|
by flipper, 1 January 1998 |
here | |
|
This new smart "colored bar" look will be used throughout this new year and is
a present of Flipper as well :-) Note that all this is obtained through a simple
TABLE, and does not slow down your loading of these pages at all. It would be very
nice if all people sending essays would from now on use this as *THE* model to
follow. I don't need to present you neither flipper (one of the best +HCU's contributors and friends) nor this essay, since flipper's approach is outstanding clear. Just read on. |
|
Cracking Seattle Labs' SlMail 2.6 Build 1098
Written by Flipper (upg) on December 30th, 1997. |
|
( )Beginner (x)Intermediate ( )Advanced ( )Expert
An understanding of how to create a dead listing of a program is required, as well as a basic understanding of procedure calling. |
|
It's been a while since my last essay, so I hope this one more than makes up for my leave of absence while trying to program another ultimate protection in Visual Basic. Today we have here another protection that many new crackers have stayed away from, thinking that it was too difficult, or the program files were just too big. Another complaint by newbies is that the protection is not contained inside a DLL or inside just one EXE, it actually spills over into a control panel applet. |
|
Windows Disassembler v8.x Hackers View v5.66 Of course, you may choose any tools you like to complete the job :-) |
|
It always helps to look back at a software company's previous protections
to get a better undetstanding of the new target's inner workings. In the
case of SlMail, the protection scheme used up to v2.4 was a simple date
expiry check using GetSystemTime, nothing more. A serial number
could be entered from the control panel applet, and a message box alerted
you if you made a mistake. SoftIce quickly took care of that little mess,
but even I still had problems using a debugger to grab a serial number
out of memory.
Knowing that there had to be some kind of date check, I figured why not crack that directly; That would most likely prevent all of my discovered serial numbers from being blacklisted, right? Seattle Labs likes to make money just like anyone else writing software, so they started using a new protection scheme as of v2.5. Many serial number 'addicts' cried for a new number that would let their precious software run, but alas.. none have surfaced -- the company's investment saved. But wait! Lo and behold, there is another method which I'll show you that involves nothing more than a basic understanding of how any procedure stores and returns a value in register EAX. |
H E E S S A Y |
~ Dead List SLMAIL.CPL It's in your windows system directory. Don't worry, it's just a control panel applet. It is no different than a normal executable file except it uses CONTROL.EXE as a stub to perform configuration tasks at a system level. Why start with the control panel applet you ask? Because you'll find the method of protection almost instantly. Beginners may need to poke around the code a little before figuring out which jumps to follow, but seasoned crackers will almost immediately see the patch right before their very eyes. Now, we need to search for a string, preferrably one that puts us right after the protection call. Think logically for a second, (make a chart if you have to) and observe your target. Set the date ahead one year, what happens? Since I've already done all the hard work for you, I'll give you the steps I used to figure out what string to choose. Set clock ahead one year. Applet still loads, but it says "There are too many lists..." Clearly a violation of the license agreement for our trial period. Click on the "tab" that shows the registration information. Still says it's in DEMO mode, but at the bottom there's a new message that reads "This version of SlMail expired on..." Well, what did it say before? "This version of SlMail will expire on..." Clearly, if the program still thinks it's in the demo period, it will run forever. We must search for the string that is displayed on the registration screen, at the bottom, before our trial period is up. ~ Search for "This program will expire on %A, %B %d, %Y" Use dasm's built in String Reference list to find it, or search for it by hand using CTRL+F. You'll find it at 010B6099. Look above this string reference for a minute, and gaze deeply into the code.. see anything yet? If you missed it, here's a complete browsable listing of the procedure and the important calls it makes. Please note that the assembly listing shown has the starting address where the code begins, and the actual commands below without line numbers or file offsets. * Referenced by a CALL at Addresses:010B4DED, :010B52FD | :010B6040 push FFFFFFFF push 010F9B78 mov eax, dword ptr fs:[00000000] push eax mov dword ptr fs:[00000000], esp sub esp, 00000008 push esi mov esi, ecx push edi lea ecx, dword ptr [esp+08] call 010E3375 mov eax, dword ptr [esi+00000140] lea edi, dword ptr [esi+00000140] test eax, eax mov [esp+18], 00000000 je 010B611F push ecx mov eax, esp mov dword ptr [esp+10], esp push eax call 010DE6E3 mov ecx, edi call 010B6350 ; call the check procedure and return a value in EAX. test eax, eax ; an otherwise good protection given away in one line! je 010B60DC * "This program will expire on %A, %B %d, %Y" | push 0000073A lea ecx, dword ptr [esp+0C] call 010E3A1D mov ecx, dword ptr [esp+08] lea edx, dword ptr [esp+0C] push ecx push edx mov ecx, edi call 010DE6F6 push eax lea ecx, dword ptr [esi+00000128] mov [esp+1C], 01 call 010E35B9 lea ecx, dword ptr [esp+0C] mov [esp+18], 00 call 010E34C0 jmp 010B61BC * Referenced by a CALL at Addresses: |:010B49AD, :010B4B17, :010B4B7F, :010B4BE7, :010B4C4F |:010B576D, :010B5852, :010B58DA, :010B5962, :010B59EA |:010B6090 | :010B6350 mov ecx, dword ptr [ecx] mov edx, dword ptr [esp+04] xor eax, eax ; set EAX to 0. How quaint. cmp ecx, edx setg al ret 0004Right before the jump that decides whether or not we're still in the demo period there is a call to a procedure that assigns some values to ECX and EDX. In that same procedure, EAX is set back to 0 with the command 'XOR EAX, EAX'. When the procedure returns there is a 'TEST EAX, EAX' which is testing the zero flag of EAX. Jump if Equal (JE) to 0 right into the code which tells us the program has expired. A simple deduction can now be made. If EAX is not equal to zero when the procedure returns, the program has expired. At this point, I'm not going to bother exploring the workings of the code, I'll leave that as an exercise for the reader. Patching SLMAIL.CPL Load up SLMAIL.CPL with Hackers View (you'll soon see why I settle for nothing less than this extraordinary hex editor). +-- how to convert dead list addresses for use with 'hiew' --+ | | | find the address you want in the dead listing. let's say | | it's 010B6356. All you have to do is change the first 3 | | digits to zeros, and add a period in front of the number. | | | | examples | | | | 010B6356 becomes .000B6356 00408BF1 becomes .00008BF1 | | | +------------------------------------------------------------+Press F5, type in .000B6356 and press enter. You'll soon find yourself at the proper location with the cursor positioned over the bytes 33 C0. Press F3 and type right over top of those bytes either one of these two possibilities. Since we don't want EAX to ever equal 0, the XOR statement must be replaced by code that does not affect the status of EAX. Two NOPs will do the trick, but I like the INC EAX/DEC EAX approach. They both have no effect on EAX. 1. 90 (NOP) 2. 40 (INC EAX) 90 (NOP) 48 (DEC EAX)~ Dead List SLMAIL.EXE Same deal, only this time we know what the protection code will most likely have the same TEST EAX, EAX instruction somewhere after a license violation messagebox. Set clock ahead one year. Program still loads, but it says "Registration check has failed." Clearly a violation of the license agreement for our trial period once again. Same old trick as before, if the program thinks it's in the demo period, it will run forever. We must search for the string that is displayed upon loading the program after the demo period has expired. ~ Search for "Registration check has failed." Below is a listing of the code, with all important calls linked so you can follow the path of execution. Once again I'll be showing the quickest route to the protection code. When cracking, it's always a good idea to 'trace' through an important procedure/function call just to make sure you haven't missed anything. In this case, it paid off. :0041F057 "SLMail Control Panel" | mov ebp, 00000001 push esi push edx mov dword ptr [esp+24], ebp call 0041EB80 mov ecx, dword ptr [esp+24] add esp, 0000000C test ecx, ecx mov dword ptr [0045B594], eax jne 0041F08C mov eax, dword ptr [0045B5E0] push edi push esi * "Registration check has failed." | push 00001459 push eax * USER32.LoadStringA | Call dword ptr [0045D6FC] jmp 0041F0B2 * Referenced by a CALL at Address:0041F062 | :0041EB80 call 00420C10 mov ecx, dword ptr [esp+04] mov dword ptr [ecx], eax * Referenced by a CALL at Addresses:0041EB80 , :0042D98E | :00420C10 sub esp, 00000020 lea eax, dword ptr [esp] lea ecx, dword ptr [esp+10] push eax push ecx call 004211A0 add esp, 00000008 test eax, eax je 00420C44 lea edx, dword ptr [esp] lea eax, dword ptr [esp+10] push edx push eax call 00420BA0 add esp, 00000008 neg eax sbb eax, eax inc eax add esp, 00000020 ret * Referenced by a CALL at Address:00420C1D | :004211A0 sub esp, 0000003C >> large ammount of code removed to save space. call 00438060 add esp, 00000030 test eax, eax jne 0042131D * Referenced by a Jump at Address:0042121E(C) | :0042131D mov eax, dword ptr [esp+50] >> large amount of code removed to save space. cmp word ptr [eax+06], 0000 jne 0042136B xor eax, eax ; set EAX to 0. What a surprise. pop edi pop esi pop ebp pop ebx add esp, 0000003C retWhat do we have here? Before the message box there is a call that takes us deep into the code.. but if we trace through the clutter and spend a little time organizing our thoughts, we'll soon see the jump to the final block of code where EAX is set back to zero. Since we don't want EAX equalling zero (thus bypassing the license violation) after the demo period has expired, we'll use the same technique as described above. Patching SLMAIL.EXE Load up SLMAIL.EXE with Hackers View. Press F5, type in .00021361 and press enter. You'll soon find yourself at the proper location with the cursor positioned over the bytes 33 C0. Press F3 and type right over top of those bytes either one of these two possibilities. Since we don't want EAX to ever equal 0, the XOR statement must be replaced by code that does not affect the status of EAX. Two NOPs will do the trick, but I like the INC EAX/DEC EAX approach. They both have no effect on EAX. 1. 90 (NOP) 2. 40 (INC EAX) 90 (NOP) 48 (DEC EAX)That's as far as we have to go with SlMail. The control panel applet will never expire (thus allowing you to manage the user database without the restrictions imposed by the demo version), and the main program will never expire allowing you to actually process the mail. A pair of nice byte patches for a well written program. |
|
I wont even bother explaining you that you should BUY this program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell. |
|
I just wanted to thank all those who need thanking before I forget. Greets
to fravia+ for the best page on the net, and to +RCG for one
hell of a
protection.
Before I finish up this essay, I just wanted to say a few words to all newbie crackers who tried to crack SlMail and just couldn't find the right code fragment, etc. Don't be discouraged. Cracking takes time, and as we all learn to break more and more complex protections, the more challenging the good non-commercial protection schemes get. Protectors (slowly) learn too. I can remember a time when most computer users either had an Atari or a C64, and a program by the name of GEOS was being shown off as the 'windows' clone of the decade. What Micro$oft had stolen from Xerox and IBM, Berkely Softworks decided a Commodore port was in order. Using such tricks as half-tracking and physical disk sector density checks, no one was able to copy this widely used desktop application. Time passed, and finally a cracker broke the protection (which was by now used on _every_ major C64 game at the time, about a year later) and many software companies went under, due to the fact that all of their software was now being pilfered over QuantumLink and Compuserve. The golden age of cracking died out long before IBMs took over the corner of your office cubicle, but it has now returned like never before. Thanks to +ORC and his students you too can learn to defeat the latest and greatest protections -- and that my friends, is just the beginning of a new golden era in cracking. (c) flipper (upg) 12/30/97 All rights reversed. |
|
tools cocktails antismut CGI-scripts search_forms mail_fravia+ Is reverse engineering legal? |