Aug 1998
"Calypso V2.40.41"
( 'Exploiting a program Bug'  )
Win '95 PROGRAM
Win Code Reversing
 
 
by The Sandman 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: calypso.exe
Program Type: Multi Email Utility
Program Location: Here 
Program Size: 3.3 MB 
 
    
Tools Used:
Softice V3.23 - Win'95 Debugger
W32Dasm V8.9 - Win'95 Disassembler
 
Rating
Easy ( X  )  Medium (   )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
   
 
Calypso V2.40.41
( 'Exploiting a program Bug'  )
Written by The Sandman
 
 
 
Introduction
 
The author(s) of Calypso say:-
 
"Calypso makes handling multiple e-mail accounts easy.

Calypso organizes e-mail accounts, messages, and information into a collection of folders called a mailbox. You can create more than one mailbox, each with its own password, to allow different users to share the same computer. Each mailbox can manage multiple e-mail accounts, and you can have more than one mailbox open at a time."
 
About this protection system
 
The protection system in this program relies on you entering a valid serial number (the program refers to this serial number as the 'Activation Code').
 
You can access the 'Registration Screen' by selecting the Help menu option then choosing the 'About Calypso' sub menu option. From here click once on the 'Change Activation Code' button.

When you do this you will notice that the program ONLY requires a serial number from you. This tells us that the actual serial number is NOT based on our User details such as our Name/handle; it's a single, generic registration code.

The program creates a number of entries in your System Registry file; the one we are interested in can be found right here:-

HKEY_LOCAL_MACHINE\SOFTWARE\MCS\Calypso

ActivationCode    = "279FQBZ9SERUR6D4Z5LR"  ;Encrypted Install Date?
BrandName         = "The Sandman"
BrandOrganization = "-"
Language          = "USA"
LoadTraymon       = 01h
RegDone           = 01h
 
The installation date for this program is stored, encrypted, in the actual default ActivationCode. I'm not 100% certain of this, but from the tests I've done on this ActivationCode it seems highly likely that I'm correct.
 
The Essay 
     
As far as I'm aware, the 'bug' I found has not been documented anywhere on the web, in which case you're reading it here FIRST before anyone else discovers it!
 
There's a good chance that this 'bug' will also be present in any future versions of Calypso... until, that is, they find it too..:)

By the time I started looking at Calypso with a view to writing an Essay on it I found someone else had beaten me to it!  However, all was not lost: after reading this other tutorial on Calypso I found that it does not explain how to crack this program; instead it describes three undocumented features of this program which I recommend you all read.  Rather than duplicate work already done I suggest you go HERE and read this other tutorial, written by a +Cracker called +MaLaTTiA.
 
Right, back to this essay...

The first thing I recommend is to create a dead listing of Calypso. The main code is found in calypso.exe, so create a dead listing from this.  If you check the directory where this program resides you'll notice a whole bunch of .DLL files; just thought I would mention this.

Checking the program's String Data Resources you'll see *most* of the shareware messages used within this program. I say *most* because some are not shown: I refer to the shareware messages shown on startup when your 30 day evaluation period runs out; perhaps these are stored in a .DLL file..:).  You can see this message box for yourself if you change your pc's date so that it's more than 30 days ahead of your present date.
 
I originally began my crack using the Softice bpx messageboxa command on the error message generated when you get the Activation Code wrong, but I quickly found out that the routine that handles these messages is ALSO used throughout the whole program. This means the message to be displayed is created elsewhere within the program's code and, once created, it comes to this routine that I've just bpx'd on to be displayed. My initial attempts to backtrack through the code failed; it snakes in and out of conditional jumps like there's no tomorrow, so it was time for plan 'B'.

Plan 'B' was to create a new breakpoint using Softice so that it would break on the system function GetLocalTime.  The idea was that the program had to FIRST check the current time in order to determine whether or not the User's evaluation period had ended. The program makes two calls to this system function before it displays the Nag screen.
 
After tracing through the program's code, reversing conditional jumps as I went along and causing many General Protection Faults, I decided to try plan 'C'..

Plan 'C' was based on this idea.  The program had to store its day counter somewhere safe; as a rule this would be either in your System registry file or, in some cases, in an innocent-looking file stored in your C:\Windows directory.
 
Filemon didn't show anything out of the ordinary, and Regmon didn't tell me anything new either.  However, some programs use the default registration code inserted in your System Registry file as an encrypted form of the install date. The way this method works is like this.

On installation the program accesses your pc's clock, encrypts THIS date and inserts it into your system registry file; the program will call this encrypted date your Installation or product key.  Now, when you run the program it reads this encrypted date and is then able to calculate how many days you have used this program just by checking the current date your pc is set to.
 
After locating where the default activation key was:-

HKEY_LOCAL_MACHINE\SOFTWARE\MCS\Calypso

ActivationCode    = "279FQBZ9SERUR6D4Z5LR"  ;Encrypted Install Date?
 
 

I accidentally deleted it, so rather than make up a random one of my own I left it empty, thinking the program would put it back for me when it noticed it was empty!

HKEY_LOCAL_MACHINE\SOFTWARE\MCS\Calypso

ActivationCode    = ""

Whoa, what!  Running the program again produces No expire notice; it runs straight into the main program menu!  Quickly checking the 'About' screen shows that I am now the *Registered* owner of Calypso!  No, it can't be true, I found a bug in this great software!..

Checking my System registry file using RegEdit I now see these entries..
 
HKEY_LOCAL_MACHINE\SOFTWARE\MCS\Calypso

ActivationCode    = "3C7RPAX69WFYLZPHHX2V"  <--The *REAL* Serial Code!
BrandName         = "The Sandman"
BrandOrganization = "-"
Language          = "USA"
LoadTraymon       = 01h
RegDone           = 01h
 
heheh, it seems this program cannot understand how to handle an empty ActivationCode entry: it expects some sort of code but finds nothing. Why the program then decides to place the *real* ActivationCode in the System Registry file, instead of generating an error message or just assuming that the code is invalid, I haven't a clue...

Incidentally, this also works if you delete the whole key:-

[HKEY_LOCAL_MACHINE\SOFTWARE\MCS\Calypso] and all the settings contained within it.  The program will re-generate these for you..:)

So here you have possibly one of the first programs you can register without requiring any patches or serial sniffing.
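To make the failure mode concrete, here is a small Python model, added here and not Calypso's own code, of the two ideas above: an install date kept in the registry as an authenticated "activation code" (the scheme from the Plan 'C' discussion), and a registration check that lets an empty or missing ActivationCode fall through to "registered", placed beside a fail-closed version that decides the absence case first. The code format, the VENDOR_KEY, the FULL_SERIAL value and the plain dict standing in for HKEY_LOCAL_MACHINE\SOFTWARE\MCS\Calypso are all constructed assumptions; nothing here is Calypso's real format.

```python
# Added example, not Calypso's code. Models a trial period seeded from an
# encrypted install date in the registry, and shows why an activation check
# must fail CLOSED when that value is missing or empty.
# Constructed assumptions: the code format, VENDOR_KEY, FULL_SERIAL, and a
# dict standing in for the HKEY_LOCAL_MACHINE\SOFTWARE\MCS\Calypso key.
from datetime import date
import hashlib
import hmac

TRIAL_DAYS = 30
VENDOR_KEY = b"constructed-vendor-key"   # would live inside the binary
# Constructed 'real' serial: the tag of a fixed string under the vendor key.
FULL_SERIAL = hmac.new(VENDOR_KEY, b"full-license",
                       hashlib.sha256).hexdigest()[:20].upper()


def _tag(msg: str) -> str:
    return hmac.new(VENDOR_KEY, msg.encode(), hashlib.sha256).hexdigest()[:16]


def encode_install_date(install: date) -> str:
    """Default ActivationCode written at install time: the ISO date plus an
    authentication tag, so that editing the date field alone is detected."""
    iso = install.isoformat()
    return f"{iso}:{_tag(iso)}"


def decode_install_date(code: str):
    """Recover the install date from a trial code, or None when the code is
    not a well-formed, untampered trial code."""
    try:
        iso, tag = code.split(":", 1)
        install = date.fromisoformat(iso)
    except ValueError:                 # no ':' separator, or not a date
        return None
    if not hmac.compare_digest(tag.encode(), _tag(iso).encode()):
        return None                    # date field was edited
    return install


def is_valid_serial(code: str) -> bool:
    return hmac.compare_digest(code.encode(), FULL_SERIAL.encode())


def check_fail_open(registry: dict, today: date) -> str:
    """The shape of bug the essay describes: every branch that could reject
    the code is guarded on the code being present, so an empty or missing
    ActivationCode falls through to the 'registered' path."""
    code = registry.get("ActivationCode", "")
    install = decode_install_date(code)
    if install is not None:
        return "expired" if (today - install).days > TRIAL_DAYS else "trial"
    if code and not is_valid_serial(code):
        return "invalid"
    return "registered"   # reached by a valid serial... and by "" or no value


def check_fail_closed(registry: dict, today: date) -> str:
    """Hardened form: absence of a code is decided first, and it decides
    against the caller. Whether to then re-seed a fresh trial code is a
    separate policy choice; this check never grants 'registered' for it."""
    code = registry.get("ActivationCode")
    if not code:
        return "invalid"
    if is_valid_serial(code):
        return "registered"
    install = decode_install_date(code)
    if install is None:
        return "invalid"
    return "expired" if (today - install).days > TRIAL_DAYS else "trial"


if __name__ == "__main__":
    today = date(1998, 8, 30)
    for reg in ({"ActivationCode": encode_install_date(date(1998, 8, 1))},
                {"ActivationCode": encode_install_date(date(1998, 6, 1))},
                {"ActivationCode": ""},
                {},
                {"ActivationCode": FULL_SERIAL}):
        shown = reg.get("ActivationCode", "<absent>")[:24].ljust(26)
        print(shown, check_fail_open(reg, today).ljust(11),
              check_fail_closed(reg, today))
```

Both versions reject a code whose date field has been edited, because the tag no longer verifies; the only thing that separates them is the order of the checks. Putting "is there a code at all?" first, and answering it with a refusal, is the whole fix, and it is the check to look for when reviewing any licence or trial logic that reads its state from a location the user can edit.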
 

Job Done...(Anyone care to show how this program can be patched?)
 
The Crack
     
None required.
 

If you intend on using this program beyond its evaluation period then please BUY IT!
 
Final Notes 
    
Overall this program is well worth registering legally, and that means paying for it. It's slick and does its job admirably.  As for its protection system, I would say it's quite good; there are lots of twists & turns to follow through, and it will be interesting to see you write up a tutorial on how this babe can be patched or have its REAL serial number sniffed out.
 
My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses are encouraged to produce even *better* software for us to use and enjoy?

Ripping off software through serials and cracks is for lamers..
 
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 

Essay by:          The Sandman
Page Created: 30th August 1998
Last Updated: 2/10/2023, 7:57:24 PM