Cracking the Challenger Interactive CME

by dr_daze.

Introduction

Doctors are usually thought of as blokes in white coats with a stethoscope around their necks always eager to attack some poor unsuspecting soul with a hypodermic, they are not expected to know too much about computers least of all about cracking software. Correct me if I am wrong, but I believe this is one of the few cracking tutorials written by a real doc.

It all started when I got hold of the Harrison’s Internal Medicine 14th ed. CD-ROM. I found that it shipped with a very interesting and useful Challenger Interactive program. The only trouble was that it needed to be registered to become fully functional (sound familiar?). After extensive searches on the internet, I found that no one had bothered to crack this program.

That was when I decided to delve into the world of cracking. There was plenty of help out there on the net for a newbie like myself (tutorials, crackme’s and the sort). After a couple of weeks of research, a couple more of sleepless nights I finally did it. This tutorial was not written to boast about my cracking skills nor was it intended to be the final word in the matter of cracking (there will never be). It was written to show that anyone could learn to crack with a little guidance.

Tools needed

You need to alter the winice.dat file in the SoftICE directory before we can get started.

Open the file in notepad.

INIT = "color f a 4f 1f e;wc 8;wd 5;ww 2;code on;watch es:di;watch ds:si;x;"

TRA = 92

Save the file, restart windows and press Ctrl-d and you should be greeted by a black screen with arcane numbers and letters. Welcome to the world of SoftICE!. You will find it easier if you take a hardcopy of this tutorial so that you don’t have to switch between cracking and reading this text often.

Basics first

A little knowledge of assembly language is essential. There are many books available on the subject. You can even download entire texts from the net. I recommend Peter Norton’s ‘Assembly language book for the IBM PC’ to start with. Familiarize yourself with hex numbers, hex maths, logical operators, memory & registers.

The SoftICE screen

When you press Ctrl-d you should see something like this (values will differ) :-

Registers & Flags

EAX = BF77D004  EBX = ABCD1234  ECX = 00845ED1  EDX = 001985DA  ESI = C0FE2401
EDI = ABD12390  EBP = 123DC12A  ESP = 00789122  EIP = 12345ACD  o d s I z a p c

CS = 1024 DS = AC12 SS = 19AC ES = AC12 FS = 5D00 GS = 0000

Watch Window

ES:DI = 46AD
DS:SI = AC

Data Window

2227:00001AB0 AD CD 00 00 12 14 15 A0 - CA AB CD 12 00 00 A0 BA  ….$4….!…

Code Window

1ABC:00002AEF 51 PUSH ECX
1ABC:00002AF0 CC INT 3

Command Window

WINICE: Free32 Obj=02 Mod=recovr32

I’ll explain as we go along.

Lets get going

Install the Challenger and run it. Log in as instructed. The welcome screen stating that it is a demo should pop up. Choose License now and select the ‘I have a serial number’ (sn) option. The window requesting the serial number will pop up. Type in any 16 char long sn and press next. The ‘you have entered the invalid sn dialog box will appear’. Press OK and you are back to square one.

Our aim is to break out of the loop and find out what the program checks for in the entered sn. Having done that we should be able to defeat the protection scheme.

The tripwire...

How do we break out? We need to set a breakpoint in SoftICE so that we can stop the program just after pressing the next button in the dialog box. In this case we shall use the GETWINDOWTEXT function call for the breakpoint. To do this press Ctrl-d and in the SoftICE user window type :-

bc *   (To clear all previous breakpoints).

bpx getwindowtext   (To set the breakpoint).

Press Ctrl-d again. Enter a serial number. I typed DAZE-1234-ABCD-wxyz.

Press next and voila! you are back in SoftICE.

Now press F12 to get to 'Medchall' where the function was called from. You should see the following :-

3A01 CALL USER!GETWINDOWTEXT
3A08 JMP 3A09

The hunt is on...

Lets find out where our sn is stored in memory. Type :-

s ds:0 l 800000 ‘DAZE’  (search from ds:0 to ds:8000000 for ‘DAZE’).

We find it at DS:B5A8 (values may change).

Now lets set another breakpoint at the memory address where our sn is stored.

bd 0  (Disable first breakpoint).

bpm DS:B6A8+15 rw (break on memory access of sn read/write).

  • Note that the offset B6A8 may vary, so set the bpm according to the search result.

    Press ^D and you should see the entire sn in the data window. Press ^D again and the sn should change to capitals. This is the first operation on the sn.

    F2AE REPNZ SCASB ; Determine length of entered sn.
         NOT CX
         JNZ 49E0
    
    F3A5 REP MOVSW ; Copy sn from ds:si to es:di.
         ADC CX,CX
         REPZ MOVSB
         XCHG AX,CX

    Now type :-

    bpr ds:b6a8 ds:b6a8+15 rw  (set the breakpoint on the memory range where the sn is stored).
    
    bd 1  (disable the prev. bp).
    
    ^D

    Lets play hopscotch..

    You should see the following in the code window; (use ctrl-up & down to scroll through the code).

    xxxx:3E69 CMP BYTE PTR [BP-26],57 ; Check if the first letter is ‘W’
              JZ 3E72                 ; Proceed if yes.
              JMP 3F17                ; Quit if no.
    
    xxxx:3E72 MOV BL,[BP-25]          ; Check 2nd letter against value in table.
              SUB BH,BH               ; Located at BX+0B29.
              TEST BYTE PTR [BX+0B29] ; Perform logical AND.
              JNZ 3E81                ; Jump if it checks out.
              JMP 3F17                ; Quit.
    
    xxxx:3E81 MOV BL, [BP-24]
              SUB BH,BH
              TEST BYTE PTR [BX+0B29],80
              JNZ 3E90
    	  JMP 3F17

    OK, what do we have here? looks like a check routine. Each block checks a part of the sn. If it checks out, it jumps to the next step else it quits (JMP 3F17). Press F10 to step through the code one line at a time. At the first jump, we would expect the program to quit since ‘D’ is the first letter of our sn. Now comes the cheating part. After the CMP statement at 3E69, type 'r fl z' to toggle the zero flag. The no jump will magically change into a jump, now press F10 to continue to 3E72. I'll leave you to play hopscotch with the rest of the code in the same manner.

    3F12 JZ 3F17
    3F14 JMP 3F3E
    
    Keep pressing F10.
    
    3F3E MOV BL,[BP-25] ; 2nd letter of sn.
    
    3F78 MOV WORD PTR [BP-3C], 0001
         MOV AL,[BP-23] ; 4th letter.
         MOV [BP-3A],AL ; Copy to BP-3A
         MOV AL,[BP-22] ; 5th letter.
         MOV [BP-39],AL ; Copy to BP-39
         MOV AL,[BP-1B] ; 12th letter.
         MOV [BP-38],AL ; Copy to BP-38

    Whats going on here? it looks like parts of the sn are being taken and stored elsewhere (at BP-3A to BP-38). Take a look at the data window a few lines above where the sn is by using the ALT-up arrow. You should see E1D (if you entered the same sn as I did) which are the 4th, 5th & 12th letters of the sn respectively. Now lets place a breakpoint on this new location.

    bpr ds:bp-3a ds:bp-41 rw

    A ^D will land you some where in the middle of this big loop.

    3FED INC WORD PTR [BP-3E]
         CMP WORD PTR [BP-3E],08
         JL 3FF9
         JMP 4075 ; This routine builds up the remaining 5 letters.
    
    3FF9 MOV CL, [BP-42] ; Of the reassembled code at [BP-37] to [BP-33].
         LES BX, [BP-4A] ; You could do some hex math and figure what
    
         INC WORD PTR [BP-4A] ; really is going on here, but we don’t
                                have to!.
         MOV AL,ES: [BX]
         SHL AL,CL
         MOV SI, [BP-3E]
    
    40AA MOV [BP+SI-3A], AL
         MOV CL, [BP-44]
         JMP 3FED ; Loop to 3FED.

    Keep pressing F10 to loop around eight times! or press ^D 7 times and then F10 to step through the last time till the routine exits the loop at JMP 4075.

    MOV AL, [BP-30]
    CMP [BP-46], AL
    JNZ 4080 ; Invalid sn routine.
    JMP 40A7 ; sn is OK !.

    This is the final check on the sn. F10 through the code and at the JNZ statement type 'r fl z', you should know why by now!. Lets analyze what has happened till now. An eight letter string is extracted from the 16 digit sn we entered. Could this be a filename? It just so happens that it is. In the Challeng\data directory there exists the following files :-

    ECGCHALL.LIC
    IM1CHALL.LIC
    IM2CHALL.LIC
    IM3CHALL.LIC
    IM4CHALL.LIC
    IM5CHALL.LIC
    INTCHALL.LIC

    Is it a coincidence that all these files are 8 characters long? There is only one way to find out. Press Alt-D to edit the data window. Press Tab to get to the ASCII display. Change the E1D to ECGCHALL. Press Tab to edit the hex display and add a ’ ’ after the ECGCHALL. Press Alt-D to return to the command window.

    Disable all breakpoints with 'bd *' and ^D to start the ball rolling again. Voila! the Registering… wait a moment window should popup. I’ll leave it up to you to license the other modules. Remember once licensed you can make a license diskette for use on another machine!.

    Conclusion

    I’ve purposely avoided discussing the hex math and operations on the sn, so that you can figure it out for yourself (Can’t give away everything you know :-). Remember there maybe a million ways of cracking this program more elegantly. Let me know if you did it in a better way. You could gift the license files to your friends which would pain me coz I’ve wasted my time teaching you to crack on your own or you could gift them this tutorial so they can crack it themselves and discover the fun in cracking. The choice is yours….

    The principles described above hold good for any program. So practice on other software. Remember learn what you don’t know, share what you do. Good luck!.

    Acknowledgements

    +ORC for teaching me to crack my own programs and not steal them and for showing me the way.
    Ed!son for the great tutorial.
    And finally Slayer & Black Sabbath for their music which kept me going. Hail!

    dr_daze.

    Hint: WAAA-AAAA-AAAA-AAAA.