There is a crack, a crack in everything. That's how the light gets in.
|
|
On successful installation the program creates a webdr.ini file with a number of entries in it, but the only one of any interest to us is:
[User]
UserName=Trial User
UserCompany=
RegNum=575360738917 ; This serial code is the 'Shareware 40 day reg number',
                    ; and will be different on your machine.
For all registration entries added to your System Registry file, load up RegEdit and search for "Blue Sky".
Your 45 Day trial 'counter' is hidden inside a file called wdebo.tdk, which is placed in your C:\Windows directory. This file is ALSO used to store your *legal* serial number and will look something like this:
910145337588
íh ìñh ïâù¿ò
[s÷¿ðh ¥íh º
íh 48537359 Föö0
x77xhsd wb %ld 0 902389439 ÷¿s÷¿
íh
The number 910145337588 was the 'Shareware Serial' number for my copy of Web Doctor. The number 48537359 is the *legal* registered serial number based on my shareware serial #. The 'other' non-ASCII letters represent the 'days remaining till expire' and my 'User details', all of which are encrypted.
OK, once you've installed Web Doctor, fire it up. You're greeted with a Shareware nag screen; you'll notice the 'familiar' blue bar at the bottom of the nag screen informing you of the number of days you have left to review this software.
From here just click on the 'Purchase' button and fill in your Name, Organisation and a fake Unlock code.
I used:
Unlock Code: 7777777
User Name: The Sandman
Organization: #
Before proceeding with the Registration process press 'Ctrl-D' to activate Softice, then type bpx messageboxa, then 'x' to leave Softice.
Now click once on the 'OK' button.
Softice breaks... Press 'F11' once and the following message now appears: "You have entered an incorrect code, please contact the vendor".
Click on the 'OK' button.
Softice breaks again; now we're in the TLock32.DLL code...
* Referenced by a (C)onditional Jump at Address: :1000224C(C)
:10002278 6800200000     push 00002000
:1000227D 68D0F90010     push 1000F9D0
:10002282 68F0E10010     push 1000E1F0             ;"You have entered an incorrect.."
:10002287 6A00           push 00000000
:10002289 FF159C130110   Call USER32.MessageBoxA
:1000228F 6A01           push 00000001             ;We land here.
:10002291 56             push esi
:10002292 FF15A0130110   Call USER32.EndDialog
:10002298 B801000000     mov eax, 00000001
:1000229D E9F0FCFFFF     jmp 10001F92
If you check your dead listing (I just scrolled up Softice's Assembly Window until I found a conditional jump statement that jumped to memory offset 10002278) you will see that there is just ONE conditional jump statement that calls this 'beggar off cracker' routine. So let's see what made the program come to our 'beggar off cracker' routine...
Type bc * to clear away any Softice breakpoints.
Then type bpx 1000223D, followed by 'x' to leave Softice.
Web Doctor now runs as normal. Now go back into the 'Registration Screen' and fill in the User details and the fake Unlock code again, then press the 'OK' button once more.
Softice breaks at...
* Referenced by a (C)onditional Jump at Address: :10002176(C)
:1000223D 8D442410       lea eax, dword ptr [esp+10]   ;Fake Serial
:10002241 50             push eax                      ;Save it
:10002242 E809F0FFFF     call 10001250                 ;Extend Trial period?
;
; Call 10001250 checks to see if BlueSky has given you a 'special'
; 8 digit serial number that will give you a further 45 days extended
; evaluation period!
; The program has an in-built six digit number [619459] that it uses to
; check if you used the 'special' serial number [19996489] that allows
; you a further 45 days to evaluate this software with.
;
; This call returns '0' in the EAX register if you don't have this 'special
; serial' key, else it returns with EAX = 1, meaning your evaluation period
; has been restored back to 45 days.
:10002247 83C404         add esp, 00000004
:1000224A 85C0           test eax, eax                 ;eax =0?
:1000224C 742A           je 10002278                   ;yes? then beggar off cracker
:1000224E C70598FA001001000000  mov dword ptr [1000FA98], 00000001 ;Flag it
:10002258 E883F9FFFF     call 10001BE0                 ;now 'reset' trial counter
:1000225D 6A01           push 00000001                 ;back to 45 days.
:1000225F E8ACF1FFFF     call 10001410
:10002264 83C404         add esp, 00000004
:10002267 6800200000     push 00002000
:1000226C 68D0F90010     push 1000F9D0
* StringData Ref from Data Obj ->"Your trial period has been restored."
:10002271 6830E20010     push 1000E230
:10002276 EB0F           jmp 10002287
If you trace through the above code UNTIL you land on the je 10002278 instruction then you'll come to understand the following:
All this routine does is to see if you've entered the 'special' extend-evaluation serial number; it doesn't check your fake serial number. What this means in plain English is this:
The program has already checked your fake serial number in a different routine to the one we're currently in and found it to be invalid; now it's checking to see if our fake serial number is the 'special' extend-evaluation-period serial key. If it's not the 'special' serial number then it sends the program to our 'Beggar off Cracker' routine and displays the message box that informs you that you've entered an incorrect code, bla bla...
So we must now find out where the above routine was called from. If you now examine your dead listing you'll see that it was called from just one place, at memory offset 10002176.
Let's now hop over there...
Type bd * to disable our previous Softice breakpoint.
Type bpx 1000216C, which will place a new Softice breakpoint 6 instructions above the actual conditional jump that we know will send the program to the routine that checks for the 'special' extended evaluation period when it finds our Unlock Code wrong.
Now type 'x' to leave Softice and re-run the 'Registration Screen' again; fill in your User details again as well as a fake Unlock code. When you've done that, press that 'OK' button again.
Softice now breaks at:
:1000216A 50             push eax                      ;Save your User Name
:1000216B 51             push ecx                      ;Save your Fake Serial #
:1000216C E8AFF1FFFF     call 10001320                 ;Check serials
                                                       ;Returns: eax=0 FAIL
                                                       ;     OR  eax=1 PASS
:10002171 83C408         add esp, 00000008
:10002174 85C0           test eax, eax                 ;eax=0?
:10002176 0F84C1000000   je 1000223D                   ;yes? then check if User
                                                       ;wants extended trial time
We're almost there...
It's obvious then that we could perhaps nop out that conditional je 1000223D instruction, in which case (if you examine your dead listing) the program will proceed to *register* itself regardless of what Unlock code we use. However, wouldn't it be better if we try and 'sniff' out the *real* unlock code ourselves? That way, if we come across another TimeLock program (highly likely), it will be safer to go for the serial number rather than patching, because the authors of TimeLock will one day catch on to their .DLL being patched and place extra safeguards against this sort of thing, so even if you nop out the conditional jump you may find other checks further down the code.
Right, once you land at the above code press 'F10' TWICE so that you're now resting on the call 10001320 instruction, where you must now type T, which tells Softice you wish to follow where this call goes to, rather than just skip over it.
If you've done this correctly Softice should take you to this rather interesting routine, which I've commented for you..:)
* Referenced by a CALL at Addresses :100010A9 , :1000216C
:10001320 83EC14         sub esp, 00000014
:10001323 8D442400       lea eax, dword ptr [esp]      ;eax = Temp Workspace
:10001327 50             push eax                      ;Save eax address
:10001328 E843070000     call 10001A70                 ;Generate *REAL* serial
                                                       ;At this point TYPE D EAX and you
                                                       ;will see your *REAL* serial No.
:1000132D 8D442404       lea eax, dword ptr [esp+04]   ;eax =*real* serial
:10001331 8B4C241C       mov ecx, dword ptr [esp+1C]   ;ecx =*fake* Serial
:10001335 83C404         add esp, 00000004
:10001338 50             push eax                      ;Save eax
:10001339 51             push ecx                      ;Save ecx
:1000133A FF158C120110   Call KERNEL32.lstrcmpA        ;Compare BOTH serials
                                                       ;Returns either:
                                                       ;eax =1 if check fail
                                                       ;eax =
:10001340 83F801         cmp eax, 00000001             ;eax=1? Set Z flag then
:10001343 1BC0           sbb eax, eax
:10001345 83C414         add esp, 00000014
:10001348 F7D8           neg eax
:1000134A C3             ret
Once you have the real Unlock code, re-run Web Doctor and use that serial code to register this babe.
Job Done.
This technique of sniffing out serials that are created in memory is commonly known as the 'memory echo' crack, so called because the program compares two memory locations directly against each other, and the use of the system function (KERNEL32) lstrcmpA (list string then Compare) is a classic giveaway to such techniques.
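As an added example (constructed for this page, not code from Web Doctor or TimeLock; the serial formula, seed and sample serial are invented), here is the weak pattern the listing above shows beside a form that never leaves the real serial in memory: the 'echo' check derives the expected code and string-compares it, while the hardened check stores and compares only a digest, in constant time.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy serial generator standing in for the vendor's routine (call 10001A70 in the
 * listing). Seed and formula are constructed for this example, not TimeLock's. */
static void derive_serial(const char *user, char out[9]) {
    uint32_t acc = 0x5EED;
    for (; *user; user++) acc = acc * 31u + (unsigned char)*user;
    snprintf(out, 9, "%08u", (unsigned)(acc % 100000000u));
}

/* "Memory echo" pattern: the real serial is materialised in a local buffer and
 * compared with a plain string compare, exactly what lstrcmpA does in the listing.
 * The expected value sits in readable process memory while the compare runs. */
int check_serial_echo(const char *user, const char *entered) {
    char expected[9];
    derive_serial(user, expected);
    return strcmp(expected, entered) == 0;
}

/* Stand-in one-way function (64-bit FNV-1a). A real product would use SHA-256;
 * FNV-1a is used only to keep this example dependency-free. */
static uint64_t fnv1a64(const char *s) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 0x100000001b3ULL; }
    return h;
}

/* Runs at the vendor when a key is issued; the shipped binary carries only the
 * digest, never the serial or the routine that produces it. */
uint64_t issue_digest(const char *serial) { return fnv1a64(serial); }

/* Constant-time digest compare: no early exit, so neither the value nor the
 * position of the first mismatch leaks through memory or timing. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Hardened check: hash what the user typed and compare digests. There is no
 * "real serial" in memory to echo. (An 8-digit code is still brute-forceable
 * offline, so this closes the echo only, not the short-keyspace problem.) */
int check_serial_hashed(uint64_t stored_digest, const char *entered) {
    uint64_t got = fnv1a64(entered);
    uint8_t a[8], b[8];
    memcpy(a, &got, sizeof a); memcpy(b, &stored_digest, sizeof b);
    return ct_equal(a, b, sizeof a);
}
```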
My thanks and gratitude go to:
Fravia+ for providing possibly the greatest source of Reverse Engineering knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Ripping off software through serials and cracks is for lamers..
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.