| Description | Plastic Animation (judging by the quality of this protection HP should stick to manufacturing hardware). |
| Protection Type | Dongle (supplied by HP). |
| Size | < 900k installed. |
| Target Name | Plastic Animation Paper pre 1. |
Perhaps I should have sensed the quality of this program's protection by the name of the main file (pap.exe); let's run it and see what happens. A "Fatal Error" is the result (a rather nice way to inform you that there isn't a dongle connected). bpx for MessageBoxA, look at the code and forget it :-
014F:00408301 CALL 00401770 <-- CALL_fantastic_dongle_routine.
014F:00408306 TEST EAX,EAX
014F:00408308 JNZ 00408328 <-- Guess what needs to happen here.
014F:0040830A PUSH 00052010
014F:0040830F PUSH 00432AC0 <-- "Fatal Error".
014F:00408314 PUSH 00432AAC <-- "Unexpected error".
014F:00408319 PUSH EAX
014F:0040831A CALL [USER32!MessageBoxA]
I wouldn't insult your intelligence by explaining how to crack this, yet let's look at the magnificent CALL (which defies even further belief).
014F:00401774 PUSH 00 <-- Position to read.
014F:00401776 MOV DWORD PTR , 378 <-- Port address.
014F:00401780 CALL 00401980
014F:00401785 CMP EAX,74 <-- 't'.
014F:00401788 JNZ 004017F4
014F:0040178A PUSH 01
014F:0040178C MOV ECX,ESI
014F:0040178E CALL 00401980
014F:00401793 CMP EAX,61 <-- 'a'.
014F:00401796 JNZ 004017F4
014F:00401798 PUSH 02
014F:0040179A MOV ECX,ESI
014F:0040179C CALL 00401980
014F:004017A1 CMP EAX,75 <-- 'u'.
014F:004017A4 JNZ 004017F4
014F:004017A6 PUSH 03
014F:004017A8 MOV ECX,ESI
014F:004017AA CALL 00401980
014F:004017AF CMP EAX,6E <-- 'n'.
014F:004017B2 JNZ 004017F4
014F:004017B4 PUSH 04
014F:004017B6 MOV ECX,ESI
014F:004017B8 CALL 00401980
014F:004017BD CMP EAX,75 <-- 'u'.
014F:004017C0 JNZ 004017F4
014F:004017C2 PUSH 05
014F:004017C4 MOV ECX,ESI
014F:004017C6 CALL 00401980
014F:004017CB CMP EAX,73 <-- 's'
014F:004017CE JNZ 004017F4
014F:004017D0 PUSH 06
014F:004017D2 MOV ECX,ESI
014F:004017D4 CALL 00401980
014F:004017D9 CMP EAX,44 <-- 'D'.
014F:004017DC JNZ 004017F4
014F:004017DE PUSH 07
014F:004017E0 MOV ECX,ESI
014F:004017E2 CALL 00401980
014F:004017E7 CMP EAX,4B <-- 'K'
014F:004017EA JNZ 004017F4
014F:004017EC MOV EAX,00000001 <-- Guess who gets here.
TaunusDK indeed. I haven't a clue what it means, nor do I really care :-). As this CALL is referenced in 2 places it makes sense to patch at this level. Notice that failure with this block will not immediately boot us out with EAX=0 but will instead switch to checking other parallel port addresses (this accounts for the 32 instances of CALL 00401980). Tracing lower (we could have seen this from the imported functions), the real dll doing the work is ppppapi.dll from Hewlett Packard, specifically Poke8() below CALL 004016D0 & Peek8() beneath CALL 00401640; you do of course remember your days of poke and peek :-).
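For anyone designing a hardware-token check, the sketch below is an added example (not code from the target or from HP) that models the routine in the listing beside a challenge-response alternative, to show why a fixed eight-byte answer gives no assurance. All class and function names are hypothetical, the ports other than 0x378 are assumed, and the HMAC scheme is a substitute design, not something the page describes.

```python
import hashlib
import hmac
import secrets

EXPECTED = b"taunusDK"          # the eight constants the listing compares against
PORTS = (0x378, 0x278, 0x3BC)   # 0x378 is from the listing; the others are assumed

def static_check(peek, ports=PORTS):
    # Model of the routine: read positions 0..7 at each port, compare to constants.
    for port in ports:
        if all(peek(port, pos) == EXPECTED[pos] for pos in range(len(EXPECTED))):
            return 1            # the EAX = 1 path
    return 0                    # every port failed, EAX = 0

class StaticToken:
    # Constructed device model: returns fixed bytes at one port, 0xFF elsewhere.
    def __init__(self, port, data):
        self.port, self.data = port, data

    def peek(self, port, pos):
        return self.data[pos] if port == self.port else 0xFF

class KeyedToken:
    # Constructed device model: keeps a key and MACs a nonce chosen by the host.
    def __init__(self, key):
        self._key = key

    def respond(self, nonce):
        return hmac.new(self._key, nonce, hashlib.sha256).digest()

def challenge_check(respond, key):
    # A fresh nonce per run means a previously observed answer no longer verifies.
    nonce = secrets.token_bytes(16)
    expected = hmac.new(key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(respond(nonce), expected)

def demo():
    genuine = StaticToken(0x278, b"taunusDK")      # found on the second port tried
    lookalike = StaticToken(0x378, EXPECTED)       # same constants, different device
    key = secrets.token_bytes(32)
    token = KeyedToken(key)
    recorded = token.respond(b"\x00" * 16)         # one answer captured earlier
    return {
        "static_genuine": static_check(genuine.peek),
        "static_lookalike": static_check(lookalike.peek),   # indistinguishable
        "cr_genuine": challenge_check(token.respond, key),
        "cr_replay": challenge_check(lambda nonce: recorded, key),
    }
```

Holding the HMAC key on the host is a simplification of this sketch. A check of either kind that ends in a single boolean still leaves one branch deciding the outcome, as the listing at 00408308 shows.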