
View Full Version : old encrypted cd


kqt
June 2nd, 2002, 00:38
hello all
I recently bought a used prog for $2 with a bunch of fonts on it.
Its a multi-os cd that will work with win, mac, or 2 different kinds of unix. Its old 16-bit. It works this way..you browse the cd for fonts you want to buy, call the manufacturer, give them your customer key and credit card, and they give you unlock key to the fonts you bought. I thought "interesting". So I install in win 98. Installation takes a 23 digit password and your name, after install, I find in c:\windows a xxx.ini file with my name and a 20 digit "serial number". I run the prog and choose a font. Dialog informs me of my 22 digit "customer key" which is very similar but not the same as "serial number" in xxx.ini. Dialog then asks for 15 digit "unlock key"-box only accept numbers and auto-arranges into groups like:xxx xxxx xxxx xxxx. So I type fake unlock key and bpx getdlgitemtext.Previous dissasembly provided no clues to strings in error message about "wrong key", so I trace slow to find the offending call. I find the call, and inside are 20+ other calls. Watching registers as close as I can I find in memory my name, the original install pass,the 20 digit "serial number" from xxx.ini and my fake "unlock key".Also there is a 10 digit mystery number that is read from and written to several times, and my unlock key gets converted to other numbers than I originally entered. The check is not obvious, every time I think I see a check moving through ax 1 byte at a time, it is really one the other strings being read. Also there are pointers to a thing that looks like : 0 # 0 # 0 # 0 # 0 # 0 #.....And in the install directory and the cd is wierd hidden file "cdr0m.des" with no obvious entry point to dissasemble from. What should I be looking for here??? I can manage to reverse all conditional jumps leading to error message, forcing prog to spit out a font, but its still encrypted the way its stored on the cd, so......proper "unlock key"=decrypt key.....Right?? 
Are there ways to identify an encryption algo similar to the ways of identifying commercial protections like dongles and packers? Could the "unlock key" be brute-forced by attaching to the process of the dialog box? I actually own one font that is on the CD in non-crypt form; could it be compared to the crypt one to find the key, like "known plaintext"?? Some searching revealed that the CD was supposedly made from a number of different masters to prevent a generic crack from being made, with the encryption algorithm different on each master, and that each time you install, a new "serial number" is generated. Also, the unnamed graphics software giant no longer makes or supports this product; you couldn't buy the fonts anymore if you wanted to, which makes it even more interesting to me. A last note: the prog traces in SoftICE with no apparent problem, but out of curiosity I loaded FrogsICE and crash! error 10 debug registers... something about call dos3call... jn zxxx.... int 21... is this just a fice bug or real anti-debug???
Any input appreciated
thanks
kqt

Woodmann
June 2nd, 2002, 01:12
Howdy,

Old school encryption......

You're trying too hard, methinks. XOR'ing and 16-bit encryption should turn up what you desire.
I believe you can find that somewhere on this place.

The lazy one can try DECRYPT.

Peace, Woodmann
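Added worked example (not code from either poster, and nothing in it comes from the real CD): kqt asks whether the one font he owns in clear form can be compared against its encrypted copy, "known-plaintext" style, and Woodmann points at XOR / 16-bit encryption. Against a repeating-key XOR those two ideas combine directly: XORing the clear font with its encrypted copy yields the keystream, the keystream's repeat length gives the key, and the key then decrypts every other font on that master. The key, the font bytes and the TrueType sanity check are constructed sample data; the only real detail is that a TrueType file starts with the sfnt version bytes 00 01 00 00.

```python
from itertools import cycle

# Constructed sample data for this added example; nothing here comes from the
# real CD or from the thread.
SAMPLE_KEY = bytes.fromhex("5a3c")  # assumed 2-byte (16-bit) key, unknown to the attacker

# Stand-in for the one font kqt owns in clear form. A real TrueType file
# starts with the sfnt version 00 01 00 00; the rest is filler.
KNOWN_FONT_CLEAR = b"\x00\x01\x00\x00" + b"cmapglyfheadOS/2" * 4

# Stand-in for a second font from the same disc that is only available encrypted.
OTHER_FONT_CLEAR = b"\x00\x01\x00\x00" + b"hmtxlocamaxppost" * 3


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encrypting and decrypting are the same operation.

    XORing every 16-bit word of a file with one constant is the same thing as
    byte-wise XOR with a repeating 2-byte key, so this also covers the
    "16-bit encryption" case.
    """
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_keystream(plain: bytes, cipher: bytes) -> bytes:
    """C = P ^ K, so K = P ^ C wherever both P and C are known."""
    n = min(len(plain), len(cipher))
    return bytes(p ^ c for p, c in zip(plain[:n], cipher[:n]))


def find_period(stream: bytes, max_period: int = 64):
    """Smallest p with stream[i] == stream[i + p] for every i, confirmed over
    at least two full repetitions of the candidate key.

    Returns None if no period up to max_period is visible in the sample:
    either the key is longer than the known plaintext, or this is not a
    short repeating XOR at all (e.g. a stream cipher seeded from the key).
    """
    for p in range(1, max_period + 1):
        if len(stream) < 2 * p:
            return None
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return None


def recover_key_and_decrypt(known_plain: bytes, known_cipher: bytes, target_cipher: bytes):
    """Known-plaintext attack: derive the key from one clear/encrypted pair,
    then decrypt another file encrypted under the same key."""
    ks = recover_keystream(known_plain, known_cipher)
    period = find_period(ks)
    if period is None:
        raise ValueError("keystream does not repeat within the known sample; "
                         "not a short repeating XOR, or more known plaintext is needed")
    key = ks[:period]
    return key, xor_bytes(target_cipher, key)


def is_truetype(blob: bytes) -> bool:
    """Cheap sanity check on a decrypted result: the sfnt header of a TrueType font."""
    return blob[:4] in (b"\x00\x01\x00\x00", b"true")


def run_demo():
    # The disc side: both fonts encrypted under the same key, which the
    # attacker never sees directly.
    known_cipher = xor_bytes(KNOWN_FONT_CLEAR, SAMPLE_KEY)
    other_cipher = xor_bytes(OTHER_FONT_CLEAR, SAMPLE_KEY)
    # The attacker side: only KNOWN_FONT_CLEAR, known_cipher and other_cipher.
    key, recovered = recover_key_and_decrypt(KNOWN_FONT_CLEAR, known_cipher, other_cipher)
    return key, recovered


if __name__ == "__main__":
    key, recovered = run_demo()
    print("recovered key:", key.hex())
    print("looks like TrueType:", is_truetype(recovered))
    print("matches original:", recovered == OTHER_FONT_CLEAR)
```

In practice you would feed `recover_keystream` the encrypted copy of the font you own as it sits on the CD and the clear copy from your installed font, then look at the result: a short repeat means a repeating XOR and the whole master falls with one key; a keystream that never repeats but is clearly structured means the unlock key seeds something more involved, and you are back to tracing the routine that consumes it. Either way this sidesteps the 15-digit unlock key entirely, which matters because 10^15 candidates is far too many to push through a dialog box. Since the thread reports a different algorithm on each master, a key recovered this way is only expected to work for fonts from the same master.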

kqt
June 4th, 2002, 01:24
Thanks for the reply, Woodmann.
I haven't found my answers yet, but I'll keep trying....
I was searching on 16-bit crypt and XOR crypt and ran into this... maybe people here have read this stuff already, but it's new to me and seems written in a very concise and informative way.....
h**p://polywog.navpoint.com/reveng