Copy Control Protection


MuT
September 19th, 2001, 07:45
Are there any tutorials or tools available that deal with Copy Control protection?

DakienDX
September 19th, 2001, 10:45
Hello MuT !

There are some tutorials, but the ICA site is down at the moment.
Perhaps I can help you.
What's your problem?

MuT
September 19th, 2001, 20:45
I've got one package (unavailable thru dwld) having 2 cores. 1st part uses Netsentinel w/a license file while 2nd part uses Copy Control protection. I believe I can handle the 1st part myself. But for the 2nd part, I have no info. at all about it. Seems that it needs a serial from CD to activate. When the main program is invoked, CCMV32xx.EXE and a data file are created. Before digging in, I'd like to study some tutorials if available. Would appreciate if you can provide one, and any hints are welcome.

ZenLoren
September 20th, 2001, 00:02
Hi

Does your target have a CClook.exe file?
This file will give some more info which is required,
i.e. what's the copy control serial no. & product serial
no., what product code is used etc.

Give us some more details.

Regarding tuts, I have one by Cbolo in Polish & also one
converted into English. But it's very old. So I guess I might
be of no help. See attachment.

Regards,
Loren

DakienDX
September 20th, 2001, 11:07
Hello MuT !

CopyControl is a floppy disc protection system. There is an option available called Unlock-It, which can be used on media which is not a floppy, like CDROM, internet or network.

It installs a copy of the product license to your program dir (hidden dir) and creates a temporary serial number. This number is random and will not be generated again, even on the same system and the same Windows installation.
You have to send this number to your software manufacturer and he will send you an unlock-code.
So far there are no tutorials on unprotecting CopyControl protected files (DOS files can be unprotected with a freely available unprotector and Windows files can be "cracked" by patching three bytes). The tutorials are all about how to create master discs, since CopyControl is mainly used for floppy discs.

Creating an unlock-code is not nice work and pure DOS-cracking. (It will work only one time since your temporary serial is always different.)
You should check how the program was protected by using CCLOOK.
Please tell us the product-code, the CopyControl serial and version and how the files are protected (shell or object). If the files have the shell option set, you should have an easy game; if it was by object method, it can be easier, but also more difficult, depending on how the protection is bound to the program.

MuT
September 20th, 2001, 11:34
Thanks everybody for the info. Glad that I haven't yet started digging. Shown below is the output from CCLOOK. The product code and Serial Number are fake for obvious reasons, it's an engineering software w/2 modules. I've just finished (I hope) with the one using Netsentinel. For the module using Copy Control, now it's expired. Where should I start? This module has many features to be activated. BTW, the title PROGWIN.EXE actually exists under a different name in the installed directory. Perhaps, the name before protection?
============================================
Protection status : 0

Product Code: PROGNAME
Product Serial Number: 123456789
Master or installed copy: Unlock-it unactivated copy
CopyControl version number: 2.01
CopyControl serial number: 702
Install to drive type: Both hard and network
Number of concurrent network users: 1
Directory containing protection: C:\Prog\PROGDIR
Display error code: Yes
Action if illegal copy: Return to OS
Virus checking enabled ?: No
Next update number: 1

Filename: Protect Type: Execs/Copy: Execs Left: Expiry date: Max Days: Features
PROGWIN.EXE: object: no limit: no limit: 1.4.1999: no limit: 0

Secure sigon message
Unauthorised message
Expired message
Part or all of licence has expired
Diagnostic Information
0000fdff 0000 0000053a
b7a1 b8ae 3e 3c 008b
0a ff ff
0010,0010,0017,0009,000a,0015
0014,0016,0039,0009,0003,0015
000c,0012,002e,000a,0003,0014
0000,0000,0000,0000,0000,0000
0014,0017,0003,0009,000a,0015

DakienDX
September 20th, 2001, 12:34
Hello MuT !

Since I've written the serial is randomly generated, you could have posted it anyway. But that doesn't matter now.
We know that the program has been protected with CC 2.01, and is protected by the object method. This means that somewhere in the code there is a call to the CopyControl routine which fills the buffer given by stack with a special structure.
So I suggest to download CopyControl 2.01 from http://www.microcosm.co.uk and study their help file. You don't need to activate it (since you would have the same problem you've now: how to do it ???). It includes detailed information of the structure filled by CC routine.
You should then search for any code which checks data in this buffer. If you're lucky, the program only checks for the return value of the CC proc (0 = all OK) or the status word (0 = all OK).
It could also check for the number of network users, the expire date, the serial and some other (read the helpfile of CC).
Then you can change the check to whatever you like.

If you have problems finding the CC proc, just link the LIBs included in CC 2.01 to one of your programs and see what the code you're searching for should look like.

MuT
September 20th, 2001, 20:51
Hi, DakienDX

Thank you very much for the info. I've started looking at the prog. and see that the error messages are after some CMPs which really expect zero return values. Inside this main prog. there is no call to ext. CCxxxx.dll. In the separate chk/activation prog, the activation errors are after CALLs to CCCHANGE_SGO inside CCCHNG32.DLL. Is it worth tracking and patching the activation prog. (it's much smaller, 700kb compared with 6mb of the main prog) or should I concentrate on working with the main prog? I really appreciate your hints. The info you provided above is very helpful. Further suggestions are welcome.

ZenLoren
September 20th, 2001, 23:38
Hi

Can you upload your progname.ccc & ccontrol.sys ?
It would be inside your folder.

C:\Prog\PROGDIR

Regards,
Loren

MuT
September 21st, 2001, 01:59
The files I upl. are on the install CD. I'm not sure if it's exactly the same as the ones installed on my PC at home. Now I've only the CD image on my office's PC. If you need the ones installed, tell me. I'll upl again once I'm at home. BTW, this morning I saw 'CCMB' CMP in the routine jumped to by the CALL just before the zero CMP JMP to the expiry message. I planned to start checking the stack tonight. Hope that it's not equipped with anti-sice algos.

ZenLoren
September 21st, 2001, 05:17
Hi,

can you provide the original *target*
Product Code : ?????????
ProductSerial No: ?????????

Regards,
ZenLoreN

MuT
September 21st, 2001, 09:37
CYM. BTW, it's using anti-sice. Still not sure what kind.

Best regards

DakienDX
September 21st, 2001, 13:44
Quote:
Originally posted by MuT
Hi, DakienDX

Thank you very much for the info. I've started looking at the prog. and see that the error messages are after some CMPs which really expect zero return values. Inside this main prog. there is no call to ext. CCxxxx.dll. In the separate chk/activation prog, the activation errors are after CALLs to CCCHANGE_SGO inside CCCHNG32.DLL. Is it worth tracking and patching the activation prog. (it's much smaller, 700kb compared with 6mb of the main prog) or should I concentrate on working with the main prog? I really appreciate your hints. The info you provided above is very helpful. Further suggestions are welcome.


Hi MuT !

The call to the CC proc need not reside in an external DLL, it could be linked into the program. There are some samples of how to call the CC proc in the CCDir\SAMPLES dir.
Have you downloaded and read the CC help file?
If yes, you should know what to look for. For example:
Code:

Mov DWord Ptr [StartOfBuffer], "BMCC"
Mov Byte Ptr [FunctionByte], 0
Push Offset StartOfBuffer
Call SomeAddress ; _cc = CC proc
Or EAX, EAX
Je GoodBoy
Call BadBoyMessage


Now you should find any references from the buffer start max. 512 bytes forward and check the values read and checked. The CC help file contains detailed information about the structure of the buffer.

Since I think you want to crack the program forever and not only generate one unlock-code which works only one time, the work on the routine which checks the unlock-code is a waste of time in my opinion. It is pure DOS debugging with many useless checks.
Why do you want to deal with much asm anti-debugging code, which at its end will only generate a ONE-time unlock-code, when you can easily crack the program forever by just patching C++ or Delphi code?

From reading my text, you should know that it is NOT worth tracing through the activation program, since patching it will just show you a "Thank you for registering" message, but CopyControl will be still unactivated. So the .CCC and CCONTROL.SYS files are not needed for this task.

Please post any questions or email me any non-public questions.

MuT
September 22nd, 2001, 01:31
Hi,

Thanks for guiding. I won't waste time playing with the activation routine as you wrote. Finally I got thru the antisice and explored the codes around the data block. I saw the code that decrypted and encrypted again the CC code block using 0x5A, and some kind of signature before and after the code block. The first call uses function '0' with expiry error code. I cleared the ret code and fixed the expiry date in the memory. This bypassed the expiry chk and the soft. ran with another 3 calls to function '3' with '0' ret. Then an error msg appears: Failed to load critical file(s), and the soft terminates. I could see the first screen after fcn'0' call and the menus appeared after the error msg. I'm not sure if this is related to CC. From FileMonitor, there're a lot of NOT FOUND msgs with CCMV32AA.Lxx files. But I'm still not sure if they're related. Will dig deeper.

DakienDX
September 22nd, 2001, 02:06
Hello MuT !

The CCMV32AA.Lxx (and the CCMV32AA.EXE) are used to verify the unlock-code. They're written to the tempdir or the windir and are DOS programs (only the .EXE). CCMV32AA.EXE gets some information on the commandline like the PCODE and reads the rest from CCMV32AA.Lxx.
Good you've found the call to the CC proc. You should set a breakpoint on the first instruction of the proc and see how often it is called. (normally only once, but it could be called more times for logging in network users, as documented in the CC help file)
You should patch the CMP instructions after all calls, since a new call to the CC proc will overwrite your patched memory locations.
I've never seen xoring the buffer with some value, but the author could have implemented it to confuse the "user".
Also, if it is possible, I wouldn't change anything in the CC proc. I got strange results on some programs when doing that.

Keep on working and you'll succeed soon. You're on the right way. (I hope so)

MuT
September 22nd, 2001, 05:15
Hi friends,

Now it's clear that the Features field (offset 352) of the CCMB block must be filled with FFFF, otherwise nothing can be done even though I can enter the main menu. This soft. has many options and the CC routine is called from more than 200 locations. Where is the CCMB block from: .ccc or .sys? Is it possible to decrypt, modify, then encrypt again? Rewriting the CC routine is my current choice.

Best regards

DakienDX
September 22nd, 2001, 06:20
Hello MuT !

In this case (>200 _cc calls) you should try to patch the CC proc itself. The CCMB is not stored in a readable form anywhere, it is rebuilt every time by a _cc call. As I said, unlocking it is one possibility (but it's the worst), patching is the other, easier one.

Rewriting the CC routine should be the best choice in this case.

MuT
September 22nd, 2001, 12:47
Hi,

I fixed the CC_body to clear the expiry and get the Feature field the way I want. Now, the soft. is usable but not 100%. Out of 39 options I can enable 33 max. Anyway, at the moment using 3 codes I can cover all, enough for my own use. Thanks a lot for all helping hands.

Best regards

DakienDX
September 22nd, 2001, 13:11
Hello MuT !

Sometimes the feature word has values which disable some features. For example in CC 3.03 bit 2 (=2) disables floppy activation under WinNT and bit 7 (=128) converts the program into a demo version. So setting 65535 as feature word isn't what you want.

Dissektor
September 22nd, 2001, 22:28
http://ids0a.cjb.net/

try the tutorial or you could mail UnforgiveN
he is ready to help

MuT
September 23rd, 2001, 00:24
Hi,

DakienDX: I also saw similar things, eg. bit 7 has to be 0. The best I could get was from FFFFFFBF, BE (33 options enabled, some not the same). BD got 32 options. FF got 20 but contained 3 options not enabled by BF, BE, or BD.

Dissektor: Thanks for your info. My problem seems to be slightly different from what's posted though.

DakienDX
September 24th, 2001, 11:47
Hello MuT !

It just came to my mind when reading "FFFFFFBF". You have probably set only the 32bit feature word. You should know that there is also a 16bit feature word at the beginning of the buffer. It's included for backwards compatibility only and includes only the bits 0 to 15 of the 32bit feature word, but it could be still checked for some values. (If you've set it too, please excuse my suggestion.)
Do you know if all 39 options can be enabled in one copy? Is it possible that the Netsentinel license file unlocks the missing options?

MuT
September 24th, 2001, 20:47
Hi,

From BPR, it seems that the 16-bit Feature was not read at all, but I didn't try to change the value. Also I didn't trap the Netsentinel call. Seems to me that it should be possible to enable all 39. Will check it up again. Thanks for your suggestions.

Best regards