Chief Architect 97, v5.0 - Tutorial

Files available on request (requires DirectX).

I'm back once again, this time using ART's Chief Architect as my target. Chief uses a combination of a serial number and a dongle for its protection, although the implementation is somewhat dubious to say the least. Also, should you ever need to call upon ART's technical support, I only hope you have very deep pockets: at $2 per minute your problems are their profits.

The dongle being used is a Super Sentinel Pro; you'll note the installed file superpro.dll as being the manufacturer's dll. Interestingly, you can delete this file without any error messages from the program, which suggests that the dll isn't actually linked by the main program. Starting Chief gives rise to a nag box: legitimate users are supposed to insert their name, Serial No. and Password (obtained from ART) and then start the program without hassles (this crazy order of events negates the entire point of using a dongle!).

The serial number check itself is so trivial that anyone could bypass it and settle for clicking O.K. each time to accept a bad password. Use the standard bpx's (GetWindowTextA) and make your way to this code (remember to format your name in the correct style, i.e. CrackZ N. Cracker, and ensure your serial number has length < 3).

:00683261 MOVSX EAX, WORD PTR [006E3050] <-- trigger location.
:00683268 CMP EAX, 358 <-- The good result.
:0068326D JZ 006832A7 <-- Good_serial_number_jump.
:006832AD CALL USER32.EndDialog <-- Goodbye to the nag screen.

This check is so weak that many crackers would elect to patch it and put up with the nag box; evidently there isn't any real advantage in working through the password calculation routine because the ART code changes each time. Instead we'll focus our efforts on the dongle check. The dongle determines whether or not the nag screen is displayed, and for some strange reason ART decided that just a start-up check was sufficient: the dongle is never called whilst the program is actually running (how stupid is that?).

A bpio -h 378 rw works well, but prepare for some serious F12 work. You'll find the most convenient entry point at 006835BF; a disassembly listing will also help (note how many times this CALL is referenced).

:006835BA CALL 00683306 <-- Read dongle.
:006835BF ADD ESP,04 <-- Correct stack (SoftICE stops here).
:006835C2 MOV WORD PTR [EBP-04], AX <-- Use value of AX.
:006835C6 MOVSX ECX, WORD PTR [EBP-04] <-- Now retrieve it for ECX.
:006835CA CMP ECX,01 <-- Check it.
:006835CD JNZ 006835E1 <-- Jump_and_we'll_check_EBP-04_again.
:006835CF MOV WORD PTR [006DF5E0],0001 <-- Nice flag.

This single check is pitiful, and the only thought you might be having is how to patch it efficiently (use the address space of the JNZ). What's actually mildly interesting is tracing a little further on: the checking code that follows is diabolical. The programmer obviously thought he was making extra checks by swapping variable values, but under the ASM spotlight that isn't my analysis. You might like to observe what happens when this code fails; some information w.r.t. the API can be gleaned.

In fact, once the dongle check is patched there is worse to come. You would think a valid serial number might be checked for (even with a dongle connected); incredibly, the program doesn't care a damn. This protection is so weak I don't think I need comment any further upon it.


© 1998 CrackZ. 1st December 1998.