Lazy software programming
("The last essay on simple password protection schemes")

by Plushmm
(10 August 1997)


Courtesy of Reverser's page of reverse engineering

Well, Plushmm confirms what we already supposed... programming in "higher" (aka as "overbloated") languages fools overbloated programmers into forgetting the awesome power of "lower" disassembling... Judge by yourself: an obvious protection schema used for four (at least) similar targets... this is the LAST essay I'll publish about easy password checking, please, +HCUkers, don't work any more on such easy protection schemes (unless they are used by Micro$oft or unless they protect a program that we really need)... I think we have already made the point clear even to the most stupid and lazy programmers... name-password manipolation is no match at all

Lazy Software Companies EXPOSED!

Part 1

by Plushmm [PC'97]

8th Aug 97
 


Commercial Programmers are really SAD... In order to seek money, they have to leave their real interests, to forget their coding capacities (if they ever had some :-) and work hard on schedule on programs that they don't have any interest in.  I'm not just taking about SHAREWARE programmers here...
I'll show, in my later essays, how the larger companies like ULEAD and even Micro$oft's "protection" are basically lame and weak....Once you've made an initial crack on just one of their programs, then the cracks for the rest are done.

It is my objective to prove to you that you can exploit this laziness...human weakness...to crack ALL a software companies program once you cracked just ONE of them!

The general idea goes like this...
1)    You visit this software house that has the program you want.
2)    You download it...and you crack it...it may take you 5 minutes...it may take you 3 hours...it doesn't manner so long as you are learning. :=)
3)    Once you did your first crack...you'll basically be able to crack ALL the other programs on their site BECAUSE they are LAZY!

Ok...without further ado, let's meet our FIRST target...

Basta Computing, LLC
http://www.basta.com

This software house churns out heaps of software...the more popular ones are Filo, WhoSock and ExIcon.

Let's run Filo v1.7, we see the NAG, telling us how many more days we have to "Evaluate" the target and such.
Choosing REGISTER, we come across 2 Edit boxes for us to put our "numbers" in.

Enter some crap and choose register.  Ok...it tells you that the number is "invalid".  Dead-list  the program and you notice that there is no dialog to tell you that the program has been registered sucessfully.  Notice from the dead-listings that the codes are rather messed up with many, many Calls and Jumps...Hmm...no match for Zen cracking.  Ok, out comes Softice.

Go to the registration dialog
Enter 12121212 34343434 as the registration key
Fire up Softice
task ok...name is Filo
hwnd Filo
get the handles for the edit boxes
bmsg on the edit boxes for wm_gettext        ; As suggested by +ORC ;)
back to the proggie and click on "ok"
Softice breaks
Press F5 a couple of times...this is to let the program read in all the information from the different Edit Boxes...
Now search for your registration code with s 30:0 lffffffff "12121212"
BPR on the location given
Let the program run, Softice will break again...notice that the program has combined your Registration key to "1212121234343434"
BPR on this new location and let the program run again...

The program will break RIGHT IN THE MIDDLE OF THE COMPARISON ROUTINE...
Check this out...
* Referenced by a Jump at Address:00407901(C)
|
:004078E9 8A0431                  mov al, byte ptr [ecx + esi]
:004078EC 3C30                    cmp al, 30                           ;"0"
:004078EE 0F8CC4000000            jl 004079B8                          ;not a number
:004078F4 3C39                    cmp al, 39                           ;"9"
:004078F6 0F8FBC000000            jg 004079B8                          ;not a number
:004078FC 8BC1                    mov eax, ecx
:004078FE 49                      dec ecx
:004078FF 85C0                    test eax, eax
:00407901 75E6                    jne 004078E9
:00407903 0FBE5E0F                movsx ebx, byte ptr [esi+0F]
:00407907 83EB30                  sub ebx, 00000030
:0040790A 8D4301                  lea eax, dword ptr [ebx+01]
:0040790D 83F80F                  cmp eax, 0000000F
:00407910 7C03                    jl 00407915
:00407912 83E80F                  sub eax, 0000000F

* Referenced by a Jump at Address:00407910(C)
|
:00407915 40                      inc eax
:00407916 83F80F                  cmp eax, 0000000F
:00407919 7C03                    jl 0040791E
:0040791B 83E80F                  sub eax, 0000000F

* Referenced by a Jump at Address:00407919(C)
|
:0040791E 8BC8                    mov ecx, eax
:00407920 83C003                  add eax, 00000003
:00407923 83F80F                  cmp eax, 0000000F
:00407926 7C03                    jl 0040792B
:00407928 83E80F                  sub eax, 0000000F

* Referenced by a Jump at Address:00407926(C)

:0040792B 0FBE3C31                movsx edi, byte ptr [ecx + esi]
:0040792F 8BC8                    mov ecx, eax
:00407931 83C003                  add eax, 00000003
:00407934 83EF30                  sub edi, 00000030
:00407937 83F80F                  cmp eax, 0000000F
:0040793A 7C03                    jl 0040793F
:0040793C 83E80F                  sub eax, 0000000F

* Referenced by a Jump at Address:0040793A(C)
|
:0040793F 8BD0                    mov edx, eax
:00407941 83C003                  add eax, 00000003
:00407944 83F80F                  cmp eax, 0000000F
:00407947 7C03                    jl 0040794C
:00407949 83E80F                  sub eax, 0000000F

* Referenced by a Jump at Address:00407947(C)
|
:0040794C 0FBE0C31                movsx ecx, byte ptr [ecx + esi] ;always
:00407950 0FBE1432                movsx edx, byte ptr [edx + esi] ;suspect
:00407954 8D0C89                  lea ecx, dword ptr [ecx + 4*ecx];when you
:00407957 8D0C4A                  lea ecx, dword ptr [edx + 2*ecx];see codes
:0040795A 0FBE1430                movsx edx, byte ptr [eax + esi] ;like this
:0040795E 8D0C89                  lea ecx, dword ptr [ecx + 4*ecx];Key manipulations!
:00407961 8D844A30EBFFFF          lea eax, dword ptr [edx + 2*ecx - 000014D0]
:00407968 83F803                  cmp eax, 00000003               ;after manipulations
                                         &nb! sp;                        ;eax must be = 3
:0040796B 754B                    jne 004079B8                    ;jump if faker
:0040796D 33C0                    xor eax, eax
:0040796F B90F000000              mov ecx, 0000000F

* Referenced by a Jump at Address:00407982(C)
|
:00407974 0FBE1431                movsx edx, byte ptr [ecx + esi] ;futher manipulation
:00407978 0FAFD1                  imul edx, ecx
:0040797B 03C2                    add eax, edx
:0040797D 8BD1                    mov edx, ecx
:0040797F 49                      dec ecx
:00407980 85D2                    test edx, edx
:00407982 75F0                    jne 00407974
:00407984 8D4B0E                  lea ecx, dword ptr [ebx+0E]
:00407987 83F90F                  cmp ecx, 0000000F
:0040798A 7C03                    jl 0040798F
:0040798C 83E90F                  sub ecx, 0000000F

* Referenced by a Jump at Address:0040798A(C)
|
:0040798F 0FBE1431                movsx edx, byte ptr [ecx + esi]
:00407993 0FAFD1                  imul edx, ecx
:00407996 2BC2                    sub eax, edx
:00407998 49                      dec ecx
:00407999 7903                    jns 0040799E
:0040799B 83C10F                  add ecx, 0000000F

* Referenced by a Jump at Address:00407999(C)
|
:0040799E 8A1C31                  mov bl, byte ptr [ecx + esi]        ;more "magic"
:004079A1 0FBED3                  movsx edx, bl                       ;being done...
:004079A4 0FAFCA                  imul ecx, edx                       ;similar principle
:004079A7 2BC1                    sub eax, ecx                        ;to my previous
:004079A9 B90A000000              mov ecx, 0000000A                   ;essay...
:004079AE 99                      cdq
:004079AF F7F9                    idiv ecx
:004079B1 80C230                  add dl, 30
:004079B4 3AD3                    cmp dl, bl                          ;second check!
:004079B6 7406                    je 004079BE                         ;jump if
                                         &nb! sp;                            ;good guy...

* Referenced by a Jump at Addresses:004078C9(C), :004078DE(C), :004078EE(C), :004078F6(C), :0040796B(C)
|
:004079B8 33C0                    xor eax, eax
:004079BA 5F                      pop edi
:004079BB 5E                      pop esi
:004079BC 5B                      pop ebx
:004079BD C3                      ret

Based on the codes above, you can go write your own key generator...
Since this essay is NOT about KeyGen, let's just patch it...

:0040796B 754B                    jne 004079B8               ;jump if faker
to        4840                don't EVER jump

:004079B6 7406                    je 004079BE                ;jump if good guy
to        EB06                jump ALL the time
 

Ok...now that Filo v1.7 is done, lets look at WhoSock v1.91...lo and behold!  Check this out!
...
...same code as Filo...
...
* Referenced by a Jump at Address:00406737(C)
|
:0040673C 0FBE0C31                movsx ecx, byte ptr [ecx+esi]
:00406740 0FBE1432                movsx edx, byte ptr [edx+esi]
:00406744 8D0C89                  lea ecx, dword ptr [ecx+4*ecx]
:00406747 8D0C4A                  lea ecx, dword ptr [edx+2*ecx]
:0040674A 0FBE1430                movsx edx, byte ptr [eax+esi]
:0040674E 8D0C89                  lea ecx, dword ptr [ecx+4*ecx]
:00406751 8D844A30EBFFFF          lea eax, dword ptr [edx+2*ecx-000014D0]
:00406758 83F809                  cmp eax, 00000009           ;Slightly diff "checksum"
:0040675B 754B                    jne 004067A8                ;SAME jump length!
:0040675D 33C0                    xor eax, eax
:0040675F B90F000000              mov ecx, 0000000F

* Referenced by a Jump at Address:00406772(C)
|
:00406764 0FBE1431                movsx edx, byte ptr [ecx+esi]
:00406768 0FAFD1                  imul edx, ecx
:0040676B 03C2                    add eax, edx
:0040676D 8BD1                    mov edx, ecx
:0040676F 49                      dec ecx
:00406770 85D2                    test edx, edx
:00406772 75F0                    jne 00406764
:00406774 8D4B0E                  lea ecx, dword ptr [ebx+0E]
:00406777 83F90F                  cmp ecx, 0000000F
:0040677A 7C03                    jl 0040677F
:0040677C 83E90F                  sub ecx, 0000000F

* Referenced by a Jump at Address:0040677A(C)
|
:0040677F 0FBE1431                movsx edx, byte ptr [ecx+esi]
:00406783 0FAFD1                  imul edx, ecx
:00406786 2BC2                    sub eax, edx
:00406788 49                      dec ecx
:00406789 7903                    jns 0040678E
:0040678B 83C10F                  add ecx, 0000000F

* Referenced by a Jump at Address:00406789(C)
|
:0040678E 8A1C31                  mov bl, byte ptr [ecx+esi]
:00406791 0FBED3                  movsx edx, bl
:00406794 0FAFCA                  imul ecx, edx
:00406797 2BC1                    sub eax, ecx
:00406799 B90A000000              mov ecx, 0000000A
:0040679E 99                      cdq
:0040679F F7F9                    idiv ecx
:004067A1 80C230                  add dl, 30
:004067A4 3AD3                    cmp dl, bl                        ;SAME 2nd Check
:004067A6 7406                    je 004067AE                       ;SAME jump length!!!
 
 

Geez!  Now look at ExIcon v1.9a...
...
...same code as Filo...
...
* Referenced by a Jump at Address:0040AC77(C)
|
:0040AC7C 0FBE0C31                movsx ecx, byte ptr [ecx+esi]
:0040AC80 0FBE1432                movsx edx, byte ptr [edx+esi]
:0040AC84 0FBE0430                movsx eax, byte ptr [eax+esi]
:0040AC88 8D0C89                  lea ecx, dword ptr [ecx+4*ecx]
:0040AC8B 8D0C4A                  lea ecx, dword ptr [edx+2*ecx]
:0040AC8E 8D1489                  lea edx, dword ptr [ecx+4*ecx]
:0040AC91 8D8C5030EBFFFF          lea ecx, dword ptr [eax+2*edx-000014D0]
:0040AC98 83F902                  cmp ecx, 00000002              ;Slightly diff "checksum"
:0040AC9B 754B                    jne 0040ACE8                   ;SAME JUMP Length
:0040AC9D 33C0                    xor eax, eax
:0040AC9F B90F000000              mov ecx, 0000000F

* Referenced by a Jump at Address:0040ACB2(C)
|
:0040ACA4 0FBE1431                movsx edx, byte ptr [ecx+esi]
:0040ACA8 0FAFD1                  imul edx, ecx
:0040ACAB 03C2                    add eax, edx
:0040ACAD 8BD1                    mov edx, ecx
:0040ACAF 49                      dec ecx
:0040ACB0 85D2                    test edx, edx
:0040ACB2 75F0                    jne 0040ACA4
:0040ACB4 8D4B0E                  lea ecx, dword ptr [ebx+0E]
:0040ACB7 83F90F                  cmp ecx, 0000000F
:0040ACBA 7C03                    jl 0040ACBF
:0040ACBC 83E90F                  sub ecx, 0000000F

* Referenced by a Jump at Address:0040ACBA(C)
|
:0040ACBF 0FBE1431                movsx edx, byte ptr [ecx+esi]
:0040ACC3 0FAFD1                  imul edx, ecx
:0040ACC6 2BC2                    sub eax, edx
:0040ACC8 49                      dec ecx
:0040ACC9 7903                    jns 0040ACCE
:0040ACCB 83C10F                  add ecx, 0000000F

* Referenced by a Jump at Address:0040ACC9(C)
|
:0040ACCE 8A1C31                  mov bl, byte ptr [ecx+esi]
:0040ACD1 0FBED3                  movsx edx, bl
:0040ACD4 0FAFCA                  imul ecx, edx
:0040ACD7 2BC1                    sub eax, ecx
:0040ACD9 B90A000000              mov ecx, 0000000A
:0040ACDE 99                      cdq
:0040ACDF F7F9                    idiv ecx
:0040ACE1 80C230                  add dl, 30
:0040ACE4 3AD3                    cmp dl, bl                    ;Good old 2nd check
:0040ACE6 7406                    je 0040ACEE                   ;SAME jump length AGAIN!

 
Horas v2.1...SAME STORY!

Ok ok...I think I've proved my point...I cannot be bored to find out more, but I reckon that if 4 of their softwares have the EXACT SAME protection, then ALL the OTHER software their (about 8 others) should HAVE EXACTLY the same protection!
 

 
Anyway I have drafted a general crack patch below which should be able to crack ALL the software on their site...have fun!



Plushmm [PC'97]


done := False;
location := $FF;        {Skip the initial codes}
Repeat
        if thefile(location) =  $75 and thefile(location+1) = $4B then
            if thefile(location+$4B) = $74 and thefile(location+4C) = $06 then
                    begin
                            Patch_File
                            done := True;
                    end;
        location := location+1;
Until done or limit_reached;

(c) Plushmm 1997. All rights reserved


You are deep inside reverser's page of reverse engineering, choose your way out:

homepage links red anonymity +ORC students' essays tools cocktails
antismut search_forms mailreverser
is reverse engineering legal?