Cracked Metal, runtime dll creation
How to crack HoTMetaL Pro 4 Evaluation
student
Programmers
4 February 1998
by Fallen
Courtesy of Fravia's page of reverse engineering ~ very slightly edited
 
fra_00E1
980204
Fallen
1100
PC
XX
Well, from what Fallen writes it seems that our protectionist friends are finally beginning to learn some (elementary) aspects of code protection, i.e. DO NOT give immediate signs that the protection has discovered that somebody is cracking it... as Fallen writes:

    when I ran the program everything worked fine until I tried to create a new document or load an existing HTML document. It would THEN give me a message about a corrupted rules file

Nice! Of course even this sort of message is not necessary (if you are SURE that someone is fiddling with your code and that no poor luser is just trying to install your crappy software, that is, which you can only be sure of if you are not programming in overbloated languages, that is :-) and anyway we can easily zen-crack all these schemes nevertheless in two minutes flat, yet it's a good sort of feeling to constate that at least some protectionists are listening and delivering us something more palatable (like a run-time encrypted dll-creation) than the usual boring flag_good_guy dinosaurier that still rule the earth :-(

Bravo Hotmetal... that's the right way... only, s'il vous plaît, maybe a little better implemented next time.
Enjoy!
There is a crack, a crack in everything
That's how the light gets in
Rating
(x)Beginner (x)Intermediate ( )Advanced ( )Expert

A very interesting protection scheme about an encrypted file used to create a DLL at runtime
Cracked Metal, runtime dll creation
Cracking HoTMetaL Pro 4 Evaluation Version
Written by Fallen


Introduction
I fully agree with fravia+ that HTML should be written using a simple text editor. I downloaded this target solely for cracking purposes and was quite pleased with it as a target. I found the protection scheme both simple and interesting at the same time. I feel that this was one of my more fun cracks!

Tools required
SoftICE (of course.)
BoundsChecker (Not necessary, but it was helpful.)
Hex Workshop (or any other hex editor.)

Target's URL/FTP
Web Site: http://www.sq.com
FTP Site: http://ftp4.softquad.com
It took me numerous tries to get the complete application. Keep trying. I also suggest getting the files by way of the web site. I can't remember the path to the zip files and the FTP site will not allow access to directory lists.

Program History
I encountered HoTMetaL Lite a couple of years ago and decided to see how it had progressed since then. I haven't much in the way of history... sorry.

Essay

I'm still new to cracking, and this is my first attempt at an essay, so forgive me if I seem a little bad at it. I have cracked numerous DOS and Windows programs; in a lot of them I was able to locate a password in memory, and I've done a few nag screen/time trial schemes also. This one, however, I found very interesting, and fun!



PART 1:

When you first run HoTMetaL Pro you will see a message box saying something about file date inconsistencies; after this there will be a dialog box that will not allow you to close it for an agonizing amount of time. Then it will run the program.



Well, first let's find out where this NAG screen comes from. Once the OK button became enabled I popped into S-ICE and checked the window handle list. I placed a breakpoint on that handle for the message WM_DESTROY:

    BMSG Handle_you_ll_get_on_your_own_machine WM_DESTROY

Now get back out of S-ICE and hit the OK button. You should pop into S-ICE somewhere in USER, if I remember right; now disable the breakpoints and press F12 a few times until you end up in a DLL whose name begins with EFY????, where the four question marks represent four numbers. This is where our protection scheme lies, but don't get excited, it's not that simple.

 

The first time I tried to crack this, I removed the call to this DLL and eliminated the Time Protection, Nag Screen and a MessageBox that pops up about file date inconsistencies all at once. However, when I ran the program everything worked fine until I tried to create a new document or load an existing HTML document. It would then give me a message about a corrupted rules file. So back to the cracking board.

 

If you search your hard drive for a matching DLL you will find that it exists in the system temp directory, usually C:\WINDOWS\TEMP, and that the four numbers at the end change every time you run the program.

Hmmm... this could be a problem. Nah, not really.

 

I came to the obvious conclusion that this DLL was created by HMPRO4.EXE every time the program was run. Now to figure out how to alter the code it writes. For this I used BoundsChecker to find out how it creates the file. I tried using SmartCheck at first, but for some reason it would crash every time I tried to run it in SmartCheck, so I used BoundsChecker.

 

I loaded it up in BoundsChecker and watched for the function CreateFile. I'm not going to get specific about BoundsChecker, but I found the portion of code where it created the DLL and looked above that for the ReadFile function. I found that it loaded its information from a file named ASDFLKJH.IUY; this is disguised to look like a temporary file, but it's not.



After examining this file you will see that it is the DLL in an encrypted format.

So our problem lies here. How do we decrypt it, crack it, and re-encrypt it? No need, a simpler way exists.
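The scheme described so far (an encrypted blob with a harmless-looking name, decrypted at startup and written out as a randomly named DLL in the temp directory) leaves two tell-tale artifacts on disk, and both are easy to spot from the defender's side. The following is an added example, not code from the essay or from SoftQuad: it flags any file that carries a PE header under a non-executable extension (the dropped module) and any file whose byte distribution is near uniform (the encrypted blob). The file names and contents it scans are constructed for the demo; only the naming pattern (EFY????.DLL, ASDFLKJH.IUY) comes from the essay.

```python
"""Triage a temp directory for dropped PE modules and disguised encrypted blobs.

Added example (not part of the original essay). Two checks cover the pattern
the essay describes:
  * is_pe_image  - an MZ/PE header regardless of extension (the dropped DLL)
  * shannon_entropy - near-uniform bytes under an innocuous extension (the
    encrypted module before it is decrypted)
Compressed formats (.zip, .jpg, ...) also score high on entropy, so treat the
entropy verdict as a triage signal, not proof.
"""
import hashlib
import math
import os
import struct
from collections import Counter

PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".drv", ".scr"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; 8.0 is the maximum for a byte stream


def is_pe_image(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> str:
    """Return a verdict string for one file: what it looks like versus what it claims to be."""
    ext = os.path.splitext(name)[1].lower()
    if is_pe_image(data):
        return "pe-image" if ext in PE_EXTENSIONS else "pe-image-disguised"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "high-entropy-blob"
    return "other"


def _fake_pe(size: int = 512) -> bytes:
    """Constructed minimal bytes that satisfy is_pe_image: MZ stub, e_lfanew=0x80, 'PE\\0\\0' there."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


def _pseudo_ciphertext(size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for an encrypted module."""
    out, block = b"", b"constructed-seed"
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


def build_samples() -> dict:
    """Constructed directory contents mirroring the essay's file names (not real files)."""
    return {
        "efy1234.dll": _fake_pe(),             # dropped module under an honest extension
        "asdflkjh.iuy": _pseudo_ciphertext(),  # encrypted module disguised as a temp file
        "swap.tmp": _fake_pe(),                # a PE hiding under a temp extension
        "readme.txt": b"plain text " * 100,    # ordinary low-entropy file
    }


def scan_samples(samples: dict) -> dict:
    """Classify an in-memory {name: bytes} mapping."""
    return {name: classify(name, data) for name, data in samples.items()}


def scan_directory(path: str, limit: int = 1 << 20) -> dict:
    """Classify every regular file in path, reading at most `limit` bytes of each."""
    results = {}
    for entry in os.scandir(path):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                results[entry.name] = classify(entry.name, fh.read(limit))
    return results


if __name__ == "__main__":
    for name, verdict in scan_samples(build_samples()).items():
        print(f"{name:16} {verdict}")
```

Run it on a real temp directory with `scan_directory(os.environ["TEMP"])`; a `pe-image` verdict on a file that did not exist before the application started, paired with a `high-entropy-blob` in the application's own directory, is exactly the runtime-DLL-creation pattern the essay describes.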

 

The method I used of locating these functions in SoftICE may seem lengthy, but I wasn't having any luck using the addresses I retrieved from BoundsChecker. The first thing I did was set a breakpoint on LoadLibrary. I could see from my BoundsChecker listing that this was the first DLL that HMPRO4.EXE loads, so of course we need to break on the first LoadLibrary and look at the code above it to see what we need.



This is what I ended up with:

    :00422A37 push 006309C8                  - This address holds the name of the DLL to load

    * Reference To: KERNEL32.LoadLibraryA, Ord:0021h
                |
    :00422A3C Call dword ptr cs:[0065032C]   - and of course this loads it.

If you look up from this segment of code you will see this:

    * StringData Ref from Data Obj ->"asdflkjh.iuy"   - This is the name of the encrypted DLL.
                |
    :00422A0F mov edx, 005D537C              - The address of the encrypted DLL filename.
    ...                                      - Unimportant code. - Removed
    :00422A27 call 004227E8                  - This call is shown below, it creates the new DLL file.

The call from above ^:

    :004227E8                                - Code to open the encrypted DLL, read it into memory
                                               and then close the handle.
    :004228CE call 00411520                  - This call decrypts the file!
                                               This is what we need to eliminate for this crack.
    ...                                      - Code to write the un-encrypted DLL to a file. - Removed



The point of the above section of the essay is to allow us to work with an unencrypted protection DLL. How? you may ask! Well, here's how we do it:

1. Run HoTMetaL Pro and let the Dialog Box pop up.
2. Make a copy of the efy????.dll file from your windows\temp directory and place it in your HoTMetaL Pro directory.
3. Rename it to the encrypted DLL file name, ASDFLKJH.IUY.
4. Now patch HMPRO4.EXE at address 004228CE to eliminate the call that decrypts the DLL. You choose your own method.



Well, I believe the point of this is self evident. We can now crack the file ASDFLKJH.IUY as a DLL and patch it accordingly. Since all of the protection scheme (i.e. the message box about file date inconsistencies, nag screen, and time protection) exists in ASDFLKJH.IUY, that will be the target of the remainder of this essay.



Part 2

The remainder of this crack is very simple. My first trip through, I patched the file ASDFLKJH.IUY in two places: once to eliminate the message box and Dialog Box, and another to eliminate the time protection.

However, while writing this essay, I found that if you apply the following patch, it eliminates both. If you patch the time check call with this code:

    :01D91BC6 XOR EAX,EAX
    :01D91BC8 RET

it will prevent the program from exiting after March 1, 1998 and will also eliminate the message box and Dialog Box nag screens.



Final Notes
I found this program a lot of fun to crack and also learned something very useful during the process of writing this essay. I re-installed the software and as I went through the cracking process, I entered my steps into the essay without applying the patches to the executable. During this process I was able to eliminate one of the patches as I mentioned above.

MORAL: Document your cracks and you may learn an easier or more efficient way to crack them. This can also be useful, later, if you happen to find something interesting for the +HCU, btw.
Also, pay attention to the code and you'll see a lot of things you may miss if you don't!

Ob Duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.
