DLL-based schemes are *dead*
A contribution to the 'Stupid Protections' project by +ReZiDeNt

Target: 6x86 Configuration Control 3.15, by Olivier Gilloire
        6x86cfg.exe, 950,272 bytes, download from http://www.chez.com/6x86config/
        or any shareware site, such as http://www.softseek.com

Tools:  BRW 4.5
        SoftICE 3.1 (we don't really even need this at all!)
        W32Dasm 8.9

This program is designed to tweak Cyrix 6x86 and 6x86MX CPUs to improve CPU performance. Since I have a 6x86 P166+ CPU I thought I'd give it a try, perhaps see whether it can speed things up under the dreaded Windoze 95. This program is also a classic case of 'bloatware': nearly a megabyte of data (12 precious and expensive minutes of downloading time if you have a 14.4 modem as I do!) just to tweak a few settings. What makes this huge size even more ludicrous is the fact that there is a command line program by another author that does much the same thing, except it is only a few kilobytes! So much for Micro$haft's 'the road ahead'...

Back to the crack... When you run the program it places itself in the system tray and in the startup folder. Upon starting Windoze the CPU settings are altered and you see a nasty splash screen telling you how many days you have left in your evaluation period. Hmm... take a look at it with BRW and we can see that there is *another* splash screen, one for the registered users only, without any nag on it. However, within the program itself there is no option to register, so we will have to make a physical patch for this somehow.
Now is the time to make a dead listing of the program and see what we can find... Look at the imported functions and lo and behold, what do we see:

        SoftVer.?GetSoftVersion@@YAHXZ
        SoftVer.?GetUsedDays@@YAHXZ

This is really far too easy... How on earth did the author hope to protect his program with this *pathetic* scheme, no doubt bought over-the-counter from some stupid and greedy protectionists who assured him that forking over $199 would save him from the evil +crackers ;-) So Olivier Gilloire, wherever you are, you might want to get your money back... These DLL-based schemes are *dead*, especially when you give the whole game away by naming everything so nicely for us :-)

So let's search for the above string, 'SoftVer.?GetSoftVersion@@YAHXZ'. You'll see that we find just one relevant occurrence:

        * Reference To: SoftVer.?GetSoftVersion@@YAHXZ, Ord:0000h
        |
        :0040314E E867330000      Call 004064BA                 ; registered version?
        :00403153 A804            test al, 04
        :00403155 743B            je 00403192                   ; jump if good guy!
        :00403157 53              push ebx                      ; else beggar off
        :00403158 8D8D60FFFFFF    lea ecx, dword ptr [ebp+FFFFFF60]
        :0040315E E8882D0000      call 00405EEB
        :00403163 8D8D60FFFFFF    lea ecx, dword ptr [ebp+FFFFFF60]
        :00403169 C645FC01        mov [ebp-04], 01
        :0040316D E889A80100      call 0041D9FB
        :00403172 395DC4          cmp dword ptr [ebp-3C], ebx

Take a look at the above lines in SoftICE if you really want to; you'll see that all we need to do to crack this program is to replace the following instruction:

        :00403155 743B            je 00403192                   ; jump if good guy!

with:

        :00403155 EB3B            jmp 00403192                  ; jump always!

In 6x86cfg.exe (430,592 bytes) at offset 0x2555 insert 0xEB to make the change permanent! Just one byte to defeat a stupid protection scheme that probably describes itself as 'uncrackable' :-) It goes to prove that +ORC was of course right: we can never underestimate the stupidity of protectionists.

Good Hunting,
+ReZiDeNt, September 1997
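Why does a single byte suffice, and how does the file offset 0x2555 relate to the address 00403155 in the listing? The short decoder below is an added example written for this page, not code from the essay or from 6x86cfg.exe. It decodes the two-byte x86 short-jump encodings quoted above (JE rel8 is opcode 74, JMP rel8 is opcode EB, both followed by the same signed 8-bit displacement measured from the end of the instruction), so the displacement byte 3B is untouched and only the opcode changes. The address-to-offset mapping assumes a typical PE layout (ImageBase 0x400000, first section at RVA 0x1000 with raw data at file offset 0x400); those three values are assumptions chosen because they reproduce the essay's own pair of numbers, the essay itself does not state them.

```python
# Added example: decode the short jumps from the essay's listing and show
# the PE address-to-file-offset arithmetic behind "offset 0x2555".

JE_SHORT = 0x74   # Jcc rel8 (jump if ZF = 1), 2 bytes
JMP_SHORT = 0xEB  # JMP rel8 (unconditional), 2 bytes


def decode_short_jump(code: bytes, address: int):
    """Decode a 2-byte short jump located at `address`.

    Returns (mnemonic, target). The rel8 displacement is signed and is
    added to the address of the *next* instruction (address + 2).
    """
    if len(code) < 2:
        raise ValueError("a short jump needs two bytes")
    opcode, rel8 = code[0], code[1]
    disp = rel8 - 0x100 if rel8 & 0x80 else rel8      # sign-extend rel8
    target = (address + 2 + disp) & 0xFFFFFFFF
    if opcode == JE_SHORT:
        return ("je", target)
    if opcode == JMP_SHORT:
        return ("jmp", target)
    raise ValueError(f"opcode {opcode:#04x} is not a JE/JMP short jump")


def changed_bytes(before: bytes, after: bytes):
    """List (index, old, new) for every byte that differs between two buffers."""
    if len(before) != len(after):
        raise ValueError("buffers must be the same length")
    return [(i, a, b) for i, (a, b) in enumerate(zip(before, after)) if a != b]


def va_to_file_offset(va: int, image_base: int = 0x400000,
                      section_rva: int = 0x1000, section_raw: int = 0x400) -> int:
    """Map a virtual address to a file offset for one PE section.

    ASSUMED layout (not stated in the essay): ImageBase 0x400000, code
    section at RVA 0x1000 whose raw data starts at file offset 0x400.
    offset = (va - image_base) - section_rva + section_raw
    """
    rva = va - image_base
    if rva < section_rva:
        raise ValueError("address lies before the assumed code section")
    return rva - section_rva + section_raw


if __name__ == "__main__":
    # Bytes quoted in the listing at :00403155, before and after the patch.
    original = bytes([0x74, 0x3B])
    patched = bytes([0xEB, 0x3B])
    print(decode_short_jump(original, 0x00403155))   # ('je', 0x403192)
    print(decode_short_jump(patched, 0x00403155))    # ('jmp', 0x403192)
    print(changed_bytes(original, patched))           # [(0, 0x74, 0xEB)]
    print(hex(va_to_file_offset(0x00403155)))         # 0x2555
```

Both encodings resolve to the same target, 00403192, which is exactly what the listing shows; the only byte that differs is the opcode at index 0, and under the assumed section layout 00403155 lands at file offset 0x2555. The point for anyone designing a licence check is the obvious one the essay makes: a boolean result tested by one conditional branch is a one-byte decision, however elaborate the code behind the imported function is.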
(c) +ReZiDeNt 1997. All rights reversed