+HCU 1997, Project2: Winice reversing
Phase 1

Courtesy of Fravia's page of reverse engineering
How To reverse Soft-Ice 3.01 Win95 (Part 1: Cracking Loader32/NmTrans.dll) 

- by Frog's Print

Numega's people are quite nice: they offer us the possibility to download Soft-Ice 3.01
(as well as the full documentation in Acrobat Reader format!). Of course, it is
fully functional but... will only work for 14 days. Ain't that beautiful: we can reverse
our beloved, amazing tool, one of the best or maybe THE best program we little
-crackers or +crackers use and cheer every day. That's really great. Thank you so
much Numega.

WE ARE NOT GOING TO reverse IT ALL (yet), just, for now, the loader (Loader32.exe) and
the main DLL (Nmtrans.dll).

Let's go.

First, get yourself a copy of WinIce Win95 at Numega's site (Http://www.numega.com).
So, now, what can I expect?

1/ One of the most difficult protection schemes I ever cracked?
2/ Something I will not be able to reverse?
3/ Will my brand new Notebook Pentium 133, 16Mb/1,35Gb blow up in my face if I
only change one single byte inside Winnie?

Let's see.

The first thing to do is to have a look at the WinIce.dat file, as I want to
personalize it for my cracking purposes.
And look! Check the last line:

; Eval expiration date - DO NOT REMOVE!
DATE=413477b9 39533730

Is it a joke or are they serious? I can't believe I'm seeing this written in upper
case letters... are they "teasing" all crackers? Are they just plain stupid? Did
they hide another protection inside this program?

Of course I immediately remove the line above (after having backed up the file
first, of course) and reboot. Let's see what's going to happen.

Back in Windows, everything seems to be fine, except that when pressing CTRL-D
I can't get into Soft-Ice as usual. Loader32.exe works fine.

I reinstall WinIce.dat, once more with the expiration comment inside,
and reboot again.

Now I set the date one month ahead and run Loader32.exe: it says that I have
0 days left AND that Soft-Ice isn't active (though it is, if I press CTRL-D).
I restore the date and try again: it works fine!

Let's disassemble it with W32Dasm8.

Checking the imported functions, I find a "NMTRANS.NmGetNumDaysLeft"!!!
Again, I can't believe it: what a name! This routine, located inside Nmtrans.dll,
is used to check how many days you have left before Soft-Ice stops working.

Of course, I used the "live approach" to understand the code (after having
added NmTrans.dll *INSIDE* my WinIce.dat, with an EXP= line, in order to be able
to BPX its functions). Here is the listing of NMTRANS.NmGetNumDaysLeft and the
calls to it inside Loader32.exe, as provided by W32Dasm8, so it will be easier
for you to understand what's going on:

1/ From the file Nmtrans.dll (which is located inside your Winice directory):

 Exported fn(): NmGetNumDaysLeft - Ord:000Dh
 :100263F0 83EC20             sub esp, 00000020
 :100263F3 8D442404           lea eax, [esp + 04]
 ...
 ...
(* The program check the installation date *)
 ...
 ...
 * Reference To: KERNEL32.GetSystemTime, Ord:0134h
 :10026476 FF1538421C10       Call dword ptr [101C4238]
 :1002647C 8B742420           mov esi, [esp + 20]
 ...
(* Now, gets the actual date *)
 ...
 ...
 ...
(* And now....: *)

 :10026549 2BCA               sub ecx, edx ;ECX-EDX:=Days_Used
 * Referenced by a Jump at Address:10026547(C)
 :1002654B B800000000         mov eax, 0    ;EAX:=0
 :10026550 83F90E             cmp ecx, E    ;Compare Days_Used with 14_Days_Allowed
 :10026553 7307               jnb 1002655C  ;Outta_Here_If_Above_Or_Equal!
 :10026555 B80E000000         mov eax, E    ;Good_!Go_Head, EAX:=14_Days_Allowed
 :1002655A 2BC1               sub eax, ecx  ;14_Days_Allowed - Days_Used := Days_Left

 * Referenced by a Jump at Address :10026553(C)
:1002655C 5D           pop ebp
:1002655D A3DC201C10   mov [101C20DC], eax  ;Store Days_Left
:10026562 5F           pop edi
:10026563 5E           pop esi
:10026564 5B           pop ebx
:10026565 83C420       add esp, 00000020
:10026568 C3           ret                  ;Back to Loader32.exe


2/ Now, back to Loader32.exe

 * Reference To: NMTRANS.NmGetNumDaysLeft, Ord:0000h
:0043A261 E8CE9EFFFF         Call 00434134      ;That's the CALL we come from
:0043A266 898560FFFFFF       mov [ebp+FFFFFF60], eax         ;Store Days_Left
:0043A26C C68564FFFFFF00     mov byte ptr [ebp+FFFFFF64], 00
:0043A273 8D9560FFFFFF       lea edx, [ebp+FFFFFF60]         ;EDX:= Days_Left
:0043A279 33C9               xor ecx, ecx

 * Possible StringData Ref from Code Obj ->"**** Evaluation version. Valid "
                                         ->"for %d days. ****"
:0043A27B B890A44300         mov eax, 0043A490               ;"...Valid for"
:0043A280 E86FBFFCFF         call 004061F4                   ;Days_Left "days."
:0043A285 6A00               push 00000000
:0043A287 8B45FC             mov eax, [ebp-04]
:0043A28A E82D93FCFF         call 004035BC
:0043A28F 8BD0               mov edx, eax

 * Possible StringData Ref from Code Obj ->"Symbol Loader"
:0043A291 B970A54300         mov ecx, 0043A570        ; Title of the Message Box
:0043A296 A124C64300         mov eax, [0043C624]
:0043A29B E838A1FEFF         call 004243D8            ;Call to MessageBoxA...
:0043A2A0 A124C64300         mov eax, [0043C624]
:0043A2A5 8998A8000000       mov [eax+000000A8], ebx
 ...
 ...

How do we crack this?

1/ Nmtrans.dll:
We had:
:1002654B B800000000         mov eax, 0    ;
We change to:
:1002654B B900000000         mov ecx, 0    ;

One byte: opcode B8 (mov eax, imm32) becomes B9 (mov ecx, imm32), so Days_Used
in ECX is forced to 0 right before the compare, the jnb at 10026553 is never
taken, and the routine always returns 14 - 0. EAX is still set by the
mov eax, E that follows, so nothing else changes.

Seems right, yet now, if you run Loader32.exe, you will notice that it gives you
the following message: "Soft-Ice not loaded!".

So let's go back to Nmtrans.dll to see how it checks if Soft-Ice is loaded or not.
We find a function called "NmSymIsSoftICELoaded".

 Exported fn(): NmSymIsSoftICELoaded - Ord:0016h
 * Reference To: nmtrans.DevIO_ConnectToSoftICE
:10027A30 E82B72FEFF           call 1000EC60     
:10027A35 83F8FF               cmp eax, FFFFFFFF
:10027A38 740D                 je 10027A47
:10027A3A 50                   push eax
...

Let's have a look at Call 1000EC60:
Exported fn(): DevIO_ConnectToSoftICE - Ord:0002h
:1000EC60 83EC20                  sub esp, 00000020
:1000EC63 53                      push ebx
:1000EC64 56                      push esi
:1000EC65 57                      push edi
 ...
and we land here again: GetSystemTime!
* Reference To: KERNEL32.GetSystemTime, Ord:0134h
:1000ED3D FF1538421C10 Call dword ptr [101C4238]
:1000ED43 8B442418     mov eax, [esp + 18]
 ...
:1000EE12 3BD1         cmp edx, ecx       ;Today's date count vs. install date
:1000EE14 7202         jb 1000EE18        ;Take care: this little user may have
                                          ;set the date back to previous months..
:1000EE16 2BD1         sub edx, ecx       ;EDX:= Days_Used (today - install)

* Referenced by a Jump at Address:1000EE14(C)
:1000EE18 83FA0E                cmp edx, E   ;Compare Days_Used // 14_Days_Allowed
:1000EE1B 720F                  jb 1000EE2C  ;Good!_Go_Ahead_If_Below
:1000EE1D C7051CEE1B1000000000  mov dword ptr[101BEE1C],0000  ;Sorry....Bye_Bye
:1000EE27 83EE02                sub esi, 00000002
:1000EE2A EB10                  jmp 1000EE3C
...
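To make the two checks concrete, here is an added model of their logic in Python (my code, not NuMega's and not part of the original essay). The day counts stand in for whatever GetSystemTime is converted into; the listings elide that conversion, and only the difference matters. The guard before the subtraction in NmGetNumDaysLeft is not shown above (only the jump into 1002654B from 10026547 is), so I assume it is the same "today below install date" test that DevIO_ConnectToSoftICE shows at 1000EE12/1000EE14. The `patched` flag models forcing Days_Used to 0 before the compare, which is what a one-instruction patch at the subtraction achieves; `INSTALL_DAY` is a constructed sample value.

```python
from datetime import date

MASK32 = 0xFFFFFFFF
DAYS_ALLOWED = 0x0E          # the immediate compared at 10026550 and 1000EE18

# Constructed sample: an install date to reason about; any ordinal day count works.
INSTALL_DAY = date(1997, 5, 1).toordinal()


def days_left(install_day, today_day, patched=False):
    """Model of NmGetNumDaysLeft (10026549..1002655D).

    Returns what the routine leaves in EAX: 14 - Days_Used, or 0 once
    Days_Used reaches 14. All arithmetic is 32-bit unsigned, like the
    SUB/CMP/JNB sequence in the listing.
    """
    if today_day < install_day:
        # Assumed guard (the jump from 10026547): the SUB is skipped, so ECX
        # keeps the raw day count, which is far above 14 -> 0 days left.
        days_used = today_day & MASK32
    else:
        days_used = (today_day - install_day) & MASK32   # sub ecx, edx
    if patched:
        days_used = 0                                    # mov ecx, 0 instead of mov eax, 0
    if days_used >= DAYS_ALLOWED:                        # cmp ecx, 0Eh / jnb 1002655C
        return 0                                         # EAX still 0
    return DAYS_ALLOWED - days_used                      # mov eax, 0Eh / sub eax, ecx


def softice_connect_allowed(install_day, today_day, patched=False):
    """Model of the second check in DevIO_ConnectToSoftICE (1000EE12..1000EE1D).

    True when the jb at 1000EE1B is taken (trial still valid); False when the
    routine falls through and stores 0 at 101BEE1C, which Loader32 reports
    as "Soft-Ice not loaded".
    """
    days_used = today_day & MASK32                       # EDX = today's count
    if not (today_day < install_day):                    # cmp edx, ecx / jb 1000EE18
        days_used = (today_day - install_day) & MASK32   # sub edx, ecx
    if patched:
        days_used = 0                                    # EDX subtracted from itself
    return days_used < DAYS_ALLOWED                      # cmp edx, 0Eh / jb 1000EE2C


if __name__ == "__main__":
    for delta in (3, 14, 30, -30):
        today = INSTALL_DAY + delta
        print(f"{delta:+4d} days: left={days_left(INSTALL_DAY, today):2d} "
              f"connect={softice_connect_allowed(INSTALL_DAY, today)}")
```

Running it shows the two behaviours observed earlier: a clock moved a month ahead gives 0 days left and a refused connect, and a clock moved back before the install date fails the same way, because the skipped subtraction leaves the raw day count in the register.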
In fact, Loader32 will tell you that Soft-Ice ISN'T loaded, though it IS, just
because your trial period has expired. Note the jb at 1000EE14: if the clock has
been set back before the install date, the subtraction is skipped and the raw day
count left in EDX, far larger than 14, fails the check just the same.
Let's crack it too.

We had:
:1000EE12 3BD1                  cmp edx, ecx
:1000EE14 7202                  jb 1000EE18
:1000EE16 2BD1                  sub edx, ecx

* Referenced by a Jump at Address:1000EE14(C)
:1000EE18 83FA0E                cmp edx, E    ;once more, checking 14
:1000EE1B 720F                  jb 1000EE2C
:1000EE1D C7051CEE1B1000000000  mov dword ptr[101BEE1C],0000

We change to:
:1000EE12 3BD2                  cmp edx, edx  ;<=**here**
:1000EE14 7202                  jb 1000EE18
:1000EE16 2BD2                  sub edx, edx ;<="**AND" HERE TOO**

* Referenced by a Jump at Address:1000EE14(C)
:1000EE18 83FA0E                cmp edx, E ;once more, checking 14
:1000EE1B 720F                  jb 1000EE2C
:1000EE1D C7051CEE1B1000000000  mov dword ptr[101BEE1C],0000

With EDX subtracted from itself, Days_Used is always 0 and the jb at 1000EE1B is
always taken, so now we will always have 14 days left in both checks. As there is
a nagscreen reminding us of it, and as we definitely do not like nagscreens,
let's crack the nagscreen too. We had:

:0043A291 B970A54300            mov ecx, 0043A570    ;prepare nag
:0043A296 A124C64300            mov eax, [0043C624]  ;and then
:0043A29B E838A1FEFF            call 004243D8        ;call MessageBoxA...

Change to:

:0043A291 B970A54300            mov ecx, 0043A570
:0043A296 A124C64300            mov eax, [0043C624]
:0043A29B 4048904048            inc eax, dec eax, nop, inc eax, dec eax ;<="**HERE**"

(The five replacement bytes cover exactly the five bytes of the E8 call; five 90h
NOPs would do just as well. EAX is reloaded from [0043C624] right after, so nothing
depends on the return value of the call we removed.)

Now, after doing those changes, reboot and check what's going on:

1/ Soft-Ice is loaded.
2/ Loader32.exe works quite well.
3/ ...but you CANNOT reach Soft-Ice's screen, as the CTRL-D keys don't work!
   (but it IS active, I checked with my own little program)
4/ Here we are for now!! I stopped here and leave you to think about it. Surely
someone will work onwards with this target even if I don't. Two more things:

- If you delete the line 'INIT="X' from WinIce.dat and reboot, this will allow
you to pop into Soft-Ice's screen even before Windows95 starts. So, you could trace,
BPX...

- Don't forget the line "Eval expiration date DO NOT REMOVE! DATE="XXXXXXXX" XXXXXXX"
in WinIce.dat, as when it is removed you can't reach Soft-Ice's screen. To explore...

 Happy cracking,

 Frog's Print 
