Some explanations

by Birdy Harry
(06 August 1997, slightly edited by Reverser)

Courtesy of Reverser's page of reverse engineering

Well, never sell a bear until you have killed it... here you go with some more Winice NT precisations... hey, I like it... crackers are precise and determined people... d'you agree?
This is actually NOT an's a letter, but it is nevertheless important for Winice cracking, and if you have been hooked on this protection scheme as much as I have been, you'll enjoy this letter just like any other essay on this subject... a little cryptic it is, I have to admit, though... here you go!

Dear Reverser+,
Looking through your pages I found an interesting comment from Squirlle
and would like to add some (hopefully) helpful hints. Also, I really
appreciated if Squirlle would email me and be more precise on which
difficulties he encountered, because as for now I have to guess them 
a bit. I don't have his email adress too, so I'm posting this request 
to you.

>I got lots of errors and even after I found out about the need for
>certain visual c++ libraries to follow phase 4.

So the problems began already in phase 4? 
The same happened to me, believe me. 
Maybe Ignoramus has got the same environmental dlls in his .\system32 
folder as I do and just forgot to mention it. 
Look... for example... most crackers are coders as well, so I would't 
wonder if he had VC++ which brings along all the debug dlls for Windows NT! 
If so, I apologize for having not mentioned it.

>Since I could not
>load pnpisa.sys as described (error requesting some debug data)

(This is a very important, unique and advantageous ability of NT and so
I'll talk in pictures now for chrissake! This has to go work!)

Now consider the following applet in your "Control" folder (look at the
caption and you'll understand why sometimes "my" names may not coincide
with yours =D):

By double-clicking it you get into

Now look at the name! "PnP ISA Enabler Driver" or shortly PNPISA.SYS!!!

Sometimes, I admit, you may have to guess a little the correct file name
itself... in order to rename your target to it. This happens because the 
line in this window will stay the same no matter the real file, that is,
it is not rechecked. But looking into .\System32\Drivers\ this shouldn't
be too hard. 
Again, this is system level business... therefore be careful!

This was the meaning of the other tip: If you experiment with these with
NT on an NTFS partition (as I always would recommend it), have another NT
installation onto another FAT partition! Because only then you can
exchange the faked ones with the real drivers... if you messed up somehow 
and erratically rebooted!

You can determine the usage of this driver mainly by looking at the
column in the middle - it says "not used"! This happens because if it was 
there would be a notion "Gestartet" or maybe "started" (in the american
language NT version). 
By the way, another driver suitable for our fake replacement would be the
"Pcmcia" on top of PnPISA or the "PCIDump" driver, because NT has not actually
loaded them - *it only tried to do it at system level... (blue screen)*.

To make it clear: "It is completely sausage", as another of these nice
german phrases goes, which driver you use as long as

   * it is listed here and
   * it is not used. Especially be careful about this one!

Now, for further information, look at "Startart" or let's make it easy,
the fourth button from top of the DialogBox above. You now have a look
at the *level* at which the highlighted driver is started. And, of course,
there are radio buttons, thus you can even change its startup behaviour:

This just is the way the startup mode of WinICE is adjusted (you know: 
the Startup Mode Setup). You can do this task much faster this way and  
you don't even get the CleanSweep SmartSweep popup window popping up...
where you may digit the "new installation" a name (as you can see I'm 
not in "cracking mode" at the moment =):

Is that chapter all clear now?
I don't have to mention that the appropriate drivers have to be backed
up in order to restore the system later on, do I?

>I could not get the new checksum.
Chile didn't I tell that you have to use HIEW 5.60 or above? This is
because of the maximum length of the checksum in earlier HIEWs, it was
WORD only, whereas now it is DWORD, which is what we need. I'm telling
you: Hit F8 in HIEW...

>I did some searching on the net and found a helpful news
>article describing how to AUTOMATICALLY change the checksum.
>Simple (although not as instructive, it WORKS) use vc++ editbin.exe
>as follows:  editbin /release   That's it.

It is the "MSVC COFF binary file editor" -- this is real smart trick,
congratulations! I tested it with a copy of 4NT:

Looking before there was no checksum at all. Then


and looking again. Phew -- A checksum there!!!

Of course it is done right the same way (same algorithm, that is) as it is 
done by NTOSKRNL.EXE, cause both EDITBIN and NTOSKRNL are M$ products; as we 
all know, they hardly change something they got running once =D, e.g. if you 
look at the CD serial number check routine of NT setup and Office setup and 
MSVC setup you will come to see that the total of the digits after the "-" 
always is 14(decimal), let's say "040-2025104". The three digit number before 
the "-" can be 038, 040 (just add an item :)

So I'm impressed! But the goal was also: reverse engineering. It was much 
more instructive for me to crawl into the guts of NT and find the sucka my 
way (sorry... I should have said "Ignoramus' way" ;-).

This was indeed a real challenge, then.

>NT is not an easy thing to understand without some good training!

Nobody would doubt it. But if a cracker does not understand it, who else ever will =) ?

And by the way what I had to fight more than NT was the win95 OS -- 
"Sinnlos 95" it's called in germany, this 
notion means "without purpose" =D


(c) Birdy Harry, 1997. All rights reserved.

You are deep inside reverser's page of reverse engineering, choose your way out:

homepage links red anonymity +ORC students' essays tools cocktails
antismut search_forms mailreverser
is reverse engineering legal?

The "save as" function is called at startup and at shutdown of the program, but honestly, I dunno why. greetz, Birdy Harry