4.00 Eval Release - (Fun with packed files)
by snickers , 9 January 1998
As if real reversers would care at all about specific programs... the ones I enjoy most to crack myself (for instance) are 8 years old DOS programs on 5.25 old floppies...
Once more: almost every soul perusing this site is looking for 'ideas' and/or 'approaches', in order to reverse on his own targets' code snippets (and not necessarly protection schemes!) that are completely different from the ones you might have choosen for your essay... if you are looking for ready made 'cracks', in order to steal some software and use it for free without paying enough money to the shareware Author to let him buy milk for his kids (with Micro$oft's slaves it's different, let's hope their kids starve) then go ELSEWHERE, you'll find enough stolen warez and 'crackz for lamerz' almost everywhere on the web, and you should not be here at all.
OK, hope you understood me, now enjoy this essay... at times I'm very happy to see that my site has been useful to some clever reverser...
A last thing: I love snickers' methodical approach... even if this patching patched patchers seems -at times- a little patchy :-)
That's how the light gets in
An 'all around' cracking exercise with DOS, Win16, Win32, and even packed EXE targets, demonstrating nag screens and a unique but simple file header protection scheme.
(4.00 Eval Release)
Written by snickers
Fravia: the best way I feel I could show my gratitude for what I have learned from your page and the tens of other good cracking resources I have come across would be to come up with something substantial of my own to contribute to the cracking world. Thus I have remained silent until now, honing my basic cracking skills that one day, I may be worthy enough to join the ranks of the +HCU. For now, I submit this essay on a very simple protection scheme I found. Despite being simple it has certain unique facets that make it more than 'banal'. Also, it is a tool (or a set of tools) that could be handy for any +cracker.
To follow along with this essay, you need:
Tools:
SoftICE (3.x for Win95, as well as 2.x for DOS)
Hacker's View v.5.66 (or any other hex editor with
on-the-fly disassembly)
Tron v.1.30 (see The Undertacker's essay about tron)
~
Our target: rtpsetup.exe (2,228,694 bytes) you can hopefully still get copies at http://www.pocketsoft.com
About our target: .RTPatch Professional is a commercial patching engine. It comes with several utilities that aid in software modification and distribution, such as a file compare tool, string and byte searching utils, complete with a file archiving system that allows the creation of self-extracting setup files. Of course, the main product here is the patching engine, which compares files (or a set of files) and produces a binary patch file to allow software developers to quickly make and distribute software updates or bug patches. This tool is especially useful for beginning crackers like myself who do not yet have the capability of programming their own patch files or even for crackers who are experienced in programming but are too busy to write a patch file for every software they crack. The crack files written by +crackers themselves are often far more efficient (especially in terms of file size) and already you may find +cracker written patch generators/engines all over the web. I have already seen crack patches made by this program on the web, and the hundred plus KB size was a monster to download compared to the other 2 KB crack files. So what's so great about .RTPatch? For starters, patches by .RTPatch are really small, about a few hundred bytes. It's the patch apply programs which are relatively big (62 KB for DOS, 149 KB for Win32), and this is because these patch apply programs have many fully customizable options. Windows based patches can be made in an instant, complete with a GUI (it's a bloated DLL file which accounts for the size mentioned). .RTPatch is easy to use, and one of it's best features in my opinion is ease of multiple file patching, along with add and remove file capabilities. But you can read about this and other features in the complete documentation that comes in the distribution file, so enough of that here. The most important thing about .RTPatch is that it seems to be the defacto standard for binary file patching in the commercial software world. What makes me say this? Patches for Adobe and Symantec applications use .RTPatch, as well as many other corporate and non-corporate software developers listed on Pocketsoft's web site. So when these companies issue patches for their software, having the utilities they used to make their patches with will enable us to reverse engineer them. (May I suggest the reverse engineering of RTP files as a future +HCU Project?) Lastly, it would pretty damn ironic for us to be cracking and patching those commercial applications with the same commercial utility they're all using. Let's use their own tools against them.
H
E
E
S
S
A
Y
The Protection
The .RTPatch Professional Evaluation Release is a fully
functional version with all the tools and documentation
included. The evaluation period is for 30 days, but
Pocketsoft was probably counting on your honor because
the software doesn't seem to expire. I've changed my
date ahead as far as the year 2099 and it still works
without handicap. There seems to be two apparent
'protections' on this evaluation version:
1) There is an annoying nag screen/message every time
the patch build and patch apply programs for all
platforms (DOS, Win, Win32) are invoked.
2) According to the documentation, the eval release is
not capable of processing files larger than 25 megabytes.
These cracks are so simple that I won't even be putting
a line of code for them here. I guarantee you, however,
you will have fun, since .RTPatch is multi-OS and
presents an opportunity to review your cracking skills
in DOS, Win16 and of course, Win32. But here are the
guideline hints - this is, after all a cracking essay:
-The nags appear in 9 programs which need to be patched. These are:
PATCHBLD.EXE the Win32 Console App which generates
the .RTPatch files
PBLD-V16.EXE the standard DOS version of PATCHBLD
PATCHW32.DLL the Win32 DLL for Console and GUI Patch
Apply Programs (the nag is in this DLL
and not the Apply Programs)
PATCHW.DLL this is the DLL for the Win16 GUI
Patch Apply.
.RTPatch has an EZPatch system which allows you to
bind the patch file and the apply program into a
single executable patching file. It uses DAT files,
which are really modified versions of the corresponding
standard EXE and DLL files with DAT extensions.
EZPNTDLL.DAT the 'bindable' version of PATCHW32.DLL
EZPDLL.DAT the 'bindable' version of PATCHW.DLL
EZP32DLL.DAT a 'bindable' combined graphic GUI and DLL
These two files, we'll deal with later.
PATCHDOS.EXE the DOS Patch Apply Program
EZPDOS.DAT the 'bindable' version of PATCHDOS
-PATCHBLD.EXE is a Win32 Console App and thus uses
standard Win32 APIs. Its nagscreen occurs as a
message box. Using SoftICE, bpx MessageBoxA and
you'll find the call. NOPping this call will get
rid of the call. Secondly, the 25 MB limit can be
taken care of here. Running PATCHBLD with any two
files larger than 25 MB will yield the error message
(I used my DriveSpace Compressed Volume Files).
Step the program to the error message display. A
few instructions before that you will find a CMP
with 19h (25) and a JGE. You know what to do.
-While you're still in Windows, crack the two DLL
files. FIrst, make a patch file using an original
copy of the nagged, limited PATCHBLD and your newly
patched one, using PATCHBLD itself. Next, use the
Win32 Patch Apply GUI (there's an icon in your Start
Menu) to apply the RTP file you just made. A message
Box will appear. Your bpx on MessageBoxA from your
last crack will catch it, and just NOP the call to
the API in PATCHW32.DLL. There will be no more nag.
-PATCHW.DLL is cracked similarly, but remember that
it is 16-bit and uses 16-bit APIs. NOPping the call
this time will crash the program, and so will NOPping
the call that calls the call, so at the top of the
routine that calls the nag force an early RETF by
changing the first byte to a CBh. It's cracked.
-EZPNTDLL.DAT and EZPDLL.DAT are not exactly like
their standard DLL counterparts, but they're similar
enough that all you have to do is search the same
sequences of bytes that you NOPped in PATCHW32.DLL
and PATCHW.DLL and NOP them too.
-When you're done with all this, you can leave Window$
to crack PBLD-V16.EXE. I know that you can load DOS
programs into SoftICE 3.x in Windows but it always
crashed on me so I decided that I would just crack it
in DOS. Load it into SoftICE 2.x and step to the
message. You'll be dragged throgh a lot of procedures
to get to the nag routine, so be prepared to step into
them. Eventually you'll find the right one - RETF the
first byte of the called procedure to skip the nag.
There are actually 2 patch creation programs for DOS -
the standard PBLD-V16.EXE and the enhanced, faster
PBLD-DX.EXE, both of which have nags. However, after
patching PBLD-V16.EXE, you won't need to patch PBLD-DX.EXE
anymore since the nag there also goes away.
By this point, most of the nags are gone and it probably
took you more experienced crackers about 10 minutes or less.
More Protection?
Well, I tried my newly nag-free Patch apply program on a
commercial software update .RTP file and I got an error
message 'Invalid Patch FIle.' But most companies are
still using .RTPatch version 3.20, like the patch file I
was trying to use, and I figured the error was just due
to a version incompatibility.
PATCHDOS.EXE is a packed EXE file, and all the tools
I've gathered off the web say it's an unknown packer.
Rather than go through the trouble of unpacking this
compressed exe just for a simple nag, I went back to
the Pocketsoft web site. In their downloads area I
found that PATCHDOS.EXE 4.00 was available for free
download. Excitedly I got this 63 KB file and rejoiced
when I found it had no nag screen. But when I tried it
on the patch files I made using PATCHBLD.EXE I got
another 'Invalid Patch File' message. Perhaps it only
works with patches made with the DOS programs, I thought.
But even with patches created with PBLD-DX and PBLD-V16
I got the same error. Could it be that my patching of
the nagscreens caused the patch builders to churn out
defective patch files?
The answer was no. The RTP files I had made worked well
with Patch Apply Programs SUPPLIED WITH THE EVAL RELEASE!
I then tried the commercial version 3.20 RTP file with
the new PATCHDOS.EXE 4.00 that I had acquired. It
worked perfectly!
So that is why the Evaluation Release of .RTPatch
Professional 4.00 was seemingly so poorly protected!
The Eval Release doesn't work with the Licensed
Release -- at least, it's not supposed to. If that
is the case, yes, we've cracked .RTPatch and can now
make our own patches without any annoying nags, BUT,
how can we work with the RTP files of the commercial
software makers? Must we buy this extremely overpriced
patch engine to reap all its benefits? Overpriced, of
course, since there are dozens of FREE utilities on
the web that do the same thing - written by +crackers,
for +crackers.
The answer is also no. And if you're the type that doesn't
give up easily, you'll soon discover that the crack for
this part of the protection is very easy. In fact, you
can give your SoftICE a rest and enter the battlefield
armed only with a hex editor.
There are two things to consider as we tackle this problem:
1) The Patch Building System has to be capable of
writing a RTP file that is recognizable to the Patch Apply System.
2) The Patch Apply System must have a method for
recognizing a valid RTP file.
Since you're probably still in DOS, you had best stay
there for the moment. This session will end in DOS.
However, I made this observation in Window$, since my
Windows Hex Editor (Hex Workshop) allowed me to look
at several files at once. I loaded a few of the
commercial RTP files I had, and then a few of the RTP
files I had made. The file contents were different,
but I noticed that the headers of all the RTP files
were the same -- except for one thing. The files I
had made with the Eval Release all began with EE 76 90 01,
while the commercial RTP files I had began with 4B 2A 40 01.
The Patch Apply Programs were reading in these first 4 bytes
to determine whether or not the RTP file was valid.
Testing this theory by editing the bytes worked.
At this point a simple solution would be to generate a
patch or write a program that would be capable of
searching EE 76 90 01 and replacing with 4B 2A 40 01
and vice versa to allow any patch file to work with
either the Eval or the Licensed Versions. But this
would be cumbersome and inconvenient. Besides, I want
the full product.
Fire up Hacker's View and switch to disassembly view.
Starting with PBLD-V16.EXE, we first search for
instances of EE 76 90 01. No luck. Reversing the
byte order also turns up nothing. Then you search for
3 of the bytes in sequence. Also no luck. But
searching for EE 76 turns up two spots. Searching
for 90 01 turns up thirteen. How do we know which
ones to patch? Time for the Zen part.
We're using Hacker's View since it can display in assembly.
As a result we can jump over red herrings and fish out the
right instructions. The first instance of EE 76 is a CMP
instruction. We know that this cannot be our target
because a CMP would not lead to writing on a RTP file.
The second one reads:
00043E44: C746FAEE76 mov w,[bp][-0006],076EE
A MOV instruction would be very likely in writing that
sequence to the RTP file. You then replace EE 76 with
4B 2A, the first 2 bytes of a licensed file header.
Scanning over the 13 occurrences of 90 01, only one is
a MOV. Replace the appropriate bytes with a 40 01.
Update the file and quit.
Using your newly patched PBLD-V16, you make a RTP file.
Loading the product into your hex editor, you find that
the first 4 bytes read 4B 2A 40 01. You also try the
file with that standard issue PATCHDOS from Pocketsoft's
web site. It recognizes your RTP file and everything
works! And as with the nag, there is no need to patch
PBLD-DX.EXE.
But we still have to patch PATCHBLD.EXE. Use the same
technique to find the proper locations to patch. Another
thing to patch is the Recognition System in the Patch
Apply Programs. The Recogintion system is patched the
same way, only the telltale instruction is CMP. Search
for the culprit in the 2 DLL files and their DAT
counterparts -- you'll find them quickly since the CMP
instructions for EE 76 and 90 01 are close to each other.
Also, you will need to patch PBIND.EXE so that it can
recognize a valid RTP file, but you only need to look for
the EE 76 string - that's all it compares.
Fun with Packed Files
.RTPatch has been a complete cracking package - cracking
nags in DOS, Win16 and Win32, as well as that nifty
recognition protection scheme. But after playing with
your cracked .RTPatch Pro, it won't be long before you
realize you can't make nag-free EZPATCH single file
patches for DOS. And those are the smallest kind - the
most convenient for distribution. What are you going to
do about it? EZPDOS.DAT is a modified PATCHDOS.EXE.
Renaming PATCHDOS.EXE to EZPDOS.DAT and then binding it
doesn't work, so what can you do? Well, you've come too
far to quit now. EZPDOS.DAT, like PATCHDOS, is compressed,
which is the exact reason we avoided the hassle of
uncompressing by downloading a different version. But
this time there is no 'other version' and we're stuck
with this nagged one. Not for long. Go check out the
+HCU Project on unpackers and Packed-EXE's -- nothing's
impossible.
Get your copy of Tron 1.3 out. Even though it's compressed
with an unknown packer, we can still uncompress EZPDOS.DAT
using Tron's universal decompressor. First, rename
EZPDOS.DAT to EZPDOS.EXE. Then you can use Tron like this:
tron -u EZPDOS.EXE
EZPDOS has an overlay, so Tron asks if it should remove it.
Answer Yes - EZPDOS still (seems to) runs without it.
After a while you have an unpacked EZPDOS. Load up
SoftICE 2.x (you're still in DOS, right?) and get rid of
the nag screen like you did all the others. You'll also
need to look for those Eval recognition bytes and change
them to Licensed bytes. Now everything works perfect, but
EZPDOS is no longer as slim as it used to be. You can
re-pack your cracked version with any EXE compressor
(I used PKLITE Shareware) and afterwards rename the file
back to EZPDOS.DAT.
Conclusion
Together we've cracked .RTPatch Pro. Let's summarize:
PATCHBLD.EXE cracked Nag, 25MB limit and Header Write
PBLD-V16.EXE cracked Nag and Header Write
PATCHW32.DLL cracked Nag and Recognition
PATCHW.DLL cracked Nag and Recognition
EZPNTDLL.DAT cracked Nag and Recognition
EZPDLL.DAT cracked Nag and Recognition
EZP32DLL.DAT cracked Nag and Recognition
PATCHDOS.EXE replaced with Nagless version from website
EZPDOS.DAT Unpacked EXE, cracked Nag and Recognition
PBIND.EXE cracked Recognition
The fun conclusion to this essay is to gather copies
of the original files in one directory, and copies of
the patched files in another one. Now you can use
.RTPatch's PATCHBLD to make an RTP file that removes
the protection on itself! Don't worry about PATCHDOS.EXE
and EZPDOS.DAT. PATCHBLD can detect that the new versions
are completely different from the originals and will provide
for a file replace in the RTP file - this program is great!
Didn't I say this would be easy?
(c) snickers 1998, all right reversed
Back to Packers and Unpackers
homepage
links
anonymity
+ORC
students' essays
academy database
tools
cocktails
antismut CGI-scripts
search_forms
mail_fravia+
Is reverse engineering
legal?