
interesting target(s)?


Rackmount
May 20th, 2003, 17:03
I have been toying with a couple of proggies that have a bunch of embedded protections that could interest a few of the "newbies" in here. To start, they will all default to demo versions with the option to enable being presented on run (ok this doesn't sound interesting..I know). What is interesting is that the proggies can be enabled by a variety of options...password, hardware lock, or network lock. Another wonderful feature of the developer is that they will give you a temp password to enable these proggies for a limited time. The main protection is disabled menu functions. You cannot save or print in demo mode. The programs are gui interfaces to fortran modules (these are all freeware and are not really of importance to our study). In the enable screen we see that all modules are initially listed as "disabled" with some or all changing to "enabled" depending on your level of access. The hardware protection is sentinel (imagine that...lol) as is the network protection. I have followed through a few versions and noted a few improvements by the authors on the protection schemes (gone are the messageboxes and messagebeeps that used to yell at you when you tried to save or print in demo mode). The password option brings up an enable screen which presents you with a unique identifier (based on comp hardware most likely). Serial fishing is not an option as the actual password check routine seems to be well coded (oh...perhaps we shouldn't go there...there is a connection to DoD and we DON'T want to break their codes eh? (secondary note: the DoD is most likely the old fortran proggies)) So to make a long story short, I have approached this from the point of menu reversing...who cares if it's demo if I can save and print right? For menu reversing, my favorite BP in SICE is courtesy of +Spath:

bpx EnableMenuItem if ((@(ss:esp+0c))&1)==1

Gotta love that one! So, unfortunately at this point after all the hard work they put into their protection I found that I could change a push 01 to push 00 and re-enable the two functions in one of the proggies (this no longer works in the current version...ah an old dog learns new tricks). For the others, I was following the initial splash dialog to see what triggered it to know that I wasn't enabled..this led to other interesting places. So to summarize, in each one of the proggies we have:
1) Splash screen
2) Disabled menus
3) Password protections
4) Time restrictions (password can enable for varying periods)
5) Hardware protections (time restrictions again here)
6) Network protections (again time restrictions)

A downside to these programs is their size; most are larger than what newbies like to deal with as the disassembly can take a bit of time even on fast machines, but as the old ones used to say...take the opportunity to have a nice sip of your fav bevvie as you wait...eh?

If nothing else is gained by this rather long babbling...take to heart the above breakpoint as it is wonderful in menu reversing. As for the identities of the proggies...I would bet if you searched for hydraulic modeling software and watershed you would in turn know the answer.

Until my next ramble,

Rackmount

dELTA
May 21st, 2003, 05:52
No more smiley.

(You can edit your own posts to fix that)


dELTA

JMI
May 22nd, 2003, 11:40
This thread was inadvertently deleted and now it's restored.

Regards.

Rackmount
May 22nd, 2003, 13:12
I have noticed in one of these targets that deals with groundwater...during the password check routine there is an area where we can change a conditional jump to always jump. The results are a bit strange...The jump is to set two flags, one to zero the other to 1. Once this is patched, some of the modules will be enabled regardless of the password you enter (empty will not get this far); however, which modules are enabled will change periodically. No permanent flag is set, so each time the proggie starts it will say...Hey buddy, you need to enable this in order to play (or something of a similar nature...eh). So as you enter the password and hit enable, it is a toss of the dice to see what modules become enabled. Without restarting, you can reset by simply choosing to go from normal mode back to demo mode. Now, I wonder...the same flags are set, but the enabled modules keep changing...seems like the path traveled is not carved in stone? This occurs even if you repeat the same password entry, as my first thought was that I had inadvertently gotten some part of the password correct such as the string length or beginning character(s). My second thought is that this behavior could be due to the flag variable being stored in something similar to ebx+117 rather than a fixed address (ie. ebx can be different depending on how we get to this point).

Enough said, one of these days I need to really take the time to follow this password routine completely to understand fully rather than just poking needles into it to see how it twitches. (I have always loved the voodoo approach...) Combine voodoo with zen and then add some actual knowledge...wow!

Cya

Rackmount