(a clever, beautiful protection: wars between keys and the FFFFFFF8 monster)
by Hackmore Readrite , 7 January 1998
That's how the light gets in
An useful essay for intermediate and advanced crackers in order to see an example of some of the paths followed by clever protectionists when developing new protection schemes. Read and head: not all of them are stupid.
(a clever, beautiful protection: wars between keys and the FFFFFFF8 monster)
Written by Hackmore Readrite
No intro
~
Target URL
Softice is a must
~
Targets Size Description ------- ---- ----------- EFT111.EXE 690 Kb E-mail Ferret FFT111.EXE 724 Kb File Ferret IFT111.EXE 678 Kb IRC Ferret NFT111.EXE 694 Kb News Ferret PFT111.EXE 673 Kb Phone Ferret WEBFERRET110.EXE 620 Kb Web Ferret WFPEV.EXE 732 Kb Web Ferret Pro Evaluation Copy FROM: ftp://ferret.aitcom.net/pub/ferret AND: http://www.ferretsoft.com/ferret/
H
E
E
S
S
A
Y
Notes: Program descriptions are available at the "http" address, but
the "Web Ferret Pro" program is ONLY available at the "ftp" site. Also
available at the "ftp" site is a program named "NFupgrade111.exe", which
is just an upgrade utility to convert "older" versions of these programs
to the "current" version, which is Version 1.11 for all of the programs
listed except the Web Ferrets.
WFPEV.exe is time crippled at install AND at run-time. It is also
"missing" some code to turn off the advertising, but I'll show you how
to get around these problems later. Despite these "problems", you'll want
to download "WFPEV.exe" instead of "WebFerret110.exe" because "WFPEV.exe"
is the "PRO" version, which does boolean searches, allows deletes, and
has several other "nessesary" features. Get it as soon as you can,
because it has already expired and will probably be removed from the
server as soon as someone notices it's still taking up space.
---------------------------------------------------------------------------
WHAT DO THESE PROGRAMS DO?
--------------------------
These are very compact "search engines" which live on your hard drive.
You enter query strings, just like you would at any search engine, and
these programs will search ALL of the search engines you select. The
results can be saved for future use, or used imediately if you choose.
For instance, using Web Ferret and Win95 as an example, you would go
to "find" on your "start" menu, click "web pages" to start the program,
type in "fravia" and "cracking" as the items to search for, then click
"find", and you'll get a listing containing every web page listed on the
search engines that contain the text "fravia" and "cracking". Point your
mouse at any listing, and you'll see the begining text from that web page,
click on a listing to open your browser and load the web page.
The boolean feature in the Pro version is especialy helpful. You can
search for "cars AND trucks [but] NOT convertibles", as stated by the
company. Features like these can be real handy when searching for a
certain file, web-site, E-mail address, or IRC channel.
------------------------------------------------------------------------
WHAT'S THE PROBLEM?
-------------------
Cash flow, or boredom, depending on WHY you crack. These programs are
VERY reasonably priced, and worth the investment! It was the sales
tactics which drew my attention to these programs, and the encryption
technique which drew my interest.
When you install these programs, you enter your name and company, then
click the "next" button, and enter your serial number and registration
"key", or just leave these two feilds blank to take the program for a
test drive.
After installation, you'll want to run the program, of course. It is
then that you will discover the sales tactics. A banner will continualy
display adds, on YOUR monitor! This can NOT be tolerated! The "view"
menu has an "option" to turn OFF advertising, but this option has been
disabled, until you register the program.
They could have lost a sale because the time I WOULD have spent earning
money to pay for these programs HAD to be spent removing thier advertising
instead. How do they expect me to test drive thier product with those
awful banners constantly distracting me?
Even though we've got the program installed on our hard drives, the
original install program is nessesary to register the program, so don't
delete it yet. Let's fix these programs so we can test them without all
of those distractions! The Web Ferret Pro is totaly different from all
of the other programs listed above, so I'll cover it a bit later in this
essay, but here is what you'll need to fix ALL of the other programs.
------------------------------------------------------------------------
Even though we will NOT be going into the encryption scheme used in
this program in this essay, I urge you to study it. It wont be nessesary
for cracking these programs, but the author has done a very fine job of
encrypting things, and deserves honors for his style and technique.
Unfortunately, he forgot that, no matter how well he encrypts his
passwords, it MUST always boil down to a simple "go here, or go there"
instruction in the end.
For those of you who are too lazy to study, I'll give you a short
description of how this encryption scheme is implimented. For those of
you who DO study this, be VERY careful, one slight miscalculation will
crash your computer! You should become very familiar with the "hboot"
command inside Soft-Ice. Even minimizing the loader screen to the
taskbar will lock up your computer.
The serial number must contain five digits for reasons I'll explain
later, and the "key" number must contain nine digits to activate the
"next" button, which is deactivated as soon as you enter the first
digit of the serial number.
After you've typed in your serial number and registration key number,
locate them, and set BPR's on them inside Soft-Ice. Then click on the
"next" button. You'll break into the protection scheme at CS:004026D4.
The "key" that you typed in, as you'll learn, is the "key" to unlocking
the program. The serial number is only used to set a counter.
The "key" value does it's usual trip through memory addresses until
it finaly ends up on the stack. The center digit has been removed, so
now your "key" is a "handy" eight characters long, so it fits nicely
into the registers. After the string was shortened to eight characters,
it was counted in the usual mannor by placing FFFFFFFF in ECX. The result
was inverted, as usual, to obtain the "decimal" byte count of "8", but it
was also saved, uninverted as FFFFFFF8, to crash your computer!
At this point, we find another key already waiting for us at DS:0041C540.
This second key is 12h bytes long, and is comprised in three parts,
using the starting values:
"12345678" "23456789" and "34567890"
To make a long story short, these three groups of eight numbers are
sent to war against the "key" value you typed in, AND against the other
"eight number" groups. It's like a war between four countrys, with EACH
country fighting the other three countrys. They are beat against each
other in just about every way imaginable until nothing is left but a
mangled, un-recognizable, eight character string of garbage.
From time to time, the 12h byte string is "refreshed" with the
original numbers I've listed above. But the war continues. And when the
smoke has cleared, we can finaly do a few comparisons. If you've followed
this through, you should find yourself at CS:0040EC3D.
Again, the author was very clever. Every time you THINK EAX should be
set to "01", it should be a "00", and vise versa. Keep this in mind,
because, as I mentioned earlier, we're set up to crash! Any time you
choose the "wrong" path to take after a CMP or TEST instruction, the
program will find its way back to that FFFFFFF8 monster, and use it to
crash your system. So choose wisely. Remember that you've entered bad
data, so if the program "wants" to go one way, it probably "should" go
the other way instead. Also remember, thats NOT always true!
But, alas, we've made it to the check point. Lamers can just set your
breakpoints to the following addresses. Lamers are lamers because they
miss all of the fun stuff, YOU decide who you are!
------------------------------------------------------------------------
1st check: ; [ESP+0C] holds the
; encrypted value of
; your input "key"
:0040EC3D 8B44242C mov eax, dword ptr [esp+2C] ; the GOOD number
:0040EC41 83C40C add esp, 0000000C
:0040EC44 3944240C cmp dword ptr [esp+0C], eax ; the first "test"
:0040EC48 7525 jne 0040EC6F ; a bad place to go!
------------------------------------------------------------------------
Here, the GOOD value is stored at [ESP+2C]. Then it's MOVed to EAX to
be CoMPared to the encrypted value of the "key" you typed in, which is
stored at [ESP+0C]. Assuming EAX is "59 42 55 f8" and [ESP+0C] is
"22 47 39 23", you might encounter a slight "problem" when you arrive at
the JNE instruction. To repair this "problem" when the two numbers do NOT
match, simply edit memory in Soft-Ice, as follows:
d esp+0c <--- dumps the "defective" bytes on the stack eb <--- places your cursor ON the first "defective" byte in the data box f8554259 <--- remember, things are stored backwards in memory, so you have to enter the correct bytes into the data box in reverse as well. <--- puts your cursor back into the command box This "problem" is now solved, but don't hit "F5" or yet! We
still have a couple of checks left, and FFFFFFF8 is sitting on the stack
just WAITING for us to make a mistake so it can crash our computers! If
you decided to "repair" the JMP instruction above, instead of entering
the proper data, you'll learn just how effective that FFFFFFF8 monster
can be, when you have to re-start your computer.
Wander through the code just a while longer, and eventualy you'll come
across the next check. Again, the lamers can just set thier breakpoints
here, but they'll miss the full beauty of the authors protection scheme.
------------------------------------------------------------------------
2nd check:
:0040E92F 8B8D70FFFFFF mov ecx, dword ptr [ebp+FFFFFF70] ; the GOOD number
:0040E935 3B01 cmp eax, dword ptr [ecx] ; the 2nd "test"
:0040E937 0F850E000000 jne 0040E94B ; a BAD place
------------------------------------------------------------------------
Here we find another instance of the encrypted version of the "key"
you entered being CoMPared to a "good" number. You might notice that
both of these numbers are quite different from the numbers you used
to fix that last "problem" we had.
The repair technique is the same though. Simply copy the value you
find at ECX into EAX. Please note that ECX holds the ADDRESS of the
proper number, NOT the proper number itself! So DO NOT copy the ADDRESS
into eax, and DO NOT try to "repair" the JMP instruction, or the FFFFFFF8
monster will get you!
There is one more check that must be made, but if you typed in a five
digit serial number like I told you to, feel free to hit "F5" or
at any time now. Your program will be fully registered. When the program
is registered, it will write a 398 byte (18Eh) "lic" key into your
registry, and any disabled functions and menu items will be enabled.
For those of you who typed in more than five digits, follow the code
a bit further. The program will simply count the number of digits you
entered, then use the result of the count to check some strings in
memory. So if you entered seven digits, it will look for seven strings.
The problem here is that there are only FIVE strings in memory to be
checked. And the FFFFFFF8 monster is STILL waiting!
You can fix this problem by fixing the count when the result is placed
in EAX. Simply change the value to "5", then quit Soft-Ice and your
program will be fully registered.
These techniques will fully register ALL of the FerretSoft programs
except for the Web Ferrets. Web Ferret is a "crippled" version of the
Web Ferret Pro program, which is offered just to get you interested in
the product, so you'll break down and "pay" for the "real" program.
Web Ferret Pro is NOT offered in any form as a demo. Fortunately for
us, FerretSoft left an evaluation copy on thier ftp server for us to
play with. Since it's an evaluation copy, we'll need to treat it just
a bit differently.
------------------------------------------------------------------------
WHAT ABOUT THAT MONSTER?
------------------------
If ANY of the "checks" fail, (and there are MANY more than I've
mentioned here), the program begins encrypting data against the 12h byte
string. Each pass through the encryption process will decrement the
FFFFFFF8 monster by "1", so you "could" go through the encryption process
4,294,967,288 times, theoreticaly! Of course, this would never happen
because each pass is directed towards a different byte in memory, so
eventualy you encounter a "Memory Out Of Range" error message. With
Soft-Ice running, you'll never get back into the program to see that
message though. And, as I mentioned earlier, even minimizing the Loader
window used to load the program will cause a crash.
------------------------------------------------------------------------
WEB FERRET PRO
--------------
Now let's install the Web Ferret Pro program. This program has a time
lock when we try to install it. All we get is an error message informing
us that the trial period is over. Later, when we get to run this program,
we'll see that it expired December 31st, 1997. We can "fix" that though.
So lets get to work!
STEP 1
------
In Soft-Ice, set a BPX on GetLocalTime. Then start the "WFPEV.EXE"
program. When Soft-Ice breaks, you'll be at the first line of the
GetLocalTime function. Press "F12" to return to the WFPEV code, (read
the title on the line that runs across your screen inside Soft-Ice.)
Trace through the code about fifteen steps until you find the following
line of code:
:00413716 0594F8FFFF ADD EAX, FFFFF894
As soon as this instruction has executed, change EAX to "0" with the
instruction:
r eax=0
Then let the installation run its course. The program will install,
but as soon as you try to run it, you'll get the same "expired" error
message.
If you cancelled your breakpoint, re-set it. If you did not cancel it,
you should already be where you need to be. We're just going to do that
last "fix" all over again, except this time we'll need to make it a
permanent repair using a hex editor.
When Soft-Ice breaks at GetLocalTime, just press "F12" again, to return
to the WFPEV code, then trace about fifteen instructions again, and you
should see:
:004BD162 0594F8FFFF ADD EAX, FFFFF894
Which we need to change to:
:004BD162 B800000000 mov eax, 00000000
This will ALWAYS tell the program that this is the first time you
have ever used it. Be sure to write down the hex bytes of the
instructions around this instruction. You will need them to locate this
spot in your hex editor when we make these changes permanent.
STEP 2
------
This step is strictly cosmetic. You can skip it if you're in a hurry
and don't care what your menu looks like. Because this is an "evaluation"
copy, they didn't bother to put in all that code it takes to enable or
disable a menu item. They also left out the code needed to make the
function work, in case "WE" got a copy of the program.
What function? The one to turn off the advertising, of course! They
just tossed in a few lines of code to make sure the adds would ALWAYS
run. So skip these steps if you like to see advertisments, too!
To enable the menu item "advertisment" on the "view" menu, set a
breakpoint on "EnableMenuItem". When Soft-Ice breaks, use "F12" again
until you return to the WFPEV code. Then, back-trace through the code
until you reach this line of code:
:0048DD7A 6A00 push 00000000 <--- disable menu item Which we'll have to change to: :0048DD7A 6A01 push 00000001 <---enable menu item Write down those bytes again, so you'll be able to locate this spot in your hex editor. Even though you will be "enabling" this menu item, please keep in mind, it's ONLY cosmetic! The code "is.class" tppabs="http://fravia.org/is.class" missing from the program to make this function work. STEP 3 To add or remove the checkmark on the menu item, set a breakpoint on "CheckMenuItem". When Soft-Ice breaks, "F12" again to return to the WFPEV code, then back-trace some more until you find: :0046FDE4 B001 mov al, 01 <--- enable checkmark Which you can change to: :0046FDE4 B000 mov al, 00 <--- disable checkmark Again, this is just cosmetic, so turn the checkmark "on" or "off" according to your own preferences. The code inside the program has been reduced and set so that the "advertising" item on the menu is always checked, clicking the "advertising" item does nothing, and the advertisements will just keep displaying on your screen regaurdless of how you have these menu items set up. STEP 4 And finaly, a cut to the heart of this well thought out advertising ploy. It's time to stop those adds! But first a small confession. I only used a dead listing generated from WDASM when cracking this program, and I can't remember what led me to the next line of code. I can tell you, I searched for "GIF" in the dead listing, then followed the code until I reached this line: :004379C4 7305 jnb 004379CB <--- jump to a new image Which we change to: :004379C4 EB00 jMP 004379C6 <--- don't bother to jump This turns off the advertising because the program will never go to get the next advertisment. So now you can load WebFerret.exe into your hex editor, search for the byte strings you've written down, and make the modifications you desire to get this program up and running. That's it! Now you should be able to search the web much more effectivly, but please keep this in mind...
These programs are the ONLY programs sold by FerretSoft. If you make a
key generator, or crack these programs and give them away for free to lamers
in ANY form, you will be damaging FerretSoft in a way which COULD put them
out of business and you will still remain a lame idiot anyway, since anybody
on the scene will know that you just ripped my essay off!
Please STUDY these protection schemes, and use them all you like in
order to implement and ameliorate your own protections, but if you
decide to KEEP the ferret programs, please PAY for them. The programmer(s)
(must be at least two: a clever one that devised the protection and an
idiot that devised the advertising cram) have worked very hard to create
these beautiful protections for us, they studied encryption techniques the
same way you have, and worked very hard to implement those techniques in
an effective manner. They did a great job, but messed up just a bit at
the end.
This is NOT a "greedy" company like M$, they have priced thier products
very reasonably. Even thier advertising techniques are "original" to say
the least. So be kind, and treat this company with a bit of respect. If
you do, they might dream up even BETTER stuff for our private pleasure.
Search well...
Hackmore Readrite
Data Miners Inc.
Back to advanced cracking
homepage
links
anonymity
+ORC
students' essays
academy database
tools
cocktails
antismut CGI-scripts
search_forms
mail_fravia+
Is reverse engineering legal?