Cracking Micro$oft Visual SourceSafe 5.00
Cracking a quite easy timeprotection
project9
Microsoft bashing
31 March 1998
by TWD
Courtesy of Fravia's page of reverse engineering
slightly edited
by fravia+
fra_00xx
98xxxx
handle
1100
NA
PC
Well, TWD is specialising in Micro$oft bashing, as it seems. That's very good. I'm a little deceived that so many reversers ignore totally Micro$oft's awful applications (and silly protections). This is a MISTAKE! Micro$oft's programs are extremely overbloated and buggy, yet they are also SOLD and WIDESPREAD. Let's take account of this simple (if very sad) reality. Reversing Micro$oft's application is therefore USEFUL for a series of reasons:
1) It could be helpful -say for some far-away forgotten study institute in Africa without any money- to have the possibility to use the SAME (stupid) applications that all other study institutes all over the 'developed' world are (unfortunately) using... excel instead of 1-2-3, so to say: not that it works better (it does not) nor quicker (it does not), but excel is unfortunately, like it or not, the de facto 'standard' of these aera of software decadence.
2) We could find -reversing deep and reversing well- some of the faul TRICKS that the Micro$oft's programmers have hidden inside their applications in order to get, say, a complete list of the software running on a given machine, or to delay a little netscape's browser, or to send to their sites on line some registration informations without asking you.
(TWD) >
Life is but a dream therefore, where there is no dream, there is no life - it's your life
Rating
(x)Beginner ( )Intermediate ( )Advanced ( )Expert

A very easy crack, but it's a Micro$oft crack. That's worth an essay.
Cracking Micro$oft Visual SourceSafe 5.00
TimeNag - cracking at it's most easy
Written by TWD


Introduction

  You wont believe it, but Micro$oft distributes a german developer CD-ROM

  With a lot of crap on it, but also with on or two "time-protected" programs.

  One of the programs is Visual SourceSafe 5.00



Tools required
Tools I used : - SoftICE 3.22 - IDA 3.7 - UltraEdit 5.0 (just for editing and writing essays)

Target's URL/FTP
Maybe at www.microsoft.com

Program History
Which history ???

Essay



After starting Visual SourceSafe 5.00 and logging in, a window appears and 

tells us that only 30 days a remaining, before VSS expires.



Thanx a lot, I finished it and started it again. Before finishing the login,

I set a breakpoint on   GetLocalTime   and continued.



SoftICE breaks up here :



10037843 8D 44 24 08                 lea eax, [esp+18h+var_10]

10037847 50                          push eax

10037848 FF 15 34 44 06 10           call ds:GetLocalTime

1003784E 66 8B 44 24 08              mov ax, word ptr [esp+18h+var_10]

10037853 8A 4C 24 0A                 mov cl, [esp+18h+var_E]





Nice, nice, but not the thing we are looking for. You can look around by pressing

some "^p ret;" in your SoftICE, but this is not the right position, at least not 

in the moment.



After carrying on, SoftICE pops up at exact the same position as the last time, but

this time called by another procedure :





100025C7 E8 74 52 03 00              call ?DT_GetCur@@YAJXZ      ; <-- Our proc

100025CC 2B 44 24 78                 sub eax, [esp+204h+var_18C]   <-- eax=days passed

100025D0 B9 80 51 01 00              mov ecx, 15180h

100025D5 99                          cdq

100025D6 F7 F9                       idiv ecx

100025D8 83 F8 3C                    cmp eax, 3Ch

100025DB 7C 23                       jl  short loc_10002600

100025DD C7 05 18 86 05 10 01 00+    mov dword_10058618, 1

100025E7 6A 3C                       push 3Ch

100025E9 68 70 D6 FF FF              push 0FFFFD670h

100025EE E8 0D 83 01 00              call ?Error@MSERR@@SAHHZZ   ; <-- Output Error 1





The call at  "100025C7"  checks the time. The days since installation are stored in eax.

If more than sixty days are gone, a special message box pops up. (Error 1).

There are more error messages like this one. This one is called if more than 30 days 

have passed since SourceSafe expired. If you have just installed Visual SourceSafe, 

it shouldn't be expired, that means it jumps to :



10002600 83 F8 1E                    cmp eax, 1Eh

10002603 7C 17                       jl  short loc_1000261C

10002605 68 71 D6 FF FF              push 0FFFFD671h

1000260A E8 F1 82 01 00              call ?Error@MSERR@@SAHHZZ   ; <-- Output Error 2

1000260F 83 C4 04                    add esp, 4

10002612 33 C0                       xor eax, eax

10002614 5E                          pop esi

10002615 81 C4 00 02 00 00           add esp, 200h

1000261B C3                          retn



If more than 30 days and less than 60 days passed by, another message box pops up (Error 2).

Else we keep going on jumping to :



1000261C B9 1E 00 00 00              mov ecx, 1Eh

10002621 2B C8                       sub ecx, eax

10002623 51                          push ecx

10002624 68 72 D6 FF FF              push 0FFFFD672h

10002629 E8 D2 82 01 00              call ?Error@MSERR@@SAHHZZ   ; Error 3

1000262E 83 C4 08                    add esp, 8

10002631 33 C0                       xor eax, eax

10002633 5E                          pop esi

10002634 81 C4 00 02 00 00           add esp, 200h

1000263A C3                          retn



If less than 30 days are gone, SourceSafe calculates the remaining days, stores them

in ecx and outputs it with a message box. This is no real error, but it disturbs.



To kick this silly protection and to remove the message box (Error 3), the only thing 

to do, is to change the 



    100025DB 7C 23                       jl  short loc_10002600



to 



    100025DB EB 54                       jmp 10002631





This will jump short behind the message box (error 3), but it shouldn't jump on

the 



    1000262E 83 C4 08                    add esp, 8



because this will kill the program by modifying the stack.





As usual questions, ideas, suggestions, etc can be send to 



   mailto:twd(point)rulez(at)gmx(point)net

   http://twdrulez.home.ml.org



Final Notes



Cracking this program was very simple. One breakpoint on GetLocalTime was enough.

Why some one should use this program is very easy to explain. The overbloated 

M$ - programs make it necessary. 





Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.

You are deep inside fravia's page of reverse engineering, choose your way out:

project9
Microsoft bashing


redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_fravia+
redIs reverse engineering legal?