BEGINNERS: Prassi CD-REP trial stupid protection
(12 December 1997)
Well, a very simple essay on a very stupid protection, I know I should
not even publish anymore these articles (and pass them to +gthorne's new "Beginner
section"), yet this one has some elements that are pretty interesting... and this
whole section is anyway dedicated to 'stupid protections', so you cannot expect to find
here 'state of the art' reversing essays :-)
Anyway I like this short article because I like 'stubborn' reversers, that do not
"leave hold" of a target until they understand HOW the different elements of the
alien code they are investigating fit together... so I'm publishing this, and I'm sending
it over to +gthorne as well :-)
Enjoy!
In the world of protections you can still find stupid protections. Stupid protections are protection schemes you can remove as soon as you see the disassembly code. Here is another example of these. If you're a beginner in reverse engineering you can read this otherwise forget this article: it's only for beginners!
Soft : Prassi CD-REP 1.0.028 (www.prassi.com)
Protection : Time Trial Protection (30 days)
Tool : Wdasm32, any version
AWARD : MOST STUPID PROTECTION (for sure)
What's the problem ?
After you've installed CD-REP 1.0.028 you can use it 30 days.And 30 days later (or 2
seconds later with the system time) you can see a message box like : Sorry,this demo
version has expired or Sorry, this demo has expired because the system time has
been changed.
You're very disapointed because you need CD-REP to record your CDs, of course you have
others softs but this one looks like CDRWIN or DAO and you love this king of soft (I don't
understand why ... )
So you decide to look at protection sheme :
First Step
Run your favorite disassembler (like w32dasm89) and look for the nasty string : Sorry,this
demo version has expired
After few seconds you find out:
* Referenced by a Jump at Address:9038(C) | :9835 8D542458 lea edx, dword ptr [esp+58] :9839 52 push edx * Reference to String Resource ID=00078: "Sorry, this demo version has expired." :983A 6A4E push 4E :983C EB0F jmp 984D * Referenced by a Jump at Address:902C(C) | :983E 8D542454 lea edx, dword ptr [esp+54] :9842 6800020000 push 200 :9847 52 push edx * Reference to String Resource ID=00269: "Sorry, this demo has expired because the system time has bee" :9848 680D010000 push 10D * Referenced by a Jump at Address:983C(U) | :984D A12C3E4600 mov eax, dword ptr [00463E2C] :9852 50 push eax * Reference To: USER32.LoadStringA, Ord:0183h :9853 FF1540F74700 Call dword ptr [0047F740] ;Display the string
You notice two offsets :
9835 : Referenced by a Conditional Jump at 9038 , and 983E : Referenced
by a Conditional Jump at 902C
You found out where the strings are displayed, now let's find out why...
Second Step
We will now have a look at the code near 902C .....
:9013 E8684C0000 call DC80 ;A function that return something in EAX :9018 8BF0 mov esi, eax :901A 81E6FFFF0000 and esi, 0000FFFF ;In fact just LSB is important :9020 8BC6 mov eax, esi :9022 83E800 sub eax, 00000000 ;Strange :9025 7459 je 9080 ;Very Strange :9027 2DFEFF0000 sub eax, 0000FFFE :902C 0F840C080000 je 983E ;Display "you've changed the system time..;" :9032 48 dec eax :9033 6800020000 push 00000200 :9038 0F84F7070000 je 9835 ;Display "the demo version has expired..." :903E 8B0D2C3E4600 mov ecx, dword ptr [00463E2C] ;Ok the demo version remains available :9044 8D842458020000 lea eax, dword ptr [esp+00000258] :904B 50 push eax :904C 6A41 push 41 ;"This is a full functional demo version of the application" :904E 51 push ecx :904F FF1540F74700 Call dword ptr [0047F740] ;USER32.LoadStringA, Ord:0183h :9055 8D942454020000 lea edx, dword ptr [esp+00000254]
That's right you find out what you need. You could just change JE 983E and JE 9835 into NOPs and go back to your sleepy laziness, tomorrow you would be able to use CD-REP, and the day after as well, and so on... But we are NOT here in order to use software for free, we are here in oredr to understand the CODE! So let's now work on all this, and let's delve deeper inside our target... yeah, it's already cracked, so what? We'll still find some nice little fishes, just follow me...
In fact there is something strange at offset 9022. Why
this test? Is there another solution or is it another protection?
In fact if EAX=0 the program jumps into 9080. If you look at 9080 you will see
that the message box ("This is a full functional demo version of the
application...") is not displayed and the program runs without checking the
date !!
So there is an easier solution : force EAX to be NULL ... How ? ... Change AND
ESI,0000FFFF in AND ESI,00000000 at offset 901A.
However, I'm too curious, and I wonder why this test was
used and I decided to look at DC80 : the function that returns something in EAX.
Third Step
So what's going on ?
:DC75 81C458010000 add esp, 00000158 :DC7B C3 ret ;Ok DC80 cannot be run except by 0913 :DC7C 90 nop :DC7D 90 nop :DC7E 90 nop :DC7F 90 nop * Referenced by a CALL at Address:9013 ;This is our only call | :DC80 83EC7C sub esp, 7C :DC83 66833DE4BA450000 cmp word ptr [5BAE4], 0 ;Very interesting !! :DC8B 53 push ebx :DC8C 55 push ebp :DC8D 56 push esi :DC8E 57 push edi :DC8F 750B jne DC9C ;if [5BAE4]!=0 jump for calculous ... :DC91 6633C0 xor ax, ax ;else AX=0 :DC94 5F pop edi :DC95 5E pop esi :DC96 5D pop ebp :DC97 5B pop ebx :DC98 83C47C add esp, 7C :DC9B C3 ret ;That's all * Referenced by a Jump at Address:DC8F(C) | :DC9C 6A00 push 0 :DC9E E80DBF0000 call 00429BB0 Let's have a look at 5BAE4 .... :0045BAB8 00 00 00 00 00 00 00 00 ........ :0045BAC0 00 00 00 00 00 00 00 00 ........ :0045BAC8 00 00 00 00 00 00 00 00 ........ :0045BAD0 69 78 12 BE D5 E3 5D 3C ix....]<:0045bad8 D3 67 D4 81 FA 81 DC 77 .g.....w :0045BAE0 00 00 83 00 1E 00 02 00 ........ :0045BAE8 08 00 00 00 00 00 00 00 ........ :0045BAF0 00 00 00 00 00 00 00 00 ........
Oh ... 0x1E! So in fact 30 in decimal .... THIRTY! Ok like 30 days.... that's right if
it was 0000, the test in DC8F would be false and EAX would return a NULL value. So I have
to change 1E in 00 and that' s all ....
But the flag inside memory location [0045BAE4] could be important for the rest of the
protection scheme! So let's go for a "brutal" search of the text string
"45BAE4"...
The first occurence is :
:8DC2
8BCA
mov ecx, edx
:8DC4
83E103
and ecx, 00000003
:8DC7 663905E4BA4500
cmp word ptr [0045BAE4], ax ; Is this test important ?
:8DCE
F3
repz
:8DCF
A4
movsb
:8DD0
742B
je 8DFD ; No it displays (DEMO) in the main window
* Possible StringData Ref from Data Obj ->" (Demo)"
|
:8DD2
BF18C64500
mov edi, 0045C618
:8DD7
83C9FF
or ecx, FFFFFFFF
:8DDA
F2
repnz
:8DDB
AE
scasb
:8DDC
F7D1
not ecx
Cool, I shoot the word demo in the main window ... I guess that [0045BAE4] means "type of running application": demo (of n days) or not demo... that is the question?
The second occurence takes place in a part of program which deals with RegKey, so [45BAE4] is used to calculate a value written in the register base. If you reeinstall CD-REP after 30 days the program can't run because the date of first installation is frozen in the register base. So don't worry it's classical ...
No more occurences ... I think it's over.
Conclusion
After testing the program (with few copies in different modes for example) you valid
your patch and you think it's too easy ... but it is so ... let's write an article on Most
Stupid Protection.
I would add that CP-REP is a very good soft, better and safer than Easy-CD, and more convinient than DAO. It can be run on windows 95 and windows NT ( althrough Dr Watson disagree ). So have fun ... Bye, See you soon for another article of Pipoman (Anyone wondering what does "Pipoman" mean?... I will tell you...fravia+) (c) PipoMan All rights reversed