There is a crack, a crack in everything. That's how the light gets in. |
LED Scroll
Super Scroll
Fading Scroll
Status Scroll
Cool Button
Pulldown Menu
Once installed you have just six uses from it before the program disables
itself.
User RegKey:
RegKey:
When first run the program creates a number of entries in the system registry. The one of interest to us is hidden deep within the registry itself, and even uninstalling the product won't remove it. Notice that this entry has no identifiable features that could be associated with Hot Chilli; this is a common feature of many programs today, hiding the 'expire/counter' information so you won't be able to find it. He he, have they never heard of Regmon? If you still haven't got Regmon then GET IT NOW!
Here's that hidden entry within the Registry file:
HKEY_CURRENT_USER\Windows\#40ADC\6454342\prefs
One entry created:
workTime1 "6" <===== This is the countdown value
The program 'reads' the value for workTime1 and decreases it by one each run until it reaches 1, at which point the program will only let you access the 'Registration Screen'.
You wouldn't go about 'patching' a program so it always 'registers' itself when you type in a fake RegKey if the program uses just one RegKey hard-coded into the program itself. You could, but why would you want to? Likewise, why spend your time decoding the Registration Key routine if a simple NOP (90h) can bypass the whole process? (There are, of course, those rare times when NOPing is not the best way to crack a program.)
Right, we now have a 'Dead Listing' of Hot Chilli. What next? Let's check out the program's String Data References, an excellent source of tasty clues.
Excuse the long listing, but there is a very good reason for this.. :)
String Resource ID=00001:
"Untitled"
String Resource ID=00002:
"OK to overwrite %s"
String Resource ID=65535:
"Floating point overflow"
"
"
"
("
" Delay="
" Flash="
" Starting Action={"
" AMPM"
" Finish="
" HEIGHT="
" Start="
" Style="
" VALUE=""
" VALUE="<"
" VALUE="<5><Color=#000000><left>Please "
" VALUE="<5><Color=#000000><left>This "
" VALUE="UNREGISTERED version of "
"" ( FONT="
"" (Color="
"" VALUE=""
"" VALUE=""
"" value=""
"" VALUE="http://www.internic.com/hotchilli/">"
"" value="IN:LEFTWARD;OUT:LEFTWARD;FONT:TimesRo"
"" VALUE="TimesRoman,PLAIN,12">"
"" VALUE="Unregistered version "
"%.*x"
"%.6x"
"%s[%d]"
"%s_%d"
", FONT SIZE="
", FONT STYLE="
",500;"
".\:"
".wmf"
":mm"
":mm:ss"
";FONT:"
";OUT:"
";PAUSE:"
";STRING:"
"[Y]"
"[YY]"
"\Credit_Card_Orders.hlp"
"\Default.htm"
"\Hchelp.hlp"
"\HotChilli1.class"
"\HotChilli10.class"
"\HotChilli2.class"
"\HotChilli3.class"
"\HotChilli4.class"
"\HotChilli5.class"
"\HotChilli6.class"
"\HotChilli7.class"
"\HotChilli8.class"
"\HotChilli9.class"
"\Settings.txt"
"^[Y]"
"^[YY]"
"^Y]"
"_^["
"_^[Y]"
"_^[YY]"
"|%D"
"} )"
"<!Copyright 1997, Hot Chilli, "
"</APPLET>"
"</BODY></HTML>"
"<Color=#"
"<down>"
"<explode>"
"<HTML><HEAD><TITLE>Hot Chilli "
"<HTML><TITLE>Hot Chili Applet "
"<left>"
"<nervous>"
"<none>"
"<P><B>"
"<PARAM NAME="BackColor" value=""
"<param name="bgcolor" value=""
"<PARAM NAME="bgColor" VALUE="black">"
"<PARAM NAME="Blue" VALUE=""
"<PARAM NAME="BorderColor" value=""
"<PARAM NAME="BorderWidth" value=""
"<PARAM NAME="BTEXT" VALUE=""
"<param name="changefactor" value=""
"<PARAM NAME="DISABLED" VALUE="false">"
"<PARAM NAME="font"
"<PARAM NAME="Green" VALUE=""
"<PARAM NAME="LEDSize" value=""
"<PARAM NAME="link"
"<PARAM NAME="number" VALUE=""
"<PARAM NAME="Red" VALUE=""
"<PARAM NAME="Speed" value=""
"<PARAM NAME="target" VALUE=""
"<PARAM NAME="TARGET" VALUE=""
"<PARAM name="Text"
"<PARAM NAME="text"
"<PARAM name="Text"
"<PARAM NAME="text"
"<PARAM NAME="TEXT" VALUE=""
"<param name="txtcolor" value=""
"<PARAM NAME=bgcolor VALUE="#"
"<PARAM NAME=bgcolor VALUE="getBackground()">"
"<PARAM NAME=font VALUE=""
"<PARAM NAME=line"
"<PARAM NAME=NUMBER VALUE=""
"<PARAM NAME=REFRESH VALUE="5">"
"<PARAM NAME=size VALUE=""
"<PARAM NAME=style VALUE=""
"<PARAM NAME=TEXT"
"<right>"
"<Right>"
"<sine-wave>"
"<up>"
"0"
"0,0,0"
"000000"
"1765-7654-8765"
"192,192,192"
"255,0,0"
"AMPM "
"Bitmap"
"bmp"
"BOLD"
"Bold,"
"BtnWndProc3d"
"BUTTON"
"C:\WINDOWS\winhlp32.exe "
"Check1"
"Check2"
"Color:"
"Color="
"COMBOBOX"
"comctl32.dll"
"commdlg_FindReplace"
"commdlg_help"
"ControlOfs%.8X%.8X"
"CTL3D32.DLL"
"Ctl3dAutoSubclass"
"Ctl3DColorChange"
"Ctl3dCtlColorEx"
"Ctl3dDlgFramePaint"
"Ctl3dRegister"
"Ctl3dSubclassCtl"
"Ctl3dSubclassDlgEx"
"Ctl3dUnAutoSubclass"
"Ctl3dUnregister"
"Data"
"Default"
"Delphi Component"
"Delphi Picture"
"Delphi%.8X"
"dh@"
"DOWNWARD"
"EDIT"
"emf"
"Error"
"False"
"ffffff"
"FFFFFF"
"FileEditStyle"
"Finishing Action={"
"FLASH:500,"
"font"
"FPUMaskValue"
"ggg"
"Hchelp.hlp"
"Hot Chilli V2.5 - Registered "
"Hot Chilli V2.5"
"Hot Chilli will now copy to your "
"http://"
"ico"
"IDH_how_to_register"
"IDH_table_of_contents"
"Image"
"IMM32.DLL"
"ImmGetCompositionStringA"
"ImmGetContext"
"ImmGetConversionStatus"
"ImmIsIME"
"ImmNotifyIME"
"ImmReleaseContext"
"ImmSetCompositionFontA"
"ImmSetCompositionWindow"
"ImmSetConversionStatus"
"ImmSetOpenStatus"
"IN:"
"Incorrect Key!"
"InitCommonControlsEx"
"IsControl"
"ITALIC"
"Italic,"
"JumpID("","%s")"
"l`A"
"layout text"
"Left"
"LEFTWARD"
"line"
"link"
"LISTBOX"
"m/d/yy"
"MAINICON"
"MDICLIENT"
"Message"
"mmmm d, yyyy"
"msctls_statusbar32"
"msctls_trackbar32"
"nil"
"NONE"
"OWNER"
"p`@"
"PixelsPerInch"
"PLAIN"
"Plain"
"Plain,"
"Please select a browser for previewing "
"prefs"
"RegisterAutomation"
"Registered Version"
"RIGHTWARD"
"Runtime error at 00000000"
"ShortCutText"
"Software\Borland\Delphi\Locales"
"SOFTWARE\Borland\Delphi\RTL"
"SpinDown"
"SpinUp"
"Strings"
"SVW"
"SVWU"
"SysTabControl32"
"System\CurrentControlSet\Control\Keyboard "
"TApplication"
"TEXT"
"text"
"text"
"Text"
"TextHeight"
"The contents of the file will "
"The evaluation period for Hot "
"Top"
"TPUtilWindow"
"True"
"UPWARD"
"USER32"
"vcltest3.dll"
"Windows\#40ADC\6454342"
"WINNLSEnableIME"
"wmf"
"WndProcPtr%.8X%.8X"
"workTime"
"workTime1"
"XINWARD"
"XLEFTWARD"
"XOUTWARD"
"XRIGHTWARD"
"XROUTWARD"
"Y"
"YDOWNWARD"
"YINWARD"
"You must first click the "Add" "
"You must first open a file"
"You must first open a HTML file."
"YOUTWARD"
"YRINWARD"
"YROUTWARD"
"YUPWARD"
"YY]"
"yyyy"
If you have quickly scrolled down this window without properly looking at the above then you will have missed some huge clues to how a cracker will decide to crack this program. In fact, looking at the above string resource data allowed me to crack this program without even looking at the actual code W32Dasm had created for me!
Let's first state what we know about the target program from a cracker's point of view..
1. The User RegKey will accept 50 characters in total.
2. The RegKey Code will accept any number of characters, most likely consisting of alphanumeric characters.
3. We can't be certain at this point whether this RegKey is based on the User name or whether it is generated internally based on some sort of product serial code.
4. We can be certain that it's storing the 'times the program has been used' counter somewhere in the System Registry.
Before proceeding on with this essay make
a note of possible clues you can gain about the protection system used
in this program from the above String Resource Data. I will wait here until
you've finished...
Time passes....
OK, did your notes contain these two items?
"1765-7654-8765"
"Windows\#40ADC\6454342"
They should have, because if you had read my last essay I said that the first things I do when looking at the String Resource Data from W32Dasm are:-
1. Any sequence of alphanumeric characters that resembles a Keycode; you never know..:)
2. Locations and names of any .ini files and, more importantly, the references to any items of data that get posted into the system registry.
3. References to any likely 'Beggar off' or 'Thanks for buying' messages; these will help to pinpoint the associated routines within the program. They are like neon signs saying 'crack me, crack me' to crackers!
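The three priorities above can be turned into an automatic pass over a release build, which is how a developer catches a hard-coded key or a tell-tale registry path before anyone else does. The Python below is an added example written for this page, not code from the essay, from W32Dasm or from Hot Chilli's author: the SAMPLE_BINARY bytes are constructed for the demonstration and only borrow a few strings from the listing above, and the three regular expressions are one plausible encoding of the three priorities, not anything the essay defines.

```python
import re

# Constructed sample standing in for the data section of a release build:
# a few strings from the listing above, padded with non-printable bytes.
# It is not a dump of Hot Chilli.
SAMPLE_BINARY = (
    b"\x00\x01\x02MZ\x90\x00"
    b"Incorrect Key!\x00\x00"
    b"\x55\x8b\xec"
    b"1765-7654-8765\x00"
    b"\x00\xff\xfe"
    b"Windows\\#40ADC\\6454342\x00"
    b"workTime1\x00"
    b"Software\\Borland\\Delphi\\Locales\x00"
    b"Registered Version\x00"
    b"The evaluation period for Hot Chilli has expired\x00"
    b"\x90\x90\x90"
    b"comctl32.dll\x00"
    b"\\Settings.txt\x00"
)

MIN_LEN = 4  # shortest run of printable bytes worth reporting


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return every run of printable ASCII of at least min_len bytes, in file
    order. This is the same view a 'String Data References' listing gives."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Priority 1: groups of alphanumerics separated by dashes, the shape of a
# hand-typed key such as the one in the listing.
SERIAL_RE = re.compile(r"^[A-Z0-9]{3,6}(?:-[A-Z0-9]{3,6}){2,}$", re.I)
# Priority 2: .ini file names and registry-style paths.
STORAGE_RE = re.compile(r"\.ini$|(?:^|\\)(?:Software|Windows)\\|HKEY_", re.I)
# Priority 3: wording that marks the registration / evaluation logic.
MESSAGE_RE = re.compile(
    r"registr|register|evaluation|expire|trial|incorrect key|thank", re.I)


def triage(data: bytes) -> dict[str, list[str]]:
    """Bucket the printable strings of a binary by the three priorities.
    A string may land in more than one bucket."""
    found: dict[str, list[str]] = {
        "serial_like": [], "storage_refs": [], "messages": []}
    for s in extract_strings(data):
        if SERIAL_RE.match(s):
            found["serial_like"].append(s)
        if STORAGE_RE.search(s):
            found["storage_refs"].append(s)
        if MESSAGE_RE.search(s):
            found["messages"].append(s)
    return found


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_BINARY).items():
        print(f"{bucket}:")
        for hit in hits:
            print(f"    {hit}")
```

Against a real file use triage(open(path, "rb").read()). Anything in serial_like deserves a second look before shipping, because a constant in that bucket is usable by whoever reads the listing; storage_refs shows where the program keeps its state, and the message bucket is less conclusive on its own but shows where the registration logic sits, which is why the essay reads it the same way.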
Taking the first priority, "any sequence of alphanumeric characters that resembles a keycode". Doesn't this string reference, "1765-7654-8765", look like a registration code to you? You would be amazed just how many programs still use hard-coded registration numbers within their code AND, what's more, the programmer hasn't bothered trying to hide them!
There's only one way to find out.. Run up Hot Chilli, enter your name or handle in the User RegKey, then, in the RegKey Code, type in this number: 1765-7654-8765
Yep, that's right, it's the keycode the program was looking for! Once you've pressed the 'Register' button the program won't display any 'Thank you for purchasing this product etc.' message, but rest assured it's been registered.. Now quit the program and re-run it; this will allow the program to update the System Registry with the new details.
Is this the end of this essay? No, we still want to learn a bit more about it so that if we come across another similar product from the authors we will know how to deal with it without wasting our time starting from scratch again..
Taking my second priority, locations and names of any .ini files and, more importantly, the references to any items of data that get posted into the system registry.
We want to know what entries in the System Registry this program uses for its protection system, that annoying '6 times you can use it and you're out' counter.
"Software\Borland\Delphi\Locales"
"SOFTWARE\Borland\Delphi\RTL"
"Windows\#40ADC\6454342"
If you now go into your System Registry using C:\Windows\RegEdit.exe and look for the above entries you will quickly see that:
"HKEY_CURRENT_USER\Windows\#40ADC\6454342\prefs"
now contains:-
id "YOUR ENTERED NAME/HANDLE"
workTime1 "1234"
What the program did when it was registered was to insert your entered name/handle under the id heading, then, in the variable workTime1 (which up until now had been used as a countdown), it placed the value "1234".
The significance of workTime1 = "1234" becomes clearer if you delete this entry key, in which case when you re-run Hot Chilli it will go back to being unregistered! So, if we now manually re-enter this string ourselves in the same place within the System Registry and re-run Hot Chilli again, it will become fully registered again!! Had we known of this beforehand we could have simply done this in the first place and not bothered with anything else..
We don't need to bother with my third and fourth priorities since we've done the job we originally set out to do. However, we could still examine the code to see what other 'gems' may lurk behind the jungle of code.
Job Done.....
Registration payment of US$29.95 sounds about right for this homepage utility, but if the author is reading this then may I suggest you at least try to hide the registration code; even using the well-known XOR method would be better than nothing.
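To make that suggestion concrete, here is what each option leaves behind in the executable, as an added Python example written for this page rather than code from Hot Chilli or its author. The essay only names XOR as a minimum; the mask byte 0x5A, the normalization rule and the SHA-256 digest scheme are this example's own assumptions.

```python
import hashlib
import hmac

# The key the essay found in the string table, reused here as the demo secret.
PLAINTEXT_KEY = "1765-7654-8765"


def verify_plaintext(entered: str) -> bool:
    """What Hot Chilli effectively does: compare against a literal constant,
    so the constant is readable in any string listing of the binary."""
    return entered.strip() == PLAINTEXT_KEY


# The "well known XOR method": store the key XORed with a fixed byte.
XOR_MASK = 0x5A  # assumed mask for the demo; any byte behaves the same way
OBFUSCATED_KEY = bytes(b ^ XOR_MASK for b in PLAINTEXT_KEY.encode())


def verify_xor(entered: str) -> bool:
    """The plaintext no longer shows up in a string dump, but the program must
    undo the XOR to compare, so mask and routine ship in the binary and the
    key is one short loop away from anyone who reads the code."""
    recovered = bytes(b ^ XOR_MASK for b in OBFUSCATED_KEY).decode()
    return entered.strip() == recovered


def normalize(entered: str) -> str:
    """Canonical form before hashing, so stray whitespace or case in the
    dialog does not reject a valid key (assumed rule)."""
    return entered.strip().upper()


# Digest scheme: only the SHA-256 of the key ships in the binary. It is
# computed from PLAINTEXT_KEY here so the demo is self-contained; a real
# build embeds the hex constant and never contains the key text at all.
KEY_DIGEST = hashlib.sha256(normalize(PLAINTEXT_KEY).encode()).hexdigest()


def verify_digest(entered: str) -> bool:
    """Hash what the user typed and compare digests in constant time."""
    candidate = hashlib.sha256(normalize(entered).encode()).hexdigest()
    return hmac.compare_digest(candidate, KEY_DIGEST)


def embedded_constants(scheme: str) -> bytes:
    """The bytes each scheme leaves in the data section (constructed view)."""
    return {
        "plaintext": PLAINTEXT_KEY.encode(),
        "xor": OBFUSCATED_KEY + bytes([XOR_MASK]),
        "digest": KEY_DIGEST.encode(),
    }[scheme]


def key_visible_in(blob: bytes) -> bool:
    """Would a string listing of this blob show the key exactly as typed?"""
    return PLAINTEXT_KEY.encode() in blob


if __name__ == "__main__":
    for scheme in ("plaintext", "xor", "digest"):
        visible = key_visible_in(embedded_constants(scheme))
        print(f"{scheme:10s} key readable in string listing: {visible}")
    print("digest check accepts key:", verify_digest(" 1765-7654-8765 "))
    print("digest check rejects typo:", not verify_digest("1765-7654-8766"))
```

Two caveats belong with the digest version. A key of this shape has only about 10^12 possible values, so the digest can still be brute-forced offline; a key that is stored only as a hash needs far more entropy than a twelve-digit number. And the check is still a single conditional jump, exactly the NOP target the essay mentions, so removing the constant from the string table closes the shortcut this essay used and nothing more.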
My thanks and gratitude go to:
Fravia+ for providing possibly the greatest
source of Reverse Engineering
knowledge on the Web.
+ORC for showing me the light at the end
of the tunnel.