SmartDraw 3.11 W95
("'Heavy/Stupid' Anti-Crackers protection defeated with HexWorkShop & BRW")

STUPID

by Frog's prin+
HCU

(05 July 1997, slightly edited by Fravia)


Courtesy of Fravia's page of reverse engineering


I noticed lately that there were no cracks/patches for the new SmartDraw v3.11 Win95
(http://www.smartdraw.com) on the Net (at least I didn't find any). As I was looking
for some interesting protection schemes to crack, I thought that this soft would be
what I was looking for.

I downloaded it and fired it up:

- 2 nagscreens
- time limited (30 days)
- adds "created with the trial edition of SmartDraw" to any printed document
- disables the save function when the trial period has expired
- detects if the system clock has been set back...
- dialog boxes and bitmaps have 'Trial Edition' written/printed throughout...
- you are not supposed to be able to turn it into a registered version, as it is a demo
  and cannot be unlocked with a password/serial number.

Nothing really exciting yet.

I first loaded it into SoftIce with Loader32 and started to trace, trying to find
some 'infos': SoftIce crashed and I had to re-boot. I started again, it soon crashed
again...
I gave up tracing and ran W32Dasm 8.0: it crashed too! I tried W32Dasm versions 5, 6, 7
and the new 8.5: they all crashed.

What a protection for such a simple $49.00 graphic tool! I understood why I didn't find
any cracks on the Net.

Well, most of the time such programs (16 or 32 bit, EXE or COM) use ready-to-use,
expensive protection tools (i.e. EverLock, CopyControl...) that act on EXE files
and/or are linked in DLLs and called from within the code.

If you have a look at Microcosm's home page (CopyControl) you'll read:

   CopyControl Software
   Pirates Hate It!               ; < who said that??
   Very high level of security.
   Beats ALL the hardware and software "bit-copiers" and dis-assemblers.
   Encrypts your programs and adds strong anti-debug code to it.

And at EverLock's:

   Protects your investment in development and marketing, protects your software against
   unauthorized use and reverse engineering, on platforms: DOS, Windows 3.1, Windows for
   Workgroups 3.11, Windows'95, Windows-NT and Networks (Novell, LANtastic, etc.).
   ...

You'll find several companies and softs like the above mentioned on the Net to protect
any program from debugging, disassembling, copying...

I assume that such tools are hard to crack, but without SoftIce and without W32Dasm
I have to say that I'm a bit lost.

As we (I) cannot 'high crack' SmartDraw, let's 'zen crack':

First, those tools are 'ready-to-use' (I don't know which one is used in SmartDraw, but
if you DO KNOW please keep me informed:=). It means that you just have to write your
program as usual and they will take care of the rest. And that's the problem:
=> programmers will not work a lot on their own protection scheme (time limitation,
disabled features) just because they think that their new anti-crackers tool will do
it for them.

Are SmartDraw's programmers real anti-crackers protectionists??

NO!! In fact they should get our "Most Stupid Protectionists" Award...
But I'm afraid they would have to share it with many other stupid protectionists,
among others the NuMega guys... I recently decided to reverse engineer the
protection of BoundsChecker (all editions) hoping its scheme, at least, would have
been a little more complicated than SoftIce's ridiculous one.
But I was very disappointed!... it's even worse: this time the great NuMega programmers
simply used the TimeLock DLL (TL32v20.DLL) to protect this very valuable target!
See Xoanon's essay if you want to crack the TL32v20.DLL protection scheme, or
Horwi's essay on BoundsChecker reverse engineering in order to crack NuMega's
BoundsChecker directly!

Despite its anti-W32Dasm and anti-WinIce protection, I am going to show you
right now how to FULLY 'zen crack' SmartDraw 3.11 Win95 within 5 minutes
using the following tools:
- HexWorkShop (80% of the crack)!
- a little help from the good old Resource WorkShop (about 15%)
- the 5% left will be done with a BPX DialogBoxParamA (without any crash!)

When I say 'crack' I mean that we are going to turn this demo into a fully functional
version identical to the commercial one:
- No more limitations of any kind
- Dialog boxes and even bitmaps with no more 'Trial Edition' written or printed (without
  having to edit them with BRW itself, of course).

1/ Run Borland Resource WorkShop and load SmartDraw 3.11 Win95 so we can have a look at
   all those nagscreens...

In the "BITMAP" section you can see:

-ABOUT  (displays the 'SmartDraw' bitmap of the licensed version)
-ABOUTD (displays the same bitmap but with 'TRIAL EDITION' printed on it)

Other 'ABOUTxx' bitmaps are unused and come from older versions of SmartDraw.

In the "DIALOG" section you can see:

-ABOUT            (displays a small dialogbox with 'Licensed Copy' written)
-ABOUTKISS        (identical but the dialogbox is bigger)
-ABOUTSHARE       (displays our 'TRIAL EDITION' dialogbox with a 'PURCHASE' button)
-CANTSAVE         (displays a dialogbox with "YOU ARE NO LONGER ABLE TO SAVE DOCUMENTS")
-HINT_REG         (displays a dialogbox with "WELCOME to the trial edition".
                   Note: we do not care about this one as it only appears
                   once: the very first time you install SmartDraw:=)
-LIC_EXPIRED      (dialogbox with "YOUR LICENSE HAS NOW EXPIRED")
-LIC_EXPIRED_RUNS (dialogbox with "YOUR LICENSE HAS NOW EXPIRED..you have xx runs remaining")
-LIC_ROLLBACK     (dialogbox with "YOUR SYSTEM CLOCK HAS BEEN SET BACK")
-LIC_TAMPERED     (dialogbox with "YOUR TRIAL VERSION TIMER HAS BEEN TAMPERED WITH") ...
-NAG              (dialogbox with "PURCHASE SmartDraw......")

Now you can leave Resource WorkShop, we do not need its help anymore.

2/ Run HexWorkShop and load SmartDraw:

Now let's search for the bitmaps and dialogboxes:

-Search for "ABOUTD": We find it twice. DELETE (yes, delete!) the "D" in the HEX WINDOW
 (that's "44") and change both occurrences to "00".

-Search for "ABOUTSHARE": We find it twice too. Delete the "SHARE" and replace it with
 "0000000000" too.

-For LIC_EXPIRED, LIC_EXPIRED_RUNS, LIC_ROLLBACK, LIC_TAMPERED and NAG, just delete and
 replace them ALL with a lot of "00"s.
 (again, all the above changes are to be done in the Hex window).

Now we have already done 95% of our crack.

Save your modified file and run it. No more nagscreens, and at the beginning of the program
(or if you press Help-About) you'll see that you have now turned the dialogboxes and even
the bitmaps into those of a licensed version. If you set the system date 2 or 3 months ahead
(or back) you'll notice that it still works fine as well.

Just one more thing to do: We know that SmartDraw will disable the SAVE function if your
trial period has expired. Keep the system date a couple of months ahead and press the Save
button. A message box (CANTSAVE) will notify you that you are no longer allowed to use this
feature.

3/ With SoftIce, just BPX the DialogBoxParamA function and press SmartDraw's Save button again.
   SoftIce will pop up. Press F11 and you'll land in the middle of a small and uninteresting
   function. Trace (F10) until the next "RET" and you'll land here:

(This piece of code comes from Hiew v5.5)

00024B8F: 833D84E0510000 cmp d,[00051E084],000            ; Is '0'?
00024B96: 0F8419000000   je 000024BB5                     ; Yes, go ahead otherwise...
00024B9C: 68234E0000     push 000004E23                   ; ...sorry,
00024BA1: 6804E55100     push 00051E504                   ; prepare "CANTSAVE"
00024BA6: E8AE340B00     call 0000D8059                   ; < That's where we come from
00024BAB: 83C408         add esp,008
00024BAE: 33C0           xor eax,eax
00024BB0: E99A020000     jmp 000024E4F                    ; Bye-bye
00024BB5: 837D0800       cmp d,[ebp][00008],000

As usual, the same old stupid trick:
'0'=Nice_Guy
'1'=Bad_Guy
(please note that this is the ONLY protection of the program besides the fact you cannot
debug/disassemble it!!)

We just have to find the "mov dword ptr[0051E084],00000001" instructions (there are 6
of them) and change them to "mov dword ptr[0051E084],00000000" and our job is done.
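
What the resource edits of step 2 and the flag edit just above have in common is that both
are silent byte patches to the on-disk image, and that is exactly the class of change a
build-time integrity manifest makes visible. As an added example (not code from this essay,
nor from SmartDraw's authors), the Python below builds a constructed stand-in image holding a
small resource name table and six copies of a "mov dword ptr [0051E084],1" store (encoded as
C7 05 84 E0 51 00 01 00 00 00, which is how an absolute-address dword store with an immediate
assembles, not bytes taken from the real program), records a SHA-256 digest per protected
region, then replays both kinds of edit the essay describes and reports which region each
one trips:

```python
"""Added example: a build-time/run-time integrity check over the two regions a
hex-editor patch of the kind described in the essay touches. The image below is
a constructed stand-in, not the real SmartDraw binary; offsets are illustrative."""
import hashlib
import struct

# Constructed resource name table: NUL-terminated ASCII names, as a stand-in for
# the names Resource WorkShop lists (the real file's table layout is not modelled).
RESOURCE_NAMES = [b"ABOUT", b"ABOUTD", b"ABOUTSHARE", b"CANTSAVE",
                  b"LIC_EXPIRED", b"LIC_ROLLBACK", b"LIC_TAMPERED", b"NAG"]
NAME_TABLE = b"\x00".join(RESOURCE_NAMES) + b"\x00"

# x86 "mov dword ptr [0051E084h], 1": opcode C7, ModRM 05 (disp32), disp32, imm32.
FLAG_ADDR = 0x0051E084
MOV_FLAG_1 = b"\xC7\x05" + struct.pack("<I", FLAG_ADDR) + struct.pack("<I", 1)
FLAG_SETTERS = MOV_FLAG_1 * 6          # the essay counts six such stores


def build_image():
    """Assemble the constructed image: padding, name table, padding, flag stores."""
    return b"\x90" * 16 + NAME_TABLE + b"\x90" * 16 + FLAG_SETTERS + b"\x90" * 16


def region_layout():
    """(offset, length) of each region worth protecting inside build_image()."""
    names_off = 16
    flags_off = names_off + len(NAME_TABLE) + 16
    return {
        "resource_names": (names_off, len(NAME_TABLE)),
        "licence_flag_setters": (flags_off, len(FLAG_SETTERS)),
    }


def make_manifest(image, layout):
    """Build-time step: one SHA-256 digest per protected region."""
    return {name: hashlib.sha256(image[off:off + ln]).hexdigest()
            for name, (off, ln) in layout.items()}


def verify(image, layout, manifest):
    """Run-time step: names of the regions whose digest no longer matches."""
    return [name for name, (off, ln) in layout.items()
            if hashlib.sha256(image[off:off + ln]).hexdigest() != manifest[name]]


def null_suffix(image, name, keep):
    """Replay the essay's resource edit: keep the first `keep` bytes of a name and
    overwrite the rest with 0x00 (ABOUTD with keep=5 reads as ABOUT afterwards,
    NAG with keep=0 disappears entirely)."""
    patched = name[:keep] + b"\x00" * (len(name) - keep)
    return image.replace(name, patched)


def clear_flag_setters(image):
    """Replay the essay's flag edit: every 'mov [flag],1' becomes 'mov [flag],0'."""
    mov_flag_0 = MOV_FLAG_1[:-4] + struct.pack("<I", 0)
    return image.replace(MOV_FLAG_1, mov_flag_0)


def demo():
    """Pristine image passes; each edit flags exactly the region it altered."""
    layout = region_layout()
    pristine = build_image()
    manifest = make_manifest(pristine, layout)
    return {
        "pristine": verify(pristine, layout, manifest),
        "name_nulled": verify(null_suffix(pristine, b"ABOUTD", 5), layout, manifest),
        "flag_cleared": verify(clear_flag_setters(pristine), layout, manifest),
    }


if __name__ == "__main__":
    for case, bad in demo().items():
        print(f"{case:13s} -> {'OK' if not bad else 'TAMPERED: ' + ', '.join(bad)}")
```

Two limits of this check are worth stating, and the essay itself illustrates both. The
manifest must be kept where a patcher cannot simply regenerate it (signed, or held outside
the binary), and the verify routine is just more code in the same image, so it can be
NOPped out like any other branch: this is tamper evidence, not tamper proofing. It also
does nothing about the deeper weakness the listing exposes, a single plaintext dword at
0051E084 deciding whether Save works; the anti-debugger wrapper the vendor bought never
touched that flag either.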

By the way, we do not have to worry about the "created with the trial edition of SmartDraw"
message on any printed document, as it has gone away too.
(In fact, everything has gone away!)

You now have a fully licensed copy of SmartDraw.
What about a +HCU Award for the "Most Stupid Protectionists Of The Year"??

Frog's Print, 4 July 1997 

 

frog_s_print@thepentagon.com 
