aUTOWINNET 95 v4.0b
(An interesting protection based on a "weird" use of a keyfile)

by xOANON / UnitedCrakingForce

(19 August 1997, slightly edited by Fravia)


Courtesy of Fravia's page of reverse engineering

Well, xOANON criticizes me, may be rightly, for being AGAINST keygenerators. Truly I believe that we should NOT deliver ready made cracks to the zombies, but teach anyone who cares to work at least a little how to tackle difficult software reverse engineering sessions... yet I'm ready to change my mind: if somebody can explain me the point of cracking one hundred times the same banale protection schemes in order to give to many luser, that will never in their life understand the difference between xoring and oring, the possibility to use for free some crap application I will, pheraphs, change my mind... (and yes, what xOANON writes is also true: I would like you all writing essays on difficult reverse engineering sessions... because this is the task that long ago +ORC entrusted to me and because everything you learn IS everything you teach :-)

This said, xOANON's essay, that we present to you today, is as usual outstanding AND interesting... gee! The name you enter copied 430 times... the protectionist must have thought: "this will give them a lesson! Try to breakpoint memory on this whole lot of locations, stupid cracker!"... Ah!

aUTOWINNET 95 v4.0b
An interesting protection based on a "weird" use of a keyfile
Your name copied 430 times and a "growing" file which modifyes the shadow!

by xOANON - uNITED cRACKING fORCE 1997


	Hi there! it's a lot of time i don't write an essay.... eh eh, ya know.... 
it's summer, i'm too busy molesting girls and stuff! :))) But, some 
days ago i mailed Fravia to ask him something ... and he replied "Don't waste 
your time cracking for the zombies that would not recognize a byte if it would 
stay up and bite them a finger off... write essays and teach the poor sods 
how to do it instead!". 
	I think Fravia is a little bit hostile to the work we all crackers do every 
day for our groups, like cracking warez, he'd want we all only write essays! 
But let's close this little parenthesis, and begin talking about this essay.

I got AutoWinnet 95 Pro v4.0b last day, and i'm really happy to see a kind of 
protection like this. I mean, there's nothing really difficult, as you will see, 
but it's a "new" mode of using a keyfile which maybe less experienced crackers 
could not be able to understand at all. 

I think this essay can be put also in the "stupidity" section..... but i leave 
the decision to Fravia himself. As i said, is not too hard to crack. It seems 
difficult at a first approach, but when you realize how it works... well, it
turns out to be one of the easiest. :)


Ok, let's start.


First of all, get the program at http://www.webcom.com/autownet/download.htm After installing it, prepare your cigarettes (if you smoke, but also some chips/coke/etc. would work fine) and SoftICE and run it. As you will see, a pretty nagscreen appears, reminding to register this app. Don't bother about it and step ahead. Locate the "Enter Registration" option in the "Tools" menu and... ooops, "No keyfile found" appears. Since the programmer is so clever to tell you also the name of the keyfile, choose your favourite hexeditor (mine is HexWorkshop) and immediately create in the installed directory a file named "autown95.key" with a bunch of bytes (ex. 121212121212 [TM of +ORC]). Now, retry. As you can see, now you can enter a name. Do it, and you will get the error "Your name did not match the keyfile". So, what do you think? Maybe in the keyfile there should be a registration number or something? Who knows? Let's start our LIVE approach with SoftICE. Setting a BPX on HMEMCPY you will get easily inside the code of the program, and after some steps you'll land here: :00481826 BAF8184800 mov edx, 004818F8 :0048182B E8D425F8FF call 00403E04 :00481830 8B55F8 mov edx, dword ptr [ebp-08] :00481833 A13CA94900 mov eax, dword ptr [0049A93C] > Your name at DS:EAX :00481838 E8FF90FFFF call 0047A93C > Here are done the calcs :0048183D 84C0 test al, al > AL=0? :0048183F 740C je 0048184D > Yes=Bad guy,jump over! :00481841 C70568A9490001000000 mov dword ptr [0049A968], 01 > AL=1? Good guy! :0048184B EB5F jmp 004818AC * Referenced by a Jump at Address:0048183F(C) | * Possible StringData Ref from Code Obj ->"The name you entered did not match " ->"your keyfile. Please read your " ->"registration Email again, then " ->"retry by using Tools/Enter Registration " ->"from the main menu" As you can see, NOPPING this JE will (maybe, i didn't tried it) crack the program too. But i think we're here to learn, no? So, it is better to examine the program a little bit deeper, in order to accomplish the real goal of this essay: making a working keyfile. So, back at work. If you trace inside the CALL 47a93c you will find something interesting. Look here: :0047A9A2 BBAE010000 mov ebx, 000001AE > sets ebx to 430 dec. * Referenced by a Jump at Address:0047A9B3(C) | :0047A9A7 8D45E4 lea eax, dword ptr [ebp-1C] > ds:eax = your name :0047A9AA 8B55FC mov edx, dword ptr [ebp-04] :0047A9AD E85294F8FF call 00403E04 > after this call, you can see at ds:edx :0047A9B2 4B dec ebx your name copied :0047A9B3 75F2 jne 0047A9A7 > for 430 times!!!! Hmmm.... what the f?@*k is happening? if you do a D EDX now, you will see your name repeated exactly 430 times....... ri-hmmmm.... let's step a little bit more: :0047A9B5 8D4DF4 lea ecx, dword ptr [ebp-0C] :0047A9B8 8B55E8 mov edx, dword ptr [ebp-18] > here comes a crypt_table in edx :0047A9BB 8B45E4 mov eax, dword ptr [ebp-1C] > your 430 names in eax :0047A9BE E8A5FEFFFF call 0047A868 > calculations with your name & cryptable :0047A9C3 33F6 xor esi, esi as you will see, no need to know much more about this. :0047A9C5 8B45F4 mov eax, dword ptr [ebp-0C] > the beginning of a new "table" coming from your name&cryptable :0047A9C8 E82F94F8FF call 00403DFC > other calculations with this table, result in eax :0047A9CD 85C0 test eax, eax :0047A9CF 7E13 jle 0047A9E4 :0047A9D1 BB01000000 mov ebx, 00000001 Here comes the interesting part: :0047A9D6 8B55F4 mov edx, dword ptr [ebp-0C] > ds:edx = new table :0047A9D9 0FB6541AFF movzx edx, byte ptr [edx+ebx-01] > Get each element of this table :0047A9DE 03F2 add esi, edx > and adds it to esi :0047A9E0 43 inc ebx > until ebx matches :0047A9E1 48 dec eax > the value in eax > coming from this CALL :0047A9E2 75F2 jne 0047A9D6 > above Well, now we have what i call a "MAGIC NUMBER" stored in EAX, coming from all the manipulations made to your name. Stepping further, you will see that the same routines are applied to your keyfile, with another MAGIC NUMBER (this time coming from what you entered in the keyfile) stored in EBX. :0047AA71 E8127DF8FF call 00402788 :0047AA76 3BDE cmp ebx, esi > That's what we're searching for, the CMP! :0047AA78 0F94C0 sete al :0047AA7B 8BD8 mov ebx, eax Now comes the ZEN part.... when i found the piece of code above, i told myself: oh, this is interesting! maybe i found the solution... probably if i would obtain esi=ebx, it would accept my keyfile. So, i BPXed the location, i exited SoftICE and i changed the contents of my keyfile.... simply, i typed in another string. What i saw when SoftICE popped up at the cmp location? Well, the number is a little bit changed, but remained about the same. Anyway, a lot (quite a lot) minor than the one in esi. Ok, let's change the keyfile again.... And now, i've had the "illumination" :) I noticed this: if the keyfile grows (I mean: if there are more bytes in it) the number in ebx grows. I said: what kind of weird algorithm is this? It means that no matter what's in the keyfile, the only thing checked is how many characters are in it?? YESSSSSSS, more or less YES! :) So, let's start creating an huge keyfile with anything you want.... you can also type in it your favourite song lyrics, no matter :) Just use the copy/paste feature (present in HexWorkshop) to repeat what you typed, else it will take too much time to create the keyfile. Obviously, everytime check with softice how your baby is going..... if ebx is going to be near to esi. When you are at this point (ex. EBX= 409CB and ESI=409DA), ZEN again. I already told you that not only the size of the file is checked, but something more. I don't know what (maybe some kind of sum of the value of the bytes.... i don't know), nor I care much... since i found a fast way to accomplish our goal. When you're near to match EBX with ESI, simply modify a byte in the file. Modify it in the following way: Get one byte (what you want), for ex. an A=0x41 hex. Now, assume that you have an EBX only minor of ESI by 2. So, change your A in C=0x43 (41+2). And.... IT MATCHES! :) Same if you have EBX major of ESI... in that case instead of adding, you have to subtract. After some experimentation with the BPX set on the cmp instruction you will easily find the correct way. I know, it's weird..... but works. Now you have a functional keyfile, maybe for all versions of AutoWinnet. Later..... PS: i'm like 100% sure that the programmer intended the keyfile to be the table we found there, calculated with your name and the program's cryptable.... but maybe he didn't know his routine would work also with our "handmade" keyfiles :)))
(c) xOANON 1997 cRACKRIGHTS RESERVED
You are deep inside fravia's page of reverse engineering, choose your way out:

homepage links red anonymity +ORC students' essays academy database
tools cocktails antismut CGI-scripts search_forms mail_fravia
Is reverse engineering illegal?