=====================================================================
Target : Sonic Foundry XFX1 Plug-In
Version : 1.0c Build 176
Type : Module (dll)
Name : sfppack1.dll
Done by : UmanErrOr
=====================================================================
Stuff for insiders
==================
> Disabled Getsystemtime function callback to jne
> This function is only used at init of each
plugin routine of sfnrpack at startup and en/disables
the trial period after 7 days of
using the plugin ie : installed the plugin.
Why the GetSystemTime function and not the serial/machinecode ?
----------------------------------------------------------------
Like almost all DEMO's, this one has still the lousy
GetSystemTime functioncall in kernel to check if the
trialperiod has been expired. The procedure of reversing
and debugging this event is basicly the same as in other plugins
of SF. However the routines basicly differents, it was a manner
of minutes to find the bug and fix this.
At the beginning I had to choose : or disable the serial
and unlock-key functions; or disable the trial_period function.
While a serialnumber is floating on inet. (thanks to our Russian
friends of the RHA) Remember this is not the unlock-key !!!
The unlock key had to be found or dissabled as a routine,
but changing your machine and also it's machinenumber, makes this
anoying popup for a new unlock-key not go away. :-(
So, a logical option to disable the trialcheck
routine to avoid this problem for the future. :-)
Food for thoughts
=================
> Always remember that in most cases disassembling or
changing the code of a program is considered to be illegal !
> However a normal program should work without bugs,
including nag-screens or dissabled routines.
Serialz are ok, as long as the company wil not abuse your
privacy for any reason with out letting you know.
And believe me, in most cases you don't know !
> Let's say you buy your stuff in a bookshop:
And the bookshop say to you; Hey u have to register here
first, before you have permission to have all of our books here..
We don't do that either, do we ??
Also the garantee of good qualtiy as in most cases of software
are good examples of our believe in manufacturors...
Remember that you always have to pay for updates, the telephonebill
atleast...
> Also; Most people don't have that kind of money asked for this, and
so I prefer paying for what it's worth.
How the job was done
====================
The tools
---------
> IDA version 4.04 (disassembler)
> Hiew (hex-editor)
> SoftICE 4.05 (debugger)
> CodeFusion (patcher)
> Pen and paper
Preliminary work
----------------
> Install the plugin [DEMO] and a host [like WaveLab or Sound Forge]
if you didn't at this point. You can get the DEMO at www.sonicfoundry.com.
> Load SoftICE.
> Disable the taskbar clock and any other prog that could be
using the GetSystemTime call to kernel. [most likely using time routines]
> Run the plugin host.
> Run the prog several times and get the feelz about it.
> read some of the articles about the plugins I wrote about reversing
Sonic Foundry Noise Reduction 2.0 and 2.0a and Arboretum Restoration-NR 1.0.
> Compare the asm routines from these tuts to understand some of the trialtime
checks in those progs.
Let's start
-----------
1 First of all, in category of reversing and debugging, this was a real piece of cake.
If you have not much expirience with reversing, this is a good start.
2 Remember that the last 4 digits of the adresses are significant to remember.
All DLL's are loading dynamicly in memory, so it's different from the offsets in IDA
or whatever you use for a disassembler.
3 Now run the host if you didn't do this until now.
4 Hit Ctrl-D and SoftICE pops up.
5 Enter bpx GetSystemTime
6 Hit Ctrl-D again to hide SoftICE.
7 Now load the plugin fron your host
8 SoftICE pops up and hey; it breaked at a call to GetSystemTime !
9 Now it's time to get pen and paper and write down the line, including the
asm instruction.
10 Hit F12 to go on to the next routine, until you're back in 'sfppack1'
11 Now look for the following test eax, eax and following jz, jnz, je or jne
instructions.
Hit F10 to walk through the code and look what is happening.
12 Stop after each test eax, eax, when your on a jz, jnz, je or jne.
13 Write them down and look if the eax flagg is set [1 or 0] and if it
jumps. ['jmp' or 'no jmp']
14 Go on with this until the plugin is loaded and SoftICE is hidden again.
15 Now you should have a list with all breakpoints and jz, jnz, je or
jne instructions.
16 If you don't know much at asm, the basic rule is that you look if there are
instructions called 2, 3 or more times during startup.
Remember these and mark them on you paper!
17 Now, hit Ctrl-D again and type 'bc*' to disable all breakpoints.
18 Unload the host and change your system date [in configuration screen]
for eg year 2045.
19 Repeat the whole procedure from step 4 and compare the jz, jnz, je or
jne and 'jmp' or 'no jmp' between SoftICE and your paperwork.
20 You will see that after the second GetSystemTime, the first jz wil not
jump and not goes to the xor eax, eax routine.
This is mostlikely the one we have to change :-)
21 So let's try, type (in my case) 'a 167:04ED6B44' and hit Enter.
22 Type 'jnz 04ED6B51' and hit enter again.
23 Hey, it will not jump anymore :-) ok, hit Esc and the coding is done for now.
24 Hit some Ctrl-D' until the plugin is loaded and what do we see ???
25 It's 2045 and we are still in trial period.. :-))
26 Now you may set your systemtime/date back to it' original state, unload
and relaod the plugin again, keep on CtrL-D until it's loaded...And ?
27 I told you; piece of cake huh ?
28 If you are curious about this, just run IDA and find the GetSystemTime calls.
> You will find:
--- s ---
.idata:0044C14C extrn GetSystemTime:dword ; DATA XREF: .text:00446674 ^r << this is what we need to know about
.idata:0044C14C ; sub_44A430+8 ^r
--- es ---
> We find 3 cross references now:
.text:00446674 call ds:GetSystemTime ; Indirect Call Near Procedure
.text:0044A438 call ds:GetSystemTime ; Indirect Call Near Procedure
.text:0044B4F6 jmp ds:GetSystemTime ; Indirect Near Jump
> Now remember the last 4 digits we wrote down on paper, because here we see
the adress-offsets.
> Ok now we have to check all cross references and check the routines to see
- and find our code - doing this you need to think like a compiler and finally
you find the instruction we found in SoftICE.
Hints
-----
> 00446674 > brings you to a sub > go up to the references of this one,
watch the calls and look where it brings you...
> Well have a nice tour, you will shure learn something from that.
> Ok for the lazy ones just do a text search for '6B44'. Remember these last digits ?
> Now hit it !
And we find:
--- s ---
.text:00446B44 jz loc_446B51 ; Jump if Zero (ZF=1)
--- es ---
Hey, that's what we wrote down on paper and changed in SoftICE !!!
In SoftIce it looks like this :
--- s ---
0167:04ED6B44 jz 04ED6B51 (jmp / no jmp)
--- es ---
Notice the difference ?
> Ok, ok this is the routine we are looking for:
; ªªªªªªªªªªªªªªª S U B R O U T I N E ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
.text:00446B20
.text:00446B20
.text:00446B20 sub_446B20 proc near ; CODE XREF: sub_401000+CD ^p
.text:00446B20 ; sub_401000+16A ^p
.text:00446B20 ; .text:00401456 ^p
.text:00446B20 ; .text:004014F1 ^p ...
.text:00446B20
.text:00446B20 var_8 = dword ptr -8
.text:00446B20 var_4 = dword ptr -4
.text:00446B20
.text:00446B20 sub esp, 8 ; Integer Subtraction
.text:00446B23 push ebx
.text:00446B24 push ebp
.text:00446B25 push esi
.text:00446B26 push edi
.text:00446B27 mov edi, ecx
.text:00446B29 mov eax, [edi+4]
.text:00446B2C test eax, eax ; Logical Compare
.text:00446B2E jz loc_446BE0 ; Jump if Zero (ZF=1)
.text:00446B34 call sub_44A430 ; Call Procedure
.text:00446B39 mov ecx, edi
.text:00446B3B mov ebp, eax
.text:00446B3D call sub_447010 ; Call Procedure
.text:00446B42 test eax, eax ; Logical Compare
.text:00446B44 jz short loc_446B51 ; Jump if Zero (ZF=1) < Although there is a possibility to change the asm code in IDA, I will not recommend that.
> Now we start Hiew and make the changes, shall we ?
> Press F5 ant type: '.00446B2E' and hit Enter....
> And we see something like this:
--- s ---
.00446B44: 750B je .000446B51
--- es ---
> Hee, JE ? we thought it was JZ ?
> Well, don't get confused now, some compilers/disassemblers treat a Zero as a result
and some treat Equal [''] as result of comparing two bytes, get it ?
JE = Jump if Equal [as a comparishing result]
JZ = Jump if Zero [as a comparishing result]
In hex that is: - why do we need this ? -
---------------
> Hit F4, choose Hex, and we see:
--- s ---
Adress Hex Ascii
~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~
.00446B30: AC 00 00 00-E8 F7 38 00-00 8B CF 8B-E8 E8 CE 04 ╝ ▐╕8 ∩ñ∩▐▐+
.00446B40: 00 00 85 C0-74 0B 5F 5E-5D 83 C8 FF-5B 83 C4 08 α+t _^]Γ+ [Γ- < Copy this stuff to Notepad, because we need this part !
> Now we go back, Hit F4, Decode.
> Hit F3 [Edit]
> Hit F2 [Asm]
.00446B44: 750B je .000446B51
je 000446B51 Use your arrow keys to 'je' and type 'jne'
> Hit Enter and Esc
The result must be now:
.00446B44: 750B jne .000446B51
> Ok ? Then hit F9 to save it on disk.
> Go back to hex-mode
And this is what you should see:
--- s ---
Adress Hex Ascii
~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~
.00446B30: AC 00 00 00-E8 F7 38 00-00 8B CF 8B-E8 E8 CE 04 ╝ ▐╕8 ∩ñ∩▐▐+
.00446B40: 00 00 85 C0-75 0B 5F 5E-5D 83 C8 FF-5B 83 C4 08 α+u _^]Γ+ [Γ- < Copy this stuff to Notepad, because we need this part too !
> Hit F10 to close Hiew and we take a trial with our program on several dates shall we ?
> If everything works fine we can make the patch now.
> To keep it easy use a patcher like CodeFusion and that's why we saved the hex strings to
Notepad. From here on you should not have much difficulties to make your own release.
Notes
=====
> Before you jump a hole in the air, getting stoned, bothering your girlfriend or whatever,
you should test all your results before spreading the good news on inet.
> Uninstall the plugin (not the DLL you reversed and debugged ofcourse... <;-)
and pretend you are a newbe on this.
> When eveything is fine, then...... hehe.
> Put some notes in plain text for other users. -howto-
Security
========
> Zip the stuff.
> When sending with email I suggest you take a temporarly hotmail acc.
or another fake account so you will not be traced some how...
> Why ? : Because you're doing illegal stuff !
> Never use your real id and make shure you did that,
todays cybercobs are not all weenies !
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanx
=====
To the boyz and girlz from SoftICE;
the HIEW crew;
the creators of IDA -- great tool --;
everybody I forgot this time;
and last but not least; the Sonic Foundry team who made this possible;-)
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXeof