MKS toolkit revisited
continuing drlan's work
student
Not Assigned
25 July 1998
by bb
Courtesy of Fravia's page of reverse engineering
slightly edited
by fravia+
fra_00xx
980715
bb
0100
NA
PC
Well, another essay by bb, that shows you how to use your windows' knowledge to fool windows' targets into doing anything you want. I would advice you to read first bb's other (very good) essay about nag screen reversing techniques.
There is a crack, a crack in everything That's how the light gets in
Rating
( )Beginner ( )Intermediate ( )Advanced ( )Expert

When cracking a plentitude of targets all obstructed in the same fashion, it's useful to find a common link. This essay finds the common link in 150-or-so tools within the MKS Toolkit, and offers a easy solution to the problem without having to modify all the individual tools.
MKS Toolkit revisited
continuing drlan's work
Written by bb


Introduction
Well, drlan seems to have already done this, but I didn't like the method. He went about cracking each of over a hundred executables to ignore the date check and the nag. I'm a lazy sonofabitch, that sounds like too much work for me. He had requested at the end of his essay for someone to look into making a generic patcher for all the EXEs. I'll go about doing this a different way, I think (I hope) a somewhat more "elegant" and "just" crack. The goal here is: find a way to crack all 150 executables without having to change them all.

Tools required
LCC
HIEW


Target's URL/FTP
MKS Toolkit 6.1 (for Intel platforms)

Program History
For more information, feel free to read drlan's essay.

Essay
So let's start with what we already know from Drlan's essay. There's a 30-day time limit and a nag screen. Each program individually checks for the 30-day time limit, and each calls a CreateProcess to run MKSDEMO.EXE, which contains the nag. Well, the nag will be pretty simple to get rid of, then. Just re-write MKSDEMO.EXE to exit silently, right?

Well, not quite. We also need to fool the caller a bit. Let's take a look at that EnumWindows call that Drlan mentions. For our purposes, it's important. (I'm using the VIW.EXE as our little test proggie.)

Inside the callback function of the EnumWindows, we have: 


00017747: 8B7508                       mov    esi,[ebp][00008]

0001774A: 6AEB                         push   0EB

0001774C: 56                           push   esi

0001774D: FF15F8B64300                 call   GetWindowLongA ;USER32.dll

00017753: 3DEBED0900                   cmp    eax,00009EDEB

00017758: 7533                         jne   .00001778D   ---------- (1)

0001775A: 8D459C                       lea    eax,[ebp][-0064]

0001775D: 6A64                         push   064

0001775F: 50                           push   eax

00017760: 56                           push   esi

00017761: FF1538B84300                 call   GetWindowTextA ;USER32.dll

00017767: 8D4D9C                       lea    ecx,[ebp][-0064]

0001776A: 68BCEB4200                   push   00042EBBC ; "MKS Toolkit Demo"

0001776F: 51                           push   ecx

00017770: E8BB540000                   call  .00001CC30   ---------- (2)

00017775: 83C408                       add    esp,008

00017778: 85C0                         test   eax,eax

0001777A: 7511                         jne   .00001778D   ---------- (3)

Ok, we start with a GetWindowLong(arg_8, 0xeb). The 0eb is most probably for the USERDATA. (check your header files if you're unsure..) That would mean the CMP right before jmp#1 is a magic number that our window needs to have in it's userdata. Once it passes that, we have a GetWindowText, which will pull our the window title into the buffer at ebp-64. That buffer, along with an argument @ 42eBBc which just so happens to be the text "MKS Toolkit Demo", gets passed to call#2, so we can guess that's the strcmp.

So we've got to fool this guy with two things: our userdata section has to have the magic number 0x09edeb in it, and our window needs to be called "MKS Toolkit Demo". Right on, let's write some code.

I'm using LCC, so some particulars apply differently to the compiler that you may choose. I've got code that looks like: 


#include <win.h>

main()

{

HWND hwnd;



hwnd=CreateWindow(

"STATIC" /* lpClassName */,

"MKS Toolkit Demo" /* lpWindowName */,

WS_DISABLED|WS_POPUP /* dwStyle */,

0 /* x */,

0 /* y */,

0 /* nWidth */,

0 /* nHeight */,

NULL /* hWndParent */,

NULL /* hMenu */,

NULL /* hInstance */,

0 /* lParam */ );



if (hwnd==NULL) {

  printf("no hwnd\n");

  exit(-1);

  }

SetWindowLong(hwnd,GWL_USERDATA,0x0009edeb);

SetWindowText(hwnd,"MKS Toolkit Demo");

Sleep(1000);

exit(0);

}
We create a window of no size, set the appropriate magic number and window text, then sleep for a short time, allowing our MKS executable to find us and bypass the evil message about being unable to start MKSDEMO.EXE... Compile this and link it with "-subsystem windows", replace the old MKSDEMO.EXE, and you've got no more nag. Now let's move on to the time limit.

What do we have here? Well, we've got a registry value in HKEY_LOCAL_MACHINE called SOFTWARE\Mortice Kern Systems\Toolkit\DemoVersion\DemoNumber which contains some number that represents the software install date, and then we've got another routine that comes along with a GetSystemTime and produces a similar number. A comparison between these two numbers is done, and if it just so happens to differ beyond 0x278d00, or thirty days, the executable refuses to work.

My first thought was to hook the RegQueryValueEx API function to check if we're looking for that registry key, and if we are, do a GetSystemTime and return the appropriate juju. That would probably work, though it would mean we'd need some sort of setup program for MKS to initialize the hook, and that just seems sloppy.

But then it occurred to me, since every executable is calling MKSDEMO, why can't we just have MKSDEMO update the key to the current time everytime a MKS tool is run? After I stopped giggling (for some reason, I found this intensely funny), I realized that this was justice preserved. MKS went through all this trouble to make it hard on us, and here we are using the mechanism of their own obstructionist tactics against them.

So our object now is to figure out how the number in the registry key is developed from GetSystemTime, and then to put that code into our own MKSDEMO.C. Our install time in DemoNumber will get updated to the current time and our 30-day trial will consistently renew itself whenever we run an MKS tool.

At 4175e0 we have our call to RegQueryValueEx, and there's a call to 423420 shortly thereafter, which has our GetSystemTime in it. The function at 423420 returns the number we want in eax, so we've got to reverse this routine. We need to remember the SYSTEMTIME structure, so follow along. (In this code, the WORDs of the structure get shoved into the DWORDs of the registers. Many times the WORD in the high part of the DWORD gets masked out, sometimes it doesn't; the high WORD never matters, though, so I'm ignoring it in the comments.) 


typedef struct _SYSTEMTIME {

    WORD wYear; 	// 0x10

    WORD wMonth;	// 0x0e

    WORD wDayOfWeek; 	// 0x0c

    WORD wDay; 		// 0x0a

    WORD wHour; 	// 0x08

    WORD wMinute; 	// 0x06

    WORD wSecond; 	// 0x04

    WORD wMilliseconds; // 0x02

} SYSTEMTIME;

The fairly long code snippet looks like: 


00023420: 55                           push   ebp

00023421: 8BEC                         mov    ebp,esp

00023423: 83EC10                       sub    esp,010

00023426: 53                           push   ebx

00023427: 56                           push   esi ; save regs

00023428: 8D45F0                       lea    eax,[ebp][-0010]

0002342B: 57                           push   edi ; save edi

0002342C: 50                           push   eax

0002342D: FF1590B64300                 call   GetSystemTime ; ebp-10=Systemtime

00023433: 8B5DF2                       mov    ebx,[ebp][-000E] ; ebx=wMonth

00023436: 8B45F0                       mov    eax,[ebp][-0010] ; eax=wYear

00023439: 8BCB                         mov    ecx,ebx

0002343B: 8B55F6                       mov    edx,[ebp][-000A] ; edx=wDay

0002343E: 81E1FFFF0000                 and    ecx,00000FFFF

00023444: 4A                           dec    edx ; wDay--

; the table in 42f73e is

;   int mon2day[14]={ 0x0, 0x0, 0x1f, 0x3b, 0x5a, 0x78, 0x97, 0xb5,

;                     0xd4, 0xf3, 0x111, 0x130, 0x14e, 0x16d };

; which, given a month, gives us the number of days for each month since Jan 01

00023445: 668B344D3EF74200             mov    si,[00042F73E][ecx]*2 ; si=mon2day[ecx]

0002344D: 8D8844F8FFFF                 lea    ecx,[eax][0FFFFF844] ;ecx=edi-1980

00023453: 8BF9                         mov    edi,ecx ; edi=wYear-1980

00023455: 6603F2                       add    si,dx ; si += wDay

; si now = the number of days into the year from Jan 01, discounting the leap year

; so we should expect a leap calculation now

00023458: 81E7FFFF0000                 and    edi,00000FFFF

0002345E: 8BC7                         mov    eax,edi ; eax=wYear-1980

00023460: 99                           cdq ; edx=0, (usually a precursor to a modulo?)

00023461: 33C2                         xor    eax,edx

00023463: 2BC2                         sub    eax,edx

00023465: 83E003                       and    eax,003 ; eax = wYear % 3

00023468: 33C2                         xor    eax,edx

0002346A: 2BC2                         sub    eax,edx

0002346C: 7507                         jne   .000023475 ; if we're not in a leap year, jump

0002346E: 6683FB02                     cmp    bx,002 ; if we're not past February yet,

00023472: 7601                         jbe   .000023475 ; jump

00023474: 46                           inc    esi ; add a day

; our leap year calculation is done

00023475: 8D14C9                       lea    edx,[ecx][ecx]*8 ; edx=9*(wYear-1980)

00023478: 8D4703                       lea    eax,[edi][00003] ; eax=(wYear-1980)+3 (+3?)

0002347B: 8D0CD1                       lea    ecx,[ecx][edx]*8 ; ecx=73*(wYear-1980)

; 73 is an important number, 73 * 5 = 365, we should see that nearby

0002347E: 99                           cdq ; edx =0

0002347F: 8BD9                         mov    ebx,ecx

00023481: 83E203                       and    edx,003

00023484: 03DE                         add    ebx,esi ; ebx=(73(wYear-1980)+#days)

00023486: 03C2                         add    eax,edx 

00023488: C1F802                       sar    eax,002 ; eax=(wYear+3)/4

; this eax will be used to calculate how many leap days have past

0002348B: 8D0C8B                       lea    ecx,[ebx][ecx]*4 ; ecx=73*5*wYear+si=365wYear+si

; Here's our 365 days a year we're calculating since 1980

0002348E: 8D8408440E0000               lea    eax,[eax][ecx][000000E44]

; and here we have an adjustment for 3652 days, about 10 years-ish, 1970-ish instead of

; 1980, plus an adjustment for leap days past

; our #days calculation is now complete.

; we need #days * 24 hrs a day * 60 mins an hour * 60 seconds a min

; to compute it in seconds.. We'll see it here.

00023495: 25FFFF0000                   and    eax,00000FFFF

0002349A: 8D1440                       lea    edx,[eax][eax]*2 ; edx=3*#days

0002349D: 8B45F8                       mov    eax,[ebp][-0008] ; eax=whour

000234A0: 25FFFF0000                   and    eax,00000FFFF

000234A5: 8D04D0                       lea    eax,[eax][edx]*8 ; edx=8*3*#days+wHour

; 24 hrs in a day + wHour here, gives us eax = total # of hours so far since begin date.

000234A8: 8B55FA                       mov    edx,[ebp][-0006] ; edx=wMinute

000234AB: 8BC8                         mov    ecx,eax

000234AD: 81E2FFFF0000                 and    edx,00000FFFF

000234B3: C1E104                       shl    ecx,004 ; ecx=totalhrs*16

000234B6: 2BC8                         sub    ecx,eax ; make that totalhrs*15

000234B8: 8D048A                       lea    eax,[edx][ecx]*4 ; eax=15*totalhrs*4+wMinute

; 60 mins per hour + minutes, one last * 60 and we should be done.

000234BB: 8B55FC                       mov    edx,[ebp][-0004] ; edx=wSecond

000234BE: 8BC8                         mov    ecx,eax

000234C0: 81E2FFFF0000                 and    edx,00000FFFF

000234C6: C1E104                       shl    ecx,004 ; * 16

000234C9: 2BC8                         sub    ecx,eax ; * 15

000234CB: 8D048A                       lea    eax,[edx][ecx]*4 ; 15*4*totalsecs+wSecond

; eax = the # of seconds past since some target date.

000234CE: 8B4D08                       mov    ecx,[ebp][00008]

; and finally, if we've got arg to put this in, put it there, otherwise we'll drop it in eax

000234D1: 85C9                         test   ecx,ecx

000234D3: 7402                         je    .0000234D7

000234D5: 8901                         mov    [ecx],eax

000234D7: 5F                           pop    edi

000234D8: 5E                           pop    esi

000234D9: 5B                           pop    ebx

000234DA: 8BE5                         mov    esp,ebp

000234DC: 5D                           pop    ebp

000234DD: C3                           retn

Not bad, certainly easier than some serial # routines. We can simplify this a bit in C: 


GetSystemTime(&st);

adddays=mon2day[st.wMonth]+st.wDay-1;

if ( ! (st.wYear-1980)%4 )

  if (st.wMonth>2)

    adddays++;



yeardays=st.wYear-1980;

yeardays*=73;

yeardays=(yeardays*4)+(yeardays+adddays);



leapdays=(st.wYear-1980+3)/4;

yeardays+=leapdays;

yeardays+=3652;



mytime = st.wSecond + (st.wMinute*60) + (st.wHour*60*60) + (yeardays*60*60*24);

What's curious here is the adjustments of 3,652 days. This calculation starts with Jan 01, 1980, but then instead gives us 10 years extra. The routine actually calculates the number of UTC seconds since Jan 01, 1970, but the programmer chose to calculate the date from 1980 and then add in the 10 extra years. Doubtless we'll never figure out why, but who cares? It's beat, and that's all that matters.

Add this into our MKSDEMO.C program, along with an appropriate registry change, and we're using MKS toolkit, nagless and forever. 


#include <win.h>

main()

{

HWND hwnd;

SYSTEMTIME st;

PHKEY keyhand;

unsigned long mytime;

int mon2day[14]={ 0x0, 0x0, 0x1f, 0x3b, 0x5a, 0x78, 0x97, 0xb5,

                  0xd4, 0xf3, 0x111, 0x130, 0x14e, 0x16d };



hwnd=CreateWindow("STATIC", "MKS Toolkit Demo", WS_DISABLED|WS_POPUP, 0, 0, 0, 0,

                  NULL, NULL, NULL, NULL, 0);

SetWindowLong(hwnd,GWL_USERDATA,0x0009edeb);

SetWindowText(hwnd,"MKS Toolkit Demo");



GetSystemTime(&st);

adddays=mon2day[st.wMonth]+st.wDay-1;

if ( ! (st.wYear-1980)%4 )

  if (st.wMonth>2)

    adddays++;



yeardays=st.wYear-1980;

yeardays*=73;

yeardays=(yeardays*4)+(yeardays+adddays);



leapdays=(st.wYear-1980+3)/4;

yeardays+=leapdays;

yeardays+=3652;



mytime = st.wSecond + (st.wMinute*60) + (st.wHour*60*60) + (yeardays*60*60*24);



RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Mortice Kern Systems\\Toolkit\\DemoVersion", 

             0, KEY_WRITE, &keyhand);

RegSetValueEx(keyhand,"DemoNumber",0,REG_DWORD,&mytime,sizeof(DWORD));



Sleep(1000);

exit(0);

}


Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.
You are deep inside fravia's page of reverse engineering, choose your way out:

redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_fravia+
redIs reverse engineering legal?