SpeedTec v2.0

Subject: Cracking

This essay is for knowledge purposes only!! Software developers spend much time in making their programs. They live from the money we give them! Please buy good software!!

I. Introduction

Hi cracker! Some time ago I wrote an essay (due to my studies), but yesterday I cracked a program that was worth a tutorial for sure: SpeedTec. It's a little Visual Basic program that optimizes your Internet connection, resulting in higher download speeds and faster webpage viewing. (Certainly worth downloading!)
|
II. About the protection

30-day trial / nagscreen / disabled functions

III. Cracking it
Okay. This time it won't be regular cracking....no, something different this time :) I've found a "little" (actually a big) bug in the program. Try it out for yourself: when starting up, click on "Register", fill in an excessively long username and an excessively long serial number, click OK and see what happens......!! Yup, it's true! The program overflows and registers itself! Funny, isn't it? :)

Now, how did I come up with the idea of entering a very long serial? Well, as this is a Visual Basic program, I tried to reverse the serial routine with SmartCheck. I noticed that the serial was moved into a float variable (which has limitations) and that there wasn't a built-in overflow check. The only overflow check was in the VB library file. So....I just gave it a try...and I couldn't believe my own eyes that it worked :))

Now, the only thing that remains is a little message box with an OK button (which reports the overflow error). You can also hear a little beep before the message appears. To remove it, we gotta find out where the "call-error-window" code is. To do that we set a breakpoint on MessageBeep (bpx messagebeep). Re-run the program; SoftICE will break, and you step through the code with F10. Now, to find out where exactly the call is made that displays the window, use the technique described in my WS_FTP cracking tutorial. But if you are a quick-understanding guy (girl?) I'll summarize:

1. Execute with F10 until the window is drawn.
2. Clear all breakpoints and set a breakpoint on the call that drew the window.
3. Re-run the program.
4. SoftICE breaks on the call you just set the breakpoint on.
5. Trace into that call.
6. Go to 1, until you have got the real "draw-window" call.
When you have found the real call and the window is drawn, you should see this:

--------Start-of-partial-code--------

* Referenced by a CALL at Addresses:
|:0041C516 , :0041C94E , :0041CE1E , :0041D6A3 , :0041D9D9
|:0041DCB1 , :0041E107 , :0041E499 , :0041F19E , :0041F9E7
|:004211F5 , :004215A6 , :00421B10 , :00421E31 , :00422322
|:00422806 , :00422BB6 , :00422F61 , :004231DD , :004238A4
|:00424911 , :00424B8E , :00424E32 , :004250CB , :004256BB
|:004268CF , :00426FE8 , :00427767 , :00427C6C , :00427FE8
|:0042834F , :0042860A , :004291D0 , :0042A002 , :0042ACBE
|:0042C154 , :0042C662 , :0042D3E1 , :0042E538 , :0042F86A
|:00430514 , :00430A4C , :004314BE , :00431A6B , :00432816
|:00433328 , :00433C43 , :00434194 , :00434A9D , :00435322
|:00435DB5 , :00436EE3 , :00437A1E , :0043913E , :0043B862
|:0043BBF5 , :0043BEAA , :0043C153 , :0043C3F3 , :0043CAE7
|:0043CE27 , :0043D167 , :0043D537 , :0043D959 , :0043DD89
|:0043E76D , :0043EACA , :0043EDA3 , :0043F4E7 , :004418FC
|:00441D24 , :00442233 , :0044290C , :0044399E , :00443DBE
|:004444B3 , :00444B7B , :004457C8 , :00445A90 , :00445D76
|:00446040 , :004462E3 , :004465B0 , :00446988 , :00446D99
|:0044719A , :00447491 , :004479B9 , :00447D98 , :0044823E
|:004485B4 , :00448A80 , :00449191 , :00449AC5 , :0044B964
|:0044BD45 , :0044C013 , :0044D014 , :0044D4DB , :0044D93D
|:0044DD4E , :0044E925 , :0044EBD8 , :0044F631 , :0044FA67
|:0044FE0C , :00450788 , :00450C1E , :00451AE9 , :004522BF
|
:004223E0 83EC10                  sub esp, 00000010
:004223E3 53                      push ebx
:004223E4 55                      push ebp
:004223E5 56                      push esi
:004223E6 57                      push edi
:004223E7 C744241000000000        mov [esp+10], 00000000

* Reference To: MSVBVM50.rtcBeep, Ord:0216h
|
:004223EF FF1568844500            Call dword ptr [00458468]
:004223F5 8B442428                mov eax, dword ptr [esp+28]

* Reference To: MSVBVM50.__vbaStrCopy, Ord:0000h
|
:004223F9 8B35C0844500            mov esi, dword ptr [004584C0]
:004223FF 66C7054E304500FFFF      mov word ptr [0045304E], FFFF
:00422408 B950304500              mov ecx, 00453050
:0042240D 8B10                    mov edx, dword ptr [eax]
:0042240F FFD6                    call esi
:00422411 8B4C2424                mov ecx, dword ptr [esp+24]
:00422415 8B11                    mov edx, dword ptr [ecx]
:00422417 B954304500              mov ecx, 00453054
:0042241C FFD6                    call esi
:0042241E 8B54242C                mov edx, dword ptr [esp+2C]
:00422422 B958304500              mov ecx, 00453058
:00422427 8B12                    mov edx, dword ptr [edx]
:00422429 FFD6                    call esi
:0042242B 8B442430                mov eax, dword ptr [esp+30]
:0042242F B95C304500              mov ecx, 0045305C
:00422434 8B10                    mov edx, dword ptr [eax]
:00422436 FFD6                    call esi

* Reference To: MSVBVM50.rtcGetErl, Ord:025Dh
|
:00422438 FF1538844500            Call dword ptr [00458438]
:0042243E BF03000000              mov edi, 00000003
:00422443 8D542410                lea edx, dword ptr [esp+10]
:00422447 B960304500              mov ecx, 00453060
:0042244C 89442418                mov dword ptr [esp+18], eax
:00422450 897C2410                mov dword ptr [esp+10], edi

* Reference To: MSVBVM50.__vbaVarMove, Ord:0000h
|
:00422454 FF15E4824500            Call dword ptr [004582E4]
:0042245A A1B4304500              mov eax, dword ptr [004530B4]
:0042245F 85C0                    test eax, eax
:00422461 7510                    jne 00422473              <- If overflow error then jump
:00422463 68B4304500              push 004530B4
:00422468 685C634000              push 0040635C

* Reference To: MSVBVM50.__vbaNew2, Ord:0000h
|
:0042246D FF15A4844500            Call dword ptr [004584A4]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422461(C)
|
:00422473 83EC10                  sub esp, 00000010
:00422476 B90A000000              mov ecx, 0000000A
:0042247B 8BEC                    mov ebp, esp
:0042247D B804000280              mov eax, 80020004
:00422482 83EC10                  sub esp, 00000010
:00422485 8B35B4304500            mov esi, dword ptr [004530B4]
:0042248B 894D00                  mov dword ptr [ebp+00], ecx
:0042248E 8B4C2434                mov ecx, dword ptr [esp+34]
:00422492 BA01000000              mov edx, 00000001
:00422497 897C2430                mov dword ptr [esp+30], edi
:0042249B 894D04                  mov dword ptr [ebp+04], ecx
:0042249E 8BCC                    mov ecx, esp
:004224A0 89542438                mov dword ptr [esp+38], edx
:004224A4 8B1E                    mov ebx, dword ptr [esi]
:004224A6 894508                  mov dword ptr [ebp+08], eax
:004224A9 8B44243C                mov eax, dword ptr [esp+3C]
:004224AD 56                      push esi
:004224AE 89450C                  mov dword ptr [ebp+0C], eax
:004224B1 8B442438                mov eax, dword ptr [esp+38]
:004224B5 8939                    mov dword ptr [ecx], edi
:004224B7 894104                  mov dword ptr [ecx+04], eax
:004224BA 895108                  mov dword ptr [ecx+08], edx
:004224BD 8B542440                mov edx, dword ptr [esp+40]
:004224C1 89510C                  mov dword ptr [ecx+0C], edx
:004224C4 FF93B0020000            call dword ptr [ebx+000002B0]
:004224CA 85C0                    test eax, eax
:004224CC 7D12                    jge 004224E0              <- Here you land after window is drawn
:004224CE 68B0020000              push 000002B0
:004224D3 6814E94000              push 0040E914
:004224D8 56                      push esi
:004224D9 50                      push eax

---------End-of-partial-code---------

If we want to take out the error message we'll have to take out the whole call. How? By setting a "RET" at the start of the call:

:004223E0 83EC10                  sub esp, 00000010

becomes....

:004223E0 C3                      ret
:004223E1 90                      nop
:004223E2 90                      nop

This way our program is cracked :) Thx to a stupid bug in the prog. Now you probably wonder HOW this could be possible? Well, after executing the error call, the program jumps to the "make-registered" part of the code instead of the "remain-unregistered" part ;)
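The security-relevant point in the paragraph above is the shape of the error handling, not the patch: a runtime error raised while converting the serial is reported, and execution then continues on the "registered" side of the check, so the check fails open. The C program below is an added example written for this page; it is not SpeedTec's code and not the tutorial author's. Its expected_serial() rule, MAX_SERIAL_LEN and the 511-digit test serial are constructed for illustration only. It puts that fail-open shape next to a fail-closed check that bounds and validates the input before conversion and treats every conversion error as a rejection.

```c
/*
 * Added example (not SpeedTec's code, not the tutorial author's): a license
 * check whose conversion-overflow error path falls through into the
 * "registered" branch, next to a fail-closed version.
 * expected_serial(), MAX_SERIAL_LEN and the test inputs are constructed.
 */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { UNREGISTERED = 0, REGISTERED = 1 };
#define MAX_SERIAL_LEN 12   /* constructed limit: longest serial ever issued */

/* Constructed vendor-side rule (FNV-1a style mix of the name, kept to 32 bits).
 * Stands in for whatever the real routine did; chosen only to be checkable. */
static unsigned long expected_serial(const char *user)
{
    unsigned long h = 2166136261UL;
    for (; *user; user++)
        h = ((h ^ (unsigned char)*user) * 16777619UL) & 0xFFFFFFFFUL;
    return h;
}

/* Writes the serial the (constructed) vendor would issue for `user`. */
int make_serial(const char *user, char *out, size_t n)
{
    return snprintf(out, n, "%lu", expected_serial(user));
}

/* Vulnerable shape: the serial is converted to a double before any length or
 * digit check; on overflow the handler shows the error box and then falls
 * through into the accept path, so an overlong serial "registers" the program. */
int check_failopen(const char *user, const char *serial, int *error_shown)
{
    double v;
    *error_shown = 0;
    errno = 0;
    v = strtod(serial, NULL);              /* unchecked conversion into a float */
    if (errno == ERANGE)
        goto overflow_error;
    if (v == (double)expected_serial(user))
        goto accept;
    goto reject;

overflow_error:
    *error_shown = 1;                      /* the "Overflow" box with its OK button */
    /* BUG: no `goto reject` here; control falls straight into the accept path */
accept:
    return REGISTERED;
reject:
    return UNREGISTERED;
}

/* Fail-closed shape: reject anything that is not a short all-digit string,
 * convert with an explicit range check, compare as integers (no float
 * rounding), and treat every error as "not registered". */
int check_failclosed(const char *user, const char *serial)
{
    size_t len = strlen(serial), i;
    unsigned long long v;
    char *end;

    if (len == 0 || len > MAX_SERIAL_LEN)
        return UNREGISTERED;               /* overlong input never reaches the converter */
    for (i = 0; i < len; i++)
        if (!isdigit((unsigned char)serial[i]))
            return UNREGISTERED;

    errno = 0;
    v = strtoull(serial, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return UNREGISTERED;               /* a conversion error is a rejection, never a fallthrough */
    return v == expected_serial(user) ? REGISTERED : UNREGISTERED;
}

int main(void)
{
    char good[32], huge[512];
    int shown;

    make_serial("BlackB", good, sizeof good);
    memset(huge, '9', sizeof huge - 1);    /* constructed: far beyond any double */
    huge[sizeof huge - 1] = '\0';

    printf("good serial: failopen=%d failclosed=%d\n",
           check_failopen("BlackB", good, &shown), check_failclosed("BlackB", good));
    printf("huge serial: failopen=%d (error box shown=%d) failclosed=%d\n",
           check_failopen("BlackB", huge, &shown), shown, check_failclosed("BlackB", huge));
    return 0;
}
```

Compile with any C99 compiler and run: the good serial is accepted by both checks, while the overlong serial is accepted only by check_failopen, which reports the overflow and returns REGISTERED anyway. The fix on the defender's side is not the length limit alone but the rule that no error path may share an exit with the accept path; with that rule in place, patching the error call out changes nothing about the result of the check.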

IV. In the end

Thx go to Nitrus (for helping me out with some C++ source concerning this program). Greets to all guyz who ever helped me out! BlackB

Essay written by The Blackbird © 1999-2000. This essay can be freely distributed/published/printed etc... as long as no modifications are made.