=====================================================================
Target : Sonic Foundry XFX2 Plug-In
Version : 1.0c Build 176
Type : Module (dll)
Name : sfppack2.dll
Done by : UmanErrOr
=====================================================================
Stuff for insiders
==================
> Disabled the GetSystemTime-based check by changing its jz to jne.
> This function is only used at the init of each plugin routine
of sfnrpack at startup; it enables/disables the trial period 7 days
after you started using the plugin, i.e. after installing it.
Why the GetSystemTime function and not the serial/machine code?
----------------------------------------------------------------
Like almost all DEMOs, this one still has the lousy
GetSystemTime function call in kernel to check if the
trial period has expired. The procedure of reversing
and debugging this event is basically the same as in other plugins
of SF. Although the routines are basically different, it was a matter
of minutes to find the bug and fix it.
At the beginning I had to choose: either disable the serial
and unlock-key functions, or disable the trial_period function.
A serial number is floating around on the inet (thanks to our Russian
friends of the RHA). Remember this is not the unlock-key!!!
The unlock key had to be found or disabled as a routine,
but changing your machine, and with it its machine number, means this
annoying popup for a new unlock-key does not go away. :-(
So, a logical option is to disable the trial check
routine to avoid this problem in the future. :-)
After XFX 1 this took me 1.12 minutes to debug, so no problem for you ;-)
Food for thoughts
=================
> Always remember that in most cases disassembling or
changing the code of a program is considered to be illegal!
> However a normal program should work without bugs,
including nag-screens or disabled routines.
Serialz are ok, as long as the company will not abuse your
privacy for any reason without letting you know.
And believe me, in most cases you don't know!
> Let's say you buy your stuff in a bookshop,
and the bookshop says to you: hey, you have to register here
first, before you have permission to have all of our books here..
We don't do that either, do we??
Also the guarantee of good quality, as in most cases of software,
are good examples of our belief in manufacturers...
Remember that you always have to pay for updates, the telephone bill
at least...
> Also, most people don't have that kind of money asked for this, and
so I prefer paying for what it's worth.
How the job was done
====================
The tools
---------
> IDA version 4.04 (disassembler)
> Hiew (hex-editor)
> SoftICE 4.05 (debugger)
> CodeFusion (patcher)
> Pen and paper
Preliminary work
----------------
> Install the plugin [DEMO] and a host [like WaveLab or Sound Forge]
if you haven't at this point. You can get the DEMO at www.sonicfoundry.com.
> Load SoftICE.
> Disable the taskbar clock and any other program that could be
using the GetSystemTime call to kernel [most likely anything using time routines].
> Run the plugin host.
> Run the program several times and get a feel for it.
> Read some of the articles I wrote about reversing the plugins
Sonic Foundry Noise Reduction 2.0 and 2.0a and Arboretum Restauration-NR 1.0.
> The basics are the same as in XFX 1, which you should read as a starter.
> Compare the asm routines from these tuts to understand some of the trial-time
checks in those programs.
Let's start
-----------
1 First of all, in the category of reversing and debugging, this was a real piece of cake.
If you don't have much experience with reversing, this is a good start.
2 Notice that the last 4 digits of the addresses are the significant ones to remember.
All DLLs are loaded dynamically in memory, so the addresses differ from the offsets in IDA
or whatever disassembler you use.
3 Now run the host if you haven't done so until now.
4 Hit Ctrl-D and SoftICE pops up.
5 Enter bpx GetSystemTime
6 Hit Ctrl-D again to hide SoftICE.
7 Now load the plugin from your host.
8 SoftICE pops up and hey; it broke at a call to GetSystemTime!
9 Now it's time to get pen and paper and write down the line, including the
asm instruction.
10 Hit F12 to go on to the next routine, until you're back in 'sfppack2'.
11 Now look for the following test eax, eax and the jz, jnz, je or jne
instruction that follows it.
Hit F10 to walk through the code and look at what is happening.
12 Stop after each test eax, eax, when you're on a jz, jnz, je or jne.
13 Write them down and look whether eax is set [1 or 0] and whether it
jumps ['jmp' or 'no jmp'].
14 Go on with this until the plugin is loaded and SoftICE is hidden again.
15 Now you should have a list with all breakpoints and jz, jnz, je or
jne instructions.
16 If you don't know much asm, the basic rule is to look for
instructions that are hit 2, 3 or more times during startup.
Remember these and mark them on your paper!
17 Now, hit Ctrl-D again and type 'bc*' to disable all breakpoints.
18 Unload the host and change your system date [in the configuration screen]
to e.g. the year 2045.
19 Repeat the whole procedure from step 4 and compare the jz, jnz, je or
jne and 'jmp' or 'no jmp' between SoftICE and your paperwork.
20 You will see that after the second GetSystemTime, the first jz will not
jump and does not go to the xor eax, eax routine.
This is most likely the one we have to change :-)
21 So let's try: type (in my case) 'a 167:04EFB2E4' and hit Enter.
22 Type 'jnz 04EFB2F1' and hit Enter again.
23 Hey, it will not jump anymore :-) OK, hit Esc and the coding is done for now.
24 Hit Ctrl-D a few times until the plugin is loaded, and what do we see???
25 It's 2045 and we are still in the trial period.. :-))
26 Now you may set your system time/date back to its original state, unload
and reload the plugin again, keep hitting Ctrl-D until it's loaded... And?
27 I told you; piece of cake, huh?
28 If you are curious about this, just run IDA and find the GetSystemTime calls.
> You will find:
--- s ---
00460164 extrn GetSystemTime:dword ; DATA XREF: .text:0045AE14 ^r
00460164 ; sub_45EBD0+8 ^r ...
--- es ---
> We find 3 cross references now:
0045AE14 call ds:GetSystemTime ; Indirect Call Near Procedure
0045EBD8 call ds:GetSystemTime ; Indirect Call Near Procedure
0045FC72 jmp ds:GetSystemTime ; Indirect Near Jump
> Now remember the last 4 digits we wrote down on paper, because here we see
the address offsets.
> OK, now we have to check all cross references and check the routines to see
- and find our code - doing this you need to think like a compiler, and finally
you find the instruction we found in SoftICE.
Hints
-----
> 0045EBD8 > brings you to a sub > go up to the references of this one,
watch the calls and look where it brings you...
> Well, have a nice tour, you will surely learn something from that.
> OK, for the lazy ones: just do a text search for 'B2E4'. Remember these last digits?
> Now hit it!
And we find:
--- s ---
0045B2E4 jz short loc_45B2F1 ; Jump if Zero (ZF=1)
--- es ---
Hey, that's what we wrote down on paper and changed in SoftICE!!!
In SoftICE it looks like this:
--- s ---
0167:04EFB2E4 jz 04EFB2F1 (jmp / no jmp)
--- es ---
Notice the difference?
> OK, OK, this is the routine we are looking for:
0045B2C0 ; =============== S U B R O U T I N E =======================================
0045B2C0
0045B2C0
0045B2C0 sub_45B2C0 proc near ; CODE XREF: sub_401000+CD ^p
0045B2C0 ; sub_401000+16A ^p ...
0045B2C0
0045B2C0 var_8 = dword ptr -8
0045B2C0 var_4 = dword ptr -4
0045B2C0
0045B2C0 sub esp, 8
0045B2C3 push ebx
0045B2C4 push ebp
0045B2C5 push esi
0045B2C6 push edi
0045B2C7 mov edi, ecx
0045B2C9 mov eax, [edi+4]
0045B2CC test eax, eax
0045B2CE jz loc_45B380
0045B2D4 call sub_45EBD0
0045B2D9 mov ecx, edi
0045B2DB mov ebp, eax
0045B2DD call sub_45B7B0
0045B2E2 test eax, eax
0045B2E4 jz short loc_45B2F1 << This one !
0045B2E6 pop edi
0045B2E7 pop esi
0045B2E8 pop ebp
0045B2E9 or eax, 0FFFFFFFFh
0045B2EC pop ebx
0045B2ED add esp, 8
0045B2F0 retn
0045B2F1 ; ---------------------------------------------------------------------------
> Although it is possible to change the asm code in IDA, I would not recommend that.
> Now we start Hiew and make the changes, shall we?
> Press F5 and type '.0045B2E4' and hit Enter....
> And we see something like this:
--- s ---
.0045B2E4: 740B je .00045B2F1
--- es ---
> Hey, JE? We thought it was JZ?
> Well, don't get confused now: some compilers/disassemblers treat a zero as the result
and some treat equal [''] as the result of comparing two bytes, get it?
JE = Jump if Equal [as a comparison result]
JZ = Jump if Zero [as a comparison result]
Both names are the same opcode (74 xx, jump if ZF=1); only the mnemonic differs.
In hex that is: - why do we need this? -
---------------
> Hit F4, choose Hex, and we see:
--- s ---
Address Hex Ascii
~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~
.0005B2D0: AC 00 00 00-E8 F7 38 00-00 8B CF 8B-E8 E8 CE 04 ╝ ▐╕8 ∩ñ∩▐▐+
.0005B2E0: 00 00 85 C0-74 0B 5F 5E-5D 83 C8 FF-5B 83 C4 08 α+t _^]Γ+ [Γ- << hello, here !
-- --
.0005B2F0: C3 8B CF E8-C8 04 00 00-85 C0 75 0B-5F 5E 5D 83 +∩ñ▐+ α+u _^]Γ
--- es ---
> Copy this stuff to Notepad, because we need this part!
> Now we go back: hit F4, Decode.
> Hit F3 [Edit]
> Hit F2 [Asm]
Edit line:
.0045B2E4: 740B je .00045B2F
Now you see:
[je 00045B2F1] Use your arrow keys to go to 'je' and type 'jne'
> Hit Enter and Esc
The result must now be:
.0045B2E4: 750B jne .00045B2F
> OK? Then hit F9 to save it to disk.
> Go back to hex mode
And this is what you should see:
--- s ---
Address Hex Ascii
~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~
.0045B2D0: AC 00 00 00-E8 F7 38 00-00 8B CF 8B-E8 E8 CE 04 ╝ ▐╕8 ∩ñ∩▐▐+
.0045B2E0: 00 00 85 C0-75 0B 5F 5E-5D 83 C8 FF-5B 83 C4 08 α+u _^]Γ+ [Γ- << Joohoo !
-- -- --
.0045B2F0: C3 8B CF E8-C8 04 00 00-85 C0 75 0B-5F 5E 5D 83 +∩ñ▐+ α+u _^]Γ
--- es ---
> Copy this stuff to Notepad, because we need this part too!
> Hit F10 to close Hiew, and we take a trial run with our program on several dates, shall we?
> If everything works fine we can make the patch now.
> To keep it easy, use a patcher like CodeFusion; that's why we saved the hex strings to
Notepad. From here on you should not have much difficulty making your own release.
> Why use 48 bytes to patch and not just 2? Because this size makes it almost sure
the patcher will find the one and only correct series of bytes to adjust, most likely.
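The same 48-byte window also works the other way round, as a tamper signature. The script below is an added example, not part of the write-up and not Sonic Foundry's or CodeFusion's code: it parses the two Hiew rows quoted above, confirms that they differ in exactly one byte (the 74/75 opcode of the conditional jump), and reports whether a file image still carries the original sequence or the patched one. The sample images are constructed, not real files.

```python
import re

# Hiew hex-dump rows quoted in the write-up (ASCII column dropped):
# the original bytes around 0x5B2E4 and the same rows after the patch.
ORIGINAL_DUMP = """
.0005B2D0: AC 00 00 00-E8 F7 38 00-00 8B CF 8B-E8 E8 CE 04
.0005B2E0: 00 00 85 C0-74 0B 5F 5E-5D 83 C8 FF-5B 83 C4 08
.0005B2F0: C3 8B CF E8-C8 04 00 00-85 C0 75 0B-5F 5E 5D 83
"""
PATCHED_DUMP = """
.0045B2D0: AC 00 00 00-E8 F7 38 00-00 8B CF 8B-E8 E8 CE 04
.0045B2E0: 00 00 85 C0-75 0B 5F 5E-5D 83 C8 FF-5B 83 C4 08
.0045B2F0: C3 8B CF E8-C8 04 00 00-85 C0 75 0B-5F 5E 5D 83
"""


def parse_hiew_dump(dump: str) -> bytes:
    """Turn Hiew-style rows ('.OFFSET: xx xx-xx ...') into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, hexpart = line.partition(":")          # drop the address column
        out += bytes.fromhex(re.sub(r"[\s-]", "", hexpart))
    return bytes(out)


def patch_delta(original: bytes, patched: bytes) -> list:
    """List (index, old, new) for every byte the patch changed."""
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, patched)) if a != b]


def classify_image(data: bytes) -> tuple:
    """Return ('original' | 'tampered' | 'unknown', offset of the jump opcode
    inside data, or -1). Matching the whole 48-byte window rather than the
    two jump bytes keeps stray '74 0B' sequences from causing false hits."""
    orig, patched = parse_hiew_dump(ORIGINAL_DUMP), parse_hiew_dump(PATCHED_DUMP)
    jump_index = patch_delta(orig, patched)[0][0]    # 0x14 inside the window
    for label, needle in (("original", orig), ("tampered", patched)):
        pos = data.find(needle)
        if pos >= 0:
            return label, pos + jump_index
    return "unknown", -1


# Constructed sample images (padding + the 48-byte window), not real DLLs.
SAMPLE_CLEAN = b"\x90" * 16 + parse_hiew_dump(ORIGINAL_DUMP) + b"\xcc" * 8
SAMPLE_PATCHED = b"\x90" * 16 + parse_hiew_dump(PATCHED_DUMP) + b"\xcc" * 8

if __name__ == "__main__":
    for name, img in (("clean", SAMPLE_CLEAN), ("patched", SAMPLE_PATCHED)):
        print(name, classify_image(img))
```

To check a file on disk, pass `open(path, "rb").read()` to `classify_image`; the returned offset is where the jump opcode sits in that file.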
Notes
=====
> Before you jump a hole in the air, get stoned, bother your girlfriend or whatever,
you should test all your results before spreading the good news on the inet.
> Uninstall the plugin (not the DLL you reversed and debugged, of course... <;-)
and pretend you are a newbie at this.
> When everything is fine, then...... hehe.
> Put some notes in plain text for other users. -howto-
Security
========
> Zip the stuff.
> When sending by email I suggest you take a temporary Hotmail account
or another fake account so you will not be traced somehow...
> Why? Because you're doing illegal stuff!
> Never use your real id and make sure you did that;
today's cybercops are not all weenies!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanx
=====
To the boyz and girlz from SoftICE;
the HIEW crew;
the creators of IDA -- great tool --;
everybody I forgot this time;
and last but not least; the Sonic Foundry team who made this possible;-)