Cracking for Fun, part 2: POLYCOM PVX 8.0


---::::: CRACKING FOR FUN PART 2 :::::---
---::::: POLYCOM PVX 8.0 :::::---
---::::: by PHB :::::---

I decided to write this article in English, because there were too many people who wanted a translated version of part 1.

Polycom PVX is videoconferencing software that is able to use the H.239 protocol. This is a proprietary protocol; it has certain advantages over the older ones, for example it supports having multiple video channels (e.g., one for conferencing, another for presentation) within a single session (call).

Wikipedia article about H.239

This is the first and only crack for it. Hope it will be useful to someone :)

How did I get to this program? A colleague of mine asked me for help, so I looked at it... and a few hours later...

You can download it from the official site: http://www.polycom.com/pvxtrial/

Part 1: Reconnaissance

Run the application and watch for anything that can help us, for example the window that shows up when the program starts, telling us that we can activate or continue in trial mode. All right, note the text, we will need it; now click on Activate. You can see text boxes for a serial number and for a key; try writing anything in them and click Activate. An error box should appear.

Now we will look at the code. I used OllyDbg. First it would be nice to check the structure of the code; at first glance we can tell it was written in Visual C++. C code is always so nice :P Try to find the strings that we saw in the ugly nag screens earlier. Can you find them anywhere? Uhmmm, nope...

Part 2: Come on...

Hmm, I don't have time today, so I will make it fast. Is this application working with strings? Yes, it is: the serial and the key are strings. Does this application make some string comparisons? Yes. Is this app written in VC++? Yes. So look at the API calls and look for a string comparison. Put breakpoints on all of them, for example strcmp. This API call is referenced only twice in the whole program.

Wow, it hit the breakpoint... look at it, how nice it is :)))

[Screenshot: Cracking for fun part 2]

Now look at it: you see a comparison, you see that memory and the CPU registers are full of strings. Try to experiment with the logic behind it.

Part 3: Solution

OK, here is the solution. The piece of code you're looking at is called from multiple places in the program; the cmp operation is done here, but the jumps are far, far away, behind complicated procedures. So what if we did something that isn't so common? Why should we change the jump condition to achieve our goal? What if we could alter the whole process without touching the jumps at all...

Yes, it can be done. Very easily, look at this:

0043DFE8  |.  8D85 38FFFFFF LEA EAX,DWORD PTR SS:[EBP-C8]
0043DFEE  |.  50            PUSH EAX                                 ; /s2 = "X2FE-6C50-06C0-****-****"
0043DFEF  |.  8D85 38FEFFFF LEA EAX,DWORD PTR SS:[EBP-1C8]           ; |
0043DFF5  |.  50            PUSH EAX                                 ; |s1 = "X2FE-6C50-06C0-****-****"
0043DFF6  |.  E8 8B0A0200   CALL <JMP.&MSVCRT.strcmp>                ; \strcmp

EBP-C8 => that's our key
EBP-1C8 => that's some internally generated key
strcmp makes the comparison,

=> what will be the result of the comparison if we compare the SAME two strings? :P

Yeah, just edit the line

LEA EAX,DWORD PTR SS:[EBP-C8]
to
LEA EAX,DWORD PTR SS:[EBP-1C8]

and that's it ;)

Every time some function calls this piece of code, the result of the comparison will be positive. So we have solved this protection very easily, whereas with the traditional cracking methods it would be very hard and time-consuming to crack, because of the multiple checks. The only mistake the developers made was that they trust a single strcmp :P

[Screenshot: Cracking for fun part 2]

=>=> dedicated to inka <=<=

phb(at)mail.gywb.cn