Reversing the protection scheme of Opera 3.60
a not so easy protection scheme

Not Assigned
30 July 1999
by -alx

Courtesy of Fravia's page of reverse engineering
slightly edited by fravia+
fra_00xx 98xxxx -alx 1100 NA PC
I have hesitated before publishing this essay. Opera is a browser so good that once you get used to it you will never want to go back to the huge stupid browsersaurii. Opera deserves our support and our help. And now we publish an essay that explains the protection scheme of its most recent version. Why do we do it? Won't this damage Opera?

There are two reasons: first (I checked) the "ready-made cracks" (lamers' food) for Opera (3.6) abound on the web: a simple altavista search gave me 198 different pages two minutes ago. Therefore I think and hope that this essay could be more helpful than anything else for the programmers of Opera, allowing them to see the flaws in their protection scheme (which are pretty evident) from an (advanced :-) newbie perspective.

Secondly, the more people use Opera, the more people will 'see the light', at least in the browsers' field. And I can imagine that this essay will motivate people to delve even deeper into the inner code of this little jewel of an application.

Yes, please pay for Opera (I did it, as the Opera people probably know :-)
There is a crack, a crack in everything
That's how the light gets in
Rating: ( ) Beginner (x) Intermediate ( ) Advanced ( ) Expert

A useful essay for beginners who already know how to use some tools (SoftIce and WinDasm) but do not yet know the right way...... This is a collection of attempts with only one purpose: removing the 30-day limitation from a shareware program (Opera 3.60).
Reversing the protection scheme of Opera 3.60
a not so easy protection scheme
Written by -alx
I think I'm an "advanced" beginner, but cracking Opera 3.60 has taken me 2 days instead of the 2 hours Opera 3.20 took! This means that Opera's programmers have read HAL's essay, and you should read it too.

Tools used:
SoftIce
WinDasm 8.93
a hex editor (I use UltraEdit 5.20)

Here you can download all versions of Opera in many of the most common languages.
First of all, let's run Opera 3.60. As you can see, there is a "Thanks for using Opera" window with your remaining days and some options: Evaluate, Purchase, Register.

Click on Register and Opera will ask you for a name, an organization and a registration code. Type whatever you want in the first two fields and a 12-character reg-code in the last one. A message box appears: "You have probably entered a pre 3.50 reg-code".

OK, now go to Help...... Register Opera... and type a 14-character reg-code. Another message box will inform you that your code is wrong.

Why are there 2 different message boxes? Because Opera's programmers have probably replaced their previous protection scheme (Opera 3.20 and so on) with a more complex one; I think it's more complex because it wants more characters than the previous one (see my introduction about Opera 3.20).

Well, return to the registration window (RW from now on), press CTRL-D and set a breakpoint on MessageBoxA (have you read HAL's essay?):

:bpx MessageBoxA

Return to the RW, fill in the fields and press OK. SoftIce pops up just before the message box. Press F12, read the message and click on OK. You will land here:
:00470195 E86123FFFF call 004624FB
:0047019A 389D80FDFFFF cmp byte ptr [ebp+FFFFFD80], bl
:004701A0 7513 jne 004701B5
.........
.........
:004701C6 FF1520664F00 Call [USER32.MessageBoxA,]
:004701CC 56 push esi <----here
:004701CD 8BF8 mov edi, eax
:004701CF E8FA57FBFF call 004259CE
:004701D4 59 pop ecx
:004701D5 8BC7 mov eax, edi
:004701D7 5F pop edi
:004701D8 5E pop esi
:004701D9 5B pop ebx
:004701DA C9 leave
:004701DB C21800 ret 0018
Feel free to study the code (this is only a little part) and to test the jumps; you will obtain only a "warning" message and some "General protection fault" errors.

OK, we are in 4701C6; let's exit from this CALL (press F12) and we land on 488C77:
:00488BA6 8BCA mov ecx, edx
:00488BA8 B811030000 mov eax, 00000311
:00488BAD 2BC8 sub ecx, eax
:00488BAF 0F84F9030000 je 00488FAE
:00488BB5 81E90F7D0000 sub ecx, 00007D0F
:00488BBB 0F84E0030000 je 00488FA1
:00488BC1 81E9E10F0000 sub ecx, 00000FE1
:00488BC7 0F8432020000 je 00488DFF
:00488BCD 81E9A1000000 sub ecx, 000000A1
:00488BD3 0F8400010000 je 00488CD9
:00488BD9 83E905 sub ecx, 00000005
:00488BDC 747D je 00488C5B <--------
:00488BDE 83E90C sub ecx, 0000000C
:00488BE1 744F je 00488C32
:00488BE3 EB03 jmp 00488BE8
..........
..........
:00488C5B 8B0D3C175100 mov ecx, dword ptr [0051173C]
:00488C61 33F6 xor esi, esi
:00488C63 56 push esi
:00488C64 56 push esi
:00488C65 53 push ebx
* Reference to String Resource ID=22004: "Opera Registration"
|
:00488C66 68F4550000 push 000055F4
:00488C6B 57 push edi
:00488C6C FF351C0F5100 push dword ptr [00510F1C]
:00488C72 E85C74FEFF call 004700D3
:00488C77 81FFF5550000 cmp edi, 000055F5 <----we are HERE
:00488C7D 751F jne 00488C9E
:00488C7F 83F801 cmp eax, 00000001
We are in an unpatchable-never-ending-multiple-choice-loop! Something like:

while (?) {
    switch (?) {
        case ?: ...;
        case ?: ...;
    }
}

Try to breakpoint at 488BA6 and you will understand the problem (and also why I have spent two days on this scheme!!).
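The listing at 488BA6 is what a compiler makes of a sparse switch: instead of comparing the selector against each case value, it subtracts the distance to the next case from a running copy (ecx) and tests for zero, so the immediates are deltas, not the case values themselves. This Python, an added example and not part of the essay, recovers the absolute case values and their handler addresses from the quoted WinDasm lines (embedded below as constructed input):

```python
import re

# Constructed excerpt: the compare/branch lines of the dispatch the essay
# quotes at 00488BA6 (WinDasm format: ":addr bytes mnemonic operands").
LISTING = """
:00488BA6 8BCA mov ecx, edx
:00488BA8 B811030000 mov eax, 00000311
:00488BAD 2BC8 sub ecx, eax
:00488BAF 0F84F9030000 je 00488FAE
:00488BB5 81E90F7D0000 sub ecx, 00007D0F
:00488BBB 0F84E0030000 je 00488FA1
:00488BC1 81E9E10F0000 sub ecx, 00000FE1
:00488BC7 0F8432020000 je 00488DFF
:00488BCD 81E9A1000000 sub ecx, 000000A1
:00488BD3 0F8400010000 je 00488CD9
:00488BD9 83E905 sub ecx, 00000005
:00488BDC 747D je 00488C5B
:00488BDE 83E90C sub ecx, 0000000C
:00488BE1 744F je 00488C32
:00488BE3 EB03 jmp 00488BE8
"""

INSTR = re.compile(r"^:[0-9A-F]{8}\s+[0-9A-F]+\s+(\w+)\s*(.*)$")
HEX_IMM = re.compile(r"^[0-9A-F]+$")


def recover_switch_cases(listing):
    """Turn a 'sub ecx, imm / je target' chain back into (case, handler) pairs.
    Each sub acts on the running remainder, so the value a je really tests is
    the sum of every immediate subtracted so far, not the one next to it."""
    running, regs, pending, cases = 0, {}, False, []
    for line in listing.splitlines():
        m = INSTR.match(line.strip())
        if not m:
            continue
        mnem, ops = m.groups()
        args = [a.strip() for a in ops.split(",")] if ops else []
        if mnem == "mov" and len(args) == 2 and HEX_IMM.match(args[1]):
            regs[args[0]] = int(args[1], 16)       # e.g. mov eax, 00000311
        elif mnem == "sub" and args and args[0] == "ecx":
            running += regs[args[1]] if args[1] in regs else int(args[1], 16)
            pending = True
        elif mnem == "je" and pending:
            cases.append((running, int(args[0], 16)))
            pending = False
        elif mnem == "jmp":
            break                                   # default case: chain ends
    return cases
```

For the quoted lines this yields the case values 0x0311, 0x8020, 0x9001, 0x90A2, 0x90A7 and 0x90B3; the 0x90A7 case is the one dispatching to 00488C5B, the block the essay marks with the arrow.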
This code deals with the menus, the bar's buttons, the "Thanks for using Opera" window etc. Try to fill in the RW and press OK; how many times does SoftIce pop up? Too many.

This first approach doesn't seem the right one; do you remember +ORC's words? (Maximum result with minimum effort.)

At this point, I decided to try a dead-listing approach in order to find some string references to a greeting message ("Thanks for registering......"). First I disassembled Opera and then I started to search for "regist", and you MUST do it too; here is the most important string (in my opinion):
:004911EE 55 push ebp <-- here the CALL starts
:004911EF 8BEC mov ebp, esp
:004911F1 51 push ecx
:004911F2 56 push esi
:004911F3 57 push edi
:004911F4 33F6 xor esi, esi
:004911F6 33FF xor edi, edi
:004911F8 3935B0145100 cmp dword ptr [005114B0], esi
:004911FE 7413 je 00491213 <--- first jump
:00491200 68FCFCF300 push 00F3FCFC
:00491205 FF1588604F00 Call dword ptr [004F6088]
:0049120B 6A01 push 00000001
:0049120D A3B0145100 mov dword ptr [005114B0], eax
:00491212 5F pop edi
:00491213 A11C175100 mov eax, dword ptr [0051171C]
:00491218 3BC6 cmp eax, esi
:0049121A 740F je 0049122B <--- second one
:0049121C 33C9 xor ecx, ecx
*************************************************************************
:0049121E 39B0E8040000 cmp dword ptr [eax+000004E8], esi                *
:00491224 0F94C1 sete cl                                                *
:00491227 8BC1 mov eax, ecx                                             *
:00491229 EB03 jmp 0049122E ---                                         *
:0049122B 6A01 push 00000001 |                                          *
:0049122D 58 pop eax |                                                  *
:0049122E 3BC6 cmp eax, esi <-                                          *
:00491230 7525 jne 00491257 <---- third one                             *
*************************************************************************
:00491232 8B0D3C175100 mov ecx, dword ptr [0051173C]
:00491238 56 push esi
:00491239 56 push esi
:0049123A 6A24 push 00000024
:0049123C 56 push esi
"This copy of Opera is already registered.Do you want to cha" <----HERE
|
:0049123D 68F1550000 push 000055F1
:00491242 FF7508 push [ebp+08]
:00491245 E889EEFDFF call 004700D3
:0049124A 83E806 sub eax, 00000006
:0049124D F7D8 neg eax
:0049124F 1BC0 sbb eax, eax
:00491251 40 inc eax
:00491252 8945FC mov dword ptr [ebp-04], eax
:00491255 740E je 00491265
:00491257 56 push esi
:00491258 6A04 push 00000004
:0049125A FF7508 push [ebp+08]
:0049125D E816000000 call 00491278
:00491262 83C40C add esp, 0000000C
:00491265 3BFE cmp edi, esi
:00491267 5F pop edi
:00491268 5E pop esi
:00491269 740B je 00491276
:0049126B 68B0145100 push 005114B0
:00491270 E8564BF9FF call 00425DCB
:00491275 59 pop ecx
:00491276 C9 leave
:00491277 C3 ret
What a little CALL!!! And there are only THREE conditional jumps before our target string!!

Well, I think now it's more interesting to study this code using SoftIce than starting a random patch with a hex editor. So, press CTRL-D and search for this code in memory. I think the lines after the string are the most representative:

:s 30:00 l ffffffff 68 F1 55 00 00 FF 75 08

What have you found? Nothing!!! (SoftIce searches the address space of whatever process was current when it popped up, so the search has to be made from inside Opera's context.) Well, go to the RW, press CTRL-D, and set a breakpoint on GetDlgItemTextA:

:bpx GetDlgItemTextA

Fill in the fields and press OK.......... SoftIce pops up. Good. Press F12 and now retry the previous search (remember to delete the last breakpoint.... GetDlgItemTextA):

:s 30:00 l ffffffff 68 F1 55 00 00 FF 75 08
Pattern found at 0030:0049123D

OK, let's unassemble at this address:

:u 49123D

BINGO!!!!!! We have found our little CALL! Let's breakpoint at its beginning and go to the RW......................
Hey! What's happening? Why does SoftIce pop up before the RW? It's very simple! If you are a registered user, our little CALL will inform you that there is no need to register again (and you won't see the RW).

Now comes the very interesting part: how does our little CALL know whether you are a registered user? It uses a FLAG!!!! If you pay attention you can see that two jumps are conditioned by two flags and the last one by a register comparison (which depends on the result of the previous jumps).

So, our REG-FLAG is [EAX+000004E8]; write down on paper its real address (994728) and, when SoftIce breaks at 4911EE, try to change its value from 00 to 01. Press CTRL-D and...................

"This copy of Opera is already registered"
"Do you want to change the registration information?"

Click on NO. Now go to Help....... About Opera.......... and YES! Opera is registered!!

Very good. Now we have to find the code that sets the REG-FLAG when Opera starts and then patch it. Return to WinDasm and search for "+000004E8]". EAX is not important; the register may be another one.

First result:
:0045DB1E 899ED8030000 mov dword ptr[esi+000003D8], ebx
:0045DB24 899EA8020000 mov dword ptr[esi+000002A8], ebx
:0045DB2A 899EAC020000 mov dword ptr[esi+000002AC], ebx
:0045DB30 899E50020000 mov dword ptr[esi+00000250], ebx
:0045DB36 899E54020000 mov dword ptr[esi+00000254], ebx
:0045DB3C 899E58020000 mov dword ptr[esi+00000258], ebx
:0045DB42 899E5C020000 mov dword ptr[esi+0000025C], ebx
:0045DB48 6820070000 push 00000720
:0045DB4D 899EE8040000 mov dword ptr[esi+000004E8], ebx <--- HERE
Here our REG-FLAG is probably set to zero like many other flags (ebx=00).

Second result:
:0045E2D3 E82EF00500 call 004BD306
:0045E2D8 8B0E mov ecx, dword ptr [esi]
:0045E2DA E873EB0500 call 004BCE52
:0045E2DF 8986E8040000 mov dword ptr [esi+000004E8], eax <--- HERE
Hmmmmm, smell it!!!!! We are very close to our target. Probably call 004BCE52 checks the encrypted file (have you read HAL's essay?) where Opera stores the registered user's code, name and organization.

Let's trace this function! First, breakpoint at 45E2D8, close Opera and then re-run it................... Yes, SoftIce pops up before the nag window; press F8 twice and you land here:
* Referenced by a CALL at Addresses:0045E2DA , :00497347
|
:004BCE52 8D8138010000 lea eax, dword ptr[ecx+00000138]
:004BCE58 85C0 test eax, eax
:004BCE5A 741A je 004BCE76 (1)
:004BCE5C 803800 cmp byte ptr [eax],00
:004BCE5F 7415 je 004BCE76 (2)
:004BCE61 81C190030000 add ecx, 00000390
:004BCE67 51 push ecx
:004BCE68 E88650FDFF call 00491EF3
:004BCE6D 85C0 test eax, eax
:004BCE6F 59 pop ecx
:004BCE70 7404 je 004BCE76 (3)
:004BCE72 6A01 push 00000001
:004BCE74 58 pop eax
:004BCE75 C3 ret
Wow! This is the shortest function I have ever seen! (Notice that it is called two times.) Study this function and then patch it!!!

I hope you have understood that the main problem of this essay is finding the protection, not cracking it. Reading this essay and then de-protecting Opera is very easy, but as you already know this has taken me much time.

Notice that in Opera there are tons of string references but none deals with a greeting message (but IT MUST EXIST!!!!!). We have found only a warning (it does not exist in Opera 3.20) and we had never seen it before patching the REG-FLAG.

Notice that if I had persevered with my first approach I would probably have gone crazy. (So, open your mind. Be SUPPLE.)

Thanks to:
Jade for her moral support
Sugar for his invaluable music
+ORC; without him, all this would not have been possible.
-alx
YES, I'll send you another that follows the ZEN way. I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged. Farewell, don't come back.