The Evolution of the Cool Edit Protection Scheme Part IV


Welcome back.
In case you don't already know, the +HCU entrance strainer is out,
so get cracking; it is 2 billion times easier than the one that
was out last year. I didn't know +Orc existed last year, so I will
be applying myself this year too. I've cracked the Instant Access
strainer from last year and I think I might write another tutorial
on it, as +Orc's is (purposely) incomplete. I think +Orc wants to
up the +HCU numbers, don't know really, but if you read through
the tutorials (4.1 and 4.2) you will have no problems, except finding
the old version. I won't tell how I got mine, so don't ask :>.

Anyway, this tutorial, as I've said, will be concerned with Cool Edit 96,
which, and I quote:
	
	'This version has a new registration scheme. Registered
	users may receive a free registration number from syntrillium
	for this version'

Bollocks. I sincerely hope that this 'new' registration scheme is not also
used in the new version of the program; if it is, you are being ripped off.

This screen will only appear if you put your code from version 1.50
(can you remember back that far?) in the cool.ini file and get rid of
the license and garbleflux stuff.

OK, you have your dead listing and you have isolated the protection scheme
(by simply looking at the export list for REGISTERProc; duh, we would never look
there) and cut and copied it into a separate file so that you don't have to
go for a cup of coffee (Wodka-Martini :>) every time you press page down.
No, actually that's not fair and I take it back. The unassembled file is only
9,762,663 bytes. This may seem big, but after completing the +HCU strainer you
will know what a big file is: I actually don't have a Windose program that would
open it (50+ megs), so I had to use my own DOS program, which has way too many bugs at
the moment. Anybody have a copy of WordPerfect for DOS? Mail me.

Anyway, you have your protection scheme, and what is the first thing you notice?
... Yes, it is practically the same.

Notice the two new strings.

tdump cool96.exe cool.dmp -a

Search for 'password' and you get this:

 092800: from a BBS or el sewhere, please  contact me..ID_P ASSWORD.About th
 092840: e Creator...GODL UVSU....DIGITALW ....ARTHLOVE.... PEACEONE....LOVE
 092880: LOVE....HOJDIVAD ....PLEASE_DON'T _PIRATE_SOFTWARE !!! (at least no
 0928C0: t Cool Edit, eh? )...ifoobari.... %s\stats.xfm.... %s\dtmf.xfm.%s\r

Although you could have just looked at your unassembled listing, I just felt
like showing you another way to find the strings. Remember: KNOWLEDGE is
REAL POWER. (By the way, Tdump is part of the Turbo C kit; find it on the net,
or even better get Borland C, oh and Mail me if you find the new version.)
Always use C; it is the best, as any good non-commercial programmer will
inform you.

Right, we have our two new strings, GODLUVSU and DIGITALW. Will they be important?
Let's see.

I was about to insert a listing of the complete protection scheme, but it really
is the exact same as before, so there is no real need. Here are the bits that differ:

				  lea ebp, [GODLUVSU + EDX]
:00428FBE 8D541444                lea edx, [PEACEONE + EDX]
:00428FC2 8A4D00                  mov cl , [ebp+00]
:00428FC5 8AC1                    mov al , cl 
:00428FC7 F6E9                    imul cl
:00428FC9 8D4889                  lea ecx, [eax-77]
:00428FCC 8A02                    mov al , [edx]
:00428FCE 884D00                  mov [ebp+00], cl 
:00428FD1 B11F                    mov cl, 1F
:00428FD3 F6E9                    imul cl
:00428FD5 041D                    add al, 1D
:00428FD7 6683FE07                cmp si, 0007
:00428FDB 8802                    mov [edx], al 

and so on, basically the same.

As you can see, our two new compare strings are modified in the same manner as
the others; however, they are not compared at the end of the protection scheme.
Therefore they have no use and are there either to confuse us (duh, we're real
confused) or to serve in the next version that comes out.
Although be careful: if ol' David Johnston finds these files he might use these
strings to trick us and do something nasty to our computers. That would at least
be interesting.
Here is the complete listing of the scheme in C:

#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* strupr() is a Borland/Microsoft extension; this portable version is used
   instead so that the listing builds with any C compiler. */
static void upper_case(char *s)
{
	for(; *s; s++) *s = (char)toupper((unsigned char)*s);
}

/* gets() has no bounds check (and is gone from C11): read a line safely
   and drop the trailing newline. */
static void read_line(char *buf, size_t size)
{
	if(fgets(buf, (int)size, stdin) == NULL) buf[0] = '\0';
	buf[strcspn(buf, "\r\n")] = '\0';
}

int main(void)
{
	int  Length1, Length2;
	unsigned char A, B, A1;
	unsigned long C=0x0c;
	register int counter1, counter2=0;
	unsigned int temp, temp2;
	char RESULT[]	="        ";
	char HOJDIVAD[] ="HOJDIVAD";
	char HOJDIVAD2[]="HOJDIVAD";
	char LOVELOVE[] ="LOVELOVE";
	char PEACEONE[] ="PEACEONE";
	char ARTHLOVE[] ="ARTHLOVE";
	char GODLUVSU[] ="GODLUVSU";
	char DIGITALW[] ="DIGITALW";
	char ifoobari[] ="ifoobari";
	char ID[20];
	char UPPERID[20];
	char PASSWORD[9];

	printf("\n Enter Your Name Please => ");
	read_line(ID, sizeof ID);
	Length1 = (int)strlen(ID);
	strcpy(UPPERID, ID);
	printf("\n Enter your Eight letter PASSWORD => ");
	read_line(PASSWORD, sizeof PASSWORD);
	upper_case(PASSWORD);

	/* The next three loops are garbled on the page: each survives only as
	   "for(counter1=0;counter17)counter2=0;" because the '<' of the loop
	   condition swallowed everything up to the '>' of the closing
	   "if(counter2>7)counter2=0;". Their bounds and bodies cannot be
	   recovered; Length2 was presumably computed in one of them. */
	/* for(counter1=0;counter1<...;counter1++) { ... if(counter2>7)counter2=0; } */
	/* for(counter1=0;counter1<...;counter1++) { ... if(counter2>7)counter2=0; } */
	temp = counter2;
	/* for(counter1=0;counter1<...;counter1++) { ... if(counter2>7)counter2=0; } */

	/* ASSUMPTION (not from the page): use the name length so that the
	   remaining loops run; the original derivation of Length2 is lost. */
	Length2 = Length1;

	/* Each of the six compare strings is mangled byte by byte with its own
	   multiply/add constants (see the disassembly above), while C accumulates
	   the name. */
	C = 0x0c;
	counter2 = 0;
	for(counter1=0;counter1<(Length2);counter1++)
	{
		C+= UPPERID[counter1];
		A = HOJDIVAD2[counter2];

		A *= 0x0D;
		A += 0x11;
		HOJDIVAD2[counter2] = A;

		A = LOVELOVE[counter2];
		A *= 0x11;
		A += 0x17;
		LOVELOVE[counter2] = A;

		A = ARTHLOVE[counter2];
		A *= 0x25;
		A += 0x11;
		ARTHLOVE[counter2] = A;

		A = DIGITALW[counter2];
		A *= 0x17;
		A += 0x25;
		DIGITALW[counter2] = A;

		A = GODLUVSU[counter2];
		A *= A;
		A -= 0x77;
		GODLUVSU[counter2] = A;

		A = PEACEONE[counter2];
		A *= 0x1F;
		A += 0x1D;
		PEACEONE[counter2] = A;

		counter2++;
		if(counter2 > 7) counter2 = 0;
	}

	/* Subtract the low byte of the name sum from every string. */
	for(counter1=0;counter1<(Length2);counter1++)
	{
		A = (char)C;
		HOJDIVAD2[counter2] -= A;
		LOVELOVE[counter2]	-= A;
		ARTHLOVE[counter2]	-= A;
		PEACEONE[counter2]	-= A;
		GODLUVSU[counter2]	-= A;
		DIGITALW[counter2]	-= A;
		counter2++;
		if(counter2>7) counter2 = 0;
	}

	/* XOR every string with the name characters. */
	for(counter1=0;counter1<(Length2);counter1++)
	{
		A = UPPERID[counter1];
		HOJDIVAD2[counter2] ^= A;
		LOVELOVE[counter2]  ^= A;
		ARTHLOVE[counter2]  ^= A;
		PEACEONE[counter2]  ^= A;
		GODLUVSU[counter2]  ^= A;
		DIGITALW[counter2]  ^= A;
		counter2++;
		if(counter2>7)counter2 = 0;
	}

	/* Final step: add ifoobari, reduce MOD 26 (B = 0x1A) and map onto 'A'..'Z'. */
	for(counter1=0;counter1<8;counter1++)
	{
		A = ifoobari[counter1];
		temp = A;
		temp2 = A;
		B = 0x1A;

		A = GODLUVSU[counter1];
		temp = A;
		temp += temp2;
		A1 = (temp%B);
		A1 += 0x41;
		GODLUVSU[counter1] = A1;

		A = ARTHLOVE[counter1];
		temp = A;
		temp +=temp2;
		A1 = (temp%B);
		A1 += 0x41;
		ARTHLOVE[counter1] = A1;

		A = DIGITALW[counter1];
		temp = A;
		temp +=temp2;
		A1 = (temp%B);
		A1 += 0x41;
		DIGITALW[counter1] = A1;

		A = LOVELOVE[counter1];
		temp = A;
		temp += temp2;
		A1 = (temp%B);
		A1 += 0x41;
		LOVELOVE[counter1] = A1;

		A = HOJDIVAD2[counter1];
		temp = A;
		temp +=temp2;
		A1 = (temp%B);
		A1 += 0x41;
		HOJDIVAD2[counter1] = A1;

		A = PEACEONE[counter1];
		temp = A;
		temp +=temp2;
		A1 = (temp%B);
		A1 += 0x41;
		PEACEONE[counter1] = A1;

		A = HOJDIVAD[counter1];
		temp = A;
		temp += temp2;
		A1 = (temp%B);
		A1 += 0x41;
		HOJDIVAD[counter1] = A1;

	}
	printf(	"\n    Code for 'New' version  [1.50]=> %s"
			"\n             'Full' version [1.50]=> %s"
			"\n             'Lite' version [1.50]=> %s"
			"\n             'Full' version [1.51]=> %s"
			"\n             'Lite' version [1.51]=> %s"
			"\n             extras v96 => %s %s\n"
			,HOJDIVAD, HOJDIVAD2, LOVELOVE, ARTHLOVE,
						PEACEONE, GODLUVSU, DIGITALW);

	return 0;
}

We already have our password program in C, so let's look at the actual
algorithm a bit closer and see if we can really crack it.

char A, B;
int counter1, counter2 = 0, temp;
for(counter1=0;counter1<8;counter1++)
{
	A = ifoobari[counter1];
	B = PASSWORD[counter1];
	temp = A;
	temp += B;
	temp += counter2;
	temp += 0x00F7;
	temp %= 0x1A;
	temp += 0x41;
	A	 = temp;
	RESULT[counter1] = A;
	counter2 += 0x1A;
}

This is the C code of the section that encrypts the password string
that you enter.

OK, first things first: the hex value 0x1A should cause a little
light bulb to ignite. Well, maybe not, but it did for me ... why?

	0x1A = 26 dec
	       26 letters in the alphabet

Bearing this in mind, let's look at the MODULUS part first:
if we are to take the remainder when dividing by 26, then adding
any number that is a multiple of 26 to the dividend will have no
effect on the remainder if the divisor is also 26 (it only affects the
quotient).
	Therefore, we can remove the counter2 stuff, as we are just
adding 26 which is then cancelled out by the MOD 26, so now we have this:

for(counter1=0;counter1<8;counter1++)
{
	A = ifoobari[counter1];
	B = PASSWORD[counter1];
	temp = A;
	temp += B;
	temp += 0x00F7;
	temp %= 0x1A;
	temp += 0x41;
	A     = temp;
	RESULT[counter1] = A;
}

NB: this is what +Orc refers to as junking, that is, placing 'junk' into
the protection code to confuse us crackers.

OK, now let's look at the 0x00F7 => 247d; 247 MOD 26 = 0x0D or 13d.
So we can change this to += 13d. Note 13 is just half of 26!!

for(counter1=0;counter1<8;counter1++)
{
	A = ifoobari[counter1];
	B = PASSWORD[counter1];
	temp = A;
	temp += B;
	temp += 13;
	temp %= 26;
	temp += 0x41;
	A     = temp;
	RESULT[counter1] = A;
}

OK, now what about the 0x41? Mmm, in decimal 65, and 65 MOD 26 also equals 13.
WAIT, this time it is different; what else is familiar about 0x41...
Yes, that's it: 'A' in ASCII. Hence, after the MOD the value will be
from 0 to 25, giving us ASCII values 0x41 to 0x5A, ASCII 'A' to 'Z'.

OK, now what? Well, you can't work backwards because you can't infer what
the DIVIDEND was before the MODULUS. So, as with all types of mathematical
problems, we throw out all the details and get the simplest version
possible. This is what we have been doing, but to make it as simple as
possible let's set ifoobari to 0 and PASSWORD to AAAAAAAA, the simplest
possible values. This means we now have:

for(counter1=0;counter1<8;counter1++)
{
	B = PASSWORD[counter1];
	temp = B;
	temp += 13;
	temp %= 26;
	temp += 0x41;
	A     = temp;
	RESULT[counter1] = A;
}

Now let's work through the code with these values and see what we get:
		'A'(0x41)(65) + 13
	=	'N'(0x4E)(78) MOD 26
	=	'\x0'(0x00)(0)		Ah ha!!!

Do you get it? Adding 0x41 and we are back to where we started.
Thus, all this code does bugger all.
So with ifoobari = 0,

the code now looks like this:

for(counter1=0;counter1<8;counter1++)
{
	A = PASSWORD[counter1];
	temp = A;
	A    = temp;
	RESULT[counter1] = A;
}

or 
for(counter1=0;counter1<8;counter1++)
{
	RESULT[counter1] = PASSWORD[counter1];
}

Cracked :>

Still don't see it? :( Do not despair.

If we consider the PASSWORD (B) variable to be a value
0 < B < 26, i.e. A to Z but as a number, we can therefore get rid of the
             temp += 0x41 and
             temp += 13
because these offset the value in PASSWORD to a value between 0 and 26,
i.e. ('A', 0x41)    (65 + 13) MOD 26 = 0
     ('Z', 0x5A)    (90 + 13) MOD 26 = 25


	R = (A + B) MOD 26

Ignoring the MOD 26 for the moment, because it is only there to keep the
values between A and Z:

	R = A + B

As we know the Result (R) and ifoobari (A), we want B:

	B = R - A ; where 0 < (R - A) < 26

To keep R - A within the limits we MOD it with 26, which keeps it within the
range -26 to 26, then add 26 to it if it is < 0.

So our C code looks like this:

	A = ifoobari[counter1];
	R = RESULT[counter1];
	temp = R - A;
	temp %= 26;
	if(temp<0) temp += 26;
	PASSWORD[counter1] = temp;

And that's your crack :)
Taking PASSWORD and RESULT to be uppercase chars again we have:

int temp1, temp2;     /* signed, so the < 0 test below works */
for(counter1=0;counter1<8;counter1++)
{
	temp1 = (unsigned char)ifoobari[counter1];
	temp2 = (unsigned char)RESULT[counter1];
	temp2 -= 0x41;    /* Convert to integer 0..25 */
	temp2 -= temp1;
	temp2 %= 26;
	if(temp2<0) temp2 += 26;
	temp2 += 0x41;    /* Convert back to ASCII */
	PASSWORD[counter1] = temp2;
}
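The MOD 26 argument above can be checked exhaustively rather than taken on faith. The following is an added example, not KoTToS's code and not anything shipped with Cool Edit: encrypt_original is the eight-character loop quoted from the listing (ifoobari + PASSWORD + counter2 + 0xF7, MOD 0x1A, + 0x41) transcribed into Python, encrypt_simplified is the form the text reduces it to, and decrypt is the Decrypt function just derived. It goes one step beyond the text: because everything ends up reduced MOD 26, only the residue mod 26 of each key byte matters, so all the multiply/add/XOR mangling in the big listing can contribute at most 26 distinct shifts per character position. The function names and the sample key are my own.

```python
# Added example, not KoTToS's code: exhaustive check of the MOD 26 argument.
# encrypt_original transcribes the eight-character loop quoted from the
# listing; the other functions are the simplifications derived from it.

ALPHABET = 26      # 0x1A, the modulus
ASCII_A = 0x41     # 'A', the offset that maps 0..25 onto 'A'..'Z'


def encrypt_original(key, password):
    """The check as it appears in the listing, junk included.
    key: 8 bytes (the mangled ifoobari string), password: 8 upper-case letters."""
    result = []
    counter2 = 0
    for a, b in zip(key, password):
        temp = a
        temp += b
        temp += counter2          # junk: always a multiple of 26
        temp += 0x00F7            # junk: 247 == 13 (mod 26)
        temp %= 0x1A
        temp += 0x41
        result.append(temp)
        counter2 += 0x1A
    return bytes(result)


def encrypt_simplified(key, password):
    """Same function with the junk removed: counter2 vanishes, 0xF7 becomes +13."""
    return bytes((a + b + 13) % ALPHABET + ASCII_A for a, b in zip(key, password))


def decrypt(key, result):
    """Inverse of encrypt_original (the Decrypt function of the text).
    Python's % already returns a non-negative value, so the 'if < 0: += 26'
    step of the C version is not needed here."""
    return bytes((r - ASCII_A - a) % ALPHABET + ASCII_A for a, r in zip(key, result))


def junk_is_noop():
    """For every key byte and every upper-case letter in every position:
    original == simplified, decrypt inverts encrypt, and a zero key is the
    identity (the 'AAAAAAAA' experiment of the text, done for all letters)."""
    for a in range(256):
        key = bytes([a]) * 8
        for b in range(ASCII_A, ASCII_A + ALPHABET):
            pw = bytes([b]) * 8
            r = encrypt_original(key, pw)
            if r != encrypt_simplified(key, pw):
                return False
            if decrypt(key, r) != pw:
                return False
            if encrypt_original(bytes(8), pw) != pw:
                return False
    return True


def distinct_outputs_per_key_byte(password=b"AAAAAAAA"):
    """How many different results the 256 possible key bytes can produce for
    a fixed password: only the residue mod 26 of each key byte matters."""
    return len({encrypt_original(bytes([a]) * 8, password) for a in range(256)})


if __name__ == "__main__":
    # Constructed sample: the un-mangled "ifoobari" string used as the key.
    key = b"ifoobari"
    code = encrypt_original(key, b"COOLEDIT")
    print("junk is a no-op:", junk_is_noop())
    print("code for COOLEDIT with key ifoobari:", code.decode())
    print("decrypts back to:", decrypt(key, code).decode())
    print("distinct outputs over all key bytes:", distinct_outputs_per_key_byte())
```

junk_is_noop() walks all 256 key bytes against all 26 letters in every position, which is small enough to run in well under a second; if any of the three claims were false it would return False. distinct_outputs_per_key_byte() returning 26 is the lesson for anyone designing such a check: arithmetic junk that disappears under the modulus costs the attacker nothing, and the effective key space per position is the alphabet size, however elaborate the mangling that produced the key.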

.... and there before your very eyes is your own Decrypt function;

Incorporate this into the above program for the complete Crack :)

I hope that was explained properly; if you still don't get it, Mail me
and I will reveal all!
No, in fact if you don't get it, ... , get it? Learn to crack yourself.

DON'T YOU THINK THAT'S A BIT MUCH?
================================
Is this all a bit too much work to crack one little program? If that
is what you are thinking right now then you have learned nothing
(I sound like a wise old Chinese dude). The whole point of this
is not to crack Cool Edit 96 but to learn as much as we can from the protection
scheme, and observe its evolution. You should have picked up lots of tips
along the way; if you have, Mail me to say thanx, and use your
newly obtained knowledge to do some good in this greedy world.
Now go outside and listen to the birds singing, or watch the stars if it is
late, and wonder how such a beautiful place can go by unnoticed by most people
who are only thinking about Money or God or something.

				KoTToS


Mail me if you have any requests for a crack.