There is a crack, a crack in everything. That's how the light gets in.
The Compress tool removes all the information used for editing from an HTML file. This information is not needed for viewing the file; it is only there to make editing a lot easier. The UnCompress function of the tool adds this formatting information back again using the common conventions of HTML files, such as indents.
Since the author of HTML (un)Compress has consented to this tutorial being published on my web page, all he asks in return is that we don't write any on his latest version, which is currently V4.1. Please respect his wishes. Thank you.
1. The program itself was created in Visual Basic 5, a newbie's worst nightmare.
2. Dead listings, while possible, will make no sense because VB programs contain little more than calls into the main Visual Basic runtime library.
3. It performs five checks on the User name to see whether the User is trying to register this program using one of five well-known handles belonging to certain cracking groups. Once satisfied that the User is not using any of these handles, it begins processing the serial number.
4. When this program is first run it creates a 16-byte file called HTMLComp.dat and places it in your C:\Windows directory. Opening this file reveals the following information:-
"99J 99J1",535 <--Our default name is: 99J 99J1 and our default serial is 535
A quick check in the System registry also reveals this same default name and serial number:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\HTML (Un)Compress\Registration
Name=The Sandman
Password=XXXXXXXX
This tells us that the software author knows the registry entry can be tampered with, so he has made sure there is always a backup copy which the program can use to replace a corrupted or deleted entry.
On successful registration, the User's details (Name & Password) are stored in the System registry and are once again found here:-
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\HTML (Un)Compress\Registration
Name=The Sandman
Password=XXXXXXXX
Interestingly, this is NOT the main repository for your registration details: you can delete this entry as many times as you want and the program will keep re-creating it. The program must therefore be getting this information from somewhere else.
What happens is that HTMLComp.dat now also contains the User's new registration details, which the program also checks each time it is run.
Visual Basic programs contain nothing but meaningless-looking routines that in turn call further routines in the main VB5 runtime library. Anyone who has tried to follow these routines will know how easily the cracker can become lost and disorientated amongst all this hideous code.
However, by studying how Visual Basic programs are structured we can find their weak points. Unless the programmer uses third-party protection systems, such as encryption handling routines, he/she will have little option but to rely on the ones provided by the Visual Basic runtime library.
The simplest type of protection routine we can use is the straightforward 'compare one serial number against another': either display 'beggar off cracker' if the two serials are not the same, or allow the program to register itself if they are. In Visual Basic this is, to some degree, all the programmer has at his disposal, so this is where we must start our initial explorations. Considering that protection routines are vital if a program is to remain a 'sellable' product for any length of time, why Microsoft in their wisdom made no effort to provide better string handling routines is beyond me. I speak from experience, as I used to program in VB3 & 4.
In my previous essay on cracking Minimize Magic (Essay No 59), which is a Visual Basic 4 program, I explained that, thanks to Razzia, who first found the String Compare routines for VB4 programs, I developed a quick approach to cracking Minimize Magic using Softice to search for the beginning of this String Compare routine. For those who haven't yet set up Softice to use ALT-F4 for cracking VB programs, please go and read that essay NOW! You will not be able to follow this essay much further if you haven't made the two changes to your winice.dat file!
The importance of setting up Softice so that we can redefine the ALT-F4 keys to search for the memory location of the String Compare routine is that this ALSO works in Visual Basic 5 programs without requiring any modifications to the original search string. An all-in-one tool. :)
On starting up HTML (un)Compress we are greeted with a nag screen informing us that we are now on day '0' of our 30 day evaluation period. It is here also where we are given the opportunity to register this program.
OK, let's click on the 'Password' button; a small registration box appears.
Type in your name/handle and a fake serial number.
For this example I use:
Name = The Sandman
Password = 999999999
Before clicking on the 'OK' button let's fire up Softice by pressing the CTRL-D keys together.
Our first task is to get Softice to break once we press the 'OK' button. One system function that will almost guarantee this is hmemcpy, because it is used in conjunction with a whole host of other functions, so it is highly likely this program will call a system function that relies on it.
Now type: bpx hmemcpy then x to leave Softice.
Now you can click on the 'OK' button.
Softice now breaks at the start of the hmemcpy function.
From here all you have to do is press the ALT-F4 keys together.
Softice reports...
Pattern found at 0030:0F00d9 ;This memory address will be different on your pc
From here, type in full the memory address Softice has just shown you.
Type: u XXXX:XXXXXX ; Insert the address Softice gave you in here.
You should now see that you are looking at the following section of code:
XXXX:XXXXXXXX 56          push esi
XXXX:XXXXXXXX 57          push edi
XXXX:XXXXXXXX 8B7C2410    mov edi, [esp + 10]
XXXX:XXXXXXXX 8B74240C    mov esi, [esp + 0C]
XXXX:XXXXXXXX 8B4C2414    mov ecx, [esp + 14]
XXXX:XXXXXXXX 33C0        xor eax, eax
XXXX:XXXXXXXX F366A7      repz cmpsw
XXXX:XXXXXXXX 7405        je 0F79B362
XXXX:XXXXXXXX 1BC0        sbb eax, eax
XXXX:XXXXXXXX 83D8FF      sbb eax, FFFFFFFF
XXXX:XXXXXXXX 5F          pop edi
XXXX:XXXXXXXX 5E          pop esi
XXXX:XXXXXXXX C20C00      ret 000C
The XXXX:XXXXXXXX represents the memory address where this routine was found, which will be different on everyone's computer.
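As an added illustration (this is my own model, not code from the essay or from the Visual Basic runtime), here is what the routine listed above computes in C: it walks two 16-bit character strings for ecx words, and the two sbb instructions turn the flags left by repz cmpsw into -1, 0 or 1. The argument order (first string in esi, second in edi, count in ecx) follows the three stack slots the listing reads; the ASCII-widening helper is a testing convenience I added, not part of the program.

```c
#include <stdint.h>
#include <stddef.h>

/* Added model of the String Compare routine from the listing above
 * (not the VB runtime's own source). The routine takes three stack
 * arguments (ret 000C): first string -> esi, second string -> edi,
 * word count -> ecx, and then runs repz cmpsw over 16-bit characters. */
int vb_wide_compare(const uint16_t *esi, const uint16_t *edi, size_t ecx)
{
    int eax = 0;  /* xor eax, eax: also leaves ZF=1, so a zero-length compare returns 0 */
    int zf = 1;   /* ZF after the last cmpsw: 1 means the two words matched */
    int cf = 0;   /* CF after the last cmpsw: 1 means *esi < *edi (unsigned) */

    /* repz cmpsw: compare one word at a time while ecx != 0 and ZF == 1 */
    while (ecx != 0) {
        uint16_t a = *esi++;
        uint16_t b = *edi++;
        ecx--;
        zf = (a == b);
        cf = (a < b);
        if (!zf)
            break;
    }

    if (zf)            /* je: strings equal over the counted length */
        return eax;    /* 0 */

    /* sbb eax, eax: eax = 0 - 0 - CF, i.e. -1 if CF was set, else 0.
     * A borrow occurs exactly when CF was set, so CF keeps its value. */
    eax = -cf;
    /* sbb eax, FFFFFFFF: eax = eax - (-1) - CF = eax + 1 - CF */
    eax = eax + 1 - cf;
    return eax;        /* -1 if esi sorts before edi, +1 if after */
}

/* Testing convenience (my assumption, not from the essay): widen two
 * ASCII strings to 16-bit characters, as VB strings are stored, and
 * compare the first n words. Strings longer than 63 characters are cut. */
int compare_ascii_as_wide(const char *a, const char *b, size_t n)
{
    uint16_t wa[64] = {0}, wb[64] = {0};
    size_t i;
    for (i = 0; i < 63 && a[i] != '\0'; i++) wa[i] = (unsigned char)a[i];
    for (i = 0; i < 63 && b[i] != '\0'; i++) wb[i] = (unsigned char)b[i];
    if (n > 63) n = 63;
    return vb_wide_compare(wa, wb, n);
}
```

Because the routine only reports less/equal/greater, both strings being compared must be present in memory in the clear at the moment of the call, which is exactly why the registers it loads are so informative.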
From here we type:
Type: bpx XXXX:XXXXXX ; Insert the address Softice gave you in here. This creates a new Softice breakpoint at the start of the above routine.
Next, you will need to type: bc 00 to clear away our previous Softice breakpoint. It has served its purpose and is no longer needed.
Type x to leave Softice and allow HTML (un)Compress to carry on with what it was doing.
Softice now breaks again.
It has stopped on our newly created breakpoint.
Press the F10 key just four times so that we have executed the following lines of code:-
XXXX:XXXXXXXX 56          push esi             ;save esi register for safe keeping
XXXX:XXXXXXXX 57          push edi             ;save edi register for safe keeping
XXXX:XXXXXXXX 8B7C2410    mov edi, [esp + 10]  ;String to check for
XXXX:XXXXXXXX 8B74240C    mov esi, [esp + 0C]  ;Our entered User Name
XXXX:XXXXXXXX 8B4C2414    mov ecx, [esp + 14]  ;We are now here..
OK, if we now type: d esi we should see our User name, and if we type: d edi we should also see what this routine is going to check our name against.
Typing: d edi will show the string r.o.m.e.o
Typing: d esi will show our User name.
If you don't see this, THEN press x and then move your mouse a little. Then press the F10 key four times and repeat the above instructions. This is because this routine is also used by many other routines in Visual Basic, and you may have arrived here before the program has had a chance to get round to actually checking the User names.
OK, assuming you have got this far, you should now see around 6 names in your Softice code window. These names are handles used by some cracking groups. The author of HTML (un)Compress is checking to see if you are trying to register this program using a serial number they have used in the past to crack this program.
From here all we need to do is press X, then when we return back into Softice press the 'F10' key again four times and type: d edi.
Keep doing this UNTIL, when you type: d edi, you see H.T.M.L.c.o.m.
What we are doing is cycling through the list of 'crackers' names this program checks for until we reach the last one.
For the last time press X, then when we return back into Softice press the 'F10' key again four times and type: d edi
You should now see YOUR *fake* serial number, and if you type: d esi you will also see the *real* serial number which the program has created based on your User Name.
From here type: BC to clear all our Softice breakpoints, followed by X to leave Softice.
Re-run this program, type in the *real* serial number you have just seen, and the program will now be *fully* registered.
Once this program is registered and you wish to practice on it, you must delete the file HTMLComp.dat found in your Windows directory and also delete the registration entry:-
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\HTML (Un)Compress\Registration
This will convince HTML (un)Compress that this is the first time it's being run.
Job Done.
My thanks and gratitude goes to:-
Fravia+ for providing possibly the greatest source of Reverse Engineering knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Ripping off software through serials and cracks is for lamers.
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.