N2Str = Left(SNStr, 1)
N1 = CInt(N1Str) + 17
N2 = CInt(N2Str) + 6
N1 = N1 * N2
UnGNum = SN - N1
End Function
This info is enough to code keygen.If you have ever used access 97 you know that it has debug
menu.You can surf in the code like in softice.Open software details table ad fill name and
license number.Run it step by step.When you are at If Int(DC) + 71077345 ... note int(dc)
open debug menu and type gnum(int(dc)+71077345).This is your serial.You may ask why i didnt
changed this License check=0 stuff.I have tried but it crashes the program maybe it is because
of startupgf module.Access use visual basic language.You can easily code keygen by just copy
and paste.However program looks config.sli file in system directory you can make key file also.
Key file format is like this "Name","Serial" ie. "LaptoniC","12345678"
Sorry for my bad english and writing skill ,I am totally newbie but trying to learn.I hope this essay helped you.As you see, M$ protection is worst than no protection.I end my essay with a little poet
Hey cousin Billy
Hey cousin Billy
Is there anything
That you can do for me
homepage
links
search_forms
+ORC
how to protect
academy database
reality cracking
how to search
java-script wars
tools
anonymity academy
cocktails
antismut CGI-scripts
mail_Fravia
Is reverse engineering legal?