IntelliSecure R2
Courtesy of Fravia's pages of reverse engineering
by +Xoanon
31 July 1998

24 September 1998
IntelliSecure R2 has been slightly censored on request



Original essay with the abovementioned corrections
(31 July 1998 ~ 24 September 1998)


Well, well: +Xoanon is back with another 'cracking exploit'! This excellent Italian cracker delivers -once more- a very good essay, that will convince any shareware protector, once more, about the old truth: ready-made protections are NOT to be used, no, no, no!
BTW: +Xoanon's attitude towards our reversing science and towards the other sex is, IMHO, much more worth emulating than his curious attitude towards maggots
:-)
And I love +Xoanon's 'tradition' of presenting 'universal cracks', wish many more contributors would do just that, instead of concentrating on a single target... and I enjoy the fact that he's building on Marigold's (good) previous work: this is the whole point of our work: team working in order to solve generic puzzles and to develop software protection - and deprotection - into a science in its own right!

IntelliSecure R2
Another readymade protection dies
Written by xOANON [UCF/CLASS]

Introduction

Hi again Fravia+! Probably you can't believe your eyes.... another essay from +Xoa after less than a month! :) Am I mad, maybe? Or have I run out of women and fun in this hot summer, and have nothing better to do than sit here at the PC writing essays? Who knows.... ehehhehe :) xOANON ran out of women... impossible :) I just found some free time, that's all :) See, in reality <== xOANON is actually not a +cracker, he's a +playboy! (Don't care too much about this rambling, please, it's very hot down here and it fries our minds, we all get a little bit mad :)

Anyway... this time I'll present to your readers another readymade protection, very very crappy in my opinion. Nothing compared to VBox and Timelock, which are wrappers... This one instead acts only as a "crypter". But you will understand better by reading the essay.

Another thing I want to say: the programmer (maybe knowing how foolish the protection is) has released IntelliSecure R2 as freeware (you can find it at http://www.dataet.com/products/isr2, get it coz it's required for a complete understanding of the protection). This is good, at least he doesn't ask anything for his (crappy) work. PreviewSoftware (VBox & Timelock) instead asks thousands of $$$ for their protections.... bah. Shareware programmers please, -OPEN YOUR EYES-!

Tools required

SoftIce
W32D/ASM
Your favourite HexEditor
Cigarettes (I think I will be bugged soon by anti-smokers... anyway, I think smoking while cracking is quite relaxing. Don't take it like "I wanna be a kewl cracker so I'll start smoking", coz smoking is quite dangerous for your health (you die sooner)... It's just my personal 'controcorrente' (against-the-current) opinion, nothing more :)
A fan (to face this warm summer)
Some good grunge music (Nirvana, Stone Temple Pilots, etc...)
Not so optional: a blond/red/black/blue/green/orange/violet haired girl next to you to keep the cracking more amusing... crackers need love! :)

Target's URL/FTP

Intellisecure R2 from DataEt software


Program History

I don't know any other versions of IntelliSecure... maybe more to come after this essay :)


Essay

Well, let's start as always... load SoftICE, light your cigarettes, sip your drinks, etc....

But first of all get IntelliSecure R2 and apply it to an executable file of your choice. Once it has been applied, you'll notice some other files have appeared in the directory. They are:

1) EULA1.RTF <== End user license agreement 1 (ignore it)
2) EULA2.RTF <== End user license agreement 2 (ignore it)
3) REGISTER.RTF <== Registration form (ignore it)
4) CAPTIONS.DAT <== Used for the localization of the IntelliSecure module (ignore it)
5) REPORT.TXT <== Just a report file containing the number of executions of the file, its state (locked/unlocked), etc... Ignore it too.
6) xxxxxx.xxx <== The key created with the IntelliSecure Lock Configuration utility after the lock. In the programmer's intention this must be kept only by the producer of the locked software and used, in combination with the USER-ID shown by the locked module, to obtain a valid serial number.... Amazing :) But ignore it too.....
7) ISR2RT.DAT <== Interesting
8) xxxxx.EXE <== Your .EXE file.... hmmm.... its length has changed... what the hell happened? Is it packed? Encrypted? Wrapped with something? We'll see later...

(xxxxxx = names you choose)

Let's start thinking now.... we notice immediately that ISR2RT.DAT has **THE SAME** length as your original file. What does that mean?
Easy.... IntelliSecure simply does this: it encrypts your file, renames it to ISR2RT.DAT, then creates a loader with the same name as your .EXE file. This loader is universal (always the same structure and the same length of 371633 bytes) and it's used to control the time/executions expiration. So what I thought at the beginning was to make a "universal crack" for it, according to my tradition of universal cracks as for Timelock and VBox. Very easy.....

Just load your locked .EXE, choose "Unlock Software", enter a name (min. 6 chars) and any unlocking code you want. Now enter SoftICE, put a BPX on HMEMCPY and click on "Unlock Application". After various PRETs and some stepping you will land in this code:

{ At this point, a result mask is already computed from your name/serial combination }

mov eax, dword ptr [eax+00000264]
call 13AD4
mov eax, dword ptr [ebp-48]
mov al, byte ptr [eax+05]
xor byte ptr [ebp-1A], al
cmp bl, byte ptr [ebp-0E] <== start comparing
jne 35355 <=== are you trying to crack my routine? Oh, come on...... SHUT UP!
......

There are some other JNEs; simply avoiding them, we land here:

lea edx, dword ptr [ebp-4C] <=== here starts the unlocking routine
xor eax, eax
E883D9FCFF call 027C4
mov eax, dword ptr [ebp-4C]
lea edx, dword ptr [ebp-44]
call 05C44
lea eax, dword ptr [ebp-44]
mov edx, 35484
call 0350C
mov eax, dword ptr [ebp-44]
..........................

Nothing more to say: just changing the JNE 35355 into JMP 34E37 will do the work, without wasting time analyzing the serial routine. And this works fine: the program is correctly decrypted and the ISR2 screen does not appear anymore. As I said, since the loader is universal you can write a universal patch which changes the JNE 35355 into JMP 34E37 at offset 213469 (dec), and this will work with every IntelliSecured program.
NB: "the loader is universal" means it has the same structure, but it is not byte-for-byte identical in every program. So you must write a small patcher ("Enter IntelliSecured filename:") that applies the change to each loader; you obviously can't reuse one patched loader for every IntelliSecured program.

This alone proves the weakness of this protection... The file is decrypted simply by changing a jump, and no other checks are made when the program is executed again. Oddly, I noticed (a bug in ISR2) that the unlocked program sometimes just loads and then exits immediately if it resides in the same directory where the ISR2 package is installed... bah :) But I can assure you this crack works every time (I tried many times).


After this funny "prologue" about the weakness of this protection, I start my Marigold emulator and present you the true essay: (NDB: hey Fravia+, why the hell did you accept this guy in the HCU... he's totally mad!) :)

IntelliSecure R2: Virginity restored
by xOANON [UCF/CLASS] powered with Marigold Emulator

Hi guys! It's me again (xOANINO), this time in Marigold (TM) emulation. As xOANON I couldn't do better than a simple universal patch.... but with my brand new, amazing Marigold (TM) emulator I can go further: virginity restoration!

First of all, why virginity restoration if the program is already unlocked with the universal crack? Simple: I don't like the loader, and since the original executable is only encrypted, why waste our precious HD space with 300+ kbytes of loader plus stupid .RTF, .DAT and .TXT files? Just throw 'em out!

Well, light another cigarette now and start thinking: ISR2RT.DAT must be accessed somewhere by the loader in order to be decrypted. So load it in your HexEditor and write down its first few bytes, so you can recognise them in memory once the file has been read. Then lock another file with IntelliSecure, run it, set a BPX CREATEFILEA (used to open the file) and choose "Continue Execution" from the IntelliSecure screen.

Once you have caught the call that pushes ISR2RT.DAT as the filename before CREATEFILEA, set another BPX on READFILE and..... bingo! You'll land here (as always, I will not show you the relevant code locations: you should be able to trace and locate them yourself, on your own legally obtained copy of this ineffective protection, using SoftICE):

{ISR2RT.DAT is read with READFILE in steps of $2000 bytes}

lea edx, dword ptr [ebp+FFFFDFEC] <== location which will hold the bytes read
mov ecx, 00002000 <=== bytes read
mov eax, dword ptr [ebp-10]
call 05A54 <== read $2000 bytes from ISR2RT.DAT using READFILE api
mov edi, eax
xor eax, eax
mov al, byte ptr [ebp-09] <== hmmm... EBP-09 holds something like a "magic numbers" table...
mov dword ptr [38030], eax <=== first of the 5 magic-table bytes moved to 438030
mov ebx, 00002000
lea esi, dword ptr [ebp+FFFFDFEC] <== at ESI dwell the $2000 bytes read
mov eax, 00000100
call 0293C
------------------------------------------------------------------------------------------------------------
Code at 0293C (this is where the "magic table" enters the game)

imul edx, dword ptr [38030], 08088405 <== uses the magic value, edx is $2000
inc edx
mov dword ptr [38030], edx <=== move the result to 438030
mul edx
mov eax, edx <== result in EAX
ret

---------------------------------------------------------------------------------------------------------

xor byte ptr [esi], al <== decrypt first byte
inc esi <== next byte
dec ebx <== decrement the counter set to $2000 bytes read
jne 2FC43 <= until all $2000 bytes read are decrypted
xor eax, eax

{ the following code does exactly the same; the file has 5 layers of encryption based on the 5 magic numbers }

:2FC55 8A45F8 mov al, byte ptr [ebp-08] <== 2nd magic number
mov dword ptr [38030], eax
mov ebx, 00002000
lea esi, dword ptr [ebp+FFFFDFEC]
mov eax, 00000100
call 0293C
xor byte ptr [esi], al
inc esi
dec ebx
jne 2FC68
xor eax, eax
mov al, byte ptr [ebp-07] <== 3rd magic number
mov dword ptr [38030], eax
mov ebx, 00002000
lea esi, dword ptr [ebp+FFFFDFEC]
mov eax, 00000100
call 0293C
xor byte ptr [esi], al
inc esi
dec ebx
jne 2FC8D
xor eax, eax
mov al, byte ptr [ebp-06] <== 4th magic number
mov dword ptr [38030], eax
mov ebx, 00002000
lea esi, dword ptr [ebp+FFFFDFEC]
mov eax, 00000100
call 0293C
xor byte ptr [esi], al
inc esi
dec ebx
jne 2FCB2
xor eax, eax
mov al, byte ptr [ebp-05] <== 5th (last) magic number
mov dword ptr [38030], eax
mov ebx, 00002000
lea esi, dword ptr [ebp+FFFFDFEC]
mov eax, 00000100
call 0293C
xor byte ptr [esi], al
inc esi
dec ebx
jne 2FCD7
lea edx, dword ptr [ebp+FFFFDFEC] <== 'd EDX' in SoftICE now to see the first $2000 bytes of the file decrypted. You can finally see the "MZ": the beginning of the file is decrypted.
mov ecx, edi
mov eax, dword ptr [ebp-14]
call 05A80 <== read next $2000 bytes now
cmp edi, 00002000 <== Reached end of file ?
je 2FC19 <== no ? restart from beginning

Pheeeeeew.... it really took me a long time to write all this :) But we haven't finished yet.... Is it time for another cigarette? bah..... yes :)
Now we have 99% of what is needed to code a decrypter. The only thing we miss is the magic table... is it always the same for all locked files? Well, I tried and... no, the programmer was smart enough to change it every time (wow! :)).
So... where is this magic table located? Is it something in the key file created by the IntelliSecure Lock Configuration utility? Again, NO!

(what the hell xOA.... tell us where that crap magic table is!!!!)

Ehehehehhe.... calm down :) Since I had no better ideas, I wrote down the bytes found here and started searching for them inside the files we have handy: the loader and ISR2RT.DAT. Surprisingly (how stupid commercial programmers are.....) they are hardcoded, not even encrypted, in the loader at offset 371200 (dec).
Locking other files produced the same result.... the magic table is ALWAYS stored in the loader at that offset.
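The cipher traced above, as an added Python model (not the essay's code nor DataEt's): it reproduces the loader's loop and, in `combined_keystream`, shows that the five XOR "layers" collapse into a single keystream whose only secret is the 5-byte magic table the loader stores in plaintext. The multiplier and offsets are the ones the essay reports; all sample data is constructed.

```python
# Model of the IntelliSecure R2 "crypter" as traced in the essay (added example,
# not the essay's or DataEt's code). Sample inputs below are constructed.
MULT = 0x08088405       # the multiplier seen at 0293C (Borland Random() LCG)
BLOCK = 0x2000          # ISR2RT.DAT is processed in $2000-byte steps
LOADER_LEN = 371633     # universal loader length reported in the essay
MAGIC_OFFSET = 371200   # decimal offset of the 5 plaintext magic bytes


def lcg_keystream(seed: int, n: int) -> bytes:
    """One layer of key bytes: state = state*MULT + 1 mod 2^32, key byte =
    high dword of state*$100, i.e. bits 31..24 of the new state."""
    state = seed & 0xFFFFFFFF
    out = bytearray()
    for _ in range(n):
        state = (state * MULT + 1) & 0xFFFFFFFF   # imul edx,[magic],$8088405 ; inc edx
        out.append((state * 0x100) >> 32)         # mul edx ; mov eax,edx ; use al
    return bytes(out)


def xor_layer(block: bytes, seed: int) -> bytes:
    """The loop at 2FC43: XOR one block with one reseeded LCG stream."""
    return bytes(b ^ k for b, k in zip(block, lcg_keystream(seed, len(block))))


def isr2_transform(data: bytes, magic: list) -> bytes:
    """Run the five layers over every $2000-byte block, reseeding each layer
    from its magic byte exactly as the loader does. XOR is its own inverse,
    so the same call both locks and unlocks."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        block = data[off:off + BLOCK]
        for m in magic:
            block = xor_layer(block, m)
        out += block
    return bytes(out)


def combined_keystream(magic: list, n: int) -> bytes:
    """For one block the five passes collapse into a single XOR keystream:
    layering adds nothing, the whole key is the 40 bits of the magic table."""
    ks = bytearray(n)
    for m in magic:
        for i, k in enumerate(lcg_keystream(m, n)):
            ks[i] ^= k
    return bytes(ks)


def magic_from_loader(loader: bytes) -> list:
    """The length check and key extraction the essay's Delphi tool performs."""
    if len(loader) != LOADER_LEN:
        raise ValueError("not an IntelliSecure R2 loader (unexpected length)")
    return list(loader[MAGIC_OFFSET:MAGIC_OFFSET + 5])


if __name__ == "__main__":
    # Constructed stand-ins for a loader and for the program it protects.
    fake_loader = bytes(MAGIC_OFFSET) + bytes([0x11, 0x22, 0x33, 0x44, 0x55])
    fake_loader += bytes(LOADER_LEN - len(fake_loader))
    magic = magic_from_loader(fake_loader)
    original = b"MZ" + bytes(range(256)) * 40         # 10242 bytes: more than one block
    locked = isr2_transform(original, magic)
    assert locked != original
    assert isr2_transform(locked, magic) == original  # XOR round trip
    print("magic bytes:", magic, "- round trip OK")
```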

So guys, now we have all we need for the decrypter. Here is the Delphi code (you may say it's an overbloated language, but I like it a lot... so don't bug me! :)
Of course this decrypter has been written and is being published only in order to demonstrate how utterly useless this kind of protection scheme is; try it out on the target and/or modify and improve it if you find it worthwhile...

{ this obviously needs its forms to work... so don't think you can use it just by cutting & pasting }

------------------------------------------------------------------------------------------------------------

unit isec;

interface

uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
  StdCtrls, ExtCtrls, ComCtrls;

type
  TForm1 = class(TForm)
    Edit1: TEdit;
    Button1: TButton;
    Label1: TLabel;
    Button2: TButton;
    Label2: TLabel;
    Label3: TLabel;
    Bevel1: TBevel;
    Image1: TImage;
    Image2: TImage;
    Image3: TImage;
    Button3: TButton;
    pbar: TProgressBar;
    progress: TStaticText;
    Button4: TButton;
    procedure Button1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
    procedure Button3Click(Sender: TObject);
    procedure Button4Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;
  infile, outfile: TFileStream;
  magic: DWORD;                                  // current LCG state, seeded with one magic byte
  magic1, magic2, magic3, magic4, magic5: Byte;  // the 5 magic bytes read from the loader
  buflength: LongInt;                            // bytes actually read in the current pass
  buf: array [1..$3000] of Byte;                 // work buffer, $2000 bytes used per pass
  temp, nameoffile: string;
  filetorape: file of Byte;

implementation

uses dirbox, Unit3, Unit4;  // the other forms of the GUI live in their own units

{$R *.DFM}

// Main decryption routine: the same loop the loader runs at 0293C / 2FC43.
// For each byte: state := state * $8088405 + 1; key := high byte of state * $100
// (i.e. bits 31..24 of the new state); buffer byte := buffer byte xor key.
procedure decrypt;
label keepon, alldone;
begin
  asm
    pushad
    mov   edx, buflength
    cmp   edx, $0
    jz    alldone                          // nothing was read: nothing to do
    mov   ebx, edx                         // ebx = remaining byte counter
    lea   esi, buf                         // esi = current buffer byte
  keepon:
    mov   eax, $100
    imul  edx, dword ptr [magic], $8088405
    inc   edx
    mov   dword ptr [magic], edx           // store the new LCG state
    mul   edx                              // edx:eax = $100 * state
    mov   eax, edx                         // al = state shr 24
    xor   byte ptr [esi], al
    inc   esi
    dec   ebx
    jne   keepon
    xor   eax, eax
  alldone:
    popad
  end;
end;

procedure TForm1.Button1Click(Sender: TObject);
begin
  form2.show;
end;

procedure TForm1.Button2Click(Sender: TObject);
begin
  if edit1.text = '' then
    showmessage('Please select a .EXE file to be unwrapped!')
  else begin
    nameoffile := UpperCase(edit1.text);
    assignfile(filetorape, nameoffile);
    if fileexists(nameoffile) then begin  // check if the file exists
      reset(filetorape);
      // Check that the selected .EXE is an ISR2 loader by comparing its length
      // with the standard length of the loader (371633 bytes)
      if filesize(filetorape) <> 371633 then begin
        closefile(filetorape);
        showmessage(nameoffile + ' isn''t a valid IntelliSecured file!');
      end
      else begin
        progress.show;
        pbar.show;
        application.processmessages;
        // get the 5 magic bytes from the loader (stored in plaintext at offset 371200)
        seek(filetorape, 371200);
        read(filetorape, magic1);
        read(filetorape, magic2);
        read(filetorape, magic3);
        read(filetorape, magic4);
        read(filetorape, magic5);
        closefile(filetorape);
        temp := extractfilepath(nameoffile) + 'isr2rt.dat';
        try
          infile := TFileStream.Create(temp, fmOpenRead);
          pbar.max := infile.size;
          // the decrypted original overwrites the loader, which carries the original name
          outfile := TFileStream.Create(nameoffile, fmCreate);
          buflength := $2000;
          pbar.step := buflength;
          // decrypt $2000 bytes per pass: 5 XOR layers, each reseeded from its magic byte
          while buflength <> 0 do begin
            buflength := infile.read(buf, $2000);
            magic := magic1; decrypt;
            magic := magic2; decrypt;
            magic := magic3; decrypt;
            magic := magic4; decrypt;
            magic := magic5; decrypt;
            outfile.Write(buf, buflength);
            pbar.stepit;
          end;
          progress.caption := 'Deleting files';
          // The End (my only friend, the end <== The Doors... aaargh I'm goin' really mad
          // tonight :)) Well... delete the unnecessary files now (.DAT, .RTF, etc..)
          pbar.position := 0;
          pbar.max := 6;
          pbar.step := 1;
          outfile.free;
          infile.free;
          temp := extractfilepath(nameoffile);
          filesetattr(temp + 'eula2.rtf', faArchive);
          deletefile(temp + 'eula2.rtf');
          pbar.stepit;
          filesetattr(temp + 'eula1.rtf', faArchive);
          deletefile(temp + 'eula1.rtf');
          pbar.stepit;
          filesetattr(temp + 'captions.dat', faArchive);
          deletefile(temp + 'captions.dat');
          pbar.stepit;
          filesetattr(temp + 'register.rtf', faArchive);
          deletefile(temp + 'register.rtf');
          pbar.stepit;
          filesetattr(temp + 'isr2rt.dat', faArchive);
          deletefile(temp + 'isr2rt.dat');
          pbar.stepit;
          filesetattr(temp + 'report.txt', faArchive);
          deletefile(temp + 'report.txt');
          pbar.stepit;
          pbar.Hide;
          progress.caption := nameoffile + ' has been successfully unwrapped!';
        except
          showmessage('Sorry... I can''t find ISR2RT.DAT');
          pbar.hide;
          progress.hide;
        end;
      end;
    end
    else begin
      showmessage(nameoffile + ' not found!');
      pbar.hide;
      progress.hide;
    end;
  end;
end;

procedure TForm1.Button3Click(Sender: TObject);
begin
  form3.show;
end;

procedure TForm1.Button4Click(Sender: TObject);
begin
  form4.show;
end;

end.

----------------------------------------------------------------------------------------

THE END
(c) xOANINO [UCF/CLASS] 1998

Final Notes

Finally... it took me about 3 hours to write this essay! :) Hope you liked it... and again, shareware programmers: "OPEN YOUR EYES"! Ask crackers if you don't know how to code a decent protection, but please don't give your money to those vampires! Hope this is the last time I write an essay on readymade protections but..... as we always knew... stupid people's mothers are always pregnant :))

Ciao Fravia+, Tot ziens! Bis zum nächsten Mal! Alla prossima!

Ob Duh

I won't even bother explaining to you that you should BUY all relevant target programs if you intend to use them for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find anything on the Warez sites, complete and already regged, farewell.

