ULTRAEDIT-32 V. 4.40a
(Slight Variations of the Serial Number-based protection scheme)
by Aesculapius
(21 August 1997, slightly edited by Fravia)
Courtesy of Fravia's page
of reverse engineering
Well, Aesculapius (a very good
cracker with a quite interesting homepage at
http://aesculapius.home.ml.org
that you should by all means visit) demonstrates here that our protectionists
friends are (slowly) beginning to learn some elementary precautions (I wonder if Ian
Mead, the author of this pretty good program, improved his -poor- protection scheme after
the critics he got from me on this page :-).
Yet it'll
take a very long time to see such improvements applied everywhere... curiously the
snowball effect on the web is incredibly slow... you may for instance
be able to hack right now quite a lot of unix servers using tricks that have
been used in 1992 and have been published everywhere... funny but true,
the exponential
growth of the web itself makes it at
the same time "easy and difficult" to spread information, keeping all kind of obsolete methods, ideas and procedures
jolly alive (let's not
forget that the "grandpapa" of many virii: the VERY old cascade virus,
is still alive and kicking
allover the world, in spite of all norton/solomon/skulasson protections...)
Well, this essay is interesting: in order to crack "perfectioned" password
protection schemes you need only a little patience, and your brain, as usual.
ULTRAEDIT-32 V. 4.40a
Slight Variations of the Serial Number-based protection scheme
By Aesculapius
Ultra Edit-32 is a useful application. It performs as a very
competent Hex&Text editor. It's probably in text editing, where most of its
strengths are shown. The program is able to create perfectly well formatted
80 columns ASCII text with the same look and feel of our beloved old DOS
edit.com, and at the same time it includes very powerful tools like unlimited
file size, spell checking, advanced searching capabilities, custom colors,
etc. It's to my knowledge the most near-perfect tool for creating cracking
essays, like this one.
You can find the most recent copy of this application at
http://www.idmcomp.com/. The file is less than 1 MB.
The protection scheme in this baby is serial number based, and to
honour the truth, it's actually nothing we haven't seen before, although
it includes some very particular characteristics.
To mention just a few of it, after the serial number has been typed, the
program won't warn you with a "Wrong serial number typed", instead, it'll
request your permission to restart itself before the registered state
could take effect.
Moreover, the author of the program changes the serial number generation
sequence very often as well as the instructions array near the code
location of the protection scheme, in an attempt to frustrate casual
crackers and serial numbers 'aficionados'.
The result from all these facts, has been that the serial codes
include not only numbers and letters, but also commas, periods, brackets,
parenthesis... almost every printable ASCII character, you name it and
it'll be there. This fact could also confuse new crackers, given the fact
that, when trying to 'hear the echo' as +ORC taught us, we'll be looking
for chains of characters (from A to F), numbers (from 1 to 9) and maybe some
dashes, but never a code with brackets, commas, periods, and only few
numbers and letters. For instance, the Serial Code for Aesculapius
is: P/-{T2,Yi5Y
Incredible isn't it? I couldn't even put a period at the end of the
last paragraph, because even a period could have been part of the code!!!
Enough ramblings, lets crack!
We'll need the following tools: Wdsm89, WinICE 3.01 and UltraEdit 4.40a
itself to study the disassembled text. Earlier versions of wdsm and WinICE
will also work.
As usual, we'll start by loading the main executable in SoftICE,
after it pops up, press Ctrl-D and the unregistered NAG with a 45 days
warning countdown will appear. Write all the text from that window, hit
the registration button and type your name with any number as serial
code, type OK and see what happens; the program requests to be restarted
before the changes can be applied. At this point, there is no
logical reason to set a breakpoint on Windows Message (bmsg) because the
valid serial code isn't calculated in this moment. The registration window
is simply gathering your input, and the valid code will be calculated when
the program is restarted. Terminate UltraEdit and load it again
with SoftICE, set several standard breakpoints:
bpx messageboxa
bpx getdlgitemtexta
bpx getwindowtexta
bpx updatewindow
Hit Ctrl-D and hope that one of these work. SoftICE takes
control over the application at USER!UPDATEWINDOW three times, after hitting
F4 to snoop at UltraEdit screen activities, you notice that the main
screen has been already drawn but still no NAG at all. Hit Ctrl-D once
again and another USER!UPDATEWINDOW break appears, hit F12 to return from
the CALL, hit F4 to snoop, and there it is, the NAG screen finally appeared.
The snippet from the surroundings of this fourth UPDATEWINDOW breakpoint are
shown here:
:004064C5 FF75C8 push [ebp-38]
:004064C8 80A63A02000000 and byte ptr [esi+0000023A], 00
:004064CF 8D862A020000 lea eax, dword ptr [esi+0000022A]
:004064D5 51 push ecx
:004064D6 50 push eax
:004064D7 FF352C8C4900 push dword ptr [00498C2C]
:004064DD E819F0FFFF call 004054FB ; EAX=0 Unreg ; EAX=1 Reg.
:004064E2 83C410 add esp, 00000010
:004064E5 85C0 test eax, eax
:004064E7 7458 je 00406541 ; Execute the NAG
:004064E9 833D208C490000 cmp dword ptr [00498C20], 0 ;Registered?
:004064F0 754F jne 00406541; Execute the NAG
:004064F2 833D088D490000 cmp dword ptr [00498D08], 0;
:004064F9 C705208C490001000000 mov dword ptr [00498C20], 1; Flag=1
:00406503 7412 je 00406517 Reg.
:00406505 6825430000 push 00004325
:0040650A 68C81D4900 push 00491DC8 ; ->"MousePos"
:0040650F 57 push edi
:00406510 8BCE mov ecx, esi
:00406512 E84C770500 call 0045DC63
* Referenced by a Jump at Address:00406503(C)
|
:00406517 837DF000 cmp dword ptr [ebp-10], 0
:0040651B 0F849A000000 je 004065BB ; Jump away from the NAG
:00406521 6A00 push 00000000
:00406523 68C81D4900 push 00491DC8 ;->"MousePos"
:00406528 57 push edi
:00406529 8BCE mov ecx, esi
:0040652B E833770500 call 0045DC63
:00406530 6AFF push FFFFFFFF
:00406532 68401D4900 push 00491D40 ;->"Days to expire"
:00406537 57 push edi
:00406538 8BCE mov ecx, esi
:0040653A E824770500 call 0045DC63
:0040653F EB7A jmp 004065BB ; Jump away from the NAG
* Referenced by a Jump at Addresses:004064E7(C), :004064F0(C)
|
:00406541 8B45E0 mov eax, dword ptr [ebp-20]; Days left in
:00406544 FF761C push [esi+1C] EAX
:00406547 8D8E08010000 lea ecx, dword ptr [esi+00000108]
:0040654D 898664010000 mov dword ptr [esi+00000164], eax
:00406553 894DD8 mov dword ptr [ebp-28], ecx
:00406556 E87F1A0000 call 00407FDA
:0040655B 85C0 test eax, eax
:0040655D 7506 jne 00406565
:0040655F 218624010000 and dword ptr [esi+00000124], eax
* Referenced by a Jump at Address:0040655D(C)
|
:00406565 837DF000 cmp dword ptr [ebp-10], 0
:00406569 0F8581080000 jne 00406DF0
:0040656F 83BE2401000000 cmp dword ptr [esi+00000124], 0
:00406576 0F8474080000 je 00406DF0
:0040657C FF75E8 push [ebp-18]
:0040657F 8BCE mov ecx, esi
:00406581 68C81D4900 push 00491DC8 ; ->"MousePos"
:00406586 57 push edi
:00406587 E8D7760500 call 0045DC63
:0040658C FF75E0 push [ebp-20]
:0040658F 8BCE mov ecx, esi
:00406591 68401D4900 push 00491D40 ; ->"Days to expire"
:00406596 57 push edi
:00406597 E8C7760500 call 0045DC63
* Referenced by a Jump at Address:00406E19(C)
|
:0040659C 833D208C490000 cmp dword ptr [00498C20], 0 ; Flag
:004065A3 7516 jne 004065BB ; Jump away from the NAG
:004065A5 8B4DD8 mov ecx, dword ptr [ebp-28]
:004065A8 6A05 push 5 ;ID=5: "ULTRAEDT.MAC"
:004065AA E80CF10400 call 004556BB
:004065AF FFB624010000 push dword ptr [esi+00000124]
* Reference To: USER32.UpdateWindow, Ord:0251h | :004065B5 FF15EC0E4A00
Call dword ptr [004A0EEC] ; ** NAG Screen is drawn **
Easy doesn't it? The CALL at :004064DD decides whether both codes
(the one you typed and the valid code) are equal, according to this, EAX=1 if
both codes are equal, otherwise EAX=0. If EAX=1 the Registration flag is
set to 1. The instruction at :004064E9 is a second check. Lets snoop at the
code inside this CALL (:004054FB):
* Referenced by a CALL at Addresses:004064DD , :0042FD93 , :0042FDAB
|
:004054FB 55 push ebp
... ** Several instructions eliminated to save space **
* Referenced by a Jump at Address:004056A0(C)
|
:004056C2 85DB test ebx, ebx
:004056C4 743C je 00405702
:004056C6 8D45C0 lea eax, dword ptr [ebp-40]; Points to the
:004056C9 50 push eax valid code
:004056CA 8D4580 lea eax, dword ptr [ebp-80]; Points to
:004056CD 50 push eax your code
:004056CE E89D900300 call 0043E770
:004056D3 59 pop ecx
:004056D4 85C0 test eax, eax
:004056D6 59 pop ecx
:004056D7 741E je 004056F7
:004056D9 8D8540FFFFFF lea eax, dword ptr [ebp+FFFFFF40]
:004056DF 50 push eax
:004056E0 8D4580 lea eax, dword ptr [ebp-80]
:004056E3 50 push eax
:004056E4 E887900300 call 0043E770
:004056E9 59 pop ecx
:004056EA 85C0 test eax, eax
:004056EC 59 pop ecx
:004056ED 7408 je 004056F7
:004056EF 8935088D4900 mov dword ptr [00498D08], esi
:004056F5 EB0B jmp 00405702
* Referenced by a Jump at Addresses:004056D7(C), :004056ED(C)
|
:004056F7 8325088D490000 and dword ptr [00498D08], 0 ; Invalid code
Flag is set
* Referenced by a Jump at Addresses:004056B2(C), :004056C0(C)
|
:004056FE 8BC6 mov eax, esi
:00405700 EB02 jmp 00405704
* Referenced by a Jump at Addresses:00405525(C), :0040552E(C), :00405545(C),
:0040568E(C), :004056C4(C) :004056F5(U)
|
:00405702 33C0 xor eax, eax; Invalid code EAX=0
* Referenced by a Jump at Address:00405700(U)
|
:00405704 5F pop edi
:00405705 5E pop esi
:00405706 5B pop ebx
:00405707 C9 leave
:00405708 C3 ret
As you can see, the valid code is located at ebp-40 and your code at
ebp-80; all we need to do is point both locations to the valid code:
change:
:004056CA 8D4580 lea eax, dword ptr [ebp-80]
to:
:004056CA 8D45C0 lea eax, dword ptr [ebp-40]
This change will crack the scheme, because no matter what serial
number you type, the program will always point to the valid one. You
can type any serial number and it'll be accepted. Additionally, cracking at
this point will have several advantages; the program will create a key file
named uedit32.reg. If you erase this file (and uedit32.ini, because that
file contains the registration data too) the program will be unregistered
again, and you'll be able to create as many uedit32.reg files as you wish,
turning the protection scheme itself in a key generator.
To find out the valid code for your name, simply set a breakpoint at
CS:004056C9
and execute:
d ebp-40
Your valid code will be displayed in SoftICE's data window.
As you can see, the disassembled text doesn't help much to locate
the key points of the protection scheme. There are no useful sentences as
'Wrong Serial Code' or 'Your Serial code is invalid'. This is a good, if
elementary precaution.
There is further no obvius 45 (0x2Dh) days "evidence" in the main stream
of the code. Another good, if elementary, precaution.
All these implementations help to enforce a Serial Number based protection
scheme which, unfortunately for its more clever than the norm programmer,
is essentially weak given its own nature.
Aesculapius - August 1997
aesculapius@cryogen.com
aesculapius.home.ml.org
(c) Aesculapius 1997. All rights reserved
You are deep inside fravia's page of reverse engineering,
choose your way out:
project 1
homepage
links
anonymity
+ORC
students' essays
academy database
tools
cocktails
antismut CGI-scripts
search_forms
mail_fravia
Is reverse engineering illegal?