How To Crack A Ferret
(a clever, beautiful protection: wars between keys and the FFFFFFF8 monster)
by Hackmore Readrite, 7 January 1998
Courtesy of Fravia's page of reverse engineering
fravia's comments
An incredibly clever and 'sturdy' reversing of a difficult and intelligent protection. I don't use this kind of programs, and I hate people that throw me advertisement rubbish without asking, yet after having seen this, I admit that I respect the programmer that devised this protection, he deserves recognition! As a sign of respect we will never again reverse (publicly) his future protection schemes (yet we'll seek and await them eagerly for our private cracking sessions: they are delicious!). I anyway won't publish any more on my sites any essay about Ferret's clever protection schemes; this one is the first and the last, yet what an essay! Read, heed and enjoy this BEAUTIFUL essay by Hackmore. My congratulations, Hackmore, good work! I love your style: not much code and a lot of explanations! And your image of the FFFFFFF8 Monster lying in ambush is really great!
There is a crack, a crack in everything
That's how the light gets in
Rating
( )Beginner (x)Intermediate (x)Advanced ( )Expert
A useful essay for intermediate and advanced crackers in order to see an example of some of the paths followed by clever protectionists when developing new protection schemes. Read and heed: not all of them are stupid.
Title
How To Crack A Ferret
(a clever, beautiful protection: wars between keys and the FFFFFFF8 monster)

Written by Hackmore Readrite
Introduction

No intro

Tools Required

Usual tools
Softice is a must

Target URL

   Targets                Size           Description
   -------                ----           -----------
   EFT111.EXE              690 Kb        E-mail Ferret
   FFT111.EXE              724 Kb        File Ferret
   IFT111.EXE              678 Kb        IRC Ferret
   NFT111.EXE              694 Kb        News Ferret
   PFT111.EXE              673 Kb        Phone Ferret
   WEBFERRET110.EXE        620 Kb        Web Ferret
   WFPEV.EXE               732 Kb        Web Ferret Pro Evaluation Copy

 FROM: ftp://ferret.aitcom.net/pub/ferret
  AND: http://www.ferretsoft.com/ferret/
Program History
No history
THE ESSAY

 Notes: Program descriptions are available at the "http" address, but
 the "Web Ferret Pro" program is ONLY available at the "ftp" site. Also
 available at the "ftp" site is a program named "NFupgrade111.exe", which
 is just an upgrade utility to convert "older" versions of these programs
 to the "current" version, which is Version 1.11 for all of the programs
 listed except the Web Ferrets.

    WFPEV.exe is time crippled at install AND at run-time. It is also
 "missing" some code to turn off the advertising, but I'll show you how
 to get around these problems later. Despite these "problems", you'll want
 to download "WFPEV.exe" instead of "WebFerret110.exe" because "WFPEV.exe"
 is the "PRO" version, which does boolean searches, allows deletes, and
 has several other "necessary" features. Get it as soon as you can,
 because it has already expired and will probably be removed from the
 server as soon as someone notices it's still taking up space.

 ---------------------------------------------------------------------------

    WHAT DO THESE PROGRAMS DO?
    --------------------------

    These are very compact "search engines" which live on your hard drive.
 You enter query strings, just like you would at any search engine, and
 these programs will search ALL of the search engines you select. The
 results can be saved for future use, or used immediately if you choose.

    For instance, using Web Ferret and Win95 as an example, you would go
 to "find" on your "start" menu, click "web pages" to start the program,
 type in "fravia" and "cracking" as the items to search for, then click
 "find", and you'll get a listing containing every web page listed on the
 search engines that contains the text "fravia" and "cracking". Point your
 mouse at any listing, and you'll see the beginning text from that web page;
 click on a listing to open your browser and load the web page.

    The boolean feature in the Pro version is especially helpful. You can
 search for "cars AND trucks [but] NOT convertibles", as stated by the
 company. Features like these can be real handy when searching for a
 certain file, web-site, E-mail address, or IRC channel.

 ------------------------------------------------------------------------

    WHAT'S THE PROBLEM?
    -------------------

    Cash flow, or boredom, depending on WHY you crack. These programs are
 VERY reasonably priced, and worth the investment! It was the sales
 tactics which drew my attention to these programs, and the encryption
 technique which drew my interest.

    When you install these programs, you enter your name and company, then
 click the "next" button, and enter your serial number and registration
 "key", or just leave these two fields blank to take the program for a
 test drive.

    After installation, you'll want to run the program, of course. It is
 then that you will discover the sales tactics. A banner will continually
 display ads, on YOUR monitor! This can NOT be tolerated! The "view"
 menu has an "option" to turn OFF advertising, but this option has been
 disabled until you register the program.

    They could have lost a sale because the time I WOULD have spent earning
 money to pay for these programs HAD to be spent removing their advertising
 instead. How do they expect me to test drive their product with those
 awful banners constantly distracting me?

    Even though we've got the program installed on our hard drives, the
 original install program is necessary to register the program, so don't
 delete it yet. Let's fix these programs so we can test them without all
 of those distractions! The Web Ferret Pro is totally different from all
 of the other programs listed above, so I'll cover it a bit later in this
 essay, but here is what you'll need to fix ALL of the other programs.

 ------------------------------------------------------------------------

    Even though we will NOT be going into the encryption scheme used in
 this program in this essay, I urge you to study it. It won't be necessary
 for cracking these programs, but the author has done a very fine job of
 encrypting things, and deserves honors for his style and technique.
 Unfortunately, he forgot that, no matter how well he encrypts his
 passwords, it MUST always boil down to a simple "go here, or go there"
 instruction in the end.

    For those of you who are too lazy to study, I'll give you a short
 description of how this encryption scheme is implemented. For those of
 you who DO study this, be VERY careful: one slight miscalculation will
 crash your computer! You should become very familiar with the "hboot"
 command inside Soft-Ice. Even minimizing the loader screen to the
 taskbar will lock up your computer.

    The serial number must contain five digits for reasons I'll explain
 later, and the "key" number must contain nine digits to activate the
 "next" button, which is deactivated as soon as you enter the first
 digit of the serial number.

    After you've typed in your serial number and registration key number,
 locate them, and set BPR's on them inside Soft-Ice. Then click on the
 "next" button. You'll break into the protection scheme at CS:004026D4.
 The "key" that you typed in, as you'll learn, is the "key" to unlocking
 the program. The serial number is only used to set a counter.

    The "key" value does its usual trip through memory addresses until
 it finally ends up on the stack. The center digit has been removed, so
 now your "key" is a "handy" eight characters long, so it fits nicely
 into the registers. After the string was shortened to eight characters,
 it was counted in the usual manner by placing FFFFFFFF in ECX. The result
 was inverted, as usual, to obtain the "decimal" byte count of "8", but it
 was also saved, uninverted, as FFFFFFF8 (that is, -8 in two's complement,
 or 4,294,967,288 unsigned) to crash your computer!

    At this point, we find another key already waiting for us at DS:0041C540.
 This second key is 12h bytes long, and is made up of three parts,
 using the starting values:

                   "12345678" "23456789" and "34567890"

    To make a long story short, these three groups of eight numbers are
 sent to war against the "key" value you typed in, AND against the other
 "eight number" groups. It's like a war between four countries, with EACH
 country fighting the other three countries. They are beaten against each
 other in just about every way imaginable until nothing is left but a
 mangled, unrecognizable, eight character string of garbage.

    From time to time, the 12h byte string is "refreshed" with the
 original numbers I've listed above. But the war continues. And when the
 smoke has cleared, we can finally do a few comparisons. If you've followed
 this through, you should find yourself at CS:0040EC3D.

    Again, the author was very clever. Every time you THINK EAX should be
 set to "01", it should be a "00", and vice versa. Keep this in mind,
 because, as I mentioned earlier, we're set up to crash! Any time you
 choose the "wrong" path to take after a CMP or TEST instruction, the
 program will find its way back to that FFFFFFF8 monster, and use it to
 crash your system. So choose wisely. Remember that you've entered bad
 data, so if the program "wants" to go one way, it probably "should" go
 the other way instead. Also remember, that's NOT always true!

    But, alas, we've made it to the check point. Lamers can just set their
 breakpoints to the following addresses. Lamers are lamers because they
 miss all of the fun stuff; YOU decide who you are!

 ------------------------------------------------------------------------

 1st check:                                         ; [ESP+0C] holds the
                                                    ; encrypted value of
                                                    ; your input "key"
 
 :0040EC3D 8B44242C    mov eax, dword ptr [esp+2C]  ; the GOOD number
 :0040EC41 83C40C      add esp, 0000000C
 :0040EC44 3944240C    cmp dword ptr [esp+0C], eax  ; the first "test"
 :0040EC48 7525        jne 0040EC6F                 ; a bad place to go!

 ------------------------------------------------------------------------

    Here, the GOOD value is stored at [ESP+2C]. Then it's MOVed to EAX to
 be CoMPared to the encrypted value of the "key" you typed in, which is
 stored at [ESP+0C]. Assuming EAX is "59 42 55 f8" and [ESP+0C] is
 "22 47 39 23", you might encounter a slight "problem" when you arrive at
 the JNE instruction. To repair this "problem" when the two numbers do NOT
 match, simply edit memory in Soft-Ice, as follows:

    d esp+0c   <--- dumps the "defective" bytes on the stack
    eb         <--- places your cursor ON the first "defective" byte in the
                    data box
    f8554259   <--- remember, things are stored backwards in memory, so you
                    have to enter the correct bytes into the data box in
                    reverse as well
               <--- puts your cursor back into the command box

    This "problem" is now solved, but don't hit "F5" (or otherwise leave
 Soft-Ice) yet! We still have a couple of checks left, and FFFFFFF8 is
 sitting on the stack just WAITING for us to make a mistake so it can crash
 our computers! If you decided to "repair" the jump instruction above,
 instead of entering the proper data, you'll learn just how effective that
 FFFFFFF8 monster can be, when you have to re-start your computer.

    Wander through the code just a while longer, and eventually you'll come
 across the next check. Again, the lamers can just set their breakpoints
 here, but they'll miss the full beauty of the author's protection scheme.
 
 ------------------------------------------------------------------------

 2nd check:

 :0040E92F 8B8D70FFFFFF  mov ecx, dword ptr [ebp+FFFFFF70] ; the GOOD number
 :0040E935 3B01          cmp eax, dword ptr [ecx]          ; the 2nd "test"
 :0040E937 0F850E000000  jne 0040E94B                      ; a BAD place

 ------------------------------------------------------------------------

    Here we find another instance of the encrypted version of the "key"
 you entered being CoMPared to a "good" number. You might notice that
 both of these numbers are quite different from the numbers you used
 to fix that last "problem" we had.

    The repair technique is the same though. Simply copy the value you
 find at ECX into EAX. Please note that ECX holds the ADDRESS of the
 proper number, NOT the proper number itself! So DO NOT copy the ADDRESS
 into EAX, and DO NOT try to "repair" the jump instruction, or the FFFFFFF8
 monster will get you!

    There is one more check that must be made, but if you typed in a five
 digit serial number like I told you to, feel free to hit "F5" (or otherwise
 leave Soft-Ice) at any time now. Your program will be fully registered.
 When the program is registered, it will write a 398 byte (18Eh) "lic" key
 into your registry, and any disabled functions and menu items will be
 enabled.

    For those of you who typed in more than five digits, follow the code
 a bit further. The program will simply count the number of digits you
 entered, then use the result of the count to check some strings in 
 memory. So if you entered seven digits, it will look for seven strings.
 The problem here is that there are only FIVE strings in memory to be
 checked. And the FFFFFFF8 monster is STILL waiting!

    You can fix this problem by fixing the count when the result is placed
 in EAX. Simply change the value to "5", then quit Soft-Ice and your
 program will be fully registered.

    These techniques will fully register ALL of the FerretSoft programs
 except for the Web Ferrets. Web Ferret is a "crippled" version of the
 Web Ferret Pro program, which is offered just to get you interested in
 the product, so you'll break down and "pay" for the "real" program.

    Web Ferret Pro is NOT offered in any form as a demo. Fortunately for
 us, FerretSoft left an evaluation copy on their ftp server for us to
 play with. Since it's an evaluation copy, we'll need to treat it just
 a bit differently.

 ------------------------------------------------------------------------

    WHAT ABOUT THAT MONSTER?
    ------------------------

    If ANY of the "checks" fail, (and there are MANY more than I've
 mentioned here), the program begins encrypting data against the 12h byte
 string. Each pass through the encryption process will decrement the
 FFFFFFF8 monster by "1", so you "could" go through the encryption process
 4,294,967,288 times (FFFFFFF8h, read as an unsigned count), theoretically!
 Of course, this would never happen because each pass is directed towards
 a different byte in memory, so eventually you encounter a "Memory Out Of
 Range" error message. With Soft-Ice running, you'll never get back into
 the program to see that message though. And, as I mentioned earlier, even
 minimizing the Loader window used to load the program will cause a crash.
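    The lesson of the two checks above and of this "monster" is a design
 point, not just a cracking trick: the branch at each check is not the only
 thing the outcome depends on, because the value that was compared is
 carried forward into the next stage and into the failure loop. Below is an
 added toy model of that shape, written for this page and NOT Ferret's code:
 the mixing function, the hypothetical genuine key "123456789", the memory
 layout and the stride are all invented; only the three constant groups,
 the "remove the centre digit" step, the -8/FFFFFFF8 counter and the "five
 registration strings" come from the essay. It shows why overwriting the
 data at [ESP+0C] passes the later check while patching the first jump
 still lands in the monster, and why a seven-digit serial runs the string
 table off its end.

```python
# Added toy model (not Ferret's code): a protection whose checks are coupled
# through the compared VALUE, so repairing the jump does not help.
MASK = 0xFFFFFFFF
CONSTANTS = (b"12345678", b"23456789", b"34567890")   # the 12h-byte string's parts
REG_STRINGS = ["LIC0", "LIC1", "LIC2", "LIC3", "LIC4"]  # only FIVE exist
GENUINE_KEY = "123456789"        # hypothetical 9-digit key; invented here
MEMORY = bytearray(64)           # stand-in for the process's writable memory


def rol32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def shorten(key9: str) -> bytes:
    """Drop the centre digit: a 9-digit key becomes 8 bytes, two dwords' worth."""
    if len(key9) != 9 or not key9.isdigit():
        raise ValueError("key must be nine digits")
    return (key9[:4] + key9[5:]).encode()


def scramble(eight: bytes) -> int:
    """Invented 'war between the keys': fold the 8 input bytes to one dword,
    then beat it against each constant group. Every step after the fold is a
    bijection on dwords, so distinct folded values give distinct results."""
    lo = int.from_bytes(eight[:4], "little")
    hi = int.from_bytes(eight[4:], "little")
    v = lo ^ rol32(hi, 16)
    for group in CONSTANTS:
        v = rol32(v ^ int.from_bytes(group[:4], "little"), 5)
        v = (v * 0x9E3779B1 + 0x7F4A7C15) & MASK
    return v


GOOD1 = scramble(shorten(GENUINE_KEY))   # the "GOOD number" of the 1st check
GOOD2 = rol32(GOOD1 ^ 0xA5A5A5A5, 13)    # the "GOOD number" of the 2nd check


def monster(neg_len: int) -> str:
    """Failure path. The loop counter is the un-inverted length (-8 = 0xFFFFFFF8),
    so it would run 4,294,967,288 times; each pass touches a new byte, so it
    walks off the end of MEMORY long before that ("Memory Out Of Range")."""
    passes, offset = 0, 0
    for ecx in range(neg_len, 0, -1):
        try:
            MEMORY[offset] ^= ecx & 0xFF
        except IndexError:
            return f"crash: memory out of range after {passes} passes"
        passes += 1
        offset += 16                     # invented stride: a new byte per pass
    return "unreachable"


def run_protection(key9: str, serial: str, patch_first_jump: bool = False,
                   fix_data: bool = False) -> str:
    """Return 'registered', or a description of how the monster crashed us."""
    MEMORY[:] = bytes(len(MEMORY))
    eight = shorten(key9)
    length = len(eight)                  # the inverted count: 8
    neg_len = (-length) & MASK           # the un-inverted count: 0xFFFFFFF8
    enc = scramble(eight)                # what sits at [ESP+0C] at the 1st check
    if fix_data:
        enc = GOOD1                      # the essay's repair: overwrite the bytes
    # 1st check: enc against GOOD1. Patching the branch only skips the compare...
    if enc != GOOD1 and not patch_first_jump:
        return monster(neg_len)
    # ...but the 2nd check is derived from enc itself, so a wrong enc still fails.
    if rol32(enc ^ 0xA5A5A5A5, 13) != GOOD2:
        return monster(neg_len)
    # Serial check: one registration string per digit typed; only five exist.
    if not serial.isdigit():
        return monster(neg_len)
    try:
        _checked = [REG_STRINGS[i] for i in range(len(serial))]
    except IndexError:
        return monster(neg_len)
    return "registered"
```

    With a 64-byte MEMORY and a stride of 16 the monster dies on its fifth
 pass; in the real program the counter is the same FFFFFFF8, and Soft-Ice
 never lets you see the error box. The point to take from the model is the
 coupling: a protection whose later stages consume the compared value rather
 than the branch outcome forces the attacker to produce the right DATA, which
 is exactly what the essay does with "eb" instead of patching the JNE.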

 ------------------------------------------------------------------------

    WEB FERRET PRO
    --------------

    Now let's install the Web Ferret Pro program. This program has a time
 lock when we try to install it. All we get is an error message informing
 us that the trial period is over. Later, when we get to run this program,
 we'll see that it expired December 31st, 1997. We can "fix" that though.
 So let's get to work!

    STEP 1
    ------

    In Soft-Ice, set a BPX on GetLocalTime. Then start the "WFPEV.EXE"
 program. When Soft-Ice breaks, you'll be at the first line of the
 GetLocalTime function. Press "F12" to return to the WFPEV code, (read
 the title on the line that runs across your screen inside Soft-Ice.)
 Trace through the code about fifteen steps until you find the following
 line of code:

 :00413716 0594F8FFFF              ADD EAX, FFFFF894

    (FFFFF894 is -1900 in two's complement, i.e. 0x76C = 1900 is being
 subtracted, which looks like the usual conversion of a four-digit year into
 "years since 1900".) As soon as this instruction has executed, change EAX
 to "0" with the instruction:

 r eax=0

    Then let the installation run its course. The program will install,
 but as soon as you try to run it, you'll get the same "expired" error
 message.

    If you cancelled your breakpoint, re-set it. If you did not cancel it,
 you should already be where you need to be. We're just going to do that
 last "fix" all over again, except this time we'll need to make it a
 permanent repair using a hex editor.

    When Soft-Ice breaks at GetLocalTime, just press "F12" again, to return
 to the WFPEV code, then trace about fifteen instructions again, and you
 should see:

 :004BD162 0594F8FFFF              ADD EAX, FFFFF894

    Which we need to change to:

 :004BD162 B800000000              mov eax, 00000000

    This will ALWAYS tell the program that this is the first time you
 have ever used it. Be sure to write down the hex bytes of the
 instructions around this instruction. You will need them to locate this
 spot in your hex editor when we make these changes permanent.

    STEP 2
    ------

    This step is strictly cosmetic. You can skip it if you're in a hurry
 and don't care what your menu looks like. Because this is an "evaluation"
 copy, they didn't bother to put in all that code it takes to enable or
 disable a menu item. They also left out the code needed to make the
 function work, in case "WE" got a copy of the program.

    What function? The one to turn off the advertising, of course! They
 just tossed in a few lines of code to make sure the ads would ALWAYS
 run. So skip these steps if you like to see advertisements, too!

    To enable the menu item "advertisment" on the "view" menu, set a
 breakpoint on "EnableMenuItem". When Soft-Ice breaks, use "F12" again
 until you return to the WFPEV code. Then, back-trace through the code
 until you reach this line of code:

 :0048DD7A 6A00                    push 00000000 <--- disable menu item

    Which we'll have to change to:

 :0048DD7A 6A01                    push 00000001 <--- enable menu item

    Write down those bytes again, so you'll be able to locate this spot in
 your hex editor. Even though you will be "enabling" this menu item, please
 keep in mind, it's ONLY cosmetic! The code is missing from the program to
 make this function work.

    STEP 3
    ------

    To add or remove the checkmark on the menu item, set a breakpoint on
 "CheckMenuItem". When Soft-Ice breaks, "F12" again to return to the WFPEV
 code, then back-trace some more until you find:

 :0046FDE4 B001                    mov al, 01 <--- enable checkmark

    Which you can change to:

 :0046FDE4 B000                    mov al, 00 <--- disable checkmark

    Again, this is just cosmetic, so turn the checkmark "on" or "off"
 according to your own preferences. The code inside the program has been
 reduced and set so that the "advertising" item on the menu is always
 checked, clicking the "advertising" item does nothing, and the
 advertisements will just keep displaying on your screen regardless of how
 you have these menu items set up.

    STEP 4
    ------

    And finally, a cut to the heart of this well thought out advertising
 ploy. It's time to stop those ads! But first a small confession. I only
 used a dead listing generated from WDASM when cracking this program, and I
 can't remember what led me to the next line of code. I can tell you, I
 searched for "GIF" in the dead listing, then followed the code until I
 reached this line:

 :004379C4 7305                    jnb 004379CB <--- jump to a new image

    Which we change to:

 :004379C4 EB00                    jmp 004379C6 <--- don't bother to jump

    This turns off the advertising because the program will never go to get
 the next advertisement. (Note that every replacement above is the same
 length as the instruction it overwrites: 5 bytes for 5, 2 for 2. A longer
 or shorter encoding would shift the code after it and break every relative
 jump and call across the spot.)

    So now you can load WebFerret.exe into your hex editor, search for the
 byte strings you've written down, and make the modifications you desire to
 get this program up and running.

    That's it!

    Now you should be able to search the web much more effectively, but
 please keep this in mind...
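    The addresses in the listings above are virtual addresses as Soft-Ice
 shows them, not offsets into the file, which is why the essay has you write
 down the neighbouring bytes and search for them in a hex editor instead of
 converting addresses. The script below is an added example of that
 hex-editor step, written for this page (not FerretSoft's or Fravia's code):
 it applies the four byte changes from STEPS 1 to 4 by locating the bytes you
 wrote down, refuses to patch when those bytes occur more than once (a bare
 "6A 00", push 0, appears in almost every function, so it can never be
 searched for on its own), and refuses any replacement that would change the
 instruction length. The IMAGE it operates on is a constructed stand-in: the
 instruction bytes are the essay's, the bytes around them are invented here
 and stand for whatever you actually wrote down.

```python
# Added example (not FerretSoft's or Fravia's code): same-length byte patching
# anchored on context bytes, as in the essay's hex-editor step.
class AmbiguousPatch(Exception):
    """The context bytes occur more than once in the file: refuse to guess."""


def find_unique(image: bytes, pattern: bytes) -> int:
    """Offset of PATTERN in IMAGE, provided it occurs exactly once."""
    first = image.find(pattern)
    if first < 0:
        raise ValueError(f"pattern {pattern.hex()} not found")
    if image.find(pattern, first + 1) >= 0:
        raise AmbiguousPatch(f"pattern {pattern.hex()} occurs more than once")
    return first


def apply_patch(image: bytes, context: bytes, at: int, new: bytes) -> bytearray:
    """Overwrite len(NEW) bytes starting AT bytes into the unique CONTEXT match.
    Same length only: a longer or shorter encoding would shift every byte after
    it and break each relative jump and call that crosses the spot."""
    old = context[at:at + len(new)]
    if len(old) != len(new):
        raise ValueError("replacement must be the same length as the original")
    pos = find_unique(image, context) + at
    out = bytearray(image)
    out[pos:pos + len(new)] = new
    return out


def count_changes(a: bytes, b: bytes) -> int:
    """Number of differing bytes between two equal-length images."""
    return sum(x != y for x, y in zip(a, b))


# Constructed stand-in for the executable. The commented instructions are the
# essay's; the neighbouring bytes are invented. Note the three bare "6A 00".
IMAGE = (
    b"\x55\x8B\xEC\x6A\x00\x6A\x00\xE8\x00\x00\x00\x00"         # push 0; push 0; call
    + b"\x8B\x45\x08\x05\x94\xF8\xFF\xFF\x89\x45\xFC"           # add eax, FFFFF894
    + b"\x3B\xC1\x73\x05\xB8\x01\x00\x00\x00\xC3"               # jnb +5 (next ad)
    + b"\x56\x6A\x00\x6A\x01\xFF\x75\x08\xE8\x00\x00\x00\x00"   # push 0 (EnableMenuItem)
    + b"\x8A\x45\xFF\xB0\x01\x88\x45\xFF"                       # mov al, 01 (checkmark)
)

# (description, context bytes written down, offset of the instruction, new bytes)
PATCHES = [
    ("STEP 1: add eax,FFFFF894 -> mov eax,0",
     b"\x8B\x45\x08\x05\x94\xF8\xFF\xFF\x89\x45\xFC", 3, b"\xB8\x00\x00\x00\x00"),
    ("STEP 2: push 0 -> push 1 (enable the menu item)",
     b"\x56\x6A\x00\x6A\x01\xFF\x75\x08", 1, b"\x6A\x01"),
    ("STEP 3: mov al,1 -> mov al,0 (no checkmark)",
     b"\x8A\x45\xFF\xB0\x01\x88\x45\xFF", 3, b"\xB0\x00"),
    ("STEP 4: jnb +5 -> jmp +0 (never fetch the next ad)",
     b"\x3B\xC1\x73\x05\xB8\x01\x00\x00\x00", 2, b"\xEB\x00"),
]


def apply_all(image: bytes, patches=PATCHES) -> bytearray:
    """Apply every patch in turn; any ambiguity or length mismatch aborts."""
    out = bytearray(image)
    for _desc, context, at, new in patches:
        out = apply_patch(bytes(out), context, at, new)
    return out


if __name__ == "__main__":
    patched = apply_all(IMAGE)
    for desc, *_ in PATCHES:
        print("applied:", desc)
    print(f"{count_changes(IMAGE, patched)} bytes changed, size unchanged:",
          len(patched) == len(IMAGE))
```

    Run against a real file, read it with open(path, "rb"), keep the
 original beside the result, and compare byte counts before you trust it:
 the four patches touch nine bytes in total and must not change the file
 size. If find_unique raises AmbiguousPatch, you did not write down enough
 neighbouring bytes in Soft-Ice; go back and extend the context rather than
 guessing which occurrence is the right one.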
Final Notes
    These programs are the ONLY programs sold by FerretSoft. If you make a
 key generator, or crack these programs and give them away for free to lamers
 in ANY form, you will be damaging FerretSoft in a way which COULD put them
 out of business and you will still remain a lame idiot anyway, since anybody 
 on the scene will know that you just ripped my essay off!

    Please STUDY these protection schemes, and use them all you like in 
 order to implement and ameliorate your own protections, but if you
 decide to KEEP the ferret programs, please PAY for them. The programmer(s) 
 (must be at least two: a clever one that devised the protection and an 
 idiot that devised the advertising cram) have worked very hard to create 
 these beautiful protections for us, they studied encryption techniques the 
 same way you have, and worked very hard to implement those techniques in 
 an effective manner. They did a great job, but messed up just a bit at 
 the end.

   This is NOT a "greedy" company like M$, they have priced their products
 very reasonably. Even their advertising techniques are "original" to say
 the least. So be kind, and treat this company with a bit of respect. If
 you do, they might dream up even BETTER stuff for our private pleasure.

                                                      Search well...
                                                      Hackmore Readrite
                                                      Data Miners Inc.
Ob duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.