Cracking Micro$oft Visual SourceSafe 5.00
Cracking a quite easy timeprotection
Microsoft bashing
31 March 1998
by TWD
Courtesy of Fravia's page of reverse engineering
slightly edited by fravia+
Well, TWD is specialising in Micro$oft bashing, as it seems. That's very good. I'm a little
deceived that so many reversers ignore totally Micro$oft's awful applications (and silly
protections). This is a MISTAKE! Micro$oft's programs are extremely overbloated and buggy,
yet they are also SOLD and WIDESPREAD. Let's take account of this simple (if very sad) reality.
Reversing Micro$oft's applications is therefore USEFUL for a series of reasons:
1) It could be helpful -say for some far-away forgotten study institute in Africa without any money- to have the
possibility to use the SAME (stupid) applications that all other study institutes all
over the 'developed' world are (unfortunately) using... excel instead of 1-2-3, so to say: not
that it works better (it does not) nor quicker (it does not), but excel is unfortunately,
like it or not, the de facto 'standard' of this era of software decadence.
2) We could find -reversing deep and reversing well- some of the foul TRICKS that the Micro$oft's
programmers have hidden inside their applications in order to get, say, a complete list of
the software running on a given machine, or to delay a little netscape's browser, or to
send to their sites on line some registration information without asking you.
(TWD)
Life is but a dream therefore,
where there is no dream,
there is no life - it's your life

Rating
(x)Beginner ( )Intermediate ( )Advanced ( )Expert
A very easy crack, but it's a Micro$oft crack. That's worth an essay.
TimeNag - cracking at its most easy
You won't believe it, but Micro$oft distributes a German developer CD-ROM
with a lot of crap on it, but also with one or two "time-protected" programs.
One of the programs is Visual SourceSafe 5.00.
Tools I used:
- SoftICE 3.22
- IDA 3.7
- UltraEdit 5.0 (just for editing and writing essays)
Maybe at www.microsoft.com
Which history ???
After starting Visual SourceSafe 5.00 and logging in, a window appears and
tells us that only 30 days are remaining before VSS expires.
Thanx a lot. I closed it and started it again. Before finishing the login,
I set a breakpoint on GetLocalTime and continued.
SoftICE breaks here:
    10037843  8D 44 24 08          lea   eax, [esp+18h+var_10]
    10037847  50                   push  eax
    10037848  FF 15 34 44 06 10    call  ds:GetLocalTime
    1003784E  66 8B 44 24 08       mov   ax, word ptr [esp+18h+var_10]
    10037853  8A 4C 24 0A          mov   cl, [esp+18h+var_E]
Nice, nice, but not the thing we are looking for. You can look around by pressing
some "^p ret;" in your SoftICE, but this is not the right position, at least not
at the moment.
After carrying on, SoftICE pops up at exactly the same position as the last time, but
this time called by another procedure:
    100025C7  E8 74 52 03 00             call  ?DT_GetCur@@YAJXZ        ; <-- Our proc
    100025CC  2B 44 24 78                sub   eax, [esp+204h+var_18C]  ; <-- eax = time elapsed
    100025D0  B9 80 51 01 00             mov   ecx, 15180h              ; 15180h = 86400 (seconds per day)
    100025D5  99                         cdq
    100025D6  F7 F9                      idiv  ecx                      ; <-- eax = days passed
    100025D8  83 F8 3C                   cmp   eax, 3Ch                 ; 3Ch = 60
    100025DB  7C 23                      jl    short loc_10002600
    100025DD  C7 05 18 86 05 10 01 00+   mov   dword_10058618, 1
    100025E7  6A 3C                      push  3Ch
    100025E9  68 70 D6 FF FF             push  0FFFFD670h
    100025EE  E8 0D 83 01 00             call  ?Error@MSERR@@SAHHZZ     ; <-- Output Error 1
The call at "100025C7" checks the time. After the idiv, the days since installation are stored in eax.
If sixty days or more are gone, a special message box pops up (Error 1).
There are more error messages like this one. This one is called if more than 30 days
have passed since SourceSafe expired. If you have just installed Visual SourceSafe,
it shouldn't be expired, which means it jumps to:
    10002600  83 F8 1E             cmp   eax, 1Eh
    10002603  7C 17                jl    short loc_1000261C
    10002605  68 71 D6 FF FF       push  0FFFFD671h
    1000260A  E8 F1 82 01 00       call  ?Error@MSERR@@SAHHZZ     ; <-- Output Error 2
    1000260F  83 C4 04             add   esp, 4
    10002612  33 C0                xor   eax, eax
    10002614  5E                   pop   esi
    10002615  81 C4 00 02 00 00    add   esp, 200h
    1000261B  C3                   retn
If 30 days or more and less than 60 days have passed, another message box pops up (Error 2).
Otherwise we keep going, jumping to:
    1000261C  B9 1E 00 00 00       mov   ecx, 1Eh
    10002621  2B C8                sub   ecx, eax
    10002623  51                   push  ecx
    10002624  68 72 D6 FF FF       push  0FFFFD672h
    10002629  E8 D2 82 01 00       call  ?Error@MSERR@@SAHHZZ     ; Error 3
    1000262E  83 C4 08             add   esp, 8
    10002631  33 C0                xor   eax, eax
    10002633  5E                   pop   esi
    10002634  81 C4 00 02 00 00    add   esp, 200h
    1000263A  C3                   retn
If less than 30 days are gone, SourceSafe calculates the remaining days, stores them
in ecx and outputs them with a message box. This is no real error, but it is annoying.
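The three-way check from the listings above, written out in C. This is an added illustration, not code from the essay or from the product; the function and enum names are hypothetical, and treating the timestamps as seconds is an assumption drawn from the divide by 15180h (86400).

```c
#include <stdio.h>

/* Constants as they appear in the listing. */
#define SECONDS_PER_DAY 0x15180L /* mov ecx, 15180h  (86400) */
#define HARD_LIMIT_DAYS 0x3CL    /* cmp eax, 3Ch     (60)    */
#define TRIAL_DAYS      0x1EL    /* cmp eax, 1Eh     (30)    */

/* Hypothetical names for the three message paths. */
enum trial_state {
    TRIAL_RUNNING,      /* "Error 3": days-remaining box      */
    TRIAL_EXPIRED,      /* "Error 2": 30 to 59 days elapsed   */
    TRIAL_EXPIRED_LONG  /* "Error 1": 60 or more days elapsed */
};

/* now / installed: timestamps in seconds (assumed unit).
 * days_left receives 30 - days on the TRIAL_RUNNING path, else 0. */
enum trial_state classify_trial(long now, long installed, long *days_left)
{
    /* sub eax,[...] ; cdq ; idiv ecx -- signed, truncates like C's '/' */
    long days = (now - installed) / SECONDS_PER_DAY;

    *days_left = 0;
    if (days >= HARD_LIMIT_DAYS)    /* jl loc_10002600 not taken */
        return TRIAL_EXPIRED_LONG;
    if (days >= TRIAL_DAYS)         /* jl loc_1000261C not taken */
        return TRIAL_EXPIRED;
    *days_left = TRIAL_DAYS - days; /* mov ecx,1Eh ; sub ecx,eax */
    return TRIAL_RUNNING;
}

int main(void)
{
    /* Constructed sample inputs: elapsed days since an arbitrary install time. */
    static const long sample_days[] = { 0, 29, 30, 59, 60 };
    const long installed = 890000000L; /* constructed timestamp */
    size_t i;

    for (i = 0; i < sizeof sample_days / sizeof sample_days[0]; i++) {
        long left;
        enum trial_state s = classify_trial(
            installed + sample_days[i] * SECONDS_PER_DAY, installed, &left);
        printf("day %2ld -> state %d, days left %ld\n",
               sample_days[i], (int)s, left);
    }
    return 0;
}
```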
To kick this silly protection and to remove the message box (Error 3), the only thing
to do is to change the
    100025DB  7C 23                jl    short loc_10002600
to
    100025DB  EB 54                jmp   10002631
This will jump to just behind the message box (Error 3), but it shouldn't jump onto
the
    1000262E  83 C4 08             add   esp, 8
because this will kill the program by modifying the stack.
As usual, questions, ideas, suggestions, etc. can be sent to
mailto:twd(point)rulez(at)gmx(point)net
http://twdrulez.home.ml.org
Cracking this program was very simple. One breakpoint on GetLocalTime was enough.
Why someone should use this program is very easy to explain. The overbloated
M$ programs make it necessary.
I won't even bother explaining to you that you should BUY this target program if
you intend to use it for a longer period than the allowed one. Should you want
to STEAL this software instead, you don't need to crack its protection scheme at
all: you'll find it on most Warez sites, complete and already regged, farewell.