DLL-based schemes are *dead*
(A long overdue lesson for shareware programmers)

by +ReZiDeNt
(22 September 1997)

A contribution to the 'Stupid Protections' project
by +ReZiDeNt



Target: 6x86 Configuration Control 3.15, by Olivier Gilloire

6x86cfg.exe, 950,272 bytes, download from
http://www.chez.com/6x86config/ or any shareware site, such as
http://www.softseek.com

Tools: BRW 4.5
       SoftICE 3.1 (we don't really even need this at all!)
       W32Dasm 8.9





This program is designed to tweak Cyrix 6x86 and 6x86MX CPUs to
improve CPU performance. Since I have a 6x86 P166+ CPU I thought I'd
give it a try, perhaps see whether it can speed things up under the
dreaded Windoze 95.



This program is also a classic case of 'bloatware' - nearly a
megabyte of data (12 precious and expensive minutes of downloading
time if you have a 14.4 modem as I do!) just to tweak a few settings.
What makes this huge size even more ludicrous is the fact that there
is a command line program by another author that does much the same
thing, except it is only a few kilobytes! So much for Micro$haft's
'the road ahead'...



Back to the crack...when you run the program it places itself in the
system tray and in the startup folder - upon starting Windoze the CPU
settings are altered and you see a nasty splash screen telling you how
many days you have left in your evaluation period. Hmm...take a look at
it with BRW and we can see that there is *another* splash screen, one
for the registered users only, without any nag on it. However, within
the program itself there is no option to register, so we will have to
make a physical patch for this somehow. Now is the time to make a dead
listing of the program, see what we can find...look at the imported
functions and lo and behold, what do we see:

SoftVer.?GetSoftVersion@@YAHXZ
SoftVer.?GetUsedDays@@YAHXZ

These are MSVC-mangled C++ exports of SoftVer.dll. Decoded, they are
simply int __cdecl GetSoftVersion(void) and int __cdecl
GetUsedDays(void): two functions taking no arguments and returning an
int. The names alone tell you what the protection checks and where.



This is really far too easy...how on earth did the author hope to
protect his program with this *pathetic* scheme, no doubt bought
over-the-counter from some stupid and greedy protectionists who
assured him that forking over $199 would save him from the evil
+crackers ;-) So Olivier Gilloire, wherever you are, you might want
to get your money back...these DLL-based schemes are *dead*,
especially when you give the whole game away by naming everything so
nicely for us :-) The weakness is structural, not just cosmetic: once
the registered/unregistered decision is made inside a separate DLL and
handed back as a return value, the decision point is visible in the
import table, and the caller has to consume it with a conditional jump
that can be patched (or the DLL can simply be replaced by a stub that
returns whatever the caller wants to hear).



So let's search for the above string,
'SoftVer.?GetSoftVersion@@YAHXZ'. You'll see that we find just one
relevant occurrence:

* Reference To: SoftVer.?GetSoftVersion@@YAHXZ, Ord:0000h
                                  |
:0040314E E867330000    Call 004064BA ; registered version?
:00403153 A804          test al, 04
:00403155 743B          je 00403192 ; jump if good guy!
:00403157 53            push ebx    ; else beggar off
:00403158 8D8D60FFFFFF  lea ecx, dword ptr [ebp+FFFFFF60]
:0040315E E8882D0000    call 00405EEB
:00403163 8D8D60FFFFFF  lea ecx, dword ptr [ebp+FFFFFF60]
:00403169 C645FC01      mov [ebp-04], 01
:0040316D E889A80100    call 0041D9FB
:00403172 395DC4        cmp dword ptr [ebp-3C], ebx

Only three of these lines matter. The call at 0040314E goes through
the import thunk for GetSoftVersion, which returns its int in eax.
'test al, 04' ANDs the low byte with 4 and sets ZF when bit 2 is
clear; 'je' then takes the jump to 00403192 only if ZF is set. So bit
2 clear is the registered case, and everything from 00403157 onward
is the evaluation-only path.



Take a look at the above lines in SoftICE if you really want to,
you'll see that all we need to do to crack this program is to replace
the following instruction:

:00403155 743B                    je 00403192  ; jump if good guy!

with:

:00403155 EB3B                    jmp 00403192 ; jump always!

Only the opcode changes (74 -> EB); the rel8 displacement 3B stays, so
the target is still 00403192 and the instruction keeps its two-byte
length. To make the change permanent, open the installed 6x86cfg.exe
(430,592 bytes, not the 950,272-byte download) in a hex editor, go to
offset 0x2555, check that the bytes there are 74 3B, and *overwrite*
the 0x74 with 0xEB. Overwrite, never insert: inserting a byte shifts
everything after it and wrecks the executable. If the bytes at 0x2555
are not 74 3B you have a different build and the offset will differ.
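The one-byte patch above as a script, added here as an editor's example and not part of +ReZiDeNt's essay. Rather than trusting the hard-coded offset, it walks the PE section table to map the VA 00403155 to a file offset, confirms the original bytes 74 3B are there, and only then overwrites the opcode. The sample PE it builds is constructed for the example (a one-section stand-in for 6x86cfg.exe laid out so that the VA maps to 0x2555, as the page reports); the 0x400000 image base and the script name patch6x86.py are assumptions, not anything from the original.

```python
import struct
import sys

IMAGE_BASE = 0x400000   # assumption: default Win32 image base, matching the 0040xxxx addresses in the listing
PATCH_VA = 0x403155     # the 'je 00403192' from the dead listing
ORIGINAL = b"\x74\x3b"  # je rel8 (+0x3B)
PATCHED = b"\xeb\x3b"   # jmp rel8 (+0x3B): same target, same length


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Map a virtual address to a file offset by parsing the PE32 headers
    instead of trusting a number copied from a tutorial."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    rva = va - image_base
    sect = opt + size_opt
    for i in range(num_sections):
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData follow the 8-byte name
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, sect + i * 40 + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            if rva - vaddr >= rawsize:
                raise ValueError(f"VA {va:#x} has no backing bytes in the file")
            return rawptr + (rva - vaddr)
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def short_jump_target(va: int, insn: bytes) -> int:
    """Target of a two-byte short jcc/jmp (opcode + signed rel8) located at va."""
    rel = struct.unpack("<b", insn[1:2])[0]
    return va + 2 + rel


def patch_je_to_jmp(pe: bytes, va: int = PATCH_VA) -> tuple[bytes, int]:
    """Turn the je at va into an unconditional jmp, refusing to touch anything
    that does not look exactly like the expected instruction (wrong build, already patched)."""
    off = va_to_file_offset(pe, va)
    found = pe[off:off + 2]
    if found != ORIGINAL:
        raise ValueError(f"expected {ORIGINAL.hex()} at {off:#x}, found {found.hex()}; different build?")
    out = bytearray(pe)
    out[off] = PATCHED[0]  # overwrite the opcode byte only; never insert
    return bytes(out), off


def build_sample_pe() -> bytes:
    """Constructed stand-in for 6x86cfg.exe (not the real file): one .text section
    at RVA 0x1000 / raw offset 0x400, which puts VA 0x403155 at file offset 0x2555."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 28, IMAGE_BASE)      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x3000, 0x1000, 0x3000, 0x400, 0, 0, 0, 0, 0x60000020)
    image = bytearray(bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + text)
    image += bytes(0x3400 - len(image))
    image[0x2555:0x2557] = ORIGINAL  # plant the 'je 00403192' where the page says it lives
    return bytes(image)


if __name__ == "__main__":
    # Usage: python patch6x86.py 6x86cfg.exe   (writes 6x86cfg.exe.patched)
    # With no argument the constructed sample image is patched instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    patched, off = patch_je_to_jmp(data)
    target = short_jump_target(PATCH_VA, patched[off:off + 2])
    print(f"VA {PATCH_VA:#x} -> file offset {off:#x}; je replaced by jmp {target:#x}")
    if len(sys.argv) > 1:
        open(sys.argv[1] + ".patched", "wb").write(patched)
```

The script never writes over the original file and refuses to run twice on the same image, which is the check a hex-editor session skips. Because the displacement byte is left alone, the computed target after patching is still 00403192, which is an easy way to confirm you patched the right two bytes.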



Just one byte to defeat a stupid protection scheme that probably
describes itself as 'uncrackable' :-) It goes to prove that +ORC was
of course right, we can never underestimate the stupidity of
protectionists.



Good Hunting,
+ReZiDeNt, September 1997
(c) +ReZiDeNt 1997. All rights reversed