Dear All,

I am assisting in coordinating a mini research project on the topic of "Software Copy Protection Reverse Engineering".

This is a very simple experiment aiming to understand more about "software copy-protection reverse engineers".

Attached is a simple "crackme" written by the project team.

Even an amateur can attempt it. But participation from experts are also very much appreciated to make the experiment a success.

What you need to do:


(1) Read the description of the crackme program (Research_Crackme.txt)
(2) Break the software copy protection of the program (the level of difficulty is set to minimum to ensure optimum participation)
(3) Complete the questionnaire (Questionnaire.txt)
(4) Password protect (zip/rar) and attach your patcher/loader/keygen/serial & questionnaire. Then PM me the password (so that others cannot see your answer/response).

If you have questions about the experiment, you can post it here. But if you have questions about the crackme, please PM me instead so that you will not confuse/influence the thought process of other participants.


Thank you for your time.

Hi.

Could you please provide some more information on the experiment and its purpose?
Who do you represent, what is the overall goal, how will results be compiled and presented etcetera.

Regards, sna

We need a legally binding informed consent, with a confidentiallity clause.
We also need tangible proof that you are who you say you are. . .
By the way, who are you?

Hello,

I agree with Sna and Naides. It seems that you're awaiting something for reversers without providing much infos on who you are, at least, who you are representing...

What will be the result of all gathered informations. Will you publish something ? Does it will help your company to make a stronger protection ? Will you make a blacklist of all nicknames ? Will you enforce protection against tools we use ? ...

well many questions without an answer....

Regards, Neitsa.

Dear All,

My apologies for not providing more information.

I'm not representing any companies. The purpose of the research is to gather statistics via a controlled experiment on the topic of software copy protection reverse engineering, for a final year project (university). The aim is to understand the behaviour and "thinking process" of a reverse engineer.

If you need more information, I can provide via PM. The reason for not disclosing publicly is also not to turn the research into something high profile.

In the final report, only the number of participants will be mentioned, and the results from the experiment (e.g. tools that are commonly used, methods that are preferred, etc.). Although this information can be found on the web, they cannot be substantiated without a formal controlled experiment. I'm sure many of us who have graduated know this fact.

You do not need to disclose any information about yourself other than your nick name.

I hope I have answered most of the questions.

Apologies & regards.

Why is the nickname needed?

hi dELTA,

Any nickname is accepted. It is to "identify" the participant in the experiment. If you choose to be completely anonymous, then we will just give it a number, e.g. participant001.

Appreciate all the feedback. We are really sincere about this mini research. Hope that you can participate (and help us graduate) .

Thank you.

If we do choose to participate, how do we return the rar to you? I doubt woodmann will want a load of attachments on a forum thread that no-one can open because they're password protected

Also, can I ask exactly what you're hoping to achieve from the questions you ask in the questionnaire? They don't seem to be targeted enough IMO. You're going to come out with x people with x years experience used tools x, y and z. That's not going to provide you with any inisght to the thought process, because you have already admitted that the protection is trivial (I've not looked at it myself yet, BTW). The only conclusions you'll make are that most reverse engineers use similar techniques of a, b and c to achieve their goals, a conclusion that will hold true only for the type of reverse engineering required for this crackme.

I'm just having trouble seeing why/how the results of this "experiment" are going to help you with a final project...

hi Silver

Thank you for the feedback. After the experiment is over, I will post the discussion/solution/findings for everyone's benefit. The main reason is not to influence the thought process of others.

Actually, this experiment is only a small part of the project. The thought process needs to be inferred from the final results (based on the experience, what method is preferred, e.g. to prove or disprove that those with less experience may not write keygens etc).

Whilst the conclusions will hold true only for this crackme, generalisations are also made based on other research and findings.

This forum is a good avenue, because it reaches out to more people. Interviewing face-to-face is time consuming and limited to people whom you know.

I know this may not be very convincing, but it does contribute to the project.

I hope you can participate too.

tq & regards.


----------------
So far, I have received 10 participations, and had really good discussion with the participants. Really appreciate it. I hope I can get 30 participations to increase the credibility of the results.
----------------

I dont know but i got a felling that we are like ginny pigs in here,,

Maybe i was wrong.. He can be fbi agent colletiong infos about us



Bye NeOXQuiCk

What can i say.. maybe i was doing to much fuss over nothing .. but i can tell you guys this is too easy..2s of everyones time..

If this would be real protection i would surelly pay money for it..Its worth -100$ code something more interesting something more hard ..that you will involve ppl with good and bad knowledge ..with your crackme you cant really do a research since everyone can do it..


Bye,, everyone even guys that dont crack can get a light on this one


NeOXQuiCk

Hi NeO,

Thank you for your feedback.



You are right. The crackme should not be difficult for almost all who is a member of this forum.

But I would really appreciate if you could help by participating since it should not take a lot of your time, and yet it means a lot to the project team.

rgds.

NeO,

<flame>
You often brag about things beeing easy, while you fail on them. (then say it seems easy and you don't have time blabla)

Don't try to guess who i am, you won't find.

But please, stop bragging, because you really don't have the skills to do so..

And im sure you forgot most of the hidden checks..
</flame>

Err, ok, let's be civil now...

Hi SL0rd

Thank you for your point. But to clarify, no tutorial is required. Just to complete the questionnaire (and try to break the crackme).

I hope you can participate too.

regards.

I am beginning to get thoroughly confused by the attitude of the crackers here.

Just a few posts in a different forum, has people falling at each other's feet (try reading INT 3) to help the protectionist make his protection better.

Here he is trying to get a university project (real or faked: don't care) and people are jumping on him, calling him names and general crap by bored crackers.

How comez the difference?

Have Phun

Aimless, Hear, Hear!

I had a quick look at aikons little project and I can say I'm truly impressed. Maybe it's my fault that I have low expectations from people on Internet messageboards asking for university help (check out the homework threads at win32asmboard). Most people asking for help don't know a single thing and don't care about anything as long as someone does their work for them. Aikon here actually did research on tools used by most people here and added quite a couple of checks for them including SI detection. What I'm trying to say is that writing this sample prog was work, if someone doesn't want to do it fine, but there's no reason to beat him up for doing a survey.

Hold on here...........

The bus will be here to pick up a few of you people very soon

Here is a tip my dad used to give me. "If you dont have something nice to say, keep your fucking mouth shut".

That meant shut yer yappin pie hole before I smack it shut.

Here are a few more tips.
If the FBI or CIA or MI5 or KGB or Scotland Yard or BSA were really concerned about this place it would have been shutdown long ago.
Keep yer yappin pie hole shut.

I can adjust certain settings on this board that will automatically rate each user. If you want to continue to post "you suck, Lamer" and other such shit
including poor posts with no real value,
I will allow all the users to contribute to your removal from the board VIA voting. Keep yer yappin pie hole shut.

This same rating system can be used in a variety of ways.
Contribute or keep yer yappin pie hole shut.

Woodmann

Thank you all for your support

In fact, I have also received many positive support via Private Messages (though not posted here on this thread).

If you have already spent time analysing the research_crackme.exe file, but have not completed the questionnaire, I hope you can just spend another few minutes to do so.

I will definitely share the preliminary findings on this thread when the experiment is over.

Ehh i need to replay on Hopcode :

You are right,, i am lameass but sometimes i can do it..
its just poor luck! i dont brag but sometime stuff are easy,,that all i was saying ..

And i didnt know i ofended you so much while i didnt want to look at your code !Next time i will!I am not skilled ,you are right about that i am not coder like you !So there for i dont pretend to do all!But if you looked at the stuff he coded i am sure you would agreed!If not then you are better then me ,,what can i say,...

So never the less i am not trying to quess who you are


NeO

Wootmann,
You mean the driver is ORC? LOL

I think Kayaker was the one who said it.
The guy who drives the bus get's paid in cash so,
it is no matter to me what his name is.

Woodmann

Quote:

[Originally Posted by aikon987654321] I am assisting in coordinating a mini research project on the topic of "Software Copy Protection Reverse Engineering". This is a very simple experiment aiming to understand more about "software copy-protection reverse engineers".

Interesting I find it that you ask for a very short question are of the methods used to break the protection.

Yet you state your interest is in the "reverse engineers". Yet no census or psychological type questions are asked.



Such as:

What country we reside in?
What fields we work in?
Why we do this?
Etc...

The few questions that are asked are in relation to solving the protection.
If that is your interest in common methods of defeating anti-debugging tricks and general R.E. why post this thread?



Why not simply browse existing threads and make notes?

Or read the thousands of existing tutorials http://zor.org/krobar ("http://zor.org/krobar")


I don't mean to act like I am flaming you, I just don't understand.

hi %UNDEFINED%

Thank you for your feedback & interest in this thread.


A few more days and the experiment will be over, and I would be able to answer your questions in more detail, as well as sharing the results.

I'm sorry if my explanation sounds rather not convincing. Those who have participated (11 so far) would have understood my predicament. For those who have not participated, appreciate your patience.

y u guy are so panic to take part in the project ?
if u want to remain anonymous then u just dun put ur nick under the questionnaire...
( i think aikon987654321 dun care about the nick....)
and continue answering the remaining questions.....

I don't know as much as what the newest newbie has already forgotten, but this one is stupid - it's a 1 byte fix.

SiGiNT

Hi, you obviously miss the whole point, as well as not having understood the earlier posts in this thread. Instead of calling it stupid for absolutely no reason take it for what it is. At some point in your "newbie" career, you would have been completely lost at how to proceed. Now you're too cool for it. Well, that's great, but if you can't learn at least something from it, then you're doing it all wrong. Your contribution has been much more worthy, thanks. GEESH!

Kayaker

Don't mis-understand me, my motto is "when you stop learning you start dying", I definitely learned from this one, not to be distracted by the obvious diversions, and thanx, (really!), for reminding me of that. No flames intended - the "stupid" remark was a reflection of my realization that I was being mis-lead by some of the code. I hope to make friends here and I don't need to give the wrong impression, if anything it was fun and gratifying when I found what I needed to do.

SiGiNT

Hi, that's a good motto

Kayaker

I'm looking forward to the closing of this crackme and aikon posting the results, as it raises some interesting questions...

Ok, the experiment is over

To clarify some earlier queries:

(1) No, i'm not a lamer looking for "free" tutorials, this is in fact a serious research. But i'll always consider myself a newbie ...
(2) I've been doing reverse engineering since 1996. My first debugger was SoftICE 2.0, did my first keygen in 16-bit assembly ..

and about the experiment:

(1) The "real" aim is to see how effective it is to "mislead/trick" reverse engineers into thinking a copy-protection seems easy, using debugger detection methods to lead them to the decoy algorithm, rather than using offensive anti-debugging tricks

and the results:

(0) 12 participated - 4 amateurs, 6 intermediates, 2 experts
(a) All participants rated the copy-protection as “Easy”, but not one provided a completely working solution at first attempt (i.e. all was tricked into prematurely attacking the decoy algorithm). The participants were told to retry until they succeeded or opted-out.
(b) Only one provided a completely working “key generator” on the third attempt.
(c) Three provided serial numbers that only defeated the fake algorithm.
(d) The remaining eight provided patches; only 3 were completely working (2 to 6 attempts taken).
(e) Eight opted-out from the experiment after the first attempt on the reason that it would have taken them too much time to provide a working solution.


And, I have to specifically mention these 2 participants:

(1) N*****a - the one and only participant who did a completely working keygen => you have the BEST solution
(2) I******t - really respect your endurance, you did it in 6 attempts with a patch!

And for saying "thank you", I have 6 Gmail invites - those who have participated can ask for it if you're interested by sending me a PM

For those who have not participated, you can give it a try, now knowing that the crackme is "a little harder than easy" and is good for your brain



p/s: and those who said "this is just a 1-byte solution", you obviously fell for the fake algo. You need at least "2-bytes", if you know where to find them

OOPS! just realized explaining my 1 byte fix would ruin the fun for others - deleted that info in this post. I've explained it in a PM to you Aiken - it does work, and opens, edits, and saves - fully functional.


SiGiNT

As it turns out, I didn't fully test the prog - print is not enabled, and Aikon tells me that opening files sequentially will disable some menu functions.

well i read the read me after i double clicked the exe in w98 it crashes and takes the os along with a bsod
any way i loaded it the next time using ollydbg and see it working perfectly till int 41 it crashes on int 41 (w98 se) hope to look into it some time in w2k posted this in the hope to elicit info if some one has successfully ran it in w98 se

Disable int41 it's a debugger trap.

SiGiNT

dear sigint,
thanks for reply
yes i know int41 is checking for debugger

the point i was raising was why should it crash the os and also corrupt the stack in w98 se i can understand if the return value 0xF386 was used to manipulate but just by executing int 41 the stack gets corrupt and eip is changed to some absurd value so when a ret is processed it returns to
some doomsday palace and takes the os along i was hoping for an explanation to this peculiarity
yes i can disbale int 41 or disable the whole SetUnhandledExceptionFilter crap and jump directly to WinMain
any way thanks for reply and still hope for an explanation

btw int41 does not crash in w2k even after execution as i patched the SetUnhandled it returns to the winmain via unhandled handler in w2k

is int 41 supposed to crash w 98 se on its own even when run without a debugger any tips,links are welcome thanks again

Hello,

I have completely forgot this topic... Well, now it is up and the project is trully over, I can post the working keygen I've submitted to aikon if someone is interested :

It is coded in Asm, and little bit commented (this is not a tutorial).

Source code (radasm project) + binary file included

Just hope it could help...

Regards, Neitsa.

Hi there Neitsa

Very nice of you to share your great piece of work.

I didn't expect that it would generate any further interest ..., since most of us know that the trick is not to get tricked

Hello,

Thanks a lot aikon987654321, but as you've say previously :



Three attempts to make a working keygen ! I'm definitely not a 'master of the art'.



Like, i think, many of the participants, I was fooled by the apparent simplicity of this crackme (I rated it "simple", but it was more tricky than it was looking at first sight.

BTW, it was fun

Will your project/research results will be available to everyone (maybe on the net) ?

Regards, Neitsa.