-----------------------------------------------------------------------------
                       A S T A L A V I S T A
-----------------------------------------------------------------------------
 Date   : 7. Sept 2000
 Title  : LICENSING PERFECT DISK 2000 FROM DEMO VERSION
 Source : http://www.AstaLaVista.com
 Writer : FoolFox
-----------------------------------------------------------------------------

--- [ INTRO ] ---------------------------------------------

 Title         : Perfect Disk 2000 - License Key
 Type of Crack : Registry Licence
 Author        : FoolFox
 OS            : M$ Windows 2000

--- [ DETAILS ] -------------------------------------------

 Software : Raxco PerfectDisk 2000
 URL      : http://www.raxco.com
 Version  : 3.0.024 - English
 OS       : Windows 2000 (MS)
 Author   : Raxco Software, Inc.
 Editor   : Raxco Software, Inc.

--- [ TOOLS USED ] ----------------------------------------

 W32Dasm     (Debugger/Disassembler)
 Hexpert     (Hex editor)
 Regedit.exe (Registry editor)

--- [ HANDS ON ] ------------------------------------------

Defragmenting a hard drive is certainly a task you HAVE to do from time to time if you don't want to watch your latest baby swim more and more heavily as time passes... So, even though Windows 2000 gives you a small defragmentation tool among its system utilities (NT does not... :->), a GOOD defragmentation tool is still a good co-worker for all users. Raxco Software offers you a small tool of a few MB that can do, as THEY say, more than other products and better (extract from their web page: "Engineered for unprecedented performance and reliability", "Exclusive! Patented Smart Placement for disk optimization!", bla bla bla....).
I have to say that even though defragmenting a hard drive is not a complex operation, it still needs great reliability and careful thinking during the development phase: a bad bug can be really dramatic for the data that lies on your HD. So I was a bit surprised when I saw on the web page (this was on the French version; the English page differs, and I didn't go back to check whether they have changed it):

 Supported Platforms:
 Processors : INTEL, ALPHA AXP - Windows 95, Windows 98, Windows 98SE, Windows NT4, Windows 2000
 OS         : Windows NT 4.x from service pack 'SP5'
              Totally compliant Windows 2000

In my mind, classifying Windows 95, 98, 98SE, NT4 and Windows 2000 in the category "Processors" shows a monstrous lack of knowledge. Well, I guess it was not the developers who wrote this down. And personally, I expect at least (but maybe I'm asking for too much...) that software which works on a Windows 2000 "processor" is "compliant" with it.

Enough of that. Anyway, even if Raxco Software gives us nice software, it still has a 30-day limitation. Let's see if Raxco Software is as good at protection as at marketing advisories... (may I say: pseudo-technical?)

Starting the application pops up a window showing the following information:

 License type    : Demo
 License options : Defragmenting
                   Smart placement
                   Scheduling
 System type     : Workstation
 Days left       : 30 Days

We'll start directly by playing with the Windows date, just to see how the protection reacts. Double-click on the time in the tray bar and push the time forward by 26 hours. 26 hours because the license probably starts the first time we run the program, but probably only takes the rounded value of the time into account (so 26 hours = 24 hours (1 day) + a little safety margin...). Running PerfectDisk again:

 License type    : Demo
 License options : Defragmenting
                   Smart placement
                   Scheduling
 System type     : Workstation
 Days left       : 29 Days

Well. Apparently, they use a Windows function to retrieve the current time.
(A more effective and just as easy way would have been to look at the last modification time of a system file that is touched daily; a more effective and much more elegant way is to retrieve the date from the BIOS (imagine the number of shutdowns/restarts you would have to go through if you wanted to play with the date in such a case...).)

So now we change the date to 40 days after the installation date. Running the target again results in:

 License type    : Expired Demo
 License options : Defragmenting
 System type     : Workstation

Fewer options :->>. Setting our system back to the current date and running once more:

 License type    : Demo
 License options : Defragmenting
                   Smart placement
                   Scheduling
 System type     : Workstation
 Days left       : 30 jours

Excellent (from a cracker's point of view; from a security point of view, this is a pity). A protection that does not notice that its previous execution was expired proves a low-level control of the date... that is GOOD for us...

Before analysing the main executable, we'll have a look at what is written in the registry about Raxco. Of course, there are all the classical entries, but one more is added:

 [HKEY_LOCAL_MACHINE\SOFTWARE\Raxco\PerfectDisk\3.0]
 "LogSettings"=hex:01,00,00,00,01,00,00,00,27,43,3a,5c,....
 "Password"=hex:d4,1d,8c,d9,8f,00,b2,04,e9,80,09,98,ec,...
 "ProductId"="3.0"
 "Build"=dword:00000018
 "License Key"=hex:c6,45,45,60,1e,84,0c,31,47,51,88,38,...
 "Display"=hex:00,00,ff,00,ff,ff,00,00,ff,00,00,00,c0,...

The particularly interesting point is (guess why...):

 "License Key"=hex:c6,45,45,60,1e,84,0c,31,47,51,88,38,cc,40,4c,da,f1,40,ea,51,db,2f,96,e1

It seems that buying the software over the Internet leads you to receive a registry key that replaces the one we have, and most probably this key is enough to unlock the software. Notice that at this point we've used NO tools and done no reverse engineering, just poked around, and we already know so much about the target...
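The two weaknesses just observed (a demo that forgets it has expired, and a date check that trusts whatever the system clock says) are what a trial-period check has to close. The following is an added example, not code from the page or from Raxco's CLicense: a C trial check that keeps a persisted high-water mark of the clock and makes the expired state sticky. The record layout, the constants and the timestamps are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed persisted trial record (not Raxco's format). A product would store it in the
 * registry or a file under a keyed MAC so the fields themselves cannot simply be edited. */
#define DEMO_DAYS          30
#define DAY_SECONDS        86400L
#define ROLLBACK_TOLERANCE DAY_SECONDS   /* one day of slack for DST / timezone changes */

typedef struct {
    int64_t install_time;    /* first-run timestamp, seconds since epoch */
    int64_t last_seen_time;  /* highest clock value observed on any run */
    int     expired;         /* sticky flag: once set, no clock change clears it */
} trial_state_t;

typedef enum { LIC_DEMO, LIC_EXPIRED, LIC_TAMPERED } lic_status_t;

/* Evaluate the trial at startup using clock value 'now' and update the record
 * (the caller persists *st afterwards). *days_left receives the remaining days. */
lic_status_t trial_check(trial_state_t *st, int64_t now, int *days_left)
{
    *days_left = 0;
    if (st->expired)
        return LIC_EXPIRED;                      /* expiry survives any date change */
    if (now + ROLLBACK_TOLERANCE < st->last_seen_time) {
        st->expired = 1;                         /* clock moved backwards: lock the trial */
        return LIC_TAMPERED;
    }
    if (now > st->last_seen_time)
        st->last_seen_time = now;                /* monotonic high-water mark */
    int64_t elapsed_days = (st->last_seen_time - st->install_time) / DAY_SECONDS;
    if (elapsed_days >= DEMO_DAYS) {
        st->expired = 1;
        return LIC_EXPIRED;
    }
    *days_left = (int)(DEMO_DAYS - elapsed_days);
    return LIC_DEMO;
}

/* Replays the sequence from the text with constructed timestamps: install, +26h,
 * +40 days, then the date set back to the install date. Returns the final status. */
lic_status_t replay_page_scenario(void)
{
    const int64_t t0 = 1000000;                  /* constructed install timestamp */
    trial_state_t st = { t0, t0, 0 };
    int d;
    trial_check(&st, t0, &d);                    /* 30 days left */
    trial_check(&st, t0 + 26 * 3600, &d);        /* 29 days left */
    trial_check(&st, t0 + 40 * DAY_SECONDS, &d); /* expired demo */
    return trial_check(&st, t0, &d);             /* date restored: still expired */
}

int main(void)
{
    printf("after restoring the date: %s\n",
           replay_page_scenario() == LIC_EXPIRED ? "EXPIRED (sticky)" : "demo again");
    return 0;
}
```

With this logic the "set the date back and get 30 days again" step from the text yields LIC_EXPIRED, and a rollback of more than a day on a live trial yields LIC_TAMPERED.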
Time now to go to our favourite disassembler (W32Dasm) and load the main executable of our target (PerfectDisk.exe). At this point there are many ways to proceed. Personally, I'll have a close look at that "License Key", which will probably deactivate all protection mechanisms if we can lead the program to think it has got a GOOD key. But we could also track the messages shown by the first window, or play with the date...

So, we do a little search with W32Dasm for the term "software" (this term is contained in the registry key that holds the license). First result:

 * Possible StringData Ref from Data Obj ->"The license key entered is either "
                                        ->"invalid or expired. Please enter "
                                        ->"another key or contact Raxco Software "
                                        ->"to obtain a valid license key."

And a few lines before, we can find:

 * Reference To: PDCommon.?DecodeKey@CLicense@@QAEHVCString@@000@Z, Ord:00A3h
 |
 :00412E8B FF15D0FD4400   Call dword ptr [0044FDD0]
 :00412E91 85C0           test eax, eax
 :00412E93 752D           jne 00412EC2
 :00412E95 6A00           push 00000000
 :00412E97 6A00           push 00000000

 * Possible StringData Ref from Data Obj ->"The license key entered is either "
                                        ->"invalid or expired. Please enter "
                                        ->"another key or contact Raxco Software "
                                        ->"to obtain a valid license key."

A call to a function of the library PDCommon.dll (this library is installed by the software) that is sweetly named DecodeKey@CLicense@@QAEHVCString@@000@Z. DecodeKey. I imagine I have no need to explain to anyone out there what this function could be...

A few lines below, we find:

 * Reference To: PDCommon.?GetCurrentVersion@CLicense@@QAEKXZ, Ord:00BDh
 |
 :00412ED0 FF15D4FD4400   Call dword ptr [0044FDD4]
 :00412ED6 3BF0           cmp esi, eax
 :00412ED8 742D           je 00412F07
 :00412EDA 6A00           push 00000000
 :00412EDC 6A00           push 00000000

 * Possible StringData Ref from Data Obj ->"The license key entered is either "
                                        ->"invalid or expired. Please enter "
                                        ->"another key or contact Raxco Software "
                                        ->"to obtain a valid license key."
And if we continue the search, we'll find:

 * Possible StringData Ref from Data Obj ->"Software\Raxco\PerfectDisk\3.0 \"
 |
 :00413D75 6874364600   push 00463674
 * Reference To: MFC42u.MFC42u:NoName0282, Ord:021Ah
 |
 :00413D7A E8D13F0300   Call 00447D50
 :00413D7F 8945C8       mov dword ptr [ebp-38], eax

 * Possible StringData Ref from Data Obj ->"Software\Raxco\PerfectDisk\3.0 \"
 |
 :00413E22 68C4364600   push 004636C4
 * Reference To: MFC42u.MFC42u:NoName0282, Ord:021Ah
 |
 :00413E27 E8243F0300   Call 00447D50

 * Possible StringData Ref from Data Obj ->"Software\Raxco\PerfectDisk\3.0 \"
 |
 :0041F1AD 6868544600   push 00465468
 * Reference To: MFC42u.MFC42u:NoName0282, Ord:021Ah
 |
 :0041F1B2 E8998B0200   Call 00447D50
 :0041F1B7 8945C0       mov dword ptr [ebp-40], eax
 :0041F1BA 8D4DD0       lea ecx, dword ptr [ebp-30]

 * Possible StringData Ref from Data Obj ->"Software\Microsoft\Windows\CurrentVersion\App "
                                        ->"Paths\PerfectDisk.exe"
 |
 :0041F2EF 689C554600   push 0046559C
 :0041F2F4 8D4DCC       lea ecx, dword ptr [ebp-34]
 * Reference To: MFC42u.MFC42u:NoName0266, Ord:035Dh
 |
 :0041F2F7 E8F4890200   Call 00447CF0
 :0041F2FC 51           push ecx

 * Possible StringData Ref from Data Obj ->"Software\Microsoft\Windows\CurrentVersion\App "
                                        ->"Paths\PerfectDisk.exe"
 |
 :0041F4D6 6838574600   push 00465738
 :0041F4DB 8D4DCC       lea ecx, dword ptr [ebp-34]
 * Reference To: MFC42u.MFC42u:NoName0266, Ord:035Dh
 |
 :0041F4DE E80D880200   Call 00447CF0

 * Possible StringData Ref from Data Obj ->"Software\Microsoft\Windows\CurrentVersion\App "
                                        ->"Paths\PerfectDisk.exe"
 |
 :004471BC 68508E4600   push 00468E50
 :004471C1 8D4DB0       lea ecx, dword ptr [ebp-50]
 * Reference To: MFC42u.MFC42u:NoName0266, Ord:035Dh
 |
 :004471C4 E8270B0000   Call 00447CF0
 :004471C9 51           push ecx

A LOT of results. Damn. A (lame and quick) examination of the first two tests gives us:

 Call dword ptr [0044FDD0]   call function DecodeKey
 test eax, eax               test
 jne 00412EC2                jump if test OK
 ...show message
 00412EC2 ...

 Call dword ptr [0044FDD4]   call function GetCurrentVersion
 cmp esi, eax                compare
 je 00412F07                 jump if test OK
 ...show message

Before going any further, we'll give a simple test a try: just modify the two jumps to see if that is enough to unprotect the software. I can already say that this will probably not work (there is a test on the date that we have NOT found with our search), but if a few minutes are enough to check, it's worth the try. So with a hex editor, change the following instructions:

 :00412E93 752D   jne 00412EC2
 :00412ED8 742D   je 00412F07

into:

 :00412E93 742D   je 00412EC2
 :00412ED8 752D   jne 00412F07

Ran the software: no result. It could be interesting to take a closer look at this library, which could be the origin of the protection. We load the file PDCommon.dll and search for the term "license" in the list of exported functions, which yields about 20 functions containing this word:

 Addr:1000CB40 Ord:  15 (000Fh) Name: ??0CLicense@@QAE@XZ
 Addr:1000CC00 Ord:  51 (0033h) Name: ??1CLicense@@UAE@XZ
 Addr:1001CB90 Ord:  91 (005Bh) Name: ??_7CLicense@@6B@
 Addr:1000DA20 Ord: 131 (0083h) Name: ?ComputeChkSum@CLicense@@AAEEK@Z
 Addr:1000D7F0 Ord: 133 (0085h) Name: ?ComputeNumDaysLeft@CLicense@@QAEHXZ
 Addr:1000CA80 Ord: 153 (0099h) Name: ?CreateObject@CLicense@@SGPAVCObject@@XZ
 Addr:1000CFE0 Ord: 164 (00A4h) Name: ?DecodeKey@CLicense@@QAEHVCString@@000@Z
 Addr:1000D9A0 Ord: 165 (00A5h) Name: ?Decrypt@CLicense@@AAEXAAK0@Z
 Addr:1000D930 Ord: 176 (00B0h) Name: ?Encrypt@CLicense@@AAEXAAK0@Z
 Addr:1000CE00 Ord: 180 (00B4h) Name: ?GenerateKey@CLicense@@QAEXKKGAAVCString@@000@Z
 Addr:1000D860 Ord: 190 (00BEh) Name: ?GetCurrentVersion@CLicense@@QAEKXZ
 Addr:1000D660 Ord: 193 (00C1h) Name: ?GetDemoDays@CLicense@@QAEKXZ
 Addr:1000D640 Ord: 216 (00D8h) Name: ?GetInstallDate@CLicense@@QAE?AU_FILETIME@@XZ
 Addr:1000CAF0 Ord: 287 (011Fh) Name: ?GetRuntimeClass@CLicense@@UBEPAUCRuntimeClass@@XZ
 Addr:1000DAD0 Ord: 327 (0147h) Name: ?InsertChkSumToFlags@CLicense@@AAEKXZ
 Addr:1000D3C0 Ord: 339 (0153h) Name: ?IsDemo@CLicense@@QAEHXZ
 Addr:1000D3F0 Ord: 340 (0154h) Name: ?IsDemoExpired@CLicense@@QAEHXZ
 Addr:1000D3D0 Ord: 341 (0155h) Name: ?IsDemoExtend@CLicense@@QAEHXZ
 Addr:1000D3E0 Ord: 345 (0159h) Name: ?IsFull@CLicense@@QAEHXZ
 Addr:1000D670 Ord: 352 (0160h) Name: ?IsNormalDemo@CLicense@@QAEHVCString@@000@Z
 Addr:1000D400 Ord: 360 (0168h) Name: ?Load@CLicense@@QAEHXZ
 Addr:1000D2E0 Ord: 364 (016Ch) Name: ?LoadLicenseRegistryVer@CLicense@@QAEXXZ
 Addr:1000D520 Ord: 401 (0191h) Name: ?Save@CLicense@@QAEHXZ
 Addr:1000CC10 Ord: 416 (01A0h) Name: ?Serialize@CLicense@@UAEXAAVCArchive@@@Z
 Addr:1000D870 Ord: 461 (01CDh) Name: ?SetInstallDate@CLicense@@QAEXVCTime@@@Z
 Addr:1000D370 Ord: 466 (01D2h) Name: ?SetLicenseRegistry@CLicense@@QAEXXZ
 Addr:1000DA10 Ord: 532 (0214h) Name: ?Shift@CLicense@@AAEEKH@Z
 Addr:1000DA60 Ord: 550 (0226h) Name: ?VerifyChkSum@CLicense@@AAEHXZ
 Addr:1000CAE0 Ord: 567 (0237h) Name: ?_GetBaseClass@CLicense@@KGPAUCRuntimeClass@@XZ
 Addr:10029328 Ord: 583 (0247h) Name: ?classCLicense@CLicense@@2UCRuntimeClass@@A

Apparently, we have a complete product in our hands (the DLL can check the license to determine whether it's a "demo", a "normal demo" (do they release abnormal demos?) or a "full" one). We find here functions to encrypt/decrypt the license, and among those functions there is one that is particularly attractive...

 Name: ?GenerateKey@CLicense@@QAEXKKGAAVCString@@000@Z

A license generator?
Let's go and see what it looks like:

 Exported fn(): ?GenerateKey@CLicense@@QAEXKKGAAVCString@@000@Z - Ord:00B4h
 :1000CE00 6AFF             push FFFFFFFF
 :1000CE02 6810A60110       push 1001A610
 :1000CE07 64A100000000     mov eax, dword ptr fs:[00000000]
 :1000CE0D 50               push eax
 :1000CE0E 64892500000000   mov dword ptr fs:[00000000], esp
 :1000CE15 83EC10           sub esp, 00000010
 :1000CE18 53               push ebx
 :1000CE19 56               push esi
 :1000CE1A 8BF1             mov esi, ecx
 :1000CE1C 8D4C2410         lea ecx, dword ptr [esp+10]
 * Reference To: MFC42u.MFC42u:NoName0085, Ord:021Ch
 |
 :1000CE20 E869BE0000       Call 10018C8E
 :1000CE25 8D4C240C         lea ecx, dword ptr [esp+0C]
 ...

The function is quite long, but the first two lines could be the start of an official license key, to which supplemental info is appended. And IF the validity test only covers the first characters of the license, we could always try to modify the registry key... (I did not include that part of the code in this paper (it's quite long...), but if you look at the PerfectDisk.exe dead listing at the level of the first two tests we found when searching for "software", you'll see that the pointer used by the license check retrieves values from the beginning of the key.)

So, we start the registry editor (regedit.exe) and in the key [HKEY_LOCAL_MACHINE\SOFTWARE\Raxco\PerfectDisk\3.0] we replace the first 8 bytes of the "License Key" value (c64545601e840c31) with FFFFFFFF1001A610, then run the software again. The window that popped up previously doesn't show, and we're directly in the main software. Click on the Help menu, then View License, and we find:

 License type    : Permanent
 License options : Defragmenting
                   Smart placement
                   Scheduling
 System type     : Workstation

Moving the system date forward again by a few months, and it's still functioning.
So, to unlock the software and use it beyond the 30-day limit, install the demo version, copy the following lines (between the --8<- markers) into a file (named crack.reg, for example), and then execute the file:

---8<---8<---( file crack.reg )-----8<-----8<-----8<-----8<-----8<-----8<
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Raxco\PerfectDisk\3.0]
"License Key"=hex:ff,ff,ff,ff,10,01,a6,10,47,51,88,38,cc,40,4c,da,f1,40,ea,51,\
  db,2f,96,e1
---8<---8<---( EOF crack.reg )-8<-----8<-----8<-----8<-----8<-----8<----8<

ATTENTION: This software has been tested and unprotected on Windows 2000. If you run this file on Windows 95/98/NT, it's possible that the string "Windows Registry Editor Version 5.00" will cause you some trouble. If so, launch Regedit.exe on your computer, select any key of the root ([HKEY_LOCAL_MACHINE] for example), export the key to a file, open the file with Notepad and replace the first line of the CRACK.REG file with the first line of your file.

FoolFox

-------------------------------------------------------------------------------

 Award AWARD AWARD SW AWARD?SW AWARD_PS AWARD_PW AWARD_SW j256 j262 J256 J262 J64 q_l27&z ALFAROME BIOSTAR BIOSSTAR

 AMI-BIOS:
 ami AMI AMI_SW AMI?SW AMI?PW A.M.I. or PASSWORD

 Phoenix-BIOS:
 BIOS CMOS phoenix PHOENIX

 general:
 aLLy awkward BIOSTAR CONDO HLT lkwpeter LKWPETER SER setup SKY_FOX Sxyz Syxz SZYX Wodj

-------------------------------------------------------------------------------
Determining the password from main memory

This step requires that the computer has already been started successfully. If you then have free access to it, the password that was set, or another working one, can be determined with the help of a few small programs. Unfortunately, not every program works for every BIOS. There are sometimes considerable (security) differences between the individual BIOS versions of one manufacturer. In any case, if it doesn't work right away, it is worth trying all of the programs offered here for the respective BIOS manufacturer. All programs are for DOS.

"!BIOS" is by far the best program I know for cracking or deleting the BIOS password. It supports a large number of different BIOS types and also has good documentation. The current version is the following, which even supports Award BIOS v4.6:

 Name:         !BIOS 3.20b (build: 200000209)
 Author:       Eleventh Alliance / Bluefish ( / )
 Date:         09.02.2000
 Suitable for: Award v4.5x and v4.6, AMI, IBM (PS2, Aptiva etc.) BIOS (according to its own description)
 Download:     , packed (ZIP): 44,392 bytes, unpacked: 45,584 bytes

There are also:

 Name:         AMIDECOD
 Author:       Danny Soft / Daniel Minder
 Date:         07.11.1993
 Suitable for: AMI BIOS
 Special:      The only program mentioned here that is in German.
 Download:     , packed (ZIP): 2,106 bytes, unpacked: 2,599 bytes

 Name:         Award Modular BiOS crack tool
 Author:       The Immortal
 Date:         14.11.1996
 Suitable for: Award BIOS v4.50PG (according to its own description)
 Special:      The password is not displayed; instead it can be (de)activated (both the "Supervisor" and the "User" password). In addition, the password prompt can be set to "Setup" or "System", and the current security status of the BIOS can be displayed. A "Readme" file and the source code (assembler, ASM) come with the program.
 Download:     , packed (ZIP): 4,523 bytes, unpacked: 14,126 bytes

 Name:         CrackAmiBios 1.1
 Date:         23.08.1994
 Suitable for: AMI BIOS
 Special:      The source code (assembler, DEBUG) comes with the program.
 Download:     , packed (ZIP): 555 bytes, unpacked: 508 bytes

 Name:         Password
 Author:       Oren Levy - Dynamic L.T.D.
 Date:         16.04.1994
 Download:     , packed (ZIP): 2,582 bytes, unpacked: 2,460 bytes

 Name:         Password (C)alculator for AWARD BIOS 4.22
 Author:       FalCoN 'N' AleX
 Date:         12.10.1994
 Suitable for: Award BIOS v4.22 (according to its own description)
 Download:     , packed (ZIP): 1,881 bytes, unpacked: 1,771 bytes

-------------------------------------------------------------------------------
Clearing the CMOS by software

If no program can find out the password, there is no other choice than to clear the CMOS, in which the password and all other BIOS settings are stored. A few system settings are lost that way, but the password is reset as well. The following software helps with this:

 Name:         KiLLCMOS32 v1.0
 Author:       John Hale Jr.
 Date:         29.09.1996
 Suitable for: all BIOS types (according to its own description)
 Download:     , packed (ZIP): 31,247 bytes, unpacked: 97,819 bytes

It writes an invalid value into the CMOS and thereby causes all data stored there (including the password) to have to be entered again. Again, the condition is that the computer is running and you have free access to it.

The same is said to be achievable "by hand" by starting QBasic under DOS or in a DOS window under Windows 95, entering the following two lines and running the program. (Source: Opultys Website)

 10 OUT &H70,17
 20 OUT &H71,0

Details on CMOS access, including a "CMOS Memory Map", can be found at .

-------------------------------------------------------------------------------
Clearing the CMOS by hardware

This is probably the most radical step. It requires free access to the computer case and involves the loss of all changed BIOS settings. Exactly how it works is in the mainboard manual ("clearing the CMOS"). Usually you just have to short a connection. But: be careful - pull the plug!