"A Software Licensing System designed to provide invisible security"
(Spectralab 4.32: How to PATCH)

by +joNaH

(11 November 1997, slightly edited by Fravia)

Courtesy of Fravia's page of reverse engineering

Well, a new cracker with a new essay. Poor application programmers of the shareware world! Condemned to fall prey of crooks that devise half-ready abominable code concoctions and then even SELL such crap (protecting for money... quelle vulgarité) to the shareware authors, gulling the poor chaps into a "Software Licensing System designed to provide invisible security"... Nonetheless! Read and enjoy (that is... if you are a cracker. If you are a shareware programmer, read and learn!)

How to PATCH ------------ by +joNaH (a new philosophy lesson)
TARGET : Spectralab 4.32 Hi and thanks, to all my friends, and especially to fravia+, and +gThorne, who do such a huge work for us and for our science. We will never be able to thank +Orc enough as he should be, because +he is the origin of ALL we have done and will do. Today, I want to teach you something that nobody has already teached. I want you to teach you how to PATCH. Yes, "patching" can sometimes be called "cracking", but for me there is a little difference : When you patch, you try to avoid to reverse engineer the code decrypting routines, the huge mathematical protection schemes. Why loose so much time trying to reverse assembly to obtain complicated formulas ? You could instead go out, walk, look at the birds, listen to their songs...and be happy to be here, on this earth, with such a sunny and beautiful weather...and LIVE! The patchers are the guys who really FEEL the code, who sniff it to find where the protection scheme hide itself, and who find a solution to bypass it. Patching can also consist in adding some new features to a program (look at the nice Real Audio essay), or all what makes the code do something different as what he should do (look at the EXCELLENT advanced cracking section, you'll find a WONDERFUL series of essays about IDA Pro 3.7). But I accept that some people want absolutely to make their own key generators... I simply think that there are enough of them (look at the web and you'll find WITHOUT searching ALL the serial which exist in the world -- BTW, for most of them, there was no crack but only someone, who knew someone, who knew someone else, who know a friend whose father bought the soft and then lost the serial to THE WHOLE ME-TOO LUSER WORLD), whereas there are not enough PATCHERS. To end this intro, let me add that you should remember that ALL what you put on the Web is automatically given to the entire world. Ok, now it's time to sniff some code... Some days ago, a friend of mine gave me an address to find a very nice Spectrum Analyser : SpectraLab. You can find it at http://www.pmgrp.com/lab432.exe (2,53Mb) As you will see, this program is pretty nice if you need or want to add spectral analysis function to your computer. There is only one problem : the program is full featured, but only lasts for 30 days on your computer...which is really not enough to evaluate it as it deserves. So I ran the installation program and then I looked to the changes it made to my hard-disk: it just added its executable files, the data files and the samples in several subdirectories, in C:\SPECLAB\ ; it also added some files in the start Menu, and an "odd" file inside the \Windows\System directory. Nothing in the registry. Ok, I expected for once an uncommon protection scheme. Then, before running the target for the first time, I have read its text files. Inside readme.txt, I found the following: - ================================ - LICENSING FILES - ================================ - This program will write the following licensing files to your hard disk - in the \BIN subdirectory: - - SOFTEST.ENT - SOFTEST.KEY - SOFTEST.RST - SPECPLUS.41S (Win95 only) - - These are hidden files. Do not move or delete them or the program - license will not operate correctly. - - Since these files are marked as hidden system files, disk defragmenting - utilities will not move them unless you override the default settings.- - - Anti-Virus programs (such as Norton Utilities) that directly modify files - will cause problems with the licensing files. Make sure you exclude the - \BIN directory if you use such programs. - If you are running Norton Speed Disk, choose - . Specify that the *.ENT, *.KEY, *.RST, and *.41S files cannot - be moved and then Speed Disk can be run without having any affect on the - licensing. Remember to do a in - order to save the new profile. I looked in my spying report, but I did not see any of these key files. This is because the license is not created yet: the target will create the "temporary 30 days license" only when you run it for the first time. In Disclaim.txt, I read : - PROTECTION: This SOFTWARE is protected by a Software Licensing System - (herein referred to as SLS). It is designed to provide invisible security - and complete flexibility of the licensing of the SOFTWARE product. The SLS - utilizes advanced security technology and thereby does not use or require a - Hardware Key (dongle) that typically fits on the parallel or serial port as - do other types of securities systems, although the type of protection - offered by SLS is similar to a hardware-based security system. Nor does it - use a Disk Key. Instead the SLS is software-based and thereby generates a - unique SiteCODE for each computer system. A mating Authorization KEY is - required in order to Authorize the SOFTWARE for either Permanent use if paid - for or on a limited Temporary basis for demonstration and/or evaluation - purposes. - Note: The SOFTWARE can not run if it is not authorized to do so. The SLS - achieves this level of protection by using a combination of the hardware - already present in your computer and sophisticated encryption algorithms. - The authorization code (Authorization KEY) that you have been provided will - work on only the computer it was authorized for. IMPORTANT NOTE: Once your - present SiteCODE accepts a matching Authorization KEY, your SiteCODE will - automatically change. You cannot copy your Authorized Authorization KEY to - other computers for simultaneous operation, however your license may be - transferred to any other computer by uninstalling it off one machine and - moving it to another. (Desktop to Laptop or visa versa). - - Once the program is authorized, the protection is invisible to the user, as - if it was not there. As mentioned previously, your SiteCODE will change - once a mating Authorization KEY has been accepted to allow future options to - be added at anytime by acquiring a new Authorization KEY from your local - authorized ST sales subsidiary where you purchased the product and/or SOUND - TECHNOLOGY Licensing Dept. - HOW THE LICENSING SYSTEM WORKS: - - 1. Once the SOFTWARE is installed on your hard disk, it uses CrypKey to - report a site specific "SiteCODE" to the user. - - 2. The user telephones, faxes, emails this SiteCODE to the appropriate - authorized ST Licensing Dept. - - 3. A "Authorization KEY" is issued that authorizes the SOFTWARE to run as - many times, or for as long as you want. Two types of Authorization KEYS are - available to authorize the SOFTWARE for operational use: - - TEMPORARY LICENSE: Authorizes the user to install and evaluate the - SOFTWARE during a set period of time. During the authorized Demo Period, - depending on the operating system employed in your computer, the SOFTWARE - will either generate an automatic temporary KEY for a limited period of time - or runs to allow you to evaluate a fully functioning SOFTWARE product and - thereby test its compatibility with other products and systems or, if an - Automatic Temporary KEY is not generated by the SOFTWARE, you can contact - the Licensing Dept., and request a Manual Temporary KEY for a time limited - evaluation purpose. Interesting, isn't it? Hey, +crackers, are you scared? What is your approach when you read something like that? Do you really want to try to find in the assembly listing the crypting/decrypting procedure in order to find, after a long work, a key which would register you as a NEVER ENDING licensed user? I believe it is possible, but I also believe that if you would have taken such an approach, you would have been quite crazy. Then I ran the target for the first time. A window popped, as expected : "Do you want to create a 30 days temporary license? It would take a minute or so." I answered Yes, and then the software looked very deep into my computer, dig out some buried data, calculated some formulas I would never even know the existence, and finally it created the 4 key files mentioned inside the readme.txt above. But the protectionists lied: it also created 11 identical HIDDEN files, 4 bytes long, each file being placed in a DIFFERENT directory, with a DIFFERENT name, RANDOMLY chosen into your HD (but preferably in directories containing at least 20 files...so that the average luser would not remark them...:-). For instance, it created the file IOU.SYS in C:\, the file BSL.PG in C:\WINDOWS\SYSTEM\COLOR\, or the file DGD.C inside the subdirectory C:\OFFICE95\EXCEL, etc. A lot of litter, btw. Odd, isn't? I don't like programmers who lie and create files without warning the user, so I decided to defeat the protection as soon as possible, i.e. IMMEDIATELY. First, I deleted all these 4 bytes garbage files which took and waste place on my hard-disk. Second, I changed my computer date several days (5) ahead, then I ran the target a second time. A window popped up, saying "You have 25 days left". I put back my date to the correct one, and then a other window popped : "You put back your computer date - The temporary period ends now" or something like that. A nasty stupid 'revenge' protection scheme. I deleted all the licensing and key files added by the first run, and even completely deleted the target, and reinstalled it, but it was always the same: the protection scheme kept notice that it had already been installed on my machine. However, every time you reinstall you can access the program. But each time you press the "RUN" button (to begin an analysis), a MessageBox tells you that "You are not authorized to use this function.", and then open a window with the licensing information: NO authorization, for ANY of the functions. So, I relaxed, I took a deep breathe, and I thought about my target... ...and I decided to try the "LIVE" approach, my beloved approach, the best approach IMO for this type of protection. 1) First Patch : the Standard Analyser function (Main function) ------------------------------------------------------------ My target is the last Box : "You are not authorized...". I put some bpx on MessageBox, MessageBoxA, but Softice didn't take control when the evil NagMessage appeared. That's because, the prog used the procedure MessageBoxExa, which is often called (but not always!) by the main MessageBox procedure. Now Softice pops up. When you land in MessageBoxExa, just type F11, and FEEL the code. Feeling the code means: magnify softice's Code window, and then use your finger to push and release the following keys : Up arrow, Down arrow, Page Up, Page Down, and the tracing keys : F8, F10, F12. It means that you have to use your eyes and your BRAIN too. What are we seeking? We just have one target: a JZ or a JNZ which would have said to our program that we are a good guy, that we are allowed to evaluate it as long as we want, before buying it (if it is worth, I will decide in due time :=) I you have the right feelings, you will do the equivalent of pressing twice the F12 key. And you'll land in an interesting snippet of code in SOFTEST.EXE, the main executable file: now, if you "up arrow" some lines, you'll read : CALL 43A3D2 POP ECX TEST EAX,EAX JNZ 412063 ; HERE!!!!!! PUSH 01 PUSH EBX CALL 439FE6 ADD ESP,8 ... ... CALL 43A42D ; "You are not authorized to..." ... The JNZ is VERY interesting, it is the only jump which jump over a big amount of code... they did not even have the brain to 'smear' their code with a ton of faked useless conditional jumps (not that it would have helped... yet a commercial protection should at least try not being exceedingly obvious) So I bpxed it. When Softice popped up, I simply did a "RIP 412063", and then, my friends, it WORKS!!! Wow! The prog opened the analyser box, and began to display the spectrum of the nice sounds coming from my CD drive! First, I could not believe it: a paranoid (in words) protection scheme beaten by a single "JNZ to JMP" patch! Well, protectionists, where did you find the effrontery to sell your "heavy, complicated and dongle-like protection", to poor nice little programmers who don't even know that a single byte patch is more than enough to defeat your software? I can't understand. Or yes, I can: as +ORC said, the programmers have reached a laziness level so high that they don't know any more what is a program: a series of bytes, each byte having a special signification, so that it can be patched, and this makes us patchers feel better, in a commercial world, where money is the only thing which is important for about 95% of the people. With this first patch, we realized the same percentage of 'score' of the total patch below, because we know yet that this scary protection is less than nothing. +Crackers, would you keep your attitude, saying that the "REAL" or "TRUE" way is to copy each instruction on paper, to decode mathematical procedures after hours of work? Do you think it is worth it? Do you think that my dog could fly like a bird? Be serious, and learn that VERY often, you don't need to loose time to understand mathematical procedures. 2) Second Patch : the universal patch ---------------------------------- This patch authorize ALL the options which are in the License Status Box (the Window which was opened after saying that we are not authorized. .etc.). I used exactly the same approach : bpx MessageBoxExa, to pop up in the middle of a procedure which is called each time you want to use a special function like "Multicolor 3D surface display", "Full color spectrogram display", or "Advanced Octave analysis" etc. -- there are about 10 'blocked' "options" like that. So, after the bpx, the "CTRL-D", and some intelligent "keyboard fingering", you land here : ... CALL 004C331C ; the "Is_it_a_nice_authorized_person?" function ADD ESP,8 TEST EAX,EAX ; test the flag JNZ ; Where_the_nice_guy_should_go ... Do you remember all that scary text above? No, that can't be true. Yes it is: they used EXACTLY the SAME type of code to test if you are allowed or not to use the special features... And that's true with ALL the special features of the program : they all call the same procedure 4C331C ! Mesdames et Messieurs, le protection est morte! Yes, just enter the relevant procedure, and look at its end : you'll find something like that : ... CALL Subfunction ADD ESP,8 L1:TEST EAX,EAX ; one more time!!!!!! ah ah ah L2:JNZ Good_guy L3:XOR EAX,EAX Good_guy : POP ECX ... RET Obviously, you already know what you can do : for example replacing L1,L2,L3 (three 2 bytes instruction) with MOV EAX,1 and a NOP (a 5 bytes instruction and a 1 byte instruction). Now, after you launch SpectraLab, you can access to ALL the features of the program. Moreover, when you open the License Status, you'll see that every option is followed by the word "Authorized" : quite a good confirmation that your patch was the right one. Conclusion : when commercial programmers buy expensive commercial protection (for sure, this protection seems certainly like one of the most expensive software protection I have ever reversed), they loose their money, because the result is the same as if they had given the program for free. 3) Third and fourth Patches : the anti-Nag Boxes patches ----------------------------------------------------- There are just two things which are not nice : when you double click on the SpectraLab icon, before entering the program (full-featured now, thanks to its pathetic protection scheme, we are now reversing on a non-limited copy of it), you have to pass through two boxes : The first one to ask you if you want to create a temporary license (if you answer yes, another box pops up, saying that you already have it and that the program will run with no functionalities, even if this is now false :-) The second one is a box saying that you are Unlicensed, and use a delay of several seconds (and we don't wanna loose our precious time :-) I let these patches as a 2 minutes exercise with Softice, as once more, they use the same type of instructions : you just have to bpx on MessageBoxExa, and then to force 2 JMPs to go somewhere else. It is so easy I could laugh (and the shareware programmers that have bought this crap could cry)... 4) General Conclusion and remarks ------------------------------ Summary of the 2 first patches : 1) Look for : E8C5830200 59 85C0 7551 6A01 and change in : ---------- -- ---- EB-- ---- 2) Look for : E8E9FDFFFF 83C408 85C0 7505 33C0 5B and change in : ---------- ------ B801 0000 0090 -- 3) and 4) patches : find them yourself! It's dead easy! And remark that you don't even need to have your 4 key files in your \BIN directory ; BTW, if you delete them, the proggy will create 4 new files. And the 3 files SOFTEST.ENT, SOFTEST.RST, and SOFTEST.KEY will now contain no more binary keys, but these words : "DO_NOT_DISTURB". Quite humorous, isn't it? Note that you MUST delete the program from your hard-drive, as I already did, of course, after you completely evaluate it (this lesson is for education purpose only, and it just allow pretty unlucky users, like me, who set their clock back without malice, to recover the all-featured program for their allowed 30 days). That's all, folks. To give you an idea, this patch took me less than one hour, from the beginning of the download to the end of the fourth patch. This tutorial took me about 2.30 hours... but I think it was worth it, especially for the +young crackers who don't follow yet +Orc philosophy, which, I hope, is like mine. Remember to use only your brain , intead of using BOTH your time and your brain. "If you give a man a Key Generator, or a ready-made crack, he'll loose his time (and his life); but if you teach him how to PATCH, he'll be happy to defeat in a couple of minutes commercial protection built during hours of (not very clever) work and sold for MONEY." +joNaH '97 ALL RIGTHS RESERVED -------------------------------
(c) +joNaH 1997. All rights reversed
You are deep inside fravia's page of reverse engineering, choose your way out:

homepage links red anonymity +ORC students' essays academy database
tools cocktails antismut CGI-scripts search_forms mail_fravia
Is reverse engineering illegal?