An interesting tool: Numega Smartcheck 5.0
Echoing a silly "install" and trial protection scheme

by Snatch

(27 October 1997, slightly edited by fravia+)


Courtesy of fravia's page of reverse engineering

Well... this happens more and more often nowadays: I was preparing my own "An interesting tool: Numega's Smartcheck 5.0" essay... and Snatch has "snatched" it before me.
Well, the minimum that Snatch can do after having spoiled my "in fieri" essay :-) is to allow me a somewhat long introduction to his essay: here it is.

Smartcheck is an interesting tool indeed... yet you must be careful and set it up correctly:
program/settings: Default: detect and report everything
program/settings/advanced: check everything, don't suppress anything
and don't forget to "check program compliance" before delving in... as soon as you use it you'll easily understand that this program is a very important addition to our tools arsenal.

In fact the real funny question is: "Why does Numega use such stupid protections?". Mind you, we are not speaking of a small shareware programmer that is using some overbloated language for some overbloated useless application: we are speaking of the BEST programmers and wizards of assembly in the whole planet here!

The fact that Numega (which, differently from Micro$oft's lamers' park, HAS INDEED A LOT of said good programmers and wizards) publishes powerful disassembly and reversing tools (Bondcheck, Smartcheck, Softice...) in downloadable "trial" versions with pretty silly protections (as if the kind of people that REALLY USE such tools were not capable of hearing a password echo in memory) can IMO only mean one of two things:

A) EITHER Numega follows the Micro$oft path of giving away everything for free, in the hope that they will dominate the disassembler "commercial" market and get the rewards from economies of "scale".
This may happen: it is clear that the crackers and "simple" programmers of to-day, i.e. a great part of the people that peruse the many available sites like mine, ARE the reverse engineers of to-morrow (who else?), and will be able to afford *any* "commercial" fare that Numega will in the future decide for, say, Smartcheck version 13.0.
B) OR Numega will bring to light a very tough protection (the mythical "unbreakable" software protection :-) as soon as its absolute dominance of the market has been asserted. Let's hope they do it soon: the "protections" (if you really want to call them so) that they are using at the moment are simply too boring to bother with.

And here is the short essay by Snatch, sorry for the long introduction


Cracking Numega Smartcheck 5.0 by Snatch
I was recently tipped off that Numega's Smartcheck could reverse Visual Basic files, so I downloaded the demo from this site: ftp://ftp.ultranet.com/pub0/n/numega/files/smchk50.exe (about 7.19 megs). The first thing I noticed when I ran the setup file was a password to start the setup program. So I went into SoftICE ver 3.21 (very nice indeed), and set a bpx getwindowtext. Then type in a dummy password and click OK. After stepping through the routine (F10), you find that there is:

    CALL USER!GETWINDOWTEXT  >> Get what you typed
    LEA AX,[BP-32]           >> Load AX with the address of what you typed
    PUSH SS                  >> Segment of what you typed
    PUSH AX                  >> Offset of what you typed
    PUSH DS                  >> Segment of the real password
    PUSH 06BA                >> Offset of the real password
    CALL USER!LSTRCMP        >> Comparison of the strings at SS:AX and DS:06BA

Next you do a dump of 06ba:

    d ds:06ba l 64

You should see the password, &Smc50-14d%, there in front of your eyes. Type bd * to disable your breakpoints, Ctrl-D to run and get an error, and then run the setup again and type the right password to bypass that silly message. Now we are one-fourth of the way done! It was that easy!

After going through a few screens, you will see your name, company plus a serial number! I tried to crack the serial number but gave up. Don't worry, we can still crack this later on, and much easier and quicker. So simply install it. And run it :-) Now load a program (it must be 32-bit, which is why this program won't help me too much with VB programs). Now try Program and Start. Uh-oh! Name of the trial user, blue "trial meter" and registration number. Phew!, there is a Purchase button. Let's click it. Here it is, unlock code and all. Nice, let's go back to the debugger. be * for our breakpoints to be re-enabled. Now enter your name and company and a dummy password. BOOM! You're in the debugger.

Now step and step and step and step until you get to a patch of code that looks like this:

    ADD ESP,04
    LEA EAX,[EBP-14]  >> Your password
    LEA ECX,[EBP-28]  >> The correct password
    PUSH EAX          >> Your password
    PUSH ECX          >> The correct password
    CALL 10005680

Here you have it! Type d ecx l 64, and the first 16 bytes are the right code. Numega is using a hashing of your name and password and reg number to get the code, so for everyone the code will be different. Now back to reality: write down those 16 numbers and disable your breakpoints, bd *, now Ctrl-D. Keep your name and company the same, enter the password in and you are a *registered* user of Numega Smartcheck 5.0, with your own user name and password!

**Note: you could probably also have reversed this protection scheme, individuating both passwords I have described, by editing the memory and changing the jumps to NOPs, but I "trust" the real and correct password more!

Snatch '97
(c) Snatch, 1997. All rights reversed.
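Why both of Snatch's dumps work, and what a less silly scheme would look like, as an added example. This is my own C, not NuMega's code: nothing is known about their real hash beyond "a hashing of your name and password and reg number", so FNV-1a over "name|company|regnum" is an assumption, and the toy RSA key below is a throwaway 63-bit one chosen so the arithmetic fits in a C file. Scheme A mirrors the second check from the essay: the product derives the expected 16-character code from the user details itself and strcmp's it against what was typed, so the correct code must sit in a stack buffer at comparison time, which is exactly what "d ecx l 64" reads out (the installer's constant password compared with lstrcmp is the same flaw in its degenerate form). Scheme B keeps only a public key in the product and verifies a vendor-signed code, so the valid code is never computed on the user's machine and there is nothing to dump. Builds with gcc or clang (it relies on the unsigned __int128 extension).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a 64-bit over "name|company|regnum". Stand-in for whatever hash
 * NuMega used; the essay only says the code is "a hashing" (assumption). */
static uint64_t hash_details(const char *name, const char *co, const char *reg)
{
    char buf[256];
    uint64_t h = 0xcbf29ce484222325ULL;
    snprintf(buf, sizeof buf, "%s|%s|%s", name, co, reg);
    for (const char *s = buf; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* ---- Scheme A: what the essay found. The checker derives the expected
 * 16-character code itself and string-compares it with what was typed.
 * `slot` stands for the stack buffer at [EBP-28]: what `d ecx l 64` shows. */
int check_unlock_weak(const char *name, const char *co, const char *reg,
                      const char *typed, char slot[17])
{
    snprintf(slot, 17, "%016llX", (unsigned long long)hash_details(name, co, reg));
    return strcmp(typed, slot) == 0;  /* the CALL 10005680: valid code is live in memory */
}

/* The essay's trick end to end: submit a dummy, read the echoed code, resubmit it. */
int replay_echoed_code(const char *name, const char *co, const char *reg)
{
    char slot[17], unused[17];
    check_unlock_weak(name, co, reg, "dummy", slot);  /* fails, but slot now holds the code */
    return check_unlock_weak(name, co, reg, slot, unused);
}

/* ---- Scheme B: the checker only verifies. Toy RSA with a 63-bit modulus
 * (illustration only: factorable in milliseconds; a real product needs >= 2048-bit
 * keys and a proper signature scheme). The vendor signs H(details) with the private
 * exponent; the product ships only (N, E) and checks code^E mod N == H(details). */
static const uint64_t P = 2147483647ULL;                 /* 2^31-1, vendor only */
static const uint64_t Q = 4294967291ULL;                 /* 2^32-5, vendor only */
static const uint64_t N = 2147483647ULL * 4294967291ULL; /* public modulus */
static const uint64_t E = 65537ULL;                      /* public exponent */

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)((unsigned __int128)a * b % m);  /* GCC/Clang extension */
}

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m)
{
    uint64_t r = 1;
    for (b %= m; e; e >>= 1) {
        if (e & 1) r = mulmod(r, b, m);
        b = mulmod(b, b, m);
    }
    return r;
}

/* Extended Euclid: a^-1 mod m. Run once by the vendor to derive d. */
static uint64_t invmod(uint64_t a, uint64_t m)
{
    __int128 t = 0, nt = 1, r = m, nr = a, q, tmp;
    while (nr) {
        q = r / nr;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    return (uint64_t)(t < 0 ? t + m : t);
}

/* Vendor side: the keygen. Never ships in the product. */
uint64_t vendor_issue_code(const char *name, const char *co, const char *reg)
{
    uint64_t d = invmod(E, (P - 1) * (Q - 1));
    return powmod(hash_details(name, co, reg) % N, d, N);
}

/* Product side: holds only N and E. No valid code is ever computed here, so
 * a debugger finds nothing to dump at the comparison. */
int check_unlock_signed(const char *name, const char *co, const char *reg,
                        uint64_t code)
{
    return powmod(code, E, N) == hash_details(name, co, reg) % N;
}

int main(void)
{
    char slot[17];  /* constructed sample details below; any strings work */
    int ok = check_unlock_weak("Snatch", "fravia", "1234", "dummy", slot);
    printf("weak: 'dummy' -> %d, but [EBP-28] holds %s, replay -> %d\n",
           ok, slot, replay_echoed_code("Snatch", "fravia", "1234"));
    uint64_t code = vendor_issue_code("Snatch", "fravia", "1234");
    printf("signed: issued %llu -> %d, bit flipped -> %d\n", (unsigned long long)code,
           check_unlock_signed("Snatch", "fravia", "1234", code),
           check_unlock_signed("Snatch", "fravia", "1234", code ^ 1));
    return 0;
}
```

Scheme B only removes the memory echo and the possibility of a keygen. The conditional jump after check_unlock_signed can still be patched to NOPs exactly as Snatch mentions in his note, so it is a tougher protection, not the "mythical unbreakable" one.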