An interesting tool: Numega Smartcheck 5.0
Echoing a silly "install" and trial protection scheme
(27 October 1997, slightly edited by fravia+)
Courtesy of fravia's page of reverse engineering
Well... this happens ofter and ofter nowadays: I was preparing my
"An interesting tool: Numega's Smartcheck 5.0" essay... and Snatch has "snatched"
it before me.
Well, the minimum that Snatch can do after having spoiled my "in fieri" essay :-) is to allow me a somehow long introduction to
his essay: here it is.
Smartcheck is an interesting tool indeed... yet you must be careful
and set it up corrrectly:
program/settings: Default: detect and report everything
program/settings/advanced: check everything, don't suppress anything
and don't forget to "check program compliance" before
delving in... as soon as you use it you'll easily understand that this program is a very important
addition to our tools arsenal.
In fact the real funny question is: "Why does Numega use such stupid protections?".
Mind you, we are not speaking of a small shareware programmer that is using
some overbloated language for some overbloated useless application: we are speaking
of the BEST programmers and wizards of assembly in the whole planet here!
The fact that Numega (which, differently
Micro$oft lamers' park, HAS INDEED A LOT of said good programmers and
wizards) publishes powerful disassembly and reversing tools (Bondcheck,
Smartcheck, Softice...) in
downlodable "trial" version with
pretty silly protections (as if the kind of people that REALLY USE such tools
were not capable of earing a password echo in memory) can IMO only mean
A) EITHER Numega follows the Micro$oft path of giving away everything
for free, in the hope that they will dominate the disassembler
markt and get the rewards from "scale" economy.
This may happen: it is clear that the crackers and "simple" programmers
i.e. a great part of the people that peruse the many available sites like mine, ARE the reverse
engineers of to-morrow (who else?), and will be able to afford *any*
"commercial" fare that Numega will in the future decide for, say,
Smartcheck version 13.0.
B) OR that Numega will bring to light a very tough protections (the mytical
"unbreakable" software protection :-) as soon as their absolute dominance
of the market has been asserted. Let's hope they do it soon: the "protections"
(if you really want to call them so) that they
are using at the moment are simply too boring to bother
And here is the short essay by Snatch, sorry for the long introduction
Cracking Numega Smartcheck 5.0
I was recently tipped off that Numega's Smartcheck could
reverse visual basic files so I downloaded the demo from
ftp://ftp.ultranet.com/pub0/n/numega/files/smchk50.exe (about 7.19 megs)
The first thing I noticed when I ran the setup file was a
password to start the setup program.
So I went into Softice ver 3.21(very nice indeed), and set a bpx
getwindowtext. Then type in a dummy password and click OK.
After stepping through the routine(F10), you find that there is:
CALL USER!GETWINDOWTEXT >> Get what you typed
LEA AX,[BP-32] >> Load AX with address of what you typed
PUSH SS >> Segment of what you typed
PUSH AX >> Offset of what you typed
PUSH DS >> Segment of real password
PUSH 06BA >> Offset of real password
CALL USER!LSTRCMP >>Comparison of strings at ss:ax and ds:09d6
Next you do a dump of 06ba:
d ds:06ba l 64
You should see the password, &Smc50-14d% there in front of your eyes.
Type bd * to disable your breakpoints, ctl-d to run and get an error,
and then run the setup again and type the right password to bypass
that silly message.
Now we are one-fourth of the way done! It was that easy!
After going through a few screens, you will see your name, company plus
a serial number! I tried to crack the serial number but gave up.
Don't worry, we can still crack this later on, and much easier and
quicker. So simply install it. And run it :-)
Now load a program (must be 32-bit which is why this program won't
help me too much with vb programs). Now try program and start.
Uh-Oh! Name of thr trial user, blue "trial meter" and registration
Phew!, there is a purchase button. Let's click it. Here it is,
unlock code and all. Nice, lets go back to the debugger.
be * for our breakpoints to be re-enabled.
Now enter your name and company and a dummy password.
BOOM! your in the debugger. Now step and step and step and step
until you get to a patch of code that looks like this:
LEA EAX,[EBP-14] >> Your password
LEA ECX,[EBP-28] >> The correct password
PUSH EAX >> Your password
PUSH ECX >> The correct password
Here you have it! Type a d ecx l 64, and the first 16 bytes are
the right code.
Numega is using a hashing of your name and password and reg number
to get the code so for everyone the code will be different.
Now back to reality, write down those 16 numbers and disable
Keep your name and company the same, enter the password in and you
are a *registered* user of numega smartcheck 5.0, with your own user
name and password!
**Note, you could have probably reversed this protection scheme,
also, individuating both passwords I have described by editing the
memory and changing the jumps to noop's but I "trust more" the real
and correct password!
(c) Snatch, 1997. All rights reversed.
You are deep inside fravia's page of reverse
engineering, choose your way out:
Back to project 7 (stupid protections)
Back to project 2 (Numega's own)
+ORC students' essays tools
antismut search_forms mail_fravia
is reverse engineering legal?