HyperChem 5.0 - 'Same old sauce'
"Don't lure us any more"
by +Sync
(28 October 1997)
Courtesy of Fravia's page of reverse engineering
Well, +Sync (our "tester maximo") worked on this essay as an answer
to an email that we
got some days ago. +Sync has accomplished a very "altruistic" task indeed: he
tested a protection scheme in order to see if it was relevant or not for
our studies. Unfortuntaley it was not.
I believe we should all learn some lessons:
1) Never ask for help when you have not "done your math" yourselves.
Admittely, it may be difficult at times to know if a "new protection" is
only an old known one in disguise, or if it is really new and daunting, yet
we'll never accept, from now on, requests regarding "apparently new" protection
schemes that are not accompanied by a THOROUGH first investigation by the
guy that asks for help. +Sync's time and capabilities (and +gthorne's and
mine, and of all other 'new' +HCUkers... not to speak of +ORC's ones)
are too precious to be wasted on such banalities).
2) New and daunting protection schemes are indeed very rare.
As soon as
one appears there are many chances that it will reveal itself as an 'old sauce',
like this one. It's a pity, but it is -alas- so (let's hope that clever programmers
will learn enough from our essays to provide us more tough challenges :-)
3) I hope that some funny faces are not mistaking the +HCU for a place
where you are allowed to hunt for ready made cracks.
WE ARE NOT INTERESTED in the software
that we crack (with very few exceptions), as funny as it may seem to some,
we are interested (a lot) in 'pure' software reverse engineering activities,
it just happens that protection schemes constitute a nice challenge. Anyway we
will NEVER again publish any reverse engineering of a program if we may again
suspect, like we do in this case, that we have been lured to work on a
protection scheme only in order to crack a banal specific target. You need a
ready-made crack? Are you a "me-too" luser, incapable of reversing software yourself? Are
you too lazy or stupid to study the (aboundant) material provided all over the
net? Beggar off, there are plenty of self-appointed
crackers ready to futter you software in spades till you have slurped so much that you'll explode.
You are here at the wrong address.
And now, duly feeling guiltiness and remorse, enjoy this nice "surgical" clean cut essay by +Sync
HyperChem 5.0 - 'Same old sauce'
Well, this was sent to me through the +HCU as a possible new project.
I would have to say that not only does this not qualify as a new project,
it is simply the same thing that we have presented over and over again.
At most, this might qualify for the "time protections" section.
Anyway, here it is.
Available at http://www.hyper.com the program is called HyperChem,
which seems to be a very versatile use for you Chemical Engineers out
there.
First thing, as always, is to run the program.
It quickly tells you that you cannot run this version without an
"authorization code". You get this code from them, and enter it in
HCLicense.EXE in order to run this program.
This is the very interesting part of this target's protection.
Enter any set of numbers as the Authorization Code and it will
register almost every time.
It doesn't like alpha characters though.
Can it really be that easy? Unfortunately not.
Try running the program again and nothing has changed.
So what the hell is HCLicense doing? Well, check it out with WDASM or
Softice or IDA or any way you want, and it comes down to this:
All it does is take the number you put in, and store it in a key in the
registry.
The key is :
HKEY_CURRENT_USER\Software\Hypercube\HyperChem\5.0\Registration\DemoKey
Well, so now all we need to do is find out where in the program it
checks this key. So WDASM CHEM.EXE and look for 'DemoKey'.
Right below where you find it, you will find the following code
* Reference To: ADVAPI32.RegQueryValueExA, Ord:0136h
|
:0041B730 FF156CA65000 Call dword ptr [0050A66C] ;get the key
:0041B736 85C0 test eax, eax
:0041B738 753E jne 0041B778
:0041B73A 8B9540FEFFFF mov edx, dword ptr [ebp+FFFFFE40]
:0041B740 899538FDFFFF mov dword ptr [ebp+FFFFFD38], edx
:0041B746 8B8538FDFFFF mov eax, dword ptr [ebp+FFFFFD38]
:0041B74C 8B08 mov ecx, dword ptr [eax] ;ecx holds code from HCLicense
:0041B74E 898D34FDFFFF mov dword ptr [ebp+FFFFFD34], ecx
:0041B754 8B9534FDFFFF mov edx, dword ptr [ebp+FFFFFD34] ;now in edx
:0041B75A 3B9530FDFFFF cmp edx, dword ptr [ebp+FFFFFD30] ;check if right
:0041B760 7516 jne 0041B778 ;jmp if it's not right
So, we need to prevent the jump at 41b760 from being made, as follows:
:0041B760 7516 jne 0041B778 ;jmp if it's not right
to
:0041B760 4048 inc eax dec eax ; ie do nothing
So now we will be able to run the program right? Well, try it out.
It tells us that our evaluation has expired! Before we even get to
run it once! What kind of shoddy programming is this?
Well, it's not hard to fix. Look for an occurrence of GetLocalTime
(or BPX it in S-ICE) and you'll quickly find the code snippet below.
* Reference To: KERNEL32.GetLocalTime, Ord:00F5h
|
:0041A176 FF1514A95000 Call dword ptr [0050A914]
:0041A17C 83EC10 sub esp, 00000010
:0041A17F 8BCC mov ecx, esp
:0041A181 8B55F0 mov edx, dword ptr [ebp-10]
:0041A184 8911 mov dword ptr [ecx], edx
:0041A186 8B45F4 mov eax, dword ptr [ebp-0C]
:0041A189 894104 mov dword ptr [ecx+04], eax
:0041A18C 8B55F8 mov edx, dword ptr [ebp-08]
:0041A18F 895108 mov dword ptr [ecx+08], edx
:0041A192 8B45FC mov eax, dword ptr [ebp-04]
:0041A195 89410C mov dword ptr [ecx+0C], eax
:0041A198 E814160000 call 0041B7B1 ;check if expired yet
:0041A19D 83C410 add esp, 00000010
:0041A1A0 85C0 test eax, eax ;are we?
:0041A1A2 7504 jne 0041A1A8 ;yes, jmp away
:0041A1A4 33C0 xor eax, eax ;no, go on good guy
:0041A1A6 EB31 jmp 0041A1D9
So again we need to force the jump not to be made
:0041A1A2 7504 jne 0041A1A8 ;yes, jmp away
to
:0041A1A2 4048 inc eax dec eax ;don't ever jump
That's it, HyperChem 5.02 Evaluation version now runs as it would if you
had entered a valid code, and were still in the evaluation period.
There is still a nag screen at startup, which I did not bother writing
details about (if you don't know how to remove it, you need to study a
little more).
I did begin to reverse the Authorization Code, it is created from the
name and organization you type in at install, however a patch was
necessary to clean up the expiration, so a keymaker would only do half
the job anyway.
Hope this helps someone.
+Sync sync1@iname.com
(c) +Sync, 1997. All rights reversed.
You are deep inside Fravia's page of reverse
engineering, choose your way out:
homepage
links
anonymity
+ORC students' essays tools
cocktails
academy database
antismut search_forms mail_Fravia
is reverse engineering legal?