There is a crack, a crack in everything. That's how the light gets in. |
On installation an Iconman.ini file is created and placed in your C:\Windows directory.
Here's what is inside this ini file:-
[evaluation]
Start=2450976
CheckNum=733254
[config]
VersMajor=3
VersMinor=4
FrameWnd=-1,-1,508,364
BitmapTool=0
[mrulist]
MRUCount=0
On selecting the Register option you're asked to provide:-
Name:
Reg No:
The name box accepts up to 28 alphanumeric characters and the Reg code box accepts a maximum of 8 alphanumeric characters, but only the first four are ever used.
This program is not compacted or encrypted in any way.
Phew, sounds good, but what if, like me, you don't know enough assembler to work out how the reg key is created? What then? Well, I tried to see if the program ever stored the 'generated' keycode in memory by using lots and lots of Display Register / Memory location commands within Softice (example: D CX or D 1123:31AC) as I executed each line of Icon Manager's code, but despite many attempts I never did find it..:(
+Orc tells us again and again that there is always more than one way to approach a program's protection system, and it has to do with the way we think when it comes to finding that magical moment when the answer to our problem becomes clear to us.
So where was I going wrong? Well, if you've read my other essays so far, you will have seen that my cracks have, by and large, required very little understanding of assembler code, and so have concentrated on feeling my way around to the right JNZ or JZ jump instruction. Once found, I would then change it so that it always jumps to the routine that registers the program and not to the one that displays a message box saying something like 'This is an un-registered program....'.
But here I was, trying to follow what 'everyone' else does by trying to decode the regkey encryption code by hand, and it just wouldn't make sense no matter how hard I tried. Then it suddenly dawned on me: our entered User Name has to be processed TWICE by a program using this regkey system, once when you first enter your User Name in the Registration screen and a second time each time the program is run, in order to 'see' whether the program has been registered at some time. This program, like many Win 3.1 programs, stores the User Name and Regkey in an .INI file, usually in the C:\Windows directory. So when the program is run it has to read this ini file (which is just a simple text file), perform the check on the User Name, generate a valid Regkey and then compare this with the one in the ini file; if the two do not match it would probably say something like 'Invalid Registration No found' and thereafter proceed as an un-registered program. Likewise, if it finds no entry for the registration code in the ini file it will assume that it is still un-registered and again proceed as an un-registered program. For those that haven't yet seen the light, what I came up with was this:-
The window is closed, so let's try the back door instead...
Wouldn't it be easier to locate the routine that reads this ini file, using the system function GetPrivateProfileString, and change the JNZ instruction that decides whether the regkey is missing from the ini file so that it always jumps to the routine that accepts this 'missing Regkey', instead of automatically assuming you've not registered the program and therefore showing the nag screens to annoy the user each time the program is run? Now I don't need to decode the regkey routine, and I can once again look for the CMP-then-jump instructions without worrying about how the encryption of the regkey works! This method will work on almost all the Win 3.1 programs that use this protection system and requires just a basic knowledge of assembler and a sprinkling of Zen.
Back door was found and is open!...
Let's crack on..
As in the case of this program and many others, the nag screen pops up before the main program is allowed to execute properly, so the program has to check the ini file first in order to decide whether it has been registered or not.
Since this is a Win 3.1 program it knows nothing about the Registry used in Win'95, so it keeps our registered status for this program in a plain ASCII ini file. Let's examine what happens here in a little more detail so that you can see what we're looking for:-
1. When first run, the program looks for the Iconman.ini file in your C:\Windows directory.
1a. If not found, display an error message (.ini file not found etc.) then close down.
1b. If a User Name & Regkey are found, check to see if they both match by generating a Regkey in memory and comparing it with the one in the ini file. If it checks out OK then proceed as a fully registered program and skip over any nag screens.
1c. If no match, display the error message 'Invalid registration key etc.', then assume the role of an unregistered program and display nag screens to annoy the hell out of the User.
1d. If there is no User Name/Regkey entry in the ini file, assume it's not been registered.
Steps 1c and 1d lead to the program running as though it is unregistered, so it was these steps I decided to locate and neutralize.
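To make the four outcomes above concrete, here is an added Python model of this start-up check. It is not Icon Manager's code and not from the essay: it mirrors the flow the essay describes (RegName read with a GetPrivateProfileString-style lookup, Reg# with a GetPrivateProfileInt-style lookup, then one comparison), with a small ini parser written for the purpose. The real key routine is never decoded in the essay, so expected_code() is a labelled stand-in, and the sample ini text is constructed from the essay's file plus the [install] section that step 1 of the crack adds. The point for anyone shipping such a scheme is visible at the end of check_registration(): however the key is derived, the whole decision collapses to a single boolean.

```python
# Added example: a model of Icon Manager's start-up registration check
# (steps 1 to 1d above). Not the program's own code. The key routine is
# never decoded in the essay, so expected_code() is a labelled stand-in.
from enum import Enum


class Status(Enum):
    INI_MISSING = "ini file not found"        # step 1a
    UNREGISTERED = "no RegName/Reg# in ini"   # step 1d
    INVALID = "invalid registration key"      # step 1c
    REGISTERED = "registered"                 # step 1b


def parse_ini(text):
    """Minimal Win 3.1 style .ini reader: {section: {key: value}}.
    Section and key names are matched case-insensitively, as the
    profile-string API does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def get_private_profile_string(ini, section, key, default=""):
    """Mirrors GetPrivateProfileString: the default when section or key is absent."""
    return ini.get(section.lower(), {}).get(key.lower(), default)


def get_private_profile_int(ini, section, key, default=0):
    """Mirrors GetPrivateProfileInt: the default when absent or not a number."""
    raw = get_private_profile_string(ini, section, key, None)
    if raw is None:
        return default
    try:
        return int(raw)
    except ValueError:
        return default


def expected_code(name):
    """STAND-IN for the real routine (call 0002.1F22 / call 3082 in the
    listing), which the essay never decodes. Any deterministic function
    of the name serves the model."""
    return sum(ord(c) for c in name) % 10000


def check_registration(ini_text):
    """Return the Status the program would arrive at on start-up."""
    if ini_text is None:                       # step 1a: no Iconman.ini at all
        return Status.INI_MISSING
    ini = parse_ini(ini_text)
    # cmp byte ptr [3676],00 and or ax,ax in the listing: an empty name or a
    # zero Reg# both mean "never registered". The 28-char cap is the limit
    # the essay gives for the name box.
    name = get_private_profile_string(ini, "install", "RegName")[:28]
    code = get_private_profile_int(ini, "install", "Reg#")
    if name == "" or code == 0:
        return Status.UNREGISTERED             # step 1d
    # This is the whole decision: one comparison, one conditional jump
    # (je 31A9 in the listing). Everything else is plumbing.
    if expected_code(name) != code:
        return Status.INVALID                  # step 1c
    return Status.REGISTERED                   # step 1b


# Constructed sample: the essay's Iconman.ini plus the [install] section
# that step 1 of the crack adds.
SAMPLE_INI = """[evaluation]
Start=2450976
CheckNum=733254
[config]
VersMajor=3
VersMinor=4
[install]
RegName=The Sandman
Reg#=7777
"""

if __name__ == "__main__":
    print(check_registration(SAMPLE_INI))
```

With the stand-in key function, SAMPLE_INI lands in step 1c (INVALID), which is exactly the state the essay reaches at the end of its step 1; swapping the Reg# for whatever expected_code() returns for the same name is the only way to reach REGISTERED without touching the comparison itself.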
Before starting up Icon Manager I created a breakpoint in Softice using:
BPX getmessagebox
'Oldish' Win 3.1 programs, I've noticed, use this function quite a lot, and in this case it was the right choice to make. Selecting this system function meant that although I would return into Icon Manager's code only after the nag screen had been displayed, and therefore after that all-important cmp-then-jump instruction I'm after, it should at least still be close enough for me to scroll the code window up or down within Softice and see it quite easily. (That was my original plan..)
If you think about it, the process to crack this program takes the form of two steps:-
Step 1. Getting the program to save our dummy Reg Name & Reg Code in its INI file.
Run Icon Manager without creating any breakpoints in Softice. The program is now in its default un-registered mode.
Select File, then choose the option Register.
Type in your chosen Reg Name, then type in any 8-digit number you want.
Press Ctrl + D to enter Softice, then type: BPX messagebox and press X to leave Softice.
From within Icon Manager press the OK button.
Softice now breaks at the start of the system messagebox routine; don't worry if Softice says it's in the MessageBeep function, as it's part of the messagebox routine. At this point press the F11 key once, then click the OK button on the message box that says 'Invalid Registration Information'.
Softice should now break once more, but this time we're in the actual Icon Manager code, and it's here we must ask ourselves several questions about how we got where we are right now.
If we simply trace each step blindly from where we are by pressing F10, we will eventually find that the program is in fact scanning the keyboard for any letters or numbers we might want to type into the Regcode box, and we will also find ourselves lost in all of this code.
Why not scroll Softice's code window up and see what the previous code instructions were that brought us to this point in the program's code? You should see this set of code instructions.
** PLEASE, PLEASE TAKE THE TIME TO UNDERSTAND IT! START FROM THE BOTTOM THEN WORK YOUR WAY UP TO THE TOP **
* Possible Reference to String Resource ID=00005: "Unregistered"
:322D 6A05            push 0005
:322F 9AFFFF0000      call USER.GETDLGITEMTEXT
:3234 685E41          push 415E
:3237 9AA01F4632      call 0002.1FA0
:323C 5B              pop bx                  ; = Loc of our Regcode
:323D A34041          mov word ptr [4140], ax
:3240 687636          push 3676               ; = Loc of our Regname
:3243 9A221F8832      call 0002.1F22
:3248 5B              pop bx
:3249 3D0600          cmp ax, 0006
:324C 7641            jbe 328F                ; We don't jump from here.
:324E E831FE          call 3082
:3251 0BC0            or ax,ax
:3253 743A            je 328F                 ; If our Regcode is wrong then
                                              ; jump to 328F else continue on
                                              ; and save the Regname & Regcode
                                              ; to the Icon Manager's INI file.
:3255 1E              push ds
:3256 68DE00          push 00DE
:3259 1E              push ds
:325A 689E00          push 009E
:325D 1E              push ds
:325E 687636          push 3676
:3261 1E              push ds
:3262 68C600          push 00C6
:3265 9A7B320000      call KERNEL.WRITEPRIVATEPROFILESTRING   ; Save our Regname to the ini file.
:326A 1E              push ds
:326B 68DE00          push 00DE
:326E 1E              push ds
:326F 68A600          push 00A6
:3272 1E              push ds
:3273 685E41          push 415E
:3276 1E              push ds
:3277 68C600          push 00C6
:327A 9AFFFF0000      call KERNEL.WRITEPRIVATEPROFILESTRING   ; Save our Regcode to the ini file.
:327F C706DC000100    mov word ptr [00DC], 0001
:3285 9A14759231      call 0002.7514
:328A 56              push si
:328B 6A01            push 0001
:328D EB25            jmp 32B4                ; Your Reg details now saved.
There are TWO places where it jumps to the start of this routine, which then displays the 'Invalid Regcode Information' message box:
The first place is at 0001.324C(C)
The second place is at 0001.3253(C)
:328F 833EE43A00      cmp word ptr [3AE4], 0000
:3294 7407            je 329D                 ; Decide whether to give a beep or not.
:3296 6A10            push 0010
:3298 9AB3310000      call USER.MESSAGEBEEP
:329D 56              push si
:329E 1E              push ds
:329F 687E0E          push 0E7E
:32A2 6A00            push 0000
:32A4 6A00            push 0000
:32A6 6A10            push 0010
:32A8 9AC6310000      call USER.MESSAGEBOX
:32AD EB0A            jmp 32B9                ; Softice first returns here.
Looking and feeling our way through the code very carefully, we can see that the program jumps to 0001.328F (the 'Sorry, invalid registration No' routine) at line:
:3253 743A je 328F
You can test this out by double-clicking on this line while still in Softice to set a breakpoint on it, then typing bd 00 to disable our original breakpoint on the Messagebox routine and re-trying to enter our fake registration details. Softice will once again break on our new breakpoint, and if you press the F10 key you will once more be in the routine that deals with the 'Sorry, Invalid Registration No' error message. But wait a minute: what would happen if, instead of jumping to a different part of Icon Manager's code, we were to continue into the next line?.. Let's find out..
Exit out of Softice by typing X, then click on the OK button once you have your fake registration details entered into its registration screen and, wham, you should now have landed once again here:-
:3253 743A je 328F
From here type into Softice: r eip=3255, which tells Softice to ignore the instruction to jump and start on the next line down:-
:3255 1E push ds
At this point press X while still in Softice and our fake registration details will be saved to Icon Manager's .ini file just as though they were the correct details.
That's step one completed.. Please now edit C:\Windows\iconman.ini and make sure you have this extra section in your ini file:-
[install]
RegName=The Sandman
Reg#=7777
Your RegName & Reg# will be different to mine, but you must have this [install] section in your ini file to complete the next step of the crack. If you don't, then simply edit this ini file and make one up of your own as shown above, but use a different RegName & Reg# to the ones I've used here.
If you try and run Icon Manager it will inform you that the Registration No we have just created is invalid. We know; we're going to fix this right now..:)
Step 2. The final step to our crack; it's plain sailing from here onwards...
Press Ctrl + D and within Softice type BC * to clear away our old breakpoints, then type: BPX getprivateprofilestring. We're going to get Softice to break on the first occasion that Icon Manager looks for our fake registration name and key.
Now start up Icon Manager and, before anything is shown on the screen, Softice will break at the start of the system function getprivateprofilestring. Press F11 once to get back into Icon Manager's main code. Again, study this routine well if you are to understand why it's important to crack the program here and nowhere else if our fake registration details are to be accepted.
:30FC 56              push si
:30FD 1E              push ds
:30FE 68DE00          push 00DE
:3101 1E              push ds
:3102 689E00          push 009E
:3105 1E              push ds
:3106 68520E          push 0E52
:3109 1E              push ds
:310A 687636          push 3676
:310D 6A28            push 0028
:310F 1E              push ds
:3110 68C600          push 00C6
:3113 9A36310000      call KERNEL.GETPRIVATEPROFILESTRING
:3118 803E763600      cmp byte ptr [3676], 00 ; We land here
:311D 751B            jne 313A
:311F 1E              push ds
:3120 687A01          push 017A
:3123 1E              push ds
:3124 689E00          push 009E
:3127 1E              push ds
:3128 68520E          push 0E52
:312B 1E              push ds
:312C 687636          push 3676               ; Our Regname gets stored here.
:312F 6A28            push 0028
:3131 1E              push ds
:3132 68C600          push 00C6
:3135 9AFFFF0000      call KERNEL.GETPRIVATEPROFILESTRING
:313A 1E              push ds
:313B 687636          push 3676               ; Check length of our Regname
:313E 9A47140000      call KERNEL.LSTRLEN
:3143 8BF0            mov si, ax
:3145 EB06            jmp 314D
:3147 C684763600      mov byte ptr [si+3676], 00
:314C 46              inc si
:314D 83FE28          cmp si,0028             ; Max 28 chars for our Regname
:3150 7CF5            jl 3147
:3152 803E763600      cmp byte ptr [3676], 00
:3157 7471            je 31CA
:3159 1E              push ds
:315A 68DE00          push 00DE
:315D 1E              push ds
:315E 68A600          push 00A6
:3161 6A00            push 0000
:3163 1E              push ds
:3164 68C600          push 00C6
                                              ; Now let's get our fake Regcode from the ini file and process it.
:3167 9A81310000      call KERNEL.GETPRIVATEPROFILEINT
:316C A34041          mov word ptr [4140], ax
:316F 0BC0            or ax, ax
:3171 7515            jne 3188
:3173 1E              push ds
:3174 687A01          push 017A
:3177 1E              push ds
:3178 68A600          push 00A6
:317B 50              push ax
:317C 1E              push ds
:317D 68C600          push 00C6
:3180 9AFFFF0000      call KERNEL.GETPRIVATEPROFILEINT
:3185 A34041          mov word ptr [4140], ax
:3188 0BC0            or ax, ax
:318A 743E            je 31CA
:318C 687636          push 3676
:318F 9A221F2B30      call 0002.1F22          ; Work out real regcode
:3194 5B              pop bx
:3195 3D0600          cmp ax, 0006
:3198 760F            jbe 31A9
:319A E8E5FE          call 3082
:319D 0BC0            or ax, ax
:319F 7408            je 31A9                 ; if 'real' regcode <> fake
                                              ; regcode then jump to 31A9 and
                                              ; say 'Invalid Registration
                                              ; Information' else proceed onto
                                              ; the next instruction below.
:0001.31A1 C706DC000100  mov word ptr [00DC], 0001
:0001.31A7 5E            pop si
:0001.31A8 CB            retf
In order to finally *crack* the program all we need to do is replace:-
:319F 7408 je 31A9
with:-
:319F Nop
:31A0 Nop
Job Done.....
SEARCH FOR BYTES: 76 0F E8 E5 FE 0B C0 74 08
THEN REPLACE WITH: 76 0F E8 E5 FE 0B C0 90 90
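From the other side of the fence: a vendor or incident responder who wants to know whether a shipped binary has had exactly this kind of branch NOP-ed out can look for it. The following Python is an added example, not from the essay. It takes the two byte sequences from the listing above, builds a small constructed stand-in image, classifies each occurrence of the sequence as intact, patched or unknown, and pairs that with a whole-file hash comparison against a known-good digest. It only reads and reports; it does not modify anything.

```python
# Added example (not part of the essay): a tamper check for the branch the
# essay patches. Both byte strings come from the listing above; the sample
# "binary" images are constructed. This only reads and classifies.
import hashlib

ORIGINAL = bytes.fromhex("760FE8E5FE0BC07408")  # jbe / call / or ax,ax / je 31A9
PATCHED = bytes.fromhex("760FE8E5FE0BC09090")   # same, with je replaced by nop nop
PREFIX = ORIGINAL[:-2]                          # identical in both variants
TAIL_LEN = 2                                    # the two bytes that differ


def find_all(data, pattern):
    """Every offset at which pattern occurs in data (overlaps allowed)."""
    offsets, start = [], 0
    while True:
        i = data.find(pattern, start)
        if i == -1:
            return offsets
        offsets.append(i)
        start = i + 1


def classify_branches(data):
    """For each occurrence of the prefix, report whether the conditional
    jump that follows it is intact, NOP-ed out, or something unexpected."""
    verdicts = []
    for off in find_all(data, PREFIX):
        tail = data[off + len(PREFIX): off + len(PREFIX) + TAIL_LEN]
        if tail == ORIGINAL[-TAIL_LEN:]:
            verdicts.append((off, "intact"))
        elif tail == PATCHED[-TAIL_LEN:]:
            verdicts.append((off, "patched"))
        else:
            verdicts.append((off, "unknown"))
    return verdicts


def is_tampered(data, known_sha256):
    """Whole-image check: the cheap complement to the pattern scan.
    known_sha256 is the hex digest of the file as shipped."""
    return hashlib.sha256(data).hexdigest() != known_sha256


# Constructed stand-in images: 16 bytes of padding, the code sequence, 8 more bytes.
CLEAN_IMAGE = b"\x00" * 16 + ORIGINAL + b"\xCC" * 8
PATCHED_IMAGE = b"\x00" * 16 + PATCHED + b"\xCC" * 8
CLEAN_DIGEST = hashlib.sha256(CLEAN_IMAGE).hexdigest()

if __name__ == "__main__":
    print(classify_branches(CLEAN_IMAGE), is_tampered(CLEAN_IMAGE, CLEAN_DIGEST))
    print(classify_branches(PATCHED_IMAGE), is_tampered(PATCHED_IMAGE, CLEAN_DIGEST))
```

The hash tells you that something changed; the pattern scan tells you what. Either one alone would have flagged the two-byte edit this essay ends with, which is the practical lesson for anyone relying on a single conditional jump to guard a feature.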
If you can't get into a program through the obvious way, try looking for less guarded routes, such as the one shown in this essay.
My thanks and gratitude go to:
Fravia+ for providing possibly the greatest source of Reverse Engineering knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.