A Hidden Online Serial Key Check.


DaddyJTHC
February 29th, 2004, 00:20
OK, here's what I have gathered. When you install the software, it accesses the file VISE_Key_Validator.dll in C:\Documents and Settings\UserName\Local Settings\Temp\{67e6a1f1-77cb-4c00-b113-c9cfa6d35bcd} under WinXP.

Is there any way to show the values of the ASM registers while the program is running?

I extracted the installer; the only place it can be is in the VISE.dll file. It checks the key; if okay, it has to make a registry entry, and if it's not OK, it gives an error.

I have found the website that triggers the response. Look at:
http://%/online_sales/validate2.html?code=Q5MDB-A5CG-YZEY-APBD9

sgdt
February 29th, 2004, 00:25
It would be a little helpful to see what's happening past the test eax, eax.

How does the program terminate? Could you find references to exit, or is it posting a close message?

DaddyJTHC
February 29th, 2004, 00:31
Sorry man, after the test it performs:

jne 00467041
mov eax, dword ptr [005CEF4C]
mov dword ptr [esp], eax
push 005D504C
lea ecx, dword ptr [esp+04]

sgdt
February 29th, 2004, 00:39
Could you PM me the download address? (not the URL for their site, it wants an email addr to spam me).

sgdt
February 29th, 2004, 00:46
I almost forgot, could you also edit your first message to remove the name of the software. The powers that be frown on code posted in the same thread as the software title the code is for. Legalities and stuff...

DaddyJTHC
February 29th, 2004, 00:47
The protection is a go-to-once website. I'm figuring a way around it could be to bounce it to a locally run website, but you would need to know what code is returned.

DaddyJTHC
February 29th, 2004, 05:28
You think you've got hacking skills? I've got a piece of software that will stump even the most graceful hackers.

PM me if you're interested. Great piece of software. Protection: Online Serial Number Verification.

sgdt
February 29th, 2004, 07:11
A small but important issue is that it is a crippled demo. The only way to get some of the features to work is to actually write them.

Regarding it crashing, could you try making the following modifications?

466fdd
from 75
to EB

46a1a9
from E8 22 F6 FF FF
to 90 90 90 90 90

46a515
from 74
to EB

dELTA
February 29th, 2004, 08:56
Quote:

...
:00466FC2 6848CF5600 push 0056CF48
:00466FC7 64A100000000 mov eax, dword ptr fs:[00000000]
:00466FCD 50 push eax
:00466FCE 64892500000000 mov dword ptr fs:[00000000], esp
...
I have heard that ASM code runs in top to bottom order, so I follow the program code as best I can, but cannot bypass this, aside from the above mentioned.

An exception to these "top to bottom" semantics (except normal jumps and calls, of course) is exceptions (no pun(s) intended).

As can be seen in the quoted assembler code above, an exception handler frame is set up. Simply put, this means that the code flow will be redirected to the address set up in the exception handler frame if the processor raises an exception at any point in the code (e.g. inside the call at 00466FD6). This is often used to make protections a little bit trickier. My suggestion would be to put a breakpoint at the beginning of the exception handler code and then learn more about structured exception handling (SEH).

DaddyJTHC
February 29th, 2004, 18:47
Quote: Originally Posted by sgdt
A small but important issue is that it is a crippled demo. The only way to get some of the features to work is to actually write them.

No sir, this is no crippled demo; if installed with the correct serial number, it is a full install. Like I said, I have purchased this software, but have used up my 5-install limit.

DaddyJTHC
February 29th, 2004, 18:51
I figure since I can't beat them, I'll join 'em. I figure a great way to beat the protection, since I have a valid key, is to fake their website call.

GET http://%s/sales_online/jump.cgi?id=pro2

If we could find the array block return, we could modify the %s var. to localhost, and create a jump.cgi that returns the correct array block, hence verifying the software and enabling it.

This is a once per install check.

sgdt
February 29th, 2004, 20:19
Quote: Originally Posted by DaddyJTHC
Quote: Originally Posted by sgdt
A small but important issue is that it is a crippled demo. The only way to get some of the features to work is to actually write them.

No sir, this is no crippled demo; if installed with the correct serial number, it is a full install. Like I said, I have purchased this software, but have used up my 5-install limit.

Why do I say it's a crippled demo?

First, the observations about the program.

The installer pretty much keeps everything in the program directory. While the app uses DLLs, pretty much everything it uses is either off the parent directory, or part of the base install of windows. There don't appear to be any hidden files stored elsewhere.

The DLLs fall into two categories, RealProducer (by Real) and a USB driver. None of the DLLs are encrypted, and it's pretty easy to see by looking at them that they won't secretly embed code into our application should we successfully talk to a web site.

Now on to the EXE...

The exe is a regular VC++/MFC application. There are no packers or encryptors, all the text and resources are plain text, there is NO anti-debugger code, no anti-tracing code, and no anti-disasm code. The only thing even remotely tricky is a check to ensure the user isn't running on an 80486 (uses the pushf/pop eax trick).

Yes, it has TCP/IP code. But if you place a breakpoint on EVERY import, you'll see they don't fire. This can be explained by the fact that the only references are the MFC socket library calls, and the MFC references aren't referenced. (God, that was a bad sentence!)

For every string that mentions the word "demo version", there is no corresponding "real version" string. Right clicking on the EXE and going to properties yields the words "special build".

About the only thing that's even slightly deceiving is an error that pops up saying "Error 421 - Trouble initializing Sound Card - check drivers". That message pops up if you don't bypass the serial check fully. But it's kind of obvious: EVERY other driver error was in UNICODE, while this one was in ASCII. Duh!!!

OK, a little more on that error. In addition to the place I mentioned above, that error is called all over the place if a function that ALWAYS returns 1 returns 0. This function is a "registered" function that ISN'T in our demo, it's just a stub so they wouldn't have to change a bunch of code.

The code won't even load the website URL unless the license key is valid.


Another thing to consider is the only calls to LoadLibrary are for DLLs we know about. There is no way to "add on an additional DLL" that has all the real code in it.

It is my opinion that this is a crippled demo. I believe, at best, the web site will download the REAL version to you, after you provide a key that looks suspiciously like a credit card number.

Again, just my opinion.

As far as getting it to be a little less crippled, the date checks and checks to see how many samples you have loaded and whether it's allowed to load them, well, those all seem fairly trivial. But, IMHO, the only way to get it to say "thanks for registering" is to write that code yourself.

sgdt
February 29th, 2004, 20:57
OK, I know I may have come off harsh, and for that I apologize.

I realize the company screwed you on the 5 install thing. Protections are really bad for the end user, and sometimes they can even frustrate the technical folk as well.

Anyway, I just googled the program, and it's up on eDonkey. It's about a meg larger than the other one, but I don't think you want to write that code yourself (albeit it would be a learning experience).

Anyway, it's at

Companyname.Productname.By.PeTeRPan.zip
hash c0f3b41340000961c4a9454dee3b0884
size 7.75 MB (8129142 bytes)

Replace Companyname and Productname with the company's name and product name.

It just finished downloading as I type this, so if you don't want to mess with the Donkey, let me know how I can send it (does your FTP support uploads?)

[edit] 8MB for nothing. They did the same thing (well, actually they only changed 66FDD). It was a "patch" that was the full executable for a one byte change... Good thing bandwidth is free even if disk space isn't...

DaddyJTHC
February 29th, 2004, 21:26
Quote: Originally Posted by sgdt
Anyway, I just googled the program, and it's up on eDonkey. It's about a meg larger than the other one, but I don't think you want to write that code yourself (albeit it would be a learning experience).

I hate to be a pain. I know this program is available, but it doesn't work; the crack makes the software produce the Sound card error 421, which you mentioned earlier.

There is NO KNOWN WORKING copy of this software. I told you I have owned this. And as far as the program downloading the original, that is false; it cannot possibly download a program that fast, as soon as you enter your key, it is running.

A note. I still have this program installed on one computer, and am not going to format. I'm running regmon, and determining the difference in registry calls. I'm figuring it has to be in there.
IF REGKEYVALUE=REAL then run else INVALIDKEY


blah blah blah

I do thank you for all input though.

Also I can give you the Serial number for it if that helps.
It is stored in the registry also.

DaddyJTHC
March 1st, 2004, 00:05
OK, here's what I have gathered. When you install the software, it accesses the file VISE_Key_Validator.dll in C:\Documents and Settings\UserName\Local Settings\Temp\{67e6a1f1-77cb-4c00-b113-c9cfa6d35bcd} under WinXP.

Is there any way to show the values of the ASM registers while the program is running?

dELTA
March 2nd, 2004, 13:42
Quote:
Is there any way to show the values of the ASM registers while the program is running?

Exactly what do you mean by this? The contents of the registers change between (practically) every instruction. To find out their value at a specific position in the code, set a breakpoint at this position and then read the contents of the registers from the debugger window when this breakpoint hits.