Cracking Comments v1.3
(If they would only make it so easy for us every time)
by FanTC
(17 August 1997, slightly edited by Fravia)
Courtesy of Fravia's page of reverse engineering
Well, this is a most stupid protection indeed!
Cracking Comments v1.3
or
If they would only make it so easy for us every time...
Comments is a handy little CGI utility I came across: it takes the input
from an HTML form and dumps it into a file or an email (and it can add some
server variables etc.). It is a CGI utility (obviously) and will therefore
only run on WinNT, and you can use it only with a web server, but it is SO
stupid... just for fun: get it here.
I needed it because most emailers just can't decrypt what comes from a
browser when you directly POST to a "mailto:".
Anyways, I just let my W32DASM do its job, and I quickly came to this
code snippet:
* Referenced by a Jump at Address:004054EF(C)
|
:0040557C 8D842404010000 lea eax, [esp + 00000104]
:00405583 6A0D push 0000000D ;0Dh = 13 = length of "registration="
* Possible StringData Ref from Data Obj ->"registration=" ;this was what I had searched for
|
:00405585 68C0224300 push 004322C0
... and here were several PAGES of really ugly-looking stuff, so I
didn't go into it any further for now... I planned to use my SoftIce later
on... when I ran into THIS:
:0040565D 7418 je 00405677 ;jump OVER THE BAD_GUY
* Possible StringData Ref from Data Obj ->"Invalid registration code. Please "
->"contact Greyware for assistance"
|
:0040565F BE7C224300 mov esi, 0043227C
:00405664 8DBC2404020000 lea edi, [esp + 00000204]
:0040566B B910000000 mov ecx, 00000010 ;16 dwords
:00405670 F3 repz
:00405671 A5 movsd ;rep movsd + movsw + movsb: copy 64+2+1 = 67 bytes of the error string into the stack buffer
:00405672 66A5 movsw
:00405674 A4 movsb
:00405675 EB5A jmp 004056D1
* Referenced by a Jump at Address:0040565D(C)
|
:00405677 66A13C104300 mov ax, [0043103C] ;jump lands here
* Possible StringData Ref from Data Obj ->"Comments"
|
:0040567D 6830104300 push 00431030
:00405682 6689442414 mov [esp + 14], ax
:00405687 8D8C2488000000 lea ecx, [esp + 00000088]
:0040568E 8D442414 lea eax, [esp + 14]
:00405692 50 push eax
:00405693 8D442418 lea eax, [esp + 18]
:00405697 50 push eax
:00405698 8D44241C lea eax, [esp + 1C]
:0040569C 50 push eax
:0040569D 8D442420 lea eax, [esp + 20]
:004056A1 50 push eax
* Possible StringData Ref from Data Obj ->"%software\Cla%s%se%s\GAP\%s\Info"
|
:004056A2 680C104300 push 0043100C
:004056A7 51 push ecx
:004056A8 E8DD130000 call 00406A8A
:004056AD 8D8C24A0000000 lea ecx, [esp + 000000A0]
:004056B4 83C41C add esp, 0000001C
* Possible StringData Ref from Data Obj ->"True"
|
:004056B7 6854104300 push 00431054
* Possible StringData Ref from Data Obj ->"Registered"
|
:004056BC 6840104300 push 00431040
:004056C1 51 push ecx
:004056C2 6802000080 push 80000002 ;80000002h = HKEY_LOCAL_MACHINE
:004056C7 E814BEFFFF call 004014E0 ;args: HKLM, the key path built above, value name "Registered", expected "True"
:004056CC 83C410 add esp, 00000010
:004056CF EB08 jmp 004056D9
Now LOOK AT THIS!
"software/classes/GAP/Info"
hmm... sounds and looks like a registry key... (the path is pieced together
at run time: the format string "%software\Cla%s%se%s\GAP\%s\Info" is filled
in with a few short fragments from the stack, like the 2-byte value moved into
[esp + 14] above, which is why the whole key never shows up as one string in
the listing).
I looked into
hkey_local_machine/software/classes/GAP/Info
(which is the same as hkey_classes_root/GAP/Info)
and saw an "Install Date"... now this turned out to be interesting...
"Registered","True"
Now this sounds incredible. Could it be that...? Nah, I could not
believe it... not even a shareware programmer could ever be SO dumb.
But it was worth a try, so I went back to RegEdit and added a STRING
named "Registered" to the key above...
The value was "True" (you guessed that, didn't you? ;-)...
and believe it or not: IT WORKED.
I ran comments.exe and it said "Registered copy".
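The whole protection boils down to one string compare against a registry value that anyone can type into RegEdit. As an added example (not Greyware's code, nor anything from this page), here is that weak check next to a signed-license check in Go, with a map standing in for HKEY_CLASSES_ROOT\GAP\Info; the key pair, the "License" value name and the licensee name "ACME" are assumptions:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Registry stands in for HKEY_CLASSES_ROOT\GAP\Info (a map, not the real registry).
type Registry map[string]string

// WeakIsRegistered is the check the essay uncovers: a plain string compare
// against a value anybody can add with RegEdit.
func WeakIsRegistered(reg Registry) bool {
	return reg["Registered"] == "True"
}

// IssueLicense runs only on the vendor side: the private key signs the
// licensee name, so the stored value is useless for anyone else.
func IssueLicense(priv ed25519.PrivateKey, licensee string) string {
	return hex.EncodeToString(ed25519.Sign(priv, []byte(licensee)))
}

// StrongIsRegistered ships with the program together with the public key only.
// A hand-typed value, a forged token, or one issued for another licensee all
// fail. It still ends in a single je/jmp decision, exactly like the one at
// 0040565D above: a signature raises the bar against registry edits, not
// against patching the branch.
func StrongIsRegistered(reg Registry, pub ed25519.PublicKey, licensee string) bool {
	sig, err := hex.DecodeString(reg["License"])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(licensee), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair
	reg := Registry{"Registered": "True"}            // the RegEdit trick from the essay
	fmt.Println("weak check:", WeakIsRegistered(reg))                             // true
	fmt.Println("strong check, no license:", StrongIsRegistered(reg, pub, "ACME")) // false
	reg["License"] = IssueLicense(priv, "ACME")
	fmt.Println("strong check, real license:", StrongIsRegistered(reg, pub, "ACME")) // true
}
```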
So what did we learn?
Well, nothing new, just the old same story:
1. NEVER think that they can't be so stupid... They are.
2. Before using SoftIce and working hard to trace the calculating
routines etc., look into the executable and your disassembled text.
Nothing more to say, I believe...
Regards, FanTC
(c) FanTC 1997. All rights reserved