Cronos
Task 5 try
Sat Jan 2 13:11:41 1999


My solution to task 5, although I have just one patch, not two?

Solution to Task 5
==================

I was convinced that Cover Your Tracks was in some way generating the strings for msffs.dll and win64os.cpl in a similar way to the serial strings. I therefore decided to go back to the string scan which I had initially done. There were still the strange 'cythid.reg' and 'system.cyt' strings which I had not checked out yet. I scanned for these in the executable file. What I now found was another string table, similar in structure to the one the serial numbers are formed from. I went through this and found a number of strings in it, some much longer, like directories, etc. Most of this would be of obvious use, but there were some strings which I couldn't explain initially, until I noticed which strings appeared strange. We have the following in the table I was looking at:

1000:004442cc 776900 ds "wi"
1000:004442e4 6e3600 ds "n6"
1000:004442fc 346f00 ds "4o"
1000:00444348 732e00 ds "s."
1000:004443b0 6d7300 ds "ms"
1000:00444288 666600 ds "ff"

and in a table just a bit further on we have these, once again:

1000:00444f08 776900 ds "wi"
1000:00444f20 6e3600 ds "n6"
1000:00444f38 346f00 ds "4o"
1000:00444f84 732e00 ds "s."
1000:00444fec 6d7300 ds "ms"
1000:00444ec4 666600 ds "ff"

So, I started with the first set and traced the references to these. These references didn't appear to be that interesting and looked to be mostly reading keys, etc. So I had a look at the second string table and traced the next set of references. I found code like:

1000:00444a5f b830a84400 mov eax, offset 44a830h
1000:00444a64 baec4f4400 mov edx, offset s_ms
1000:00444a69 e85eeefbff call strcpy

Further down we find references to 44a830h, along with the rest of the string making up msffs.dll, as we would expect. We see one call involving file accesses, followed by a conditional jump. There are then further references to these strings, a few more calls and one more conditional jump. Looking at the addresses of the targets of these jumps, it is only the second jump which changes anything significant, and straight after its target address there is a reference to a 'Registered' string:

1000:00444bad ba30504400 mov edx, offset s_Registered

I therefore decided to check the effect of changing this second jump:

1000:00444b7c 741b jz 444b99h

from jz to jmp (74->eb), having already unregistered the program.
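The quoted line "1000:00444b7c 741b jz 444b99h" can be checked by hand: a 2-byte short jump encodes an 8-bit displacement relative to the address of the following instruction, so 444b7ch + 2 + 1bh = 444b99h, and only the first byte decides whether the jump is conditional. The following Python is an added example, not part of Cronos's write-up or of the CYT program; it parses a listing line in the format shown above (the regex is my assumption about that layout), decodes the jump, tabulates where execution continues for the jz, jmp and jnz variants of the first byte, and hashes the code bytes to show how a self-integrity check or a file-hash baseline would flag a one-byte change like this one.

```python
import hashlib
import re

# Opcodes of the 2-byte (rel8) jumps discussed in the write-up. These are real
# x86 encodings; the table is deliberately limited to the three that matter here.
SHORT_JUMPS = {0x74: "jz", 0x75: "jnz", 0xEB: "jmp"}

# Assumed listing layout, e.g. "1000:00444b7c 741b jz 444b99h":
# segment:offset, the instruction bytes in hex, then the disassembly text.
LISTING_RE = re.compile(r"^\s*[0-9a-f]{4}:([0-9a-f]{8})\s+([0-9a-f]+)\s+(.*)$", re.I)


def parse_listing_line(line):
    """Return (offset, raw instruction bytes) from one listing line."""
    m = LISTING_RE.match(line)
    if not m:
        raise ValueError("unrecognised listing line: %r" % line)
    return int(m.group(1), 16), bytes.fromhex(m.group(2))


def decode_short_jump(addr, code):
    """Decode a rel8 jump at `addr`. The displacement is sign-extended and is
    relative to the address of the *next* instruction (addr + 2)."""
    if len(code) < 2 or code[0] not in SHORT_JUMPS:
        raise ValueError("not a recognised short jump")
    disp = code[1] - 0x100 if code[1] & 0x80 else code[1]
    return {"mnemonic": SHORT_JUMPS[code[0]],
            "target": addr + 2 + disp,
            "fallthrough": addr + 2}


def next_ip(addr, code, zf):
    """Address executed after the jump, given the state of the zero flag."""
    d = decode_short_jump(addr, code)
    taken = {"jz": zf, "jnz": not zf, "jmp": True}[d["mnemonic"]]
    return d["target"] if taken else d["fallthrough"]


def behaviour_table(addr, code):
    """For each opcode variant of the first byte, give (next ip when ZF=1,
    next ip when ZF=0). The displacement byte is kept as in the listing."""
    out = {}
    for opcode, name in SHORT_JUMPS.items():
        variant = bytes([opcode]) + code[1:2]
        out[name] = (next_ip(addr, variant, True), next_ip(addr, variant, False))
    return out


def code_digest(code_bytes):
    """SHA-256 of a code region. Any single-byte change alters it, which is
    what a self-integrity check or a stored file hash compares against."""
    return hashlib.sha256(code_bytes).hexdigest()


if __name__ == "__main__":
    line = "1000:00444b7c 741b jz 444b99h"   # the line quoted in the write-up
    addr, code = parse_listing_line(line)
    print(decode_short_jump(addr, code))
    for name, (zf1, zf0) in behaviour_table(addr, code).items():
        print("%-3s ZF=1 -> %08x  ZF=0 -> %08x" % (name, zf1, zf0))
    patched = bytes([0xEB]) + code[1:]   # constructed: first byte 74 -> eb
    print("digest changed:", code_digest(code) != code_digest(patched))
```

Running it shows the three rows the write-up describes in prose: with jz the result depends on the flag, with jmp both flag states land at 444b99h, and with jnz the taken and not-taken cases are swapped, which is why that variant brings the tamper message back when the program is registered. The digest comparison is the defender's side of the same fact: a one-byte change to a code region is trivially detectable if the region is hashed.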

The result is that CYT runs, and does not mention registration at all. The advanced options appear to work. Next I registered CYT, deleted the two files, and reran the patched copy again. The program still worked as before, and neither of the files had returned. Note that if the patch had been from jz to jnz, with the program registered and the files deleted, then the 'you have tried to crack this program' message is back, because the jump is not taken.

I think that I must be patching in a different place to Princess, since this is not quite the patch being asked for.

Cronos.