not assigned
Control panel applets cracking
by flipper, 1 January 1998
here
Courtesy of Fravia's page of reverse engineering
fravia's comments
This new smart "colored bar" look will be used throughout this new year and is a present of Flipper as well :-) Note that all this is obtained through a simple TABLE, and does not slow down your loading of these pages at all. It would be very nice if all people sending essays would from now on use this as *THE* model to follow.
I don't need to present you neither flipper (one of the best +HCU's contributors and friends) nor this essay, since flipper's approach is outstanding clear. Just read on.
Title
Cracking Seattle Labs' SlMail 2.6 Build 1098
Written by Flipper (upg) on December 30th, 1997.
Rating
( )Beginner (x)Intermediate ( )Advanced ( )Expert
An understanding of how to create a dead listing of a program is required, as well as a basic understanding of procedure calling.
Introduction
It's been a while since my last essay, so I hope this one more than makes up for my leave of absence while trying to program another ultimate protection in Visual Basic. Today we have here another protection that many new crackers have stayed away from, thinking that it was too difficult, or the program files were just too big. Another complaint by newbies is that the protection is not contained inside a DLL or inside just one EXE, it actually spills over into a control panel applet.
Tools Required
Windows Disassembler v8.x
Hackers View v5.66


Of course, you may choose any tools you like to complete the job :-)
Program History
It always helps to look back at a software company's previous protections to get a better undetstanding of the new target's inner workings. In the case of SlMail, the protection scheme used up to v2.4 was a simple date expiry check using GetSystemTime, nothing more. A serial number could be entered from the control panel applet, and a message box alerted you if you made a mistake. SoftIce quickly took care of that little mess, but even I still had problems using a debugger to grab a serial number out of memory.

Knowing that there had to be some kind of date check, I figured why not crack that directly; That would most likely prevent all of my discovered serial numbers from being blacklisted, right?

Seattle Labs likes to make money just like anyone else writing software, so they started using a new protection scheme as of v2.5. Many serial number 'addicts' cried for a new number that would let their precious software run, but alas.. none have surfaced -- the company's investment saved. But wait! Lo and behold, there is another method which I'll show you that involves nothing more than a basic understanding of how any procedure stores and returns a value in register EAX.
T
H
E

E
S
S
A
Y
~ Dead List SLMAIL.CPL

It's in your windows system directory. Don't worry, it's just a control panel applet. It is no different than a normal executable file except it uses CONTROL.EXE as a stub to perform configuration tasks at a system level. Why start with the control panel applet you ask? Because you'll find the method of protection almost instantly. Beginners may need to poke around the code a little before figuring out which jumps to follow, but seasoned crackers will almost immediately see the patch right before their very eyes.

Now, we need to search for a string, preferrably one that puts us right after the protection call. Think logically for a second, (make a chart if you have to) and observe your target. Set the date ahead one year, what happens? Since I've already done all the hard work for you, I'll give you the steps I used to figure out what string to choose.

Set clock ahead one year. Applet still loads, but it says "There are too many lists..." Clearly a violation of the license agreement for our trial period.

Click on the "tab" that shows the registration information. Still says it's in DEMO mode, but at the bottom there's a new message that reads "This version of SlMail expired on..." Well, what did it say before? "This version of SlMail will expire on..."

Clearly, if the program still thinks it's in the demo period, it will run forever. We must search for the string that is displayed on the registration screen, at the bottom, before our trial period is up.


~ Search for "This program will expire on %A, %B %d, %Y"

Use dasm's built in String Reference list to find it, or search for it by hand using CTRL+F. You'll find it at 010B6099.

Look above this string reference for a minute, and gaze deeply into the code.. see anything yet? If you missed it, here's a complete browsable listing of the procedure and the important calls it makes.

Please note that the assembly listing shown has the starting address where the code begins, and the actual commands below without line numbers or file offsets.

* Referenced by a CALL at Addresses:010B4DED, :010B52FD   
|
:010B6040

push FFFFFFFF
push 010F9B78
mov eax, dword ptr fs:[00000000]
push eax
mov dword ptr fs:[00000000], esp
sub esp, 00000008
push esi
mov esi, ecx
push edi
lea ecx, dword ptr [esp+08]
call 010E3375
mov eax, dword ptr [esi+00000140]
lea edi, dword ptr [esi+00000140]
test eax, eax
mov [esp+18], 00000000
je 010B611F
push ecx
mov eax, esp
mov dword ptr [esp+10], esp
push eax
call 010DE6E3
mov ecx, edi
call 010B6350	; call the check procedure and return a value
		  in EAX.
test eax, eax	; an otherwise good protection given away in
		  one line!
je 010B60DC

* "This program will expire on %A, %B %d, %Y"
     |
push 0000073A
lea ecx, dword ptr [esp+0C]
call 010E3A1D
mov ecx, dword ptr [esp+08]
lea edx, dword ptr [esp+0C]
push ecx
push edx
mov ecx, edi
call 010DE6F6
push eax
lea ecx, dword ptr [esi+00000128]
mov [esp+1C], 01
call 010E35B9
lea ecx, dword ptr [esp+0C]
mov [esp+18], 00
call 010E34C0
jmp 010B61BC

* Referenced by a CALL at Addresses:
|:010B49AD, :010B4B17, :010B4B7F, :010B4BE7, :010B4C4F   
|:010B576D, :010B5852, :010B58DA, :010B5962, :010B59EA   
|:010B6090   
|
:010B6350

mov ecx, dword ptr [ecx]
mov edx, dword ptr [esp+04]
xor eax, eax	; set EAX to 0. How quaint.
cmp ecx, edx
setg al
ret 0004
Right before the jump that decides whether or not we're still in the demo period there is a call to a procedure that assigns some values to ECX and EDX. In that same procedure, EAX is set back to 0 with the command 'XOR EAX, EAX'. When the procedure returns there is a 'TEST EAX, EAX' which is testing the zero flag of EAX. Jump if Equal (JE) to 0 right into the code which tells us the program has expired.

A simple deduction can now be made. If EAX is not equal to zero when the procedure returns, the program has expired. At this point, I'm not going to bother exploring the workings of the code, I'll leave that as an exercise for the reader.

Patching SLMAIL.CPL

Load up SLMAIL.CPL with Hackers View (you'll soon see why I settle for nothing less than this extraordinary hex editor).
+-- how to convert dead list addresses for use with 'hiew' --+
|							     |
| find the address you want in the dead listing. let's say   |
| it's 010B6356. All you have to do is change the first 3    |
| digits to zeros, and add a period in front of the number.  |
|                                                            |
| examples						     |
|							     |
| 010B6356 becomes .000B6356	00408BF1 becomes .00008BF1   |
|                                                            |
+------------------------------------------------------------+
Press F5, type in .000B6356 and press enter. You'll soon find yourself at the proper location with the cursor positioned over the bytes 33 C0.

Press F3 and type right over top of those bytes either one of these two possibilities. Since we don't want EAX to ever equal 0, the XOR statement must be replaced by code that does not affect the status of EAX. Two NOPs will do the trick, but I like the INC EAX/DEC EAX approach. They both have no effect on EAX.
   1. 90 (NOP)			2. 40 (INC EAX)
      90 (NOP)			   48 (DEC EAX)
~ Dead List SLMAIL.EXE

Same deal, only this time we know what the protection code will most likely have the same TEST EAX, EAX instruction somewhere after a license violation messagebox.

Set clock ahead one year. Program still loads, but it says "Registration check has failed." Clearly a violation of the license agreement for our trial period once again.

Same old trick as before, if the program thinks it's in the demo period, it will run forever. We must search for the string that is displayed upon loading the program after the demo period has expired.


~ Search for "Registration check has failed."

Below is a listing of the code, with all important calls linked so you can follow the path of execution. Once again I'll be showing the quickest route to the protection code. When cracking, it's always a good idea to 'trace' through an important procedure/function call just to make sure you haven't missed anything. In this case, it paid off.
:0041F057

"SLMail Control Panel"
     |
mov ebp, 00000001
push esi
push edx
mov dword ptr [esp+24], ebp
call 0041EB80
mov ecx, dword ptr [esp+24]
add esp, 0000000C
test ecx, ecx
mov dword ptr [0045B594], eax
jne 0041F08C
mov eax, dword ptr [0045B5E0]
push edi
push esi

* "Registration check has failed."
     |
push 00001459
push eax

* USER32.LoadStringA
     |
Call dword ptr [0045D6FC]
jmp 0041F0B2

* Referenced by a CALL at Address:0041F062   
|
:0041EB80

call 00420C10
mov ecx, dword ptr [esp+04]
mov dword ptr [ecx], eax

* Referenced by a CALL at Addresses:0041EB80   , :0042D98E   
|
:00420C10

sub esp, 00000020
lea eax, dword ptr [esp]
lea ecx, dword ptr [esp+10]
push eax
push ecx
call 004211A0
add esp, 00000008
test eax, eax
je 00420C44
lea edx, dword ptr [esp]
lea eax, dword ptr [esp+10]
push edx
push eax
call 00420BA0
add esp, 00000008
neg eax
sbb eax, eax
inc eax
add esp, 00000020
ret

* Referenced by a CALL at Address:00420C1D   
|
:004211A0

sub esp, 0000003C

>> large ammount of code removed to save space.

call 00438060
add esp, 00000030
test eax, eax
jne 0042131D

* Referenced by a Jump at Address:0042121E(C)
|
:0042131D

mov eax, dword ptr [esp+50]

>> large amount of code removed to save space.

cmp word ptr [eax+06], 0000
jne 0042136B
xor eax, eax	; set EAX to 0. What a surprise.
pop edi
pop esi
pop ebp
pop ebx
add esp, 0000003C
ret
What do we have here? Before the message box there is a call that takes us deep into the code.. but if we trace through the clutter and spend a little time organizing our thoughts, we'll soon see the jump to the final block of code where EAX is set back to zero. Since we don't want EAX equalling zero (thus bypassing the license violation) after the demo period has expired, we'll use the same technique as described above.

Patching SLMAIL.EXE

Load up SLMAIL.EXE with Hackers View. Press F5, type in .00021361 and press enter. You'll soon find yourself at the proper location with the cursor positioned over the bytes 33 C0.

Press F3 and type right over top of those bytes either one of these two possibilities. Since we don't want EAX to ever equal 0, the XOR statement must be replaced by code that does not affect the status of EAX. Two NOPs will do the trick, but I like the INC EAX/DEC EAX approach. They both have no effect on EAX.
   1. 90 (NOP)			2. 40 (INC EAX)
      90 (NOP)			   48 (DEC EAX)
That's as far as we have to go with SlMail. The control panel applet will never expire (thus allowing you to manage the user database without the restrictions imposed by the demo version), and the main program will never expire allowing you to actually process the mail. A pair of nice byte patches for a well written program.
Ob duh
I wont even bother explaining you that you should BUY this program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.
Final Notes
I just wanted to thank all those who need thanking before I forget. Greets to fravia+ for the best page on the net, and to +RCG for one hell of a protection.

Before I finish up this essay, I just wanted to say a few words to all newbie crackers who tried to crack SlMail and just couldn't find the right code fragment, etc. Don't be discouraged. Cracking takes time, and as we all learn to break more and more complex protections, the more challenging the good non-commercial protection schemes get. Protectors (slowly) learn too. I can remember a time when most computer users either had an Atari or a C64, and a program by the name of GEOS was being shown off as the 'windows' clone of the decade. What Micro$oft had stolen from Xerox and IBM, Berkely Softworks decided a Commodore port was in order. Using such tricks as half-tracking and physical disk sector density checks, no one was able to copy this widely used desktop application. Time passed, and finally a cracker broke the protection (which was by now used on _every_ major C64 game at the time, about a year later) and many software companies went under, due to the fact that all of their software was now being pilfered over QuantumLink and Compuserve. The golden age of cracking died out long before IBMs took over the corner of your office cubicle, but it has now returned like never before. Thanks to +ORC and his students you too can learn to defeat the latest and greatest protections -- and that my friends, is just the beginning of a new golden era in cracking.

(c) flipper (upg) 12/30/97 All rights reversed.
way out
You are deep inside fravia's page of reverse engineering, choose your way out:

redhomepage redlinks redanonymity +ORC redstudents' essays redacademy database
redtools redcocktails redantismut CGI-scripts redsearch_forms redmail_fravia+
redIs reverse engineering legal?