THE ESSAY
---------

Notes: Program descriptions are available at the "http" address, but the "Web Ferret Pro" program is ONLY available at the "ftp" site. Also available at the "ftp" site is a program named "NFupgrade111.exe", which is just an upgrade utility to convert "older" versions of these programs to the "current" version, which is Version 1.11 for all of the programs listed except the Web Ferrets. WFPEV.exe is time crippled at install AND at run-time. It is also "missing" some code to turn off the advertising, but I'll show you how to get around these problems later. Despite these "problems", you'll want to download "WFPEV.exe" instead of "WebFerret110.exe" because "WFPEV.exe" is the "PRO" version, which does boolean searches, allows deletes, and has several other "necessary" features. Get it as soon as you can, because it has already expired and will probably be removed from the server as soon as someone notices it's still taking up space.

---------------------------------------------------------------------------

WHAT DO THESE PROGRAMS DO?
--------------------------

These are very compact "search engines" which live on your hard drive. You enter query strings, just like you would at any search engine, and these programs will search ALL of the search engines you select. The results can be saved for future use, or used immediately if you choose. For instance, using Web Ferret and Win95 as an example, you would go to "find" on your "start" menu, click "web pages" to start the program, type in "Fravia" and "cracking" as the items to search for, then click "find", and you'll get a listing containing every web page listed on the search engines that contains the text "Fravia" and "cracking". Point your mouse at any listing, and you'll see the beginning text from that web page; click on a listing to open your browser and load the web page. The boolean feature in the Pro version is especially helpful. You can search for "cars AND trucks [but] NOT convertibles", as stated by the company.
Features like these can be real handy when searching for a certain file, web-site, E-mail address, or IRC channel.

------------------------------------------------------------------------

WHAT'S THE PROBLEM?
-------------------

Cash flow, or boredom, depending on WHY you reverse. These programs are VERY reasonably priced, and worth the investment! It was the sales tactics which drew my attention to these programs, and the encryption technique which drew my interest. When you install these programs, you enter your name and company, then click the "next" button, and enter your serial number and registration "key", or just leave these two fields blank to take the program for a test drive. After installation, you'll want to run the program, of course. It is then that you will discover the sales tactics. A banner will continually display ads, on YOUR monitor! This can NOT be tolerated! The "view" menu has an "option" to turn OFF advertising, but this option has been disabled until you register the program. They could have lost a sale, because the time I WOULD have spent earning money to pay for these programs HAD to be spent removing their advertising instead. How do they expect me to test drive their product with those awful banners constantly distracting me? Even though we've got the program installed on our hard drives, the original install program is necessary to register the program, so don't delete it yet. Let's fix these programs so we can test them without all of those distractions! The Web Ferret Pro is totally different from all of the other programs listed above, so I'll cover it a bit later in this essay, but here is what you'll need to fix ALL of the other programs.

------------------------------------------------------------------------

Even though we will NOT be going into the encryption scheme used in this program in this essay, I urge you to study it.
It won't be necessary for cracking these programs, but the author has done a very fine job of encrypting things, and deserves honors for his style and technique. Unfortunately, he forgot that, no matter how well he encrypts his passwords, it MUST always boil down to a simple "go here, or go there" instruction in the end. For those of you who are too lazy to study, I'll give you a short description of how this encryption scheme is implemented. For those of you who DO study this, be VERY careful: one slight miscalculation will crash your computer! You should become very familiar with the "hboot" command inside Soft-Ice. Even minimizing the loader screen to the taskbar will lock up your computer.

The serial number must contain five digits for reasons I'll explain later, and the "key" number must contain nine digits to activate the "next" button, which is deactivated as soon as you enter the first digit of the serial number. After you've typed in your serial number and registration key number, locate them, and set BPR's on them inside Soft-Ice. Then click on the "next" button. You'll break into the protection scheme at CS:004026D4. The "key" that you typed in, as you'll learn, is the "key" to unlocking the program. The serial number is only used to set a counter. The "key" value does its usual trip through memory addresses until it finally ends up on the stack. The center digit has been removed, so now your "key" is a "handy" eight characters long, so it fits nicely into the registers. After the string was shortened to eight characters, it was counted in the usual manner by placing FFFFFFFF in ECX. The result was inverted, as usual, to obtain the "decimal" byte count of "8", but it was also saved, uninverted, as FFFFFFF8, to crash your computer! At this point, we find another key already waiting for us at DS:0041C540.
This second key is 12h bytes long, and is comprised of three parts, using the starting values:

    "12345678"  "23456789"  "34567890"

To make a long story short, these three groups of eight numbers are sent to war against the "key" value you typed in, AND against the other "eight number" groups. It's like a war between four countries, with EACH country fighting the other three countries. They are beat against each other in just about every way imaginable until nothing is left but a mangled, un-recognizable, eight character string of garbage. From time to time, the 12h byte string is "refreshed" with the original numbers I've listed above. But the war continues. And when the smoke has cleared, we can finally do a few comparisons. If you've followed this through, you should find yourself at CS:0040EC3D. Again, the author was very clever. Every time you THINK EAX should be set to "01", it should be a "00", and vice versa. Keep this in mind, because, as I mentioned earlier, we're set up to crash! Any time you choose the "wrong" path to take after a CMP or TEST instruction, the program will find its way back to that FFFFFFF8 monster, and use it to crash your system. So choose wisely. Remember that you've entered bad data, so if the program "wants" to go one way, it probably "should" go the other way instead. Also remember, that's NOT always true! But, alas, we've made it to the check point. Lamers can just set your breakpoints to the following addresses. Lamers are lamers because they miss all of the fun stuff; YOU decide who you are!

------------------------------------------------------------------------

1st check:

                                                ; [ESP+0C] holds the
                                                ; encrypted value of
                                                ; your input "key"
:0040EC3D 8B44242C      mov eax, dword ptr [esp+2C]   ; the GOOD number
:0040EC41 83C40C        add esp, 0000000C
:0040EC44 3944240C      cmp dword ptr [esp+0C], eax   ; the first "test"
:0040EC48 7525          jne 0040EC6F                  ; a bad place to go!
------------------------------------------------------------------------

Here, the GOOD value is stored at [ESP+2C]. Then it's MOVed to EAX to be CoMPared to the encrypted value of the "key" you typed in, which is stored at [ESP+0C]. Assuming EAX is "59 42 55 f8" and [ESP+0C] is "22 47 39 23", you might encounter a slight "problem" when you arrive at the JNE instruction. To repair this "problem" when the two numbers do NOT match, simply edit memory in Soft-Ice, as follows:

    d esp+0c

yet! We still have a couple of checks left, and FFFFFFF8 is sitting on the stack just WAITING for us to make a mistake so it can crash our computers! If you decided to "repair" the JMP instruction above, instead of entering the proper data, you'll learn just how effective that FFFFFFF8 monster can be, when you have to re-start your computer. Wander through the code just a while longer, and eventually you'll come across the next check. Again, the lamers can just set their breakpoints here, but they'll miss the full beauty of the author's protection scheme.

------------------------------------------------------------------------

2nd check:

:0040E92F 8B8D70FFFFFF  mov ecx, dword ptr [ebp+FFFFFF70]   ; the GOOD number
:0040E935 3B01          cmp eax, dword ptr [ecx]            ; the 2nd "test"
:0040E937 0F850E000000  jne 0040E94B                        ; a BAD place

------------------------------------------------------------------------

Here we find another instance of the encrypted version of the "key" you entered being CoMPared to a "good" number. You might notice that both of these numbers are quite different from the numbers you used to fix that last "problem" we had. The repair technique is the same though. Simply copy the value you find at ECX into EAX. Please note that ECX holds the ADDRESS of the proper number, NOT the proper number itself! So DO NOT copy the ADDRESS into EAX, and DO NOT try to "repair" the JMP instruction, or the FFFFFFF8 monster will get you!
There is one more check that must be made, but if you typed in a five digit serial number like I told you to, feel free to hit "F5" or at any time now. Your program will be fully registered. When the program is registered, it will write a 398 byte (18Eh) "lic" key into your registry, and any disabled functions and menu items will be enabled. For those of you who typed in more than five digits, follow the code a bit further. The program will simply count the number of digits you entered, then use the result of the count to check some strings in memory. So if you entered seven digits, it will look for seven strings. The problem here is that there are only FIVE strings in memory to be checked. And the FFFFFFF8 monster is STILL waiting! You can fix this problem by fixing the count when the result is placed in EAX. Simply change the value to "5", then quit Soft-Ice and your program will be fully registered.

These techniques will fully register ALL of the FerretSoft programs except for the Web Ferrets. Web Ferret is a "crippled" version of the Web Ferret Pro program, which is offered just to get you interested in the product, so you'll break down and "pay" for the "real" program. Web Ferret Pro is NOT offered in any form as a demo. Fortunately for us, FerretSoft left an evaluation copy on their ftp server for us to play with. Since it's an evaluation copy, we'll need to treat it just a bit differently.

------------------------------------------------------------------------

WHAT ABOUT THAT MONSTER?
------------------------

If ANY of the "checks" fail (and there are MANY more than I've mentioned here), the program begins encrypting data against the 12h byte string. Each pass through the encryption process will decrement the FFFFFFF8 monster by "1", so you "could" go through the encryption process 4,294,967,288 times, theoretically!
Of course, this would never happen, because each pass is directed towards a different byte in memory, so eventually you encounter a "Memory Out Of Range" error message. With Soft-Ice running, you'll never get back into the program to see that message though. And, as I mentioned earlier, even minimizing the Loader window used to load the program will cause a crash.

------------------------------------------------------------------------

WEB FERRET PRO
--------------

Now let's install the Web Ferret Pro program. This program has a time lock when we try to install it. All we get is an error message informing us that the trial period is over. Later, when we get to run this program, we'll see that it expired December 31st, 1997. We can "fix" that though. So let's get to work!

STEP 1
------

In Soft-Ice, set a BPX on GetLocalTime. Then start the "WFPEV.EXE" program. When Soft-Ice breaks, you'll be at the first line of the GetLocalTime function. Press "F12" to return to the WFPEV code (read the title on the line that runs across your screen inside Soft-Ice). Trace through the code about fifteen steps until you find the following line of code:

:00413716 0594F8FFFF    ADD EAX, FFFFF894

As soon as this instruction has executed, change EAX to "0" with the instruction:

    r eax=0

Then let the installation run its course. The program will install, but as soon as you try to run it, you'll get the same "expired" error message. If you cancelled your breakpoint, re-set it. If you did not cancel it, you should already be where you need to be. We're just going to do that last "fix" all over again, except this time we'll need to make it a permanent repair using a hex editor.
When Soft-Ice breaks at GetLocalTime, just press "F12" again to return to the WFPEV code, then trace about fifteen instructions again, and you should see:

:004BD162 0594F8FFFF    ADD EAX, FFFFF894

Which we need to change to:

:004BD162 B800000000    mov eax, 00000000

This will ALWAYS tell the program that this is the first time you have ever used it. Be sure to write down the hex bytes of the instructions around this instruction. You will need them to locate this spot in your hex editor when we make these changes permanent.

STEP 2
------

This step is strictly cosmetic. You can skip it if you're in a hurry and don't care what your menu looks like. Because this is an "evaluation" copy, they didn't bother to put in all that code it takes to enable or disable a menu item. They also left out the code needed to make the function work, in case "WE" got a copy of the program. What function? The one to turn off the advertising, of course! They just tossed in a few lines of code to make sure the ads would ALWAYS run. So skip these steps if you like to see advertisements, too! To enable the menu item "advertisement" on the "view" menu, set a breakpoint on "EnableMenuItem". When Soft-Ice breaks, use "F12" again until you return to the WFPEV code. Then, back-trace through the code until you reach this line of code:

:0048DD7A 6A00          push 00000000