There is a crack, a crack in everything. That's how the light gets in.
'Deepsky 99 solves an important need for amateur and professional observers. The software allows the user to plan a productive observing session and record what was observed quickly and easily. The logbook features in Deepsky make it extremely easy to transfer your observing plans to the logbook with minimal data entry. To accomplish this, users first create a customized observing list of those objects they want to observe by querying the database and then tagging those objects that appear on the screen. The custom list of objects can then be saved to disk and recalled later if required. When you are finished observing, the list you created earlier can be used to help enter your observations into the logbook.
1. 400,000 Object Database of Deepsky Objects
2. Observing Planner
3. Observers Logbook
4. Star Chart Creator with stars to Magnitude 15.5 (Mag. 10 in shareware version)
5. Image Processing
6. LX200 Goto Support including Deepsky's unique Slide Show feature.
7. Support for Bob Denny's ACP software for the LX-200 telescope'
When the program is installed and executed for the first time, it shows a message saying it's unregistered, and a 15 s delay is imposed before operation continues. Furthermore, the unregistered version does not allow access to object databases except the NGC2000 catalogue and is limited to 30 days of use. All these 'shareware' features have been implemented by use of an ActiveX control called 'Registration Wizard', available to shareware authors at this site. At the Registration Wizard homepage, technical documentation is available that reveals the following information:
1. The registration key is calculated from the username and a so-called 'encryption key' that is either randomly generated or supplied by the user. Optionally, information about the user's system can be included into the calculation as well.
2. Shareware authors may format the registration code by supplying a regkey mask in the form of 'RWS-#####-^^^^&-^&#^&', where # is a number, ^ represents an upper case character and & stands for an upper or lower case character.
Armed with that knowledge, we now run DeepSky under SmartCheck, open the registration dialog and type in bogus information, e.g. 'Fra Diavolo' as UN and '1234567890' as unlock key. After clicking the register button, a message box informs us that we have entered invalid information. We can now stop logging with SmartCheck and examine the results.
The function call 'RegWizardPro1.ShowRegDialog' will be of interest to us, so we expand its tree by clicking on the '+' icon. Lots of string operations are performed here. Among them is the processing of our UN. We can easily see that the functions Mid$ and Asc transform the individual characters of 'Fra Diavolo' into their ASCII values, which are then concatenated to a string '701149732...'.
Reading further, we notice the occurrence of another string, 'M31 - Andromeda Galaxy', that is somehow interacting with our new string '701149732...'. This apparently is the 'encryption key' specified by the author of DeepSky (see above). What kind of calculation is taking place here? The function Mid$ is used to grab a digit from the '701149732...' string, which is then transformed into its corresponding ASCII value. The first digit, '7', yields an ASCII value of 55. The first letter of 'M31 - Andromeda...', 'M', is grabbed next and yields an ASCII value of 77. Now follows a line 'Chr$(Integer: 122)'. Immediately we realize that 55 + 77 is ... 132, not 122.
Still, we suspect that the value 122 must somehow be calculated from 77 and 55, because we know the regkey is calculated from the UN and the 'encryption key'. Now, what will a Visual Basic lamer mean when he talks about encryption? Probably the most basic of the binary operations - XOR. So let's try... BINGO! 77 XOR 55 is 122. The 'andromeda' string is XORed with our string '701149732...' according to the pattern just described. A new string 'HIPTP...' is the result. This cannot be the reg code, because it contains weird characters like '|'. Instead, it is transformed into a 'number string', just as was the case with our UN 'Fra Diavolo', and the string is '727380...122'.
This is interesting, because the result of the first operation, 55 XOR 77 = 122, appears at the end of the string - the whole thing is reversed. Now, with this string '727380...', how do we get our registration code? The regkey mask, 'RWS-###...', is apparently used for some string operations now. The first five Mid$ calls don't have anything to do with '727380...', so we need not deal with them. Then follows a Mid$ on position 1 of our string '727380...', followed by a Mid$ on position 6 of the mask. Although it is not immediately evident from the SmartCheck log, one can imagine that the digits are simply filled in here, so our password so far would be 'RWS-72738-'.
Now, according to the mask, we should produce some upper case letters. We see that digits 6 and 7 of our string '7273808...' are grabbed, reversed to yield 80 and transformed into a character by Chr. The upper case status is then assured by the function UCase.
At this point, we realize that we can actually read down the regcode as it is generated. We also know how it is generated. The 'protection' is a joke. The author of DeepSky, Steven S. Tuma, has been blatantly ripped off by the author of the 'Registration Wizard', Russell Anderson. Anyone running SmartCheck can immediately get the regcode for any username he sees fit. In our case, the key is 'RWS-72738-PT...'. 'Registration Wizard' easily qualifies for the most stupid protection award.
It is worth mentioning that the use of SmartCheck is absolutely not the only approach to cracking this program. A SoftICE breakpoint on 'hmemcpy' takes us into the 'Registration Wizard', where the search command 's 0 l ffffffff 52 00 57 00 53 00 2D 00' easily finds the regkey mask in memory. With a BPR on it, we land in a routine copying it, character by character, to another memory location. A casual inspection of the target area reveals the registration code being generated in front of our eyes...
var
  name, serial, namestring, codestring: string;
  i: byte;
  bst: integer;
  bstr: string;
const
  andromeda: array[1..22] of byte = (77, 51, 49, 32, 45, 32, 65, 110, 100,
                                     114, 111, 109, 101, 100, 97, 32,
                                     71, 97, 108, 97, 120, 121);
begin
  if Edit1.text = '' then Edit1.text := 'Lamer';
  name := Edit1.text;
  namestring := '';
  codestring := '';
  serial := '';
  bst := 0;
  bstr := '';
  for i := 1 to length(name) do
  begin
    namestring := namestring + IntToStr(Ord(name[i]));
  end;
  for i := 22 downto 1 do
  begin
    codestring := codestring + IntToStr(Ord(namestring[i]) xor andromeda[i]);
  end;
  serial := 'RWS-' + Copy(codestring, 1, 5) + '-';
  for i := 3 to 6 do
  begin
    bst := StrToInt(codestring[(2*i)+1] + codestring[2*i]);
    if (bst >= 0) and (bst < 23) then bst := bst + 100;
    if (bst >= 23) and (bst < 65) then bst := bst + 42;
    if (bst >= 91) and (bst < 97) then bst := bst - 6;
    bstr := UpperCase(Chr(bst));
    serial := serial + bstr;
  end;
  bst := StrToInt(codestring[15] + codestring[14]);
  if (bst >= 0) and (bst < 23) then bst := bst + 100;
  if (bst >= 23) and (bst < 65) then bst := bst + 42;
  if (bst >= 91) and (bst < 97) then bst := bst - 6;
  serial := serial + Chr(bst) + '-';
  bst := StrToInt(codestring[17] + codestring[16]);
  if (bst >= 0) and (bst < 23) then bst := bst + 100;
  if (bst >= 23) and (bst < 65) then bst := bst + 42;
  if (bst >= 91) and (bst < 97) then bst := bst - 6;
  bstr := UpperCase(Chr(bst));
  serial := serial + bstr;
  ...
end.
The interested reader can write the missing part or take another approach - it should be clear how things work.
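For contrast with the scheme analysed above, here is an added example (not part of the original essay and not Registration Wizard's code) of a check that cannot be read out of a client-side trace: the key is an HMAC of the username under a secret that exists only on the vendor's server, and the client merely submits username and key for verification. The secret, the function names and the username normalisation are assumptions; the mask syntax is the one quoted from the Registration Wizard documentation.

```python
import hashlib
import hmac
import string

MASK = "RWS-#####-^^^^&-^&#^&"  # mask syntax as quoted on this page

# Constructed demo secret (assumption). In this design it lives only on the
# vendor's server and is never embedded in the shipped program or control.
SERVER_SECRET = b"constructed-demo-secret-not-a-real-key"

# '#' = digit, '^' = upper case letter, '&' = upper or lower case letter
ALPHABETS = {
    "#": string.digits,
    "^": string.ascii_uppercase,
    "&": string.ascii_letters,
}


def _normalise(username: str) -> bytes:
    # Collapse whitespace and case so trivial typing differences still match.
    return " ".join(username.split()).casefold().encode("utf-8")


def issue_key(username: str, secret: bytes = SERVER_SECRET, mask: str = MASK) -> str:
    """Vendor side: fill the mask from HMAC-SHA256(secret, username)."""
    digest = hmac.new(secret, _normalise(username), hashlib.sha256).digest()
    out, n = [], 0
    for ch in mask:
        alphabet = ALPHABETS.get(ch)
        if alphabet is None:
            out.append(ch)  # literal mask character such as 'R' or '-'
        else:
            out.append(alphabet[digest[n] % len(alphabet)])
            n += 1
    return "".join(out)


def verify_key(username: str, key: str, secret: bytes = SERVER_SECRET) -> bool:
    """Server side: recompute the key and compare in constant time."""
    expected = issue_key(username, secret).encode("ascii")
    return hmac.compare_digest(expected, key.encode("utf-8", "replace"))
```

Because the secret never reaches the user's machine, tracing the client shows only the submitted values and the server's yes/no answer, not the derivation.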
Ripping off software through serials and cracks is for lamers.
If you're looking for cracks or serial numbers from these pages then you're wasting your time, try searching elsewhere on the Web under Warez, Cracks etc.