Reverse engineering Academy


numega's own

(Softice reverse engineering and all the other brilliant Numega tools)

Our most important project... Numega's protections are deeper than you may have thought... or are they incredibly simple and stupid? That was the question we had to solve...

Enough babbling, let's go straight to the softice essays
Enough babbling, let's go straight to the Numega add-ons
Hey! I'm new to this... how does softice work? I mean, how do I set breakpoints and all that?

This has been for obvious reasons the most important project of the +HCU, and I'm glad to say that we have TERMINATED it in less than four months. BOZO's Phase 8, that I'm publishing to-day (2 August 1997), represents the final point for the protection scheme of the NT version. Does it? See Phase 9 by Birdy Harry and Phase A by ViceVersa+!!

Anyway, I would like to thank the guys at Numega for their wonderful debugger, a tool that I have used with passion and love since its DOS version 2.6 (cracked and distributed by the Marquis de Soiree), a software debugger so powerful that Numega's hardware competitor (Periscope) went bust! I hope the Numega guys will improve Softice even more in the future, if possible, for once, not only in order to facilitate debugging with source code available (which has zero interest for us! And stupid programmers leaving stupid bugs in their overbloated source code can use simpler -and equally stupid- debuggers) but also for more noble and difficult reverse engineering purposes (which has an enormous interest for the whole future evolution of the software industry out of the mortal "embrace" of Micro$oft), and I hope as well that they will learn here how to protect their invaluable product better.
I believe it is appropriate to remember here the names of the Godot developers:
Dom Basile       Wizard extraordinaire
Tom Guinther     Symbol engine, loader
Dan Babcock      Symbol engine
Gerald Ryckman   Win95 porting & debugging
Ray Hsu          Video & mouse support
Let's also send a greeting to Cathy Philbrick, Numega's main "scarecrow spammer", here it is:
Dear Cathy, I have received your spam, sent on 9/9/97. Unfortunately your email 
was a little imprecise: 
  	this site is NOT "distributing your products on the Web", legally 
  or illegally. In fact there is absolutely no need to distribute them
  even more. There has never been such a need: the "Bonamico" copy is 
  everywhere and Numega itself has recently distributed all its products to 
  the world with a "trial" protection so silly that one wonders if you 
  actually WANTED your products distributed to every loser for free
  (as if, I repeat, it would have been difficult to find complete pirated
  copies of any Numega product on the Net... there was NO NEED to reverse 
  engineer your trial in order to have a perfect complete working copy 
  of whatever product you have... we have done it just for the fun!). 
       I'll speak only for my own site: not a single copy of your product 
  has been distributed from these pages where, on the contrary, I have
  always publicly written that people should even "buy" your product.
  This by the way is jolly nice of us, since in the reality -I repeat- 
  your product can be gathered everywhere (but here) for free... yes kids,
  even version 3.2... I just did a stupid ftpsearch and found two of 
  them :-)
  You write also that you "monitor illegal sites frequently" (Gee... I 
  would really love to have a job like that!). 
  Well, you do not seem to be very well informed.
  This is NOT an illegal site. Reverse engineering is NOT illegal. 
  Protection busting is NOT illegal. Removing protections from a 
  target that you have legally obtained (bought, or as shareware, or
  as "trial ware", like your programs), is NOT illegal. Screwing or
  re-writing or modifying or nuking, or hitting with a mace alien
  code is NOT illegal... 
  It's exactly what your own researchers, at Numega, are doing all 
  the time, ask them, watch them, grow up for God's sake. And since 
  you are at it, Cathy, you may as well ask them why the hell are 
  complete unprotected registered versions of ALL Numega's products
  being kept on your own public anonymous FTP server, another of the 
  many facts that you don't seem to be aware of.
        I'll now repeat to you, Cathy, what I have always written yet
  -alas- you do not seem to have ever read (which is bad, since I
  believe that there are not many sites on the web where Numega gets 
  so much real feedback -and so much praise- as here at fravia's... 
  therefore you are probably NOT doing your "monitoring" job very well, 
  dear Cathy, time to fire you, maybe) here it is:
  Anybody that is seriously into reverse engineering should BUY 
  softice (as I have done long ago) and THEN crack it black and 
  Anyway I'll monitor your site frequently to ensure compliance 
  with reality.

In the name of the +HCU I would like to thank in particular Frog's print and +Rcg. First of all Frog's print, my friend, if it were not for you all this would not have been possible. Frog's print and +Rcg have supplied the "backbone" of this project.
My thanks, and the thanks of the whole scene go also to IgNorAMUS, Birdy Harry, The Undertaker, Bozo and ViceVersa+. Each one of these Authors has given valuable input and decisive help to this project.

Project2 is CONCLUDED, long life to Winice!

And yet we had to add some "add-ons": Numega continues to give out "trial" versions of beautiful programs with incredibly silly protection schemes... (and yes, Numega continues to publish complete registered versions of them on its own ftp server as well, btw :-)

In fact the problem is not how to find a fully functional, registered and working copy of ANY Numega software whatsoever (every version is roaming the Web). The really funny question for us is: "Why does Numega use such stupid protection schemes inside its "protected" versions?". Mind you, we are not speaking of a small shareware programmer that is using some overbloated language for some overbloated useless application: we are speaking of the BEST programmers and wizards of assembly on the whole planet here! And yet they protect as if they had just finished their copy of "teach yourself assembly language in 5 easy lessons".
The fact that Numega (which, differently from Micro$oft's lamers' park, HAS INDEED A LOT of said good programmers and wizards) publishes powerful disassembly and reversing tools (Boundschecker, Smartcheck, Softice...) in downloadable "trial" versions with pretty silly protections (as if the kind of people that REALLY USE such tools were not capable of hearing a password echo in memory), added to the fact that they "forget" complete versions of their programs on their own ftp servers (Softice for Win95 3.2 has been there for more than two months now :-) can IMO only mean one of two things:

A) EITHER Numega follows the Micro$oft path of giving away everything for free, in the hope that they will dominate the "commercial" disassembler market and reap the rewards of economies of scale.
This may happen: the crackers and "simple" programmers of to-day, i.e. a great part of the people that peruse sites like mine (of which, I am afraid, there are MANY available that offer just the cracks and no explanation at all), ARE the reverse engineers of to-morrow (who else?), and will be able to afford *any* "commercial" fare that Numega will in the future decide on for, say, Smartcheck version 13.0.
B) OR Numega will bring to light a very tough protection (the mythical "unbreakable" software protection :-) as soon as their absolute dominance of the market has been asserted. Let's hope they do it as early as possible: the "protections" (if you really want to call them so) that they are using at the moment are simply too boring to bother with.

(c) fravia+ October 1997. All rights reversed

PHASE 1 by Frog's print

Cracking Loader32/NmTrans.dll
How it all started

PHASE 2 by +RCG:

More on Winnie
Another approach to crack SoftIce 3.01 14 day trial

PHASE 3 by Frog's print:

Registry juggling, 26 May 1997
Another short approach


WiniceNT cracking, a first approach, 27 May 1997
How EXE checksums work

PHASE 5 by +RCG:

An introduction to virtual devices cracking, 27 May 1997
An important lesson

PHASE 6 by Birdy Harry:

Deeper WiniceNT cracking, working with HIEW, 17 July 1997
An important lesson, deepens our understanding of NT-Winice.
About this phase I got a comment from Squirlle:

Phase six was only partly helpful in patching ntice.  
I got lots of errors and even after I found out about the need for 
certain visual c++ libraries to follow phase 4.  Since I could not 
load pnpisa.sys as described (error requesting some debug data) 
I could not get the new checksum.  
My version was different than in phase six so I was not able to copy 
the work.  I did some searching on the net and found a helpful news 
article describing how to AUTOMATICALLY change the checksum.  
Simple (although not as instructive, it WORKS) use vc++ editbin.exe 
as follows:  editbin /release   That's it.  
You'll need editbin.exe, link.exe and mspdb40.dll from vc++ v4 
(I got a cheapie copy from a store selling an old standard version 
under a different name).  
Perhaps this would help some newbies get up and running faster -- 
NT is not an easy thing to understand without some good training!  
Thanks for all the good information and keep up the good work!

Squirlle, 25 July 1997
The problem addressed by Squirlle is discussed (and resolved) in BOZO's PHASE 8... read that and look... it's an interesting story... Winice for WinNT "changes" if loaded at boot or afterwards... would anybody like to delve a little into this particular aspect?
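The checksum Squirlle had to get right (and that Phase 4 explains) is the PE image checksum, the CheckSum dword in the optional header of every NT executable and driver: patch one byte of ntice.sys and the stored value is stale, which is why Phase 4 recomputes it by hand and why editbin /release is the lazy man's way out. What follows is an added example, not code from any phase of this project nor from Numega or Microsoft, that walks the documented PE header layout (e_lfanew at 0x3C, "PE\0\0", the 20-byte COFF header, CheckSum at optional-header offset 0x40), computes the checksum with the classic 16-bit end-around-carry sum that skips the field itself and adds the file length, and re-stamps it after a patch. The sample image it builds is constructed inline for the demonstration and is not a loadable binary; the function and constant names are this example's own.

```python
"""PE checksum: compute, verify and re-stamp after a byte patch.

Added example for this page (not code from the +HCU essays or from
Numega). Header layout is the documented PE format; the sample image
built below is constructed for the demo and is not loadable.
"""
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
COFF_HEADER_SIZE = 20
CHECKSUM_IN_OPTIONAL = 0x40          # same offset for PE32 and PE32+
OPTIONAL_HEADER_SIZE = 224           # PE32 optional header used in the sample
SECTION_HEADER_SIZE = 40
# Where the sample's .text bytes start: DOS stub, PE sig, COFF, optional, 1 section header
SAMPLE_CODE_OFFSET = 64 + 4 + COFF_HEADER_SIZE + OPTIONAL_HEADER_SIZE + SECTION_HEADER_SIZE


def checksum_field_offset(data):
    """File offset of OptionalHeader.CheckSum, found via e_lfanew."""
    if data[:2] != MZ_MAGIC:
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        raise ValueError("no PE signature at e_lfanew")
    return e_lfanew + 4 + COFF_HEADER_SIZE + CHECKSUM_IN_OPTIONAL


def _fold(x):
    """End-around carry: fold everything above 16 bits back into the sum."""
    while x > 0xFFFF:
        x = (x & 0xFFFF) + (x >> 16)
    return x


def pe_checksum_raw(data, skip_offset=None):
    """Sum the file as 16-bit little-endian words with end-around carry,
    skipping the 4-byte CheckSum field at skip_offset (assumed even, as
    e_lfanew is 4-aligned), pad a trailing odd byte with zero, then add the
    file length. This is the image checksum CheckSumMappedFile produces."""
    total = 0
    n = len(data)
    for off in range(0, n, 2):
        if skip_offset is not None and skip_offset <= off < skip_offset + 4:
            continue
        lo = data[off]
        hi = data[off + 1] if off + 1 < n else 0
        total += lo | (hi << 8)
    return (_fold(total) + n) & 0xFFFFFFFF


def pe_checksum(data):
    """Correct checksum for a PE image, independent of the stored value."""
    return pe_checksum_raw(data, checksum_field_offset(data))


def read_checksum(data):
    """The value currently stored in OptionalHeader.CheckSum."""
    (value,) = struct.unpack_from("<I", data, checksum_field_offset(data))
    return value


def fix_checksum(data):
    """Copy of data with CheckSum rewritten to the correct value
    (the effect of 'editbin /release')."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def patch_bytes(data, offset, new):
    """Overwrite bytes at offset; the stored checksum is now stale."""
    buf = bytearray(data)
    buf[offset:offset + len(new)] = new
    return bytes(buf)


def build_sample_pe():
    """Constructed minimal PE32 skeleton: headers good enough for the
    checksum walk, one .text section of NOPs ending in RET. Not loadable."""
    dos = bytearray(64)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, OPTIONAL_HEADER_SIZE, 0x0102)
    opt = bytearray(OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, CHECKSUM_IN_OPTIONAL, 0xDEADBEEF)  # deliberately stale
    section = b".text\0\0\0" + bytes(SECTION_HEADER_SIZE - 8)
    code = b"\x90" * 15 + b"\xC3"
    return bytes(dos) + PE_MAGIC + coff + bytes(opt) + section + code


if __name__ == "__main__":
    image = fix_checksum(build_sample_pe())
    print("stamped checksum: %#010x" % read_checksum(image))
    patched = patch_bytes(image, SAMPLE_CODE_OFFSET, b"\xC3")   # nop -> ret
    print("stale after patch:", pe_checksum(patched) != read_checksum(patched))
    repaired = fix_checksum(patched)
    print("consistent after fix:", pe_checksum(repaired) == read_checksum(repaired))
```

Run it on a real file by replacing build_sample_pe() with the bytes of the driver or exe you patched; the field is skipped during the sum, so the result does not depend on what was stamped before. Note that a patch that changes a word by exactly 0xFFFF leaves this sum unchanged, one of the quirks of ones'-complement arithmetic.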

PHASE 7 by The Undertaker

Short and effective Win95's Softice cracking, 01 August 1997
The final point in cracking Godot for Win95, from Sri Lanka!

PHASE 8 by Bozo

WinNT-Winice reverse engineering, another approach, 02 August 1997
The final point in cracking Godot for WinNT, this concludes the whole project2!

PHASE 9 by Birdy Harry

WinNT-Winice reverse engineering, some explanations, 06 August 1997
There is never a final point in cracking... a lesson for everyone!

PHASE A by ViceVersa+

Winice 3.01 time-stamp encryption algorithm, 07 August 1997
Timestamping... and timedestamping


How to install Soft-Ice 3.01 Win95 (trial version), 19 August 1997

PHASE B by Frog's Print

melted MeltICE, 22 August 1997
SoftIce 3.xx detection and another lesson for shareware programmers

PHASE C by Frog's Print

little patch to get back the AZERTY keyboard, 20 September 1997
The new winice.exe version 3.21 (available everywhere) is a US copy, so it will turn your keyboard into QWERTY
Frog's print defends our European perspective

useful info

I decided to add to this project all essays that have to do with softice/winice
ADD-ON 1 by Civetta

NO MORE annoying anti SOFT-ICE tricks
The famous essay from a friend of +ORC

ADD-ON 2 by Harwi, 5 July 1997

BoundsChecker time limit defeated
The 'Persistent file' protection scheme

ADD-ON 3 by Shadow, 21 October 1997

BoundsChecker 5.02 Visual C++ Edition
'Hardcoded' serial numbers

ADD-ON 4 by Snatch, 27 October 1997

An interesting tool: Numega Smartcheck 5.0
Echoing a silly "install" and trial protection scheme

ADD-ON 5 by fravia+, 07 November 1997

An interesting tool: Numega's Smartcheck
how to defeat all protections (visual basic 1-5 and other languages as well)

ADD-ON 6 by Sandman, 03 May 1998

How to crack ANY program that uses the TL32V2.DLL!
(An addition to Harwi's essay)

ADD-ON 7 by Kaxeli, 06 July 1998

Softice's DigitCheck's Checkdigit :-)

It would be nice if somebody (I unfortunately do not have the time at the moment) would "condense" all phases of this project into a COMPLETE essay about Softice95 and SofticeNT (and all the other nice Numega tools), checking everything once more and presenting a "final" nice product of the +HCU to the scene... on the other hand it could be better to leave things a little "rough", without making it too easy for lamers and lurkers... you, reader, decide.

How does Softice work? How do I set breakpoints and all that?
I receive tons of silly emailings like that...

No, I'm not going to explain this to you either... softice must be learned through experience. I suggest the following:
1) read the softice documentation thoroughly, you'll find it complete and free to download (in Acrobat format) at Numega's site AND on many good scene pages,
2) experiment, experiment and experiment a little more. And then experiment again. And then re-read the documentation (which is available, I repeat) and then experiment some more... then, if you still have some problems,
3) visit (and read) "Mankind comes into the ice Age", from the beautiful series "Mammon_'s Tales to his Grandson", and if you still need knowledge,
4) visit the other +HCU pages at +gthorne's place where all your remaining doubts and problems will be clarified and solved, at least I hope, because if it is still not so, you should leave this stuff and find something else to play with :-)

This said, if a pious soul would gather ALL advices about softice breakpointing techniques that are scattered in the various scene pages and on many essays and in some +ORC's lessons and elsewhere, and if the same pious soul would bravely put all this together and send it to me, I could consider opening a special section of my site to this endeavour... do not make things TOO easy! It's always the same problem: should we make things so easy that any luser can grab software even if he does not understand nor love our white magic art or should we set a minimum threshold: a minimum "brain entry level"?


(c) Fravia 1995, 1996, 1997, 1998, 1999. All rights reversed