[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
WARNING: softSENTRY is a SCAM
Windows developers, DO NOT purchase 20/20 Software's outrageously priced
($695) softSENTRY utility. The package IS A SCAM. Before reading the below
document I found on the Web, understand that DLL- and component-based copy
protection systems are inherently easy to crack. (softSENTRY incorporates a
DLL-based protection as one of its options, in addition to direct .exe
"protection".) Also understand that utilities such as Shrinker and WWPack are
only useful for compression, NOT protection from reverse engineering.
EXE-compressors are notorious for being easy to crack.
Do you want me to convince you?
http://209.44.62.170/pir8/files/ak.html provides cracks for Vbox, SalesAgent,
softSENTRY, TimeLock, and many other copy protection schemes. (Yes, the much
overbloated Vbox is now WORTHLESS as a copy protection system.)
For cracks of just about any EXE-compressor/encryptor you can think of
(including WWPack32, Protect!, and Shrinker), visit
http://www.nettaxi.com/citizens/caligo/main.htm.
Yes, you can also forget about using Shrinker or WWPack to protect your app's
code. They are both absolutely WORTHLESS in that respect as well. Cracks for
them are now everywhere on the Web.
-----------------------
e-mail: [email protected]
-----------------------
Hello out there. I am somewhat of a newbie at cracking (with some knowledge
of assembly) but thought I'd try my luck at a commercial protection scheme
for one of my first cracks.
I will show you how to crack an extremely stupid, ready-made protection
scheme, softSENTRY 2.07 from 20/20 Software. Download the trial version
(itself extremely easy to crack) from http://www.twenty.com/pgs/dlidx.html.
This software allows zombie programmers (who, IMHO, do not deserve to be
called programmers if they have fallen for this disgustingly bogus
protection) to "automatically" convert their FULL programs to "protected"
trial versions. Sounds like a snake oil vendor, right? It is precisely that:
bogus commercialism at its very best. (This crappy, $695 piece of junk really
is worth only ten bucks. I have encountered far better utilities priced five
times less.)
Okay, what tools do we need to crack softSENTRY?
- Numega's Soft-Ice
- a good hex-editor
I will not show you how to crack the demo of softSENTRY, because the process
is boringly easy to do. (Do it youself! Tip: Delete c:\windows\system\ss.drv
and the "magic key" located at HKEY_CLASSES_ROOT\{XXXXXXXXXX} to restore the
trial period.) I shall, however, show how to murder its weak protection
scheme! (By the way, the fact that softSENTRY's own protection is so weak
indicates a lot about the quality of the product itself!!)
Prepare a test target by protecting some small program like Notepad in order
to disassemble the process and watch how softSENTRY "works". For disassembly,
we will utilize SoftIce because W32Dasm89 seemed to crash when I attempted to
load the target. The protected file and the original file have different
sizes. "Clever", you would have thought, as I did, "Maybe there's some
encryption and variable random protection scheme inside the target." Well,
you're in for quite a surprise. Now hold your breath; THIS IS THE ENTRY POINT
FOR ALL PROTECTED FILES:
:004B066F CC int 03
:004B0670 55 push ebp
:004B0671 8BEC mov ebp,esp
:004B0673 83EC48 sub esp,00000048
:004B0676 53 push ebx
:004B0677 56 push esi
:004B0678 57 push edi
:004B0679 E950000000 jmp 004B06CE ; This is a very strange jump,
wouldn't you say?
:004B067E 0000 add [eax],al
:004B0680 7006 jo 004B0688
All protected files possess the same pattern, with the exact same JMP (coded
as E950000000)! This is very fortunate for us; it means that searching any
"protected" file for the pattern { 55 8B EC 83 EC 48 53 56 57 E9 50 00 00 00
} will give us the entry point of the program and indicate to us that the
program has been "protected" with softSENTRY! (Has your jaw hit the floor
yet?) Yes, softSENTRY is very silly. The very insolent JMP 004B06CE points
the EIP to the actual protection routine. The routine then jumps depending on
the "protection" scheme the programmer specified for use: time limit, splash,
etc. Read carefully:
00093C82: 8B4508 mov eax,[ebp][00008] ;
00093C85: 50 push eax ;
00093C86: 68A0324B00 push 004B32A0 ;
00093C8B: FF156C744B00 call [0004B746C] ;
00093C91: E88A000000 call 001279B1 ;THIS CALL LOADS THE RESOURCES
OF THE MAIN PROGRAM!
00093C96: E825000000 call 00127956 ;THIS CALL WILL RUN THE MAIN
PROGRAM!
00093C9B: 8B45B8 mov eax,[ebp][0FFB8] ;
;
00093C9E: 50 push eax ;
00093C9F: FF15E4734B00 call [0004B73E4] ;
(If the protection fails, you will land at 00093C9B.)
The two calls at 00093C91 and 00093C96 load the FULL program completely free
of all nag, splash, time-limit, etc. functions that have been chosen.
If you compare the above source with any other "protected" program, you will
see that both calls are ALWAYS coded as:
E8 8A 00 00 00 E8 25 00 00 00
1st Call 2nd Call
Now we can write a general crack for this amazingly retarded protection
scheme. Simply replace the first jump (coded as E950000000) with the code of
the two calls, which, again, is always E88A000000 E825000000.
1) Search for: { 55 8B EC 83 EC 48 53 56 57 E9 50 00 00 00 }
^^^^^^^^^^^^^^ (This is the jump.)
2) Replace it with E8A2040000 E83D040000.
Note that the two calls have been recalculated accordingly but remain the
same. (Track them with your debugger!)
So, cracking a softSENTRY-"protected" application is only a matter of
switching a few bytes. I certainly wouldn't pay $695 for some silly
"protection" that took me only 10 minutes to crack!
-----== Posted via Deja News, The Leader in Internet Discussion ==-----
http://www.dejanews.com/rg_mkgrp.xp Create Your Own Free Member Forum