FrontPage 98 English beta 1 for Windows 95 & NT 4.0
(They are getting tougher)

by Epic Lord

(14 August 1997, slightly edited by Fravia)


Courtesy of Fravia's page of reverse engineering

Well, Epic Lord has worked 'in a hurry', but his crack is nevertheless quite effective and interesting... so Micro$oft is now writing "scarecrow" phrases like "This copy of Microsoft FrontPage has been modified in a way which is in violation of the license agreement"... poor sods! And some anti-WinICE tricks as well... mmm, we'll have to keep half-awake to defeat M$ protections in the future :-)

Well, I hope this essay will become my contribution to Project 9, 
namely reverse engineering all the Micro$oft products' protection 
schemes! I apologize for my English.

The target is "FrontPage 98 - English Beta 1 for Windows 95 & NT 4.0 - US
English Version". A long name. It can be found at Microsoft, located at 
http://www.microsoft.com/msdownload/fp98/05000.htm, if you're lucky. 
Anyway, even if they retire/modify it after the publication of this essay, 
too many people will already have downloaded it (and too many magazines 
will already have published it) to halt this snowball rolling :-)

BTW, it is approximately 20 MB. Pretty big to download over a 14400 bps
connection, but I wanted to be the first one on the subject :=)

The product is really bloated; it spans more than 80 folders and 950
files. In the BIN folder alone there are more than 30 files.

Let's begin.

I started the FrontPage Explorer (fpexplor.exe): the target started. I changed 
my system time to a couple of years ahead and started it again: the target 
did not start. 
I started the FrontPage Editor (fpeditor.exe): it started. 
I tried again: it did not. 
Well, the various programs under examination are writing something 
somewhere (huh? a clever conclusion :=)

First of all I disassembled the target file (fpeditor.exe) and found 
nothing. The same thing happened while I was working on M$ Publisher. 
The protection must dwell somewhere outside the main code; it must be 
easily editable and must be undercover. 
YES! Look at the .dll files.

Well, there are 22 .dll files in the BIN folder. A couple more are in the
SYSTEM directory. 
Let's get tougher :=) 
I searched the files for the word "expired" and couldn't find 
anything at all (DUH). 
Multibyte characters!!! Therefore I searched for the sequence 
"65 00 78 00 70 00 69 00 72 00 65 00" 
which is "expired" interleaved with 00h separators. 
I could forget cracking this target... I couldn't even find the target itself yet! 
The search string is in "fp30cutl.dll"... bingo!
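As an added illustration of the wide-string search described above (this is not code from Epic Lord's essay, and the sample buffer is constructed, not bytes from FrontPage), the function below encodes a word the way a Windows "wide" string is stored and finds it in a binary; it also generalises to extracting every UTF-16LE run, the way `strings -e l` does, so a plain 8-bit search that finds nothing is no longer a dead end:

```python
"""Search a binary for a string stored as UTF-16LE: the "multibyte" form the
essay describes, each ASCII character followed by a 0x00 byte."""
import re


def utf16le_pattern(word: str) -> bytes:
    """Byte sequence a 'wide' Windows string occupies in a file,
    e.g. "expired" -> 65 00 78 00 70 00 69 00 72 00 65 00 64 00."""
    return word.encode("utf-16-le")


def find_utf16le(data: bytes, word: str) -> list[int]:
    """Offsets of every occurrence of `word` stored as UTF-16LE in `data`."""
    needle = utf16le_pattern(word)
    offsets, start = [], 0
    while (pos := data.find(needle, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def wide_strings(data: bytes, min_len: int = 4) -> list[tuple[int, str]]:
    """(offset, text) for every run of at least `min_len` printable ASCII
    characters each followed by a NUL: the same idea as `strings -e l`."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pat.finditer(data)]


# Constructed sample buffer (not bytes from FrontPage): opcode-looking junk,
# an 8-bit "expired" that a plain text search finds, and two wide strings
# that such a search misses.
SAMPLE = (
    b"\x55\x8b\xec\x83\xec\x10"
    + b"expired"
    + b"\x00\x90\x90"
    + "This beta has expired".encode("utf-16-le")
    + b"\x00\x00\xcc"
    + "expired".encode("utf-16-le")
)

if __name__ == "__main__":
    print("pattern  :", utf16le_pattern("expired").hex(" "))
    print("8-bit hit:", [m.start() for m in re.finditer(b"expired", SAMPLE)])
    print("wide hits:", find_utf16le(SAMPLE, "expired"))
    for off, text in wide_strings(SAMPLE):
        print(f"  {off:#06x}  {text!r}")
```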

Ok ok. I cheated. I did not think of the multibyte problem at the beginning, 
so I started SoftICE and checked what was actually going on. 
This approach led me to suspect the file "fp30cutl.dll". 
Do what I say, not what I did. 
BTW, try SoftICE: 
you will not find anything. The "Expiry" dialog box will pop up and, in spite of 
all the debugging capability you have, none of the breakpoints will
activate. 
Fravia+ is right. They are getting tougher.

Using a debugger will not be enough. 
The target calls the .dll, and the .dll in turn calls another one. 
For "FpEditor.Exe" I added "fp30cutl.dll" to the exports list of SoftICE and 
restarted my system. 
I put a breakpoint on fp30cutl.!ORD_0074 and let the babe run.
Nothing happened. No bp popup. Gee! What was wrong? 
Well... I put a memory R/W breakpoint at [67B5546B] and now! Look! It pops! 
I played a little with the code, and wow! A system error dialog appeared,
saying "This copy of Microsoft FrontPage has been modified in a way which 
is in violation of the license agreement".

Nice! We are getting somewhere!

I studied the code and found no CRC, nor any similar checking. 
The "modified" message comes simply from comparing fixed memory locations. 
However, it's getting late, 05:30 in the morning, the cracking session 
was heavy... sorry for the short climax, but that's all, the rest you'll 
understand yourselves...

I will not delve into the details of the date checking and the other comparisons
(put 1990 in EAX, add 7, find 1997, etc.); let's crack it straight on.

The suspect culprit is the jump below:
:67B2CC74 750B                    jne 67B2CC81

Patching the value of BX in order to get the correct flags after the 
comparison makes you Micro$oft_guilty (you get the "modified" dialog above). 
Study the code piece above. 
Therefore, quite simply...

	LET'S IGNORE THE JUMP, REPLACE IT WITH 40 48

Ok. That's all folks. I'm fast, huh? :=) BTW, with this patch, all other
components will run smoothly.

Best wishes, Epic Lord, epic@lords.com.

Thank you Fravia+

note: I do not claim any right for this essay :=)
(c) Epic Lord 1997. No rights whatsoever reserved