AutoCAD R14 (French Version) - Tutorial by ACiD BuRN

"Well I decided to publish this tutorial by ACiD BuRN purely as an example of a very weak dongle protection and not a good example of how one should go about cracking Sentinel dongles ;-). Although I might criticise this tutorial from a reversing perspective I suppose there is some sort of paradox here, the fact that ACiD BuRN (a good reverser) was able to patch 5 bytes without really understanding or delving inside the Sentinel API is a pretty damning indictment of AutoCAD's protectionists. Of course this says nothing for Sentinel themselves." "Edited (a lot) by CrackZ".

Tools Used

SoftICE v3.x / 4.0x.
Your own favourite HEX editor (I use Hex Workshop).

History

I cracked this application a long time ago; it was hard for me and it took me several days. The hardest part was to break at the dongle check code. Back then I cracked it like a moron and it sometimes crashed. A few days ago, I was finishing another keygen and was kinda bored, so I thought about doing something else. What about AutoCAD 14? BTW, dongles are the most expensive protection out there! This application costs about $7000. I cracked it properly in about 2 hours (including disassembling), and this time NO more crashes ;-).

1). OK. Let's look at this target. I started the installation, which was very slow. Once installed, go into the target directory. There is an executable, Acad.exe, and lots of DLL files. I ran the target and it started by showing me a message box, saying :-

"ERREUR FATALE : Le system de securité (verrouillage materiel..."
"FATAL ERROR : Security System is missing!..."

Well, it nags us because the dongle is missing. Let's have a deeper look. I fired up SoftICE and set the usual breakpoint on LPT1 (BPIO -H 378 R). We land here :-

MOV [ESP+05],AL ; Here.
MOV WORD PTR [ESI+68],0001
MOV AL,[ESP+05]
MOV [ESI+15],AL
MOV [ESI+14],AL
POP ESI
ADD ESP,04
RET

We are in the chat_to_dongle routine and if we look below the data section we see : SENTINELXXX. You probably know that there are several companies out there who provide dongle protections (e.g. HASP, Sentinel, DESKey, Activator/Unikey and many others), so we can conclude that we are dealing with a Sentinel dongle. We are in the SENTINEL.VXD file. We want to see the big call that is responsible for the check, so we have to hit F12 3 or 4 times, and we are now here :-

PUSH EAX
PUSH EBP
PUSH EDI
CALL CE5B34B0 ; Our call.
SHR BYTE PTR [ESP+1F],01 ; Back here.
ADD ESP,0C
OR BL,AL
DEC SI
JNZ CE5B35CD

Having a look at the code above won't help us a lot :-(. I have seen several dongle essays that are almost done once we have taken the steps we just did! Sometimes after the call there is a suspicious CMP register, value_if_dongle_plugged followed by a jmp_beggar_off if not equal, setting a bad boy flag. Anyway, we aren't lucky, this won't be that simple; after playing a bit with this code (tracing the call, looking for some compares) I pressed F12 some more times but couldn't find anything really interesting. I want to come back to Acad.exe; I'm not going to crack the dongle driver because most of the time the weakness is on the application side.

Next I tried bpx CreateFileA, since it is a VXD, but didn't get very far. Well, why not disassemble it? With some luck the error message will be in the string data references (don't dream too much though, it isn't there). It's going to take ages to disassemble, which is why I didn't use IDA; our target executable file is about 7.24 MB. After a long time the target has been disassembled; first save the result, we don't want to wait again. So, with fool's hope, we look in the string data references and, look, it isn't found, though I already knew that.

How can we attack it now? What about looking in the import references to see what the dongle code uses? We could find an API to break on. I can't see anything good in User, so let's have a look at Kernel, where I found something interesting :-

DeviceIoControl

Never seen this before, but the name sounds pretty good, doesn't it? Now fire up our target: it broke, press F12 to get out of the DLL and we are in Acad.exe. Looking at the code around, I pressed F12 some more times; here comes my winice.log :-

:0098B1AF MOV AX,[ESP+02] ; AX = some value.
:0098B1B4 ADD ESP,04
:0098B1B7 RET 8

// After the RET we land here :-

:006ABE9A MOVSX EAX,AX
:006ABE9D CMP EAX,-01 ; Is EAX = FFFF?.
:006ABEA0 JZ 006ABEA7 ; Jump 6ABEA7.
:006ABEA2 AND EAX,0000FFFF
:006ABEA7 POP EDI
:006ABEA8 RET ; Return.

// the most important part here :-

:006ABDBD PUSH 00A770F4
:006ABDC2 CALL 006ABE80
:006ABDC7 ADD ESP,04
:006ABDCA CMP EAX,0000DCFD ; Is EAX=DCFD?.
:006ABDCF JZ 006ABDD9 ; Yeah! dongle plugged :-).
:006ABDD1 INC EDI
:006ABDD2 CMP EDI,04
:006ABDD5 JLE 006ABD7A
:006ABDD7 JMP 006ABDF0 ; No thanks.
:006ABDD9 MOV ECX,[00A77188] ; Dongle here.
:006ABDDF XOR SI,SI
:006ABDE2 MOV EAX,[00A77184]
:006ABDE7 MOV EDX,[EAX*4+ECX]
:006ABDEA MOV DWORD PTR [EDX],00000002
:006ABDF0 MOV ECX,[00A77184] ; No dongle.

OK, first I thought about changing the :-

:006ABDCA CMP EAX,0000DCFD ; Is EAX=DCFD?.
:006ABDCF JZ 006ABDD9 ; Yeah! dongle plugged.

In :-

:006ABDCA CMP EAX,0000DCFD
:006ABDCF JMP 006ABDD9 ; Jump.

It looks like the value in EAX is important, because AutoCAD started to run and then crashed. What we have to do is force EAX to be equal to DCFD. Where are we going to patch our target? Well, remember the place where a value was placed in AX? Let me refresh your memory with the code snippet below :-

:0098B1AF MOV AX,[ESP+02] ; AX = some value.
:0098B1B4 ADD ESP,04
:0098B1B7 RET 8

So we just need EAX=DCFD forever and this code becomes :-

66B8FDDC MOV AX,DCFD
90 NOP ; 1 NOP required.
C20800 RET 8 ; No change.

Simple, isn't it? ;-). Now patch your target and run it to see!

Conclusion

It works. Test it a bit, try several options in case of other checks. I let the program run for 25 minutes and it didn't crash or close. I gave my crack to a friend who uses this application for his job and I asked him if it crashed or if he came across some *bugs*; he didn't. Of course this friend had a dongle and the licence! We aren't going to use AutoCAD without it, are we ;-).

In short, this is a poor protection for a $7000 application; the dongle could have been replaced by a good serial scheme or keyfile protection.
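The following C program is an added illustration by the editor, not code from the tutorial, from AutoCAD or from Sentinel. It models why the five-byte patch above is enough: the application treats the dongle reply as a boolean (one read, one CMP against the constant DCFD), so any routine that returns DCFD satisfies it. It goes one step beyond the text by placing next to that weak check a form in which the replies are key material that decrypts data the program needs. The opcodes, the toy transform with its constant 0xA5C3, the two challenges, the encrypted blob and every function name are constructed for this example. The caveat a protectionist should keep in mind is that the challenge/reply pairs still ship inside the binary, so this raises the bar rather than removing it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not AutoCAD's or Sentinel's code) of the check the
 * tutorial patches, next to a check that binds program data to the reply. */

#define EXPECTED_ID 0xDCFDu          /* the constant behind CMP EAX,0000DCFD */

enum { OP_READ_ID = 0, OP_CHALLENGE = 1 };   /* assumed query opcodes */

/* Stand-in for the query routine at 0098B1AF: takes an op and an argument,
 * returns what would end up in AX. */
typedef uint16_t (*query_fn)(uint16_t op, uint16_t arg);

/* Toy keyed transform standing in for whatever the hardware computes; the
 * secret 0xA5C3 is constructed and would live only inside the dongle. */
static uint16_t dongle_transform(uint16_t c)
{
    uint16_t x = c ^ 0xA5C3u;
    x = (uint16_t)((x << 5) | (x >> 11));    /* rotate left by 5 */
    return x ^ 0x5A17u;
}

/* Genuine dongle: answers DCFD to an identifier read, and the keyed
 * transform of the argument to a challenge. */
static uint16_t real_dongle(uint16_t op, uint16_t arg)
{
    return op == OP_READ_ID ? (uint16_t)EXPECTED_ID : dongle_transform(arg);
}

/* The five-byte patch from the page, MOV AX,DCFD / NOP / RET 8, applied at
 * the common exit of the query routine: every query "returns" DCFD. */
static uint16_t patched_dongle(uint16_t op, uint16_t arg)
{
    (void)op; (void)arg;
    return (uint16_t)EXPECTED_ID;
}

/* Weak check, the shape of 006ABDCA: one read, one compare with a constant. */
int weak_check(query_fn q)
{
    return q(OP_READ_ID, 0) == EXPECTED_ID;
}

/* Build-time data: two challenges and the string "LICENSED" XOR-encrypted
 * with the genuine replies to them (E243 and E223 under the toy transform),
 * used as the repeating 4-byte key E2 43 E2 23. Constructed values. */
static const uint16_t CHALLENGES[2] = { 0x0001, 0x0002 };
static const uint8_t  BLOB[8] = { 0xAE, 0x0A, 0xA1, 0x66, 0xAC, 0x10, 0xA7, 0x67 };

/* Stronger check: the replies are key material, not a boolean. Writes the
 * decrypted blob into out and returns 1 only if it reads "LICENSED"; a
 * routine that always answers DCFD produces garbage instead. */
int bound_check(query_fn q, char out[9])
{
    uint8_t key[4];
    for (int i = 0; i < 2; i++) {
        uint16_t r = q(OP_CHALLENGE, CHALLENGES[i]);
        key[2 * i]     = (uint8_t)(r >> 8);
        key[2 * i + 1] = (uint8_t)(r & 0xFFu);
    }
    for (int i = 0; i < 8; i++)
        out[i] = (char)(BLOB[i] ^ key[i % 4]);
    out[8] = '\0';
    return memcmp(out, "LICENSED", 8) == 0;
}

int main(void)
{
    char buf[9];
    printf("weak check,  real dongle    : %d\n", weak_check(real_dongle));
    printf("weak check,  patched routine: %d\n", weak_check(patched_dongle));
    printf("bound check, real dongle    : %d\n", bound_check(real_dongle, buf));
    printf("bound check, patched routine: %d\n", bound_check(patched_dongle, buf));
    return 0;
}
```

Run stand-alone it prints 1, 1, 1, 0: the constant patch satisfies the weak check exactly as the tutorial describes, while the bound check fails because the program needs two different replies and gets DCFD for both.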

ACiD BuRN [Immortal Descendants].



© 1998, 1999, 2000 ACiD BuRN, CrackZ. 19th August 2000.