June 1998
"Frame-It V1.23"
( 'Hiding the registration details' )
Win '95 PROGRAM
Win Code Reversing
 
 
by The Sandman 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: fit11232.zip
Program Type: WebPage Frame Maker
Program Location: Here
Program Size: 337K 
 
   
Tools Used:
 Softice V3.2 - Win'95 Debugger
Regmon - Registry Entry tracker
W32Dasm V8.9 - Win'95 Disassembler
Rating
Easy ( X )  Medium ( X  )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
Frame-It V1.23
( 'Hiding the registration details'  )
Written by The Sandman
 
 
 
Introduction
 
The author says about Frame-It:

"The easy to use, fast, resource friendly HTML Frame generator.
Frame-IT! is a feature-packed HTML frame generator, which allows you to generate complex and impressive HTML frames, using only your mouse. Within a few minutes of starting the program you will have developed and tested a complex frames document."
 
About this protection system
 
You are given just 14 days to evaluate this program before it expires; after that period every subsequent run produces the registration screen.

To enter the registration screen you will need to select the 'Help' menu then choose the 'Register' option. You will be asked for the following information.

Name:
Company (Optional):
Registration Code:
 
The protection system employed in this program, while not unique, is very interesting for all newbies to study and learn from. Here's how it works...
 
When you first run this program it creates a file called fi32110.dll in your C:\Windows\System directory.

Filename: fi32110.dll
File Size: 272 bytes

Contents of fi32110.dll

00000000 FF000000 00000000 E090E140 20000000 ...........@ ...
00000010 00000000 00000000 00000000 00000000 ................
00000020 00000000 00000000 00000000 00000000 ................
00000030 00000000 00000000 00000000 00000000 ................
00000040 00000000 00000000 00000000 00000000 ................
00000050 00000000 00000000 00000000 00000000 ................
00000060 00000000 00000000 00000000 00000000 ................
00000070 00000000 00000000 00000000 00000000 ................
00000080 00000000 00000000 00000000 00000000 ................
00000090 00000000 00000000 00000000 00000000 ................
000000A0 00000000 00000000 00000000 00000000 ................
000000B0 00000000 00000000 00000000 00000000 ................
000000C0 00000000 00000000 00000000 00000000 ................
000000D0 00000000 00000000 00000000 00000000 ................
000000E0 00000000 00000000 00000000 00000000 ................
000000F0 00000000 00000000 00000000 00000000 ................
00000100 00000000 00000000 00000000 00000000 ................

The 'Shareware/Registered' status byte is stored at offset 00000000
FF=Not Registered - Default value
00=Gives you 99 Days evaluation period!
01=Signals that the program has been registered!

Your 14 day counter is stored at offset: 00000008 to 00000011

When you register the program then here's what the SAME file looks like!

00000000 01000100 8902CB8E 1791E140 200B5468 ...........@ .Th
00000010 65205361 6E646D61 6E01A701 4401A801 e Sandman...D...
00000020 70850176 4704AE05 EE050100 0000B885 p..vG...........
00000030 E711AE05 0455C75E 2B5B315B 8A854517 .....U.^+[1[..E.
00000040 5EF80A00 43104310 BF17E711 24860000 ^...C.C.....$...
00000050 06000A00 EE050200 EE050200 E085A885 ................
00000060 2C530600 24864701 C085661D 3F01B485 ,S..$.G...f.?...
00000070 E711B885 E711BC85 E711D8EF B4590200 .............Y..
00000080 9001F6BF D4850E0F E7170000 00000000 ................
00000090 00001502 E8090600 00002486 0000FF16 ..........$.....
000000A0 F0858103 E7170100 00000000 00000000 ................
000000B0 1502B459 02002E10 BF178603 24862335 ...Y........$.#5
000000C0 1F170100 00000000 00000000 1502E809 ................
000000D0 2E10BF17 E8091502 00000000 00000000 ................
000000E0 00000000 02002AC0 00000500 182C1F17 ......*......,..
000000F0 D615F7BF 4F010000 34F66E00 57010000 ....O...4.n.W...
00000100 4416F7BF 15020000 E0F66E00 0424C200 D.........n..$..

I have no idea what the rest of the 272 bytes signify, because if you open fi32110.dll just after it has been created and change the FIRST byte (FFh) to 01h, the program runs as a fully registered program thereafter and shows no sign of instability despite the rest of fi32110.dll being empty. The only difference is that it doesn't show your name/handle in the 'About' screen, but it does still show the message 'REGISTERED' instead of 'SHAREWARE'.
 
One last thing: deleting the fi32110.dll file resets the 14 day trial counter back to 14 days again. If you wish to re-register the program for whatever reason then, again, just delete this file.
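As an added example (not part of the essay), here is the check an analyst would run on a "DLL" like this: a real Win32 module starts with the 'MZ' DOS header, so a .dll file without it is a data file in disguise. The decoder uses only the two fields the essay documents (status byte at offset 0, counter at offsets 8..11); the sample bytes are constructed from the first line of each hex dump above, and `find_disguised_dlls` is a hypothetical helper name.

```python
"""Added example: spot data files disguised as DLLs and decode the fields the
essay documents in Frame-It's fi32110.dll state file. Offsets and status values
come from the essay; the sample blobs below are constructed from its dumps."""

STATUS_OFFSET = 0        # essay: 'Shareware/Registered' status byte at offset 0
COUNTER_OFFSET = 8       # essay: 14 day counter stored at offsets 8..11 (4 bytes)
STATUS_NAMES = {
    0xFF: "not registered (default)",
    0x00: "99-day evaluation",
    0x01: "registered",
}


def is_pe_module(data: bytes) -> bool:
    """A genuine DLL/EXE begins with the 'MZ' DOS stub signature."""
    return len(data) >= 2 and data[:2] == b"MZ"


def decode_state_file(data: bytes) -> dict:
    """Return the documented fields of a fi32110.dll-style state file.

    The counter is returned as raw hex because the essay does not decode it."""
    if len(data) < COUNTER_OFFSET + 4:
        raise ValueError("file too short to hold the documented fields")
    status = data[STATUS_OFFSET]
    return {
        "disguised": not is_pe_module(data),
        "status_byte": status,
        "status": STATUS_NAMES.get(status, "unknown"),
        "counter_hex": data[COUNTER_OFFSET:COUNTER_OFFSET + 4].hex().upper(),
    }


def find_disguised_dlls(files: dict) -> list:
    """Given {filename: contents}, list .dll names that lack a PE/MZ header.
    (hypothetical helper; a sweep over C:\\Windows\\System would feed it)"""
    return sorted(name for name, blob in files.items()
                  if name.lower().endswith(".dll") and not is_pe_module(blob))


# Constructed: first 16 bytes of the essay's 'just created' dump, zero-padded to 272.
FRESH_FILE = bytes.fromhex("FF00000000000000E090E14020000000") + bytes(272 - 16)
# Constructed: first 16 bytes of the essay's registered dump.
REGISTERED_HEAD = bytes.fromhex("010001008902CB8E1791E140200B5468")

if __name__ == "__main__":
    for label, blob in (("fresh", FRESH_FILE), ("registered", REGISTERED_HEAD)):
        print(label, decode_state_file(blob))
    print(find_disguised_dlls({"fi32110.dll": FRESH_FILE, "real.dll": b"MZ" + bytes(270)}))
```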
 
The Essay 
     
 This is an interesting crack, even more so when you actually work out how the protection system works.  Remember, we're not just *cracking* a program, we're also learning as we go along.
 
While our tools are helpful, don't always rely on them. I used Regmon to try and track where the program was storing the counter and, later, where my registration details were stored, and it failed to find them! It was just by chance that I saw something in the program's String Data Resources that gave me the clue I needed, but full marks to the programmers for using an innocent *looking* file disguised as a DLL file! It *almost* got me!!
 
Regmon is a GUI/device driver combination that together monitor and display all Registry activity on a system. It has advanced filtering and search capabilities that make it a powerful tool for exploring the way Windows 95 works, seeing how applications use the Registry, or tracking down problems in system or application configurations.
 
The first thing I did before running Frame-It was to start up Regmon; I wanted to see where it was storing the 'counter', which I assumed was located in the System Registry File. Here's what Regmon told me..
 
0 Frameit OpenKey HKCU\Control Panel\Desktop SUCCESS hKey: 0xC11B31C4
1 Frameit QueryValueEx HKCU\Control Panel\Desktop\SmoothScroll NOTFOUND
2 Frameit CloseKey HKCU\Control Panel\Desktop SUCCESS
3 Frameit OpenKey HKCU\Control Panel\Mouse NOTFOUND
4 Frameit OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion SUCCESS hKey: 0xC11B31C4
5 Frameit QueryValueEx HKLM\Software\Microsoft\Windows\CurrentVersion\SubVersionNumber SUCCESS 2042 0
6 Frameit CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion SUCCESS
7 Frameit OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion SUCCESS hKey: 0xC11B31C4
8 Frameit QueryValueEx HKLM\Software\Microsoft\Windows\CurrentVersion\SubVersionNumber SUCCESS 2042 0
9 Frameit CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion SUCCESS
10 Frameit OpenKey HKCR\ClsID SUCCESS hKey: 0xC11B2BF0
11 Frameit OpenKey HKCR\AppID SUCCESS hKey: 0xC1193020
12 Frameit OpenKey HKLM\SOFTWARE\Microsoft\OLE SUCCESS hKey: 0xC11849C0
13 Frameit QueryValueEx HKLM\SOFTWARE\Microsoft\OLE\EnableDCOM SUCCESS "Y"
14 Frameit QueryValueEx HKLM\SOFTWARE\Microsoft\OLE\EnableRemoteLaunch NOTFOUND
15 Frameit QueryValueEx HKLM\SOFTWARE\Microsoft\OLE\EnableRemoteConnect SUCCESS "N"
16 Frameit QueryValueEx 0xC4F32464\C:\FITIT\frameit.ini NOTFOUND
 
At this point I decided to leave the search for the location of the program's 14 day 'counter' and take a peek at its source code instead.

Run up W32Dasm and take a look at its String Data Resources; make notes on what you see, you never know how useful notes are until you need them!
 
Right, if you've already tried to register this program then you'll know that the program uses the text "Invalid Registration Code" each time you get it wrong, so let's start from there.. While still in W32Dasm, search for the text "Invalid Registration Code".

You'll be taken here..
 
* Referenced by a (C)onditional Jump at Address: :004509FE(C)
 
:00450A64 837DF400                cmp dword ptr [ebp-0C], 00000000
:00450A68 7504                    jne 00450A6E ;Jumps to 'beggar off
                                               ;cracker' routine.
:00450A6A 3BDF                    cmp ebx, edi
:00450A6C 740F                    je 00450A7D  ;Jumps to our 'Good Guy'
                                               ;Routine!

*The Beggar Off Cracker* Routine..

* Possible StringData Ref from Code Obj ->"Invalid Registration Code"
 
:00450A6E B8500C4500              mov eax, 00450C50
:00450A73 E89C38FEFF              call 00434314
:00450A78 E9D1000000              jmp 00450B4E

If you try and search for any other instances of this text then you'll find there aren't any, so we can safely start back-tracking from this point until we find where the program decides that our serial number was incorrect.
 
There is just one conditional jump into our 'Beggar off cracker' routine; W32Dasm tells us that it is reached from memory offset 00450A68, which lies in the routine directly above our 'Beggar off cracker' routine. Look closely at this routine....
 
* Referenced by a (C)onditional Jump at Address: :004509FE(C)
 
:00450A64 837DF400                cmp dword ptr [ebp-0C], 00000000
:00450A68 7504                    jne 00450A6E ;Jumps to 'beggar off
                                               ;cracker' routine.
:00450A6A 3BDF                    cmp ebx, edi
:00450A6C 740F                    je 00450A7D  ;Jumps to our 'Good Guy'
                                               ;Routine!

There are TWO checks performed by the program, both of which could take us into our 'Beggar off cracker' routine, and each is governed by its own cmp instruction. The first cmp instruction triggers the jne 00450A6E jump if the memory location pointed to by [ebp-0C] is found to contain '0's; the second cmp instruction (if the second check fails) 'unsets' the je 00450A7D jump so that it does NOT jump and the program 'falls in' to our 'Beggar off cracker' routine.
 
It is clear then that if we change and re-direct the FIRST jump instruction (jne 00450A6E) so that it ALWAYS jumps to our 'Good Guy' routine instead of, as at present, to the 'Beggar off cracker' routine, we can skip the second check the program performs and go straight into the Good Guy Routine.

So here it is, the BEFORE:
 
:00450A64 837DF400                cmp dword ptr [ebp-0C], 00000000
:00450A68 7504                    jne 00450A6E ;Jumps to 'beggar off
                                               ;cracker' routine.
:00450A6A 3BDF                    cmp ebx, edi
:00450A6C 740F                    je 00450A7D  ;Jumps to our 'Good Guy'
                                               ;Routine!
 
and the AFTER:-
 
:00450A64 837DF400                cmp dword ptr [ebp-0C], 00000000
:00450A68 EB13                    jmp 00450A7D ;Jumps directly to the
                                               ;'good Guy' routine.
:00450A6A 3BDF                    cmp ebx, edi
:00450A6C 740F                    je 00450A7D  ;Jumps to our 'Good Guy'
                                               ;Routine!

Once the program has been 'patched' it will accept any serial number you give it..
 
One final loose end to tie up before this essay is finished... How did I find out about the fi32110.dll file and its association with this program?
 
Well, after re-checking the String Data Resources in W32Dasm, looking for any mention of System Registry entries that this program might use, I saw this: "\fi32110.dll". After checking the list of 'Imported Modules' for Frame-It (found near the top of your dead listing) I saw that it didn't mention this .DLL file at all, which was odd.

So this prompted me to find the file (I used File Manager and searched the whole hard disk) and see what was inside. When I saw my handle (The Sandman) that I used to register this program with I knew at once what the program was doing and how.
 
From here I poked around with some of the bytes within it and later moved it somewhere the program couldn't get at it (the Trash Can), noting down what Frame-It did once it couldn't find it. If you look in the downloaded .ZIP file for this program, fi32110.DLL isn't included there either, so it had to be created by the program itself!
 
Job Done.
 
The Crack 
     
Load up frameit.exe into your favorite hex editor then:-
 
SEARCH FOR THE FOLLOWING BYTES: 837DF40075043B
THEN REPLACE HIGHLIGHTED BYTES: 837DF400EB133B
Final Notes 
 
It was dead easy to patch this file, but finding out where it stored the 14 day trial counter was a bit of a pain. Had the programmers made the program as difficult to 'patch' as they made the 'counter' to find, I'm sure this essay wouldn't have been written until a much later date..

My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems.
 
If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 


Essay by:          The Sandman
Page Created: 21st June 1998