Blue Marble Geographics Calculator v4.0 - Tutorial - (calc400.exe - 4.7Mb).

Welcome to another tutorial which I hope will encourage software authors to be a little more creative when writing their protections. The Blue Marble range of products is very specialist and fairly expensive, so I doubt whether publishing this tutorial will damage the programmer's sales significantly. Let's start the program and take a look. You'll find that a large message box appears with an individual installation code; you are given the choice of registering or continuing in evaluation mode.

Now we could try reversing the serial number routine and locating the real serial number, but that might prove quite a laborious task (and just reversing the obvious deciding jump won't work). I did briefly examine the scheme, tracing as far as the check that the entered code was 12 characters in length. Realising then that I was in the middle of the protection, I noted that I was actually inside a DLL, bmauth32.dll.

So let's disassemble geocalc.exe and take a look through the imported functions list. One cannot begin to imagine what the programmer was thinking when he named a function Auth_Check. Now let's see what differences there might be between the evaluation version and a fully enabled version by continuing our evaluation. You'll note the title bar reads "The Geographic Calculator - Evaluation".

So back to our disassembly; let's see what our mysterious Auth_Check function does. Take a good look at this code reference and wonder why they didn't just give the software away:

:00466B8D CALL 004552D0 <-- CALL bmauth32.Auth_Check
:00466B92 CMP AL,01 <-- A_flag_quite_possibly.
:00466B94 JNZ 00466B9F <-- Jump to "The Geographic Calculator - Evaluation".
:00466B96 MOV BYTE PTR [EBX+00000BC4],01 <-- Good_guy_flag.
:00466B9D JMP 00466BB5 <-- Continue_nice_buyer.

Well, I would be insulting your intelligence if I explained this, but let's verify our theory by loading the bmauth32.dll exports into SoftICE using the Symbol Loader (loader32.exe). Select Open Module and navigate to our DLL (installed in the system directory), then Load Exports. This enables us to set a breakpoint on the function Auth_Check, which is exported from bmauth32.dll:

>bpx Auth_Check

When you return to the caller you'll see that AL is 0 (the CMP AL,01 therefore clears the zero flag and the JNZ is taken). A live SoftICE patch, toggling the zero flag with >r fl z, is enough to start the fully enabled working copy of this program. I'll leave you to make whatever permanent patch you see fit; I'd settle for replacing the JNZ 00466B9F as below, although 2 NOPs would also work.

3C 01 75 09 C6 83 C4 0B <-- Original JNZ 00466B9F.
3C 01 40 48 C6 83 C4 0B <-- Patched to INC EAX, DEC EAX (net effect nil).
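As an added example (not part of the original tutorial), here is a small Python patcher that applies the byte change above. It locates the instruction sequence by signature rather than by a hard-coded file offset, because the file offset of VA 00466B94 depends on the section layout of the executable, and it refuses to patch unless the signature occurs exactly once. The sample buffer is constructed for the example; the helper names and the optional "nop" variant are my own, not anything from the program or the original page.

```python
"""
Added example: signature-based patcher for the Auth_Check JNZ.
Searches a copy of the target file for the unique byte pattern shown in the
tutorial and replaces the JNZ with INC EAX / DEC EAX (or two NOPs).
"""
import sys

# Bytes from the tutorial's listing:
#   3C 01        CMP AL,01
#   75 09        JNZ +9   (skips the 7-byte MOV and the 2-byte JMP)
#   C6 83 C4 0B  start of MOV BYTE PTR [EBX+00000BC4],01
SIGNATURE = bytes.fromhex("3C 01 75 09 C6 83 C4 0B")
JNZ_OFFSET = 2  # position of the 75 09 within the signature

PATCHES = {
    "incdec": bytes.fromhex("40 48"),  # INC EAX ; DEC EAX (net effect nil)
    "nop":    bytes.fromhex("90 90"),  # NOP ; NOP (the other option mentioned)
}

# Constructed sample: padding, the full CMP/JNZ/MOV/JMP sequence, padding.
# JMP 00466BB5 from 00466B9D is EB 16 (0x466B9D + 2 + 0x16 = 0x466BB5).
SAMPLE = (b"\x00" * 16
          + bytes.fromhex("3C 01 75 09 C6 83 C4 0B 00 00 01 EB 16")
          + b"\xCC" * 8)


def find_signature(data: bytes) -> int:
    """Return the offset of the signature; raise if it is absent or not unique."""
    first = data.find(SIGNATURE)
    if first == -1:
        raise ValueError("signature not found: wrong file or version?")
    if data.find(SIGNATURE, first + 1) != -1:
        raise ValueError("signature is not unique; refusing to guess")
    return first


def jnz_target(data: bytes, jnz_off: int) -> int:
    """Decode the target (as an offset into data) of a short JNZ (75 rel8)."""
    if data[jnz_off] != 0x75:
        raise ValueError("no short JNZ at offset %#x" % jnz_off)
    disp = data[jnz_off + 1]
    if disp > 127:          # rel8 is signed
        disp -= 256
    return jnz_off + 2 + disp


def patch(data: bytes, style: str = "incdec") -> bytes:
    """Return a copy of data with the JNZ replaced by the chosen 2-byte patch."""
    sig_off = find_signature(data)
    jnz_off = sig_off + JNZ_OFFSET
    # Sanity check: the jump must land just past the MOV (7 bytes) + JMP (2 bytes).
    if jnz_target(data, jnz_off) != jnz_off + 2 + 9:
        raise ValueError("unexpected JNZ displacement")
    out = bytearray(data)
    out[jnz_off:jnz_off + 2] = PATCHES[style]
    return bytes(out)


def patch_file(src: str, dst: str, style: str = "incdec") -> int:
    """Patch src into dst (never in place); return the file offset of the JNZ."""
    with open(src, "rb") as f:
        data = f.read()
    patched = patch(data, style)
    with open(dst, "wb") as f:
        f.write(patched)
    return find_signature(data) + JNZ_OFFSET


if __name__ == "__main__":
    # usage: patcher.py <original.exe> <patched.exe> [incdec|nop]
    if len(sys.argv) < 3:
        sys.exit("usage: patcher.py <original> <patched> [incdec|nop]")
    off = patch_file(sys.argv[1], sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else "incdec")
    print("patched JNZ at file offset %#x" % off)
```

Always work on a copy and keep the original; if the signature is not found, the file is probably a different version or the pattern has been relocated, and a different signature will be needed.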

Well, remember that when a program uses its own DLL for a protection it is usually incredibly easy to break. Familiarise yourself with the DLLs in your system directory, and maybe make a short list of what each does; most will be system components, but you may find others that look suspicious. As always, please buy this software legitimately if you have a use for it.


© 1998 CrackZ. 10th June 1998.