DLL-based schemes are *dead*
(A long overdue lesson for shareware programmers)

stupid

by +ReZiDeNt
+cracker
(22 September 1997)


Courtesy of fravia's page of reverse engineering

Well, protectionists don't seem to have learned much yet, do they? Here is +ReZiDeNt's email:
Hello fravia+,

Here's a quick contribution to the 'stupid protections' project - 
it's amazing how stupid protections can be, it took less than five 
minutes to crack this (most of that time was spent disassembling the 
file :-))


A contribution to the 'Stupid Protections' project
by +ReZiDeNt

Target: 6x86 Configuration Control 3.15, by Olivier Gilloire

6x86cfg.exe, 950,272 bytes, download from
http://www.chez.com/6x86config/ or any shareware site, such as
http://www.softseek.com

Tools: BRW 4.5
       SoftICE 3.1 (we don't really even need this at all!)
       W32Dasm 8.9


This program is designed to tweak Cyrix 6x86 and 6x86MX CPUs to
improve CPU performance. Since I have a 6x86 P166+ CPU I thought I'd
give it a try, perhaps see whether it can speed things up under the
dreaded Windoze 95.

This program is also a classic case of 'bloatware' - nearly a
megabyte of data (12 precious and expensive minutes of downloading
time if you have a 14.4 modem as I do!) just to tweak a few settings.
What makes this huge size even more ludicrous is the fact that there
is a command line program by another author that does much the same
thing, except it is only a few kilobytes! So much for Micro$haft's
'the road ahead'...

Back to the crack...when you run the program it places itself in the
system tray and in the startup folder - upon starting Windoze the CPU
settings are altered and you see a nasty splash screen telling you how
may days you have left in your evaluation period. Hmm...take a look at
it with BRW and we can see that there is *another* splash screen, one
for the registered users only, without any nag on it. However, within
the program itself there is no option to register, so we will have to
make a physical patch for this somehow. Now is the time to make a dead
listing of the program, see what we can find...look at the imported
functions and lo and behold, what do we see:

SoftVer.?GetSoftVersion@@YAHXZ
SoftVer.?GetUsedDays@@YAHXZ

This is really far too easy...how on earth did the author hope to
protect his program with this *pathetic* scheme, no doubt bought
over-the-counter from some stupid and greedy protectionists who
assured him that forking over $199 would save him from the evil
+crackers ;-) So Olivier Gilloire, where ever you are, you might want
to get your money back...these DLL-based schemes are *dead*,
especially when you give the whole game away by naming everything so
nicely for us :-)

So let's search for the above string,
'SoftVer.?GetSoftVersion@@YAHXZ'. You'll see that we find just one
relevant occurrence:

* Reference To: SoftVer.?GetSoftVersion@@YAHXZ, Ord:0000h
                                  |
:0040314E E867330000    Call 004064BA ; registered version?
:00403153 A804          test al, 04
:00403155 743B          je 00403192 ; jump if good guy!
:00403157 53            push ebx    ; else beggar off
:00403158 8D8D60FFFFFF  lea ecx, dword ptr [ebp+FFFFFF60]
:0040315E E8882D0000    call 00405EEB
:00403163 8D8D60FFFFFF  lea ecx, dword ptr [ebp+FFFFFF60]
:00403169 C645FC01      mov [ebp-04], 01
:0040316D E889A80100    call 0041D9FB
:00403172 395DC4        cmp dword ptr [ebp-3C], ebx

Take a look at the above lines in SoftICE if you really want to,
you'll see that all we need to do to crack this program is to replace
the following instruction:

:00403155 743B                    je 00403192  ; jump if good guy!

with:

:00403155 EB3B                    jmp 00403192 ; jump always!

In 6x86cfg.exe (430,592 bytes) at offset 0x2555 insert 0xEB to make
the changes permanent!

Just one byte to defeat a stupid protection scheme that probably
describes itself as 'uncrackable' :-) It goes to prove that +ORC was
of course right, we can never underestimate the stupidity of
protectionists.

Good Hunting,
+ReZiDeNt, September 1997 
(c) +ReZiDeNt 1997. All rights reversed
You are deep inside fravia's page of reverse engineering, choose your way out:

redBack to Project 7 ("Most stupid protection")
redhomepage redlinks redanonymity +ORC redstudents' essays redacademy database
redtools redcocktails redantismut CGI-scripts redsearch_forms redmail_fravia
redIs reverse engineering legal?