HTMLGate 4 - Tutorial by RUSKiE

"There are not enough polite words for me to use to describe this protection, so I won't attempt to. Listen to me Mr Pham, NOT 1 person is EVER going to buy your product when you protect it like this (it's sad but true); if you have any respect at all for your abilities as a coder then for God's sake PROTECT your work immediately." "This document oh-so-slightly edited by CrackZ - welcome aboard RUSKiE :)".

http://members.xoom.com/mp_home - Webpage.
htmlgate4.exe (1,138k).

Introduction

Welcome to my first tutorial for CrackZ's Reverse Engineering Page for Newbies. This tutorial is for HTMLGate 4, an HTML editor. Here's a brief description of the program:

- 32-bit program
- Templates
- Edit more than one document
- Dialog box to all HTML tags
- User defined HTML tags
- JavaScript Editor
- DHTML Samples

And much more. Let's run the program. A nag screen is displayed asking for a name and a password. Type in a name and a password (I used RUSKiE and 1234567890) and click Register. Of course, the "Wrong Password!" dialog box is displayed.

Set a breakpoint with BPX MessageBoxA and click Register again. This time SoftICE breaks on the MessageBoxA call. Press F12 three times, remembering to click OK on the "Wrong Password!" box after the first press of F12. Each F12 returns you one level up the call chain, so you land in the program's own code just after the call at 004A5CE7 that led to MessageBoxA:

015F:004A5CA4 MOV EAX,[EBP-04]
015F:004A5CA7 MOV EDX,004A5D18
015F:004A5CAC CALL 00403D20     <-- Check password.
015F:004A5CB1 JNZ 004A5CD4      <-- Bad Guy.
015F:004A5CB3 PUSH 00
015F:004A5CB5 MOV ECX,004A5D20  <-- HTMLGate.
015F:004A5CBA MOV EDX,004A5D2C  <-- Thanks! For register HTMLGate 4.
015F:004A5CBF MOV EAX,[004CA2C4]
015F:004A5CC4 MOV EAX,[EAX]
015F:004A5CC6 CALL 0043374C
015F:004A5CCB MOV EAX,EBX
015F:004A5CCD CALL 00431468
015F:004A5CD2 JMP 004A5CEC      <-- Good Guy.

======================================

015F:004A5CD4 PUSH 00
015F:004A5CD6 MOV ECX,004A5D20  <-- HTMLGate.
015F:004A5CDB MOV EDX,004A5D4C  <-- Wrong Password!.
015F:004A5CE0 MOV EAX,[004CA2C4]
015F:004A5CE5 MOV EAX,[EAX]

Scroll up through the disassembly until you reach the JNZ at 004A5CB1, which jumps to the bad-guy code at 004A5CD4 whenever the zero flag is clear. That flag is set by the CALL 00403D20 just above it, which compares the password we typed (EAX, loaded from [EBP-04]) against the string at 004A5D18 (EDX). Clear the previous breakpoint (BC *) and BPX 004A5CAC.

Click Register again and SoftICE breaks at 004A5CAC. Press F8 to trace into the call; the start of the routine is shown below:

015F:00403D20 PUSH EBX
015F:00403D21 PUSH ESI
015F:00403D22 PUSH EDI
015F:00403D23 MOV ESI,EAX       <-- ESI = 1234567890
015F:00403D25 MOV EDI,EDX       <-- EDI = pham   
015F:00403D27 CMP EAX,EDX 
015F:00403D29 JZ 00403DBE

Step through with F8 and watch the registers. MOV ESI,EAX at 00403D23 leaves ESI pointing at our fake password, and MOV EDI,EDX at 00403D25 leaves EDI pointing at the string 'pham'. The CMP EAX,EDX / JZ that follows is only a shortcut for the case where both pointers are identical; the rest of the routine (not shown) does the real comparison and sets the flags that the JNZ at 004A5CB1 tests. I mean, pham? Surely that can't be the password? Re-run the register applet and enter 'pham' (without the quotes) as the password. Registered! Changing the name of the registered person has *no* effect: the password is always the same, whatever the name, because the name never enters the comparison. But why pham? I realised later that it's the surname of the author, Michael Pham. The word is only four letters long, so it is easy to spot once you are watching the registers.

This probably goes down as one of the stupidest protections around: not only a hard-coded password, but one that is easily guessed. After cracking it with SoftICE I had a quick look at a dead listing of the code in W32Dasm. I only wish I had done that first, because the password sits in the string references for all to see, right next to the message-box text.
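To show why the dead listing gives the game away, here is an added example (my own script, not code from the tutorial or from HTMLGate 4 itself). It reconstructs the data the listing references and scans it the way a W32Dasm string-reference list or a strings dump would, then mirrors the check the disassembly performs. Two assumptions are inferred from the addresses in the listing and were not verified against htmlgate4.exe: the four literals are plain NUL-terminated, 4-byte-aligned strings (the addresses 004A5D18, 004A5D20, 004A5D2C and 004A5D4C fit exactly under that layout), and the trailing periods in the listing's comments are the author's punctuation rather than part of the strings. The data segment below is constructed, not extracted from the binary.

```python
"""
Added example, not code from RUSKiE's tutorial or from HTMLGate 4 itself.

Assumed (inferred from the listing's addresses, not verified against the
binary): the four literals are NUL-terminated, 4-byte-aligned strings, and the
trailing periods in the listing's comments are punctuation, not string data.
"""
from typing import Dict, List, Tuple

BASE = 0x004A5D18  # virtual address of the first literal in the listing

# Constructed data segment: each literal at the address the disassembly loads.
LITERALS: Dict[int, bytes] = {
    0x004A5D18: b"pham",                              # EDX for CALL 00403D20
    0x004A5D20: b"HTMLGate",                          # message box caption
    0x004A5D2C: b"Thanks! For register HTMLGate 4",  # good-guy message
    0x004A5D4C: b"Wrong Password!",                   # bad-guy message
}


def build_segment(literals: Dict[int, bytes], base: int = BASE) -> bytes:
    """Lay NUL-terminated literals at their absolute addresses, zero-filling gaps.

    Raises ValueError if two literals would overlap, which is the sanity check
    that the assumed layout really fits the addresses in the listing.
    """
    end = max(addr + len(s) + 1 for addr, s in literals.items())
    buf = bytearray(end - base)
    for addr, s in literals.items():
        off = addr - base
        if any(buf[off:off + len(s) + 1]):
            raise ValueError(f"literal at {addr:#010x} overlaps another")
        buf[off:off + len(s)] = s
    return bytes(buf)


def extract_strings(blob: bytes, base: int = BASE, min_len: int = 4) -> List[Tuple[int, str]]:
    """'strings'-style scan: runs of at least min_len printable ASCII bytes, with their VA."""
    found: List[Tuple[int, str]] = []
    start = None
    for i, b in enumerate(blob + b"\0"):  # sentinel closes a run at the very end
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                found.append((base + start, blob[start:i].decode("ascii")))
            start = None
    return found


def strings_near(blob: bytes, marker: str, window: int = 0x40, base: int = BASE) -> List[str]:
    """Strings stored within `window` bytes before `marker`.

    In a dead listing the failure message is the easy thing to find; whatever
    the compiler placed just before it is what the check compared against.
    """
    strings = extract_strings(blob, base)
    matches = [addr for addr, s in strings if s == marker]
    if not matches:
        raise ValueError(f"{marker!r} not present in segment")
    marker_addr = matches[0]
    return [s for addr, s in strings if 0 < marker_addr - addr <= window]


def check_password(name: str, password: str) -> bool:
    """The check as the listing shows it: a fixed string compare, name ignored."""
    del name  # never reaches the comparison at 004A5CAC
    return password == LITERALS[0x004A5D18].decode("ascii")


def register(name: str, password: str) -> Tuple[str, str]:
    """Caption and message the paths at 004A5CB3 / 004A5CD4 hand to the message box."""
    caption = LITERALS[0x004A5D20].decode("ascii")
    if check_password(name, password):
        return caption, LITERALS[0x004A5D2C].decode("ascii")
    return caption, LITERALS[0x004A5D4C].decode("ascii")


if __name__ == "__main__":
    segment = build_segment(LITERALS)
    for addr, s in extract_strings(segment):
        print(f"{addr:#010x}  {s!r}")
    print("stored just before 'Wrong Password!':", strings_near(segment, "Wrong Password!"))
    print(register("RUSKiE", "1234567890"))
    print(register("RUSKiE", "pham"))
```

Run as-is it lists the four literals at their addresses and reports 'pham' among the strings sitting just in front of "Wrong Password!", which is exactly the neighbourhood a string-reference search in W32Dasm would have drawn the eye to; `register` confirms that the name plays no part in the outcome.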

RUSKiE (ruskie@connectfree.co.uk)

You have finished reading another tutorial courtesy of CrackZ's Reverse Engineering Page.


© 1999 RUSKiE. Hosted by CrackZ, 14th June 1999.