Beating M$ with his own tools
Most stupid protection
For protectors: you SHOULD NEVER, NEVER, NEVER write inside a module something like:
If LicCheck = 0 Then 'are the licence details already stored somewhere on the computer?
The fact that you can use Access's debug functions to crack - and even to produce a key generator! - is something that shareware authors should take note of...
"Have you ever found a program which resists any attack by WinIce and where no Decompiler exists? Even no other tool works?" says Pepper in his essay. Yes, I have found a program which can't be attacked with SoftICE (at least by me). Our target is only one .mdb file. It is executed by the Access runtime. The usual breakpoints don't help you much. I couldn't find any valuable information after one week. In this essay I will completely strip the M$ protection scheme naked and code a keygen for this program. Sorry for my bad English; I think you speak Turkish badly too :)
The program is really big: 18 MB. It is a nightmare for dialup users like me. The program is not important at all. The main goal is understanding the protection of mdb files. This program is a database program for companies. It is useful for big companies to track meetings, events etc. The program needs a serial to unlock some of its features. The main protection is in sp2000.mdb.
If this program is an Access database, let's try to open it with Access 97. If you have read Pepper's essay you know that the calculation is done by modules. I tried to open all the modules and looked at what is going on. I have opened all modules but Gfstartup and Mieutilities. When you try to open these modules, Access says "You dont have access to ....". Let's try to open these modules. I set a bpx on MessageBeep like Pepper but couldn't find the way. (If you find it, please let me know.)
Before reinventing the wheel, I decided to search well. After a good search I found GetAccess 98. Here is what GetAccess claims in its helpfile: "GetAccess'98 unsets Access database file password&User level Security. It also reveals the database password if available." GetAccess is written in VB; I hope finding a serial is not a big deal. Open the database and choose "Remove Security Permissions Also". Wait, wait, wait: it is a very long process. Let's try to open the Mieutilities module. Yeah, it worked. Let's analyze what is in this module.
    Public Function LicCheck()
        On Error GoTo LCErrorBit
        Dim dbs As Database, rst As Recordset
        Set dbs = CurrentDb
        Set rst = dbs.OpenRecordset("Software Details")
        rst.MoveFirst
        ProdCode = rst("ProductCode")
        ExtLName = rst("LicenceeName")
        LicName = Left(ExtLName, Len(ExtLName) - 1) & ProdCode   ' prodcode is SP2000 in the table
        LicNum = rst("LicenceNumber")
        If IsNull(LicName) Or LicName = "" Or IsNull(LicNum) Or LicNum = 0 Then
            LicCheck = 0
            GoTo LCExitPoint
        End If
        L1Len = Len(LicName)
        DC = 0
        For J = 1 To L1Len
            DC = DC + (Asc(Mid(LicName, J, 1)) * (L1Len + 1 - J + 3))
        Next J
        DC = DC * Int((L1Len + 14.3) / 2)
        If Int(DC) + 71077345 = Int(UnGNum(LicNum)) Then LicCheck = 1 Else LicCheck = 0
    LCExitPoint:
        If LicCheck = 0 Then 'are the licence details already stored somewhere on the computer   (ehehe, the programmer's comment)
        On Error GoTo CantReadF1
        SystemDirectory = GetSysDir()
        FileNumber = FreeFile
        Open SystemDirectory & "\config.sli" For Input As #FileNumber
        Input #FileNumber, WLicName, LicNum
        Close #FileNumber
        SetAttr SystemDirectory & "\config.sli", vbHidden + vbSystem
        GoTo FoundStoredDetails
    CantReadF1:
        Resume NothingValidStored
    FoundStoredDetails:
        On Error GoTo LCErrorBit
        If IsNull(LicName) Or LicName = "" Or IsNull(LicNum) Or LicNum = 0 Then
            LicCheck = 0
            GoTo NothingValidStored
        End If
        LicNum = CLng(LicNum)
        LicName = Left(WLicName, Len(WLicName) - 1) & "SP2000"
        L1Len = Len(LicName)
        DC = 0
        For J = 1 To L1Len
            DC = DC + (Asc(Mid(LicName, J, 1)) * (L1Len + 1 - J + 3))
        Next J
        DC = DC * Int((L1Len + 14.3) / 2)
        If Int(DC) + 71077345 = Int(UnGNum(LicNum)) Then LicCheck = 1 Else LicCheck = 0
        If LicCheck = 0 Then GoTo NothingValidStored
        If LicCheck = 1 Then
            rst.Edit
            rst("LicenceeName") = WLicName
            rst("LicenceNumber") = LicNum
            rst.Update
            rst.Close
            Exit Function

It opens the Software Details table and takes the Product Code, Licence Name and Licence Number. It computes the real serial number and compares it. What is this UnGNum function?
    Public Function GNum(SN)
        On Error Resume Next
        SNStr = CStr(SN)
        N1Str = Left(SNStr, 2)
        N2Str = Left(SNStr, 1)
        N1 = CInt(N1Str) + 17
        N2 = CInt(N2Str) + 6
        N1 = N1 * N2
        GNum = SN + N1
    End Function

    Public Function UnGNum(SN)
        On Error Resume Next
        SNStr = CStr(SN)
        N1Str = Left(SNStr, 2)
        N2Str = Left(SNStr, 1)
        N1 = CInt(N1Str) + 17
        N2 = CInt(N2Str) + 6
        N1 = N1 * N2
        UnGNum = SN - N1
    End Function

This info is enough to code a keygen. If you have ever used Access 97 you know that it has a debug menu. You can surf through the code like in SoftICE. Open the Software Details table and fill in the name and license number. Run it step by step. When you are at If Int(DC) + 71077345 ... note Int(DC), open the debug menu and type gnum(int(dc)+71077345). This is your serial. You may ask why I didn't change this License check=0 stuff. I have tried, but it crashes the program; maybe it is because of the startupgf module. Access uses the Visual Basic language. You can easily code a keygen by just copy and paste. However, the program looks for the config.sli file in the system directory, so you can make a key file also. The key file format is like this: "Name","Serial", i.e. "LaptoniC","12345678"
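For protectors: a check like LicCheck ships everything needed to compute a valid number, whereas a licence that is a signature over the name can be verified with public values only. The following is an added example, not part of the original essay or of the target program: a textbook RSA check in Python with a constructed, deliberately tiny demo key and no padding (a real product would use a vetted library signature such as Ed25519 or RSA-PSS). All function names and the name "Example User" are assumptions made for this illustration.

```python
import hashlib

def make_demo_keypair():
    """Constructed demo key from two known Mersenne primes (far too small for real use)."""
    p, q = 2**127 - 1, 2**89 - 1
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent, stays with the vendor
    return n, e, d

def _digest(name, product, n):
    # Bind the licence to both the product code and the licensee name.
    msg = f"{product}\x00{name}".encode("utf-8")
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def issue_licence(name, product, n, d):
    """Vendor side: only someone holding d can produce this value."""
    return pow(_digest(name, product, n), d, n)

def verify_licence(name, product, licence, n, e):
    """Client side: uses only n and e, so reading this code yields no way to issue."""
    if not isinstance(licence, int) or not (0 <= licence < n):
        return False
    return pow(licence, e, n) == _digest(name, product, n)

if __name__ == "__main__":
    n, e, d = make_demo_keypair()
    lic = issue_licence("Example User", "SP2000", n, d)
    print("valid licence accepted:", verify_licence("Example User", "SP2000", lic, n, e))
    print("other name rejected:   ", not verify_licence("Other User", "SP2000", lic, n, e))
```

Only n and e would be embedded in the shipped database; the check can still be patched out by anyone who can edit the module, but it can no longer be turned into a number generator.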
Sorry for my bad English and writing skill. I am a total newbie but trying to learn. I hope this essay helped you. As you see, M$ protection is worse than no protection. I end my essay with a little poem.
Hey cousin Billy
Hey cousin Billy
Is there anything
That you can do for me