WARNING: softSENTRY is a SCAM

Windows developers, DO NOT purchase 20/20 Software's outrageously priced ($695) softSENTRY utility. The package IS A SCAM. Before reading the below document I found on the Web, understand that DLL- and component-based copy protection systems are inherently easy to crack. (softSENTRY incorporates a DLL-based protection as one of its options, in addition to direct .exe "protection".) Also understand that utilities such as Shrinker and WWPack are only useful for compression, NOT protection from reverse engineering. EXE-compressors are notorious for being easy to crack.

Do you want me to convince you? http://209.44.62.170/pir8/files/ak.html provides cracks for Vbox, SalesAgent, softSENTRY, TimeLock, and many other copy protection schemes. (Yes, the much overbloated Vbox is now WORTHLESS as a copy protection system.) For cracks of just about any EXE-compressor/encryptor you can think of (including WWPack32, Protect!, and Shrinker), visit http://www.nettaxi.com/citizens/caligo/main.htm. Yes, you can also forget about using Shrinker or WWPack to protect your app's code. They are both absolutely WORTHLESS in that respect as well. Cracks for them are now everywhere on the Web.

-----------------------
e-mail: LSD-LSD@usa.net
-----------------------

Hello out there. I am somewhat of a newbie at cracking (with some knowledge of assembly) but thought I'd try my luck at a commercial protection scheme for one of my first cracks. I will show you how to crack an extremely stupid, ready-made protection scheme, softSENTRY 2.07 from 20/20 Software. Download the trial version (itself extremely easy to crack) from http://www.twenty.com/pgs/dlidx.html.

This software allows zombie programmers (who, IMHO, do not deserve to be called programmers if they have fallen for this disgustingly bogus protection) to "automatically" convert their FULL programs to "protected" trial versions. Sounds like a snake oil vendor, right? It is precisely that: bogus commercialism at its very best.
(This crappy, $695 piece of junk really is worth only ten bucks. I have encountered far better utilities priced five times less.)

Okay, what tools do we need to crack softSENTRY?

- Numega's Soft-Ice
- a good hex-editor

I will not show you how to crack the demo of softSENTRY, because the process is boringly easy to do. (Do it yourself! Tip: Delete c:\windows\system\ss.drv and the "magic key" located at HKEY_CLASSES_ROOT\{XXXXXXXXXX} to restore the trial period.) I shall, however, show how to murder its weak protection scheme! (By the way, the fact that softSENTRY's own protection is so weak indicates a lot about the quality of the product itself!!)

Prepare a test target by protecting some small program like Notepad in order to disassemble the process and watch how softSENTRY "works". For disassembly, we will utilize SoftIce because W32Dasm89 seemed to crash when I attempted to load the target.

The protected file and the original file have different sizes. "Clever", you would have thought, as I did, "Maybe there's some encryption and variable random protection scheme inside the target." Well, you're in for quite a surprise. Now hold your breath; THIS IS THE ENTRY POINT FOR ALL PROTECTED FILES:

:004B066F CC          int 03
:004B0670 55          push ebp
:004B0671 8BEC        mov ebp,esp
:004B0673 83EC48      sub esp,00000048
:004B0676 53          push ebx
:004B0677 56          push esi
:004B0678 57          push edi
:004B0679 E950000000  jmp 004B06CE      ; This is a very strange jump, wouldn't you say?
:004B067E 0000        add [eax],al
:004B0680 7006        jo 004B0688

All protected files possess the same pattern, with the exact same JMP (coded as E950000000)! This is very fortunate for us; it means that searching any "protected" file for the pattern

   { 55 8B EC 83 EC 48 53 56 57 E9 50 00 00 00 }

will give us the entry point of the program and indicate to us that the program has been "protected" with softSENTRY! (Has your jaw hit the floor yet?) Yes, softSENTRY is very silly.
The very insolent JMP 004B06CE points the EIP to the actual protection routine. The routine then jumps depending on the "protection" scheme the programmer specified for use: time limit, splash, etc. Read carefully:

00093C82: 8B4508        mov eax,[ebp][00008]
00093C85: 50            push eax
00093C86: 68A0324B00    push 004B32A0
00093C8B: FF156C744B00  call [0004B746C]
00093C91: E88A000000    call 001279B1     ; THIS CALL LOADS THE RESOURCES OF THE MAIN PROGRAM!
00093C96: E825000000    call 00127956     ; THIS CALL WILL RUN THE MAIN PROGRAM!
00093C9B: 8B45B8        mov eax,[ebp][0FFB8]
00093C9E: 50            push eax
00093C9F: FF15E4734B00  call [0004B73E4]

(If the protection fails, you will land at 00093C9B.)

The two calls at 00093C91 and 00093C96 load the FULL program completely free of all nag, splash, time-limit, etc. functions that have been chosen. If you compare the above source with any other "protected" program, you will see that both calls are ALWAYS coded as:

   E8 8A 00 00 00   E8 25 00 00 00
      1st Call         2nd Call

Now we can write a general crack for this amazingly retarded protection scheme. Simply replace the first jump (coded as E950000000) with the code of the two calls, which, again, is always E88A000000 E825000000.

1) Search for:

   { 55 8B EC 83 EC 48 53 56 57 E9 50 00 00 00 }
                                ^^^^^^^^^^^^^^ (This is the jump.)

2) Replace it with E8A2040000 E83D040000. Note that the two calls have been recalculated accordingly but remain the same. (Track them with your debugger!)

So, cracking a softSENTRY-"protected" application is only a matter of switching a few bytes. I certainly wouldn't pay $695 for some silly "protection" that took me only 10 minutes to crack!

-----== Posted via Deja News, The Leader in Internet Discussion ==-----
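The signature scan and byte patch the post describes, worked through as an added Python example. This is not the poster's code and it does not touch a real softSENTRY-protected file: it runs on a constructed byte buffer, assumes a linear file-offset-to-virtual-address mapping with the stub placed at the post's address 004B0670 (the image base 004B0660 is the example's own choice), and takes the two call targets by decoding the post's replacement bytes E8A2040000 E83D040000 at that address. The function names and the sample buffer are assumptions of the example, not anything from the post. It also shows the rel32 arithmetic behind "recalculated accordingly": a 5-byte E8/E9 encodes target minus (site + 5), so moving a call to a new site means re-encoding its displacement.

```python
"""Signature scan and rel32 re-encoding for a softSENTRY-style entry stub.

Added example, not code from the post.  The input is a constructed buffer,
and the file-offset to virtual-address mapping is assumed to be linear.
"""
import struct

# The 14-byte entry pattern the post reports in every protected file:
#   55 8B EC 83 EC 48 53 56 57   push ebp / mov ebp,esp / sub esp,48 / push ebx,esi,edi
#   E9 50 00 00 00               jmp +0x50 into the protection routine
SIGNATURE = bytes.fromhex("558BEC83EC48535657E950000000")
JMP_OFFSET = 9          # offset of the E9 inside SIGNATURE
INSN_LEN = 5            # E8/E9 rel32 instructions are 5 bytes

# Replacement the post gives for the jmp: the two calls with recalculated displacements
POST_REPLACEMENT = bytes.fromhex("E8A2040000E83D040000")
# The same two calls as they sit in the protection routine (site, displacement), per the post
ORIG_CALLS = [(0x00093C91, 0x8A), (0x00093C96, 0x25)]

# Assumed image base for the constructed sample, chosen so the stub lands at 004B0670
IMAGE_BASE = 0x004B0660
# Constructed sample (not a real protected file): filler, the int3, the stub, the dead
# bytes (00 00 / 70 06) the post shows after the jmp, more filler.
SAMPLE = b"\x90" * 15 + b"\xCC" + SIGNATURE + bytes.fromhex("00007006") + b"\x90" * 32


def rel32(site, target):
    """Displacement field for a 5-byte E8/E9 at VA `site` reaching VA `target`."""
    return (target - (site + INSN_LEN)) & 0xFFFFFFFF


def target_of(site, disp):
    """Where a 5-byte E8/E9 at VA `site` with displacement `disp` lands (inverse of rel32)."""
    return (site + INSN_LEN + disp) & 0xFFFFFFFF


def encode_call(site, target):
    """Bytes of `call target` when the instruction is placed at VA `site`."""
    return b"\xE8" + struct.pack("<I", rel32(site, target))


def decode_targets(code, site):
    """Targets of consecutive E8/E9 rel32 instructions in `code` placed at VA `site`."""
    targets = []
    for i in range(0, len(code) - INSN_LEN + 1, INSN_LEN):
        disp = struct.unpack("<i", code[i + 1:i + INSN_LEN])[0]
        targets.append(target_of(site + i, disp))
    return targets


def find_entry_stubs(data):
    """File offsets of every occurrence of the entry-stub pattern."""
    hits, pos = [], data.find(SIGNATURE)
    while pos != -1:
        hits.append(pos)
        pos = data.find(SIGNATURE, pos + 1)
    return hits


def patch_entry_stub(data, image_base, call_targets):
    """Replace the stub's jmp with direct calls to `call_targets`, re-encoding each rel32
    for its new site.  Two calls need 10 bytes, so the 5 bytes after the jmp are
    overwritten too, exactly as the post's replacement does.  Returns (patched, sites)."""
    out = bytearray(data)
    sites = []
    for off in find_entry_stubs(data):
        site = off + JMP_OFFSET
        if site + INSN_LEN * len(call_targets) > len(out):
            continue                      # pattern truncated at end of buffer: skip, don't overrun
        new_code = b"".join(encode_call(image_base + site + i * INSN_LEN, t)
                            for i, t in enumerate(call_targets))
        out[site:site + len(new_code)] = new_code
        sites.append(image_base + site)
    return bytes(out), sites


if __name__ == "__main__":
    jmp_va = IMAGE_BASE + find_entry_stubs(SAMPLE)[0] + JMP_OFFSET
    targets = decode_targets(POST_REPLACEMENT, jmp_va)
    patched, sites = patch_entry_stub(SAMPLE, IMAGE_BASE, targets)
    print("jmp at %08X -> calls to %s" % (jmp_va, ["%08X" % t for t in targets]))
    print("patched bytes:", patched[sites[0] - IMAGE_BASE:][:10].hex().upper())
    # The displacements in the routine's listing and in the relocated copy imply
    # targets the same distance apart, which is what "recalculated but the same" means.
    orig_targets = [target_of(s, d) for s, d in ORIG_CALLS]
    print("spacing in listing: %#x, after relocation: %#x"
          % (orig_targets[0] - orig_targets[1], targets[0] - targets[1]))
```

The scan returns every hit rather than the first, so a file with the pattern in more than one place is reported rather than silently half-patched, and a pattern cut off at the end of the buffer is skipped instead of written past the end. Because the patch is computed from virtual addresses, the same routine works for any stub address once the offset-to-VA mapping for the real file is known; on a genuine PE that mapping comes from the section headers, which this example does not parse.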
qweasd123@my-dejanews.com