Ok, load your protected target in order to disassemble the progress and watch how
softSENTRY does work. For disassemble we will use SoftICE, because Wdasm89 seem to
crash when we try to load this target. The Protected file, and the original file
have a different size. Good, you'll probably expect, as I did, some encryption and
variable random protection scheme inside the target. You're in for a surprise.
Now hold your breath: this is the entry point for ALL PROTECTED FILES:
:004B066F CC int 3
:004B0670 55 push ebp ; <----- We start here
:004B0671 8BEC mov ebp,esp
:004B0673 83EC48 sub esp,00000048
:004B0676 53 push ebx
:004B0677 56 push esi
:004B0678 57 push edi
:004B0679 E950000000 jmp 004B06CE
:004B067E 0000 add [eax],al
:004B0680 7006 jo 004B0688
Look! All protected files, have the same pattern, whit the same JUMP (coded as E950000000)!
This is very useful, for us; it means that searching any 'protected' file for this pattern:
55 8B EC 83 EC 48 53 56 57 E9 50 00 00 00
Will give us, the entry-point of the program, and tell us if the program has been
'protected' with SoftSentry2 Scheme! I told you you would have opened your mouths in
awe. Incredible, and very very silly. The stupid JUMP 4b6ce (very insolit),
points the EIP to the real protection routine (you can easy realize it tracing over
the code).
This routine jumps different for each type of 'protection scheme' that the programmer have
selected to use: Time limit, splash...etc. If the Protection fails, you will land AT
00093C9B:
00093C82: 8B4508 mov eax,[ebp][00008] ; Load right value to pass to the call..
00093C85: 50 push eax ; ..push it!..
00093C86: 68A0324B00 push 004B32A0 ; idem
00093C8B: FF156C744B00 call [0004B746C] ; This is a Call [User32!UnregisterClass]
00093C91: E88A000000 call 001279B1 ; *** LOAD THE RESOURCE OF THE
MAIN PROGRAM!
00093C96: E825000000 call 00127956 ; *** This CALL, Run THE MAIN
PROGRAM!
00093C9B: 8B45B8 mov eax,[ebp][0FFB8] ; *** HERE YOU LAND! If the check
routine fails!
; Load handle of the main?
00093C9E: 50 push eax ; prepare for the call
00093C9F: FF15E4734B00 call [0004B73E4] ; This is CALL [Kernel32!ExitProcess]
; and the program terminate
This 2 Calls at 93C91, 93C96 are the FULL programs completely free from any NAG, Splash,
time-limit, whatever 'ptotection' had been chosen (I know, because I have execute it!);
and if you compare this source with any other program protected, you'll see that both
calls are ALWAYS coded as
E8 8A 00 00 00 E8 25 00 00 00
^^^^^ ^^^^^
1st CALL 2nd Call
(use a hex editor to search)
Very nice!.. so the protection scheme work as:
:MAINPROGRAM-PROTECTED
Jmp SoftSentriProtection (Always E950000000)
:End MAINPROGRAM-PROTECTED
:SoftSentriProtection
// Put Here your nag-splash-timelimit code //
// made whit the SoftSentr2.007 //
IF (TrialPeriod==OK) Then
CALL LoadResouce_FullProgram (Always E88A000000)
CALL Run_Fullprogram (Always E825000000)
Else
Kernel21!CallExitprocess
:End SoftSentriProtection
OK? Now we can write a GeneralCrack for this incredibly silly Commercial Protection Scheme,
simply changing the first jump (coded as E950000000) with the right code of the 2 CALL
(which, as you remember, was always E88A000000 E825000000). OK?
1) Search for 55 8B EC 83 EC 48 53 56 57 E9 50 00 00 00
^^^^^^^^^^^^^^ THE JUMP!
2) Replace With E8A2040000 E83D040000 (*)
1St Call 2nd Call
(*) Note the code of the 2 call has been recalculated for the new position
(always the same! Just track it whitin your debugger!)
Ok, we have killed another Commercial 'Protection' Scheme.
Hope you'll understand the whole point: Never never never use 'commercial' ready-made
protections! Commercial oriented programmers are the most useless and stupid programmer
breed, they will NEVER be able to offer you any real protection whatsoever... for
godzilla's sake create your own protections, it's not so difficult after all, and you
will at the very least know what you're doing.
|
00. INDEX
09. Commerical Protection Systems
5 softSENTRY