1998-09-20 - WARNING: softSENTRY is a SCAM

Header Data

From: qweasd123@my-dejanews.com
To: comp-lang-pascal-delphi-announce@moderators.isc.org
Message Hash: aacf796637bf45becf6b5d89a1c928873e57eb388f733a2aa12e4d9e77e1948c
Message ID: <6u39v4$89r$1@nnrp1.dejanews.com>
Reply To: N/A
UTC Datetime: 1998-09-20 03:27:29 UTC
Raw Date: Sun, 20 Sep 1998 11:27:29 +0800

Raw message

From: qweasd123@my-dejanews.com
Date: Sun, 20 Sep 1998 11:27:29 +0800
To: comp-lang-pascal-delphi-announce@moderators.isc.org
Subject: WARNING: softSENTRY is a SCAM
Message-ID: <6u39v4$89r$1@nnrp1.dejanews.com>
MIME-Version: 1.0
Content-Type: text/plain



Windows developers, DO NOT purchase 20/20 Software's outrageously priced
($695) softSENTRY utility. The package IS A SCAM. Before reading the below
document I found on the Web, understand that DLL- and component-based copy
protection systems are inherently easy to crack. (softSENTRY incorporates a
DLL-based protection as one of its options, in addition to direct .exe
"protection".) Also understand that utilities such as Shrinker and WWPack are
only useful for compression, NOT protection from reverse engineering.
EXE-compressors are notorious for being easy to crack.

Do you want me to convince you?

http://209.44.62.170/pir8/files/ak.html provides cracks for Vbox, SalesAgent,
softSENTRY, TimeLock, and many other copy protection schemes. (Yes, the much
overbloated Vbox is now WORTHLESS as a copy protection system.)

For cracks of just about any EXE-compressor/encryptor you can think of
(including WWPack32, Protect!, and Shrinker), visit
http://www.nettaxi.com/citizens/caligo/main.htm.

Yes, you can also forget about using Shrinker or WWPack to protect your app's
code. They are both absolutely WORTHLESS in that respect as well. Cracks for
them are now everywhere on the Web.

-----------------------
e-mail: LSD-LSD@usa.net
-----------------------

Hello out there. I am somewhat of a newbie at cracking (with some knowledge
of assembly) but thought I'd try my luck at a commercial protection scheme
for one of my first cracks.

I will show you how to crack an extremely stupid, ready-made protection
scheme, softSENTRY 2.07 from 20/20 Software. Download the trial version
(itself extremely easy to crack) from http://www.twenty.com/pgs/dlidx.html.

This software allows zombie programmers (who, IMHO, do not deserve to be
called programmers if they have fallen for this disgustingly bogus
protection) to "automatically" convert their FULL programs to "protected"
trial versions. Sounds like a snake oil vendor, right? It is precisely that:
bogus commercialism at its very best. (This crappy, $695 piece of junk really
is worth only ten bucks. I have encountered far better utilities priced five
times less.)

Okay, what tools do we need to crack softSENTRY?

- Numega's Soft-Ice
- a good hex-editor

I will not show you how to crack the demo of softSENTRY, because the process
is boringly easy to do. (Do it yourself! Tip: Delete c:\windows\system\ss.drv
and the "magic key" located at HKEY_CLASSES_ROOT\{XXXXXXXXXX} to restore the
trial period.) I shall, however, show how to murder its weak protection
scheme! (By the way, the fact that softSENTRY's own protection is so weak
indicates a lot about the quality of the product itself!!)

Prepare a test target by protecting some small program like Notepad in order
to disassemble the process and watch how softSENTRY "works". For disassembly,
we will utilize SoftIce because W32Dasm89 seemed to crash when I attempted to
load the target. The protected file and the original file have different
sizes. "Clever", you would have thought, as I did, "Maybe there's some
encryption and variable random protection scheme inside the target." Well,
you're in for quite a surprise. Now hold your breath; THIS IS THE ENTRY POINT
FOR ALL PROTECTED FILES:

:004B066F CC             int    03
:004B0670 55             push   ebp
:004B0671 8BEC           mov    ebp,esp
:004B0673 83EC48         sub    esp,00000048
:004B0676 53             push   ebx
:004B0677 56             push   esi
:004B0678 57             push   edi
:004B0679 E950000000     jmp    004B06CE ; This is a very strange jump, wouldn't you say?
:004B067E 0000           add    [eax],al
:004B0680 7006           jo     004B0688

All protected files possess the same pattern, with the exact same JMP (coded
as E950000000)! This is very fortunate for us; it means that searching any
"protected" file for the pattern { 55 8B EC 83 EC 48 53 56 57 E9 50 00 00 00
} will give us the entry point of the program and indicate to us that the
program has been "protected" with softSENTRY! (Has your jaw hit the floor
yet?) Yes, softSENTRY is very silly. The very insolent JMP 004B06CE points
the EIP to the actual protection routine. The routine then jumps depending on
the "protection" scheme the programmer specified for use: time limit, splash,
etc. Read carefully:

 00093C82: 8B4508       mov    eax,[ebp][00008]
 00093C85: 50           push   eax
 00093C86: 68A0324B00   push   004B32A0
 00093C8B: FF156C744B00 call   [0004B746C]
 00093C91: E88A000000   call   001279B1         ; THIS CALL LOADS THE RESOURCES OF THE MAIN PROGRAM!
 00093C96: E825000000   call   00127956         ; THIS CALL WILL RUN THE MAIN PROGRAM!
 00093C9B: 8B45B8       mov    eax,[ebp][0FFB8]
 00093C9E: 50           push   eax
 00093C9F: FF15E4734B00 call   [0004B73E4]

(If the protection fails, you will land at 00093C9B.)

The two calls at 00093C91 and 00093C96 load the FULL program completely free
of all nag, splash, time-limit, etc. functions that have been chosen.

If you compare the above source with any other "protected" program, you will
see that both calls are ALWAYS coded as:

E8 8A 00 00 00 E8 25 00 00 00
1st Call       2nd Call

Now we can write a general crack for this amazingly retarded protection
scheme. Simply replace the first jump (coded as E950000000) with the code of
the two calls, which, again, is always E88A000000 E825000000.

1) Search for: { 55 8B EC 83 EC 48 53 56 57 E9 50 00 00 00 }
                                            ^^^^^^^^^^^^^^ (This is the jump.)

2) Replace it with E8A2040000 E83D040000.

Note that the two calls have been recalculated accordingly but remain the
same. (Track them with your debugger!)

So, cracking a softSENTRY-"protected" application is only a matter of
switching a few bytes. I certainly wouldn't pay $695 for some silly
"protection" that took me only 10 minutes to crack!

-----== Posted via Deja News, The Leader in Internet Discussion ==-----
http://www.dejanews.com/rg_mkgrp.xp   Create Your Own Free Member Forum
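Added here as an editor's example, not part of the original post: a small Python classifier that uses the byte pattern quoted in the post to tell an intact softSENTRY entry stub from one carrying the inline-call patch, so that a vendor can inventory shipped builds or spot tampered copies. The sample images, function name and verdict strings are constructed for the example.

```python
"""Classify a Win32 image by the softSENTRY entry-stub signature.

Editor's example, not code from the post or from 20/20 Software.
The byte values come from the post; the sample images are constructed.
"""
from __future__ import annotations

# Prologue the post says every softSENTRY-protected file starts with:
# push ebp / mov ebp,esp / sub esp,48h / push ebx / push esi / push edi
PROLOGUE = bytes.fromhex("558BEC83EC48535657")
# ... followed by the JMP into the protection routine (E9 50 00 00 00).
STUB_JMP = bytes.fromhex("E950000000")
# After the patch the post describes, the JMP is replaced by two CALLs
# (given in the post as E8A2040000 E83D040000).
PATCHED_CALLS = bytes.fromhex("E8A2040000E83D040000")


def classify(image: bytes) -> tuple[str, int]:
    """Return (verdict, offset of the prologue that produced the verdict).

    The prologue alone is an ordinary compiler prologue and occurs in many
    unprotected binaries, so only the bytes that follow it decide the verdict;
    every occurrence is examined before reporting "no stub".
    """
    off = image.find(PROLOGUE)
    while off != -1:
        tail = image[off + len(PROLOGUE):]
        if tail.startswith(STUB_JMP):
            return ("softsentry-intact", off)
        if tail.startswith(PATCHED_CALLS):
            return ("softsentry-patched", off)
        off = image.find(PROLOGUE, off + 1)
    return ("no-softsentry-stub", -1)


# Constructed sample images (a fake MZ header, then the entry bytes).
INTACT = b"MZ" + bytes(14) + b"\xCC" + PROLOGUE + STUB_JMP + b"\x00\x00\x70\x06"
PATCHED = b"MZ" + bytes(14) + b"\xCC" + PROLOGUE + PATCHED_CALLS
CLEAN = b"MZ" + bytes(14) + PROLOGUE + b"\x8B\x45\x08"  # plain prologue only

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, *classify(fh.read()))
```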