|
Cracked Metal, runtime dll creation
How to crack HoTMetaL Pro 4 Evaluation
|
Programmers
|
4 February 1998
|
by
Fallen
|
|
|
Courtesy of Fravia's page of
reverse engineering ~ very
slightly edited
|
|
fra_00E1 980204 Fallen 1100 PC XX
|
Well, from what Fallen writes it seems that our protectionists friends are
finally beginning to learn some (elementary) aspects of code protection, i.e.
DO NOT give immediate signs that the protection has discovered that somebody
is cracking it... as Fallen
writes:when I ran the program everything worked fine until I
tried to create a new document or load an existing HTML document.
It would THEN give me a message about a corrupted rules file Nice!
of course even this sort of messages is not necessary (if you are SURE that someone is
fiddling with your code and that no poor luser is just trying to install your crappy
software, that is, which you can only be sure if you are not programming in overbloated
languages, that is :-)
and anyway we can easily zen-crack all
these schemes nevertheless in two minutes flat, yet it's a good sort of feeling to constate
that at least some protectionists are listening and delivering us something more
palatable (like a run-time encrypted dll-creation) than the usual boring flag_good_guy
dinosaurier that still rule the earth :-(
Bravo Hotmetal... that's the right way... only, s'il vous plaît, may be a little better implemented
next time. Enjoy!
|
|
|
There is a crack, a crack in everything
That's how the light gets in
| |
Rating
|
(x)Beginner (x)Intermediate ( )Advanced ( )Expert
|
|
A very interesting protection scheme about an encrypted file used to
create a DLL at runtime
Cracked Metal, runtime dll creation
Cracking HoTMetaL Pro 4 Evaluation Version
Written by
Fallen
I fully agree with Fravia+ that HTML should be written using a simple
text editor.
I downloaded this target solely for cracking purposes and was quite
pleased with it as
a target.
I found the protection scheme both simple and interesting at the same
time. I feel
that this was one of my more fun cracks!
SoftICE (of course.)
BoundsChecker (Not necessary, but it was helpful.)
Hex Workshop (or any other hex editor.)
Web Site: http://www.sq.com
FTP Site: http://ftp4.softquad.com
It took me numerous tries to get the complete application. Keep trying.
I also
suggest getting the files by way of the web site. I can't remember the
path to
the zip files and the FTP site will not allow access to directory lists.
I encountered HoTMetaL Lite a couple of years ago and decided to see how
it had
progressed since then. I haven't much in the way of history... sorry.
I'm still new to cracking, and this is my first attempt at an essay, so
forgive me if I seem a little bad at it. I have cracked numerous DOS and
Windows programs, a lot of them I was able to locate a password in memory,
and I've done a few Nag screen/Time Trial schemes also.
This one however, I found very interesting, and fun!
PART 1:
When you first run HoTMetaL Pro you will see a message box saying
something about file date inconsistencies, after this there will be
a Dialog Box that will not allow you to close it for an agonizing
amount of time. Then it will run the program.
Well, first lets find out where this NAG screen comes from.
Once the OK button became enabled I popped into S-ICE and checked
the window handle list.
I placed a breakpoint on that handle for the message wm_destroy:
BMSG Handle_you_ll_get_on_your_own_machine WM_DESTROY
Now get back out of S-ICE and hit the OK button.
You should pop into S-ICE somewhere in USER, if I remember right, now
disable the breakpoints and press F12 a few times until you end up
in a DLL that the name begins with EFY???? where the four question
marks represent four numbers. This is where our protection scheme
lies, but don't get excited, it's not that simple.
The first time I tried to crack this, I removed the call to this
DLL and eliminated the Time Protection, Nag Screen and a MessageBox
that pops up about file date inconsistencies all at once.
However, when I ran the program everything worked fine until I
tried to create a new document or load an existing HTML document.
It would then give me a message about a corrupted rules file.
So back to the cracking board.
If you search your hard drive for a matching DLL you will find that it
exists in the system temp directory, usually C:\WINDOWS\TEMP, and that
the four numbers at the end change every time you run the program.
Hmmm... this could be a problem, nah not really.
I came to the obvious conclusion that this DLL was created by HMPRO4.EXE
every time the program was run. Now to figure out how to alter the code
it writes. For this I used BoundsChecker to find out how it creates the
file. I tried using SmartCheck at first but for some reason it would
crash every time I tried to run it in SmartCheck, so I used BoundsChecker.
I loaded it up in BoundsChecker and watched for the function CreateFile.
I'm not going to get specific about BoundsChecker, but I found the portion
of code where it created the DLL and looked above that for the ReadFile
function.
I found that it loaded it's information from a file named ASDFLKJH.IUY this
is disguised to look like a temporary file, but it's not.
After examining this file you will see that this file is the DLL in an
encrypted format.
So our problem lies here. How do we decrypt it, crack it, and re-encrypt
it. No need, a simpler way exists.
The method I used of locating these functions in SoftICE may seem
lengthy, but I wasn't having any luck using the addresses I retrieved
from BoundsChecker.
The first thing I did was set a breakpoint on LoadLibrary. I could see
from my BoundsChecker listing that this was the first DLL that HMPRO4.EXE
loads so of course we need to break on the first LoadLibrary and look at
the code above it to see what we need.
This is what I ended up with:
:00422A37 push 006309C8 - This address holds the name of the DLL to load
* Reference To: KERNEL32.LoadLibraryA, Ord:0021h
|
:00422A3C Call dword ptr cs:[0065032C] - and of course this loads it.
If you look up from this segment of code you will see this:
* StringData Ref from Data Obj ->"asdflkjh.iuy" - This is the name
of the encrypted DLL.
|
:00422A0F mov edx, 005D537C - The address of the encrypted DLL filename.
... - Unimportant code. - Removed
:00422A27 call 004227E8 - This call is shown below, it creates the
new DLL file.
The call from above ^.
:004227E8 - Code to open the encrypted DLL,
read it into memory and then
close the handle.
:004228CE call 00411520 - This call decrypts the file!
This is what we need to eliminate for this crack.
Code to write the
un-encrypted DLL to a file. - Removed
The point of the above section of the essay is to allow us to work with
an unencrypted protection DLL. How? you may ask! Well, here's how we do it:
1. Run HoTMetaL Pro and let the Dialog Box pop up.
2. Make a copy of the efy????.dll file from you windows\temp directory
and place it in your HoTMetal Pro directory.
3. Rename it to the encrypted DLL file name, ASDFLKJH.IUY
4. Now patch HMPRO4.EXE at address 004228CE to eliminate the call that
decrypts the DLL. You choose your own method.
Well, I believe the point of this is self evident.
We can now crack the file ASDFLKJH.IUY as a DLL and patch it accordingly.
Since all of the protection scheme (ie. The messagebox about file date
inconsistencies, Nag screen, and time protection) exist in ASDFLKJH.IUY,
that will be the target of the remainder of this essay.
Part 2
The remainder of this crack is very simple.
My first trip through, I patched the file ASDFLKJH.IUY in two places,
once to eliminate the message box and Dialog Box, and another
to eliminate the time protection.
However, writing of this essay, I found that if you apply the following
patch, it eliminates both.
If you patch the time check call with this code:
:01D91BC6 XOR EAX,EAX
:01D91BC8 RET
It will prevent the program from exiting after March 1, 1998 and will
also eliminate the messagebox and DialogBox Nag screens.
I found this program a lot of fun to crack and also learned something
very useful during
the process of writing this essay. I re-installed the software and as I
went through the
cracking process, I entered my steps into the essay without applying the
patches to the
executable. During this process I was able to eliminate one of the
patches as I mentioned
above.
MORAL: Document your cracks and you may learn an easier or more
efficient way to crack them. This can also be useful, later, if you
happen to find
something interesting for the +HCU, btw.
Also, pay attention to the code and you'll see a lot of things you may miss if
you don't!
I wont even bother explaining you
that you should BUY this target program if you intend to use it for a longer
period than the allowed one. Should you want
to STEAL this software instead, you don't need to crack its protection
scheme at all: you'll
find it on most Warez sites, complete and already regged, farewell.
You are deep inside Fravia's page of reverse engineering,
choose your way out:
Programmer's corner
homepage
links
search_forms
+ORC
students' essays
academy database
reality cracking
how to search
javascript wars
tools
anonymity academy
cocktails
antismut CGI-scripts
mail_Fravia
Is reverse engineering legal?