+HCU 1997, Project2: Winice cracking
Phase 2

Courtesy of Reverser's page of reverse engineering
PHASE 2 by +Rcg
	Another approach to cracking the SoftIce 3.01 14-day trial.

After reading phase 1 of this project, by Frog's print, I thought:
let's analyze the NmGetNumDaysLeft function a little.

So with W32dasm8 I got the following code fragment.

Exported fn(): NmGetNumDaysLeft - Ord:000Dh 
:100263F0 83EC20                  sub esp, 00000020
:100263F3 8D442404                lea eax, [esp + 04]
:100263F7 53                      push ebx
:100263F8 56                      push esi
:100263F9 57                      push edi
:100263FA 55                      push ebp
:100263FB 50                      push eax
:100263FC 6819000200              push 00020019
:10026401 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Software\Microsoft\Windows\Help"
:10026403 6888880710              push 10078888
:10026408 6802000080              push 80000002

* Reference To: ADVAPI32.RegOpenKeyExA, Ord:012Eh
:1002640D FF15F8411C10            Call dword ptr [101C41F8]
:10026413 85C0                    test eax, eax
:10026415 755A                    jne 10026471
:10026417 BF04000000              mov edi, 00000004
:1002641C 8D442410                lea eax, [esp + 10]
:10026420 8B4C2414                mov ecx, [esp + 14]
:10026424 50                      push eax
:10026425 68D8201C10              push 101C20D8

* Reference To: ADVAPI32.RegQueryValueExA, Ord:0136h
:1002642A 8B35F4411C10            mov esi, [101C41F4]
:10026430 897C2418                mov [esp + 18], edi
:10026434 6A00                    push 00000000
:10026436 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"OleGUIDLow"
:10026438 687C880710              push 1007887C
:1002643D 51                      push ecx
:1002643E FFD6                    call esi
:10026440 85C0                    test eax, eax
:10026442 752D                    jne 10026471
:10026444 897C2410                mov [esp + 10], edi
:10026448 8D7C2410                lea edi, [esp + 10]
:1002644C 8B442414                mov eax, [esp + 14]
:10026450 57                      push edi
:10026451 68E8231C10              push 101C23E8
:10026456 6A00                    push 00000000
:10026458 6A00                    push 00000000 

* Possible StringData Ref from Data Obj ->"OleGUIDHigh"
:1002645A 6870880710              push 10078870
:1002645F 50                      push eax
:10026460 FFD6                    call esi
:10026462 85C0                    test eax, eax
:10026464 750B                    jne 10026471
:10026466 8B442414                mov eax, [esp + 14]
:1002646A 50                      push eax

* Reference To: ADVAPI32.RegCloseKey, Ord:0117h
:1002646B FF15F0411C10            Call dword ptr [101C41F0]

* Referenced by a Jump at Addresses:10026415(C), :10026442(C), :10026464(C)		
:10026471 8D442420                lea eax, [esp + 20]
:10026475 50                      push eax

* Reference To: KERNEL32.GetSystemTime, Ord:0134h
:10026476 FF1538421C10            Call dword ptr [101C4238]
:1002647C 8B742420                mov esi, [esp + 20]	
:10026480 33C0                    xor eax, eax
:10026482 668B442426              mov ax, [esp + 26]
:10026487 81E6FFFF0000            and esi, 0000FFFF
:1002648D 8B0DC0A50710     ***    mov ecx, [1007A5C0]	;Get 1st constant value
:10026493 8944241C                mov [esp + 1C], eax
:10026497 33C0                    xor eax, eax
:10026499 330DD8201C10     ***    xor ecx, [101C20D8]	;Xor with Date 1st value
:1002649F 668B442422              mov ax, [esp + 22]	
:100264A4 8BD9                    mov ebx, ecx
:100264A6 81E300F00000            and ebx, 0000F000
:100264AC 8BF9                    mov edi, ecx
:100264AE C1EB0C                  shr ebx, 0C
:100264B1 83E70F                  and edi, 0000000F
:100264B4 C1E704                  shl edi, 04
:100264B7 8BE9                    mov ebp, ecx
:100264B9 81E50000000F            and ebp, 0F000000
:100264BF 89442418                mov [esp + 18], eax
:100264C3 C1ED10                  shr ebp, 10
:100264C6 8BC1                    mov eax, ecx
:100264C8 250000F000              and eax, 00F00000
:100264CD C1E814                  shr eax, 14
:100264D0 0BF8                    or edi, eax
:100264D2 8BC1                    mov eax, ecx
:100264D4 2500000F00              and eax, 000F0000
:100264D9 81E1F0000000            and ecx, 000000F0
:100264DF 0BE8                    or ebp, eax
:100264E1 C1ED08                  shr ebp, 08
:100264E4 0BE9                    or ebp, ecx
:100264E6 B9FFFFFFFF              mov ecx, FFFFFFFF
:100264EB 2BCB                    sub ecx, ebx
:100264ED 8D443D00                lea eax, [ebp + edi]
:100264F1 0FAFCF                  imul ecx, edi
:100264F4 49                      dec ecx
:100264F5 40                      inc eax
:100264F6 0FAFCD                  imul ecx, ebp
:100264F9 0FAFC3                  imul eax, ebx
:100264FC 2BC8                    sub ecx, eax
:100264FE 8BC7                    mov eax, edi
:10026500 33C5                    xor eax, ebp
:10026502 33C3                    xor eax, ebx
:10026504 2BC8                    sub ecx, eax
:10026506 A1C4A50710         **** mov eax, [1007A5C4]	;2nd constant value
:1002650B 3305E8231C10            xor eax, [101C23E8]
:10026511 3305D8201C10            xor eax, [101C20D8]
:10026517 03C8                    add ecx, eax
:10026519 2BCF                    sub ecx, edi
:1002651B 7402                    je 1002651F
:1002651D FFD1                    call ecx
:1002651F 8D4C6D00                lea ecx, [ebp + 2*ebp]
:10026523 8D0C8B                  lea ecx, [ebx + 4*ecx]
:10026526 8D1C76                  lea ebx, [esi + 2*esi]
:10026529 8BC1                    mov eax, ecx
:1002652B C1E105                  shl ecx, 05
:1002652E 2BC8                    sub ecx, eax
:10026530 8B442418                mov eax, [esp + 18]
:10026534 8D1439                  lea edx, [ecx + edi]
:10026537 8D0C98                  lea ecx, [eax + 4*ebx]
:1002653A 8BD9                    mov ebx, ecx
:1002653C C1E105                  shl ecx, 05
:1002653F 2BCB                    sub ecx, ebx
:10026541 034C241C                add ecx, [esp + 1C]
:10026545 3BCA                    cmp ecx, edx
:10026547 7202                    jb 1002654B
:10026549 2BCA                    sub ecx, edx
:1002654B B800000000              mov eax, 00000000
:10026550 83F90E                  cmp ecx, 0000000E
:10026553 7307                    jnb 1002655C
:10026555 B80E000000              mov eax, 0000000E
:1002655A 2BC1                    sub eax, ecx
:1002655C 5D                      pop ebp
:1002655D A3DC201C10              mov [101C20DC], eax
:10026562 5F                      pop edi
:10026563 5E                      pop esi
:10026564 5B                      pop ebx
:10026565 83C420                  add esp, 00000020
:10026568 C3                      ret

Obviously, I was thinking that this crack couldn't be 
so easy... yet after studying the routine above a little, I 
noticed that there are two constant (fixed) values:

		FCB32679 and 7866EDBA

These values are used to decrypt the installation date, and after
having done the hard work of analyzing the code, I just made a 
simple check: I searched for these values INSIDE the winice.exe file and...
tachantachan.... only ONE occurrence. Bingo! Therefore I figured that the
winice.exe file uses these values too, in order to determine if you are 
a good or a bad guy (until that moment I kept thinking that the NuMega 
boys were just laughing at my efforts). Look what I found:

46 75 6E 63 74 69 6F 6E 20 6E 75 6D 62 65 72 20  Function number 
28 25 64 29 20 63 61 6E 27 74 20 62 65 20 67 72  (%d) can't be gr
65 61 74 65 72 20 74 68 61 6E 20 E7 00 00 00 00  eater than 7....
79 26 B3 FC BA ED 66 78 00 00 00 00 00 00 00 00  y&....fx........

So now the next question is:
	Does winice really use the date numbers with the curious caption
"Eval expiration date - DO NOT REMOVE!" inside the winice.dat file? Or is
it just "smoke" to take all crackers for a boat ride?

The next step was to change, inside winice.exe, one of these two constants,
then run Sice again and look!... Ctrl+D has no effect. Sice does
not pop up; the protection has snapped!

But, I thought, this could be caused just by the "modification" of the file;
maybe there is a checksum, and if you alter anything it snaps... let's check! 
On the original file, I wrote uppercase FUNCTION over the lowercase "Function"
among the above bytes, and... nothing happened, SoftIce ran perfectly. OK!!! 
No file checksum routine.

Now I was completely sure that THESE values were used by the protection scheme.

Where are these values hidden?  In the winice.dat (of course) AND
in the registry. Searching the registry, I found:

	OleGUIDHigh	Date Value1
	OleGUIDLow	Date Value2 

After that I tried another trick: I put Frog's print's values in my own winice.dat 
file AND in the registry, and it worked fine.

Now W32dasm8 on winice.exe again, searching in winice.exe with a 
little use of zen (I searched for 0000000E; that's not too much zen, is it? :-)
and I found:

:000549A6 55                      push ebp
:000549A7 8BEC                    mov ebp, esp
:000549A9 83EC1C                  sub esp, 0000001C
:000549AC 53                      push ebx
:000549AD 56                      push esi
:000549AE 57                      push edi
:000549AF A1D4730B00              mov eax, [000B73D4]
:000549B4 3305B88E0600            xor eax, [00068EB8]
:000549BA 8945EC                  mov [ebp-14], eax
:000549BD A1D0730B00              mov eax, [000B73D0]
:000549C2 3305B48E0600            xor eax, [00068EB4]
:000549C8 8945F8                  mov [ebp-08], eax
:000549CB A1B48E0600              mov eax, [00068EB4]
:000549D0 3145EC                  xor [ebp-14], eax
:000549D3 8B45F8                  mov eax, [ebp-08]
:000549D6 C1E80C                  shr eax, 0C
:000549D9 83E00F                  and eax, 0000000F
:000549DC 8945FC                  mov [ebp-04], eax
:000549DF 8B45F8                  mov eax, [ebp-08]
:000549E2 C1E814                  shr eax, 14
:000549E5 83E00F                  and eax, 0000000F
:000549E8 8B4DF8                  mov ecx, [ebp-08]
:000549EB 83E10F                  and ecx, 0000000F
:000549EE C1E104                  shl ecx, 04
:000549F1 0BC1                    or eax, ecx
:000549F3 8945F0                  mov [ebp-10], eax
:000549F6 8B45F8                  mov eax, [ebp-08]
:000549F9 C1E808                  shr eax, 08
:000549FC 25000F0000              and eax, 00000F00
:00054A01 8B4DF8                  mov ecx, [ebp-08]
:00054A04 C1E918                  shr ecx, 18
:00054A07 83E10F                  and ecx, 0000000F
:00054A0A 0BC1                    or eax, ecx
:00054A0C 8B4DF8                  mov ecx, [ebp-08]
:00054A0F 81E1F0000000            and ecx, 000000F0
:00054A15 0BC1                    or eax, ecx
:00054A17 8945F4                  mov [ebp-0C], eax
:00054A1A 2BC0                    sub eax, eax
:00054A1C 8B4DF4                  mov ecx, [ebp-0C]
:00054A1F 334DF0                  xor ecx, [ebp-10]
:00054A22 334DFC                  xor ecx, [ebp-04]
:00054A25 8B55F4                  mov edx, [ebp-0C]
:00054A28 0FAF55F0                imul edx, [ebp-10]
:00054A2C 0FAF55FC                imul edx, [ebp-04]
:00054A30 03CA                    add ecx, edx
:00054A32 8B55F0                  mov edx, [ebp-10]
:00054A35 0FAF55FC                imul edx, [ebp-04]
:00054A39 03CA                    add ecx, edx
:00054A3B 8B55F4                  mov edx, [ebp-0C]
:00054A3E 0FAF55F0                imul edx, [ebp-10]
:00054A42 03CA                    add ecx, edx
:00054A44 8B55F4                  mov edx, [ebp-0C]
:00054A47 0FAF55FC                imul edx, [ebp-04]
:00054A4B 03CA                    add ecx, edx
:00054A4D 034DF4                  add ecx, [ebp-0C]
:00054A50 034DF0                  add ecx, [ebp-10]
:00054A53 034DFC                  add ecx, [ebp-04]
:00054A56 2BC1                    sub eax, ecx
:00054A58 F7D8                    neg eax
:00054A5A 2945EC                  sub [ebp-14], eax
:00054A5D 0F8407000000            je 00054A6A
:00054A63 2BC0                    sub eax, eax
:00054A65 E97E000000              jmp 00054AE8
:00054A6A 8B45F4                  mov eax, [ebp-0C]
:00054A6D 50                      push eax
:00054A6E 8B45F0                  mov eax, [ebp-10]
:00054A71 50                      push eax
:00054A72 8B45FC                  mov eax, [ebp-04]
:00054A75 50                      push eax
:00054A76 E872000000              call 00054AED
:00054A7B 83C40C                  add esp, 0000000C
:00054A7E 8945E8                  mov [ebp-18], eax
:00054A81 8B4510                  mov eax, [ebp+10]
:00054A84 50                      push eax
:00054A85 8B450C                  mov eax, [ebp+0C]
:00054A88 50                      push eax
:00054A89 8B4508                  mov eax, [ebp+08]
:00054A8C 50                      push eax
:00054A8D E85B000000              call 00054AED
:00054A92 83C40C                  add esp, 0000000C
:00054A95 8945E4                  mov [ebp-1C], eax
:00054A98 8B45E4                  mov eax, [ebp-1C]
:00054A9B 3945E8                  cmp [ebp-18], eax
:00054A9E 0F870A000000            ja 00054AAE
:00054AA4 2BC0                    sub eax, eax
:00054AA6 2B45E8                  sub eax, [ebp-18]
:00054AA9 F7D8                    neg eax
:00054AAB 2945E4              *** sub [ebp-1C], eax		;Days using it
:00054AAE 837DE40E                cmp [ebp-1C], 0000000E	;here it is****
:00054AB2 0F8217000000        *** jb 00054ACF		      ;Make it jmp always
:00054AB8 C705A4C10C0000000000    mov dword ptr [000CC1A4], 0 ;0 days left
:00054AC2 8B45F4                  mov eax, [ebp-0C]
:00054AC5 E91E000000              jmp 00054AE8
:00054ACA E919000000              jmp 00054AE8
:00054ACF B80E000000              mov eax, 0000000E
:00054AD4 2B45E4                  sub eax, [ebp-1C]	;Nop this to get always
                                                    ;14 days left	
:00054AD7 A3A4C10C00              mov [000CC1A4], eax	;Days left
:00054ADC 8B45EC                  mov eax, [ebp-14]
:00054ADF 8D444003                lea eax, [eax + 2*eax + 03]
:00054AE3 E900000000              jmp 00054AE8
:00054AE8 5F                      pop edi
:00054AE9 5E                      pop esi
:00054AEA 5B                      pop ebx
:00054AEB C9                      leave
:00054AEC C3                      ret

Now simply change 0F8217000000 to EB1E17000000 (jmp always)!!!
and               2B45E4       to 909090

Look how both routines are "identical".
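Here is what that shared arithmetic computes, written out in Python. This is an added illustration, not code from +Rcg's essay or from NuMega; it assumes the first constant (FCB32679) is the one XORed with OleGUIDLow, that the three unpacked fields are year, month and day (inferred from the 31*(12*y+m)+d arithmetic in the listing), and the sample registry value is constructed.

```python
# Added example, not code from the essay: a Python reading of the date unpacking
# and day count in the NmGetNumDaysLeft listing (100264A4..1002655A).
# Assumptions: CONST_LOW is the first of the two constants found in winice.exe and is
# the one XORed with OleGUIDLow; the three unpacked fields are year, month and day,
# inferred from how the routine combines them (31 * (12 * y + m) + d).

CONST_LOW = 0xFCB32679   # "1st constant value" in the listing
TRIAL_DAYS = 0x0E        # the 14 the author searched for


def unpack_install_date(ole_guid_low):
    """Undo the nibble shuffle applied to (OleGUIDLow XOR CONST_LOW).

    Mirrors the and/shr/shl/or sequence in the listing and returns the three
    values in the roles the day-count arithmetic gives ebp, ebx and edi."""
    v = (ole_guid_low ^ CONST_LOW) & 0xFFFFFFFF
    month = (v & 0x0000F000) >> 12                                  # ebx: nibble 3
    day = ((v & 0x0000000F) << 4) | ((v & 0x00F00000) >> 20)        # edi: nibbles 0 and 5
    year = ((((v & 0x0F000000) >> 16) | (v & 0x000F0000)) >> 8) | (v & 0x000000F0)  # ebp: nibbles 4, 1, 6
    return year, month, day


def day_number(year, month, day):
    """Ordinal used by the routine: every month is counted as 31 days."""
    return 31 * (12 * year + month) + day


def days_left(install_ymd, today_ymd):
    """Value the routine stores at [101C20DC]: 14 minus days used, floored at 0.

    The compare is unsigned (jb): when today sorts before the install date the
    subtraction is skipped and the raw ordinal (far above 14) is used, giving 0."""
    today = day_number(*today_ymd)
    start = day_number(*install_ymd)
    elapsed = today - start if today >= start else today
    return TRIAL_DAYS - elapsed if elapsed < TRIAL_DAYS else 0


# Constructed sample: a value that unpacks to 1997-07-21 (not a real install value).
SAMPLE_OLE_GUID_LOW = 0xF1E456B8

if __name__ == "__main__":
    y, m, d = unpack_install_date(SAMPLE_OLE_GUID_LOW)
    print(f"install date {y:04d}-{m:02d}-{d:02d}")
    print("days left on 1997-08-01:", days_left((y, m, d), (1997, 8, 1)))
```

The tamper check that precedes the day count (the `call ecx` on a nonzero result) is left out here; it only decides whether the routine reaches this arithmetic at all.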

Final check... I tried a few different values for the date and it always works!!!

Final comments:

	I'm not sure... Sice may have more protection routines; it could 
happen. I have not used it for long after the above patch, but this doc 
represents only another approach; now you have one more angle from which to 
attack this scheme. Work on it! 

And last but not least,
*thanks a lot Razzia* (for your "how to crack" VisualBasic *.dll).

That's all folks!!!!

+Rcg 1997
