DEBUGGING WINPGP 5.0

by swann

Those of you who have already worked on previous versions of WinPGP (cf. +ORC's lesson 8.1) 
will notice that the protection scheme has changed significantly in this 32-bit / windows95 
version.
  
In version 4.1, it was enough to simply reverse a jump to disable the protection routine. 
In version 5.0, there is also a "grande finale" jump that will give you the "congrats" 
message when it's reversed, but doing so will also cause the program to crash. 
This means we actually have to figure out the protection itself. This protection is not 
terribly difficult to crack, yet it is somewhat interesting because it uses the co-processor 
for some of its algebraic manipulations of the input strings. This is still a bit uncommon 
today but we can expect more of these x87 instructions in future protection schemes, as with 
the pentium processor becoming more and more wide-spread, the programmer can simply assume 
that a co-processor is "inside".
And the unregistered version sure is nagging, forcing you to exit and reload the program 
after every four pgp operations.  So if you want to really test this program before deciding 
whether you'll keep using it, some debugging is required.

What we will be doing here is still not "higher cracking." This crack will only lead us a bit 
deeper into the "fiddling with input strings," the basics of which +ORC has described so well. 
I do hope that the reader of this "walk-thru" has spent a few thoughts on +ORC's lessons 8.2 
and 9.1, i.e.: has a minimum degree of familiarity with Softice for Windows and assembler.  

The first thing we notice when we get to the registration window is that it consists of four 
different entry fields, one for the user name and three for the "Registration Key Info." 
Smells like a lot of breakpoints on memory range. The only thing important when you make your 
first entries in these boxes is using a string you can easily recognize when you see its hex 
representation. And, of course, we want to be able to identify which entry field is being dealt 
with, and therefore use a different string for each one. So, in this case, we don't take the 
default string "9999" for both the first and the third section. Let's say we'll use "bcbcbcbc" 
for the name, and "3333" for section1, "12121212" for section2, and "1111" for section3. 
(The program itself, in winpgp_5.ini, calls these sections "Santamaria," "Nina," and "Pinta" 
respectively, but I don't think we have to go that far :-)

The starting procedure is standard, as explained several times by +ORC.  
This time GETDLGITEMTEXTA does the trick. You BPX on it, then search the memory for all 
four strings, and BPR on every one of them. Fortunately, initially there is only one 
occurrence of each string somewhere in the 30:80000000s.

By the way, for debugging Windows95 applications it is sometimes a good idea to modify the 
watchwindows somewhat. (Y'all did install the watchd's in your winice.dat, as the boss 
recommended, didn't you?)  Instead of es:di and ds:si, you might want to use es:edi and 
ds:esi.  Softice for Windows95 V.3 brought several of new features, such as mouse support 
and a new window for the stack of the co-processor. But the watchwindows suffered a bit, 
they don't display the memory locations anymore by default, which had been a nice convenience 
for keeping an eye on those string copy instructions, of which you'll see several in this 
cracking session. 

Now as usually we just relax as we follow the program copying our strings around, always 
BPR'ing on the new locations, then letting the program run until we hit the next breakpoint.

The next major event starts at cs:41c86e, a transformation of your input strings, starting 
with section2. The result goes into EAX. (Do a "? EAX" once all your digits have been 
processed, and you'll see something familiar: it's the value of your input string, only in 
a hex notation that is not so easily recognizable).  
The result then goes into [ebp-010c] and into [ecx+08c].  
A similar procedure is applied to the other sections of the password and to the name. 
In the case of our example, "3333" becomes "0D05", "12121212" becomes "B8F47C", and 
"1111" is being transformed into "0457". The name "bcbcbcbc" gets stored as "0314" 
(the sum of the hex values of the letters). Each of these 4 transformed strings is 
being copied to several different memory locations, so we've gathered quite a few 
breakpoints in the mean time.
  
So far this has all been routine stuff, more or less the same in most protections.  
But now the interesting part begins. If you've been a good boy / girl so far and have 
set all the breakpoints correctly, you'll pop out at cs:411312, yet another procedure!
  of copying the transformed section1 to yet another memory location. And right after 
that, at cs:41131f you encounter that bizarre instruction "FILD QWORD PTR [EBP-10]."   
What the heck is that, you ask. Well, sure enough, it's the first co-processor 
instruction in the protection scheme. They're bound to stay with us, so you might want 
to give that 8087-section of your assembler book a second look sometime soon (They 
often aren't very good either, so get one that works for you).


DEAD END STREET

But first, of course, we'll try to get around it.  
It won't work in this case, but we should always try whether there isn't a way to 
beat protection without bothering with its details.  And, hey, maybe YOU will find a way 
out of that dead end that I didn't see.  Give it a shot. 

Ok, so we're in sync now, right, at instruction cs:41131f? 
Take a look at the following sequence of instructions in the code window. From here 
down to cs: 41139d, that's the core part of the protection. If you're going to master 
this, nothing's gonna stop you. And sure enough, it ends with a comparison followed 
by a conditional jump at cs:41137e. They do somehow look different, don't they, those 
crucial jumps. You just know from the indexical context that this one is not like every 
other jump. This is the "finale grande" jump.  And so we can't just accept it 
"positivisticly". 
A cracker should seldom be a positivist. 
To the cracker, the conditional jump is rather like the western concept of woman. 
Always puzzling. Think about it, and note that I said "concept of...." 

Just take a look at this section as a whole now, we'll get into the details later. 

014F:0041130F  8B45F8            MOV     EAX,[EBP-08]
014F:00411312  8B4014            MOV     EAX,[EAX+14];load sector1
014F:00411315  8945F0            MOV     [EBP-10],EAX; hide sector1
014F:00411318  C745F400000000    MOV     DWORD PTR [EBP-0C],00000000
014F:0041131F  DF6DF0            FILD    QWORD PTR [EBP-10]; load sector1 in ST0
014F:00411322  83EC08            SUB     ESP,08
014F:00411325  DD1C24            FSTP    REAL8 PTR [ESP]; move sector1
014F:00411328  8B45F8            MOV     EAX,[EBP-08]
014F:0041132B  8B4018            MOV     EAX,[EAX+18]
014F:0041132E  8945E8            MOV     [EBP-18],EAX
014F:00411331  C745EC00000000    MOV     DWORD PTR [EBP-14],00000000
014F:00411338  DF6DE8            FILD    QWORD PTR [EBP-18];load sector2 in ST0
014F:0041133B  83EC08            SUB     ESP,08
014F:0041133E  DD1C24            FSTP    REAL8 PTR [ESP];move sector2
014F:00411341  E87AC30000        CALL    0041D6C0; make+get magic1
014F:00411346  83C410            ADD     ESP,10
014F:00411349  8B45F8            MOV     EAX,[EBP-08]
014F:0041134C  8B401C            MOV     EAX,[EAX+1C] ;load sector3 
014F:0041134F  8B4DF8            MOV     ECX,[EBP-08]
014F:00411352  2B4120            SUB     EAX,[ECX+20]; [sum from name]
014F:00411355  8B4DF8            MOV     ECX,[EBP-08]
014F:00411358  8B4914            MOV     ECX,[ECX+14]; load sector1
014F:0041135B  81E988130000 SUB  ECX,00001388 
014F:00411361  2BC1              SUB     EAX,ECX; make magic2
014F:00411363  8945E0            MOV     [EBP-20],EAX; hide magic2
014F:00411366  C745E400000000    MOV     DWORD PTR [EBP-1C],00000000
014F:0041136D  DF6DE0            FILD    QWORD PTR [EBP-20]; load magic2
014F:00411370  DEE1              FSUBRP  ST(1),ST; sub magic2, magic1
014F:00411372  E81DC30000        CALL    0041D694; get [magic2-magic1] into EAX
014F:00411377  8945FC            MOV     [EBP-04],EAX; move result of call
014F:0041137A  837DFC00          CMP     DWORD PTR [EBP-04],00 ;"grande finale" 
014F:0041137E  0F840F000000      JZ      00411393;  magic jump
014F:00411384  B840000000        MOV     EAX,00000040
014F:00411389  E90C000000        JMP     0041139A
014F:0041138E  E907000000        JMP     0041139A
014F:00411393  33C0              XOR     EAX,EAX
014F:00411395  E900000000        JMP     0041139A
014F:0041139A  5F                POP     EDI
014F:0041139B  5E                POP     ESI
014F:0041139C  5B                POP     EBX
014F:0041139D  C9                LEAVE

So, maybe we could ignore all that co-processor nonsense and just make sure 
we take the right branch at that jump? The point seems to be that if we come 
out of the CALL at cs:411372 with EAX=00, then we'll leave protection with 
EAX=00, otherwise we'll leave with EAX=40.  You guess what would be the 
right value.  I agree, let's try it with 00. So we reverse that switch at 
cs:41137e, make it "JNZ 00411393" (plus two couples of INCs and DECs: 
INC AX; DEC AX; INC AX; DEC AX) . And it works!  It gives you the "congrats, 
registration was successful" screen. Aren't you cool? And isn't it funny, 
by the way, how they always "congratulate" you for registering successfully, 
as if this were some major achievement unless you've cracked the thing? 
It's as if the program were saying "all this time I've been waiting for 
you to crack me."  

Unfortunately, though, if you make this modification, the program will 
crash during its normal execution.  That's what they do these days, they 
integrate those jumps into the normal flow of the program, where it will 
be necessary to take the other branch of that jump.  Play around with it, 
though .  Move the value 00 directly to [ebp-04], or step into the call 
at cs:411372 and try to manipulate the location [ebp-0c] that feeds EAX. 
I couldn't find that shortcut but maybe you can.

THE HIGHWAY TO THIS CRACK

So we'll have to make it a clean crack. Takes a little longer, but the 
reward for tackling this protection scheme head-on is that we'll get those 
real legit registration numbers for whatever stupid user name we can think 
of. 
Post it to alt.cracks with your handle as user name, that's better than 
posting "me too" messages. There are less annoying ways of saying one is 
tupid.

You're back at cs:41131f.  And you've switched the co-processor window 
on (in Softice for Windows95 V.3 with "wf"). Then you're ready to rumble.  
We have all the elements we need (our transformed input strings), and now 
the task is to figure out the right relation among those elements. 

The hard core of the protection consists of two parts. The first part is 
located at cs:41d6df.  You get there by tracing into the call at cs:411341, 
and from there into the call at cs:422436, which then at cs:4226E1 gives 
you a lift to [EBX]. What you see then should look somewhat like this:

014F:0041D6D6  833DEC63480001     CMP     DWORD PTR [004863EC],01
014F:0041D6DD  7404               JZ      0041D6E3
014F:0041D6DF  D9F8               FPREM;         <-- HERE
014F:0041D6E1  EB05               JMP     0041D6E8
014F:0041D6E3  E8E45A0000         CALL    004231CC
014F:0041D6E8  9B                 WAIT
014F:0041D6E9  DFE0               FSTSW   AX
014F:0041D6EB  9B                 WAIT
014F:0041D6EC  9E                 SAHF
014F:0041D6ED  7AE7               JP      0041D6D6
014F:0041D6EF  DDD9               FSTP    ST(1)
 
By the time you're at cs:41d6df, ST0 holds your section2, and  
ST1 holds your section1. Now what that instruction FPREM does is divide 
ST0 by ST1 and keep the rest (NOT the result).  
So in our case ST0 holds 12121212, ST1 holds 3333, and after FPREM, we 
continue with 2424 in ST0.
This result of the FPREM of section2 and section1 is PART ONE OF OUR 
MAGIC EQUATION (magic1). 

The second part we get as the result of a series of procedures that 
starts at cs:41134C (back in the main protection part of the code 
"segment)..class" tppabs="http://fravia.org/segment)..class"

014F:00411346  83C410             ADD     ESP,10
014F:00411349  8B45F8             MOV     EAX,[EBP-08]
014F:0041134C  8B401C             MOV     EAX,[EAX+1C]; sequence3
014F:0041134F  8B4DF8             MOV     ECX,[EBP-08]
014F:00411352  2B4120             SUB     EAX,[ECX+20]; transformed name
014F:00411355  8B4DF8             MOV     ECX,[EBP-08]
014F:00411358  8B4914             MOV     ECX,[ECX+14]; sequence1 
014F:0041135B  81E988130000       SUB     ECX,00001388
014F:00411361  2BC1               SUB     EAX,ECX
014F:00411363  8945E0             MOV     [EBP-20],EAX; hide away magic2

So PART TWO OF OUR MAGIC EQUATION is the result of a 3-step-procedure:
(a) SUB sequence3, transformed name      (cs:411352)
(b) SUB sequence1, const1388             (cs:41135B) 
(c) SUB [result of (a)], [result of (b)] (cs:411361)

In our example, this is:
(a) 0457  -  0314  = 0143
(b) 0D05 - 1388   = FFFFF97D
(c) 0143  - FFFFF97D = 07C6

And 07C6  transformed into decimal is 1990. Which is exactly what 
we get when this magic2 is being loaded into the co-processor through 
FILD.
 
014F:0041136D DF6DE0          FILD    QWORD PTR [EBP-20];  load magic2
014F:00411370  DEE1           FSUBRP  ST(1),ST;   SUB magic2, magic1
014F:00411372  E81DC30000     CALL    0041D694

So we have both parts of the magic equation in the co-processor here. 
The point of an equation, of course, is that both sides are equal.

And if they are, you've made it.

If magic1 and magic2 are equal, then after instruction cs:411370  
we have  ST0 = 0.

In our case, however, they are not equal. 
1990 - 2424 =  -434.    This is what ST0 holds for us. 

And obviously, this tells us what magic1 should have been: precisely 
434 less than it was. What can we do about this? Well, we just have to 
decrease the remainder of our FPREM by 434, and we can simply do this 
by subtracting 434 from our section2. 

12121212 - 434 = 12120778.  Now just enter this new section2, 
ceteris paribus:

name:         bcbcbcbc
serial:       3333 12120778 1111

You sure made it. Now of course you don't want to register as bcbcbcbc, 
being an elite hacker and all.  Here's our hand-made little _registration 
key generator_:  You set a BPX on cs:411372. When you hit the breakpoint, 
it will be right after the subtraction of the two magics, and the remainder 
in ST0 tells you by how much (and in which direction) you have to modify sector2.  
(Note that there are certain limits to the variability, e.g. you have more 
leeway if your sector1 is higher).  Wanna be j. alfred prufrock? Then sector2 
should 12121212-1360 = 12119852.  You're getting the idea. 

We're finished now. Just for the record you can trace into the call at 
cs:411372 and see how the difference of magic1 and magic2 is being fed to 
EAX, the value of which then determines the direction of the magic jump 
we've looked at before (cs:41137e).

(c) swann 1997 & reverser's page of reverse engineering 1997