=====================================================================
Target : Sonic Foundry XFX3 Plug-In
Version : 1.0c Build 176
Type : Module (dll)
Name : sfppack3.dll
Done by : UmanErrOr
=====================================================================
Stuff for insiders
==================
> Disabled the GetSystemTime check by patching its conditional jump (jne).
> This function is only called at the init of each
plugin routine of sfnrpack at startup and enables/disables
the trial period after 7 days of
using the plugin, i.e. after installing the plugin.
Why the GetSystemTime function and not the serial/machinecode ?
----------------------------------------------------------------
Like almost all DEMOs, this one still has the lousy
GetSystemTime function call into kernel to check whether the
trial period has expired. The procedure of reversing
and debugging this event is basically the same as in other plugins
of SF. However, the routines are slightly different.
At the beginning I had to choose: either disable the serial
and unlock-key functions, or disable the trial_period function.
A serial number is floating around on the inet (thanks to our Russian
friends of the RHA). Remember this is not the unlock-key !!!
The unlock key had to be found or disabled as a routine,
but changing your machine, and with it its machine number, does not make
this annoying popup for a new unlock-key go away. :-(
So, the logical option is to disable the trial check
routine to avoid this problem in the future. :-)
After XFX 2 this took me 45 seconds to debug, so no problem for you ;-)
Food for thoughts
=================
> Always remember that in most cases disassembling or
changing the code of a program is considered to be illegal !
> However, a normal program should work without bugs,
including nag-screens or disabled routines.
Serialz are ok, as long as the company will not abuse your
privacy for any reason without letting you know.
And believe me, in most cases you don't know !
> Let's say you buy your stuff in a bookshop:
And the bookshop says to you: Hey, you have to register here
first, before you have permission to have all of our books here..
We don't do that either, do we ??
Also the guarantee of good quality, as in most cases of software,
is a good example of our belief in manufacturers...
Remember that you always have to pay for updates, the telephone bill
at least...
> Also: most people don't have the kind of money asked for this, and
so I prefer paying for what it's worth.
How the job was done
====================
The tools
---------
> IDA version 4.04 (disassembler)
> Hiew (hex-editor)
> SoftICE 4.05 (debugger)
> CodeFusion (patcher)
> Pen and paper
Preliminary work
----------------
> Install the plugin [DEMO] and a host [like WaveLab or Sound Forge]
if you haven't at this point. You can get the DEMO at www.sonicfoundry.com.
> Load SoftICE.
> Disable the taskbar clock and any other prog that could be
using the GetSystemTime call to kernel. [most likely anything using time routines]
> Run the plugin host.
> Run the prog several times and get the feelz about it.
> Read some of the articles I wrote about reversing the plugins
Sonic Foundry Noise Reduction 2.0 and 2.0a and Arboretum Restauration-NR 1.0.
> The basics are the same as in XFX 1 and 2, which you should read as a starter.
> Compare the asm routines from those tuts to understand some of the trial-time
checks in those progs.
Let's start
-----------
1 First of all, in the category of reversing and debugging, this was a real piece of cake.
If you don't have much experience with reversing, this is a good start.
2 Notice that the last 4 digits of the addresses are the significant ones to remember.
All DLLs are loaded dynamically in memory, so the addresses differ from the offsets in IDA
or whatever you use for a disassembler.
3 Now run the host if you haven't done so until now.
4 Hit Ctrl-D and SoftICE pops up.
5 Enter bpx GetSystemTime
6 Hit Ctrl-D again to hide SoftICE.
7 Now load the plugin from your host.
8 SoftICE pops up and hey; it broke at a call to GetSystemTime !
9 Now it's time to get pen and paper and write down the line, including the
asm instruction.
10 Hit F12 to go on to the next routine, until you're back in 'sfppack3'.
11 Now look for the following test eax, eax and the jz, jnz, je or jne
instructions that follow it.
Hit F10 to walk through the code and look at what is happening.
12 Stop after each test eax, eax, when you're on a jz, jnz, je or jne.
13 Write them down and look whether eax is set [1 or 0] and whether it
jumps. ['jmp' or 'no jmp']
14 Go on with this until the plugin is loaded and SoftICE is hidden again.
15 Now you should have a list with all breakpoints and jz, jnz, je or
jne instructions.
16 If you don't know much asm, the basic rule is to look for
instructions that are hit 2, 3 or more times during startup.
Remember these and mark them on your paper!
17 Now, hit Ctrl-D again and type 'bc*' to disable all breakpoints.
18 Unload the host and change your system date [in the configuration screen]
to e.g. the year 2045.
19 Repeat the whole procedure from step 4 and compare the jz, jnz, je or
jne and 'jmp' or 'no jmp' between SoftICE and your paperwork.
20 You will see that after the second GetSystemTime, the first jz will not
jump and does not go to the xor eax, eax routine etc.
The one at offset xxxx8DBA is most likely the one we have to change :-)
21 So let's try, type (in my case) 'a 167:04EB8DBA' and hit Enter.
22 Type 'jz 04EB8DC7' and hit Enter again.
23 Hey, it will not jump anymore :-) ok, hit Esc and the coding is done for now.
24 Hit Ctrl-D a few times until the plugin is loaded, and what do we see ???
25 It's 2045 and we are still in the trial period.. :-))
26 Now you may set your system time/date back to its original state, unload
and reload the plugin again, keep on hitting Ctrl-D until it's loaded...And ?
27 I told you; piece of cake huh ?
28 If you are curious about this, just run IDA and find the GetSystemTime calls.
> You will find:
--- s ---
.idata:0043E13C extrn GetSystemTime:dword ; DATA XREF: .text:004388D4 ^r
.idata:0043E13C ; sub_43C690+8 ^r ...
--- es ---
> We find 3 cross references now:
004388D4 call ds:GetSystemTime ; Indirect Call Near Procedure
0043C698 call ds:GetSystemTime ; Indirect Call Near Procedure
0043D762 jmp ds:GetSystemTime ; Indirect Near Jump
> Now remember the last 4 digits we wrote down on paper, because here we see
the address offsets.
> Ok, now we have to check all cross references and check the routines to see
- and find our code - doing this you need to think like a compiler and finally
you find the instruction we found in SoftICE.
Hints
-----
> 0043C698 > brings you to a sub > go up to the references of this one,
watch the calls and look where they bring you...
> Well, have a nice tour, you will surely learn something from that.
> Ok, for the lazy ones, just do a text search for '8DBA'. Remember these last digits ?
> Now hit it !
And we find:
--- s ---
:00438DBA jnz short loc_438DC7 ; Jump if Not Zero (ZF=0)
--- es ---
Hey, that's what we wrote down on paper and changed in SoftICE !!!
In SoftICE it looks like this :
--- s ---
0167:04EB8DBA jnz 04EB8DC7 (jmp / no jmp)
--- es ---
Notice the difference ?
> Ok, ok, this is the routine we are looking for:
In this case we have 2 options;
Either change option 1 into jnz [:00438DA4]
Or change option 2 into jz [:00438DBA]
Well, that's for you to decide at this point.
In this example I chose 2, because the routine will keep the registry
tidy... see at 'Merit', and makes the dll load faster because of this.
.text:00438D80 ; =============== S U B R O U T I N E =======================================
.text:00438D80
.text:00438D80
.text:00438D80 sub_438D80 proc near ; CODE XREF: sub_401000+CD ^p
.text:00438D80 ; sub_401000+16A ^p ...
.text:00438D80
.text:00438D80 var_8 = dword ptr -8
.text:00438D80 var_4 = dword ptr -4
.text:00438D80
.text:00438D80 sub esp, 8 ; Integer Subtraction
.text:00438D83 push ebx
.text:00438D84 push ebp
.text:00438D85 push esi
.text:00438D86 push edi
.text:00438D87 mov edi, ecx
.text:00438D89 mov eax, [edi+4]
.text:00438D8C test eax, eax ; Logical Compare
.text:00438D8E jz loc_438E40 ; Jump if Zero (ZF=1)
.text:00438D94 call sub_43C690 ; Call Procedure
.text:00438D99 mov ecx, edi
.text:00438D9B mov ebp, eax
.text:00438D9D call sub_439270 ; Call Procedure
.text:00438DA2 test eax, eax ; Logical Compare
.text:00438DA4 jz short loc_438DB1 ; Jump if Zero (ZF=1) << option 1
.text:00438DA6 pop edi
.text:00438DA7 pop esi
.text:00438DA8 pop ebp
.text:00438DA9 or eax, 0FFFFFFFFh ; Logical Inclusive OR
.text:00438DAC pop ebx
.text:00438DAD add esp, 8 ; Add
.text:00438DB0 retn ; Return Near from Procedure
.text:00438DB1 ; ---------------------------------------------------------------------------
.text:00438DB1
.text:00438DB1 loc_438DB1: ; CODE XREF: sub_438D80+24 ^j
.text:00438DB1 mov ecx, edi
.text:00438DB3 call sub_439280 ; Call Procedure
.text:00438DB8 test eax, eax ; Logical Compare
.text:00438DBA jnz short loc_438DC7 ; Jump if Not Zero (ZF=0) << option 2
.text:00438DBC pop edi
.text:00438DBD pop esi
.text:00438DBE pop ebp
.text:00438DBF or eax, 0FFFFFFFFh ; Logical Inclusive OR
.text:00438DC2 pop ebx
.text:00438DC3 add esp, 8 ; Add
.text:00438DC6 retn ; Return Near from Procedure
.text:00438DC7 ; ---------------------------------------------------------------------------
> Although there is a possibility to change the asm code in IDA, I will not recommend that.
> Now we start Hiew and make the changes, shall we ?
Hiew it ! :-)
> Find the address [type '.00438DBA'],
and we end up here > the same as in IDA
.00438DB8: 85C0 test eax,eax
.00438DBA: 750B jne .000438DC7 << Here ok ?
> First we are going to make a copy of this section with a length of about 32 - 48 bytes.
> So leave the cursor on 750B and hit F4 and choose 'Hex'.
> Now we copy this section to e.g. Notepad:
-s-
.00438DA0: 00 00 85 C0-74 0B 5F 5E-5D 83 C8 FF-5B 83 C4 08
.00438DB0: C3 8B CF E8-C8 04 00 00-85 C0 75 0B-5F 5E 5D 83 < Our goal is here
-- --
.00438DC0: C8 FF 5B 83-C4 08 C3 8B-4F 04 8B 41-04 85 C0 75
-es-
Remember we only need the hex code, not the addresses, to copy !
So like this:
00 00 85 C0-74 0B 5F 5E-5D 83 C8 FF-5B 83 C4 08
C3 8B CF E8-C8 04 00 00-85 C0 75 0B-5F 5E 5D 83
C8 FF 5B 83-C4 08 C3 8B-4F 04 8B 41-04 85 C0 75
You may leave the '-' characters as they are..
> Hit F4 again and choose 'Decode'
> Hit F3 'Edit' and F2 'Asm' and we see this popping up:
+- Assembler ----------------------------------------------------+
| jne 000038DC7___________________________________________ |
+----------------------------------------------------------------+
Now use your arrow keys to put your cursor on jne
and type this:
+- Assembler ----------------------------------------------------+
| je 000038DC7___________________________________________ |
+----------------------------------------------------------------+
> Hit Enter and Esc
Now your code must look like this:
00038DBA: 740B je 000038DC7
-- --
> Hit F9 'Save'
> Repeat the hex copy procedure to copy the exact section we copied before
changing the instruction.
Remember we only need the hex code, not the addresses, to copy !
So it must look like this:
-s-
.00438DA0: 00 00 85 C0-74 0B 5F 5E-5D 83 C8 FF-5B 83 C4 08
.00438DB0: C3 8B CF E8-C8 04 00 00-85 C0 74 0B-5F 5E 5D 83 < See the difference ?
-- --
.00438DC0: C8 FF 5B 83-C4 08 C3 8B-4F 04 8B 41-04 85 C0 75
-es-
And of course you only copied this:
00 00 85 C0-74 0B 5F 5E-5D 83 C8 FF-5B 83 C4 08
C3 8B CF E8-C8 04 00 00-85 C0 74 0B-5F 5E 5D 83
C8 FF 5B 83-C4 08 C3 8B-4F 04 8B 41-04 85 C0 75
> Hit F10 'Exit' and we are done.
> Now get CodeFusion and make your patch using the copied bytes.
Don't forget to choose 'Replace First Match' and copy in Hex. <;-)
> Why use 48 bytes to patch and not just 2 ? Because this size makes it almost certain
that the patcher will find the one and only correct series of bytes to adjust, most likely.
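As an added example (not part of this tutorial or of Sonic Foundry's code), the Python below works the Hiew dump quoted above: it recovers the raw bytes, decodes the two test eax,eax / short Jcc pairs to confirm that 75 0B at 0x438DBA is a jne to 0x438DC7, and acts as an integrity check that tells a pristine sfppack3.dll image apart from the patched one; it also counts matches to show why a 2-byte pattern is ambiguous where the 48-byte sequence is not. The function names and the sample images are assumptions.

```python
import re

# Hiew dump quoted in the tutorial above (sfppack3.dll .text at 0x438DA0),
# embedded here as constructed sample input so the check runs offline.
HIEW_DUMP = """
.00438DA0: 00 00 85 C0-74 0B 5F 5E-5D 83 C8 FF-5B 83 C4 08
.00438DB0: C3 8B CF E8-C8 04 00 00-85 C0 75 0B-5F 5E 5D 83
.00438DC0: C8 FF 5B 83-C4 08 C3 8B-4F 04 8B 41-04 85 C0 75
"""
BASE = 0x00438DA0  # address of the first dumped byte

def parse_hiew_dump(dump: str) -> bytes:
    """Raw bytes from a Hiew hex dump: drop the address column, the '-' separators
    and any trailing '< comment' such as the tutorial's '< Our goal is here'."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _addr, _, hexpart = line.partition(":")
        out += bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", hexpart.split("<")[0]))
    return bytes(out)

def decode_short_jcc(code: bytes, base: int) -> list:
    """(addr, mnemonic, target) for each 'test eax,eax' followed by je/jne rel8
    (85 C0 74 xx / 85 C0 75 xx).  target = address of next instruction + rel8."""
    hits = []
    for i in range(len(code) - 3):
        if code[i:i + 2] == b"\x85\xC0" and code[i + 2] in (0x74, 0x75):
            rel = code[i + 3] - 0x100 if code[i + 3] >= 0x80 else code[i + 3]
            addr = base + i + 2
            hits.append((addr, "je" if code[i + 2] == 0x74 else "jne", addr + 2 + rel))
    return hits

ORIGINAL = parse_hiew_dump(HIEW_DUMP)  # the 48 pristine bytes
# Patched variant described in the tutorial: 75 0B (jne) at 0x438DBA became 74 0B (je).
PATCHED = ORIGINAL[:0x438DBA - BASE] + b"\x74" + ORIGINAL[0x438DBA - BASE + 1:]

def trial_check_status(image: bytes) -> str:
    """Integrity check on a DLL image: 'pristine', 'patched' or 'not found'."""
    if ORIGINAL in image:
        return "pristine"
    if PATCHED in image:
        return "patched"
    return "not found"

def count_matches(image: bytes, pattern: bytes) -> int:
    """Occurrences of pattern in image: 2 bytes recur, the 48-byte run is unique."""
    return sum(1 for i in range(len(image) - len(pattern) + 1)
               if image[i:i + len(pattern)] == pattern)
```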
Notes
=====
> Before you jump a hole in the air, get stoned, bother your girlfriend or whatever,
you should test all your results before spreading the good news on the inet.
> Uninstall the plugin (not the DLL you reversed and debugged, of course... <;-)
and pretend you are a newbie at this.
> When everything is fine, then...... hehe.
> Put some notes in plain text for other users. -howto-
Security
========
> Zip the stuff.
> When sending by email I suggest you take a temporary hotmail acc.
or another fake account so you will not be traced somehow...
> Why ? : Because you're doing illegal stuff !
> Never use your real id and make sure you did that,
today's cybercops are not all weenies !
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanx
=====
To the boyz and girlz from SoftICE;
the HIEW crew;
the creators of IDA -- great tool --;
everybody I forgot this time;
and last but not least; the Sonic Foundry team who made this possible;-)