SmartDraw 3.11 W95
("'Heavy/Stupid' Anti-Crackers protection defeated with HexWorkShop & BRW")

STUPID

by Frog's prin+
HCU

(05 July 1997, slightly edited by Fravia)


Courtesy of Fravia's page of reverse engineering

 
 
I noticed lately that there were no cracks/patches for the new SmartDraw v3.11 Win95 
(http://www.smartdraw.com) on the Net (at least I didn't find any). As I was looking 
for some interesting protection schemes to crack, I thought that this soft would be 
what I was looking for. 

I downloaded it and fired it up: 

-2 nagscreens 
-time limited (30 days) 
-adds "created with the trial edition of Smartdraw" to any printed document 
-disables the save function when the time trial period has expired 
-detects if the system clock has been set back... 
-dialog boxes and bitmaps have 'Trial Edition' written/printed throughout... 
-you are supposed not to be able to turn it into a registered version as it is a demo 
and cannot be unlocked with a password/serial number. 
 
Nothing really exciting yet. 
 
I first loaded it into SoftIce with Loader32 and started to trace, trying to find 
some 'infos': SoftIce crashed and I had to re-boot. I started again, it soon crashed 
again... 
I gave up tracing and ran W32Dasm80: it crashed too! I tried W32Dasm versions 5, 6, 7 
and the new 85: they all crashed. 
 
What a protection for such a simple $49.00 graphic tool! I understood why I didn't find 
any cracks on the Net. 
 
Well, most of the time such programs (16 or 32 bit - EXE or COM) use ready-to-use, 
expensive protection tools (e.g. EverLock, CopyControl...) that act on EXE files 
and/or are linked in DLLs and called from within the code. 
 
If you have a look at Microcosm's home page (CopyControl) you'll read: 
 
CopyControl Software  
Pirates Hate It!               ; < who said that??  
Very high level of security. 
Beats ALL the hardware and software "bit-copiers" and dis-assemblers.  
Encrypts your programs and adds strong anti-debug code to it. 
 
And at EverLock's one: 
 
Protects your investment in development and marketing, protects your software against 
no authorized use and reverse engineering, on platforms: DOS, Windows 3.1, Windows for 
Workgroups 3.11, Windows'95, Windows-NT and Networks (Novell, LANtastic, etc.). 
... 
... 
  
You'll find several companies and Softs like the above mentioned on the Net to protect 
any program from debugging, disassembling, copying... 
 
I assume that such tools are hard to crack, but without SoftIce and without W32Dasm 
I have to say that I'm a bit lost. 
 
As we (I) cannot 'high crack' SmartDraw, let's 'zen crack': 
 
First, those tools are 'ready-to-use' (I don't know which one is used in SmartDraw, but 
if you DO KNOW please keep me informed:=). It means that you just have to write your 
program as usual and they will take care of the rest. And that's the problem: 
=> programmers will not work a lot on their own protection scheme (time limitation, 
disabled features) just because they think that their new anti-cracker tool will do 
it for them. 
 
Are SmartDraw programmers real anti-crackers protectionists?? 
 
NO!! In fact they should get our "Most Stupid Protectionists" Award... 
But I'm afraid they would have to share it with many other stupid protectionists, 
among others the Numega guys... I recently decided to reverse engineer the 
protection of BoundsChecker (all editions) hoping its scheme, at least, would have 
been a little more complicated than SoftIce's ridiculous one.
But I was very disappointed!... it's even worse: this time the great Numega programmers
simply used the TimeLock DLL (TL32v20.DLL) to protect this very valuable target! 
See Xoanon's essay if you want to crack the TL32v20.DLL protection scheme, or 
Horwi's essay on BoundsChecker reverse engineering in order to crack Numega's 
BoundsChecker directly! 
 
Despite its anti-wdasm and anti-winice protection, I am going to show you 
right now how to FULLY 'zen crack' SmartDraw 3.11 Win95 within 5 minutes 
using the following tools: 
- HexWorkShop (80% of the crack)!  
- a little help from the good old Resource WorkShop (about 15%)  
- the 5% left will be done with a BPX DialogBoxParamA (without any crash!) 
 
When I say 'crack' I mean that we are going to turn this demo into a fully functional 
version identical to the commercial one: 
- No more limitations of any kind  
- Dialog boxes and even bitmaps with no more 'Trial Edition' written or printed (without 
  having to edit them with BRW itself, of course). 
 
1/ Run Borland Resource WorkShop and load SmartDraw 3.11 Win95 so we can have a look at  
   all those nagscreens... 
 
In the "BITMAP" section you can see: 
 
-ABOUT  (displays the 'SmartDraw' bitmap of the licensed version) 
-ABOUTD (displays the same bitmap but with 'TRIAL EDITION' printed on it) 

Other 'ABOUTxx' bitmaps are unused and come from older versions of SmartDraw. 
 
In the "DIALOG" section you can see: 
 
-ABOUT            (displays a small dialogbox with 'Licensed Copy' written) 
-ABOUTKISS        (identical but the dialogbox is bigger) 
-ABOUTSHARE       (displays our 'TRIAL EDITION' dialogbox with a 'PURCHASE' button) 
-CANTSAVE         (displays a dialogbox with "YOU ARE NO LONGER ABLE TO SAVE DOCUMENTS") 
-HINT_REG         (displays a dialogbox with "WELCOME to the trial edition". 
                   Note: we do not care about this one as it only appears 
                   once: the very first time you install SmartDraw:=) 
-LIC_EXPIRED      (dialogbox with "YOUR LICENSE HAS NOW EXPIRED") 
-LIC_EXPIRED_RUNS (dialogbox with "YOUR LICENSE HAS NOW EXPIRED..you have xx runs remaining") 
-LIC_ROLLBACK     (dialogbox with "YOUR SYSTEM CLOCK HAS BEEN SET BACK") 
-LIC_TAMPERED     (dialogbox with "YOUR TRIAL VERSION TIMER HAS BEEN TAMPERED WITH") ... 
-NAG              (dialogbox with "PURCHASE SmartDraw......") 
 
Now you can leave Resource WorkShop, we do not need its help anymore. 
 
2/ Run HexWorkShop and load SmartDraw: 
 
Now let's search for the bitmaps and dialogboxes: 
 
-Search for "ABOUTD": We find it twice. DELETE (yes, delete!) the "D" in the HEX WINDOW 
(that's "44") and change both occurrences to "00". 

-Search for "ABOUTSHARE": We find it twice too. Delete the "SHARE" and replace it with 
"0000000000" too. 

-For LIC_EXPIRED, LIC_EXPIRED_RUNS, LIC_ROLLBACK, LIC_TAMPERED and NAG, just delete and 
replace them ALL with a lot of "00"s. 
(Again, all the above changes are to be done in the Hex window.) 
 
Now we already have done 95% of our crack. 
 
Save your modified file and run it. No more nagscreens, and at the beginning of the program 
(or if you press Help-About) you'll see that you have now turned the dialogboxes and even 
the bitmaps into a licensed version. If you set the system date 2 or 3 months ahead (or back) 
you'll notice that it still works fine as well. 
 
Just one more thing to do: We know that SmartDraw will disable the SAVE function if your 
trial period has expired. Keep the system date a couple of months ahead and press the Save 
button. A message box (CANTSAVE) will notify you that you are no longer allowed to use this 
feature. 
 
3/  With SoftIce, just BPX the DialogBoxParamA function and press SmartDraw's Save button again. 
    SoftIce will pop up. Press F11 and you'll land in the middle of a small and uninteresting 
    function. Trace (F10) until the next "RET" and you'll land here: 

(This piece of code comes from Hiew v5.5) 
 
00024B8F: 833D84E0510000 cmp d,[00051E084],000            ; Is '0'?  
00024B96: 0F8419000000   je 000024BB5                     ; Yes, go ahead otherwise...  
00024B9C: 68234E0000     push 000004E23                   ; ...sorry,  
00024BA1: 6804E55100     push 00051E504                   ; prepare "CANTSAVE" 
00024BA6: E8AE340B00     call 0000D8059                   ; < That's where we come from  
00024BAB: 83C408         add esp,008 
00024BAE: 33C0           xor eax,eax  
00024BB0: E99A020000     jmp 000024E4F                    ; Bye-bye  
00024BB5: 837D0800       cmp d,[ebp][00008],000 
 
As usual, the same old stupid trick:  
'0'=Nice_Guy  
'1'=Bad_Guy 
(please note that this is the ONLY protection of the program besides the fact you cannot 
debug/disassemble it!!) 
 
We just have to find the "mov dword ptr[0051E084],00000001" instructions (there are 6 
of them) and change them to "mov dword ptr[0051E084],00000000" and our job is done. 
 
By the way, we do not have to worry about the "created with the trial edition of Smartdraw" 
message on any printed document, as it has gone away too. 
(In fact, everything has gone away!) 
 
You now have a fully licensed copy of SmartDraw. 
What about a +HCU Award for the "Most Stupid Protectionists Of The Year"?? 
 
Frog's Print, 4 July 1997 
 
frog_s_print@thepentagon.com 
 

