BEGINNERS: Awesome AW: MOST STUPID PROTECTION OF THE YEAR 1997!
Hardcoded and unencrypted registration codes: a touristic tour for beginners

Most stupid protection 1997

by Tristan

(31 December 1997, heavily edited by fravia+)




Hi all from the +HCU, and especially +ORC for his tutorials and his 
followers who made them accessible to us. 

A few words before I start with the real essay. 

I started to learn cracking only one year ago, but in a first phase 
I only followed the evolution of our techniques, reading essays and 
trying out ready-made cracks. After a long period of research, I began 
to reverse on my own. I found a lot of incredibly easy protection 
schemes, and I can only encourage anyone reading this who has not yet 
done it, maybe scared by the 'advanced stuff', to start cracking on 
his own. In fact I don't understand why the cuckoo I didn't start 
cracking earlier myself. 

I have a piece of advice for beginners and an incredibly stupid 
protection scheme to report. My advice is: "really, newbies, try your 
hand! You can only learn, and there is no way you would lose against 
such feeble protection schemes as the ones I have found until now". 
And the subject of this essay is related to this advice: I found 
a mighty candidate for the "most stupid protection" award.



Awesome AW: an example of an Incredibly Stupid Protection Scheme



The target is Add Web 1.23 from cyberspace hq.
You can download it from www.download.com or from its web page at 
http://www.cyberspacehq.com/home.htm, else (as soon as they take 
it away :-) you'll of course find any current or previous version 
of it elsewhere on the web, if you have learned how to search.

First you should research a little: study the target. You will then 
see that there exist three different versions of Add Web. 
The first is the one you get after installation, without registering. 
Yeah, you guessed it: it's the 'unregistered version', which permits 
you to register your home page at 10 search engines. 
The next, higher, version is the 'registered version', which allows 
you to register your home page at about 355 search engines (well, 
quite a lot too many, I think, since there are only a couple of 
dozen really important search engines; most of the others are 
just pilfered 'bogus' subsets).
Last but not least there is a 'gold registered version', which allows 
you the following:
"The GOLD version adds the ability for you to customize 
the report headers and footers, and allows you to edit 
the text in e-mail reports."
I pasted it from the Add Web Help file, because I couldn't remember
it after having closed the Help file. Both 'registered' versions 
are unlocked simply by entering a registration number: there is no 
separate gold build, the same executable decides from the number 
you type which edition you get.

Ohh, and another aspect shouldn't be left out: the price of this program:

Pricing:



Version        Price

====================

Standard      $49.00

Gold          $89.00  



Huuh, $89? Quite a lot for this software! I think the whole of Win95 
isn't so expensive (which on the other hand is quite understandable, 
given how buggy it is). 
And now you think: borabora! If the target is so expensive, then it 
will have a nearly uncrackable protection scheme. 



Let's see: here follows the crack:


First approach:


I opened the file addweb.exe (by the way, 732,160 bytes long) with 
Wdasm 8.9. Then I looked for relevant strings like 'now registered' 
or 'sorry, this was a bad reg. number' (just like +ORC and all his 
students told us). And here comes the funny part:
I found string references like this:


"AW21-JH8WFHB-84EWFW8"
"AW23-JH843H8-8426298"
"AW98-2J882DB-JW01192"
"AWD8-362HF83-8EHE532"
"AWE1-F373736-UJU8376"
"AWGD-WDWD824-4962345"
"AWGE-DWE837A-FE97438"
...and a lot more


Hmm, what do you think these strings are? Well, to me they don't look 
like error messages, so what could they be then? Why not encoded 
registration numbers? Well, yes, but why would they be encoded that way? 
Or could it be that...? No, it can't be! That would be too easy!
Or perhaps they really are plain registration keys? 
Pahh! Too simple (but worth a try nevertheless...)


And so I entered one of these numbers, just to see what nasty message 
I would get, and I could not believe my eyes: Bingo! Up comes the happy 
message: 'Thanks for your 49 (or 89) dollars'... for a registration 
number that isn't even encoded! A shame! Puah! This "crack" took me two 
minutes, without any work for my brain. The program compares what you 
type against a list of valid numbers stored as plain text constants in 
the executable, so anyone with a string viewer has every key.



Well, the crack isn't done yet, because I told you that there are two 
kinds of registration: the normal and the gold one. 
Looking at the About box told me that I had registered a normal version. 
So I decided to have a 'zen' look at the hardcoded registration codes 
above.


A small 'zen cracking' exercise


Do it NOW, before reading on; it is a (very, very tiny) 'zen cracking' 
exercise :-)
Look at the registration codes above! You dig it?


I hope you tried for yourself instead of just reading on. It's (once 
more) so easy I could cry! The following applies:


- All registration numbers start with AW (gosh, could it possibly be a 
  contraction of AddWeb? :-)
- All gold version registration numbers have a G right after AW (G for 
  Gold, how original... hmm... do you see a simile?)
- All other reg. numbers, the ones without that G, are normal versions.

Now go and have a look yourself if you don't believe me; it's so stupid 
it's enough to make you sick.
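As an added example (not part of Tristan's essay and not AddWeb's own code), the string hunt of the first approach and the Gold/Standard rule from the zen exercise are written here as a small Python scanner: extract printable runs the way Wdasm's string reference list does, keep the ones shaped like a key, and label each one. The byte buffer is constructed for the example; the key shape (AW, two characters, dash, seven, dash, seven) is inferred from the strings listed above and is an assumption about the format.

```python
import re

# Constructed sample, not the real addweb.exe: a few of the key-like strings
# from the listing above, mixed with other printable text and binary junk.
SAMPLE_BINARY = (
    b"\x00\x00MZ\x90\x00garbage\x00"
    b"AW21-JH8WFHB-84EWFW8\x00"
    b"Thank you for registering!\x00"
    b"AWGD-WDWD824-4962345\x00\xff\xfe"
    b"AWGE-DWE837A-FE97438\x00"
    b"Invalid registration number\x00"
    b"AW98-2J882DB-JW01192\x00"
)

# Shape inferred from the strings wdasm showed: "AW", two chars, dash, seven,
# dash, seven.  An assumption about the key format, nothing more.
KEY_RE = re.compile(r"AW[A-Z0-9]{2}-[A-Z0-9]{7}-[A-Z0-9]{7}")


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Return runs of at least min_len printable ASCII bytes, like `strings`."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pat.finditer(blob)]


def classify_key(key: str) -> str:
    """Apply the rule from the 'zen' exercise: a G right after AW means Gold."""
    if not KEY_RE.fullmatch(key):
        raise ValueError(f"{key!r} does not look like an AddWeb key")
    return "gold" if key[2] == "G" else "standard"


def find_hardcoded_keys(blob: bytes) -> list[tuple[str, str]]:
    """Hunt the string table for anything shaped like a key and label it.

    This is the whole 'first approach': no disassembly needed, the keys are
    plain-text constants and the edition can be read off the key itself.
    """
    hits = []
    for s in extract_strings(blob):
        for key in KEY_RE.findall(s):
            hits.append((key, classify_key(key)))
    return hits


if __name__ == "__main__":
    for key, edition in find_hardcoded_keys(SAMPLE_BINARY):
        print(f"{key}  ->  {edition} version")
```

Run it against a real file with `find_hardcoded_keys(open("addweb.exe", "rb").read())`; anything it returns is a usable key, which is exactly why secrets compared with a plain string compare should never sit in the binary as constants.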



Second approach:



Why should we use a ready-made registration number? Let us transform it 
into a real crack, as it should have been if the programmers had not been 
so stupid. Starting Wdasm again we search the strings until we land at 
the position of one of the registration numbers above; as soon as you 
land there the code will look, for example, like the following snippet:


* Referenced by a Jump at Address:045A459(C)
|
:045A495 8B831C050000          mov eax, dword ptr [ebx+0000051C]

* StringData Ref from Code Obj ->"AW25-7JREG7C-3H1EG54"   <- this is our reg. code (one of the normal version)
|
:045A49B BA68AB4500            mov edx, 0045AB68             <- passed as parameter in edx
:045A4A0 E85792FAFF            call 004036FC                 <- compare with the entered reg. code
:045A4A5 753A                  jne 0045A4E1                  <- reg. code wrong: evil jump
:045A4A7 C6831305000001        mov byte ptr [ebx+513], 01    <- good code: flag one here
:045A4AE C6831105000000        mov byte ptr [ebx+511], 00    <- good code: flag zero here. Watch it!
:045A4B5 66B91F00              mov cx, 001F                  <- parameters for the...
:045A4B9 66BA0C00              mov dx, 000C                  <- ...following...
:045A4BD 66B86300              mov ax, 0063                  <- ...call
:045A4C1 E872C4FAFF            call 00406938                 <- in this call the reg. code is saved...
:045A4C6 DD9B14050000          fstp qword ptr [ebx+514]         ...in our Win95 registry, I think
:045A4CC 9B                    wait
:045A4CD C7832805000001000000  mov dword ptr [ebx+528], 1    <- more flags, like expiration dates...
:045A4D7 C7832C050000D0070000  mov dword ptr [ebx+52C], 7D0  <- ...and the year 2000

* Referenced by a Jump at Address:045A4A5(C)
|
:045A4E1 8B831C050000          mov eax, dword ptr [ebx+51C]

* StringData Ref from Code Obj ->"AWGM-MCC77WA-G55WGS5"   <- reg. code for a gold version
|
:045A4E7 BA88AB4500            mov edx, 0045AB88
:045A4EC E80B92FAFF            call 004036FC                 <- again the comparison
:045A4F1 753A                  jne 0045A52D                  <- and again a jump if it is wrong
:045A4F3 C6831305000001        mov byte ptr [ebx+513], 01    <- now the flags: registered if 1
:045A4FA C6831105000001        mov byte ptr [ebx+511], 01    <- normal or gold? Gold, please.
:045A501 66B91F00              mov cx, 001F                  <- all that follows is the same as above
:045A505 66BA0A00              mov dx, 000A
:045A509 66B86200              mov ax, 0062
:045A50D E826C4FAFF            call 00406938
:045A512 DD9B14050000          fstp qword ptr [ebx+514]
:045A518 9B                    wait
:045A519 C783280500000B000000  mov dword ptr [ebx+528], B
:045A523 C7832C050000CE070000  mov dword ptr [ebx+52C], 7CE  <- only 1998 for goldy?


So the check is a chain: the typed string is compared against one 
hardcoded key after another with the same call 004036FC, and a mismatch 
just falls through to the next compare. A match sets two flags, 
[ebx+513] = 1 for "registered" and [ebx+511] = 0 or 1 for normal or gold.

Now come my two solutions for cracking this. First decide whether you 
want a normal version or a gold version of this crap, just for the sake 
of it. For a normal version take the jne at :0045A4A5, for the gold one 
the jne at :0045A4F1.

Now another decision, regarding the evil jump: nop it out, or turn it 
around? The first solution turns 753A into 9090 (see below about 
nopping), the second turns 753A into 743A (75 = jne, 74 = je). The 
second solution has one flaw: if you enter the valid reg. number, then 
the evil jump is taken :-)

Since plain 0x90 nopping (as +ORC taught us) could eventually trigger a 
protectionist 'bait' (it won't of course happen here with such dumb 
programmers, but let's say we are paranoid for the sake of it), and we 
are scared that one day the most stupid protection will turn out to be, 
in reality, the most clever cracker's bait around (protectionists, are 
you reading this?), which will destroy our hard disk and our screen 
(yes, you can destroy a screen through software, it's great fun for 
some viruses :-) as soon as we nop two bytes with the ubiquitous 
0x90... well, here is the "elegant nopping table" for you:

elegant nopping: two bytes nopping: basic


inc ax         40       01000000
dec ax         48       01001000
 - - ~ - -
inc bx         43       01000011
dec bx         4B       01001011
 - - ~ - -
inc cx         41       01000001
dec cx         49       01001001
 - - ~ - -
inc dx         42       01000010
dec dx         4A       01001010


Look at the binary column: the low three bits select the register 
(0 = ax, 1 = cx, 2 = dx, 3 = bx) and bit 3 selects inc (0) or dec (1), 
so each pair adds one and subtracts one from the same register and 
leaves it as it was. In a 32-bit code segment, which is what a Win95 
executable like this one uses, the very same bytes mean inc eax / dec 
eax and so on; the pair still cancels out. One caveat: inc and dec 
write the arithmetic flags (all except CF), so only use the pair where 
no later instruction still depends on the flags of the compare. Here 
the jne we are removing was the only consumer of those flags, so it 
is safe.

Of course there are also 4-byte nops, like FE C0 inc al / FE C8 dec al 
(two bytes each, four for the pair). The more you study opcodes, the 
more you see that you can crack 'secret' Intel opcodes as well; it's 
just like cracking software!
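An added example, not from the essay and not the program's own code: the second approach written as a file patcher in Python, with the "elegant nopping" pair as one of the choices. The image base, the section table and the file offsets are invented for a constructed sample buffer (only the instruction bytes are copied from the listing above; nothing else about the real addweb.exe layout is known here), so on a real target you would read the section headers from the PE header instead. The patcher refuses to write unless the bytes at the target are exactly the `75 3A` the listing shows, which catches a wrong address, a different build, or a file that has already been patched.

```python
# Added example: patch the "evil jump" of the second approach in a file image.
# Everything about layout here is an assumption for a constructed sample;
# only the instruction bytes are copied from the listing in the essay.

IMAGE_BASE = 0x400000
# One fake section: (name, RVA, raw file offset, raw size).  Invented values;
# on a real PE read these from the section headers.
SECTIONS = [("CODE", 0x5A400, 0x400, 0x100)]

LISTING = bytes.fromhex(
    "8B831C050000"      # 045A495  mov eax, [ebx+51C]
    "BA68AB4500"        # 045A49B  mov edx, 0045AB68   ; address of the hardcoded key
    "E85792FAFF"        # 045A4A0  call 004036FC       ; compare with what was typed
    "753A"              # 045A4A5  jne 0045A4E1        ; the "evil jump"
    "C6831305000001"    # 045A4A7  mov byte [ebx+513], 1
    "C6831105000000"    # 045A4AE  mov byte [ebx+511], 0
)
# Constructed file image: 0x400 bytes of "header", then the CODE section,
# whose byte 0x95 corresponds to RVA 0x5A495 (VA 0x45A495).
SAMPLE_EXE = bytes(0x400) + bytes(0x95) + LISTING

EVIL_JUMP_VA = 0x45A4A5
EXPECTED = b"\x75\x3A"   # jne rel8 (+0x3A) as shown in the listing

# The three two-byte replacements discussed above.
PATCHES = {
    "nop":     b"\x90\x90",  # plain nops: the variant +ORC warns might be baited
    "invert":  b"\x74\x3A",  # je: now a *valid* key takes the evil jump
    "elegant": b"\x40\x48",  # inc eax / dec eax (32-bit code): eax net unchanged;
                             # flags other than CF are clobbered, harmless here
                             # because the removed jne was their only user
}


def va_to_offset(va: int, image_base: int = IMAGE_BASE, sections=SECTIONS) -> int:
    """Map a virtual address from the disassembly to a raw file offset."""
    rva = va - image_base
    for _name, sec_rva, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + raw_size:
            return rva - sec_rva + raw_ptr
    raise ValueError(f"VA {va:#x} is not inside any section")


def patch_jump(data: bytes, va: int, mode: str, expected: bytes = EXPECTED) -> bytes:
    """Return a copy of data with the two-byte jump at va replaced.

    Refuses unless the original bytes are exactly what the listing shows, which
    catches a wrong address, a different build, or a file already patched.
    """
    off = va_to_offset(va)
    found = data[off:off + 2]
    if found != expected:
        raise ValueError(
            f"at {off:#x} found {found.hex() or '<eof>'}, expected {expected.hex()}")
    out = bytearray(data)
    out[off:off + 2] = PATCHES[mode]
    return bytes(out)


if __name__ == "__main__":
    patched = patch_jump(SAMPLE_EXE, EVIL_JUMP_VA, "elegant")
    off = va_to_offset(EVIL_JUMP_VA)
    print(f"offset {off:#x}: {SAMPLE_EXE[off:off + 2].hex()} -> {patched[off:off + 2].hex()}")
```

For the gold edition the same call works with the jne at 0x45A4F1; in the constructed sample that address lies past the end of the buffer, so the byte check rejects it, which is the behaviour you want from a patcher pointed at the wrong place. The "invert" mode is included only to show the flaw the text mentions: with je in place, typing a genuine key is what takes the evil jump.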

Final hint: 
            If you want to get back your own unregistered copy of Add Web, 
            then start regedit from Win95 and search for AddWeb. 
            In the subkey Init you find the entry RegNum which, after 
            deletion, gives you your own 'unregistered' version of this 
            target to play with.


Final, final hint:
            One of the interesting things about this essay is that you can
            work a lot even if you don't understand ANYTHING of all this 
            cracking stuff! Learn to crack! It's (often enough) easier 
            than you can imagine.


Final, final, final (and really last) comment: 
            For any suggestions you can reach me at:
                to(point)tristan(at)usa(point)net
            I am currently working on Winimage (anyone working on that? 
            Write me!)

Sorry for my bad English, my native tongue is German, so you can write 
me in German too, Tristan.



All rights released.



-----Tristan--------
(c) Tristan 1997