FrontPage 98 English beta 1 for Windows 95 & NT 4.0
(They are getting tougher)
by Epic Lord
(14 August 1997, slightly edited by Fravia)
Courtesy of Fravia's page
of reverse engineering
Well, Epic Lord has worked 'in a hurry', but his
crack is nevertheless quite effective and interesting... so Micro$oft is now writing
"scarecrow" phrases like "This copy of Microsoft FrontPage has been modified in a way which
is in violation of the license agreement"... poor sods! And some anti-WinIce tricks as well...
mmm, we'll have to keep half-awake to defeat M$ protections in the future :-)
Well, I hope this essay will become my contribution to Project 9,
namely reverse engineering all the Micro$oft products' protection
schemes! I apologize for my English.
The target is "FrontPage 98 - English Beta 1 for Windows 95 & NT 4.0 - US
English Version". A long name. It can be found at Microsoft, located at
http://www.microsoft.com/msdownload/fp98/05000.htm, if you're lucky,
anyway, even if they retire/modify it after the publication of this essay,
too many people will already have downloaded it (and too many magazines
will have already published it) to halt this snowball rolling :-)
BTW, it is approximately 20 MB. Pretty big to download over a 14400 bps
connection, but I wanted to be the first one on the subject :=)
The product is really bloated; it spans more than 80 folders and 950
files. In the BIN folder alone there are more than 30 files.
Let's begin.
I started the FrontPage Explorer (fpexplor.exe); the target started. I changed my
system time to a couple of years ahead and started it again; the target did not start.
I started the FrontPage Editor (fpeditor.exe); the target started.
I tried again; it did not.
Well, the various programs under examination are writing something
somewhere (huh? a clever conclusion :=)
I disassembled the target file (fpeditor.exe) first of all and found
nothing. The same happened while I was working on M$ Publisher.
The protection must dwell somewhere outside the main code; it must be
easily editable and must be undercover.
YES! look at the .dll files.
Well there are 22 .dll files in the BIN folder. A couple more are in the
SYSTEM directory.
Let's get tougher :=)
I searched the files for the word "expired" and couldn't find
anything at all (DUH).
Multibyte characters!!! Therefore I searched for the sequence
"65 00 78 00 70 00 69 00 72 00 65 00",
which is "expired" interleaved with 00h separators.
I could forget cracking this target... I couldn't find the target itself yet!
The search string is in "fp30cutl.dll"... bingo!
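The "multibyte" strings the essay ran into are wide (UTF-16LE) strings: every ASCII character is followed by a 00 byte, which is why a plain byte search for "expired" finds nothing while the interleaved pattern hits. The following is an added example, not code from the essay or from FrontPage, that builds the wide pattern for a word and searches a blob both ways; the blob is constructed here and does not reproduce fp30cutl.dll's real layout. Note that the six byte pairs quoted in the essay spell the prefix "expire"; the full word adds a trailing 64 00, and either pattern will match the same resource string.

```python
# Added example: search a binary for a string stored as UTF-16LE ("wide")
# characters, the encoding behind the "65 00 78 00 ..." pattern in the essay.
# Not part of the original essay; SAMPLE_BLOB below is constructed.

def wide_pattern(text: str) -> bytes:
    """Return the UTF-16LE bytes of text: each ASCII char followed by 00."""
    return text.encode("utf-16-le")

def hex_dump(data: bytes) -> str:
    """Render bytes the way the essay quotes them: '65 00 78 00 ...'."""
    return " ".join(f"{b:02X}" for b in data)

def find_all(haystack: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in haystack."""
    hits = []
    pos = haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + 1)
    return hits

def search_string(data: bytes, text: str) -> dict:
    """Search for text both as plain ASCII and as UTF-16LE.

    A plain search misses wide strings entirely; the wide search finds them.
    """
    return {
        "ascii": find_all(data, text.encode("ascii")),
        "wide": find_all(data, wide_pattern(text)),
    }

# Constructed stand-in for a resource section: padding, one wide string
# resource, a terminator and a few unrelated bytes (hypothetical content).
SAMPLE_BLOB = (
    b"\x00" * 16
    + "Your evaluation copy has expired".encode("utf-16-le")
    + b"\x00\x00"
    + b"MZ\x90\x00"
)

if __name__ == "__main__":
    print("wide pattern for 'expired':", hex_dump(wide_pattern("expired")))
    print(search_string(SAMPLE_BLOB, "expired"))
```

The same approach works for any other message text the target displays; search for the visible dialog text as UTF-16LE before concluding that a string "is not in the file".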
Ok ok, I cheated. I did not notice the multibyte problem at the beginning,
so I started SoftICE and checked what was actually going on.
This approach let me suspect the file "fp30cutl.dll".
Do what I say, not what I did.
BTW, try SoftICE.
You will not find anything. The "Expiry" dialog box will pop up and, in spite of
all the debugging capability you have, none of the breakpoints will
activate.
Fravia+ is right. They are getting tougher.
Using a debugger will not be enough.
This target calls the .dll, and the .dll calls in turn another one.
"FpEditor.Exe" <- "fp30cutl.dll" <- "mfc42.dll" and so on.

For this crack, I used both the "live" SoftICE and the "dead listing" approach.
I pressed F12 and kept pressing till the nag screen appeared, and eventually
I found the following code snippet in "fp30cutl.dll":

    :67B497CD E89A760000      Call 67B50E6C      ;MFC42:NoName0103, Ord:09D2h
    :67B497D2 5F              pop edi
    :67B497D3 5E              pop esi
    :67B497D4 C3              ret

Not very informative, ha? I backtraced to the caller in the editor (not through
SoftICE, through the dead code) and found the activator... here it is:

    Exported fn(): ExpFn0115() Ord:0074h
    :67B2CC60 55              push ebp
    :67B2CC61 8BEC            mov ebp, esp
    :67B2CC63 81EC50010000    sub esp, 00000150
    :67B2CC69 53              push ebx
    :67B2CC6A 33DB            xor ebx, ebx
    :67B2CC6C 381D6B54B567    cmp byte ptr [67B5546B], bl
    :67B2CC72 56              push esi
    :67B2CC73 57              push edi
    :67B2CC74 750B            jne 67B2CC81
    :67B2CC76 891D6054B567    mov dword ptr [67B55460], ebx
    :67B2CC7C E941020000      jmp 67B2CEC2

Well, I added "fp30cutl.dll" to the exports list of SoftICE and
restarted my system.
I put a breakpoint on fp30cutl!ORD_0074 and let the babe run.
Nothing happened. No bp popup. Gee! What was wrong?
Well... I put a memory RW breakpoint at [67B5546B] and now! Look! It pops!
I played a little with the code, and wow! a system error dialog appeared,
saying "This copy of Microsoft FrontPage has been modified in a way which
is in violation of the license agreement".
Nice! We are getting somewhere!
I studied the code and found no CRC, nor any similar checking.
It was due to comparisons of fixed memory locations.
However, it's getting late, 05:30 in the morning, and the cracking session
was heavy... sorry for the short climax, but that's all; the rest you'll
understand yourselves...
I will not delve into the details of the date checking and the other comparisons
(put 1990 in EAX, add 7, find 1997, etc.); let's crack it straight on.
The suspect culprit is the jump below:
:67B2CC74 750B jne 67B2CC81
Patching the value of BX in order to get the "correct" flags after the
comparison makes you Micro$oft_guilty.
Study the code piece above.
Therefore, quite simply...
LET'S IGNORE THE JUMP: REPLACE IT WITH 40 48
OK. That's all folks. I'm fast, ha? :=) BTW, with this patch, all other
components will run smoothly.
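The patch replaces the two bytes 75 0B (jne 67B2CC81) with 40 48 (inc eax; dec eax): same length, EAX left as it was, and the function now always falls through to the mov/jmp at 67B2CC76 whatever the byte at 67B5546B holds. inc and dec do write the flags, but the next instructions are a mov and an unconditional jmp, so nothing reads them. The following is an added example, not the essay's own tool, that applies the patch to a file image by byte signature rather than by address: the disassembler shows virtual addresses, and the file offset depends on the DLL's section mapping, while the absolute operand 6B 54 B5 67 changes if the image is relocated. The signature therefore wildcards the address operands and refuses to patch unless it matches exactly once. The sample image is constructed from the bytes in the listing above and is not the real fp30cutl.dll.

```python
# Added example: locate the jne at 67B2CC74 by its byte signature and replace
# it with 40 48 (inc eax ; dec eax), as the essay's patch does. Not from the
# essay; SAMPLE_IMAGE is constructed from the quoted listing.

import re

# Bytes from the listing: cmp byte ptr [addr], bl / push esi / push edi /
# jne +0B / mov [addr], ebx / jmp. The two 4-byte absolute operands are
# wildcarded (....) because they depend on the DLL's load address.
SIGNATURE = re.compile(
    rb"\x38\x1D....\x56\x57(\x75\x0B)\x89\x1D....\xE9",
    re.DOTALL,
)
PATCH = b"\x40\x48"   # inc eax ; dec eax: two bytes, EAX unchanged, jump gone

def patch_jne(image: bytes) -> tuple:
    """Return (patched_image, file_offset_of_patch).

    Refuses to patch unless the signature occurs exactly once, so an absent
    or ambiguous match cannot corrupt the file.
    """
    matches = list(SIGNATURE.finditer(image))
    if len(matches) != 1:
        raise ValueError(f"expected exactly one match, found {len(matches)}")
    off = matches[0].start(1)          # offset of the 75 0B inside the match
    patched = bytearray(image)
    patched[off:off + 2] = PATCH
    return bytes(patched), off

# Constructed sample: the listing from 67B2CC60 to 67B2CC80, padded on both
# sides with int3 (CC) bytes. Hypothetical layout, not the real DLL.
SAMPLE_IMAGE = (
    b"\xCC" * 0x20
    + bytes.fromhex("55 8BEC 81EC50010000 53 33DB 381D6B54B567 56 57 750B "
                    "891D6054B567 E941020000")
    + b"\xCC" * 0x20
)

if __name__ == "__main__":
    out, off = patch_jne(SAMPLE_IMAGE)
    print(f"patched 2 bytes at file offset 0x{off:X}: {out[off:off + 2].hex()}")
```

To use it on a real file, read the DLL into memory, call patch_jne, and write the result to a copy; keep the original, since any build with a different code layout will simply fail the single-match check rather than being silently mispatched.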
Best wishes, Epic Lord, epic@lords.com.
Thank you Fravia+
note: I do not claim any right for this essay :=)
(c) Epic Lord 1997. No rights whatsoever reserved