A nasty protection
Well, my first natural reaction, like that of Miguel Neto, was of anger against Intermania (Portland, Oregon) and its product (HTMLPad, version 2.6), yet, come to think of it from the perspective of the 'larger scheme of things', this is actually not a bad idea at all for a (lame but working) protection scheme.
In fact no 'real' cracker would have any difficulty in cracking any protection scheme, however complex, therefore concentrating on 'heavy' protection schemes does not make much sense. See: shareware authors are not losing money because a couple of dozen real crackers, out there, study (or even explain to other 'studiosi') their protection schemes; they are losing money because millions of morons, who would not understand what a byte is if it came out of the screen in order to bite them, use ready-made patches (made by some real cracker of the darker side) in order to steal software. Therefore it makes A LOT of sense to concentrate on punishing the lusers, since outsmarting the crackers is much too difficult for programmers that have drunk too much Visual Basic and too little assembly.
This kind of protection scheme (I have seen others along the same lines) is patently directed against all those morons that seek ready-made cracks and use them in order to steal targets.
Anyway, why should we care? We are NOT friends of the luser little thieves, are we? So I reckon that this is actually a pretty good idea and easy to implement:
1) Release your soft with dummy cracker/password couples and a simple protection scheme that is ready to wreak havoc inside the luser's machine.
2) A couple of weeks later, if your soft is worth something (a very big if most of the time), you'll find a dozen ready-made cracks on any warez site.
3) Release a second version of your soft that has this time 'real' cracker/password couples and screw up the lusers' machines.
Not bad: I like it!
(You may also find it very useful, along similar protection lines, to read Ghiribizzo's ideas about a 'later implemented' part of the serial number.)
BTW: does a cracker called "thatguy" really exist? Or did they mean 'thatdude'? Or did they purposely seed some ready-made cracks with the name 'thatguy'? Who knows?
Hi, it's me again. This protection is slightly more difficult than the ones I tackled in my former essays, so, in order to spare you (and me) some time, I'll try to avoid the usual jokes (reverser cuts most of them off anyway :-)
The target you will need for this cracking session is called HTMLPad; it is a nice web-design utility. Basically, it provides shortcuts for the HTML tags: you have more control over the HTML code than if you used a standard editor, but you don't lose as much time as if you wrote the code with UltraEdit.
First of all, install the target. Play with it a little. All done? ok.
If you've read the help files, as you should, you will notice that the shareware limitations are listed there. Here is the snippet from that
By purchasing HTMLpad and registering your copy, you will be
additional benefits such as:
Our task will be to remove the first 2 limitations: the nag and the crippling lock. The target's weak points, which you should be able to identify after playing a few minutes with this program, are the following:
1) The option to Register
2) The "Registered to" string in the About box
3) The nag itself
Let's try to stalk the first one. Disassembling the target and searching for the invalid reg code error message, you will land here (some code has been removed in order to spare you some time):

:0046511E E8D1900000 call 0046E1F4
:00465123 3C01 cmp al, 01
:00465125 7517 jne 0046513E
(...)
* StringData Ref from Code Obj ->"Thank you for registering HTMLpad! "
->"Keep the registration number in "
->"a safe place in case you need "
->"it at a later date."
|
:00465132 B8E4514600 mov eax, 004651E4
:00465137 E8E484FDFF call 0043D620
:0046513C EB1C jmp 0046515A

* Referenced by a Jump at Address: 00465125(C)
|
:0046513E 8BC3 mov eax, ebx
(..)
* StringData Ref from Code Obj ->"You have entered an invalid registration number."
|
:00465150 B864524600 mov eax, 00465264

Bottom line: if al is 1 after the call at 46511E, we are registered. Of course, if you nop the jne at 465125, you will get a thank-you message, but you will still be unregistered. But let's see where else 46E1F4 is called from...

* Referenced by a CALL at Addresses: 004610C9, :00464D90, :0046511E, :00473294
|
:0046E1F4 E803000000 call 0046E1FC
:0046E1F9 C3 ret

I reckon that this is the first time I have seen a call such as this one, but never mind, let's go on. We must now inspect the locations that call our 6E1F4... I didn't find the code at 610C9 very interesting; you can and should check for yourself, of course... However, at 64D90 we see this:

:00464D90 E85F940000 call 0046E1F4
:00464D95 84C0 test al, al
:00464D97 745C je 00464DF5
(...)
* Possible StringData Ref from Code Obj ->"UNREGISTERED"
|
:00464DF5 BA8C4E4600 mov edx, 00464E8C

If after the call al is 0, we are REGISTERED TO UNREGISTERED.
Otherwise, the application will get our name from the registry (see your own dead listing, I didn't want to overcode this essay) and print it instead of UNREGISTERED. So, once again, if the al flag is 1, our reg code has been accepted and we will no longer be "unregistered". But that is not all... In Soft-Ice, set a breakpoint at 46E1F4. Now click on "About HTML PAD": Soft-Ice will bang, confirming our speculations. Now click on Register. Soft-Ice pops up again. Finally, click on Options (one of them was locked, remember?). Soft-Ice will pop up once more. So now, if you change the instruction at 4610C9 from call 46e1f4 to, say,

mov al, 00
inc al
jmp 46e1f9

you will take care of all of this target's limits *but* the nag. Why? Remember that I was surprised that all 6E1F4 did was to call 6E1FC? Why not call 46E1FC in the first place, thus saving a lot of bytes? (Compiler constraints... you'll find the same pattern at 73C3C, 7DF2C and 812D4, for instance.) In any case, this means that calling 6E1F4 has exactly the same effect as calling 6E1FC; so maybe some limits call the latter instead of the former... Just to make sure, set a breakpoint on 46E1FC in Soft-Ice. Now insert a few scripts (this will make the nag appear). Bingo! Soft-Ice pops up! Press F12 and what do you know... here is what you get:

:00480CEC E80BD5FEFF call 0046E1FC
:00480CF1 84C0 test al, al
:00480CF3 7507 jne 00480CFC

You just have to change that jne to jmp and you will never see the nag again. However, that makes a lot of changes, and since the only thing that matters is to get flag 1 in al at the end of the call, we might as well just patch the former.
The boys at Intermania have realised this: inside this huge call, we can admire the following snippet:

* StringData Ref from Code Obj ->"thatguy"
|
:0046E28D BA20E44600 mov edx, 0046E420
:0046E292 E8C959F9FF call 00403C60
:0046E297 7528 jne 0046E2C1
:0046E299 6A00 push 00000000
:0046E29B 668B0D28E44600 mov cx, word ptr [0046E428]
:0046E2A2 B202 mov dl, 02
* StringData Ref from Code Obj ->"Sorry. You'll have to crack the "
->"code again. In the mean time "
->"you can fix the little presents "
->"that are going to be left on your "
->"machine!"

Pathetic! To put this in plain sight of everyone, TENS of bytes before the end of the call, giving us all the room we want to patch. I suppose the Intermaniacs think they are funny... They are morons... I won't even bother to make fun of them; humour is a powerful weapon, but it can only hurt those who have a minimum sense of *pride*, which is not the case of the Intermania programmers... You guys don't deserve my respect... Not knowing how to program is one thing, but trying to #$%&/! up my machine and NOT doing it right is an insult to my intelligence... You can thank the fact that +we are not crackers of the dark side, else you would be bankrupt before you could say "censorship"!
Anyway, let's finish this:
Since the end of the call is as follows:
:0046E3BC 8BC3 mov eax, ebx
:0046E3BE 5E pop esi
:0046E3BF 5B pop ebx
:0046E3C0 8BE5 mov esp, ebp
:0046E3C2 5D pop ebp
:0046E3C3 C3 ret

Anyone who cares would just need to change

:0046E3BC 8BC3 mov eax, ebx

to

:0046E3BC B001 mov al, 01

and there you go, you are fully registered. Of course, if you want to be registered with a chosen name (for instance 'thatguy' :-) you have to first make these changes in memory just before you enter your chosen name and chosen bogus code, then close the program, patch it, and rerun.