Ulead PhotoImpact Trial 3.01
"Protections" spitting the name of the calling dll and of the calling function

STUPID Training 97

by PNA

(29 August 1997)


Courtesy of Fravia's page of reverse engineering

Well, if they call "protection" the giving away of the calling dll and of the calling function, they deserve to be cracked black and blue until they'll learn better. Since this is a very short essay, and since there is a "sbb" construction inside it, I could not resist to the temptation of offering a small +HCU training exercise for all future +HCUkers (and all other interested reverse engineers :-)
Solve it! (And get some nice gamez as "reward" :-)

Target: Ulead PhotoImpact Trial 3.01 (http://www.ulead.com)
Protection Scheme: 30 day time protection

The stupidity of this protection is hard to beat. I recently switched
from the C64 to PC and was really surprised by the lack of
sophistication of modern protection schemes compared to protections on 
the old C64 which provided much more of a challenge (of course a pure 
von Neumann architecture allows much more creativity than modern 
computers (PE-header, etc.)
The Crack: 
Starting UPI after expiration-date brings up a messagebox with the
common bla bla BUT with the name of a dll (U32cfg.dll) inside its caption!
If you think this is stupid read on and enjoy the climax.
Loading U32cfg.dll in a disassembler and listing the export functions
(there are only a few) reveals the true extent of the programmer's brain
damage: one of the functions is called ulcCheckLegality !!!
The following wdasm listing doesn't need to be commented I suppose


Exported fn(): ulcCheckLegality - Ord:0004h
:4EB04160 8B442408                mov eax, [esp + 08]
:4EB04164 6A00                    push 00000000
:4EB04166 8B4C2408                mov ecx, [esp + 08]

* Possible Reference to Dialog: DialogID_0001
                                  |
:4EB0416A 6A01                    push 00000001
:4EB0416C 50                      push eax
:4EB0416D 51                      push ecx
:4EB0416E E80D000000              call 4EB04180
:4EB04173 83C410                  add esp, 00000010
:4EB04176 83F801                  cmp eax, 00000001
:4EB04179 1BC0                    sbb eax, eax			;<-- see below :4EB0417B 40 inc eax :4EB0417C C20800 ret 0008 This is it. PNA (Post Natal Abortion) 
PNA 1997. All rights reversed.
Training 97
Well, let's not forget that there are also young future crackers reading these pages... "Hey? How comes that there is a compare and no conditional jump there?"
So I thought that the following small +HCU training exercise could have some interest for future +HCUkers... have a look once more at the following three lines from PNA's target code, I'll comment them a little:
:4EB04176 83F801 cmp eax, 1    ;this cmp sets the carry flag ON (if 0) or OFF (if not 0)
:4EB04179 1BC0   sbb eax, eax  ;if ax<>0 -> ax=0 if ax=0->ax=FFFF
:4EB0417B 40     inc eax       ;ax=0 only if 0 at the beginning
                               ;else ax=1, whatever it was
See, sbb is "integer subtract with borrow", the contrary of adc (add with carry). If the carry flag is set, the result of the instruction sbb ax,ax changes and is equivalent to dec ax (a decrement of one).
Here the instruction cmp eax,1 sets the carry flag (CY) if ax was zero, and it will be NC (Non Carry) if ax was anything else but zero.
What does this mean? It means that after these three instructions you'll have in ax either zero or one, zero if ax was zero and one if ax was not zero, indipendently of the starting value of ax. So now we'll return either with zero and carry set or with 1 and carry not set.

Here are some other interesting examples... see if you understand these snippets (best answers will be premied with nice strategic gamez):
From Ecstatica2... a nice game I'm cracking right now
(sbb and or)
:A9D68 38EC      cmp ah, ch
:A9D6A 19C0      sbb eax, eax
:A9D6C 0C01      or al, 01
:A9D70 C3        ret

(sbb, inc and je)
:B53F4 668B38    mov di, word ptr [eax]
:B53F7 668B7002  mov si, word ptr [eax+02]
:B53FB B405      mov ah, 05
:B53FD B003      mov al, 03
:B53FF CD31      int 31          ;Ah! By the way... Int31 05/03	:-)
:B5401 19C0      sbb eax, eax
:B5403 40        inc eax
:B5404 7410      je 000B5416


From Textpad32... an interesting application that has already been cracked black and blue
(a simple "neg" variation)
:401EAA 83F801                  cmp eax, 00000001
:401EAD 1BC0                    sbb eax, eax
:401EAF F7D8                    neg eax

(Hey: what's going on here?)
:40380F 8945EC                  mov [ebp-14], eax
:403812 837DDC01                cmp [ebp-24], 00000001
:403816 1BC0                    sbb eax, eax
:403818 F7D8                    neg eax
:40381A 8945DC                  mov [ebp-24], eax
:40381D 8B45EC                  mov eax, [ebp-14]

(Somebody else is compared...)
:405BC5 837DD401                cmp [ebp-2C], 00000001
:405BC9 1BC0                    sbb eax, eax
:405BCB F7D8                    neg eax

(The last two snippets for today's exercise :-)
:4086CB FF30                    push dword ptr [eax]
:4086CD 83FA01                  cmp edx, 00000001
:4086D0 1BC0                    sbb eax, eax
:4086D2 24FD                    and al, FD
:4086D4 0529010000              add eax, 00000129
:4086D9 50                      push eax

:415CD0 83F801                  cmp eax, 00000001
:415CD3 1BC0                    sbb eax, eax
:415CD5 24FC                    and al, FC
:415CD7 83C009                  add eax, 00000009
:415CDA 50                      push eax
Well... explain the above snippets, just looking at the code, you don't need to dig out the relevant programs... use symdeb if you really don't understand, for instance:
a 100/nop/nop/nop/cmp ax,1/sbb ax,ax/inc ax/nop/nop/nop/enter
And now that you have assembled your example, test it:
u 100/t=100/t/rf/CY/t/rax=1/t/ t=100/rax=FFAA/t/ and so on... flags changing through rf CY or rf NC, new register values in ax for testing through rax=whatever :-)
This will teach you how much FUN you can have testing assembly code, and, moreover, you'll begin to understand that EACH compiler uses slightly different constructions, and that the reverse engineering of the sbb instruction "sequences" can be also used pretty effectively in order to understand which compiler has been used by the programmers of your target...

You are deep inside Fravia's page of reverse engineering, choose your way out:

Project 7
homepage links red anonymity +ORC students' essays academy database
tools cocktails antismut CGI-scripts search_forms mail_Fravia
Is reverse engineering illegal?