1999
( 'what a surprise' )
Win Code Reversing

Program Name: Applet45.zip
Program Type: JavaScript utility
Program Location: Here
Program Size: 1.6mb

Softice V3.25 - Win'95 Debugger
W32Dasm V8.93 - Win'95 Disassembler
The author of Button Factory v4.5 says:
New easy to use Interface!
AutoArrange Buttons Horizontally, Vertically or any way you wish!
WYSIWYG drag and drop preview control!
Fully customize your Button Layout!
Use any Image(s) for your buttons!
Make .gif Button Images Transparent Instantly!
Duplicate any Button with just a click!
Use any Color for your Button border, background or text!
Use Color Gradients for Button Backgrounds!
Make text, sounds, and images change on Load, MouseOver or Click!
Put messages in the browser status bar on MouseOver!
Easy HTML Preview Window!
Browser test your applets in both Netscape and IE.
This protection routine is based on a user name and a password. The username and password are common to all registered users.
The program keeps its settings in the registry:
HKLM\Software\Silicon Joy Software\Applet Button Factory\4\mainWindow\lb1
"caption"
This program is protected with a very weak protection, and as such it is very good for beginners, even if you will not come across many programs protected this way.
As always, play with this program and try to register it. You get the message:
"incorrect username and password".
Go to W32Dasm and create the program's dead listing. In the String Data References, look for this message. Double-clicking on it will take you to the location in the program where this message comes from.
You should now see this snippet of code:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0046F4DC(C), :0046F504(C)
* Possible StringData Ref from Code Obj ->"Incorrect username and password."

:0046F592 B890F64600    mov eax, 0046F690
:0046F597 E81839FEFF    call 00452EB4
You can see that the program comes here from two different locations, depending on a conditional jump that decides whether to jump here or not. Let's take a look at these locations:
* Possible StringData Ref from Code Obj ->"mk67z"

:0046F4D0 BAC0F54600    mov edx, 0046F5C0
:0046F4D5 E80699F9FF    call 00408DE0          ; checking name/password
:0046F4DA 85C0          test eax, eax          ; eax=0 ?? name ok ??
:0046F4DC 0F85B0000000  jne 0046F592           ; first conditional jump
:0046F4E2 8D55FC        lea edx, dword ptr [ebp-04]
:0046F4E5 8B8318030000  mov eax, dword ptr [ebx+00000318]
:0046F4EB E86017FCFF    call 00430C50
:0046F4F0 8B45FC        mov eax, dword ptr [ebp-04]
:0046F4F3 E8784AF9FF    call 00403F70

* Possible StringData Ref from Code Obj ->"trs98z"

:0046F4F8 BAC8F54600    mov edx, 0046F5C8
:0046F4FD E8DE98F9FF    call 00408DE0          ; checking name/password
:0046F502 85C0          test eax, eax          ; eax=0 ?? password ok ??

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046F49D(C)

:0046F504 0F8588000000  jne 0046F592           ; second conditional jump
:0046F50A A1686B4A00    mov eax, dword ptr [004A6B68]
:0046F50F 8B00          mov eax, dword ptr [eax]
What is going on in this program code is a fairly typical name/password verification.
This is the time to test our theory with our beloved debugger.
Go to Help/Registration Information, and type in any name and password.
Before you click on "Register", fire up SoftICE ("Ctrl-d") and set a breakpoint on the API "getwindowtexta".
Type "x", and click "Register".
SoftICE breaks; press "F11" once.
We want to disable this BP and set a new one where we can see how this protection checks the data entered.
Type "bd 00", then "bpx 46f4d5", and "x" to leave SI. We get the error message.
Press "Register" again, and we land on this location:
:0046F4D5 E80699F9FF    call 00408DE0          ; we land here
:0046F4DA 85C0          test eax, eax          ; eax=0 ?? name ok ??
:0046F4DC 0F85B0000000  jne 0046F592           ; jump if not
At this point I can tell you that if we force the two jumps not to jump, the program will be registered, but since we want to learn from this tutorial, let's go into this call and see how the check goes.
Press "F8" in SI. This will take you inside this call:
:00408DE0 57            push edi               ; we land here
:00408DE1 56            push esi
:00408DE2 89D7          mov edi, edx
:00408DE4 89C6          mov esi, eax
:00408DE6 B9FFFFFFFF    mov ecx, FFFFFFFF
:00408DEB 31C0          xor eax, eax
:00408DED F2            repnz
:00408DEE AE            scasb
:00408DEF F7D1          not ecx
:00408DF1 89D7          mov edi, edx
:00408DF3 31D2          xor edx, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408E1B(C)

:00408DF5 F3            repz                   ; begin of loop
:00408DF6 A6            cmpsb                  ; this will check the string, if equal means *real*
:00408DF7 7424          je 00408E1D            ; name/password and will jump here
:00408DF9 8A46FF        mov al, byte ptr [esi-01] ; first char of "fake" to al
:00408DFC 80F861        cmp al, 61             ;
:00408DFF 7208          jb 00408E09            ; the program checks if the
:00408E01 80F87A        cmp al, 7A             ; characters entered are between
:00408E04 7703          ja 00408E09            ; the hex value of "a" to "z"
:00408E06 80E820        sub al, 20             ; converts to uppercase

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00408DFF(C), :00408E04(C)

:00408E09 8A57FF        mov dl, byte ptr [edi-01] ; first char of "real" to dl
:00408E0C 80FA61        cmp dl, 61
:00408E0F 7208          jb 00408E19            ; the same check as above
:00408E11 80FA7A        cmp dl, 7A
:00408E14 7703          ja 00408E19
:00408E16 80EA20        sub dl, 20

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00408E0F(C), :00408E14(C)

:00408E19 29D0          sub eax, edx           ; if eax will be "0" means the
:00408E1B 74D8          je 00408DF5            ; chars equal, jmp to top loop

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408DF7(C)

:00408E1D 5E            pop esi
:00408E1E 5F            pop edi
:00408E1F C3            ret
Press "F10" until you are at location 00408E0C. At this point, al holds the hex value of the first character of your "fake" name, and dl holds another hex value.
Type "? al" and you'll see the first char of your name. Type "? dl" and you'll see that it is "m".
Now go and correct the first character to "m", and repeat the above steps. You can see that the second character of your "name" is being compared to "k"...
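To make clear what the routine at 00408DE0 actually does, here is a C reimplementation written from the listing above. It is an added example, not source code from the program or its author; the names check_code, fold_upper, entered and expected are my own, and the sample strings are constructed, not the program's real ones. The point for anyone designing such a check: the whole "secret" is a string literal that the routine compares, byte by byte and case-insensitively, against the user's input, so the literal itself is all a disassembler needs to show.

```c
#include <stdio.h>
#include <string.h>

/* Added example: C version of the compare routine at 00408DE0 as read from
 * the listing. Function and variable names are assumptions; the original is
 * native code with no symbols. */

/* Mirrors cmp al,61 / jb / cmp al,7A / ja / sub al,20: only 'a'..'z' are
 * folded to upper case, every other byte is compared as it is. */
static unsigned char fold_upper(unsigned char c)
{
    if (c >= 0x61 && c <= 0x7A)
        return (unsigned char)(c - 0x20);
    return c;
}

/* Returns 0 when 'entered' matches 'expected' ignoring the case of a..z
 * (the routine returns eax == 0), otherwise the difference of the first
 * pair that still differs after folding, as 'sub eax, edx' leaves it. */
int check_code(const char *entered, const char *expected)
{
    /* repnz scasb / not ecx: the count is strlen(expected) + 1, so the
     * terminator of the expected string takes part in the comparison.
     * A shorter 'entered' mismatches at its own terminator, so the loop
     * never reads past the end of either string. */
    size_t count = strlen(expected) + 1;

    for (size_t i = 0; i < count; i++) {
        unsigned char a = (unsigned char)entered[i];  /* byte ptr [esi-01] */
        unsigned char b = (unsigned char)expected[i]; /* byte ptr [edi-01] */

        if (a == b)            /* repz cmpsb keeps going while bytes are equal */
            continue;

        int diff = (int)fold_upper(a) - (int)fold_upper(b);
        if (diff != 0)         /* sub eax, edx leaves eax != 0: return */
            return diff;
        /* equal after folding: je 00408DF5 re-enters the loop */
    }
    return 0;                  /* everything up to the terminator matched */
}

int main(void)
{
    /* Constructed sample value; it is the kind of literal the routine is
     * handed in edx, which is why the check is weak: the comparison target
     * sits in the binary as plain text. */
    const char *expected = "Demo42x";

    printf("%-10s -> %d\n", "demo42X", check_code("demo42X", expected));
    printf("%-10s -> %d\n", "demo42", check_code("demo42", expected));
    printf("%-10s -> %d\n", "demo42xy", check_code("demo42xy", expected));
    return 0;
}
```

Running it prints 0 for the case-folded match and a nonzero difference for the two length mismatches, which is exactly the eax value the two test/jne pairs at 0046F4DA and 0046F502 react to.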
At this point I said to myself: how can it be that I can't use my name to register this program? Where did the "m" and the "k" come from???
That reminded me that I saw in the "String References" some weird string starting with "mk":
* Possible StringData Ref from Code Obj ->"mk67z"

:0046F4D0 BAC0F54600    mov edx, 0046F5C0
:0046F4D5 E80699F9FF    call 00408DE0          ; checking name/password
:0046F4DA 85C0          test eax, eax          ; eax=0 ?? name ok ??
:0046F4DC 0F85B0000000  jne 0046F592           ; first conditional jump
------ snip snip --------
* Possible StringData Ref from Code Obj ->"trs98z"

:0046F4F8 BAC8F54600    mov edx, 0046F5C8
:0046F4FD E8DE98F9FF    call 00408DE0          ; checking name/password
:0046F502 85C0          test eax, eax
Is this making you think of something???
Type these values in the name and password fields. Is the program registered now?
Yes, it is!! Job done.
Nothing needed...
REMEMBER, I'm doing my cracks as a hobby and challenge, so please, if you like this utility and want to keep using it, support the author and pay for it.
More than a year ago, when I started to learn how to crack, I read on +Sandman's site a tutorial about hard-coded serials/codes in the program.
I couldn't believe that I'd see this kind of protection again, but here we have one, and I can tell you that some other software from this author that I checked uses the same method, but with other strings ...:)
My thanks and gratitude go to:
The Sandman for all that he is doing for us newbies.
Rhayader for helping me with Reverse Code Engineering and useful tips.