SpeedTec v2.0
[Reversing essay]

Subject: Cracking
Target: SpeedTec v2.0
URL: http://www.montanasoft.com
Author: BlackB
Date: 2000-02-19
Tools used: SoftICE, W32DSM89, HIEW, Smartcheck
Difficulty (scale 1-5): 1

Before starting!
This essay is for knowledge purposes only!!
Software developers spend much time in making their programs. They live from the money we give them!
Please buy good software!!
I. Introduction
Hi cracker! Some time ago I wrote an essay (due to my studies), but yesterday I cracked a
program that was worth a tutorial for sure: SpeedTec. It's a little visual basic program that
optimizes your Internet connection, resulting in higher download speeds and faster webpage
viewing. (certainly worth to download!)
II. About the protection
30-day trial / nagscreen / disabled functions
III. Cracking it
Okay. This time it won't be regular cracking....no something different this time :) I've found 
out a "little" (actually a big) bug in the program. Try out for yourself: when starting up 
click on "Register"....fill in an excessive long username and excessive long serial number. 
Click ok and see what happens......!! Yup, it's true! The program overflows and registers 
itself! Funny isn't it? :)
Now, how did I came up with the idea to try entering a very long serial? Well, as this is a 
visual basic program, I tried to reverse the serial routine with smartcheck. I noticed that
the serial was moved into a float variable (which has limitations) and that there wasn't a 
built-in overflow check. There was only an overflow check in the VB library file. So....I
just gave it a try...and I couldn't believe my own eyes it worked :))
Now, the only thing that remains is a little message with an OK button (which gives the 
overflow error). You can also hear a little beep before the message appears. To remove it, we
gotta find out where the "call-error-window" code is. To do that we set a breakpoint 
on messagebeep (bpx messagebeep). Re-run the program, SoftICE will break and start executing
the code with F10. Now, to find out where exactly the call is made to display the window, use
my technique described in my WS_FTP cracking tutorial. But if you are a quick-understanding
guy (girl?) I'll summarize: 1. execute with F10 until window is drawn 2. clear all breakpoints 
set breakpoint on that
call that draws the window 3. re-run the program 4. sice breaks on the call you previously
set a breakpoint on 5. trace into that call 6. goto 1. until you got the real "draw-window"
When you'll find the real call and the window is drawn, you should see this:

* Referenced by a CALL at Addresses:
|:0041C516   , :0041C94E   , :0041CE1E   , :0041D6A3   , :0041D9D9   
|:0041DCB1   , :0041E107   , :0041E499   , :0041F19E   , :0041F9E7   
|:004211F5   , :004215A6   , :00421B10   , :00421E31   , :00422322   
|:00422806   , :00422BB6   , :00422F61   , :004231DD   , :004238A4   
|:00424911   , :00424B8E   , :00424E32   , :004250CB   , :004256BB   
|:004268CF   , :00426FE8   , :00427767   , :00427C6C   , :00427FE8   
|:0042834F   , :0042860A   , :004291D0   , :0042A002   , :0042ACBE   
|:0042C154   , :0042C662   , :0042D3E1   , :0042E538   , :0042F86A   
|:00430514   , :00430A4C   , :004314BE   , :00431A6B   , :00432816   
|:00433328   , :00433C43   , :00434194   , :00434A9D   , :00435322   
|:00435DB5   , :00436EE3   , :00437A1E   , :0043913E   , :0043B862   
|:0043BBF5   , :0043BEAA   , :0043C153   , :0043C3F3   , :0043CAE7   
|:0043CE27   , :0043D167   , :0043D537   , :0043D959   , :0043DD89   
|:0043E76D   , :0043EACA   , :0043EDA3   , :0043F4E7   , :004418FC   
|:00441D24   , :00442233   , :0044290C   , :0044399E   , :00443DBE   
|:004444B3   , :00444B7B   , :004457C8   , :00445A90   , :00445D76   
|:00446040   , :004462E3   , :004465B0   , :00446988   , :00446D99   
|:0044719A   , :00447491   , :004479B9   , :00447D98   , :0044823E   
|:004485B4   , :00448A80   , :00449191   , :00449AC5   , :0044B964   
|:0044BD45   , :0044C013   , :0044D014   , :0044D4DB   , :0044D93D   
|:0044DD4E   , :0044E925   , :0044EBD8   , :0044F631   , :0044FA67   
|:0044FE0C   , :00450788   , :00450C1E   , :00451AE9   , :004522BF   
:004223E0 83EC10                  sub esp, 00000010
:004223E3 53                      push ebx
:004223E4 55                      push ebp
:004223E5 56                      push esi
:004223E6 57                      push edi
:004223E7 C744241000000000        mov [esp+10], 00000000

* Reference To: MSVBVM50.rtcBeep, Ord:0216h
:004223EF FF1568844500            Call dword ptr [00458468]
:004223F5 8B442428                mov eax, dword ptr [esp+28]

* Reference To: MSVBVM50.__vbaStrCopy, Ord:0000h
:004223F9 8B35C0844500            mov esi, dword ptr [004584C0]
:004223FF 66C7054E304500FFFF      mov word ptr [0045304E], FFFF
:00422408 B950304500              mov ecx, 00453050
:0042240D 8B10                    mov edx, dword ptr [eax]
:0042240F FFD6                    call esi
:00422411 8B4C2424                mov ecx, dword ptr [esp+24]
:00422415 8B11                    mov edx, dword ptr [ecx]
:00422417 B954304500              mov ecx, 00453054
:0042241C FFD6                    call esi
:0042241E 8B54242C                mov edx, dword ptr [esp+2C]
:00422422 B958304500              mov ecx, 00453058
:00422427 8B12                    mov edx, dword ptr [edx]
:00422429 FFD6                    call esi
:0042242B 8B442430                mov eax, dword ptr [esp+30]
:0042242F B95C304500              mov ecx, 0045305C
:00422434 8B10                    mov edx, dword ptr [eax]
:00422436 FFD6                    call esi

* Reference To: MSVBVM50.rtcGetErl, Ord:025Dh
:00422438 FF1538844500            Call dword ptr [00458438]
:0042243E BF03000000              mov edi, 00000003
:00422443 8D542410                lea edx, dword ptr [esp+10]
:00422447 B960304500              mov ecx, 00453060
:0042244C 89442418                mov dword ptr [esp+18], eax
:00422450 897C2410                mov dword ptr [esp+10], edi

* Reference To: MSVBVM50.__vbaVarMove, Ord:0000h
:00422454 FF15E4824500            Call dword ptr [004582E4]
:0042245A A1B4304500              mov eax, dword ptr [004530B4]
:0042245F 85C0                    test eax, eax
:00422461 7510                    jne 00422473   <- If overflow error then jump
:00422463 68B4304500              push 004530B4
:00422468 685C634000              push 0040635C

* Reference To: MSVBVM50.__vbaNew2, Ord:0000h
:0042246D FF15A4844500            Call dword ptr [004584A4]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00422473 83EC10                  sub esp, 00000010
:00422476 B90A000000              mov ecx, 0000000A
:0042247B 8BEC                    mov ebp, esp
:0042247D B804000280              mov eax, 80020004
:00422482 83EC10                  sub esp, 00000010
:00422485 8B35B4304500            mov esi, dword ptr [004530B4]
:0042248B 894D00                  mov dword ptr [ebp+00], ecx
:0042248E 8B4C2434                mov ecx, dword ptr [esp+34]
:00422492 BA01000000              mov edx, 00000001
:00422497 897C2430                mov dword ptr [esp+30], edi
:0042249B 894D04                  mov dword ptr [ebp+04], ecx
:0042249E 8BCC                    mov ecx, esp
:004224A0 89542438                mov dword ptr [esp+38], edx
:004224A4 8B1E                    mov ebx, dword ptr [esi]
:004224A6 894508                  mov dword ptr [ebp+08], eax
:004224A9 8B44243C                mov eax, dword ptr [esp+3C]
:004224AD 56                      push esi
:004224AE 89450C                  mov dword ptr [ebp+0C], eax
:004224B1 8B442438                mov eax, dword ptr [esp+38]
:004224B5 8939                    mov dword ptr [ecx], edi
:004224B7 894104                  mov dword ptr [ecx+04], eax
:004224BA 895108                  mov dword ptr [ecx+08], edx
:004224BD 8B542440                mov edx, dword ptr [esp+40]
:004224C1 89510C                  mov dword ptr [ecx+0C], edx
:004224C4 FF93B0020000            call dword ptr [ebx+000002B0]
:004224CA 85C0                    test eax, eax
:004224CC 7D12                    jge 004224E0 <- Here you land after window is drawn
:004224CE 68B0020000              push 000002B0
:004224D3 6814E94000              push 0040E914
:004224D8 56                      push esi
:004224D9 50                      push eax

If we want to take out the error message we'll have to take out the whole call. How? 
By setting a "RET" at the start of the call.
:004223E0 83EC10                  sub esp, 00000010
:004223E0 C3                      ret
:004223E1 90			  nop
:004223E2 90                      nop

This way our program is cracked :) Thx to a stupid bug in the prog. Now you probably wonder
HOW this could be possible? Well, after executing the error call, the program jumps to the 
"make-registered" part of the code instead of the "remain-unregistered" part ;)
IV. In the end
Thx goto Nitrus (for helping me out with some c++ source concerning this program).
Greets to all guyz who ever helped me out!


Essay written by The Blackbird © 1999-2000
This essay can be freely distributed/ published/ printed etc... as long as no modifications are made.