So, at work we use this old program for our staff scheduling needs: Visual Staff Scheduler Pro v8. From the looks of it, I could tell right off the bat it's built using some old technology like VB6 or old VC++. Everything about it just screams Windows XP days in terms of the way the program looks and feels. There are a number of topics I kinda want to go over, as I've only scratched the surface of the program in terms of cracking it: cracking the Registration, and then revealing the Read/Write password for the schedule files. As I stated, the version at work is an older version, v8, and the most recent is v14. I wasn't expecting the demo to be a fully functioning (as far as I can tell, at least) version of the program, but if you get past the Registration, there it is, albeit with a 15-use restriction that's easily reset.
Don't steal. I have no use for this software on my own and don't plan to use it. This article is for educational purposes, as it'll feature some flaws in the false reality we call Security, and its flaws with my favorite language: VB. If you like VSSPro, buy it. For what it's for, it seems like a pretty great application. And as always with DMCA requests, if I receive any to take down the article, I will. This isn't meant to infringe on anyone's hard work, just a great puppet for some good free education.
OllyDBG v2 http://www.ollydbg.de/
Visual Staff Scheduler Pro 14 Demo http://www.abs-usa.com/support/visual-staff-scheduler-pro/overview/
A brain and no fear!
So if you have all three things ready, install the Demo and get Olly ready. It’s going to be a ride:
Up First, Information Scouting
So first up, you should always take a look at what you're dealing with. The key to this tutorial is that we're going to want to look for certain places where things are taking place. Programs execute in a pretty linear fashion, with a whole lot of logical expressions telling them where to go next. From the start to wherever the program ends, there's code telling it what to do. Olly will display all that code in a readable form known as ASM (Assembly), but luckily some things are in plain English, like window titles, messages, etc. So let's gather as much of that information as we can to pinpoint what's going on.
So run VSS_App.exe and you'll be presented with the "You must click Begin Registration to continue" prompt. Click it and you'll see that it instantly tries calling home to the ABS servers... but there's a Cancel button. Let's click that. Remember, we're not here to register, we're here to skip over that, so let's just keep it moving.
Next up you'll have to choose how you'd like to register. Since it just tried doing it over the internet, and that didn't work thanks to our clicking Cancel, all that's left is registering by phone. So click that and grab your phone out of the list of tools I told you to prepare... wait. Never mind, just select Next and see what comes next.
All right, you should be up at the screen asking for a registration code. The idea presumably is that you give them the serial number listed, they give you a registration key, and away you go. With your 15-Use trial. Type whatever you want and see what you get. Unless you’re somehow a master guesser, you should get this next screen.
So now we know a few things, and if you’re keeping track like I am with Notepad in the background there, here’s what you should have:
Registration Key: we type in here
Register Visual Staff Scheduler Pro (name of a window where the registration key goes)
The registration key entered is invalid. Please check number and re-enter. (message for wrong key)
System Registration (name of the message box)
Using just that information, we should be ready to go and poke around in Olly. So click the X to exit out of everything; we're ready to try to bypass this.
Right-click OllyDbg and run it with Admin rights. Click File => Open and select VSS_Pro.exe, or the shortcut that's on your desktop.
Some nifty things will happen as it loads libraries that are already on the computer, but all you have to be mindful of is the VSSPro module. So first click View on the top toolbar and select Executable Modules, which brings up a large list of the modules being loaded. We want the one that points to VSS_Pro.exe, so double-click that one.
Now, while looking at all the gibberish that loaded (and no, I won't be translating it for you), right-click on the window, hover over Search For, then click "Referenced Strings". This is where we search for particular strings. We don't really know much about the program yet, and I'm not teaching how to decipher all the ASM to figure out how programs make their calls and whatnot, so programming aside, let's think about the logic for a moment.
We clicked on the Next button and the program took what we wrote (or didn’t write) inside the Registration Key box and evaluated it. It then decided that we had the wrong value and showed us a Message Box saying we were wrong.
So with that logic in mind, we want to find where it decided that we were wrong, and have it decide we were right. Programs do this via some sort of logical comparison:
If Expression = True Then
    Do Something
Else
    Do Something Else
End If
Or in our case:
If RegistrationKey = ValidKey Then
    They are awesome, let them use it
Else
    The key you entered is invalid
End If
That's pretty simple logic to figure out, right? So let's do a search for the string "entered is invalid" rather than typing the whole message out. You should land somewhere where you can see both our "System Registration" string and the "entered is invalid" one, which tells us we're sitting in the "we entered the wrong thing" branch of the If/Then. Now this is where we need to know a little Assembly. Instead of even remotely attempting a crash course, I'll just say: we're looking for a jump. Not just any jump, but a conditional jump that skips past this "you are wrong" stuff and lands in the "you're pretty awesome for buying us" stuff. These jumps come in a number of flavors: JMP (unconditional), and the conditional ones, JE/JZ, JNE/JNZ, JA, JB, JG, JL, J... you get the point. So do a quick scan. What do you see immediately around you?
Hopefully you found a JE, which is "Jump if Equal" (the exact same instruction as JZ, "Jump if Zero"), and just above it a TEST ECX, ECX. TEST ANDs the register with itself and sets the Zero Flag when the result is zero, so that pair does not mean "if ECX equals ECX" (which is always true); it reads like this:
If ECX = 0 Then
    Jump to 0090304A (skip the error)
Else
    Keep going and show those messages
End If
Since the jump is the thing that skips the error messages, ECX = 0 is the "key is good" outcome here; the check routine left its verdict in ECX before we got to the TEST.
So again, knowing (or just looking up) the ASM jump mnemonics: if JE means Jump if Equal, how about Jump if Not Equal? Yep, it's just JNE, and it checks the opposite flag state. So double-click that instruction, change the JE to JNE, confirm the edit, and... how about we just run it now (F9)!
Blah blah blah, same window to register, click the phone option, type in whatever you want, click Next, and...?
Yep, that's right, you're super cool now, right? Click Finish and away you go. Only thing is, we haven't saved anything. And... I'm not going to tell you how, you figure that out. But otherwise the damage is already done. VSSPro counts this as a usage, and you get to use the program 15 times for a trial. So we've only cracked the Registration to begin our trial, not the trial itself.
I'll do a later entry on how to just keep resetting your trial, then another one on how to crack the trial. Then I'll do a separate CrackMe program that I'll create just to show how to save our changes, reset a similar trial that I'll build into it like VSSPro's, and then how to patch it. Then create a patch! Super fun!
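As an added example that is not part of the original post (and not ABS's code), here is the same two-step idea scripted in Python against a constructed 32-bit x86 fragment: find what references the error string, then flip the conditional jump in front of it. It shows why JE and JNE are one opcode bit apart, generalizes the flip to every short and near conditional jump, and checks what each patch does to a bogus key and to a genuine key. Everything in it (image base 0x400000, the RVAs, the byte layout, the strcmp-style result in ECX) is assumed for the demo; nothing is taken from VSS_Pro.exe.

```python
"""
Added example, not code from the original post or from ABS: a toy, scripted
version of the two OllyDbg steps above, run against a constructed 32-bit
x86 fragment. Image base, RVAs, bytes and layout are made up for the demo.
"""
import struct

IMAGE_BASE = 0x00400000                 # assumed load address of the toy image
STR_RVA, CODE_RVA = 0x1000, 0x2000      # assumed RVAs of the string table and the code

TITLE = b"System Registration\0"
MSG = b"The registration key entered is invalid. Please check number and re-enter.\0"
TITLE_VA = IMAGE_BASE + STR_RVA         # where the caption string would be mapped
MSG_VA = TITLE_VA + len(TITLE)          # the error text follows it immediately

def build_code() -> bytes:
    """Hand-assembled fragment with the shape seen in the post: the key check
    left its result in ECX (0 == match), then TEST + JE skips the MessageBox."""
    parts = [
        b"\x85\xC9",                            # 00: test ecx, ecx    (ZF = 1 iff ECX == 0)
        b"\x74\x14",                            # 02: je  +0x14 -> 0x18, the success path
        b"\x6A\x00",                            # 04: push 0           (uType = MB_OK)
        b"\x68" + struct.pack("<I", TITLE_VA),  # 06: push offset "System Registration"
        b"\x68" + struct.pack("<I", MSG_VA),    # 0B: push offset "The registration key ..."
        b"\x6A\x00",                            # 10: push 0           (hWnd)
        b"\xE8\x00\x00\x00\x00",                # 12: call MessageBoxA (rel32 is a placeholder)
        b"\xC3",                                # 17: ret              (end of the invalid-key path)
        b"\xB8\x01\x00\x00\x00",                # 18: mov eax, 1       (registered)
        b"\xC3",                                # 1D: ret
    ]
    return b"".join(parts)

def find_string_refs(code: bytes, code_va: int, string_va: int) -> list:
    """Crude version of Olly's 'find references': every spot in the code that
    carries the string's address as a little-endian 32-bit immediate (push
    offset, mov reg, offset ...). Expect false positives on real binaries."""
    needle = struct.pack("<I", string_va)
    refs, i = [], code.find(needle)
    while i >= 0:
        refs.append(code_va + i)
        i = code.find(needle, i + 1)
    return refs

# Short Jcc opcodes are 0x70 + condition; the low bit selects the negated
# condition, which is why JE (0x74) and JNE (0x75) differ by a single bit.
JCC_NAMES = ["JO", "JNO", "JB", "JAE", "JE", "JNE", "JBE", "JA",
             "JS", "JNS", "JP", "JNP", "JL", "JGE", "JLE", "JG"]

def invert_jcc(code: bytes, offset: int):
    """Invert the conditional jump at `offset` (short 7x rel8 or near 0F 8x
    rel32). Returns (patched, old_mnemonic, new_mnemonic, target_offset) and
    refuses anything that is not a Jcc, so a wrong offset fails loudly."""
    patched = bytearray(code)
    op = patched[offset]
    if 0x70 <= op <= 0x7F:
        rel = int.from_bytes(patched[offset + 1:offset + 2], "little", signed=True)
        patched[offset] = op ^ 1
        return bytes(patched), JCC_NAMES[op - 0x70], JCC_NAMES[(op ^ 1) - 0x70], offset + 2 + rel
    if op == 0x0F and 0x80 <= patched[offset + 1] <= 0x8F:
        cc = patched[offset + 1] - 0x80
        rel = int.from_bytes(patched[offset + 2:offset + 6], "little", signed=True)
        patched[offset + 1] ^= 1
        return bytes(patched), JCC_NAMES[cc], JCC_NAMES[cc ^ 1], offset + 6 + rel
    raise ValueError(f"no conditional jump at offset {offset:#x} (opcode {op:#04x})")

def force_jump(code: bytes, offset: int) -> bytes:
    """Replace the Jcc at `offset` with an unconditional JMP to the same target,
    so a genuine key and a bogus key both land on the success path."""
    patched = bytearray(code)
    op = patched[offset]
    if 0x70 <= op <= 0x7F:
        patched[offset] = 0xEB              # JMP rel8: same length, same displacement
    elif op == 0x0F and 0x80 <= patched[offset + 1] <= 0x8F:
        rel = int.from_bytes(patched[offset + 2:offset + 6], "little", signed=True)
        # E9 rel32 is 5 bytes, one shorter than 0F 8x rel32, so the displacement
        # grows by one and the spare byte becomes a NOP.
        patched[offset:offset + 6] = b"\xE9" + (rel + 1).to_bytes(4, "little", signed=True) + b"\x90"
    else:
        raise ValueError(f"no conditional jump at offset {offset:#x} (opcode {op:#04x})")
    return bytes(patched)

def simulate(code: bytes, ecx: int) -> str:
    """Interpreter for this fragment only: evaluate the TEST, then the JE / JNE
    / JMP at offset 2, and report which path a given check result lands on."""
    if code[0:2] != b"\x85\xC9":
        raise ValueError("fragment must start with test ecx, ecx")
    zf = (ecx & 0xFFFFFFFF) == 0
    taken = {0x74: zf, 0x75: not zf, 0xEB: True}.get(code[2])
    if taken is None:
        raise ValueError(f"unsupported branch opcode {code[2]:#04x}")
    if not taken:
        return "invalid"                     # falls through into the MessageBox path
    target = 4 + int.from_bytes(code[3:4], "little", signed=True)
    return "registered" if code[target:target + 5] == b"\xB8\x01\x00\x00\x00" else "unknown"

if __name__ == "__main__":
    code, code_va = build_code(), IMAGE_BASE + CODE_RVA
    for va in find_string_refs(code, code_va, MSG_VA):
        print(f"error string referenced at {va:#010x} (offset {va - code_va:#x} in the fragment)")
    patched, old, new, target = invert_jcc(code, 2)
    print(f"{old} -> {new}, jump target offset {target:#x}")
    for label, blob in (("original", code), ("JE->JNE", patched), ("forced JMP", force_jump(code, 2))):
        print(f"{label:10}: bogus key -> {simulate(blob, 1)}, genuine key -> {simulate(blob, 0)}")
```

One thing the simulation makes obvious: the JE to JNE edit inverts the condition, it doesn't remove it, so a genuine key is now the one that gets the "invalid" message. If you want both cases to pass, replace the Jcc with an unconditional short JMP (opcode 0xEB, same length, same rel8), as force_jump does; for the near form, E9 rel32 is a byte shorter, so the displacement is bumped by one and the leftover byte is padded with a NOP.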
So let's talk Security
So VSSPro from what I can tell does a few things in the name of Security:
Has registry entries that record where you are in the registration process.
Usages are not stored as plain numbers from 1 to 15 but instead seem to have some low-level encryption, which probably tells it something else too.
I'm not sure yet, but I believe it also uses certain values to dictate which edition of the application ("Premiere, Gold, Enterprise, Pro") the final registered program is to be.
So what's the problem with this "Security"? The good side is that, for what it's worth, it's a very simple, cost-effective means of protecting your application. The application isn't packed up like a zip file in memory that has to be pulled out, and it doesn't require anything too fancy to figure out either. My guess, since I don't see the serial number changing much between installs on my end, is that the registration key comes from a very basic algorithm applied to the serial. Once the correct key is entered, the nagging goes away and a full application is born. It's very nice, compact, and convenient.
On the flip side, though, it's easily breakable. All we did here was jump over the WRONG path and go straight to the RIGHT one.
When I show the simple reset, we'll just be resetting the registration usages back to pre-registered, where our saved, patched file will again let us jump over the wrong path and go to success.
When we end up patching out the nag screen and the check altogether, we'll just be jumping straight into the program.
Simple, cost-effective, and convenient is easily overtaken by simple cracks. But with a price tag of $400+ and a very niche market, you're probably going to have more paying customers than pirates to worry about, and you want to cut costs altogether. If the company is a small 5-10 man team with outsourced tech support, then you probably want the quickest and simplest methods that won't cut into your profits. That's what makes this a great lesson too, as I am a small-time developer with small niches I focus on. Costs and profits must be weighed.
So that concludes today's article.