I patched SNWin at 004720c2, changing 740F to E900 (jmp 004720c4), and it works the same as using RegisteredVersion (1) in the registry. What's peculiar is why the program checks the time left (or whatever it is) and tests it when the next step is a mandatory jump, no matter what the test result is.
And the program does not seem to use UserName/UserOrganization/RegistrationNumber?
:004720BB E840DBFFFF    call 0046FC00                  <-- Check reg
:004720C0 84C0          test al, al
:004720C2 740F          je 004720D3                    <-- Jmp to nag screen if reg bad
:004720C4 8B45F0        mov eax, dword ptr [ebp-10]
:004720C7 E830DDFFFF    call 0046FDFC                  <-- time left ck?
:004720CC 84C0          test al, al                    <-- test it
:004720CE E91D030000    jmp 004723F0                   <-- mandatory jmp
The Sandman - System Notebook - Your Views - Thu Oct 29 13:58:46 1998
Greetings Crackers,
I think that *most* of us are now at the stage of examining this program that we can now give our views and opinions regarding this program..
What do YOU think about this program's protection system?.
Is it easy for newbies to crack? Does it teach us anything we didn't already know before we started examining this program?. Does the protection system behave as you would expect or does it do anything that you think seems irrelevant?.
By all means add your own views, the questions above are just possible examples you could use.
I'm interested in hearing what you think since this is the first time anything like this has been tried and will help me greatly to know you better..:)
Kind regards
The Sandman
Jeff - Hi I'm back! No salmon for the wicked! - Fri Oct 30 23:56:48 1998
Protection:
In my 6 week newbie status, I feel this protection was more than adequate. It was impossible without the guidance of this group for me; with each posting it gave me more ideas on what to do and where to go, and although I think my thought processes must have had me in far left field, miles from where I should have been, the trip was fun and informative anyway.
I learned to open and look at (not use really; how do I filter?) RegMon and noticed things there that were helpful to follow others' posts. Methinks the future will include opening this tool again.
I finally figured out how to bpx getlocaltime; which was certainly much easier once I remembered to first shut down my ISP connection! ...Have you ever noticed how much code is in Explorer??
Watch eax;
enable "wf"<<<---what is this anyhow...I found the Configflag
number in this window... ST0 bla bla...
Long story short; More exciting than any crack to me was I saw that
people from all lands and languages, from all varying degree of program
debug knowledge can come together and
work on one project, together, in co-operation, and sharing...and be
excited in the process!
Every post added spice and diverse direction. And what seems so COOL is that most of us are saying...HEY! THIS THING AIN'T DONE!!! (Is it?) Let's DO IT!
Jeff
DawnRun - SN-conclusion or doubts? - Fri Oct 30 05:43:42 1998
Hi Sandman and everybody,
"What do YOU think about this program's protection system?. Is it easy for newbies to crack? Does it teach us anything we didn't already know before we started examining this program?. Does the protection system behave as you would expect or does it do anything that you think seems irrelevant?."
Yes indeed, nice lil exercise I really (still) enjoy. At first it seemed easy - if one does not forget to use REGMON as I was in the habit :). No nag, unlimited use, what more to ask for?
There are however a few questions I'm still asking myself. Why, for ex. can't we find the caption "Registered" or "Registered to:" somewhere? The HELP/ABOUT screen still invites to registration. Just a programming glitch? There's also one feature the author talks of:
"In the registered version of System Notebook, the list of named backups also contains all of the changes made to the Registry by System Notebook. You can select one of these items and press the Restore button to undo any registry-based edit made with System Notebook."
This function can be accessed in FILE/OPTIONS/BACKUP/UNDO. Unregistered the box:"Create backup files for Registry-based operations" can't be enabled. "Registered", the box is checked but can't be disabled. Irrelevant or just another glitch or is there more to "really register" the program?
Anyway I'm still enjoying prowling through the code. For once I haven't fully understood how the ConfigFlags number that's used for the 30 days countdown is calculated. Well, take the system date and then what?
If s.o. could answer these questions, I'd be ready for the next challenge :)
Read you later
DawnRun
Abott - Re: SN-conclusion or doubts? - Fri Oct 30 15:38:19 1998
btw DawnRun u can enable that greyed out box in backup/undo with the customizer.... just a thought =)
work well
Abott
the snake - Re: System Notebook - Your Views - Fri Oct 30 01:34:18 1998
Hello to all
At the beginning I found 3 of the 4 answers, then I learned to use things I didn't know (regmon etc.). It made my mind think in other ways than I did till now!! I still feel that I have a lot to learn, and I have a feeling that some of the people involved are 1-2 levels above me, or they are not newbies..
Sandman, keep this forum up !! It gives me (and the others) good challenges !! Please, what is IMHO ???
the snake
D0gBytes - IMHO Snake - Fri Oct 30 02:09:18 1998
Hello Snake,
IMHO is initials for "In My Humble Opinion"
You will be a great cracker, IMHO.
Regards,
Bytes
LatexX - Views... - Thu Oct 29 21:05:37 1998
Hi there!
First of all: I think that what you did with this little proggy is EXCELLENT. Why? It helped a LOT of people and OF COURSE it taught lots of things to newbies.
I find it to be a weak protection :) but whether it's a difficult one or an easy one, I think that the main point is this thing you did in itself. Selecting a target, and then asking a couple of questions to be answered, related to the reverse engineering/cracking of the target, was a neat idea. Maybe you made a lot of people do things that by their own means they would never have done.
Thanks to the other people's comments and posts we have all learned; this 'board thingy' is, IMHO, the BEST 'live cracking/re' tutorial that ANY newbie can have. I'm happy with this, and I'm desperate for another 'target'.
Bye now :)
LatexX
the snake - REGISTRY BACKUP TOOL - Wed Oct 28 12:45:06 1998
Hello to all
Some of you know this one, for those who don't: sometimes when us crackers make changes to our registry file, we can get our system to *crash*. Or .... if we want to erase the last install information we need to get to the state before it, hmmmmmmm. (Think about a 30 days shareware proggy.. uninstall, restore reg file, set date forward 1 year and re-install, back to today's date and check what happened now.. see a prev post by me.) This tool backs up your registry file and keeps up to 9 backups.
It's recommended to do it once a day - just double click. The name is cfgback; I don't know the url, but if anyone wants it, let me know, I'll post it by e-mail (72k). Take care (of your reg file :) )
the snake
Latigo - urls for cfgback - Thu Oct 29 12:42:42 1998
hi there, here are some addresses for that little proggy :
1 ftp.ipm1.sci-nnov.ru/pub/archive/WINDOWS/95SETUP/OTHER/MISC/CFGBACK
2 ftp.ipm1.sci-nnov.ru/pub/archive/WINDOWS/95SETUP/OTHER/MISC/CFGBACK/CFGBACK.EXE
3 ftp.ipm1.sci-nnov.ru/pub/archive/WINDOWS/95SETUP/OTHER/MISC/CFGBACK/CFGBACK.HLP
4 ftp.hkstar.com/.2/simtelnet/win95/util/cfgback.zip
Laters
Latigo
Greetings Crackers,
For some, System Notebook is perhaps the first program you have ever explored in any depth and yet, we are still not finished, there are still one or two areas to explore before we know enough about this program to go in for the kill..
I think it's safe to say that if we had simply jumped into the program's code looking for the 'crack' we would have learned very little about the protection systems used and as for increasing our knowledge, well, that just would not have happened..
Interestingly, but not surprisingly, many of you can already 'feel'
the 'ZEN' crack from your knowledge gained from examining this program,
that is good, for it's this feeling that will help you to tackle even harder
protection systems that you may not have already come across.. It's these
skills no tutorial or essay can teach or pass onto you, but here you
are, much wiser and no longer the same 'newbie' you were, before you joined
in this project.
For those still feeling that they are behind 'everyone' else in this project, let me assure you that this is only a temporary stage you're going through. Just remember, there will ALWAYS be someone much better than you when it comes to cracking; you must find your niche in this community and develop this rather than try and encompass the whole spectrum of cracking..
Now for the next and final stage of this project...
We have tackled the time checking protection system used within System Notebook and found that it relies heavily on the System Registry, using it to store our 30 day evaluation period in a somewhat 'hidden' manner, which REGMON was able to identify with ease for us. A number of you have also worked out that this time checking protection system can also be 'disabled' by patching the program's code in one of many places.
Let us now focus our attention to the 'Nag Screen' which has haunted us throughout this project and which we know is tied into the time checking protection system.
Question 8. Explain how you would completely disable the Nag Screen used within System Notebook so that if you were running this program the Nag Screen never shows.
Question 9. Considering what we already know about how this program uses the System registry, what method do you think the Software Authors use to make System Notebook a fully registered program?. Would they email perhaps a .REG file that once the User double-clicks on it, the information contained within this file is automatically inserted into the User's System Registry file. Or, would they send a .KEY file of some sort, that, when System Notebook checks for the presence of this file it will read it and again, transfer the data contained within it into the User's System Registry file?. Or is there another way the program does this?.
Question 10. What do you consider is the most efficient way to crack this program?. Patching the program's code or via its use of the System Registry file?.
Well that about wraps this babe up. Should you still have any further questions regarding this program then by all means post to this forum, I'm sure someone will have the answers you seek..:)
Special thanks goes to everyone who has taken the time to follow this project from start to end, I hope that everyone has learned at least some of the basics to cracking and that you will continue to share your knowledge with those less knowledgeable than yourselves..
The 'next' project will begin when everyone has completed this current exercise.
Kind Regards
The Sandman
Jeff - Conclusions - Sat Oct 31 15:11:29 1998
Hi Sandman!
Question 8. Explain how you would completely disable the Nag Screen used within System Notebook so that if you were running this program the Nag Screen never shows.
I think the simplest solution, possibly the very quickest way if your input worked, would be to type into the registry the value found in RegMon:
RegisteredVersion=
and by playing with the values arriving at the number (1) that disables the Nagscreen.
Question 9. Considering what we already know about how this program uses the System registry, what method do you think the Software Authors use to make System Notebook a fully registered program?. Would they email perhaps a .REG file that once the User double-clicks on it, the information contained within this file is automatically inserted into the User's System Registry file. Or, would they send a .KEY file of some sort, that, when System Notebook checks for the presence of this file it will read it and again, transfer the data contained within it into the User's System Registry file?. Or is there another way the program does this?.
I have searched high and low for some indication in RegMon and in FileMon (neither of which I am well versed in) to determine a hidden file; my limited experience has recognized nothing.
Without a hidden file I assume there is nothing to COMPARE too... but there simply must be some (something) to recognize whatever there is that the author would send...
I have tried without success to create a .key, .lic, .cfg file; I even created a .reg file (I have no experience with this so I may well have done these all wrong) and I installed each, after filling it in with notepad and renaming the file, into the directory holding Swin, expecting to get an "error message" if indeed it was recognizing and kicking out my attempt ... nothing...
Although Dogbytes may well be correct I wanted to explore it to see if I could give him a Jeff smile... I believe that the author is going to send some type of file; what its extension will be...I don't know...I do believe the contents may very well include a registration number as RegMon indicates...1) to disable the 30 day flag & 2) to change the appearance of the "about" box with your user name...
Question 10. What do you consider is the most efficient way to crack this program?. Patching the program's code or via its use of the System Registry file?.
For me entering info and playing with values in the Registry was much easier, faster, and more understandable than searching asm...
This exercise was terrific and I can not wait for the conclusionary findings on this one!
Also am starting to crave the next one!
Thanks everyone for participation! Was this great or what?
Thanks Sandman!
Jeff
Jeff - Question First? - Sat Oct 31 00:45:52 1998
Hi Sandman; Everyone!
I did not want to post a thread above yours so put it here instead...
I have a question before completing my answers to the above... Suspiciously, in Regmon there were 4 files that the results category stated were "not found":
RegisterVersion
Username
UserOrganization
RegistrationNumber
Has anyone opened FileMon? And then opened SystemnoteBook?
I just found "4" files "not found", all stating an enu.dll file...not found...and it stated "Getattributes"...(?) Can someone explain what significance this is please, if any...is this the missing file? If so can it be created falsely by us?
Sorry if I'm off track; I don't know how to use FileMon yet.
Thanks
Jeff
The Sandman - REGMON & FILEMON - Sat Oct 31 04:40:59 1998
Greetings Jeff,
REGMON & FILEMON
-------------
When using either REGMON or FILEMON it's always best to use the 'Filter' option on the program you wish to examine. This will cut out any and all other processes running in Windoz, allowing just the data from your program to come into either of these two utilities..
Here's how to use the 'Filter' option..
Run Regmon or Filemon. Next, run the target program and under the heading of 'Process' make a note of what the target program's 'Process' name is.. System Notebook uses 'SNWIN'. Once you have the process name of your target program close both your target program AND either REGMON or FILEMON, whichever you happen to be using. Now we can begin properly.
Now run FILEMON or REGMON and select the menu option 'EVENTS' then choose 'FILTER' and in the 'Process' box type in lower case 'snwin'. By default, this box contains an '*', meaning monitor all running processes in Windoz. Once you've typed in your program's process name click on the 'Apply' button.
Now start up the program you wish to monitor, which in this case would be System Notebook. This applies to both programs (Regmon & Filemon).
While using REGMON, if it comes across any references to actual files like .DLL, .INI files etc then it will ALWAYS mark them as 'NOT FOUND' because it does not recognize or handle file accesses. That's why we must also use FILEMON on our target programs in order to check and verify what files the program tries to read or write to.
The file accesses you noticed in Filemon:
snwin.ENG
snwin.ENG.DLL
snwin.EN
snwin.EN.DLL
are IMHO nothing to worry about. The program is looking for these files (using a combination of naming conventions) in its own directory and maybe they are to do with the way this program was originally created. I suspect they might have been present during the development of System Notebook and from the naming convention used they look like they might be connected with English Language support files.
Hope this helps..
The Sandman
Smasher - Can I post something that is not an answer to a question in this forum? - Sat Oct 31 1998
Hi Sandman!
Firstly, sorry that I'm not one of the *most* who explored SNwin and who answered your questions. (I know that this is bad only for me.) I have a question: can I post something that is not an answer to a question in this forum?
For example following:
Hi everyone!
I just want to tell you that if we set a breakpoint at 004270EB and after that manually change flag Z two times (to Z=1), then the Help menu item "Examine this item" will be enabled (not grey). For what? I have not discovered that yet; I posted this as fast as I discovered this potentially interesting (but maybe not quite interesting) thing.
Best regards.
Smasher.
_L - Re: Can I post something that is not an answer to a question in this forum - Sun Nov 1 11:33:43 1998
Hi,
The Help "Explain this item" menu can be ungrayed and be replaced if you click on one of the icons inside each category. Also the "Create Backup files for Registry-based operations" option in Files\Options\Backup/undo can be ungrayed by changing the Enabled=09 property using a hex editor (since we know this was created using Delphi).
_L
The Sandman - Nice job Smasher..:) - Sat Oct 31 13:32:18 1998
Greetings Smasher,
Hey no problem, I think you are doing a great job with this cracking project, it can't be easy trying to use English and learn English while still trying to crack.
Your 'discovery' warrants further examination and is exactly the kind of thing I'm looking for from everyone. Being able to narrow the code down to individual routines that perform such tasks as handling disabled/enabled buttons is what this forum is all about..:)
Kind Regards
The Sandman
Smasher - Re: Thanks - Sat Oct 31 15:35:45 1998
Hi Sandman!
Thanks for the answer. I want to say that my problem isn't only English, but I had a terrible week (in real life), therefore very little time. F.e. after I had 'discovered' enable_function, I had no free time at all, therefore my problem is that when I have found something, it will be raw for me a long time, as I have no free time.....Hmm...I'm entangling myself :) Sorry.
Enough :)
But tomorrow (on Sunday) I hope to dedicate some hours to this program :) I have hope that I will understand the main program's logic in the "registering" area.
Best regards to everybody.
Smasher.
The Sandman - System Notebook - Extra Info - Mon Nov 2 14:22:47 1998
Greetings Crackers,
Having now read all the postings on this forum some of you are still a little unsure about how this program is registered and what 'effect' this may have on it..
All indications show that the Software Authors send a .REG file to the registered User via an email; the name of this file will possibly be snwin.reg or key.reg.
It seems that System Notebook does not display the User's details such as name, company etc in the About Screen, don't forget that this program is still at version one.
Since the .REG file inserts the User's details into the Registry file I suspect that in later versions this information will be displayed in the About screen.
Anyone who has used REGMON will note that the program also checks for a serial number, but as we know, it does not matter what is used for a serial number, the program pays no attention to it, other than see if one exists in the Registry File.
The one item of information the program DOES check for in the System registry file is called RegisteredVersion which is a DOUBLE-WORD value.
If absent from the System Registry then the program will assume that it is still 'Unregistered' and use the default value of '0'. However, if this entry is found and given the value of '1' then the program becomes FULLY registered, irrespective of whether the User's details are present.
The actual .REG file is a simple ASCII file, such as those created with Notepad but saved with the extension of .REG instead of .TXT
I'm almost 100% certain that this listing, taken from a .REG file I created myself, is what the developers of System Notebook send to its registered Users; just substitute my info for the Registered User's details.
REGEDIT4
[HKEY_CURRENT_USER\Software\System Notebook]
[HKEY_CURRENT_USER\Software\System Notebook\1.0.0.4]
"BackupPath"="C:\\PROGRAM FILES\\SNWIN\\"
"DoBackups"=dword:00000000
"StartupLogoBackupPath"="C:\\PROGRAM FILES\\SNWIN\\"
"ExitOption"=dword:00000001
"ViewStyle"=dword:00000003
"RestartWithWindows"=dword:00000000
"RegisteredVersion"=dword:00000001
"UserName"="The Sandman"
"UserOrganization"="None"
"RegistrationNumber"="12349876"
Kind regards
The Sandman
Abott - Re: System Notebook - Extra Info - Mon Nov 2 16:27:58 1998
i want to thank u sandman for this exercise....
this is a wonderful thing u are doing ... im so happy that some crackers aren't too "busy" to help those with less knowledge. i've learned many things from yours and others' postings like how to use softice, filemon and regmon. im looking forward to your next challenge.. and hopefully this time i can keep up with the others ;)
D0gBytes - A most enjoyable project. Thanks Sandman - Mon Nov 2 16:05:00 1998
I want to thank you Sandman for this exercise. I would also like to thank those who took part in the project. With the help of The Sandman and my fellow students, I have learned a few things about the registry that I did not know.
I looked at the default file association for .REG files and see that it is opened with "RegEdit." Once it is opened, Regedit can make the necessary entries into the registry.
Key files, on the other hand, seem to not have a default file association, which would mean that the program itself would have to find it to read it. Since we saw nothing in Filemon to give us an indication that the program was looking for another file to read, we could eliminate a key, dll or some other kind of file used to register it.
I also learned some things for using Regmon and Filemon. Filtering and just what to look for were two obstacles that we tackled. Clearing that up has been a big help to me.
Over all, it was a fun project for me.
Regards,
Bytes
LenraV - A little Belated: Most intriguing: Questions 5-7 - Mon Nov 2 22:07:55 1998
Greetings Sandman and fellow crackers,
These are my answers:
Question 5. Where in the computer's memory is the 'Days remaining' value
stored?. List all locations where this program either 'reads' or 'writes'
to this 'Days remaining' memory
location.
Example of a numeric value being 'read'.
Mov EAX,[XXXXXXXX]    ;Register EAX is being given the value 'stored' at address XXXXXXXX
Example of a 'write' being performed.
Mov [XXXXXXXX],1E     ;1E = 30 Decimal, is being stored at memory address XXXXXXXX
Answers: There are lots of memory locations where it stores the remaining days; this is only one of those locations.
:0046F98C E83379F9FF    call 004072C4
:0046F991 8945F8        mov dword ptr [ebp-08], eax    ; hex value in eax is the days left
:0046F994 33C0          xor eax, eax
It is being written at address [ebp-8] = 70fc78.
Question 6. Where does this program keep the 'number of days you have to evaluate this software'?. If you uninstall this program and then re-install it again in the hope of somehow 'fooling' the program into giving you another 30 'free' days and then try and run the program, then the program will STILL know how many days left you have, or, if you've used all your 30 days then it will refuse to work there-after. How does it do this?
Answer: The number of days is computed from the value found in HKCU\CONFIG\OOOO\SYSTEM\IXOYE\CONFIGFLAGS
The year is first ANDed with a constant, which is 0x80000003; this is how it detects if the year is a leap year.
This is how the value can be computed.
Add the number of days from the month of January up to the present date; let's call it _DaysTotal.
Subtract 1 from the year; let's call this value A.
Divide A by 400; let's call this value B (take only the integer part, discard the fractional part).
Divide A by 4; let's call this value C (discard the fractional part).
Divide A by 100; let's call this value D (discard the fractional part).
Multiply A by 365 (days in a year, I guessed); let's call this value E.
Now,
Initial Value = (B + C - D + E + _DaysTotal) - 693594
Expiration value = Initial + 30 days
Number of days remaining = Expiration Value - Initial Value
Oh yeah, there is a table of the number of days in each month located at 4740e0 and 4740e0 for leap year.
Question 7. Once you have been able to find the answers to the above,
explain in detail, how someone *could* disable this 30 day counter. You
MUST however, allow the nag screen to
operate as normal, that is based on a different protection system so
we will leave this alone for now. Remember, I'm looking for ways to disable
the 30 day counter ONLY.
Answer:
:0046F9B1 8B45F8        mov eax, dword ptr [ebp-08]    <----- Patch this
:0046F9B4 8BE5          mov esp, ebp
:0046F9B6 5D            pop ebp
:0046F9B7 C3            ret
Replace with:
:0046f9b1 6a1e          push 1e
:0046f9b3 58            pop eax
this should always give you a 30 day trial
(infinity)
Question 8. Explain how you would completely disable the Nag Screen used within System Notebook so that if you were running this program the Nag Screen never shows.
Answer: Well i guess the easiest way is by filling in the RegisteredVersion key in the system registry.
Question 9. Considering what we already know about how this program uses the System registry, what method do you think the Software Authors use to make System Notebook a fully registered program?. Would they email perhaps a .REG file that once the User double-clicks on it, the information contained within this file is automatically inserted into the User's System Registry file. Or, would they send a .KEY file of some sort, that, when System Notebook checks for the presence of this file it will read it and again, transfer the data contained within it into the User's System Registry file?. Or is there another way the program does this?.
Answer: perhaps the author will send a reg file with all of the user information.
Question 10. What do you consider is the most efficient way to crack this program?. Patching the program's code or via its use of the System Registry file?.
Answer: since we all know that by filling in registeredversion key will make the program a registered version. This must be the most efficient way.
Thanks a lot sandman and to all of you.
Regards,
Lenrav
LenraV - Corrections...my mistakes. - Tue Nov 3 04:13:04 1998
Hi,
my typo error, anyway the table for leap is at address :4740e0 and :4740c8 for an ordinary year.
the value stored at system registry is the expiration value.
Expiration value = initial value + 30
kind regards,
LenraV
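LenraV's Question 6 formula (with the correction above that the stored ConfigFlags value is the expiration, i.e. initial + 30) carried through as an added worked example; this is not code from the thread or from System Notebook. The arithmetic, including the 693594 offset, is the Delphi TDateTime day count (days since 30 Dec 1899, which matches _L's remark that the program is a Delphi build), so the example also cross-checks the formula against Python's own calendar. The month tables and the function names are assumptions reconstructed for the example.

```python
from datetime import date

# Delphi's date offset: the day number of 30 Dec 1899 when 1 Jan 0001 is day 1.
DATE_DELTA = 693594

# Cumulative days before each month, ordinary and leap year (the two month
# tables LenraV found in the binary, reconstructed here as an assumption).
_DAYS_BEFORE = [0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334]
_DAYS_BEFORE_LEAP = [0, 31, 60, 91, 121, 152, 182, 213, 244, 274, 305, 335]


def is_leap(year):
    # The AND with 0x80000003 seen in the disassembly is the compiler's way of
    # testing "year mod 4 == 0" on a signed 32-bit value; the Gregorian rule
    # also needs the 100/400 exceptions, which Delphi's IsLeapYear applies.
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def days_total(year, month, day):
    """LenraV's _DaysTotal: days from 1 January up to and including the date."""
    table = _DAYS_BEFORE_LEAP if is_leap(year) else _DAYS_BEFORE
    return table[month - 1] + day


def date_serial(year, month, day):
    """LenraV's 'Initial Value', step by step with his names A..E."""
    a = year - 1
    b = a // 400        # integer part only
    c = a // 4
    d = a // 100
    e = a * 365
    return b + c - d + e + days_total(year, month, day) - DATE_DELTA


def expiration_value(install, trial_days=30):
    """The value stored in ConfigFlags per the correction post: initial + 30."""
    return date_serial(*install) + trial_days


def days_remaining(expiration, today):
    """What the countdown shows: stored expiration minus today's serial."""
    return expiration - date_serial(*today)


def matches_python_calendar(year, month, day):
    """Cross-check: the formula must equal days since 30 Dec 1899."""
    return date_serial(year, month, day) == (date(year, month, day) - date(1899, 12, 30)).days


if __name__ == '__main__':
    install = (1998, 10, 29)                   # constructed sample install date
    exp = expiration_value(install)
    print(date_serial(*install), exp)          # 36097 36127
    print(days_remaining(exp, (1998, 11, 3)))  # 25
```

Because the stored number is a plain day serial, a 30 day trial is just "today + 30" written once; that is why re-installing does not reset the count (the value survives in the registry) and why moving the clock forward a year before the install, as the snake describes, bakes a far-future expiration into the key.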