Lightspeed v461.01
A Second Approach
by ytc_ [tNO '99]

Target: Lightspeed v461.01
URL: Not available (but the target can be found in ORCPAK3.ZIP at +Greythorne's website)
Tools used: Softice v3.x (I'm using the WinNT version)
            Hex editor (I'm using my previously cracked PSEdit v4.4 ;-)
Protection: Paper protection
Level: Beginners/Newbies
Introduction

This one puzzled me at first. The first reason is that I can't find some parts of the code that +ORC mentioned in his lesson. Secondly, I don't see any SMC (self-modifying code) at all. And lastly, the crack that +ORC denied (changing the 'JNZ' to a 'JZ') worked perfectly for me, even though his lesson says "And then you would like to change the JNZ instruction in a JZ instruction... Please feel free to try it... it will NOT work!". Can anyone tell me why?

Essay

I will assume that you have already set up your copy of Softice and know how to use it well, including knowing what the shortcut function keys are (F8, F10, F11 and F12). If not, I suggest you read some other essays on how to set up Softice first before continuing. I will also assume that you have a fair knowledge of assembly language.

This time, we can use our usual loop trick again ;-) Do you see the pattern here? Almost ALL protection schemes use the SAME type of mechanism. The code might vary a bit, but the concept is still the same. So I'll make this tutorial short and sweet. You should be able to spot this loop very quickly if you followed my previous tutorials correctly.

1816:0062  9AEA008B0E          CALL    0E8B:00EA <== retrieve pressed key
1816:0067  8946F8              MOV     [BP-08],AX
1816:006A  0BC0                OR      AX,AX <== anything entered?
1816:006C  74F4                JZ      0062 <== loop if none
1816:006E  3D0800              CMP     AX,0008
1816:0071  742D                JZ      00A0
1816:0073  3D0D00              CMP     AX,000D <== is enter key pressed?
1816:0076  7442                JZ      00BA <== jump if yes

Do you see that? Do you see the pattern now? The loop, then the 0Dh compare and a JZ? Can you recognize all this? IT IS SO FAMILIAR!! Immediately bpx on CS:00BA, follow the RETF instruction from there, and you land here.

1816:0233  E8CAFD              CALL    0000 <== retrieve input
... lowercase input ...
1816:025A  FF76EA              PUSH    WORD PTR [BP-16]
1816:025D  8D46D7              LEA     AX,[BP-29]
1816:0260  50                  PUSH    AX
1816:0261  9A3E48010F          CALL    0F01:483E <== CALL compare
1816:0266  83C404              ADD     SP,04
1816:0269  0BC0                OR      AX,AX <== is equal?
1816:026B  7509                JNZ     0276 <== jump if not
1816:026D  B80100              MOV     AX,0001 <== set good_cracker flag!!
1816:0270  5E                  POP     SI
1816:0271  5F                  POP     DI
1816:0272  8BE5                MOV     SP,BP
1816:0274  5D                  POP     BP
1816:0275  CB                  RETF
1816:0276  2BC0                SUB     AX,AX <== set bad_cracker flag!!
1816:0278  5E                  POP     SI
1816:0279  5F                  POP     DI
1816:027A  8BE5                MOV     SP,BP
1816:027C  5D                  POP     BP
1816:027D  CB                  RETF

Must I say more? Can't you see the protection yet? Didn't my previous tutorials help you even a little bit? ;-) (I think I am going insane, hehe.) Sooner or later you WILL learn the tricks after some practice... just like everyone says, practice makes perfect. Now bring out your freshly cracked version of PSEdit (or any other hex editor) and start searching for the byte sequence.

Hmm... there's something fishy here. Where's that bloody byte sequence?! You keep searching, searching, searching. You look again at Softice and confirm that this part of the code resides in the lightspd module. Then you look at the contents of the directory containing the files needed to run Lightspd.exe... and WHAM!! Do you see what I see? LIGHTSPD.OVL!!! It loads another file, and that file contains the protection scheme!! Load it in your hex editor and search for the byte sequence again. Then patch the file accordingly. Here, I changed 7509 JNZ 0276 to 7500 JNZ 026D, redirecting the jump to THE NEXT LINE, which sets the good_cracker flag and lets the game continue.
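To see why 7509 becomes 7500 and why the "new" target is the very next line, it helps to decode the short conditional jumps in the listing above by hand. The following script is an added example for this essay (not part of the original, and not the game's code): it takes the offsets and bytes quoted in the listing, applies the 8086 rule that a short Jcc adds its signed 8-bit displacement to the address of the next instruction, and checks the result against the targets Softice showed.

```python
"""Decode the 8086 short conditional jumps quoted in the Lightspeed listing.

A short jump (0x74 = JZ, 0x75 = JNZ) is two bytes: the opcode and a signed
8-bit displacement that is added to the address of the *next* instruction.
Offsets and bytes below are the ones printed in the essay (segment 1816).
"""
import struct

# opcode byte -> mnemonic, for the two conditional jumps seen in the listing
SHORT_JCC = {0x74: "JZ", 0x75: "JNZ"}

def decode_short_jump(offset: int, code: bytes) -> tuple:
    """Return (mnemonic, target) for a 2-byte short Jcc located at `offset`."""
    if len(code) < 2 or code[0] not in SHORT_JCC:
        raise ValueError("not a short conditional jump: %s" % code.hex())
    disp = struct.unpack("b", code[1:2])[0]      # signed rel8 displacement
    next_ip = (offset + 2) & 0xFFFF              # 16-bit IP, wraps at 64K
    return SHORT_JCC[code[0]], (next_ip + disp) & 0xFFFF

# Constructed from the essay's listing: (offset of the jump, its two bytes)
LISTING = [
    (0x006C, bytes.fromhex("74F4")),   # JZ 0062  <== loop if no key
    (0x0071, bytes.fromhex("742D")),   # JZ 00A0
    (0x0076, bytes.fromhex("7442")),   # JZ 00BA  <== enter pressed
    (0x026B, bytes.fromhex("7509")),   # JNZ 0276 <== compare failed
]

def decode_listing(listing=LISTING):
    """Decode every jump in the listing as (offset, mnemonic, target)."""
    return [(off,) + decode_short_jump(off, code) for off, code in listing]

def patched_target(offset: int, code: bytes, new_disp: int) -> int:
    """Target of the same jump after its displacement byte is replaced."""
    return decode_short_jump(offset, bytes([code[0], new_disp & 0xFF]))[1]

if __name__ == "__main__":
    for off, mnem, target in decode_listing():
        print(f"{off:04X}  {mnem:<4} {target:04X}")
    # The essay's patch: 75 09 -> 75 00. A displacement of zero means the
    # jump lands on the next instruction (026D, MOV AX,0001) either way.
    print(f"after patch: JNZ {patched_target(0x026B, bytes.fromhex('7509'), 0):04X}")
```

The negative displacement on the first jump (F4 = -12) is what makes the keyboard loop at 0062 recognisable from the raw bytes alone.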

Final Notes

That's it for today. Protection schemes which use 'outside' files are getting pretty popular nowadays, and in various forms (DLLs, etc.). Some even go to the extent of HIDING those files among the Windows system files (which is pretty useless too; otherwise, how do you think most experienced crackers know about this? ;-)

Greets

There are a lot of people that I know, so I'll just greet everyone, especially those in #tno, #win32asm, #cracking4newbies and #cracking on EFNet.

Email: y_t_c@usa.net
Website: http://ytc98.cjb.net