Download Sonic Foundry XFX 1 plugin v1.0c b 176

Added to site: 2002-12-31

Archive: sonicfoundryxfx1pluginv1.0cb176.zip (20524 bytes)

name             size    compressed
uer_sfp10c.exe   18134   15166
Watodo.nfo       0       0
CrackStory.nfo   13243   4998

Watodo.nfo is empty; the text of CrackStory.nfo follows.

CrackStory.nfo

=====================================================================
Target  : Sonic Foundry XFX1 Plug-In
Version : 1.0c Build 176
Type : Module (dll)
Name : sfppack1.dll

Done by : UmanErrOr

=====================================================================


Stuff for insiders
==================

> Changed the conditional jump that follows the GetSystemTime call to jne.
> That call is only made when each plugin routine of sfnrpack is
  initialised at startup; it is what enables/disables the trial period
  after 7 days of using the plugin, i.e. counted from the day the plugin
  was installed.



Why the GetSystemTime function and not the serial/machinecode ?
----------------------------------------------------------------

Like almost all DEMOs, this one still has the lousy
GetSystemTime call into the kernel to check whether the
trial period has expired. The procedure of reversing
and debugging this event is basically the same as in other plugins
of SF. Although the routines differ in the details, it was a matter
of minutes to find the bug and fix it.

At the beginning I had to choose: either disable the serial
and unlock-key functions, or disable the trial-period function.
A serial number is floating around on the net (thanks to our Russian
friends of the RHA). Remember this is not the unlock key !!!
The unlock key had to be found or disabled as a routine,
but changing your machine, and with it its machine number, does not make
this annoying popup for a new unlock key go away. :-(
So, the logical option was to disable the trial-check
routine to avoid this problem in the future. :-)


Food for thoughts
=================

> Always remember that in most cases disassembling or
  changing the code of a program is considered to be illegal !

> However, a normal program should work without bugs,
  including nag-screens or disabled routines.
  Serialz are ok, as long as the company will not abuse your
  privacy for any reason without letting you know.
  And believe me, in most cases you don't know !

> Let's say you buy your stuff in a bookshop:
  And the bookshop says to you: Hey, you have to register here
  first, before you have permission to have all of our books here..
  We don't do that either, do we ??
  Also the guarantee of good quality, as in most cases of software,
  is a good example of our belief in manufacturers...
  Remember that you always have to pay for updates, the telephone bill
  at least...

> Also: most people don't have that kind of money asked for this, and
  so I prefer paying for what it's worth.


How the job was done
====================


The tools
---------
> IDA version 4.04 (disassembler)
> Hiew (hex-editor)
> SoftICE 4.05 (debugger)
> CodeFusion (patcher)
> Pen and paper


Preliminary work
----------------
> Install the plugin [DEMO] and a host [like WaveLab or Sound Forge]
  if you haven't already. You can get the DEMO at www.sonicfoundry.com.
> Load SoftICE.
> Disable the taskbar clock and any other prog that could be
  using the GetSystemTime call to the kernel. [most likely anything using time routines]
> Run the plugin host.
> Run the prog several times and get the feelz about it.
> Read some of the articles I wrote about reversing the plugins
  Sonic Foundry Noise Reduction 2.0 and 2.0a and Arboretum Restoration-NR 1.0.
> Compare the asm routines from those tuts to understand some of the trial-time
  checks in those progs.


Let's start
-----------
1 First of all, in the category of reversing and debugging, this was a real piece of cake.
  If you don't have much experience with reversing, this is a good start.

2 Remember that the last 4 digits of the addresses are the significant ones to remember.
  All DLLs are loaded dynamically in memory, so the addresses differ from the offsets in IDA
  or whatever disassembler you use.

3 Now run the host if you didn't do this until now.

4 Hit Ctrl-D and SoftICE pops up.

5 Enter bpx GetSystemTime

6 Hit Ctrl-D again to hide SoftICE.

7 Now load the plugin from your host.

8 SoftICE pops up and hey; it broke at a call to GetSystemTime !

9 Now it's time to get pen and paper and write down the line, including the
  asm instruction.

10 Hit F12 to go on to the next routine, until you're back in 'sfppack1'.

11 Now look for the following test eax, eax and the jz, jnz, je or jne
   instruction that follows it.
   Hit F10 to walk through the code and look at what is happening.

12 Stop after each test eax, eax, when you're on a jz, jnz, je or jne.

13 Write them down and note whether the eax flag is set [1 or 0] and whether it
   jumps. ['jmp' or 'no jmp']

14 Go on with this until the plugin is loaded and SoftICE is hidden again.

15 Now you should have a list with all breakpoints and jz, jnz, je or
   jne instructions.

16 If you don't know much asm, the basic rule is to look for
   instructions that are hit 2, 3 or more times during startup.
   Remember these and mark them on your paper!

17 Now, hit Ctrl-D again and type 'bc*' to disable all breakpoints.

18 Unload the host and change your system date [in the configuration screen]
   to, for example, the year 2045.

19 Repeat the whole procedure from step 4 and compare the jz, jnz, je or
   jne and 'jmp' or 'no jmp' between SoftICE and your paperwork.

20 You will see that after the second GetSystemTime, the first jz will not
   jump and does not go to the xor eax, eax routine.
   This is most likely the one we have to change :-)

21 So let's try, type (in my case) 'a 167:04ED6B44' and hit Enter.

22 Type 'jnz 04ED6B51' and hit enter again.

23 Hey, it will not jump anymore :-) ok, hit Esc and the coding is done for now.

24 Hit some Ctrl-D' until the plugin is loaded and what do we see ???

25 It's 2045 and we are still in trial period.. :-))

26 Now you may set your system time/date back to its original state, unload
   and reload the plugin again, keep hitting Ctrl-D until it's loaded... And ?

27 I told you; piece of cake huh ?

28 If you are curious about this, just run IDA and find the GetSystemTime calls.

> You will find:

--- s ---
.idata:0044C14C     extrn GetSystemTime:dword ; DATA XREF: .text:00446674 ^r << this is what we need to know about
.idata:0044C14C                               ; sub_44A430+8 ^r
--- es ---

> We find 3 cross references now:
.text:00446674                 call    ds:GetSystemTime ; Indirect Call Near Procedure
.text:0044A438                 call    ds:GetSystemTime ; Indirect Call Near Procedure
.text:0044B4F6                 jmp     ds:GetSystemTime ; Indirect Near Jump

> Now remember the last 4 digits we wrote down on paper, because here we see
  the address offsets.

> Ok, now we have to check all cross references and the routines they lead to,
  to find our code. Doing this you need to think like a compiler, and finally
  you find the instruction we found in SoftICE.


Hints
-----

> 00446674 > brings you to a sub > go up to the references of this one,
  watch the calls and look where it brings you...

> Well, have a nice tour, you will surely learn something from that.

> Ok, for the lazy ones: just do a text search for '6B44'. Remember those last digits ?

> Now hit it !

And we find:

--- s ---
.text:00446B44                 jz      loc_446B51      ; Jump if Zero (ZF=1)
--- es ---

Hey, that's what we wrote down on paper and changed in SoftICE !!!
In SoftIce it looks like this :

--- s ---
0167:04ED6B44                  jz      04ED6B51        (jmp / no jmp)
--- es ---

Notice the difference ?

> Ok, ok  this is the routine we are looking for:

 ; =============== S U B R O U T I N E =======================================
.text:00446B20 
.text:00446B20 
.text:00446B20 sub_446B20   proc near               ; CODE XREF: sub_401000+CD ^p
.text:00446B20                                      ; sub_401000+16A ^p
.text:00446B20                                      ; .text:00401456 ^p
.text:00446B20                                      ; .text:004014F1 ^p ...
.text:00446B20 
.text:00446B20 var_8        = dword ptr -8
.text:00446B20 var_4        = dword ptr -4
.text:00446B20 
.text:00446B20              sub     esp, 8          ; Integer Subtraction
.text:00446B23              push    ebx
.text:00446B24              push    ebp
.text:00446B25              push    esi
.text:00446B26              push    edi
.text:00446B27              mov     edi, ecx
.text:00446B29              mov     eax, [edi+4]
.text:00446B2C              test    eax, eax        ; Logical Compare
.text:00446B2E              jz      loc_446BE0      ; Jump if Zero (ZF=1)
.text:00446B34              call    sub_44A430      ; Call Procedure
.text:00446B39              mov     ecx, edi
.text:00446B3B              mov     ebp, eax
.text:00446B3D              call    sub_447010      ; Call Procedure
.text:00446B42              test    eax, eax        ; Logical Compare
.text:00446B44              jz      short loc_446B51 ; Jump if Zero (ZF=1)
                                                     ; < Although it is possible to change the asm code in IDA, I would not recommend that.

> Now we start Hiew and make the changes, shall we ?

> Press F5 and type: '.00446B2E' and hit Enter....

> And we see something like this:


--- s ---
.00446B44: 750B                 je       .000446B51
--- es ---

> Hey, JE ? We thought it was JZ ?

> Well, don't get confused now: some compilers/disassemblers treat a Zero as the result
  and some treat Equal as the result of comparing two bytes, get it ?

  JE = Jump if Equal [as a comparison result]
  JZ = Jump if Zero [as a comparison result]

 
In hex that is:  - why do we need this ? -
---------------

> Hit F4, choose Hex, and we see:

--- s ---
  Address                        Hex                              Ascii
~~~~~~~~~~  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  ~~~~~~~~~~~~~~~~
.00446B30:  AC 00 00 00-E8 F7 38 00-00 8B CF 8B-E8 E8 CE 04  ╝   ▐╕8  ∩ñ∩▐▐+ 

.00446B40:  00 00 85 C0-74 0B 5F 5E-5D 83 C8 FF-5B 83 C4 08    α+t _^]Γ+ [Γ-  <  Copy this stuff to Notepad, because we need this part !

> Now we go back, Hit F4, Decode.

> Hit F3 [Edit]

> Hit F2 [Asm]

.00446B44: 750B                         je      .000446B51

je       000446B51        Use your arrow keys to 'je' and type 'jne'

> Hit Enter and Esc

The result must be now:

.00446B44: 750B                         jne      .000446B51

> Ok ? Then hit F9 to save it on disk.

> Go back to hex-mode

And this is what you should see:

--- s ---
  Address                        Hex                              Ascii
~~~~~~~~~~  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  ~~~~~~~~~~~~~~~~
.00446B30:  AC 00 00 00-E8 F7 38 00-00 8B CF 8B-E8 E8 CE 04  ╝   ▐╕8  ∩ñ∩▐▐+ 

.00446B40:  00 00 85 C0-75 0B 5F 5E-5D 83 C8 FF-5B 83 C4 08    α+u _^]Γ+ [Γ-   < Copy this stuff to Notepad, because we need this part too !

> Hit F10 to close Hiew, and let's take a trial run of our program on several dates, shall we ?

> If everything works fine we can make the patch now.

> To keep it easy, use a patcher like CodeFusion; that's why we saved the hex strings to
  Notepad. From here on you should not have much difficulty making your own release.
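As an added, defender-side example that is not part of the original NFO: a small Python checker that parses Hiew-style hex-dump rows (the two rows above, reproduced here without the ASCII column as constructed input), resolves the short jump's target from its rel8 displacement to confirm it really is the branch to loc_446B51, and reports whether the `test eax, eax / jz` pair at .00446B42 is still intact or has been flipped to `jnz`. This is the byte-level integrity check a vendor or an incident responder would run against a shipped copy of the DLL to tell an original from a tampered one. The hex values and addresses are the page's own; the function names are my own. It also settles the JE/JZ question above: Hiew's `je` and IDA's `jz` are the same opcode, 0x74, and `jne`/`jnz` is 0x75.

```python
import hashlib
import re

# Constructed sample input: the two Hiew rows shown in the walkthrough,
# without the ASCII column. The row at .00446B40 holds "test eax, eax / jz short".
ORIGINAL_DUMP = """\
.00446B30:  AC 00 00 00-E8 F7 38 00-00 8B CF 8B-E8 E8 CE 04
.00446B40:  00 00 85 C0-74 0B 5F 5E-5D 83 C8 FF-5B 83 C4 08
"""

# The same rows as they look after the patch described above (74 -> 75 at .00446B44).
PATCHED_DUMP = """\
.00446B30:  AC 00 00 00-E8 F7 38 00-00 8B CF 8B-E8 E8 CE 04
.00446B40:  00 00 85 C0-75 0B 5F 5E-5D 83 C8 FF-5B 83 C4 08
"""

# One Hiew row: ".XXXXXXXX:" then hex pairs separated by a space or a dash.
# A trailing ASCII column starts after a double space, so it is never matched.
HIEW_ROW = re.compile(r"^\.([0-9A-Fa-f]{8}):\s+((?:[0-9A-Fa-f]{2}[ -])*[0-9A-Fa-f]{2})")


def parse_hiew_dump(text):
    """Parse contiguous Hiew-style rows into (base_address, bytes)."""
    base = None
    data = bytearray()
    for line in text.splitlines():
        m = HIEW_ROW.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != base + len(data):
            raise ValueError(f"non-contiguous row at {addr:#010x}")
        data += bytes.fromhex(re.sub(r"[ -]", "", m.group(2)))
    if base is None:
        raise ValueError("no Hiew rows found")
    return base, bytes(data)


# x86 encodings at .00446B42: "test eax, eax" is 85 C0, followed by a 2-byte
# short conditional jump. 0x74 is jz (Hiew prints it as je: same opcode),
# 0x75 is jnz/jne, which is what the patch writes.
TEST_EAX_JZ = bytes.fromhex("85C0740B")
TEST_EAX_JNZ = bytes.fromhex("85C0750B")


def short_jump_target(base, data, va):
    """Resolve a 2-byte short jz/jnz at virtual address va: target = va + 2 + rel8."""
    off = va - base
    opcode, rel8 = data[off], data[off + 1]
    if opcode not in (0x74, 0x75):
        raise ValueError(f"no short jz/jnz at {va:#010x}")
    rel = rel8 - 0x100 if rel8 & 0x80 else rel8  # rel8 is a signed displacement
    return va + 2 + rel


def check_trial_branch(dump_text, va=0x00446B42):
    """Classify the test/jump pair at va as 'intact', 'tampered' or 'unknown'."""
    base, data = parse_hiew_dump(dump_text)
    off = va - base
    seq = data[off:off + 4]
    if seq == TEST_EAX_JZ:
        return "intact"
    if seq == TEST_EAX_JNZ:
        return "tampered"
    return "unknown"


def fingerprint(dump_text):
    """SHA-256 of the dumped bytes: a single flipped byte changes it completely."""
    return hashlib.sha256(parse_hiew_dump(dump_text)[1]).hexdigest()


if __name__ == "__main__":
    for name, dump in (("original", ORIGINAL_DUMP), ("patched", PATCHED_DUMP)):
        base, data = parse_hiew_dump(dump)
        target = short_jump_target(base, data, 0x00446B44)
        print(f"{name}: {check_trial_branch(dump)}, jump -> {target:#010x}, "
              f"sha256 {fingerprint(dump)[:16]}...")
```

Run it and the original rows report `intact` with the jump resolving to 0x00446b51 (matching IDA's loc_446B51), while the patched rows report `tampered` with a different fingerprint; the opcode byte is the only difference between the two dumps.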


Notes
=====

> Before you jump a hole in the air, getting stoned, bothering your girlfriend or whatever,
  you should test all your results before spreading the good news on the net.
> Uninstall the plugin (not the DLL you reversed and debugged, of course... <;-)
  and pretend you are a newbie at this.
> When everything is fine, then...... hehe.
> Put some notes in plain text for other users. -howto-


Security
========
> Zip the stuff.
> When sending with email I suggest you take a temporary hotmail acc.
  or another fake account so you will not be traced somehow...
> Why ? : Because you're doing illegal stuff !

> Never use your real id and make sure you did that,
  today's cybercops are not all weenies !


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanx
=====

To the boyz and girlz from SoftICE;
the HIEW crew;
the creators of IDA -- great tool --;
everybody I forgot this time;

and last but not least; the Sonic Foundry team who made this possible;-)

