Windows 95 & A Very Old School Crack
Hi, today I’ll help you install Windows 95 to play around with it and see how it was done back in the day. This tutorial will follow the installation of the OS using MS-DOS and VirtualBox. You’ll need the MS-DOS floppies, the disk driver, and the Windows 95 ISO. If you want to make it more usable on modern hardware, you’ll probably want Scitech Display Doctor too. We’ll also fix some display resolution issues to make it more enjoyable.
Let’s install…MS-DOS
Prepare your hypervisor of choice (here we will use VirtualBox) and create a new machine. If you name it “Windows 95”, VirtualBox will take care of everything. If you feel creative and want to name it some other way, be my guest, but remember to select the correct type of system (Windows 95 :)). The defaults should be 64MB of RAM, 1 processor, and 2GB of storage.
After you have created the machine, open settings, and disable acceleration (if your computer supports it).
You can find the ISO searching the internet archive.
Windows 95 was Microsoft’s first attempt to unite its experimental Windows 3 with its more established MS-DOS product. The final product is a cool new and improved GUI inspired by Windows 3, running over an MS-DOS kernel. More than that, it is basically just a GUI over MS-DOS. This is a bit harsh and not completely true, but without entering into complicated debates, let’s just say that the relationship between Windows 95 and MS-DOS was murky at best. If you want to read more, check this for a very interesting read. But why this disclaimer? Because now you know why we are going to install MS-DOS first.
Open again settings and insert in the floppy storage MSDOS floppy 1, then spin up the machine. Now that you have the machine running you should be prompted with the installation of MS-DOS (in my case version 6.22). The installation is pretty straightforward and does not require any wizard abilities to understand what is happening. You should be able to finish it in a breeze, just press Enter and swap the floppies when asked (with the floppy icon in VirtualBox).
Better installer than any Linux distro.
When the installation is completed, remember to remove the floppy. Restart your computer and congratulations, you installed MS-DOS! What we want to do now is install Windows 95 properly, and we want to do that from an ISO. The problem is that MS-DOS can’t read CD-ROMs by default, so we need to install the appropriate driver. Start up the system and you will find yourself at a “C:\” prompt. Insert the “cdrom.img” floppy with the driver and move into it by typing “A:”. Now that you are on the floppy, install the driver with “setup.bat”. Remove the floppy.
Glorious MS-DOS in action.
At this point, you might encounter the first disturbance in the force. We are working with ancient relics here, and the power they emanate can disrupt the normal working of reality. With a bit of luck and handed-down wisdom we should be able to overcome it. Insert the ISO in the CD storage and switch to it with “D:”. It will probably fail. Wisdom number 1: restart the machine. Now you should be able to select it. Type “setup” and press Enter to start the installation of Windows 95.
After the restart(s)
Windows 95 proper
Now you should be in known territory: the installation procedure is very simple and you only need to keep an eye on a few things. When asked for the key, use 12095-OEM-0004226-12233. Fun fact: in the first version of Windows 95 you could use 111-1111111 as a valid key. Unfortunately, in my version the mythical key is not accepted, more on that here. Always install all drivers and components when asked. Also, do not opt for a startup disk (unless you have a floppy to spare). Restart the machine when asked. Remember to remove the floppy.
“just restart it lol”. Good Job Microsoft
You might also need to remove the installer ISO. Then keep going with the installation, but if you have removed the ISO, put it back in when asked. At this point you will be asked to restart the machine to complete the installation; do it. DO NOT INSTALL PRINTERS: like in real life, you don’t want anything to do with printers unless absolutely necessary. Congratulations, when you see the login panel you will have a complete Windows 95 installation!
After the restart you should be greeted with a login prompt; remember to log in the intended way, by closing the window with the top-right X. And you are done! Windows 95 is fully working. Enjoy the best startup sound ever created.
Yes, press the X.
Make it usable
Now you have a working instance of Windows 95 and should be proud of it. If you just want to try it and see how it was back in the day, it should be fine without tweaks. In the unfortunate case that you found something else to do on the system and want a bit more room to operate, this section explains how to change the screen resolution.
As you can see we can’t change much by default.
If you start tinkering with the settings you’ll notice that you can’t change the number of colors or the resolution, yet. To do that we have to use a third-party piece of software called Display Doctor 7 (beta). Yes, beta. The company that made it, SciTech, was acquired in 2008, so we probably won’t see the full release. Start the system, put the ISO in the CD-ROM drive, and open it as you would open a CD-ROM in any later Windows version (aka from My Computer; I know you use Linux, don’t worry). Run the executable and install with everything left at default.
You are again in the hands of RNG: remove the disk and restart. You might have to do it a few times… After the restart, open the Display Properties by right-clicking an empty point on the desktop. Go to Settings and then Advanced Properties.
Great, if the system restarted correctly, just some menuing separates us from a full-fledged modern Windows 95 installation. A window with Display Doctor written all over it should be on big display. They are just flexing that they can drive bigger screen resolutions. You’ll be able to as well, don’t worry. DO NOT PANIC if a scary alert appeared. We have to find the driver for the adapter. Change the Standard PCI Graphics Adapter by selecting “SciTech Software, Inc.” as the manufacturer and Display Doctor as the model. You will be asked to find a driver (.drv) file for the new (fake) graphics adapter. You can find it under “C:\progra\scitec\disk\sdd9x.drv”. Apply again. We did it. Restart, and under Display Properties you should find lots of colors and a lot of resolutions. I should mention again that something might not work while restarting. You must have patience, believe, and never surrender when restarting.
Go again under Display Properties > Advanced Properties > Change (the adapter). Choose “SciTech Software, Inc.” under manufacturer and “SciTech Display Doctor 7.0” under models. Press ok.
Complete path to the driver.
I’ll encourage you to crack Display Doctor to not have the nag of “21 days remaining” showing each time you open it. You should probably already have a key to register it in the folder you downloaded but where is the fun in that?
You made it. Now everything works*
*Except for shutting down the machine, which won’t ever work again. You’ll have to do it the hard way the majority of times probably.
Fast CPU Fix
If at any point you had problems restarting the machine and got an error like this one:
While initializing device IOS:
Windows Protection Error. You need to restart your computer.
or
While initializing device NDIS:
Windows Protection Error. You need to restart your computer.
You should check the clock speed of your CPU. Windows 95 doesn’t cope well with fast modern CPUs, so it might not work. To force it to work, use the FIX95CPU fix, following the directions in its README.txt.
Red, cool
Let’s Crack Something!
DISCLAIMER: this is not a tutorial but more of a historical re-enactment. I won’t explain anything in detail, but if you have some familiarity with programming, a bit of debugging, and assembly, you should be able to at least grasp the idea of what is happening. In any case, I think that everyone can follow it until the end. I urge you to ask Google for words and concepts that might not be clear, or write to me directly. Have fun.
We have everything ready as it was in 1995. That’s cool, but now what? Sometimes we want to go back to the ancient ways, just to feel how it was done by the masters when they were still human. That’s why, to conclude the tutorial, we will crack the first challenge of the “Newbies Lectures” that could be found on a very old website where old Italian and international crackers hung out. The program is called DesKey and it doesn’t work in Windows XP even in compatibility mode, so it is a perfect candidate for this celebratory crack.

But before thinking about the program to crack, we have to think about the tools to use. And which better tool than SoftIce? The legendary SoftIce. Now a relic of the past, it was the crème de la crème of debuggers at the time, the tool that every cracker should have known like the back of their hand. SoftIce was cool because it was a kernel-mode debugger, basically running at a lower level than Windows itself. If you want to check out a more modern approach to kernel-mode debugging, check out this.
If you want to follow along, you just need SoftIce and DesKey. I’m using versions 4.05 and 1.03 respectively. Remember to add the winice.dat in the folder where SoftIce is located just to make the interface easier to use.
Legendary view. CTRL-D goes brr.
DesKey
I’m not really sure what is the purpose of DesKey, the only important thing for us is that its free license is limited in time and we want to have it forever.
Ok, let’s start working. I suggest you create a shortcut for deskey on the desktop after you have installed it. After everything is ready, disable DesKey. You can easily do it by right-clicking on it in the lower right.
First, open SoftIce (Ctrl+D) and set a breakpoint on SetTimer by typing “bpx settimer”. What we are doing is telling SoftIce (aka sice), which as you recall runs underneath Windows, to create a trap (the breakpoint) on the function SetTimer. This trap will fire each time that function is called by anybody or anything. Other useful commands to manage breakpoints are bl (list breakpoints), bc (clear a breakpoint), be (enable), and bd (disable). For example, to remove the breakpoint we just set we can type bl, see that its number is 00 (the number on the left), and remove it with “bc 00”. Now when we type bl nothing appears, and the breakpoint has been successfully removed.
Now what we want is for sice to trap SetTimer when DesKey calls it at startup. We can infer it will be called because SetTimer can be used to schedule a check for the expiration of a license. With Ctrl+D close sice and open DesKey (remember to set the breakpoint again if you removed it before). Sice will pop up and you’ll find yourself in the code DesKey is executing. In reality you are not yet in DesKey’s own code, but in the code of the library that calls SetTimer, itself called by DesKey. In the green text towards the lower half of the sice window you should see some text. Press F11 until that text says something “DesKey” something. What we have done is run back up through all the libraries until control returns to DesKey. IMPORTANT: other software may call SetTimer while you are trying to open DesKey. We don’t care about them, but sice will pop up anyway. You can recognize them by the fact that pressing F11 a few times will make sice close.
SICE in action.
This should be similar to your situation. You can use Ctrl+Up/Down to scroll the upper part of sice. If you have already used a debugger you can clearly see what just happened. Scroll up with a couple of Ctrl+Up and you’ll see that we are at the instruction just after the SetTimer call. Without going too much into the details, “call USER32!SetTimer” is the call to the function SetTimer. The parameters are passed through the stack with the four preceding push instructions (there is a mov in between). Here’s the documentation for SetTimer:
UINT SetTimer(
    HWND hWnd,              // handle of the window that owns the timer
    UINT nIDEvent,          // timer identifier
    UINT uElapse,           // time-out value in milliseconds
    TIMERPROC lpTimerFunc   // address of the timer procedure (may be NULL)
);
We can easily see that uElapse (Hungarian notation ;)) is the second value pushed onto the stack (remember the reverse push order). This hex value represents the time we care about and want to ignore: 0x0036EE80 = 3600000 decimal milliseconds, i.e. 1 hour. Ok, now what? We can again infer that if the program is registered, no call to SetTimer will be made and it will be usable without limits. With a few Ctrl+Up (until instruction 0040397A) we can see that there are 2 conditional jumps (the “cmp jz cmp jz” sequence). One of these 2 lands exactly at 00403991, where the first push for the SetTimer call is. What is happening here? Probably this is DesKey checking its registration before arming the timer. We want to skip that, and as we can see the second conditional jump, if taken, skips the whole SetTimer thing. So we have an objective: we want to skip the checks and ideally go to the location that skips the SetTimer business. How can we do that? Simple: make the first jump go directly to the target of the second, by changing its target address. There are a few ways to do it, but this is just a demonstration, so we will just change it to make the program run as long as we want.
The line with “74 09” shouldn’t be red in yours yet
Let’s switch it up a little by using OllyDbg, another legendary debugger. Spin it up, load DesKey and press Ctrl+G. Enter the address we want to change (get into the habit of writing down interesting addresses), and you should see it selected on your screen. Go a bit up and place a breakpoint on the 0040397F line (double-click on it until it is filled red). This is just before the jump we want to change. Press play and see how OllyDbg pauses DesKey exactly at the breakpoint. F8 to do a single step, and now we are ready to change the jump. You can see how “JE 00403991” is in reality seen by the machine as “74 09”. Keep an eye on it. With the selector over the jump we want to change, press space to assemble a new instruction (substituting whatever is written with something else). Replace what is written with “JMP 004039B2”; this means “always jump to 004039B2”, so we will always skip the SetTimer, no matter what. Press OK and you’ll see how “74 09” changed to “EB 2A”. We did it, the program is cracked. Now you only have to change the executable so the change is permanent. You can do it directly from Olly (Google is your friend) or you can use a hex editor. I’ll leave you with a screenshot of XVI32, the hex editor I used to apply the change; you don’t have to use it (I advise against it), any hex editor is fine.
The cursor marks where I made the changes; remember to overwrite and not insert text.
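As an added example (not from the original tutorial, and not code from DesKey, SoftIce or OllyDbg), here is the displacement arithmetic behind the two byte pairs quoted above, “74 09” and “EB 2A”, together with the byte-level comparison against a known-good copy that is how a defender or a program’s own integrity check notices a two-byte change like this one. The jump’s own address (0x00403986) is not stated in the post; it is derived here from “JE 00403991” being encoded as “74 09”, and the 16-byte code region is a constructed sample around those bytes.

```python
# Added example for this page, not code from the original tutorial or from
# DesKey/SoftIce/OllyDbg. Shows how a 2-byte x86 short jump encodes its target
# and how a byte-level comparison against a known-good copy reveals a patch.
import hashlib

# The two short-jump (rel8) opcodes that appear in the post.
OPCODES = {"JE": 0x74, "JMP": 0xEB}
MNEMONICS = {v: k for k, v in OPCODES.items()}


def decode_short_jump(addr, opcode, disp):
    """Return (mnemonic, target) for the 2-byte jump located at addr.

    The displacement is a signed byte relative to the instruction that
    follows the jump (addr + 2), which is why "74 09" at 0x403986 reads as
    JE 00403991 in the debugger.
    """
    if opcode not in MNEMONICS:
        raise ValueError("not a short jump opcode: %#04x" % opcode)
    rel = disp - 0x100 if disp >= 0x80 else disp  # sign-extend the byte
    return MNEMONICS[opcode], (addr + 2 + rel) & 0xFFFFFFFF


def encode_short_jump(addr, mnemonic, target):
    """Return the two bytes for "<mnemonic> target" assembled at addr.

    Only targets within -128..+127 bytes of addr + 2 fit a short jump; the
    assembler refuses anything farther instead of silently emitting a longer
    instruction that would overwrite the bytes after it.
    """
    rel = target - (addr + 2)
    if not -128 <= rel <= 127:
        raise ValueError("target %#010x is out of short-jump range" % target)
    return bytes([OPCODES[mnemonic], rel & 0xFF])


def diff_offsets(known_good, candidate):
    """Offsets at which candidate differs from a known-good copy of the same
    code region. This is the defender-side check: a two-byte change is
    invisible at runtime but trivially visible next to a trusted copy."""
    if len(known_good) != len(candidate):
        raise ValueError("length mismatch: inserting or deleting bytes "
                         "shifts every later address")
    return [i for i, (a, b) in enumerate(zip(known_good, candidate)) if a != b]


def sha256_hex(data):
    """Hash of a code region, the usual way a trusted copy is recorded."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: the bytes the post quotes ("74 09" -> "EB 2A"), padded
# with filler so there is a small region to compare. Derived, not stated in
# the post: the jump sits at 0x00403986 (0x403991 - 2 - 0x09).
JUMP_ADDR = 0x00403986
REGION_BASE = 0x00403980
_OFF = JUMP_ADDR - REGION_BASE                      # 6 bytes into the region
ORIGINAL = bytes(_OFF) + b"\x74\x09" + b"\x90" * 8  # zero filler, JE, NOP filler
PATCHED = ORIGINAL[:_OFF] + b"\xEB\x2A" + ORIGINAL[_OFF + 2:]

if __name__ == "__main__":
    print(decode_short_jump(JUMP_ADDR, 0x74, 0x09))               # JE -> 0x403991
    print(decode_short_jump(JUMP_ADDR, 0xEB, 0x2A))               # JMP -> 0x4039B2
    print(encode_short_jump(JUMP_ADDR, "JMP", 0x004039B2).hex())  # eb2a
    print(diff_offsets(ORIGINAL, PATCHED))                         # [6, 7]
    print(sha256_hex(ORIGINAL) != sha256_hex(PATCHED))             # True
```

The decoder shows why the debugger’s “JE 00403991” and the hex editor’s “74 09” are the same thing, and the encoder shows that the 0x2A in “EB 2A” is nothing more than 0x4039B2 minus the address of the following instruction. The comparison functions are the other side of the story: a recorded hash or a trusted copy of the code region flags the edit immediately, which is the check any software that cares about tampering performs on itself.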
Conclusion
I hope you found something useful in this brief tutorial/walkthrough. To anyone who has ever tried to crack or reverse something, this will look like a very bad way to crack a very simple program, but I wanted to do it in a way very similar to how it was done in the original 2000 tutorial. The objective is to show someone who’s never done anything similar a quick glimpse of what it is like to explore an executable and try to crack it. This, I believe, was also the objective of Quequero when he (or she ;)) wrote the tutorial in 2000: a sort of wooing of the newbie who is searching the internet for what the heck this cracking thing is and how it is done, to make him or her ask the right questions and keep on the path of learning.
With me, it worked…even more than 20 years later.
Greetz
What more can I say? I wouldn’t be here today, if the old school didn’t pave the way — Grand Puba
Quequero :: +fravia :: +Malattia :: J. Edward Sanchez :: Fantoibed :: Tactus :: LoneCrusader