progcor
Programmer's corner

An incredibly stupid "commercial" Protection
06 September 1998

by LSD
(slightly edited by fravia+)


Courtesy of fravia's pages of reverse engineering

**Title: An incredibly stupid "commercial" Protection: 
         (4 Very Stupid Programmers)

**SubTitle: Another Ready-Made Protection Suck!
**Writer  : Lsd     Email: LSD-LSD.USA.NET

**INTRODUCTION:
Plz, excuse my very bad English 'coz i'm an Italian boy (da Cesenatico 
un "Forza Pantani!")
I will show, how to crack a stupid Ready-Made commercial protection scheme:
SoftSentry 2.07 of the 20/20 Software. Download the Full Trial (very 
easily crackable) version at www.twenty.com.
This software allows zombie-programmers (IMHO does not deserve to be called 
"programmer" somebody that has fallen for this bogus protection), to  easyly 
'automagically' transform their FULL program in a Trial/Demo version. Sounds 
like a snakeoil vendor uh? It is exactly that: bogus comm∙ercialism at his 
best, as usual when they do something for money.

This is what they say: read yhe following and open your mouth in awe:
...softSENTRY 2 allows people who develop and market software to increase their 
sales by cutting down on unlicensed use of their software and by making it 
easy to provide effective trial versions that let prospects try out the products 
for a limited period. 
SoftSENTRY offers a range of software protection and trialware options to fit a 
variety of needs.
How softSENTRY is used?
The softSENTRY product is currently sold in three models: softSENTRY, softSENTRY 
Lite 16 and softSENTRY Lite 32. They all work alike, but the Lite versions do not 
have all the capabilities of the full version. (See Feature Summary for differences 
between the models.) 
When started, the main softSENTRY program is displayed, allowing you to select 
the types of limitations that are to be applied and what forms are to be displayed. 
When the appropriate Edit buttons are clicked, softSENTRY's Form Editor is invoked 
allowing the text, buttons and edit boxes on the forms to be visually created and 
arranged. Clicking the "Build .EXE" button and selecting a target Windows executable 
file will let you produce a protected copy of that file. 
Clicking the "Build .DLL" button will create a dynamic link library file which can 
be called from your program. (Use of a .dll is required for .exe files created with 
certain development systems. See Reference for more detail.) Each combination of 
limitation definitions and forms is saved as a softSENTRY project that can be 
reopened in softSENTRY for future use.
Absolutely No Programming Necessary (sic!)
You can protect your completed application or create fully-functional "trialware" 
without the need to modify your product's source code in any way. SoftSENTRY works 
directly on your 16 or 32 bit Windows .EXE files. Plus, softSENTRY lets you specify 
the protection methods and forms to be displayed working solely with selection boxes 
and visual layout tools.
....[and more]..


**ToolZ: 
Soft-Ice 3.x
an Hex Editor
SoftSentry 2.007 Trial Version (www.twenty.com)

**Essay:
Let's go.. Download the demo program at www.twenty.com
I will not show how to crack this demo, 'coz it is not interesting, and it's incredibly 
easy to do (Do it youself! Tip: delete C:\windows\system\ss.drv and the "magicKey" 
located in  HkCLassRoot\{XXXXXXXXXX} to restore the trial period) but i will show how 
to kill its protection schemes (ANY kind!)
(BTW: the fact that the protection of the supposed protecting application is so 
easy to crack says a lot about the quality of the product itself :-)

Ok, now you will have to use your target: protect some small file, in order to 
disassemble the process and watch how SoftSentry does work.
For disassemble we will use SoftIce, 'coz Wdasm89 seem to crash when we try to 
load this target.
The Protected file, and the original file have a different size. Good, you'll 
probably expect, as I did, some encryption and variable random protection scheme 
inside the target. You'r in for a surprise.

Now hold your breath: this is the entry point for ALL PROTECTED FILES:

:004B066F CC             int    03
:004B0670 55             push   ebp     ; <----- We start here
:004B0671 8BEC           mov    ebp,esp
:004B0673 83EC48         sub    esp,00000048
:004B0676 53             push   ebx
:004B0677 56             push   esi
:004B0678 57             push   edi
:004B0679 E950000000     jmp    004B06CE ; Very Strange jump, whattd'ya say? 
:004B067E 0000           add    [eax],al
:004B0680 7006           jo     004B0688

Look! All protected files, have the same pattern, whit the same JUMP (coded as E950000000)!
This is very useful, for us; it means that searching any 'protected' file for this pattern :
55 8B EC 83 EC 48 53 56 57 E9 50 00 00 00
will give us, the entry-point of the program, and tell us if the program has been 
'protected' whit SoftSentry2 Scheme! I told you you would have opened your mouths in awe.
Incredible, and very very silly.
The stupid JUMP 4b6ce (very insolit), points the EIP  to the real protection routine 
(you can easy realize it tracing over the code).
This routine jumps different for each type of 'protection scheme' that the programmer 
have selected to use: Time limit, splash...etc.
If the Protection fails, you will land AT 00093C9B:
 
 00093C82: 8B4508       mov    eax,[ebp][00008]	;Load right value to pass to the call..
 00093C85: 50           push   eax		;..push it!..
 00093C86: 68A0324B00   push   004B32A0		;idem
 00093C8B: FF156C744B00 call   [0004B746C]    	;This is a Call [User32!UnregisterClass]
 00093C91: E88A000000   call   001279B1		;*** LOAD THE RESOURCE OF THE MAIN PROGRAM!
 00093C96: E825000000   call   00127956		;*** This CALL, Run THE MAIN PROGRAM!
 00093C9B: 8B45B8       mov    eax,[ebp][0FFB8]	;*** HERE YOU LAND! If the check routine fails! 
						;Load handle of the main?
 00093C9E: 50           push   eax	  	;prepare for the call
 00093C9F: FF15E4734B00 call   [0004B73E4] 	;This is CALL [Kernel32!ExitProcess]
						;and the program terminate
 
This 2 Calls at 93c91,93c96  are the FULL programs completely free from any Nag, Splash, 
time-limit, whatever 'ptotection' had been chosen (I know, coz i have execute it!); and 
if you compare this source with any other program protected, you'll see that both calls 
are ALWAYS coded as

E8 8A 00 00 00 E8 25 00 00 00
^^^^^		^^^^^^
1st Call	2nd Call
(use a hex editor to search..)


Very nice!.. so the  protection scheme work as:

:MAINPROGRAM-PROTECTED
	Jmp SoftSentriProtection (Always E950000000)
:End MAINPROGRAM-PROTECTED

:SoftSentriProtection	
	// Put Here your nag-splash-timelimit code "..//.class" tppabs="http:///.class"
	// made whit the SoftSentr2.007	           //
	IF (TrialPeriod==OK) Then
		CALL LoadResouce_FullProgram (Always E88A000000)
		CALL Run_Fullprogram (Always E825000000)
	Else
		Kernel21!CallExitprocess
:End SoftSentriProtection	

OK? Now we can write a GeneralCrack for this incredibly silly Commercial Protection Scheme, 
simply changing the first jump (coded as E950000000) whit the right code of the 2 CALL 
(which, as you remember, was always E88A000000 E825000000).OK?
Then :
1) Search for  55 8B EC 83 EC 48 53 56 57 E9 50 00 00 00
               			           ^^^^^^^^^^^^^THE JUMP!
				
2) Replace Whit E8A2040000 E83D040000 (*)
		1St Call   2Nd Call

(*)Note the code of the 2 call has been recalculated for the new position (always the 
same! Just track it whitin your debugger!)

Ok, we have killed another Commercial 'Protection' Scheme.

Hope you'll understand the whole point: 
Never never never use 'commercial' ready-made protections! Commercial oriented 
programmers are the most useless and stupid programmer breed, they will NEVER be 
able to offer you any real protection whatsoever... for godzilla's sake create 
your own protections, it's not so difficult after all, and you will at the very 
least know what you'r doing. 


redhomepage red+ORC redanonimity academy redcounter measures redtools redbots' wars
redjavascript wars redreality cracking redstudents' essays redacademy database redprogrammer's corner
redantismut CGI-scripts redcocktails redsearch_page redhow to search redmail_fravia+
redIs reverse engineering legal?