"A Software Licensing System designed to provide invisible security"
(Spectralab 4.32: How to PATCH)

by +joNaH

(11 November 1997, slightly edited by Fravia)

---

Courtesy of Fravia's page of reverse engineering

Well, a new cracker with a new essay. Poor application programmers of the shareware world! Condemned to fall prey of crooks that devise half-ready abominable code concoctions and then even SELL such crap (protecting for money... quelle vulgarité) to the shareware authors, gulling the poor chaps into a "Software Licensing System designed to provide invisible security"... Nonetheless! Read and enjoy (that is... if you are a cracker. If you are a shareware programmer, read and learn!)

How to PATCH 
------------
by  +joNaH

 (a new philosophy lesson)



TARGET : Spectralab 4.32

Hi and thanks, to all my friends, and especially to fravia+, 
and +gThorne, who do such a huge work for us and for our science.
We will never be able to thank +Orc enough as he should be, 
because +he is the origin of ALL we have done and will do.

Today, I want to teach you something that nobody has already teached.
I want you to teach you how to PATCH.
Yes, "patching" can sometimes be called "cracking", but for me 
there is a little difference : 

When you patch, you try to avoid to reverse engineer the code
decrypting routines, the huge mathematical protection schemes.
Why loose so much time trying to reverse assembly to obtain 
complicated formulas ? You could instead go out, walk, look at
the birds, listen to their songs...and be happy to be here, on
this earth, with such a sunny and beautiful weather...and LIVE! 
The patchers are the guys who really FEEL the code, who sniff it
to find where the protection scheme hide itself, and who find 
a solution to bypass it.

Patching can also consist in adding some new features to a program 
(look at the nice Real Audio essay), or 
all what makes the code do something different as what he should do 
(look at the EXCELLENT advanced cracking section, you'll find a 
WONDERFUL series of essays about IDA Pro 3.7).

But I accept that some people want absolutely to make their own
key generators...  I simply think that there are enough of them
(look at the web and you'll find WITHOUT searching ALL the serial
which exist in the world -- BTW, for most of them, there was no
crack but only someone, who knew someone, who knew someone else,
who know a friend whose father bought the soft and then lost the
serial to THE WHOLE ME-TOO LUSER WORLD), whereas there are 
not enough PATCHERS.
To end this intro, let me add that you should remember that ALL what
you put on the Web is automatically given to the entire world.
 
Ok, now it's time to sniff some code...

Some days ago, a friend of mine gave me an address to find a very nice 
Spectrum Analyser : SpectraLab.
You can find it at http://www.pmgrp.com/lab432.exe (2,53Mb)

As you will see, this program is pretty nice if you need or want to
add spectral analysis function to your computer.
There is only one problem : the program is full featured, but only
lasts for 30 days on your computer...which is really not enough to 
evaluate it as it deserves.

So I ran the installation program and then I looked to the changes it
made to my hard-disk: it just added its executable files, the data
files and the samples in several subdirectories, in C:\SPECLAB\ ;
it also added some files in the start Menu, and an "odd" file inside
 the \Windows\System directory.

Nothing in the registry. Ok, I expected for once an uncommon 
protection scheme.
Then, before running the target for the first time, I have read 
its text files.

Inside readme.txt, I found the following: 
- ================================
- LICENSING FILES
- ================================
- This program will write the following licensing files to your hard  disk
- in the \BIN subdirectory: 
- 
-    SOFTEST.ENT
-    SOFTEST.KEY
-    SOFTEST.RST
-    SPECPLUS.41S  (Win95 only)
-
- These are hidden files.  Do not move or delete them or the program
- license will not operate correctly.  
-
- Since these files are marked as hidden system files, disk defragmenting 
- utilities will not move them unless you override the default settings.-
-
- Anti-Virus programs (such as Norton Utilities) that directly modify files 
- will cause problems with the licensing files.  Make sure you exclude the
- \BIN directory if you use such programs.

- If you are running Norton Speed Disk, choose   

- .  Specify that the *.ENT, *.KEY, *.RST, and *.41S files cannot
- be moved and then Speed Disk can be run without having any affect on the
- licensing.  Remember to do a     in
- order to save the new profile.

I looked in my spying report, but I did not see any of these key files.
This is because the license is not created yet: the target will create the
"temporary 30 days license" only when you run it for the first time.

In Disclaim.txt, I read :

- PROTECTION:  This SOFTWARE is protected by a Software Licensing System
- (herein referred to as SLS). It is designed to provide invisible security
- and complete flexibility of the licensing of the SOFTWARE product.  The SLS
- utilizes advanced security technology and thereby does not use or require a
- Hardware Key (dongle) that typically fits on the parallel or serial port as
- do other types of securities systems, although the type of protection
- offered by SLS is similar to a hardware-based security system.  Nor does it
- use a Disk Key.  Instead the SLS is software-based and thereby generates a
- unique SiteCODE for each computer system.   A mating Authorization KEY is
- required in order to Authorize the SOFTWARE for either Permanent use if paid
- for or on a limited Temporary basis for demonstration and/or evaluation
- purposes.
 - Note:  The SOFTWARE can not run if it is not authorized to do so.  The SLS
- achieves this level of protection by using a combination of the hardware
- already present in your computer and sophisticated encryption algorithms.
- The authorization code (Authorization KEY) that you have been provided will
- work on only the computer it was authorized for. IMPORTANT NOTE:  Once your
- present SiteCODE accepts a matching Authorization KEY, your SiteCODE will
- automatically change.  You cannot copy your Authorized Authorization KEY to
- other computers for simultaneous operation, however your license may be
- transferred to any other computer by uninstalling it off one machine and
- moving it to another. (Desktop to Laptop or visa versa).
- 
- Once the program is authorized, the protection is invisible to the user, as
- if it was not there.  As mentioned previously, your SiteCODE will change
- once a mating Authorization KEY has been accepted to allow future options to
- be added at anytime by acquiring a new Authorization KEY from your local
- authorized ST sales subsidiary where you purchased the product and/or SOUND
- TECHNOLOGY Licensing Dept. 

- HOW THE LICENSING SYSTEM WORKS:
-
- 1.  Once the SOFTWARE is installed on your hard disk, it uses CrypKey to
- report a site specific "SiteCODE" to the user.
-
- 2.  The user telephones, faxes, emails this SiteCODE to the appropriate
- authorized ST Licensing Dept.
-
- 3.   A "Authorization KEY" is issued that authorizes the SOFTWARE to run as
- many times, or for as long as you want. Two types of Authorization KEYS are
- available to authorize the SOFTWARE for operational use: 
-
- TEMPORARY LICENSE: Authorizes the user to install and evaluate the
- SOFTWARE during a set period of time.  During the authorized Demo Period,
- depending on the operating system employed in your computer, the SOFTWARE
- will either generate an automatic temporary KEY for a limited period of time
- or runs to allow you to evaluate a fully functioning SOFTWARE product and
- thereby test its compatibility with other products and systems or, if an
- Automatic Temporary KEY is not generated by the SOFTWARE, you can contact
- the Licensing Dept., and request a Manual Temporary KEY for a time limited
- evaluation purpose. 

Interesting, isn't it?
Hey, +crackers, are you scared?
What is your approach when you read something like that?
Do you really want to try to find in the assembly listing the 
crypting/decrypting procedure in order to find, after a long 
work, a key which would register you as a NEVER ENDING 
licensed user?
I believe it is possible, but I also believe that if you would have 
taken such an approach, you would have been quite crazy.

Then I ran the target for the first time.
A window popped, as expected : "Do you want to create a 30 days 
temporary license? It would take a minute or so."
I answered Yes, and then the software looked very deep into my 
computer, dig out some buried data, calculated some formulas I 
would never even know the existence, and finally it created the 
4 key files mentioned inside the readme.txt above.

But the protectionists lied: it also created 11 identical HIDDEN files, 
4 bytes long, each file being placed in a DIFFERENT directory, with a 
DIFFERENT name, RANDOMLY chosen into your HD (but preferably in 
directories containing at least 20 files...so that the average luser would 
not remark them...:-).
For instance, it created the file IOU.SYS in C:\, the file BSL.PG in 
C:\WINDOWS\SYSTEM\COLOR\, or the file DGD.C inside the 
subdirectory C:\OFFICE95\EXCEL, etc. A lot of litter, btw.
Odd, isn't?

I don't like programmers who lie and create files without warning the 
user, so I decided to defeat the protection as soon as possible, i.e. 
IMMEDIATELY.
First, I deleted all these 4 bytes garbage files which took and waste
place on my hard-disk.
Second, I changed my computer date several days (5) ahead, then I 
ran the target a second time.
A window popped up, saying "You have 25 days left".
I put back my date to the correct one, and then a other window popped : 
"You put back your computer date - The temporary period ends now" or 
something like that. A nasty stupid 'revenge' protection scheme.

I deleted all the licensing and key files added by the first run,
and even completely deleted the target, and reinstalled it, but it 
was always the same: the protection scheme kept notice that it 
had already been installed on my machine.
However, every time you reinstall you can access the program.
But each time you press the "RUN" button (to begin an analysis), 
a MessageBox tells you that "You are not authorized to use this 
function.", and then open a window with the licensing information: 
NO authorization, for ANY of the functions.

So, I relaxed, I took a deep breathe, and I thought about my target...
...and I decided to try the "LIVE" approach, my beloved approach, 
the best approach IMO for this type of protection.



1) First Patch : the Standard Analyser function (Main function)
   ------------------------------------------------------------

My target is the last Box : "You are not authorized...".
I put some bpx on MessageBox, MessageBoxA, but Softice 
didn't take control when the evil NagMessage appeared.
That's because, the prog used the procedure MessageBoxExa, 
which is often called (but not always!) by the main MessageBox 
procedure.

Now Softice pops up.
When you land in MessageBoxExa, just type F11, and FEEL the code.
Feeling the code means: magnify softice's Code window, and then
use your finger to push and release the following keys : Up arrow, Down
arrow, Page Up, Page Down, and the tracing keys : F8, F10, F12.
It means that you have to use your eyes and your BRAIN too.
What are we seeking?
We just have one target: a JZ or a JNZ which would have said to our
program that we are a good guy, that we are allowed to evaluate it as
long as we want, before buying it (if it is worth, I will decide in due 
time :=)

I you have the right feelings, you will do the equivalent of pressing
twice the F12 key.
And you'll land in an interesting snippet of code in SOFTEST.EXE, 
the main executable file: now, if you "up arrow" some lines, you'll read : 

CALL 43A3D2
POP  ECX
TEST EAX,EAX
JNZ  412063    ; HERE!!!!!!
PUSH 01
PUSH EBX
CALL 439FE6
ADD  ESP,8
...
...
CALL 43A42D    ; "You are not authorized to..." 
...
 
The JNZ is VERY interesting, it is the only jump which jump over 
a big amount of code... they did not even have the brain to 'smear' 
their code with a ton of faked useless conditional jumps  (not that 
it would have helped... yet a commercial protection should at least 
try not being exceedingly obvious)

So I bpxed it.

When Softice popped up, I simply did a "RIP 412063", and then, my 
friends, it WORKS!!! Wow!

The prog opened the analyser box, and began to display the spectrum of
the nice sounds coming from my CD drive!
First, I could not believe it: a paranoid (in words) protection scheme 
beaten by a single "JNZ to JMP" patch!

Well, protectionists, where did you find the effrontery to sell your 
"heavy, complicated and dongle-like protection", to poor nice little 
programmers who don't even know that a single byte patch is more 
than enough to defeat your software? 

I can't understand. Or yes, I can: as +ORC said, the programmers have
reached a laziness level so high that they don't know any more what is
a program: a series of bytes, each byte having a special signification,
so that it can be patched, and this makes us patchers feel better, in a 
commercial world, where money is the only thing which is important for
about 95% of the people.

With this first patch, we realized the same percentage of 'score' of the
total patch below, because we know yet that this scary protection is less 
than nothing.
+Crackers, would you keep your attitude, saying that the "REAL" or 
"TRUE" way is to copy each instruction on paper, to decode 
mathematical procedures after hours of work?
Do you think it is worth it?
Do you think that my dog could fly like a bird?
Be serious, and learn that VERY often, you don't need to loose time to 
understand mathematical procedures.


2) Second Patch : the universal patch 
   ----------------------------------

This patch authorize ALL the options which are in the License Status
Box (the Window which was opened after saying that we are not 
authorized. .etc.).

I used exactly the same approach : bpx MessageBoxExa, to pop up in
the middle of a procedure which is called each time you want to use
a special function like "Multicolor 3D surface display", "Full 
color spectrogram display", or "Advanced Octave analysis" etc. -- there
are about 10 'blocked' "options" like that.

So, after the bpx, the "CTRL-D", and some intelligent "keyboard 
fingering", you land here : 

...
CALL 004C331C             ; the "Is_it_a_nice_authorized_person?" function
ADD  ESP,8
TEST EAX,EAX              ; test the flag
JNZ  			; Where_the_nice_guy_should_go
...

Do you remember all that scary text above?
No, that can't be true. 
Yes it is: they used EXACTLY the SAME type of code to test
if you are allowed or not to use the special features...
And that's true with ALL the special features of the program : they all
call the same procedure 4C331C !
Mesdames et Messieurs, le protection est morte!
Yes, just enter the relevant procedure, and look at its end : you'll 
find something like that : 

           ...
	   CALL Subfunction
	   ADD  ESP,8
	L1:TEST EAX,EAX  ; one more time!!!!!! ah ah ah 
	L2:JNZ  Good_guy
	L3:XOR  EAX,EAX
Good_guy : POP  ECX
           ...
           RET  

Obviously, you already know what you can do : for example replacing
L1,L2,L3 (three 2 bytes instruction) with MOV EAX,1 and a NOP (a 5 bytes
instruction and a 1 byte instruction).

Now, after you launch SpectraLab, you can access to ALL the features of
the program. Moreover, when you open the License Status, you'll see that
every option is followed by the word "Authorized" : quite a good 
confirmation that your patch was the right one.

Conclusion : when commercial programmers buy expensive commercial 
protection (for sure, this protection seems certainly like one of the most 
expensive software protection I have ever reversed), they loose their money, 
because the result is the same as if they had given the program for free.


3) Third and fourth Patches : the anti-Nag Boxes patches 
   -----------------------------------------------------
There are just two things which are not nice : 
when you double click on the SpectraLab icon, before entering the 
program (full-featured now, thanks to its pathetic protection scheme,
we are now reversing on a non-limited copy of it), you have to pass 
through two boxes : 
The first one to ask you if you want to create a temporary license (if 
you answer yes, another box pops up, saying that you already have it 
and that the program will run with no functionalities, even if this is 
now false :-) 
The second one is a box saying that you are Unlicensed, and use a delay 
of several seconds (and we don't wanna loose our precious time :-)

I let these patches as a 2 minutes exercise with Softice, as once more,
they use the same type of instructions : you just have to bpx on 
MessageBoxExa, and then to force 2 JMPs to go somewhere else.
It is so easy I could laugh (and the shareware programmers that 
have bought this crap could cry)...


4) General Conclusion and remarks
   ------------------------------

Summary of the 2 first patches : 

1) Look for       : E8C5830200 59 85C0 7551 6A01
   and change in  : ---------- -- ---- EB-- ----

2) Look for       : E8E9FDFFFF 83C408 85C0 7505 33C0 5B
   and change in  : ---------- ------ B801 0000 0090 --

3) and 4) patches : find them yourself! It's dead easy!

And remark that you don't even need to have your 4 key files in 
your  \BIN directory ; BTW, if you delete them, the proggy will 
create 4 new files.
And the 3 files SOFTEST.ENT, SOFTEST.RST, and SOFTEST.KEY 
will now contain no more binary keys, but these words : 
"DO_NOT_DISTURB". Quite humorous, isn't it?

Note that you MUST delete the program from your hard-drive, as I 
already did, of course, after you completely evaluate it (this lesson is 
for education purpose only, and it just allow pretty unlucky users, like 
me, who set their clock back without malice, to recover the all-featured
program for their allowed 30 days).

That's all, folks.

To give you an idea, this patch took me less than one hour, from the
beginning of the download to the end of the fourth patch.
This tutorial took me about 2.30 hours... but I think it was worth
it, especially for the +young crackers who don't follow yet  +Orc 
philosophy, which, I hope, is like mine.

Remember to use only your brain , intead of using BOTH your time and 
your brain.
"If you give a man a Key Generator, or a ready-made crack, he'll loose
his time (and his life); but if you teach him how to PATCH, he'll be 
happy to defeat in a couple of minutes commercial protection built 
during hours of (not very clever) work and sold for MONEY."

                  +joNaH '97  ALL RIGTHS RESERVED
		  -------------------------------	
 

homepage links anonymity +ORC students' essays academy database
tools cocktails antismut CGI-scripts search_forms mail_fravia
Is reverse engineering illegal?