PhotoShop 5.0 / Digimarc 1.6.82
Commercial stupidity is alive & well
Most stupid protections award
29 June 1998
by XaVaX
Courtesy of Fravia's page of reverse engineering
slightly edited by fravia+
fra_00xx 980629 XaVaX 1100 NA PC
See: commercial stupidity, as usual... when will they learn it? Internet DOES NOT work like that... it does not make any sense to develop stupid protection schemes alone in your little provincial corner... silly limited 'regionalism' (as usual: this is also valid in all political, linguistic and cultural fields) is doomed to catastrophic petty results! Learn to exploit the "non-commercial" HUGE power of the web! You should propose a project and let a hundred UNKNOWN people make you (effective and valid) proposals for free... thattaway you would get a hundred different and valid protection schemes instead of the crap that you have "developed" (if you really want to call it 'developing') all alone by yourself inside your little premises with your -commercially lobotomized- little programmers... Read the following, stupid commercially oriented protectors & silly commercially oriented gullible clients... when will you learn it?
There is a crack, a crack in everything
That's how the light gets in

Rating
( )Beginner (x)Intermediate ( )Advanced ( )Expert
Yet another example of artificial intelligence being no match for natural stupidity.
PhotoShop 5.0 / Digimarc 1.6.82
Written by XaVaX

This is an addendum to the excellent essay by Frog's Print (frogdigi.htm) of 6/8/97 concerning the weakness of the protection applied to the Digimarc watermarking plug-in supplied with PhotoShop 4.0. As you will see, things have not changed much in the latest release included with PhotoShop 5.0.
Tools required: SoftIce 3.22 (what else?), W32DSM89, Hex WorkShop
Target's URL: http://www.digimarc.com
To keep this as short as possible I'll refer you to the essay by Frog's Print on a previous version of Digimarc for a detailed description - you can find it in the essays section on this site (6/8/97).

The file used by the Digimarc system for creating a watermark is digisign.8BF (a DLL) and it is to be found in \plug-ins\digimarc under photoshop5. The creator ID and password are stored in digimarc.ini in the same directory.

After reading the essay by Frog's Print on the previous version, I decided to see if the programmers had learnt anything since, as digisign.8BF has grown from 128 kB to 230 kB in version 1.6.82 - not much, it seems!
Run Photoshop.EXE, open an image and select FILTER/DIGIMARC/EMBED WATERMARK. We're presented with a dialog box which shows the 'Creator ID' as 'Picturemark Demo' and an adjacent 'Configure' button. Clicking the button shows a 'Change Creator ID' dialog box with 2 edit boxes. The first edit box accepts 2 digits and the second accepts up to 8 digits. From examination of the code, acceptable numbers are 10101 or >=100000 for the larger entry.

GetDlgItemTextA is called for every entered digit, so I went 'fishing' and found GetDlgItemInt to be a more expedient breakpoint for getting into the main part of the number verification routine after a short period of tracing with SoftIce.

So - BPX GetDlgItemInt and enter a number, e.g. 11-111111. Click OK and SoftIce pops up, but not quite where we want to be, so CTRL-D and on the second pop we get to this interesting block of code (F12 to get back to the Digisign DLL):
:10014AB1 FFD7 call edi ;the GetDlgItemInt call
:10014AB3 8BF8 mov edi, eax ;the hex equivalent of our number
:10014AB5 8D842418010000 lea eax, dword ptr [esp+00000118]
:10014ABC 57 push edi
:10014ABD 6848A20210 push 1002A248 ;ie valid characters etc
:10014AC2 50 push eax
:10014AC3 E8AE290000 Call 10017476 ;lots of checks on our entry
:10014AC8 83C40C add esp, 0000000C
:10014ACB 8D4C2410 lea ecx, dword ptr [esp+10]
:10014ACF 55 push ebp
:10014AD0 6848A20210 push 1002A248
:10014AD5 51 push ecx
:10014AD6 E89B290000 Call 10017476 ;ie valid characters etc
:10014ADB 8B460C mov eax, dword ptr [esi+0C]
:10014ADE 8B0E mov ecx, dword ptr [esi]
:10014AE0 83C40C add esp, 0000000C
:10014AE3 8D542410 lea edx, dword ptr [esp+10]
:10014AE7 8B4920 mov ecx, dword ptr [ecx+20]
:10014AEA 85C0 test eax, eax
:10014AEC 8D842418010000 lea eax, dword ptr [esp+00000118]
:10014AF3 52 push edx
:10014AF4 50 push eax
:10014AF5 7507 jne 10014AFE
:10014AF7 E8040FFFFF call 10005A00 ;THE REAL VALIDITY TEST
:10014AFC EB05 jmp 10014B03
:10014AFE E83D0AFFFF call 10005540
:10014B03 85C0 test eax, eax ;EAX must be non-zero
:10014B05 744F je 10014B56 ;*** blast this
:10014B07 85ED test ebp, ebp ;EBP must be non-zero
:10014B09 744B je 10014B56 ;*** blast this
:10014B0B 85FF test edi, edi ;EDI must be non-zero
:10014B0D 7447 je 10014B56 ;*** blast this
:10014B0F 8B460C mov eax, dword ptr [esi+0C]
:10014B12 85C0 test eax, eax
:10014B14 7520 jne 10014B36 ;*** blast this for good measure
:10014B16 8B5608 mov edx, dword ptr [esi+08]
:10014B19 6A01 push 00000001
:10014B1B 53 push ebx
:10014B1C 897A44 mov dword ptr [edx+44], edi
:10014B1F FF154C810110 Call dword ptr [1001814C]
With the indicated mods, going through the Configure option again with any number entry will create an entry in the digimarc.ini file. We might expect some check to be done on this data at a later time to keep the 'bad guys' locked out, but this is not so - we now have our own watermark ID which can be changed any time and as often as we like. (Obviously this is of no real value to anyone, as there is no corresponding entry in the database maintained by Digimarc for registered users.)

This was such a non-event that I went on to have a look at the possibility of changing the watermark already embedded in a picture (by a registered Creator, of course).
In very little time, with the aid of SoftIce and W32DSM, I isolated the following:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10007500(C)
|
:1000767E FF10 call dword ptr [eax]
:10007680 8B442414 mov eax, dword ptr [esp+14]
:10007684 83F801 cmp eax, 00000001
:10007687 7495 je 1000761E ;*** blast this
:10007689 83F802 cmp eax, 00000002
:1000768C 7490 je 1000761E ;*** and this
:1000768E 8B442424 mov eax, dword ptr [esp+24]
:10007692 C744241446000000 mov [esp+14], 00000046
:1000769A 85C0 test eax, eax
:1000769C 7408 je 100076A6
:1000769E C744241428000000 mov [esp+14], 00000028
Making these changes will allow a previously watermarked picture to be watermarked again with a different Creator ID, URL, options etc. Where is the security for those who have paid for this technology?
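A tamper check a defender can run over the plug-in, as an added example that is not part of this essay: a small Python PE32 reader that maps the six branch addresses named in the two listings above to file offsets and reports any whose bytes no longer hold the original opcodes. It assumes the image base 0x10000000 that W32DSM shows in the listings, and the sample image it builds is a constructed stand-in for digisign.8BF, not the real DLL.

```python
import struct

IMAGE_BASE = 0x10000000  # base W32DSM used for digisign.8BF in the listings above

# VA -> original opcode bytes of each conditional jump the essay marks "blast this".
CHECK_POINTS = {
    0x10014B05: b"\x74\x4F",  # je 10014B56 (result of the validity test in EAX)
    0x10014B09: b"\x74\x4B",  # je 10014B56 (EBP must be non-zero)
    0x10014B0D: b"\x74\x47",  # je 10014B56 (EDI must be non-zero)
    0x10014B14: b"\x75\x20",  # jne 10014B36
    0x10007687: b"\x74\x95",  # je 1000761E (picture already watermarked, status 1)
    0x1000768C: b"\x74\x90",  # je 1000761E (picture already watermarked, status 2)
}

def parse_sections(data):
    """Minimal PE32 reader: list of (vaddr, vsize, raw_ptr, raw_size) per section."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    first = pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]  # after optional header
    hdrs = [struct.unpack_from("<IIII", data, first + i * 40 + 8) for i in range(nsect)]
    return [(vaddr, vsize, rptr, rsize) for vsize, vaddr, rsize, rptr in hdrs]
def va_to_offset(va, sections):
    """Map a listing address to a file offset, or None if no section maps it."""
    rva = va - IMAGE_BASE
    for vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rptr + rva - vaddr
    return None
def find_patched_branches(data):
    """Return the check-point addresses whose bytes no longer match the listing."""
    sections = parse_sections(data)
    return sorted(va for va, orig in CHECK_POINTS.items()
                  if (off := va_to_offset(va, sections)) is None or data[off:off + 2] != orig)
def build_sample_image():
    """Constructed stand-in for the DLL (not the real file): one .text section at RVA 0x1000."""
    text_rva, text_raw, text_size, pe = 0x1000, 0x200, 0x20000, 0x80
    text = bytearray(text_size)  # zeros except the original bytes at each check point
    for va, orig in CHECK_POINTS.items():
        struct.pack_into("2s", text, va - IMAGE_BASE - text_rva, orig)
    hdr = bytearray(text_raw)
    hdr[:2], hdr[pe:pe + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, pe)
    struct.pack_into("<H", hdr, pe + 6, 1)     # NumberOfSections
    struct.pack_into("<H", hdr, pe + 20, 96)   # SizeOfOptionalHeader (PE32)
    hdr[pe + 120:pe + 128] = b".text\0\0\0"   # section table starts after the optional header
    struct.pack_into("<IIII", hdr, pe + 128, text_size, text_rva, text_size, text_raw)
    return bytes(hdr + text)
```

Against the real file, `find_patched_branches(open(path, "rb").read())` returns an empty list when all six branches still carry the opcodes shown in the listings.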
In defense of Digimarc, private individuals can obtain for free a valid ID number for their own use in watermarking their own creations. Corporate users pay an annual fee of $99 US and receive support in tracking their art on the net as well as other services. This is quite reasonable, except for the fact that the miserable protection on this clever technology makes it absolutely worthless for anyone expecting some security for their creations.
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.