An interesting tool: Numega Smartcheck 5.0
Echoing a silly "install" and trial protection scheme
by Snatch
(27 October 1997, slightly edited by fravia+)
Courtesy of fravia's page of reverse engineering
Well... this happens more and more often nowadays: I was preparing my own
"An interesting tool: Numega's Smartcheck 5.0" essay... and Snatch has "snatched"
it before me.
Well, the minimum that Snatch can do after having spoiled my "in fieri" essay :-) is to allow me a somewhat long introduction to
his essay: here it is.
Smartcheck is an interesting tool indeed... yet you must be careful
and set it up correctly:
program/settings: Default: detect and report everything
program/settings/advanced: check everything, don't suppress anything
and don't forget to "check program compliance" before
delving in... as soon as you use it you'll easily understand that this program is a very important
addition to our tool arsenal.
In fact the really funny question is: "Why does Numega use such stupid protections?".
Mind you, we are not speaking of a small shareware programmer that is using
some overbloated language for some overbloated useless application: we are speaking
of the BEST programmers and wizards of assembly on the whole planet here!
The fact that Numega (which, differently from
Micro$oft lamers' park, HAS INDEED A LOT of said good programmers and
wizards) publishes powerful disassembly and reversing tools (Bondcheck,
Smartcheck, Softice...) in downloadable "trial" versions with
pretty silly protections (as if the kind of people that REALLY USE such tools
were not capable of hearing a password echo in memory) can IMO only mean
two things:
A) EITHER Numega follows the Micro$oft path of giving away everything
for free, in the hope that they will dominate the disassembler "commercial"
market and get the rewards from "scale" economy.
This may happen: it is clear that the crackers and "simple" programmers of today,
i.e. a great part of the people that peruse the many available sites like mine, ARE the reverse
engineers of tomorrow (who else?), and will be able to afford *any*
"commercial" fare that Numega will in the future decide for, say,
Smartcheck version 13.0.
B) OR that Numega will bring to light very tough protections (the mythical
"unbreakable" software protection :-) as soon as their absolute dominance
of the market has been asserted. Let's hope they do it soon: the "protections"
(if you really want to call them so) that they
are using at the moment are simply too boring to bother with.
And here is the short essay by Snatch; sorry for the long introduction.
Cracking Numega Smartcheck 5.0
by Snatch
I was recently tipped off that Numega's Smartcheck could
reverse Visual Basic files, so I downloaded the demo from
this site:
ftp://ftp.ultranet.com/pub0/n/numega/files/smchk50.exe (about 7.19 megs)
The first thing I noticed when I ran the setup file was a
password prompt to start the setup program.
So I went into Softice ver 3.21 (very nice indeed), and set a bpx on
getwindowtext. Then type in a dummy password and click OK.
After stepping through the routine (F10), you find that there is:
CALL USER!GETWINDOWTEXT >> Get what you typed
LEA AX,[BP-32] >> Load AX with address of what you typed
PUSH SS >> Segment of what you typed
PUSH AX >> Offset of what you typed
PUSH DS >> Segment of real password
PUSH 06BA >> Offset of real password
CALL USER!LSTRCMP >> Comparison of the strings at ss:ax and ds:06ba
Next you do a dump of 06ba:
d ds:06ba l 64
You should see the password, &Smc50-14d% there in front of your eyes.
Type bd * to disable your breakpoints, Ctrl-D to run and get an error,
then run the setup again and type the right password to bypass
that silly message.
Now we are one-fourth of the way done! It was that easy!
After going through a few screens, you will see your name, company plus
a serial number! I tried to crack the serial number but gave up.
Don't worry, we can still crack this later on, and much easier and
quicker. So simply install it. And run it :-)
Now load a program (it must be 32-bit, which is why this program won't
help me too much with VB programs). Now try Program and Start.
Uh-oh! Name of the trial user, a blue "trial meter" and a registration
number.
Phew! There is a purchase button. Let's click it. Here it is,
unlock code and all. Nice, let's go back to the debugger.
Type be * to re-enable our breakpoints.
Now enter your name and company and a dummy password.
BOOM! You're in the debugger. Now step and step and step and step
until you get to a patch of code that looks like this:
ADD ESP,04
LEA EAX,[EBP-14] >> Your password
LEA ECX,[EBP-28] >> The correct password
PUSH EAX >> Your password
PUSH ECX >> The correct password
CALL 10005680
Here you have it! Type d ecx l 64, and the first 16 bytes are
the right code.
Numega is using a hash of your name, password and reg number
to get the code, so for everyone the code will be different.
Now back to reality: write down those 16 characters, disable
your breakpoints with
bd *,
then Ctrl-D.
Keep your name and company the same, enter the password in and you
are a *registered* user of numega smartcheck 5.0, with your own user
name and password!
**Note: you could probably have reversed this protection scheme
also by locating both passwords I have described, editing the
memory and changing the jumps to NOPs, but I "trust more" the real
and correct password!
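To make the defensive lesson of the two listings concrete, here is an added illustration (not Numega's code and not from Snatch's essay): the install check keeps the expected password as a plaintext constant and hands it to lstrcmp, so the secret is resident in memory at the compare; the hardened form beside it ships only a salted, slow one-way digest and compares in constant time. The password value, the function names and the PBKDF2 parameters are constructed assumptions.

```python
import hashlib
import hmac
import os

# Pattern from the essay: the expected install password is a constant in the
# program's data (the listing pushes ds:06ba, then calls lstrcmp), so it is
# resident at the compare and a memory dump reveals it. Constructed value.
INSTALL_PASSWORD = "constructed-example-password"

def weak_install_check(typed: str) -> bool:
    # The plaintext secret has to be in memory to be compared against.
    return typed == INSTALL_PASSWORD

def weak_shipped_material() -> bytes:
    # What the weak installer embeds: the secret itself.
    return INSTALL_PASSWORD.encode("utf-8")

# Hardened form: ship only a salt and a slow, salted one-way digest, and
# compare in constant time. Nothing near the compare is the password.
def make_verifier(password: str, iterations: int = 200_000) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def hardened_shipped_material(verifier: dict) -> bytes:
    # What the hardened installer embeds: salt plus digest, no plaintext.
    return verifier["salt"] + verifier["digest"]

def hardened_install_check(typed: str, verifier: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256", typed.encode("utf-8"), verifier["salt"], verifier["iterations"]
    )
    # lstrcmp-style compares stop at the first differing byte and leak the
    # matched prefix length through timing; compare_digest does not.
    return hmac.compare_digest(candidate, verifier["digest"])

def secret_visible_in(shipped: bytes, password: str) -> bool:
    # Does the embedded material contain the plaintext password?
    return password.encode("utf-8") in shipped

# The essay's second stage (the unlock code) is weaker still: the program
# derives the expected code from the user's own name and company and compares
# it in-process, so the right code sits in memory before every check. Hashing
# does not fix that; the client must be unable to compute the expected value
# at all (a vendor-signed licence checked with a shipped public key), which
# needs a real signature scheme and is outside this stdlib-only illustration.
```

The digest check still allows offline guessing of a weak password against the shipped salt and digest, so the slow iteration count matters as much as the constant-time compare.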
Snatch '97
(c) Snatch, 1997. All rights reversed.