There is a crack, a crack in everything. That's how the light gets in.
"WebTrimmer Lite: the serious HTML optimizer. Uses nearly 200 custom filters to radically reduce the size of HTML documents. Average reductions of 20 percent based on mixed output from various authoring tools. Fully configurable optimization options and built-in multiple-file, multiple-term search-and-replace engine. Shareware version optimizes one file per pass (analysis mode allows unlimited files). Single user license $25. Win95/NT only. Ver. 1.10a."
You might also wish to view his opinions and views on Software Copyrights; they are well worth a few minutes of your reading time.
Once registered, this program uses a simple wtlite.ini file (stored in the same directory as the program itself) to record the fact that you have *registered* it.
Here's what the program adds to the ini file on successful *registration*:
[General Options]
WriteDetailedStats=1
UsedOnce=1
OutputReport=1
LastDirectory=C:\Homepage
DefaultBrowser=C:\Program Files\Netscape\Communicator\Program\netscape.exe
LastWrittenReport=C:\PROGRAM FILES\WEBTRIMMER\WTLITE.r02
UserInfo=#r79Z(!P+    <==== *OUR REGKEY HERE!*
Let's *crack* this babe using TWO different ways. I could use more, but let's keep things as simple as possible for now.
*CRACK METHOD ONE* - Searching for the Hard Coded Serial No.
Hard coded serial numbers/passwords/registration keys refer to the fact that the programmer has used just one serial number or password to register his program with. Nine times out of ten he will not even bother trying to hide this serial/password from you, so any utility that can display ASCII will reveal the exact sequence of letters/numbers used to register the program. If you can load this program into a hex editor then that's about as hard as it gets to *crack* this program: you don't even have to understand any assembler code or do any tracing of the target program's code.
If you're a newbie then here's how you might *crack* this program using this *crack* method...
1. Create a 'Dead Listing' of this program using W32Dasm.
2. Examine the program's String Data Resources.
You will see a large list of the following sequence of characters that looks like possible serial numbers:
"Custom Search and Replace manager?"
"Discard any changes and close "
"#000000"
"#000080"
"#00008B "
"#0000CD "
"#0000FF"
"#006400 "
"#008000"
"#008080"
"#008B8B "
"#00BFBF "
"#00CED1 "
"#00FA9A "
"#00FF00"
"#00FF7F "
If you now locate where these alpha-numeric characters are used then you will see something like this:
* Possible StringData Ref from Code Obj ->"black"
:00460B9B BA9C224600    mov edx, 0046229C
:00460BA0 E8772DFAFF    call 0040391C
:00460BA5 7511          jne 00460BB8
:00460BA7 8BC3          mov eax, ebx
* Possible StringData Ref from Code Obj ->"#000000"
:00460BA9 BAAC224600    mov edx, 004622AC
:00460BAE E8352BFAFF    call 004036E8
:00460BB3 E996160000    jmp 0046224E
Look above and below this code snippet and you will quickly realize that these sequences of alpha-numeric codes are in fact the hex codes for colours that can be used within our web pages. We can now discount these alpha-numeric characters and go back to searching for the *real* product code, if it hasn't been encrypted that is..:)
Eventually you might come to this section within the String Data Resources...
"> <"
"-->"
"0"
"0xFFFFFFFF"
"2.1"
"6093257"
"9Restoration was not completely "
"A file by this name already exists. "
"A files list also exists. Should "
"A files list exists from a previous "
"A valid term or term pair must "
"A/P"
"Abort requested"
"Abort the optimization process?"
"About to clear current files list"
"About to record new directory"
"About to reset all options"
Can you see the String Reference "6093257"? It's a likely candidate for the Product Code that we're seeking.
From here on marks the difference between a *cracker* and someone who is just looking for a serial number to illegally register their software.
Let's now find out where in the target program this number is used:-
* StringData Ref from Code Obj ->"Enter your product serial number:"
:0047700C BAD8704700      mov edx, 004770D8               ;Dialog Title
* StringData Ref from Code Obj ->"Registration code entry"
:00477011 B804714700      mov eax, 00477104               ;Dialog Input box
:00477016 E809BAFDFF      call 00452A24                   ;Create our Dialog
:0047701B 84C0            test al, al                     ;Did User press the 'Cancel' button?
:0047701D 0F8486000000    je 004770A9                     ;Jump if 'Cancel'
:00477023 8B45FC          mov eax, dword ptr [ebp-04]
* StringData Ref from Code Obj ->"6093257"
:00477026 BA24714700      mov edx, 00477124               ;Mem location of the Product Code!
:0047702B E8ECC8F8FF      call 0040391C                   ;Compare the Product Code expected by the program with the one we've typed in
:00477030 755E            jne 00477090                    ;If our Product Code is Not Equal to the one expected by the program then Beggar off Cracker
:00477032 68A0C84700      push 0047C8A0                   ;From here prepare, then save to the ini file, the details that show that the User has registered the program
:00477037 682C714700      push 0047712C                   ;==>"#r79Z(!P+"
:0047703C 6838714700      push 00477138                   ;==>"UserInfo"
:00477041 68C0BB4700      push 0047BBC0                   ;==>"General Options"
:00477046 E865E1F8FF      call 004051B0                   ;SAVE TO INI FILE
:0047704B C605ACCB470001  mov byte ptr [0047CBAC], 01     ;*REG FLAG*
:00477052 8D85FCFDFFFF    lea eax, dword ptr [ebp+FFFFFDFC]
* StringData Ref from Code Obj ->"Thank you for registering WebTrimmer. "
:00477058 BA4C714700      mov edx, 0047714C               ;"THANK YOU FOR...."
:0047705D E8CAFAF8FF      call 00406B2C
Look! Everything we want to know about this program's protection system is here in this tiny section of code, right from creating the Registration Dialog Box to saving the all-important entry to the .INI file.
We can now be certain that the Product Code requested by the target program is "6093257". This is just another way of saying Serial Number; the program happens to call it a Product Code.
If you now decide to ignore the rest of this essay because you have the Product Code to register this program with, then you will have learned nothing about this program and you've been wasting your time reading this page, since the serial number can be found elsewhere on the web without you having to bother reading anything.
*CRACK METHOD TWO* - Nop'ing a jump instruction.
Nop'ing a conditional jump is a method commonly used in *cracking* to prevent the target program from jumping to the 'beggar off cracker' routines when we fail to register the program with the correct serial number/password.
It is not a 100% way of cracking a program, since there are many factors to take into consideration before this method can work. Fooling the program into *registering* itself can sometimes result in the program saving the 'dummy' serial number we typed to the System Registry or ini file; when you re-run the target program it will see the dummy serial number, treat it as an invalid entry and proceed thereafter as still being unregistered.
From the programmer's point of view: even if the serial number was found to be 'correct' earlier on in the program's code, when it comes to saving the result to the Registry or ini file they should always save the serial number typed in by the USER, instead of automatically saving the *real* serial number generated by their program. This would then prevent anyone from simply diverting their code to the 'Good Guy' routines with a simple nop'ing out of their conditional jump instruction.
In the case of this particular program the programmer should NEVER use a simple string to denote that the program has been registered, because a simple nop'ing of the jne instruction at memory location :00477030 will defeat the program's protection system as easily as A, B, C.
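The programmer's-side point above, as an added example that is not WebTrimmer's code: the first scheme writes a fixed 'magic' token once the compare has passed, so a single diverted compare is remembered forever; the second saves what the user typed and re-validates it on every start-up, so a diverted compare does not survive a restart. The expected key, the in-memory stand-in for wtlite.ini and the `compare_bypassed` flag are all constructed for the illustration.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed stand-ins: a hypothetical key and the kind of fixed 'magic'
 * string the essay warns against writing to the ini file. */
#define EXPECTED_KEY "EXAMPLE-KEY-0001"
#define MAGIC_TOKEN  "REGISTERED"

/* Stands in for the UserInfo= entry of wtlite.ini. */
typedef struct { char user_info[64]; } IniFile;

static bool key_is_valid(const char *typed) {
    return strcmp(typed, EXPECTED_KEY) == 0;
}

static void store(IniFile *ini, const char *value) {
    strncpy(ini->user_info, value, sizeof ini->user_info - 1);
    ini->user_info[sizeof ini->user_info - 1] = '\0';
}

/* Weak scheme: decide once, then persist a constant token.
 * compare_bypassed models the conditional jump after the compare being
 * skipped, so the 'good guy' path runs even for a wrong key. */
bool weak_register(IniFile *ini, const char *typed, bool compare_bypassed) {
    if (!key_is_valid(typed) && !compare_bypassed) return false;
    store(ini, MAGIC_TOKEN);
    return true;
}
bool weak_is_registered(const IniFile *ini) {
    return strcmp(ini->user_info, MAGIC_TOKEN) == 0;  /* trusts the saved token */
}

/* Robust scheme (the essay's advice): persist only the USER's input and
 * re-run the real check every time the program starts. */
bool robust_register(IniFile *ini, const char *typed, bool compare_bypassed) {
    if (!key_is_valid(typed) && !compare_bypassed) return false;
    store(ini, typed);
    return true;
}
bool robust_is_registered(const IniFile *ini) {
    return key_is_valid(ini->user_info);  /* a bypassed compare leaves a bad key behind */
}
```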
Back to our target program....
If we examine the above snippet of code again we can see where the program decides whether or not our entered Product Code is correct, using a jne (Jump If Not Equal) instruction based on the result of comparing 'our' entered Product Code to the one it expects:-
:00477026 BA24714700      mov edx, 00477124               ;Mem location of the Product Code!
:0047702B E8ECC8F8FF      call 0040391C                   ;Compare the Product Code expected by the program with the one we've typed in
:00477030 755E            jne 00477090                    ;If our Product Code is Not Equal to the one expected by the program then Beggar off Cracker
Since we can see that, on finding that the Product Code entered by the User is correct, the program will save the 'magic' string to its wtlite.ini file without any further checks, we can simply nop out the 'Jump Not Equal' instruction at memory location :00477030 so that, regardless of whether or not the program found our Product Code correct, it will STILL save to the ini file the 'magic' string that identifies this program as being registered.
So to *crack* this program using this second method, all we would do is load WebTrimmer into a hex editor and:
Search for the bytes: E8ECC8F8FF755E
THEN REPLACE WITH: E8ECC8F8FF0000
Fravia+ for providing possibly the greatest source of Reverse Engineering knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.