Monday, May 24, 2010

Migrating and Cracking Tritek Legal Case Management

In my development of the MerusCase module that does a data migration from Tritek to MerusCase, I have thoroughly decoded their database schema.  What a mess!  I had to develop contact 'de-duping' software using what we call 'fuzzy matching' via a Levenshtein metric.  That was really intriguing to develop.

However, in order to properly map data from their system to ours, I needed a working copy of the software to reference from and see how that data was being stored in their archaic dBase (Microsoft FoxPro) format. It's funny that Microsoft has officially announced the death of FoxPro, i.e. they have announced the dates after which they will no longer support the product.  It's even funnier that if Tritek has any chance of keeping up with technology they will have to start their app from scratch.  Anyone who as ever used the program realizes how shoddy the user interface is -- irritating to navigate, an eyesore to look at (no taste for aesthetics whatsoever!), and a counter-intuitive approach to UI design.

Apparently Tritek's tampering check is easy to crack.  First off, if you rename the xmgmt.exe file with a .txt extension and open it up in TextPad, you'll see that all the FoxPro code is embedded in plain text.  That is, you can see exactly what the developers wrote that make the application run and do what it does.  If you do a search for 'tampered' or 'exempt' you will find the dialog box that tells you to buy a license, and you will also find the code that does the security check.

All it does is do a 'dir x: > WORK\vsno.txt' on the drive that your data sits on, saves the output into the WORK folder, looks for 'Volume Serial Number' in that text file, because it grabs the 9-char s/n for your drive.  It then hashes it and computes the corresponding 8 to 11 digit integer using a built-in FoxPro hash function (SYS 2007).  That integer is compared to the value contained in serno.dbf file, located in your data folder.  There are 'backdoors' aka Tritek Maintenance logins hard-coded too (see code snippet below).  I could run a brute force attack on those codes using a utility like MDCrack to find out the universal volume-s/n they use...

Fortunately, there is a simple command-line utility that allows you to change your drive's serial number.  This has no effect to anything else, so far as I can think of.  Nothing uses HDD serial numbers except for the occasional 15-year old p.o.s. software (Tritek for one!).  Download volumeid.exe from Microsoft Technet (it's free) or from here.  It's usage is simple: volumeid <driveletter:> xxxx-xxxx.  You'll have to reboot for changes to take effect.

Maybe if I have time in the future, I'll throw together a little script that will disable or patch tritek to completely bypass security checks altogether.  In the world of cracking, a bypass may be as simple as converting a machine code instruction 'jump if equal (je)' to 'jump if not equal (jne)'.  =)


a="dir "+xdata+" >"+xwork+"\vsno.txt"
RUN &a
b=xwork+"\vsno.txt"
a=FILETOSTR(b)
c="Volume Serial Number is "
L=LEN(c)
d=AT(c,a)
d=d+L
z=SUBSTR(a,d,9)
a=SYS(2007,z,0,1)
b=a
a=a+a
L=LEN(a)
SELECT serno
vtampered=.f.
z=ALLTRIM(vsno)
LL=LEN(SYS(2007,z,0,1))
    IF (b="446519453" .or. b="487413866" .or. b="1505040575" .or. ;
    b="3629040784" .or. b="659246687" .or. b="140427344" .or. ;
    b="3772951423")
*!*        IF (b="446519453" .or. b="487413866" .or. b="1505040575" .or. ;
*!*        b="3629040784" .or. b="659246687")
    usesmsg="TRITEK MAINTENANCE LOGIN"
    thisform.uses1.visible=.t.
    xe=0