Little Cracking Exercises for newbyes: Simply 3D
Explained easy targets for our future +friends

by n00se

(04 September 1997, slightly edited by fravia+)

Courtesy of fravia's page of reverse engineering

Hey, this little essay from n00se, who wrote "Perhaps an addition to the Stupid Protection Schemes page?" gives me the idea to start a new section, which may be useful for all newbyes that are a little "left behind" by the level that the "serious cracks" have got in recent times... so here is the first essay of the new "Little Cracking Exercises for Newbyes" (LCEN) section... experienced crackers will introduce an EASY target, explain its protection scheme, if necessary with LITTLE snippets of code and LEAVE the young friends reading these pages to the "satisfaction" of finding the right solution... Let's see if other contributors believe that this could be a good idea...


I recently found a 30-day trial version of Simply 3D v2 on a magazine
cover CD. I thought I'd have a look at it, and lo and behold it appears
to be one of the worst protection schemes devised. This is supposed to
be a professional commercial package but the programmers (in their
ultimate laziness) haven't spent much time on the protection. I cracked
it in a little over a minute (since WinDasm8 took some time to
disassemble the file).

I thought I'd get a feel for the program in advance, so installed it and
set the date past the 30 day limit. This revealed the text "The trial
period has...". I then tested the age-old failing of protection schemes:
I set the date back. I wasn't surprised to find that this didn't fix
the problem. So then I thought I'd have a quick peek at the code and get
a feel for the level of protection on this package. Pulling out my
trusty copy of WinDasm32 I set it to disassembling the code. To my
surprise, when I used the string reference feature to locate the
lock-out text, WinDasm dropped me straight into this code:

:0040C4FF E87CF00600              call 0047B580
:0040C504 83C404                  add esp, 00000004
:0040C507 85C0                    test eax, eax
:0040C509 7527                    jne 0040C532
:0040C50B 6A00                    push 00000000

* StringData Ref from Data Obj ->"SIMPLY 3D 2 TRIAL PERIOD TERMINATION"
:0040C50D 6814FA4800              push 0048FA14

* StringData Ref from Data Obj ->"The trial period has expired."
                               ->" Please contact your local vendor "
                               ->"or Micrografx to purchase a complete "
                               ->"version of Simply 3D 2."
:0040C512 6894F94800              push 0048F994
:0040C517 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:0195h
:0040C519 FF1530234A00            Call dword ptr [004A2330]

Looking up from the text message, a conditional jump could be seen
which, I guessed correctly, skipped the lock-out message and started the
code. A simple patch to make the jump unconditional resulted in a
complete crack. No checksums, no clever code misdirection using lookup
tables etc., not even an embedded second check.
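As an added illustration (not part of n00se's essay and not Micrografx's code), here is what the checksum the programmers left out could look like: a CRC-32 over the guarded instruction bytes, using the bytes from the listing above as a constructed stand-in for the code region, so that any byte change there is noticed before the verdict of the trial check is trusted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Bytes of the instruction sequence quoted in the listing above
   (0040C4FF..0040C50B), constructed here as a stand-in for a code region. */
static const uint8_t kListing[] = {
    0xE8, 0x7C, 0xF0, 0x06, 0x00,   /* call 0047B580 */
    0x83, 0xC4, 0x04,               /* add esp, 4    */
    0x85, 0xC0,                     /* test eax, eax */
    0x75, 0x27,                     /* jne 0040C532  */
    0x6A, 0x00                      /* push 0        */
};

/* Plain CRC-32 (IEEE 802.3, reflected, poly 0xEDB88320) over a byte region. */
uint32_t crc32_region(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Integrity gate: returns 1 only if the region still matches the
   reference value recorded when the binary was built. */
int region_intact(const uint8_t *p, size_t n, uint32_t expected) {
    return crc32_region(p, n) == expected;
}

/* Demonstration: a one-byte change anywhere in the guarded region
   flips the verdict.  The change is constructed, not a real patch. */
int tamper_detected(size_t offset) {
    uint8_t copy[sizeof kListing];
    memcpy(copy, kListing, sizeof copy);
    uint32_t ref = crc32_region(kListing, sizeof kListing);
    copy[offset] ^= 0xFF;
    return !region_intact(copy, sizeof copy, ref);
}

int main(void) {
    printf("reference crc: %08x\n",
           (unsigned)crc32_region(kListing, sizeof kListing));
    printf("change at the jne byte detected: %d\n", tamper_detected(10));
    return 0;
}
```

A check like this only raises the bar: it lives in the same binary it guards, so its reference value and its comparison are just as reachable as the jump it protects, which is why real anti-tamper layers several such checks.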

Now crack it, newbye!



(c)n00se, 1997. All rights reversed.