Lazy software programming
("The last essay on simple password protection schemes")

by Plushmm
(10 August 1997)


Courtesy of Fravia's page of reverse engineering

Well, Plushmm confirms what we already supposed... programming in "higher" (aka "overbloated") languages fools overbloated programmers into forgetting the awesome power of "lower" disassembling... Judge for yourself: an obvious protection schema used for four (at least) similar targets... this is the LAST essay I'll publish about easy password checking, please, +HCUkers, don't work any more on such easy protection schemes (unless they are used by Micro$oft or unless they protect a program that we really need)... I think we have already made the point clear even to the most stupid and lazy programmers... name-password manipulation is no match at all

Lazy Software Companies EXPOSED!

Part 1

by Plushmm [PC'97]

8th Aug 97
 


Commercial Programmers are really SAD... In order to seek money, they have to leave their real interests, to forget their coding capacities (if they ever had some :-) and work hard on schedule on programs that they don't have any interest in.  I'm not just talking about SHAREWARE programmers here...
I'll show, in my later essays, how the "protection" of larger companies like ULEAD and even Micro$oft is basically lame and weak... Once you've made an initial crack on just one of their programs, the cracks for the rest are done.

It is my objective to prove to you that you can exploit this laziness...human weakness...to crack ALL of a software company's programs once you've cracked just ONE of them!

The general idea goes like this...
1)    You visit this software house that has the program you want.
2)    You download it...and you crack it...it may take you 5 minutes...it may take you 3 hours...it doesn't matter so long as you are learning. :=)
3)    Once you've done your first crack...you'll basically be able to crack ALL the other programs on their site BECAUSE they are LAZY!

Ok...without further ado, let's meet our FIRST target...

Basta Computing, LLC
http://www.basta.com

This software house churns out heaps of software...the more popular ones are Filo, WhoSock and ExIcon.

Let's run Filo v1.7: we see the NAG, telling us how many more days we have to "Evaluate" the target and such.
Choosing REGISTER, we come across 2 Edit boxes for us to put our "numbers" in.

Enter some crap and choose register.  Ok...it tells you that the number is "invalid".  Dead-list the program and you notice that there is no dialog to tell you that the program has been registered successfully.  Notice from the dead-listing that the code is rather messed up with many, many Calls and Jumps...Hmm...no match for Zen cracking.  Ok, out comes Softice.

Go to the registration dialog
Enter 12121212 34343434 as the registration key
Fire up Softice
task ok...name is Filo
hwnd Filo
get the handles for the edit boxes
bmsg on the edit boxes for wm_gettext        ; As suggested by +ORC ;)
back to the proggie and click on "ok"
Softice breaks
Press F5 a couple of times...this is to let the program read in all the information from the different Edit Boxes...
Now search for your registration code with s 30:0 lffffffff "12121212"
BPR on the location given
Let the program run, Softice will break again...notice that the program has combined your two registration fields into "1212121234343434"
BPR on this new location and let the program run again...

The program will break RIGHT IN THE MIDDLE OF THE COMPARISON ROUTINE...
Check this out...
* Referenced by a Jump at Address:00407901(C)
|
:004078E9 8A0431                  mov al, byte ptr [ecx + esi]
:004078EC 3C30                    cmp al, 30                           ;"0"
:004078EE 0F8CC4000000            jl 004079B8                          ;not a number
:004078F4 3C39                    cmp al, 39                           ;"9"
:004078F6 0F8FBC000000            jg 004079B8                          ;not a number
:004078FC 8BC1                    mov eax, ecx
:004078FE 49                      dec ecx
:004078FF 85C0                    test eax, eax
:00407901 75E6                    jne 004078E9
:00407903 0FBE5E0F                movsx ebx, byte ptr [esi+0F]
:00407907 83EB30                  sub ebx, 00000030
:0040790A 8D4301                  lea eax, dword ptr [ebx+01]
:0040790D 83F80F                  cmp eax, 0000000F
:00407910 7C03                    jl 00407915
:00407912 83E80F                  sub eax, 0000000F

* Referenced by a Jump at Address:00407910(C)
|
:00407915 40                      inc eax
:00407916 83F80F                  cmp eax, 0000000F
:00407919 7C03                    jl 0040791E
:0040791B 83E80F                  sub eax, 0000000F

* Referenced by a Jump at Address:00407919(C)
|
:0040791E 8BC8                    mov ecx, eax
:00407920 83C003                  add eax, 00000003
:00407923 83F80F                  cmp eax, 0000000F
:00407926 7C03                    jl 0040792B
:00407928 83E80F                  sub eax, 0000000F

* Referenced by a Jump at Address:00407926(C)
|

:0040792B 0FBE3C31                movsx edi, byte ptr [ecx + esi]
:0040792F 8BC8                    mov ecx, eax
:00407931 83C003                  add eax, 00000003
:00407934 83EF30                  sub edi, 00000030
:00407937 83F80F                  cmp eax, 0000000F
:0040793A 7C03                    jl 0040793F
:0040793C 83E80F                  sub eax, 0000000F

* Referenced by a Jump at Address:0040793A(C)
|
:0040793F 8BD0                    mov edx, eax
:00407941 83C003                  add eax, 00000003
:00407944 83F80F                  cmp eax, 0000000F
:00407947 7C03                    jl 0040794C
:00407949 83E80F                  sub eax, 0000000F

* Referenced by a Jump at Address:00407947(C)
|
:0040794C 0FBE0C31                movsx ecx, byte ptr [ecx + esi] ;always
:00407950 0FBE1432                movsx edx, byte ptr [edx + esi] ;suspect
:00407954 8D0C89                  lea ecx, dword ptr [ecx + 4*ecx];when you
:00407957 8D0C4A                  lea ecx, dword ptr [edx + 2*ecx];see codes
:0040795A 0FBE1430                movsx edx, byte ptr [eax + esi] ;like this
:0040795E 8D0C89                  lea ecx, dword ptr [ecx + 4*ecx];Key manipulations!
:00407961 8D844A30EBFFFF          lea eax, dword ptr [edx + 2*ecx - 000014D0]
:00407968 83F803                  cmp eax, 00000003               ;after manipulations
                                                                  ;eax must be = 3
:0040796B 754B                    jne 004079B8                    ;jump if faker
:0040796D 33C0                    xor eax, eax
:0040796F B90F000000              mov ecx, 0000000F

* Referenced by a Jump at Address:00407982(C)
|
:00407974 0FBE1431                movsx edx, byte ptr [ecx + esi] ;further manipulation
:00407978 0FAFD1                  imul edx, ecx
:0040797B 03C2                    add eax, edx
:0040797D 8BD1                    mov edx, ecx
:0040797F 49                      dec ecx
:00407980 85D2                    test edx, edx
:00407982 75F0                    jne 00407974
:00407984 8D4B0E                  lea ecx, dword ptr [ebx+0E]
:00407987 83F90F                  cmp ecx, 0000000F
:0040798A 7C03                    jl 0040798F
:0040798C 83E90F                  sub ecx, 0000000F

* Referenced by a Jump at Address:0040798A(C)
|
:0040798F 0FBE1431                movsx edx, byte ptr [ecx + esi]
:00407993 0FAFD1                  imul edx, ecx
:00407996 2BC2                    sub eax, edx
:00407998 49                      dec ecx
:00407999 7903                    jns 0040799E
:0040799B 83C10F                  add ecx, 0000000F

* Referenced by a Jump at Address:00407999(C)
|
:0040799E 8A1C31                  mov bl, byte ptr [ecx + esi]        ;more "magic"
:004079A1 0FBED3                  movsx edx, bl                       ;being done...
:004079A4 0FAFCA                  imul ecx, edx                       ;similar principle
:004079A7 2BC1                    sub eax, ecx                        ;to my previous
:004079A9 B90A000000              mov ecx, 0000000A                   ;essay...
:004079AE 99                      cdq
:004079AF F7F9                    idiv ecx
:004079B1 80C230                  add dl, 30
:004079B4 3AD3                    cmp dl, bl                          ;second check!
:004079B6 7406                    je 004079BE                         ;jump if
                                                                      ;good guy...

* Referenced by a Jump at Addresses:004078C9(C), :004078DE(C), :004078EE(C), :004078F6(C), :0040796B(C)
|
:004079B8 33C0                    xor eax, eax
:004079BA 5F                      pop edi
:004079BB 5E                      pop esi
:004079BC 5B                      pop ebx
:004079BD C3                      ret

Based on the codes above, you can go write your own key generator...
Since this essay is NOT about KeyGen, let's just patch it...

:0040796B 754B                    jne 004079B8               ;jump if faker
to        4840                don't EVER jump

:004079B6 7406                    je 004079BE                ;jump if good guy
to        EB06                jump ALL the time
 

Ok...now that Filo v1.7 is done, let's look at WhoSock v1.91...lo and behold!  Check this out!
...
...same code as Filo...
...
* Referenced by a Jump at Address:00406737(C)
|
:0040673C 0FBE0C31                movsx ecx, byte ptr [ecx+esi]
:00406740 0FBE1432                movsx edx, byte ptr [edx+esi]
:00406744 8D0C89                  lea ecx, dword ptr [ecx+4*ecx]
:00406747 8D0C4A                  lea ecx, dword ptr [edx+2*ecx]
:0040674A 0FBE1430                movsx edx, byte ptr [eax+esi]
:0040674E 8D0C89                  lea ecx, dword ptr [ecx+4*ecx]
:00406751 8D844A30EBFFFF          lea eax, dword ptr [edx+2*ecx-000014D0]
:00406758 83F809                  cmp eax, 00000009           ;Slightly diff "checksum"
:0040675B 754B                    jne 004067A8                ;SAME jump length!
:0040675D 33C0                    xor eax, eax
:0040675F B90F000000              mov ecx, 0000000F

* Referenced by a Jump at Address:00406772(C)
|
:00406764 0FBE1431                movsx edx, byte ptr [ecx+esi]
:00406768 0FAFD1                  imul edx, ecx
:0040676B 03C2                    add eax, edx
:0040676D 8BD1                    mov edx, ecx
:0040676F 49                      dec ecx
:00406770 85D2                    test edx, edx
:00406772 75F0                    jne 00406764
:00406774 8D4B0E                  lea ecx, dword ptr [ebx+0E]
:00406777 83F90F                  cmp ecx, 0000000F
:0040677A 7C03                    jl 0040677F
:0040677C 83E90F                  sub ecx, 0000000F

* Referenced by a Jump at Address:0040677A(C)
|
:0040677F 0FBE1431                movsx edx, byte ptr [ecx+esi]
:00406783 0FAFD1                  imul edx, ecx
:00406786 2BC2                    sub eax, edx
:00406788 49                      dec ecx
:00406789 7903                    jns 0040678E
:0040678B 83C10F                  add ecx, 0000000F

* Referenced by a Jump at Address:00406789(C)
|
:0040678E 8A1C31                  mov bl, byte ptr [ecx+esi]
:00406791 0FBED3                  movsx edx, bl
:00406794 0FAFCA                  imul ecx, edx
:00406797 2BC1                    sub eax, ecx
:00406799 B90A000000              mov ecx, 0000000A
:0040679E 99                      cdq
:0040679F F7F9                    idiv ecx
:004067A1 80C230                  add dl, 30
:004067A4 3AD3                    cmp dl, bl                        ;SAME 2nd Check
:004067A6 7406                    je 004067AE                       ;SAME jump length!!!
 
 

Geez!  Now look at ExIcon v1.9a...
...
...same code as Filo...
...
* Referenced by a Jump at Address:0040AC77(C)
|
:0040AC7C 0FBE0C31                movsx ecx, byte ptr [ecx+esi]
:0040AC80 0FBE1432                movsx edx, byte ptr [edx+esi]
:0040AC84 0FBE0430                movsx eax, byte ptr [eax+esi]
:0040AC88 8D0C89                  lea ecx, dword ptr [ecx+4*ecx]
:0040AC8B 8D0C4A                  lea ecx, dword ptr [edx+2*ecx]
:0040AC8E 8D1489                  lea edx, dword ptr [ecx+4*ecx]
:0040AC91 8D8C5030EBFFFF          lea ecx, dword ptr [eax+2*edx-000014D0]
:0040AC98 83F902                  cmp ecx, 00000002              ;Slightly diff "checksum"
:0040AC9B 754B                    jne 0040ACE8                   ;SAME JUMP Length
:0040AC9D 33C0                    xor eax, eax
:0040AC9F B90F000000              mov ecx, 0000000F

* Referenced by a Jump at Address:0040ACB2(C)
|
:0040ACA4 0FBE1431                movsx edx, byte ptr [ecx+esi]
:0040ACA8 0FAFD1                  imul edx, ecx
:0040ACAB 03C2                    add eax, edx
:0040ACAD 8BD1                    mov edx, ecx
:0040ACAF 49                      dec ecx
:0040ACB0 85D2                    test edx, edx
:0040ACB2 75F0                    jne 0040ACA4
:0040ACB4 8D4B0E                  lea ecx, dword ptr [ebx+0E]
:0040ACB7 83F90F                  cmp ecx, 0000000F
:0040ACBA 7C03                    jl 0040ACBF
:0040ACBC 83E90F                  sub ecx, 0000000F

* Referenced by a Jump at Address:0040ACBA(C)
|
:0040ACBF 0FBE1431                movsx edx, byte ptr [ecx+esi]
:0040ACC3 0FAFD1                  imul edx, ecx
:0040ACC6 2BC2                    sub eax, edx
:0040ACC8 49                      dec ecx
:0040ACC9 7903                    jns 0040ACCE
:0040ACCB 83C10F                  add ecx, 0000000F

* Referenced by a Jump at Address:0040ACC9(C)
|
:0040ACCE 8A1C31                  mov bl, byte ptr [ecx+esi]
:0040ACD1 0FBED3                  movsx edx, bl
:0040ACD4 0FAFCA                  imul ecx, edx
:0040ACD7 2BC1                    sub eax, ecx
:0040ACD9 B90A000000              mov ecx, 0000000A
:0040ACDE 99                      cdq
:0040ACDF F7F9                    idiv ecx
:0040ACE1 80C230                  add dl, 30
:0040ACE4 3AD3                    cmp dl, bl                    ;Good old 2nd check
:0040ACE6 7406                    je 0040ACEE                   ;SAME jump length AGAIN!

 
Horas v2.1...SAME STORY!

Ok ok...I think I've proved my point...I can't be bothered to find out more, but I reckon that if 4 of their programs have the EXACT SAME protection, then ALL their OTHER software (about 8 others) should have EXACTLY the same protection!
 

 
Anyway I have drafted a general crack patch below which should be able to crack ALL the software on their site...have fun!



Plushmm [PC'97]


done := False;
location := $FF;        {Skip the initial codes}
Repeat
        {First patch point: the "jne faker" (75 4B) ...}
        if (thefile(location) = $75) and (thefile(location+1) = $4B) then
            {...followed $4B bytes later by the "je good guy" (74 06)}
            if (thefile(location+$4B) = $74) and (thefile(location+$4C) = $06) then
                    begin
                            Patch_File;
                            done := True;
                    end;
        location := location+1;
Until done or limit_reached;

(c) Plushmm 1997. All rights reserved

