How To Crack A Ferret
(a clever, beautiful protection: wars between keys and the FFFFFFF8 monster)
by Hackmore Readrite, 7 January 1998
Courtesy of Fravia's page of reverse engineering
fravia's comments
An incredibly clever and 'sturdy' reversing of a difficult and intelligent protection. I don't use this kind of program, and I hate people who throw advertisement rubbish at me without asking, yet after having seen this, I admit that I respect the programmer who devised this protection; he deserves recognition! As a sign of respect we will never again (publicly) reverse his future protection schemes (yet we'll seek and await them eagerly for our private cracking sessions: they are delicious!). In any case I won't publish any more essays about Ferret's clever protection schemes on my sites; this one is the first and the last, but what an essay! Read, heed and enjoy this BEAUTIFUL essay by Hackmore. My congratulations, Hackmore, good work! I love your style: not much code and a lot of explanations! And your image of the FFFFFFF8 Monster lying in ambush is really great!
There is a crack, a crack in everything
That's how the light gets in
Rating
( )Beginner (x)Intermediate (x)Advanced ( )Expert
A useful essay for intermediate and advanced crackers in order to see an example of some of the paths followed by clever protectionists when developing new protection schemes. Read and heed: not all of them are stupid.
Title
How To Crack A Ferret
(a clever, beautiful protection: wars between keys and the FFFFFFF8 monster)

Written by Hackmore Readrite
Introduction
No intro

Tools Required
Usual tools
Soft-Ice is a must

Target URL

   Targets                Size           Description
   -------                ----           -----------
   EFT111.EXE              690 Kb        E-mail Ferret
   FFT111.EXE              724 Kb        File Ferret
   IFT111.EXE              678 Kb        IRC Ferret
   NFT111.EXE              694 Kb        News Ferret
   PFT111.EXE              673 Kb        Phone Ferret
   WEBFERRET110.EXE        620 Kb        Web Ferret
   WFPEV.EXE               732 Kb        Web Ferret Pro Evaluation Copy

 FROM: ftp://ferret.aitcom.net/pub/ferret
  AND: http://www.ferretsoft.com/ferret/
Program History
No history
The Essay

 Notes: Program descriptions are available at the "http" address, but
 the "Web Ferret Pro" program is ONLY available at the "ftp" site. Also
 available at the "ftp" site is a program named "NFupgrade111.exe", which
 is just an upgrade utility to convert "older" versions of these programs
 to the "current" version, which is Version 1.11 for all of the programs
 listed except the Web Ferrets.

    WFPEV.exe is time-crippled at install AND at run-time. It is also
 "missing" some code to turn off the advertising, but I'll show you how
 to get around these problems later. Despite these "problems", you'll want
 to download "WFPEV.exe" instead of "WebFerret110.exe" because "WFPEV.exe"
 is the "PRO" version, which does boolean searches, allows deletes, and
 has several other "necessary" features. Get it as soon as you can,
 because it has already expired and will probably be removed from the
 server as soon as someone notices it's still taking up space.



 ---------------------------------------------------------------------------



    WHAT DO THESE PROGRAMS DO?
    --------------------------

    These are very compact "search engines" which live on your hard drive.
 You enter query strings, just like you would at any search engine, and
 these programs will search ALL of the search engines you select. The
 results can be saved for future use, or used immediately if you choose.

    For instance, using Web Ferret and Win95 as an example, you would go
 to "find" on your "start" menu, click "web pages" to start the program,
 type in "fravia" and "cracking" as the items to search for, then click
 "find", and you'll get a listing containing every web page listed on the
 search engines that contains the text "fravia" and "cracking". Point your
 mouse at any listing, and you'll see the beginning text from that web page;
 click on a listing to open your browser and load the web page.

    The boolean feature in the Pro version is especially helpful. You can
 search for "cars AND trucks [but] NOT convertibles", as stated by the
 company. Features like these can be really handy when searching for a
 certain file, web site, E-mail address, or IRC channel.



 ------------------------------------------------------------------------



    WHAT'S THE PROBLEM?
    -------------------

    Cash flow, or boredom, depending on WHY you crack. These programs are
 VERY reasonably priced, and worth the investment! It was the sales
 tactics which drew my attention to these programs, and the encryption
 technique which drew my interest.

    When you install these programs, you enter your name and company, then
 click the "next" button, and enter your serial number and registration
 "key", or just leave these two fields blank to take the program for a
 test drive.

    After installation, you'll want to run the program, of course. It is
 then that you will discover the sales tactics. A banner will continually
 display ads, on YOUR monitor! This can NOT be tolerated! The "view"
 menu has an "option" to turn OFF advertising, but this option is
 disabled until you register the program.

    They could have lost a sale, because the time I WOULD have spent earning
 money to pay for these programs HAD to be spent removing their advertising
 instead. How do they expect me to test drive their product with those
 awful banners constantly distracting me?

    Even though we've got the program installed on our hard drives, the
 original install program is necessary to register the program, so don't
 delete it yet. Let's fix these programs so we can test them without all
 of those distractions! The Web Ferret Pro is totally different from all
 of the other programs listed above, so I'll cover it a bit later in this
 essay, but here is what you'll need to fix ALL of the other programs.



 ------------------------------------------------------------------------



    Even though we will NOT be going into the encryption scheme used in
 this program in this essay, I urge you to study it. It won't be necessary
 for cracking these programs, but the author has done a very fine job of
 encrypting things, and deserves honors for his style and technique.
 Unfortunately, he forgot that, no matter how well he encrypts his
 passwords, it MUST always boil down to a simple "go here, or go there"
 instruction in the end.

    For those of you who are too lazy to study, I'll give you a short
 description of how this encryption scheme is implemented. For those of
 you who DO study this, be VERY careful: one slight miscalculation will
 crash your computer! You should become very familiar with the "hboot"
 command inside Soft-Ice. Even minimizing the loader screen to the
 taskbar will lock up your computer.

    The serial number must contain five digits, for reasons I'll explain
 later, and the "key" number must contain nine digits to activate the
 "next" button, which is deactivated as soon as you enter the first
 digit of the serial number.



    After you've typed in your serial number and registration key number,
 locate them in memory, and set BPRs (Soft-Ice range breakpoints) on them.
 Then click on the "next" button. You'll break into the protection scheme
 at CS:004026D4. The "key" that you typed in, as you'll learn, is the "key"
 to unlocking the program. The serial number is only used to set a counter.

    The "key" value does its usual trip through memory addresses until
 it finally ends up on the stack. The center digit has been removed, so
 now your "key" is a "handy" eight characters long, so it fits nicely
 into the registers. After the string was shortened to eight characters,
 it was counted in the usual manner by placing FFFFFFFF in ECX. The result
 was inverted, as usual, to obtain the "decimal" byte count of "8", but it
 was also saved, uninverted, as FFFFFFF8, to crash your computer! (FFFFFFF8
 is -8 as a signed 32-bit value, but 4,294,967,288 when read as an
 unsigned count; that second reading is what makes it dangerous.)



    At this point, we find another key already waiting for us at DS:0041C540.
 This second key is 12h bytes long, and consists of three parts,
 using the starting values:

                   "12345678" "23456789" and "34567890"

    To make a long story short, these three groups of eight numbers are
 sent to war against the "key" value you typed in, AND against the other
 "eight number" groups. It's like a war between four countries, with EACH
 country fighting the other three. They are beaten against each
 other in just about every way imaginable until nothing is left but a
 mangled, unrecognizable, eight character string of garbage.

    From time to time, the 12h byte string is "refreshed" with the
 original numbers I've listed above. But the war continues. And when the
 smoke has cleared, we can finally do a few comparisons. If you've followed
 this through, you should find yourself at CS:0040EC3D.

    Again, the author was very clever. Every time you THINK EAX should be
 set to "01", it should be a "00", and vice versa. Keep this in mind,
 because, as I mentioned earlier, we're set up to crash! Any time you
 choose the "wrong" path to take after a CMP or TEST instruction, the
 program will find its way back to that FFFFFFF8 monster, and use it to
 crash your system. So choose wisely. Remember that you've entered bad
 data, so if the program "wants" to go one way, it probably "should" go
 the other way instead. Also remember, that's NOT always true!

    But, alas, we've made it to the check point. Lamers can just set their
 breakpoints at the following addresses. Lamers are lamers because they
 miss all of the fun stuff; YOU decide who you are!



 ------------------------------------------------------------------------



 1st check:                                         ; [ESP+0C] holds the
                                                    ; encrypted value of
                                                    ; your input "key"

 :0040EC3D 8B44242C    mov eax, dword ptr [esp+2C]  ; the GOOD number
 :0040EC41 83C40C      add esp, 0000000C
 :0040EC44 3944240C    cmp dword ptr [esp+0C], eax  ; the first "test"
 :0040EC48 7525        jne 0040EC6F                 ; a bad place to go!



 ------------------------------------------------------------------------



    Here, the GOOD value is stored at [ESP+2C]. Then it's MOVed to EAX to
 be CoMPared to the encrypted value of the "key" you typed in, which is
 stored at [ESP+0C]. Assuming EAX is "59 42 55 f8" and [ESP+0C] is
 "22 47 39 23", you might encounter a slight "problem" when you arrive at
 the JNE instruction. To repair this "problem" when the two numbers do NOT
 match, simply edit memory in Soft-Ice, as follows:

   d esp+0c

 yet! We still have a couple of checks left, and FFFFFFF8 is sitting on the
 stack just WAITING for us to make a mistake so it can crash our computers!
 If you decided to "repair" the JNE instruction above, instead of entering
 the proper data, you'll learn just how effective that FFFFFFF8 monster
 can be, when you have to re-start your computer.



    Wander through the code just a while longer, and eventually you'll come
 across the next check. Again, the lamers can just set their breakpoints
 here, but they'll miss the full beauty of the author's protection scheme.

 

 ------------------------------------------------------------------------



 2nd check:

 :0040E92F 8B8D70FFFFFF  mov ecx, dword ptr [ebp+FFFFFF70] ; the GOOD number
 :0040E935 3B01          cmp eax, dword ptr [ecx]          ; the 2nd "test"
 :0040E937 0F850E000000  jne 0040E94B                      ; a BAD place



 ------------------------------------------------------------------------



    Here we find another instance of the encrypted version of the "key"
 you entered being CoMPared to a "good" number. (FFFFFF70 is -90h, so ECX
 is loaded from the local variable at [EBP-90h], and that local holds a
 POINTER to the good number.) You might notice that both of these numbers
 are quite different from the numbers you used to fix that last "problem"
 we had.

    The repair technique is the same though. Simply copy the value you
 find at ECX into EAX. Please note that ECX holds the ADDRESS of the
 proper number, NOT the proper number itself! So DO NOT copy the ADDRESS
 into EAX (in Soft-Ice, "d ecx" shows you the dword at that address, and
 "r eax=<that dword>" puts it in EAX), and DO NOT try to "repair" the JNE
 instruction, or the FFFFFFF8 monster will get you!

    There is one more check that must be made, but if you typed in a
 five-digit serial number like I told you to, feel free to hit "F5" or
 at any time now. Your program will be fully registered. When the program
 is registered, it will write a 398 byte (18Eh) "lic" key into your
 registry, and any disabled functions and menu items will be enabled.

    For those of you who typed in more than five digits, follow the code
 a bit further. The program will simply count the number of digits you
 entered, then use the result of the count to check some strings in
 memory. So if you entered seven digits, it will look for seven strings.
 The problem here is that there are only FIVE strings in memory to be
 checked. And the FFFFFFF8 monster is STILL waiting!

    You can fix this problem by fixing the count when the result is placed
 in EAX. Simply change the value to "5", then quit Soft-Ice and your
 program will be fully registered.

    These techniques will fully register ALL of the FerretSoft programs
 except for the Web Ferrets. Web Ferret is a "crippled" version of the
 Web Ferret Pro program, which is offered just to get you interested in
 the product, so you'll break down and "pay" for the "real" program.

    Web Ferret Pro is NOT offered in any form as a demo. Fortunately for
 us, FerretSoft left an evaluation copy on their ftp server for us to
 play with. Since it's an evaluation copy, we'll need to treat it just
 a bit differently.



 ------------------------------------------------------------------------



    WHAT ABOUT THAT MONSTER?
    ------------------------

    If ANY of the "checks" fail (and there are MANY more than I've
 mentioned here), the program begins encrypting data against the 12h byte
 string. Each pass through the encryption process will decrement the
 FFFFFFF8 monster by "1", so you "could" go through the encryption process
 4,294,967,288 times, theoretically! Of course, this would never happen,
 because each pass is directed towards a different byte in memory, so
 eventually you encounter a "Memory Out Of Range" error message. With
 Soft-Ice running, you'll never get back into the program to see that
 message though. And, as I mentioned earlier, even minimizing the Loader
 window used to load the program will cause a crash. That is what makes
 this protection sturdy: the failure path is not a "bad key" message box
 you can NOP out, it is a loop whose bound came out of the count, so
 flipping a conditional jump without supplying the right data hands that
 loop the uninverted value and your machine, not the program, pays for it.
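 The count and the loop it feeds, as an added example in Python; this is
 not code from the Ferret programs or from this essay, and it covers both
 the "inverted, as usual" count described before the first check and the
 monster loop described just above. It emulates 32-bit register arithmetic
 so that one count yields both "8" and FFFFFFF8, then drives the
 decrement-per-pass loop with each value over a constructed 4 KiB block
 that stands in for process memory. The exact instruction sequence Ferret
 uses and its per-byte transform are not quoted in the essay; the
 decrement-per-character count and the XOR with 5Ah are assumptions chosen
 to reproduce the values the essay gives.

```python
"""Added example: one count, two readings, and the loop that eats the wrong one."""

MASK = 0xFFFFFFFF          # 32-bit registers wrap at 2**32


def to_signed(value: int) -> int:
    """Read a 32-bit register value as a signed integer (0xFFFFFFF8 -> -8)."""
    value &= MASK
    return value - (1 << 32) if value & 0x80000000 else value


def count_key(key: bytes):
    """Emulate a decrement-per-character count of a NUL-terminated string.

    Returns (length, raw): the decimal length the program uses (8 for the
    shortened key) and the raw counter, which is the length negated in
    two's complement (0xFFFFFFF8).  The essay says ECX is preloaded with
    FFFFFFFF and the result "inverted"; the exact sequence is not quoted,
    so this is the simplest variant (an assumption) that yields both values.
    """
    ecx = 0
    for b in key:
        if b == 0:                     # NUL terminator ends the scan
            break
        ecx = (ecx - 1) & MASK         # one decrement per character
    length = (-ecx) & MASK             # NEG turns 0xFFFFFFF8 back into 8
    return length, ecx


def xor_passes(memory: bytearray, start: int, counter: int):
    """Emulate the failure-path loop the essay describes.

    Each pass transforms the next byte and decrements COUNTER; the loop ends
    only when COUNTER reaches zero.  Returns ("done", passes) in that case,
    or ("fault", passes) when the walk leaves MEMORY first, which is the
    "Memory Out Of Range" crash.  XOR with 5Ah is a stand-in transform
    (an assumption); the essay does not describe the real one.
    """
    passes = 0
    addr = start
    while counter != 0:
        if not 0 <= addr < len(memory):
            return "fault", passes
        memory[addr] ^= 0x5A
        addr += 1
        counter = (counter - 1) & MASK
        passes += 1
    return "done", passes


def demo():
    """Run both paths over a constructed 4 KiB block standing in for memory."""
    key = b"12345678"                  # eight characters, centre digit removed
    length, raw = count_key(key + b"\x00")
    good = xor_passes(bytearray(4096), 0x100, length)   # intended bound: 8 passes
    bad = xor_passes(bytearray(4096), 0x100, raw)       # the monster: walks off the end
    return length, raw, good, bad


if __name__ == "__main__":
    length, raw, good, bad = demo()
    print(f"length={length} raw={raw:08X} signed={to_signed(raw)} unsigned={raw}")
    print("good path:", good)          # ('done', 8)
    print("monster path:", bad)        # ('fault', 3840): 0x1000 - 0x100 bytes, then a fault
```

 The emulation makes the essay's point concrete: with the right count the
 loop runs eight passes and stops; with the raw value it would need
 4,294,967,288 passes, and the fault arrives as soon as the walk reaches
 the end of the mapped block, long before the counter does.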



 ------------------------------------------------------------------------



    WEB FERRET PRO
    --------------

    Now let's install the Web Ferret Pro program. This program has a time
 lock when we try to install it. All we get is an error message informing
 us that the trial period is over. Later, when we get to run this program,
 we'll see that it expired December 31st, 1997. We can "fix" that though.
 So let's get to work!



    STEP 1
    ------

    In Soft-Ice, set a BPX on GetLocalTime. Then start the "WFPEV.EXE"
 program. When Soft-Ice breaks, you'll be at the first line of the
 GetLocalTime function. Press "F12" to return to the WFPEV code (read
 the title on the line that runs across your screen inside Soft-Ice).
 Trace through the code about fifteen steps until you find the following
 line of code:

 :00413716 0594F8FFFF              ADD EAX, FFFFF894

    As soon as this instruction has executed, change EAX to "0" with the
 instruction:

 r eax=0

    Then let the installation run its course. The program will install,
 but as soon as you try to run it, you'll get the same "expired" error
 message.

    If you cancelled your breakpoint, re-set it. If you did not cancel it,
 you should already be where you need to be. We're just going to do that
 last "fix" all over again, except this time we'll need to make it a
 permanent repair using a hex editor.

    When Soft-Ice breaks at GetLocalTime, just press "F12" again, to return
 to the WFPEV code, then trace about fifteen instructions again, and you
 should see:

 :004BD162 0594F8FFFF              ADD EAX, FFFFF894

    Which we need to change to:

 :004BD162 B800000000              mov eax, 00000000

    This will ALWAYS tell the program that this is the first time you
 have ever used it. Two things are worth checking before you patch. First,
 FFFFF894 is -1900 as a signed 32-bit immediate, so the original
 instruction subtracts 1900 from EAX; that is the same "year minus 1900"
 convention as the C library's tm_year, which is consistent with EAX
 holding the year from the SYSTEMTIME that GetLocalTime has just filled in.
 Second, both encodings are exactly five bytes (05 94 F8 FF FF versus
 B8 00 00 00 00), so the replacement overwrites the instruction in place
 and nothing after it has to move. Be sure to write down the hex bytes of
 the instructions around this instruction. You will need them to locate
 this spot in your hex editor when we make these changes permanent, since
 a five-byte pattern on its own may well occur more than once in the file.
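 A way to make the STEP 1 patch permanent without a hex editor, as an
 added example in Python; this is not FerretSoft's code and not code from
 the essay. It searches the file for the original instruction bytes,
 refuses to proceed unless the match is unique, checks that the
 replacement keeps the instruction length, keeps a backup, and decodes the
 immediate so you can confirm it is -1900 before touching anything. The
 file path is an argument you supply; because the essay quotes a virtual
 address (:004BD162) rather than a file offset, the script finds the bytes
 by pattern instead of assuming a section mapping. The opcode encodings
 (05 = ADD EAX, imm32; B8 = MOV EAX, imm32) are the ones the essay's own
 listing shows.

```python
"""Added example: in-place patch of a 5-byte instruction located by its bytes."""
import sys
from pathlib import Path

# Encodings as shown in the essay's listing.  Both are five bytes, so the
# patch is in place and no later instruction shifts.
ORIGINAL = bytes.fromhex("0594F8FFFF")   # ADD EAX, FFFFF894
PATCHED = bytes.fromhex("B800000000")    # MOV EAX, 00000000


def imm32_signed(instr: bytes) -> int:
    """Decode the little-endian imm32 of a 5-byte ADD/MOV EAX, imm32 as signed."""
    if len(instr) != 5 or instr[0] not in (0x05, 0xB8):
        raise ValueError("not an ADD/MOV EAX, imm32 encoding")
    return int.from_bytes(instr[1:], "little", signed=True)


def occurrences(data: bytes, pattern: bytes) -> int:
    """Count non-overlapping occurrences of PATTERN in DATA."""
    return data.count(pattern)


def patch_bytes(data: bytes, old: bytes, new: bytes) -> bytes:
    """Replace the unique occurrence of OLD with NEW; equal length only."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the instruction length")
    n = occurrences(data, old)
    if n != 1:
        # Zero hits: wrong file or wrong version.  Several hits: widen OLD
        # with the surrounding bytes the essay tells you to write down.
        raise ValueError(f"expected exactly one match, found {n}")
    off = data.find(old)
    return data[:off] + new + data[off + len(old):]


def patch_file(path: str, old: bytes = ORIGINAL, new: bytes = PATCHED) -> int:
    """Patch PATH on disk, keeping a .bak copy; return the file offset patched."""
    p = Path(path)
    data = p.read_bytes()
    patched = patch_bytes(data, old, new)       # validate before writing anything
    p.with_name(p.name + ".bak").write_bytes(data)
    p.write_bytes(patched)
    return data.find(old)


if __name__ == "__main__":
    # Usage: python patch_wfpev.py WFPEV.EXE   (the path is yours to supply)
    print("original immediate =", imm32_signed(ORIGINAL))      # -1900
    print("patched at file offset", hex(patch_file(sys.argv[1])))
```

 If the script reports more than one match, extend ORIGINAL with the bytes
 of the neighbouring instructions you noted in Soft-Ice and extend PATCHED
 with the same bytes, so the two stay equal in length and only the five
 bytes of the ADD actually change.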



    STEP 2
    ------

    This step is strictly cosmetic. You can skip it if you're in a hurry
 and don't care what your menu looks like. Because this is an "evaluation"
 copy, they didn't bother to put in all that code it takes to enable or
 disable a menu item. They also left out the code needed to make the
 function work, in case "WE" got a copy of the program.

    What function? The one to turn off the advertising, of course! They
 just tossed in a few lines of code to make sure the ads would ALWAYS
 run. So skip these steps if you like to see advertisements, too!

    To enable the menu item "advertisement" on the "view" menu, set a
 breakpoint on "EnableMenuItem". When Soft-Ice breaks, use "F12" again
 until you return to the WFPEV code. Then, back-trace through the code
 until you reach this line of code:

 :0048DD7A 6A00                    push 00000000

  
Final Notes

    These programs are the ONLY programs sold by FerretSoft. If you make a
 key generator, or crack these programs and give them away for free to lamers
 in ANY form, you will be damaging FerretSoft in a way which COULD put them
 out of business, and you will still remain a lame idiot anyway, since anybody
 on the scene will know that you just ripped my essay off!

    Please STUDY these protection schemes, and use them all you like in
 order to implement and improve your own protections, but if you
 decide to KEEP the ferret programs, please PAY for them. The programmer(s)
 (must be at least two: a clever one that devised the protection and an
 idiot that devised the advertising cram) have worked very hard to create
 these beautiful protections for us; they studied encryption techniques the
 same way you have, and worked very hard to implement those techniques in
 an effective manner. They did a great job, but messed up just a bit at
 the end.

    This is NOT a "greedy" company like M$; they have priced their products
 very reasonably. Even their advertising techniques are "original", to say
 the least. So be kind, and treat this company with a bit of respect. If
 you do, they might dream up even BETTER stuff for our private pleasure.

                                                      Search well...
                                                      Hackmore Readrite
                                                      Data Miners Inc.
Ob duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged. Farewell.