w32dasm8.9
ultraedit 6.xx (or your favorite hexeditor)
This is the Rational home page and there are many directions you can go
with it from the beginning. Enjoy the variety! : - ))
This program is a super tool for all-around programmers and can be downloaded for free as noted above. Of course there is the need for a special license key, which Rational will send to you IF you provide a REAL email address, phone number, etc. That's really about it. This essay is not about defeating that protection; there is no need to defeat something that is freely open. What I will help you learn is how the license key machinery works and how to get around it. I really like this target because other programs use this exact setup, albeit with a slightly different key structure; the license .dat files are too similar for it to be a coincidence. We need familiarity with different schemas to be more well-rounded, and this provides one such opportunity. Just for your information, Nichimen makes Mirai, a high-end graphics package with the same protection base. See them at www.nichimen.com and get your own eval CD sent to you.
Unfolding Steps
1. Get Rational Rose located and downloaded
2. Install
3. Run it
4. Disassemble it
5. Fix the broken license key
6. Enjoy a superlative prog!
By the way, this Rose program is large for a web-based product, almost 40 megabytes! Prepare for several hours of download with a 56K modem. I had to use a download tool (GetRight 3.3.4) to get it because of disconnect problems. After getting your program downloaded, install it to the directory of your choice, run rose.exe (about 5200 KB) and install the license key.

Now take some time to look around inside the directories and play with the program a little bit if you wish. Remember, you only have 20 days to evaluate this product. 20 days hardly seems like enough time on such a complex piece of software; I'm sure they've made a mistake. We may be programmers, but there are other things in life, like, umm, well, like, umm... alright, there are so few things to compare with what we do, let's just drop it for now. Still, 20 days is way too short to give this program a purposeful run for the money.

As always, pay attention to the names of the windows which pop up on the screen and keep notes; there are often useful strings associated with them. As you wander, you find that there are tons of .dlls in several separate directories for Rational Rose Enterprise 98i, including the x:\windows\system directory. Did you pay attention to that while it was installing? No matter, you will be able to see all of them after you disassemble rose.exe in w32dasm 8.9. Some of the .dll names will jump out at you and you should disassemble several of them. Which ones? Have a look around first and think: visualize the setup inside w32dasm, and use the tools inside w32dasm as it runs the disassembled rose.exe. That is really the only executable you need to deal with directly; the .dlls it loads are where the interesting code lives. It will open up to almost 70 megabytes of disassembly. Whoa.
Be sure to have enough disk space again, say over 200 MB free, before beginning the disassembly of rose.exe. (I have used w32dasm 8.93, but I don't like it as well as the older version because of its printing problems, even though the newer version is a bit faster at disassembling; use whichever you like.)
We have already reached step 5 in the lesson. That was fast! This is where the rubber meets the road, as they say, the business end of the stick. Did I say the 20-day limit was way too short? We need to work on that now, so we won't be upset when the program gives us that nasty little box:
    Rational Licensing Key Error
    Failed to check out a rose_enterprise_windows licensing key
    Feature has expired
    If you are evaluating this product blah, blah, blah.
    [OK]   [Launch License Key]
Now that you've played with the program enough, you've either reached the time limit by yourself or you set the clock ahead like I did, just to get past the suspense. You will already have seen that even with the "good" program working, a User32.DialogBoxParamA box pops up with the "Rational Licensing Key Error" title. You can't do much about it yet, but it will be important to help us. The point is, there is no error at that time even though the title implies there is: this is the only dialog box they use, and different messages are simply displayed in it. I guess they were too lazy to create another dialog.
Go ahead and load your disassembled program and run it from w32dasm. Set w32dasm to break on .dll load; this will make it easier to follow the flow of the program as it runs. There will be a splash screen and a short time later you will encounter the failed-license screen shown above. You won't immediately see the correct .dll in the window, but the program stops anyway because this DialogBoxParamA expects a choice from you: you must click either OK or Launch License Key. Before you press anything else, click the single-step key in w32dasm so the program won't go anywhere until you release it. Now you may click the "OK" button and find out where the dialog box came from.
Man oh man, look at this stuff. I included this lengthy section of code to show you just one thing: there is no easy way out, no jumps to take. We are at the very beginning of this .dll (RSCOMMONUI.DLL). Where we should be is the line marked HERE, 102A109B, the call to USER32.DialogBoxParamA: that call is WHY the message pops up in the first place, so we really need to get in front of all this. But how? Good question. Two things are worth reading off the listing before you move on. First, the five pushes ahead of the call are DialogBoxParamA's arguments in reverse order: hInstance (eax, loaded from [102A7488]), the template 000000C9 (which w32dasm resolves to DialogID_00C9, the same dialog every message is shown in), hWndParent (esi, the result of GetActiveWindow), the dialog procedure at 102A11FE, and dwInitParam 0. Second, the "Possible StringData Ref from Code Obj ->"VWh"" comment is not a real string: it is w32dasm reading the first three bytes of that dialog procedure (56 57 68, push esi / push edi / push imm32) as text.
+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
//********************** Start of Code in Object .text **************
Program Entry Point = 102A45AF (RSCOMMONUI.DLL File Offset:000095AF)

:102A1000 B8F8482A10       mov eax, 102A48F8
* Reference To: MSVCRT._EH_prolog, Ord:0042h
:102A1005 E8F6320000       Call 102A4300
:102A100A 83EC48           sub esp, 00000048
:102A100D 56               push esi
:102A100E 57               push edi
:102A100F E85F310000       call 102A4173
:102A1014 50               push eax
:102A1015 8D4DE8           lea ecx, dword ptr [ebp-18]
* Reference To: MFC42.MFC42:NoName0057, Ord:1943h
:102A1018 E8C32E0000       Call 102A3EE0
:102A101D FF750C           push [ebp+0C]
:102A1020 8365FC00         and dword ptr [ebp-04], 00000000
:102A1024 8D4DF0           lea ecx, dword ptr [ebp-10]
:102A1027 E8B1000000       call 102A10DD
:102A102C 8D4DF0           lea ecx, dword ptr [ebp-10]
:102A102F C645FC01         mov [ebp-04], 01
:102A1033 E80C010000       call 102A1144
:102A1038 83EC10           sub esp, 00000010
:102A103B 8BF8             mov edi, eax
:102A103D 89650C           mov dword ptr [ebp+0C], esp
:102A1040 8A450F           mov al, byte ptr [ebp+0F]
:102A1043 8BF4             mov esi, esp
:102A1045 6A00             push 00000000
:102A1047 8BCE             mov ecx, esi
:102A1049 8806             mov byte ptr [esi], al
* Reference To: MSVCP60.?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z, Ord:03F8h
:102A104B FF1534522A10     Call dword ptr [102A5234]
:102A1051 57               push edi
* Reference To: MSVCRT.strlen, Ord:02BEh
:102A1052 E89B320000       Call 102A42F2
:102A1057 59               pop ecx
:102A1058 50               push eax
:102A1059 57               push edi
:102A105A 8BCE             mov ecx, esi
* Reference To: MSVCP60.?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@P, Ord:0420h
:102A105C FF1538522A10     Call dword ptr [102A5238]
:102A1062 8D4DAC           lea ecx, dword ptr [ebp-54]
:102A1065 E8EA020000       call 102A1354
:102A106A C645FC02         mov [ebp-04], 02
* Reference To: USER32.GetActiveWindow, Ord:00DDh
:102A106E FF15EC522A10     Call dword ptr [102A52EC]
:102A1074 8BF0             mov esi, eax
:102A1076 8D45AC           lea eax, dword ptr [ebp-54]
:102A1079 50               push eax
:102A107A 8D45B4           lea eax, dword ptr [ebp-4C]
:102A107D 50               push eax
:102A107E 6880742A10       push 102A7480
:102A1083 E8BA010000       call 102A1242
:102A1088 A188742A10       mov eax, dword ptr [102A7488]
:102A108D 6A00             push 00000000
* Possible StringData Ref from Code Obj ->"VWh"
:102A108F 68FE112A10       push 102A11FE
:102A1094 56               push esi
* Possible Reference to Dialog: DialogID_00C9
* Possible Reference to Dialog: DialogID_00C9, CONTROL_ID:00C9, "Launch License Key Administrator"
:102A1095 68C9000000       push 000000C9
:102A109A 50               push eax
* Reference To: USER32.DialogBoxParamA, Ord:0093h
:102A109B FF15F0522A10     Call dword ptr [102A52F0]        <-- HERE
:102A10A1 8D4DAC           lea ecx, dword ptr [ebp-54]
:102A10A4 C645FC01         mov [ebp-04], 01
:102A10A8 E82A040000       call 102A14D7
:102A10AD 8B4DF0           mov ecx, dword ptr [ebp-10]
:102A10B0 85C9             test ecx, ecx
:102A10B2 7405             je 102A10B9
:102A10B4 E8CE000000       call 102A1187
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:102A10B2(C)
:102A10B9 8B45EC           mov eax, dword ptr [ebp-14]
:102A10BC 8B4DE8           mov ecx, dword ptr [ebp-18]
:102A10C0 5E               pop esi
:102A10C1 894804           mov dword ptr [eax+04], ecx
:102A10C4 8B4DF4           mov ecx, dword ptr [ebp-0C]
:102A10C7 33C0             xor eax, eax
:102A10C9 64890D00000000   mov dword ptr fs:[00000000], ecx
:102A10D0 C9               leave
:102A10D1 C20800           ret 0008
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:102A48E3(U), :102A4B17(U)
:102A10D4 8B4104           mov eax, dword ptr [ecx+04]
:102A10D7 8B09             mov ecx, dword ptr [ecx]
:102A10D9 894804           mov dword ptr [eax+04], ecx
:102A10DC C3               ret
We're still running the program through w32dasm and your windows are still open. Go ahead and place breakpoints at the two rets, at 102A10D1 and 102A10DC (see above). This way we can slow things down a bit and eventually get to where we need to be.

+ORC said in one of his earlier writings that cracking sometimes involves luck. There may be times when we end up at a place that helps us see through this dark code forest, as it has been called, but we don't remember how we got there or whether we even did it consciously; nevertheless, the end result is the same. Once you are there, though, take notes on the way out so you CAN get back in. I am an extreme note taker when I go through these programs, and sometimes it takes hours and even multiple days to sort through all this "logical" mess. All we readers ever see in the tutorials are highly condensed versions of the time and effort involved. Keep the spirit. Not all of this is easy, and sometimes spouses may not understand, but educate them about your life and passion; you'll need their support. OK, I got off on a soapbox; back to the business at hand.

Let the program run now. Keep that .dll break on and you will eventually find yourself in a brand new .dll, suite_objects.dll, exactly where you need to be. Why exactly? Because we end up at the call marked HERE:
:10581613 56               push esi
:10581614 57               push edi
:10581615 8BF1             mov esi, ecx
:10581617 8B5D08           mov ebx, dword ptr [ebp+08]
:1058161A 33C0             xor eax, eax
:1058161C 3BD8             cmp ebx, eax
:1058161E 8945FC           mov dword ptr [ebp-04], eax
:10581621 7402             je 10581625
:10581623 8B03             mov eax, dword ptr [ebx]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10581621(C)
:10581625 8B0E             mov ecx, dword ptr [esi]
:10581627 50               push eax
:10581628 56               push esi
:10581629 FF511C           call [ecx+1C]                    <-- HERE
:1058162C 8BF8             mov edi, eax
:1058162E 85FF             test edi, edi
:10581630 7D0C             jge 1058163E
* Possible StringData Ref from Data Obj ->"s"
:10581632 6850605810       push 10586050
:10581637 56               push esi
:10581638 57               push edi
:10581639 E8560F0000       call 10582594
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10581630(C)
:1058163E 85DB             test ebx, ebx
:10581640 7407             je 10581649
:10581642 8BCB             mov ecx, ebx
:10581644 E82FFBFFFF       call 10581178
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10581640(C)
:10581649 8B4DF4           mov ecx, dword ptr [ebp-0C]
:1058164C 8BC7             mov eax, edi
:1058164E 5F               pop edi
:1058164F 5E               pop esi
:10581650 5B               pop ebx
:10581651 64890D00000000   mov dword ptr fs:[00000000], ecx
:10581658 C9               leave
:10581659 C20400           ret 0004
Of course, you would never be able to find this call in the "normal" way, since it isn't referenced anywhere: call [ecx+1C] goes through a pointer in a table (ecx is loaded from [esi] at 10581625, the object's vtable, and 1C is a slot in it), so the static disassembly carries no cross-reference to its target. That's why breaks are important, whether you're using SoftICE or w32dasm. Note also what happens to the call's result: it comes back in eax, is copied to edi, is sign-tested at 10581630, and is what this function itself hands back to its caller at 1058164C. You will note in this code that you cannot jump around the call itself. So what do you do? Ah, if you have the answer to that, then the puzzle is solved already. But be careful: you will have to "fix" the code in several locations. It's not too hard to find.
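Listings copied off a page like this one get wrapped and sometimes garbled, and w32dasm's cross-reference lines only ever cover direct jumps, never a call through a pointer. The script below is an added example, not part of the original tutorial and not Rational's or w32dasm's code: it parses a w32dasm-style listing, rejoins operand lines that were wrapped, decodes every relative call/jump target from the opcode bytes and checks it against the target w32dasm printed, rebuilds the "Referenced by" cross-references, and lists the pointer calls (import slots and vtable entries, like the call [ecx+1C] above) that have no static cross-reference at all. Its input is a constructed excerpt of instructions from the two listings above; the only layout it assumes is w32dasm's ":address bytes mnemonic operands" line with "* Reference To:" comment lines.

```python
"""Added example (not from the original tutorial): check a w32dasm-style listing.
Rejoin wrapped lines, decode relative call/jump targets from the bytes and compare
with the printed targets, rebuild jump xrefs, and list calls that go through memory."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: instructions excerpted from the RSCOMMONUI.DLL and
# suite_objects.dll listings above. The jge line is wrapped on purpose.
LISTING = """
* Reference To: USER32.GetActiveWindow, Ord:00DDh
:102A106E FF15EC522A10 Call dword ptr [102A52EC]
* Reference To: USER32.DialogBoxParamA, Ord:0093h
:102A109B FF15F0522A10 Call dword ptr [102A52F0]
:102A10A8 E82A040000 call 102A14D7
:102A10B2 7405 je 102A10B9
:102A10B4 E8CE000000 call 102A1187
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:102A10B2(C)
:102A10B9 8B45EC mov eax, dword ptr [ebp-14]
:10581629 FF511C call [ecx+1C]
:10581630 7D0C jge
1058163E
:10581639 E8560F0000 call 10582594
:10581644 E82FFBFFFF call 10581178
"""
INSN_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s*(.*)$")

@dataclass
class Insn:
    addr: int
    raw: bytes
    text: str                  # mnemonic and operands as w32dasm printed them
    api: Optional[str] = None  # import named on the preceding "* Reference To:" line

def parse_listing(text: str) -> list:
    insns, pending_api, last_was_insn = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = INSN_RE.match(line)
        if m:
            insns.append(Insn(int(m.group(1), 16), bytes.fromhex(m.group(2)),
                              m.group(3).strip(), pending_api))
            pending_api, last_was_insn = None, True
        elif line.startswith("* Reference To:"):
            pending_api = line[len("* Reference To:"):].rsplit(",", 1)[0].strip()
            last_was_insn = False
        elif line.startswith(("*", "|", "+", "/")):
            last_was_insn = False      # xref lists, string refs, section headers
        elif last_was_insn:            # operand text wrapped onto its own line
            insns[-1].text = (insns[-1].text + " " + line).strip()
    return insns

def rel(insn: Insn, length: int, off: int) -> int:
    """Absolute target of a signed displacement at raw[off:length] of a length-byte insn."""
    disp = int.from_bytes(insn.raw[off:length], "little", signed=True)
    return (insn.addr + length + disp) & 0xFFFFFFFF

def branch_target(insn: Insn) -> Optional[int]:
    """Target of a relative call/jmp/jcc computed from its bytes; None for anything else."""
    b = insn.raw
    if b[0] in (0xE8, 0xE9) and len(b) == 5:                    # call/jmp rel32
        return rel(insn, 5, 1)
    if (b[0] == 0xEB or 0x70 <= b[0] <= 0x7F) and len(b) == 2:  # jmp/jcc short rel8
        return rel(insn, 2, 1)
    if b[0] == 0x0F and len(b) == 6 and 0x80 <= b[1] <= 0x8F:   # jcc near rel32
        return rel(insn, 6, 2)
    return None

def verify_targets(insns) -> list:
    """(addr, decoded, printed) for every relative branch whose bytes disagree
    with the printed target; a garbled copy of a listing shows up here."""
    bad = []
    for i in insns:
        t = branch_target(i)
        if t is None:
            continue
        printed = re.findall(r"\b[0-9A-Fa-f]{8}\b", i.text)
        if not printed or int(printed[-1], 16) != t:
            bad.append((i.addr, t, printed[-1] if printed else None))
    return bad

def xrefs(insns) -> dict:
    """target -> sources for direct jumps, i.e. what w32dasm's 'Referenced by ...
    Jump at Address' lines record (calls are left out, as w32dasm leaves them out)."""
    out = {}
    for i in insns:
        t = branch_target(i)
        if t is not None and i.raw[0] != 0xE8:
            out.setdefault(t, []).append(i.addr)
    return {k: sorted(v) for k, v in out.items()}

def api_calls(insns) -> dict:
    """addr -> imported API for each instruction that follows a '* Reference To:' line."""
    return {i.addr: i.api for i in insns if i.api}

def indirect_calls(insns) -> list:
    """Addresses of 'call r/m32' (opcode FF, ModRM reg field 2): the target lives in
    memory (an import slot or a vtable entry), so no static xref ever names it."""
    return [i.addr for i in insns
            if len(i.raw) >= 2 and i.raw[0] == 0xFF and (i.raw[1] >> 3) & 7 == 2]

if __name__ == "__main__":
    insns = parse_listing(LISTING)
    print("mismatched branch targets:", verify_targets(insns))
    print("jump xrefs:", {f"{t:08X}": [f"{s:08X}" for s in v] for t, v in xrefs(insns).items()})
    print("API calls:", {f"{a:08X}": n for a, n in api_calls(insns).items()})
    print("indirect calls:", [f"{a:08X}" for a in indirect_calls(insns)])
```

Run it on the excerpt and every printed target checks out against its bytes (including the backward call E82FFBFFFF, whose rel32 is negative), the two jump cross-references come out exactly as w32dasm's "Referenced by" lines state them, and the three FF-opcode calls (two import-slot calls and the vtable call at 10581629) are the ones no cross-reference will ever point at. Paste a fuller listing into LISTING, or read one from a file, to apply the same checks to the rest of the disassembly.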
You may email me at: jomamameister@yahoo.com
I will be glad to help anyone after they have examined this lesson and the aforementioned files. Additionally, you may find the answer hidden in this tutorial somewhere. Where? Good hunting!
Alright, one clue--seek from whence cometh rivers!! That's it. :-)
Until later-Sojourner