Artpaint 1.3 GoW reversing using IDA by George of Winter
--------------------------------------------------------

A small foray into BeOS software protection
-------------------------------------------

I am not an assembly & ELF format guru. I was just annoyed by some message boxes when I started to use the BeOS (tm). All my primary experience came from the Windows (tm) world. As I don't want to spoil anyone, especially the BeOS community, I will not supply ready-made patches (which would suck anyway). Because of this, offsets are missing... if you want to use this, work on it. Here we go; this is the way I proceeded and probably not the best one. Go to the HCU Linux page if you want to poke at ELF executables.

Tools used
----------

IDA (oops, this is not running natively under BeOS ;-) ). Well, it is an interesting tool indeed; go to www.datarescue.com or www.searchlores.org, it's just a matter of approach ;-). 3.8 works well and I suppose the 3.7x series does the same. You can also use Mammon's (www.eccentrica.org/Mammon) configuration files if you don't want to bother with config file tweaking like me and just want to go for it at once (Mammon, if you are reading this, I like the color scheme you used).

Any hex editor which lets you search by offset.

1 - Artpaint
------------

Uh, there are no paint tools natively under BeOS. I wanted to do some quick drawing, and Artpaint came out first. At launch: a message box saying this is shareware, etc. It is also stated somewhere in the doc that, if you buy, you get a keyfile which registers the application.

Hints: key, registration

View Names in IDA: search for the "reg" string and hit Ctrl-T until something interesting pops up. Interesting functions, part of a bigger scheme:

RegistrationWindow::RegistrationWindow
RegistrationWindow::showWindow
AuthorizationControl::ShowRegistrationInfo

Just two lines above, more interesting stuff:

AuthorizationControl::WriteKeyfile
AuthorizationControl::ReadKeyfile

What do you want to do?

Maths?
Go to the keyfile routine and try to figure out the algorithm.

Disable the nag? Lazy one, hey ;-) Follow me to the ReadKeyfile routine. Double-click on the function name in the IDA Names window... you'll jump to it in the main window:

00054840 ; S u b r o u t i n e
00054840 ; AuthorizationControl::ReadKeyfile(BFile &)
00054840 ; Attributes: bp-based frame
00054840 55                public ReadKeyfile__20AuthorizationControlR5BFile
00054840 ReadKeyfile__20AuthorizationControlR5BFile proc near
00054840                   ; CODE XREF: PaintApplication::+13Cp
00054840                   ; DATA XREF: 0010836Co
00054840 var_8C          = byte ptr -8Ch
00054840 var_7C          = dword ptr -7Ch
00054840 var_78          = dword ptr -78h
00054840 var_74          = dword ptr -74h
00054840 var_6C          = dword ptr -6Ch
00054840 var_68          = dword ptr -68h
00054840 var_64          = dword ptr -64h

As I implicitly stated before, we are not going to bother with the key; I just want to test the program without the nag. That nag should be called from the main program flow just after some check has been performed on an existing (or not existing) keyfile. Looking at the cross-references (on your right, buddy) you can see a link to the main flow:

CODE XREF: PaintApplication::+13Cp

Let's go and check what's going on there (in IDA, click on the XREF):

00044xxx 8B 87 10 01 00 00     mov     eax, [edi+110h]
00044xxx 50                    push    eax
00044xxx E8 2F FA 00 00        call    ReadKeyfile__20AuthorizationControlR5BFile ; AuthorizationControl::ReadKeyfile
00044xxx 83 C4 14              add     esp, 14h
00044xxx 85 C0                 test    eax, eax
00044xxx 75 09                 jnz     short loc_44E21
00044xxx C6 87 14 01 00 00+    mov     byte ptr [edi+114h], 1
00044xxx EB 16                 jmp     short loc_44E37
00044xxx
00044xxx loc_44E21:                              ; CODE XREF: PaintApplication::+146j
00044xxx 8D 83 36 F9 FC FF     lea     eax, [ebx-306CAh]

Some test with jump if non-zero (jnz), probably interesting, but again, we are not here to register the stuff. If we follow the logical path, the program should test the key we don't have and then call the nag screen, so let's scroll down a little bit. Sure....
00044xxx 75 0F                 jnz     short loc_44E7F
00044xxx 8B 87 10 01 00 00     mov     eax, [edi+110h]
00044xxx 50                    push    eax
00044xxx E8 D0 04 01 00        call    DisplaySplashScreen__20AuthorizationControl ; AuthorizationControl::DisplaySplashScreen
00044xxx 83 C4 04              add     esp, 4
00044xxx
00044xxx loc_44E7F:                              ; CODE XREF: PaintApplication::+19Ej
00044xxx 8B 87 18 01 00 00     mov     eax, [edi+118h]

"Nomen est omen", as some would say. Now that we have found our target, disabling the whole call is just a matter of (how awful) simple nopping (a nop stands for no-operation and is a way to tell the computer to do nothing; the hex value of nop is 90).

In IDA: Edit --> Patch program --> Change byte
Make your changes.
Then: File --> Produce output file --> Produce DIF file (handy for hex editing afterwards).

If you're still confused about nopping, here's a simple example (unrelated to the subject):

00044xxx 75 09                 jnz     short loc_44E21

3 columns:
  offset = 00044xxx
  hexadecimal form of the opcodes = 75 09
  disassembled instruction = jnz short loc_44E21

For some reason you want to get rid of the whole instruction: open the program with a hex editor, jump to the offset (00044xxx) and you should see 7509 right under your nose; just overwrite them with 9090 and save the program.

Conclusion
----------

Despite the fact that I used IDA, the general ideas remain the same, i.e. get info about the protection (keyfile, regcode, crippled, watermark) and then choose an approach (maths, simple disabling ("once you can eliminate the effect of a protection look no further", +ORC), flag tricks). There is a whole bunch of software under BeOS protected that way (easy to defeat), but it would be nice to focus on app modification, especially on NetPositive (HTTP referrer and cookies). If you check www.betips.net you can see that it is possible to change the USER-AGENT of NetPositive by changing an attribute... that's a good start.

To come (if I get time): Pe (functions disabled, keyfiles), Postmaster (time limits), Squeeze (time limits, nag).
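As an added example (not code from the article, from ArtPaint or from IDA), here is a small Python decoder for the instruction encodings that appear in the two listings above. It reproduces the three columns the article describes, resolves the call and short-jump targets the same way IDA names them (sub_XXXX and loc_XXXX, i.e. address of the next instruction plus the signed relative displacement), and then shows how an integrity check over the code bytes, of the kind a vendor's build or support tooling would run against the shipped build, notices the two-byte change the nopping paragraph talks about. The base address 0x1000, the byte stream and the call target 0x2000 are constructed for this example; the article's masked offsets (00044xxx) are deliberately not reconstructed.

```python
"""Added example, not code from the article or from ArtPaint: decode the
instruction encodings that appear in the listings above, resolve branch
targets the way IDA labels them, and show an integrity check over the
code bytes catching the two-byte change the nopping paragraph describes.

The base address 0x1000, the byte stream and the call target 0x2000 are
constructed for this example; the article's masked offsets (00044xxx)
are deliberately not reconstructed.
"""
import hashlib
import struct

BASE = 0x1000  # constructed load address of the snippet

# Constructed byte stream shaped like the ReadKeyfile call site above:
# call, test of the result, jnz over a one-byte flag store, jmp short.
CODE = bytes.fromhex(
    "8B 87 10 01 00 00 "     # 1000  mov  eax, [edi+110h]
    "50 "                    # 1006  push eax
    "E8 F4 0F 00 00 "        # 1007  call sub_2000  (rel32 = 0x2000 - 0x100C)
    "83 C4 14 "              # 100C  add  esp, 14h
    "85 C0 "                 # 100F  test eax, eax
    "75 09 "                 # 1011  jnz  short loc_101C
    "C6 87 14 01 00 00 01 "  # 1013  mov  byte ptr [edi+114h], 1
    "EB 16 "                 # 101A  jmp  short loc_1032
    "8D 83 36 F9 FC FF "     # 101C  lea  eax, [ebx-306CAh]
)


def _disp(reg, disp):
    """Render a signed displacement the way IDA does, e.g. [ebx-306CAh]."""
    return f"[{reg}{'-' if disp < 0 else '+'}{abs(disp):X}h]"


def decode(code, base=BASE):
    """Return (address, hex bytes, assembly text) triples: the three listing
    columns. Only the encodings used in the listings above are known."""
    out, pc = [], 0
    while pc < len(code):
        b, addr = code[pc], base + pc
        nxt = code[pc + 1] if pc + 1 < len(code) else None
        if b == 0x8B and nxt == 0x87:      # mov eax, [edi+disp32]
            disp = struct.unpack_from("<i", code, pc + 2)[0]
            size, text = 6, f"mov eax, {_disp('edi', disp)}"
        elif b == 0x8D and nxt == 0x83:    # lea eax, [ebx+disp32]
            disp = struct.unpack_from("<i", code, pc + 2)[0]
            size, text = 6, f"lea eax, {_disp('ebx', disp)}"
        elif b == 0x50:
            size, text = 1, "push eax"
        elif b == 0xE8:                    # call rel32: target = next insn + rel
            rel = struct.unpack_from("<i", code, pc + 1)[0]
            size, text = 5, f"call sub_{addr + 5 + rel:X}"
        elif b == 0x83 and nxt == 0xC4:    # add esp, imm8
            size, text = 3, f"add esp, {code[pc + 2]:X}h"
        elif b == 0x85 and nxt == 0xC0:
            size, text = 2, "test eax, eax"
        elif b in (0x75, 0xEB):            # jnz / jmp short rel8
            rel = struct.unpack_from("<b", code, pc + 1)[0]
            mnem = "jnz" if b == 0x75 else "jmp"
            size, text = 2, f"{mnem} short loc_{addr + 2 + rel:X}"
        elif b == 0xC6 and nxt == 0x87:    # mov byte ptr [edi+disp32], imm8
            disp = struct.unpack_from("<i", code, pc + 2)[0]
            size, text = 7, f"mov byte ptr {_disp('edi', disp)}, {code[pc + 6]}"
        elif b == 0x90:
            size, text = 1, "nop"
        else:
            raise ValueError(f"unhandled opcode {b:02X} at {addr:X}")
        out.append((addr, code[pc:pc + size].hex(" ").upper(), text))
        pc += size
    return out


def simulate_patch(code, offset, new_bytes):
    """Copy of `code` with `new_bytes` written at `offset`: what the
    hex-editor step in the article produces (used here only as test input)."""
    return code[:offset] + new_bytes + code[offset + len(new_bytes):]


def code_digest(code):
    """Digest recorded for the shipped build."""
    return hashlib.sha256(code).hexdigest()


def verify_code(code, expected_digest):
    """Does this code section still match the shipped build?"""
    return hashlib.sha256(code).hexdigest() == expected_digest


if __name__ == "__main__":
    shipped = code_digest(CODE)
    for addr, hx, asm in decode(CODE):
        print(f"{addr:08X} {hx:<22} {asm}")
    modified = simulate_patch(CODE, 0x11, b"\x90\x90")  # the jnz short at 1011
    print("unchanged build verifies:", verify_code(CODE, shipped))
    print("modified build verifies: ", verify_code(modified, shipped))
    for addr, hx, asm in decode(modified)[5:7]:
        print(f"{addr:08X} {hx:<22} {asm}")
```

Run it with python3: it prints the decoded listing, then the verdict of the hash check for the untouched and the modified byte streams, and finally the two nop lines that replaced the conditional jump, so the fall-through into the flag store is now unconditional. One caveat worth keeping in mind when reading such listings: the left-hand column holds the loaded virtual address, whereas a hex editor works on file offsets; IDA's DIF file lists the file offset of every changed byte, which is why the article suggests producing one.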