Courtesy of Fravia's page of reverse engineeringWell, have a look... pretty interesting reverse enginnering
Courtesy of Fravia's page of reverse engineeringDifficulty: Beginner
Time to Fish: 1-2 hours
Tools: RegistryMonitor, Hexpert32, W32dasmXX
Comments: Not too difficult of a patch, in fact, only 1 byte needs to be
changed inorder for this program to run forever.
Preamble:
In the world of programming, there are several different forms of code
that are produced. Most often, these are seen as .dll, .exe, .com, ...
Yet today, I am going to introduce you to another form of program. The
Photoshop Filter (.8bi) program.
Target information: (From their web site)
Pegasus' flag ship compression tool PICPRESS is now available within
Adobe Photoshop! Creates smaller JPEGs, Progressive JPEGs and PIC images!
Pegasus JPEG files are 10% to 30% smaller than standard JPEGs created for
other programs. Create thumbnails and a full size representation at the
same time. Preview the results before compressing! New version works with
Photoshop 4.0. Includes 10 Trial Compressions! The Better JPEG Plug-in!
They got that right! Photoshop has the *worst* jpg compressor I've ever
seen in my entire life! Before Adobe bout Aldus out, Aldus made a program
called Photostyler. They had a slide-adjustable quality factor for jpgs,
made small images at great sharpness. BUT the conglomerant adobe couldn't
stand the competition, so they bought them out. Now, Photoshop 4, instead of
having improved by that technology, has plowed ahead with their own, outdated
compressors and outdated items... so much for development.
Enter PicPress
PicPress is *the* best image compressor i have ever seen...i see
about a 50% increase in savings. Smaller images mean faster downloads
and less wasted bandwidth. This translates to more enjoyable websurfing
with less wait.
From the info that they provide, we know that we are given 10 Free
compressions. Translating this, there are 3 different ways it can count
out our number of uses.
1) Write to the registry.
2) Write to the some .ini file
3) Hide it in the windows.ini file, under some bogus name/info
Start Photoshop. After this monstrous program boots, load any image,
choose File->Save As. Scroll down to where our .jpg (pegasys) is listed,
and before hitting enter, start all our monitoring programs. It truly helps
to filter these entries (you'll see all the relevant info scroll across
the screen like this) (I've highlited in blue the important parts, and in red
the parts that _may_ be important...)
Allright! What did we learn from looking at this? There are a few
numerical places where the hidden/encrypted trials may be saved. Why
are we sure it is in the registry and not in another file ? Well,
all our other snooping revealed _no_ file access. That leaves these
interesting calls to the registry. At log entry 713 we
see a blatant pointer to OWNERREGISTRATION. Hmmmm....what could this be?
Lets turn our attention to the trial encryption. In only one place,
is one key read, modified, then read again. This is at logs locations
716, 722, 728. When we run this filter again, we find that
the same key is read, modified, then read again. Except that the value is
decremented by one. *This* is our key.
Now, the way i traced this call was extremely laborious. I went into W32dasm,
and searched for all the error messages i could find. There were lots... :(
Lets try some zen: If i was a lazy programmer, and i wanted a simple simple
simple, simple, simple, _simple_ protection, i would probably write it like
this:
int trial_run=0;
int trial_enc= some random number (here it will be 2005);
trial_run = trial_enc -
homepage links
anonymity
+ORC students' essays tools
cocktails antismut search_forms mailFraVia
is reverse engineering legal?