Dec 1999

How to Reverse Crypkey Protection Scheme
Win '95 PROGRAM
Win Code Reversing

by YuGung

Code Reversing For Beginners

Program Details
Program Name: ******
Program Type: Professional Decision Making Tool
Program Location: ********
Program Size: > 28 mb

Tools Used:
IDA - Disassembler

Rating
Easy (X) Medium ( ) Hard ( ) Pro ( )

There is a crack, a crack in everything. That's how the light gets in.
How to Reverse Crypkey Protection Scheme
Hi guys, this time I want to write about a commercial protection scheme
that someone has already reversed and written a tutorial about (please read the
good Marigold essay on Fravia - marycri1.htm). Why? First because when
I tried to use the Marigold lesson I found that with my target it was useless,
then because the Marigold essay incredibly stops at the first stage of reversing
the protection dll. So I decided to continue Marigold's work by completing the
reverse of this protection scheme. The target that uses CrypKey is a big
(> 28 mb) tech program for "Decision Making" coded in VB4 16 bit that I
found in a hidden directory of the software house's web site. This
program itself is not important for this essay because I worked on (and
patched) directly the heart of the protection code, Lcrypkyd.dll, so anyone
can use this essay to reverse any other program protected with this method.
About this protection system

First the program was packed with PackageForTheWeb™ v1.32 and password-protected,
but in just 2 minutes using the right tools anyone can
read the password used. Then comes the real CrypKey protection.
From the Marigold essay:
"We believe that CrypKey is the best copy protection system available, with
an approximate 2 year technological lead on the nearest competition.
With our strong growth, world-wide acceptance and continual enhancements,
we believe that CrypKey will help keep YOU at the forefront of technology
if you choose to join our list of satisfied customers, who include Motorola,
Panasonic, SEGA, IBM, Sybase, and Hewlett Packard to name a few."
What flagrant boasting! What ignorance! Hope the crack I made
will let some light into their heads (and into the heads of their satisfied
customers... no wonder Motorola is there: sunset boulevard!).....
Under Windows 95, when your license has expired, the program scans
all directories on disk C: and writes in some of them, at random, 4-byte-long
strangely named files with content "00 00 00 7C" (in my case). At every
start, the program scans directories in search of these files and, if
at least one is found, displays a message about license expiration and quits.
Removing these files (I found about a dozen) improves the matter, but not
decisively. Now the program tells you that it can't access id information on your
HD, which obviously means that there is another mark somewhere.

With my target these little 4-byte files are written at random
on my hd immediately when I start the 30-day limited version, and this
makes me furious: I don't like programs that write useless files randomly
on my hd!
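Before touching the dll it is worth knowing where those marker files actually landed. The scanner below is an added example (not code from the essay or from CrypKey): it walks a directory tree and reports every file that is exactly 4 bytes long, flagging the ones whose content is the "00 00 00 7C" value quoted from Marigold. Since that value was "in my case" and may differ on another installation, the scanner reports the other 4-byte files too instead of guessing. The directory tree it scans is constructed inside the script (the paths and contents are made up for the demo); point find_marker_files at C:\ or a drive root to use it for real. It only reports, it does not delete, because as Marigold notes removing the files alone does not fix the problem.

```python
import os
import tempfile

# Marker content reported in the Marigold essay ("00 00 00 7C"). The value is
# installation-specific, so it is only used to flag hits, not to filter them.
KNOWN_MARKER = b"\x00\x00\x00\x7c"


def find_marker_files(root, expected=KNOWN_MARKER):
    """Walk `root` and return sorted (relative_path, content, matches_known)
    tuples for every file that is exactly 4 bytes long. Unreadable files are
    skipped so one locked file does not abort a whole-drive scan."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                if os.path.getsize(full) != 4:
                    continue
                with open(full, "rb") as fh:
                    content = fh.read(4)
            except OSError:
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hits.append((rel, content, content == expected))
    return sorted(hits)


def build_demo_tree(base):
    """Constructed sample tree (not a real CrypKey install): two marker files
    with odd names, one unrelated 4-byte file, and some ordinary files."""
    layout = {
        "temp/~a1f3.tmp": KNOWN_MARKER,                 # marker
        "progra~1/tool/x7kq2.dat": KNOWN_MARKER,        # marker
        "progra~1/tool/readme.txt": b"hello",           # ordinary 5-byte file
        "windows/zz0.bin": b"\x01\x02\x03\x04",         # 4 bytes, other content
        "windows/system/lcrypkyd.dll": b"MZ" + b"\x00" * 100,
    }
    for rel, data in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the sample tree in a temporary directory, scan it, return hits."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        return find_marker_files(base)


if __name__ == "__main__":
    for rel, content, known in run_demo():
        flag = "KNOWN MARKER" if known else "4-byte file, other content"
        print(f"{rel:32} {content.hex(' ')}  {flag}")
```

Running it on the constructed tree lists the two marker files and the unrelated 4-byte file, so the output for a real drive needs a second look before anything is deleted.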
First I disassembled the target just to find that it is coded in Visual
Basic 4 16 bit; this means that the beautiful reversing work of Marigold
is completely useless for me because I can't do "Cracking in the best traditions
of virginity restoration". Also no SmartCheck and no disassembling.
This time the main protection scheme (that reads and validates the different
key files) is coded in Lcrypkyd.dll in the \windows\system dir: about 80 kb,
4-5 minutes of work for IDA.

After disassembling I first tried the Marigold approach, which patches
cryp9516.dll (a different version of the same protection) to restore
the 30 days when the licence is expired, but this method leaves the nag screen
at the beginning and still permits writing many (more than 20) little files around.
Looking at the IDA output I found that Marigold patched a section of the code
named READYTOTRYDAYS - very easy to understand! But in the names section
of IDA I found a more interesting GET_AUTHORIZATION section:
0682                   public GET_AUTHORIZATION
0682                   GET_AUTHORIZATION proc far          ; CODE XREF: SAVE_SITE_KEY+3AFP
0682 8C D8             mov     ax, ds                      ; LCRYPKYD_5
0684 90                nop
0685 45                inc     bp
0686 55                push    bp
0687 8B EC             mov     bp, sp
0689 1E                push    ds
068A 8E D8             mov     ds, ax
068C 81 EC 28 03       sub     sp, 328h
0690 C7 46 FA 67 01    mov     [bp+var_6], offset aXxxxxx
0695 8C 5E FC          mov     [bp+var_4], ds
0698 9A 22 9D 00 00    call    sub_0_9D22                  ****** THIS CHECKS THE AUTHORIZATION
069D 89 86 E0 FD       mov     [bp+var_220], ax            ****** THIS STORES THE RESULT IN MEMORY
06A1 0B C0             or      ax, ax
06A3 75 03             jnz     loc_0_6A8                   ****** HERE IS THE GOOD/BAD GUY JUMP
06A5 E9 F7 04          jmp     loc_0_B9F
It is very easy to patch this code using the same Marigold method:

069D 89 86 E0 FD       mov     [bp+var_220], ax            ****** patch to xor ax,ax
06A1 0B C0             or      ax, ax                      ****** patch to mov [bp+var_220], ax
06A3 75 03             jnz     loc_0_6A8                   ****** patch to or ax,ax
06A5 E9 F7 04          jmp     loc_0_B9F

The three replacement instructions (xor ax,ax = 2 bytes, mov [bp+var_220],ax = 4 bytes,
or ax,ax = 2 bytes) take exactly the 8 bytes of the original mov + or + jnz, so nothing
after them moves and no other offset in the dll has to change. The conditional jnz is
gone: the stored result is always 0 and execution falls straight into jmp loc_0_B9F
every time. After this you get a Lcrypkyd.dll ready to run all the programs you want!
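The listing gives segment offsets (069D), not file offsets, so the safe way to apply the patch to the dll on disk is to search for the original byte sequence and refuse to continue unless it occurs exactly once. The script below is an added example, not the essay's own tool: the original bytes are copied from the listing above, the replacement bytes are the standard 16-bit encodings of the three instructions the essay names (33 C0 for xor ax,ax; the essay itself does not list the patched bytes, so that encoding is my assumption), and the trailing jmp loc_0_B9F is included in the search pattern to make the match unique but is left untouched. The "DLL" it patches in demo mode is a constructed buffer, not the real Lcrypkyd.dll; given a path on the command line it writes a .bak copy first and then patches the file in place.

```python
import sys

# Bytes copied from the essay's IDA listing of GET_AUTHORIZATION (069D..06A7):
#   069D 89 86 E0 FD   mov  [bp+var_220], ax
#   06A1 0B C0         or   ax, ax
#   06A3 75 03         jnz  loc_0_6A8
#   06A5 E9 F7 04      jmp  loc_0_B9F
# The jmp is part of the search pattern only; it is not modified.
ORIGINAL = bytes.fromhex("89 86 E0 FD 0B C0 75 03 E9 F7 04")

# The essay's replacement for the first 8 bytes (16-bit encodings; 33 C0 for
# xor ax,ax is assumed, the essay names the instruction but not the bytes):
#   33 C0          xor  ax, ax
#   89 86 E0 FD    mov  [bp+var_220], ax
#   0B C0          or   ax, ax
# 2 + 4 + 2 == 8 == 4 + 2 + 2, so nothing after the sequence shifts.
REPLACEMENT = bytes.fromhex("33 C0 89 86 E0 FD 0B C0")
# What the site looks like after patching: new 8 bytes + untouched jmp.
PATCHED = REPLACEMENT + ORIGINAL[len(REPLACEMENT):]

assert len(REPLACEMENT) == 8


def find_all(data, needle):
    """Return every offset at which `needle` occurs in `data`."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def is_patched(data):
    """True if the patched sequence is already present."""
    return bool(find_all(data, PATCHED))


def apply_patch(data):
    """Return a patched copy of `data`. The original sequence must occur
    exactly once: zero hits means this is not the expected dll version,
    more than one means the pattern is not unique and we will not guess."""
    if is_patched(data):
        raise ValueError("already patched")
    hits = find_all(data, ORIGINAL)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one match, found {len(hits)}")
    off = hits[0]
    out = bytearray(data)
    out[off:off + len(REPLACEMENT)] = REPLACEMENT
    return bytes(out)


def build_demo_dll():
    """Constructed stand-in for Lcrypkyd.dll (not the real file): a fake
    header, filler that cannot collide with the pattern, the
    GET_AUTHORIZATION bytes, more filler."""
    filler = bytes(range(0x10, 0x70)) * 4
    return b"MZ" + filler + ORIGINAL + filler


def patch_file(path):
    """Patch `path` in place after saving an untouched copy as path + '.bak'.
    Returns the file offset that was patched."""
    with open(path, "rb") as fh:
        data = fh.read()
    patched = apply_patch(data)
    with open(path + ".bak", "wb") as fh:
        fh.write(data)
    with open(path, "wb") as fh:
        fh.write(patched)
    return find_all(patched, PATCHED)[0]


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(f"patched at file offset 0x{patch_file(sys.argv[1]):X}")
    else:
        demo = build_demo_dll()
        off = find_all(demo, ORIGINAL)[0]
        print(f"demo: original at 0x{off:X}, patched ok: {is_patched(apply_patch(demo))}")
```

Usage: python patch_lcrypkyd.py C:\windows\system\Lcrypkyd.dll. If the script reports zero or several matches, stop and look at the dll in IDA again rather than forcing the patch; a different CrypKey dll version will have the same shape of code but not necessarily the same bytes.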
After reading all the essays on CrypKey, I think that even if your target uses
a different CrypKey dll or a different method of protection (counting runs
instead of days), just looking with some attention at the dll can help you
find the right place to patch, because all the sections inside
the dll seem to use the same scheme: move two vars into memory + call the
routine + move the result to memory + check the result.... Absolutely boring
!!!!
My thanks and gratitude go to:
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.

Ripping off software through serials and cracks is for lamers..
If you're looking for cracks or serial numbers from these pages then you're
wasting your time, try searching elsewhere on the Web under Warez, Cracks etc.

Essay by: YuGung
Page Created: 08 December 1999