Instant removing of CrypKey (together with a lock)
Unwrapping the wrapped
progcor
Programmer's
corner
7 May 1998
by Marigold
Courtesy of Fravia's page of reverse engineering
slightly edited
by fravia+
fra_00xx
98xxxx
handle
1100
NA
PC

"We believe that CrypKey is the best copy protection system available, with an approximate 2 year technological lead on the nearest competition. With our strong growth, world-wide acceptance and continual enhancements, we believe that CrypKey will help keep YOU at the forefront of technology if you choose to join our list of satisfied customers, who include Motorola, Panasonic, SEGA, IBM, Sybase, and Hewlett Packard to name a few."

Ah ah ah! Commercial assholes! Enjoy!
There is a crack, a crack in everything That's how the light gets in
Rating
( )Beginner (x)Intermediate (x)Advanced ( )Expert

Protection by "wrapping", "injection" and similar methods seems to be on rage nowadays. Here is another example.
Instant removing of CrypKey (together with a lock)
Unwrapping the wrapped
Written by Marigold


Introduction
CrypKey protection (by Kenonic Controls Ltd) struck me as very cracker-friendly, especially in comparison with Vbox. I would never bother to write about it, had I not received a piece of spam from the company. You only read this:
"We believe that CrypKey is the best copy protection system available,
with an approximate 2 year technological lead on the nearest
competition. 
With our strong growth, world-wide acceptance and continual
enhancements, we believe that CrypKey will help keep YOU at the
forefront of technology if you choose to join our list of satisfied
customers, who include Motorola, Panasonic, SEGA, IBM, Sybase, and
Hewlett Packard to name a few."
What a flagrant boasting! What ignorance! Hope, the crack I made will let some light into their heads (and into the heads of their satisfied customers... no wonder Motorola is there: sunset boulevard!).
BTW, "2 year lead" places them into year 2000 and makes an ideal target for next millenium +crackers :-)))
Our real target is CrypKey Instant 4.3.1. As with all similar protections, the protected proggy itself (the actual target of this reversing session) is irrelevant, so we'll take CrypKey Slot Machine, which is distributed as a protection demo.
Methods, with which protections of this kind are cracked, are quite standard in their own way. So, it is strongly recommended to read the relevant essays, for instance my own ones on TimeLock and, maybe, Vbox. I rely on reader's knowledge of PE-file structure and SoftDumping.

Tools required
SoftIce - master debugger (everywhere on the Web)
+Quine's SoftDump
Hiew566 - disassembler/hexeditor (everywhere on the Web)

Target's URL/FTP
HTTP :Slotz.exe
or
FTP :Slotz.exe

Program History
Never heard before

Essay

Disassembly of the target gives a strong deja vu feeling: again an obviously extra section CODE with the Entry Point in it; again some trouble with imported objects.
Let's go to .idata section. Of course, it is mutilated. With close look one can see that the first 100h bytes are removed and some crap is placed in here. (With those PE-files one have to feel not only the code, but the idata section, as well! ;-)
Well, it seems we have no choice but go to CODE section.
Never seen such a well-commented protection! For cracker not to miss the "hidden" chunk of .idata, his attention is attracted by a string "Resolve Imports". Almost immediately after it, at 41150, (all addresses are RVA) we have our 100h bytes! Of course, we are returning them to where they belong.
Code itself begins with a loop that decrypts the next 0DCh bytes (XORing them with an openly stored mask). These bytes do the usual dirty work of license-checking, and let them do. We go to the following code:
0041FBD: 5B              pop    ebx ; = (4)41E53
0041FBE: 8BC3            mov    eax,ebx
0041FC0: 83EB04          sub    ebx,004
0041FC3: 8B0B            mov    ecx,[ebx]
0041FC5: 2BC1            sub    eax,ecx
0041FC7: FFE0            jmp    eax
For me it reads like: "Take a DWORD preceding the Entry Point and subtract it from the Entry Point address to get the real Entry Point." (41E53 - 387D3 = 9680) Do you see now why they inserted a string "EntryMarkHere" at 41E3E?
Having looked at the real Entry Point, we can instantly see that 1000(dec)=3E8h bytes here are encrypted. (We feel code +ORC's way, don't we?) Encryption is made by XORing with a pseudo-random mask, but we shouldn't bother about it: we're just waiting for the protection to decrypt code to dump then those 3E8 bytes with SoftDump to a file. (To patch them, of course, in place of encrypted crap).

I hope, you already know what to do next:
1. Cut the CODE section off the file.
   In PE-header correct:
2. Number of Sections  |086: 06 -> 05
3. Entry Point         |0A8: 531E0400 -> 80960000
4. Image Size          |0D0: 00304000->00104000 (optionally for 95, but obligatory for NT!)
5. Erase the CODE section header

Cracking in the best traditions of "virginity restoration" is done.


Any trialware, which limits number of runs, has necessarly to mark in some way the computer to prevent "the license prolongation trick" by simple reinstallation. As Slots issues a license only for 2 runs, it may be of practical interest to prolong it (if you failed to crack it within the legitimate trial period). CrypKey Instant marks computers differently under Windows95 and NT.
Under NT it all is simple enough. Additional NT driver start the service "CrypKey License". License information is recorded in the file esnecil.ind ("license" inverted, ah ah ah) in the system directory. This file cannot be deleted (which is our objection) or changed when the service is running (even if disabled). So, to renew your license you may:
1. Remove drivers with
 setup_ck /D 
command, delete the file and then reinstall drivers! ; or
2. Load computer from a floppy in DOS mode and delete the file.

Under 95, when your license is expired, the program scans all directories on disk C: and writes in some of them at random 4-byte-long strangely named files with content "00 00 00 7C" (in my case). At every start, the program scans directories in search for these files and, if at least one was found, displays message about license expiration and quits. Removing these files (I found about a dozen) improves the matter, but not decisively. Now program tells that it can't access id information on your HD, which obviously means that there is another mark somewhere. I had no patience to explore the problem to the bottom and solved it with a simple patch in cryp9516.dll.
File 
offset
007A56: FF76F4             push   w,[bp][-000C]
007A59: FF76F2             push   w,[bp][-000E]
007A5C: 9AD071BC71         call   001:071D0 
007A61: 83C404             add    sp,004
007A64: 8946FC             mov    [bp][-0004],ax -> xor    ax,ax
007A67: 0BC0               or     ax,ax          -> mov    [bp][-0004],ax
007A69: 752B               jne   .0000171C6      -> or     ax,ax ; to avoid nop-ing 
007A6B: 837E0800           cmp    w,[bp][00008],000
007A6F: 7408               je    .0000171A9  
Now the license is renewed automatically when expired.

Final Notes
Targets, protected with CrypKey, may be regged with some license code. Some other approaches to cracking in this case may exist. But, IMHO, this kind of protection is specially conceived to be totally removed from target.

Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.

You are deep inside fravia's page of reverse engineering, choose your way out:

redhomepageredlinks redsearch_formsred+ORCredstudents' essaysredacademy database
redreality crackingredhow to searchredjavascript warsredtoolsredanonymity academy redcocktailsredantismut CGI-scriptsredmail_fravia+
redIs reverse engineering legal?