online-RegCode-check trick


Solomon
November 27th, 2001, 05:19
Target: Ace Clock Pro 3.6
hxxp://w*w.aceclock.com/files/ace_clockpro36.exe

This prog uses a registration code. It is packed with two packers (one is ASPack). I successfully unpacked it (OEP = 605F70) and found the boolean flag of unregistered/registered with DeDe.
Code:

* Reference to field TAceClock.OFFS_044D
|
005FEFAB 80B84D04000000 cmp byte ptr [eax+$044D], $00 <----Registered or not?
005FEFB2 0F8596000000 jnz 005FF04E


By patching this flag I got a fake registered version. The time-limit and nag disappeared. The reg info is stored in the following places.
Code:

HKEY_CURRENT_USER\Software\ECrewDev\AceClockPro\Info\1 <----Name
HKEY_CURRENT_USER\Software\ECrewDev\AceClockPro\Info\2 <---Company
HKEY_CURRENT_USER\Software\ECrewDev\AceClockPro\Info\3 <--- Mail?
HKEY_CURRENT_USER\Software\ECrewDev\AceClockPro\Info\4 <--- Key?

But you still cannot use the "Adjust date/time via Internet" feature, because it will always check whether you are a legal user by sending the following HTTP request to its home:
Code:

GET /products/aceproclock/check.php3?user=xxx&email=yyyy HTTP/1.0


If your name is not in the database, it will refuse to adjust the date/time. Simply blocking it with a firewall will not work. With a "BPX WS2_32!connect" I found this online check and patched the "JZ", but the date/time of my machine still remained unchanged. Strange? Don't know why. It may use a non-blocking socket, because the return value of GetLastError() after connect() is 0x2733. I didn't see the data sent to the internet time server even with a sniffer.

Code:

001B:005D38C1 CALL 005D3778 <--------- check if you are a legal user
001B:005D38C6 TEST AL,AL
001B:005D38C8 JZ 005D39DB <-------jump if illegal
001B:005D38CE LEA EAX,[EBP-04]
001B:005D38D1 PUSH EAX
001B:005D38D2 LEA ECX,[EBP-18]
001B:005D38D5 MOV EAX,[0060A488]
001B:005D38DA MOV EAX,[EAX]
001B:005D38DC MOV EDX,005D3A14 <-------msgConnecting to time server
001B:005D38E1 CALL 005BF780

Idcrisis
November 28th, 2001, 03:49
First of all, your problem cannot be solved by changing a flag, because it relies on data which is sent from the server. It is like a save-disabled menu item with the code for saving not there at all. Therefore, what you are trying to do is impossible.

If you insist, persist, desist and resist common sense, which is why you have come this far on this target anyway, then...

you can manually telnet to <whatever their server> and do

GET /products/aceproclock/check.php3?user=dummy&email=dummy@email.com HTTP/1.0

Then get the response. You can take a look at it and figure out what it can be changed to in order to reflect a proper return.

Then you can look at the code which is meant to execute after the program supposedly gets the date time from the server and see what it does with the values. There will be a call to one of the brethren of SetSystemTime with these values.

You can try changing the URL it is accessing to something you can control; point the base URL to 127.0.0.1 or whatever. You can change the PHP reference too if you wish. Then you can run a small web server (use Indy TCP components in Delphi) at that URL to keep getting the date/time from an independent time server and returning values in the format that you think the server should return.

It will be an extremely interesting task.

The word impossible usually means superstition.
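The point Idcrisis makes above (the registered flag only gates the request; the server is the only source of the time value, so a patched flag yields nothing to hand to SetSystemTime) as an added model in Python, not code from the thread or from the product. The endpoint path and query names are taken from the request Solomon posted; the user registry, the response format and the client function are constructed assumptions:

```python
from urllib.parse import urlparse, parse_qs
from datetime import datetime, timezone

# Constructed registry of licensed (name, email) pairs; placeholder data, not the vendor's.
REGISTERED = {("alice", "alice@example.com")}

CHECK_PATH = "/products/aceproclock/check.php3"  # path seen in the captured GET request


def handle_check(request_line):
    """Model of the vendor-side check: the body carries the time only for a known user.

    Returns (status, body); body is None whenever the server withholds the data.
    """
    method, target, _version = request_line.split()
    if method != "GET":
        return 405, None
    url = urlparse(target)
    if url.path != CHECK_PATH:
        return 404, None
    query = parse_qs(url.query)
    user = query.get("user", [""])[0]
    email = query.get("email", [""])[0]
    if (user, email) not in REGISTERED:
        return 403, None  # unknown user: no time value is ever sent back
    # In a real deployment this would come from an upstream time source.
    now = datetime.now(timezone.utc)
    return 200, now.strftime("%Y-%m-%dT%H:%M:%SZ")


def client_adjust_clock(local_registered_flag, request_line):
    """Model of the client path around 005D38C1: what the clock-setting code receives.

    A patched local flag only gets past the JZ; without a 200 body there is no
    timestamp to apply, which is why the machine clock stays unchanged.
    """
    if not local_registered_flag:
        return None  # JZ taken: the client refuses before asking the server
    status, body = handle_check(request_line)
    if status != 200:
        return None  # server withheld the data; nothing to pass to the time-setting call
    return body
```

The security design lesson for the vendor side is the one in the post: return the data the client needs rather than a yes/no verdict, so a client-side patch cannot stand in for the server.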

Solomon
November 28th, 2001, 04:38
Thank you, Idcrisis, for your reply.

Yes, the traffic of this prog can't be blocked, no matter whether it is connecting to its registration-check server at home or to an internet time server.

I just tried other winsock APIs as breakpoints, such as send/recv etc. It's a challenge to analyze its 'protocol'.

Your substitution method is really good.