fra_00E7 980216 Hal 1000 NA PC

I reckon you should try Opera... it deserves it... should this browser ameliorate... well, it needs some ameliorations for sure, see the interesting add-on by Lord Lucifer at the bottom, with some advice the Opera authors would be well advised to take into consideration for their future versions... Anyway, if this Opera browser is ameliorated (by the authors or by us :-) we'll begin to use it even more seriously, maybe even as a WEAPON against the bugged 'big (overbloated) two'... what about an Opera-only section of this site? All slaves using the commercial browsers out unless they at least try to use this nice browser! You have here a very easy, beginner-oriented cracking essay, which I publish clearly in the hope to HELP Opera... don't think they will lose anything from this, quite the contrary, since Opera is anyway everywhere to have (actually "to steal") already regged (I checked), and because I believe that if some serious reversers begin to study the inner 'guts' of Opera, and to propose some ameliorations to it (as we will -maybe- do in our 'our tools' section, if need be), this browser will have much more chances to survive. And survive (and eventually triumph) it deserves, IMO. And now enjoy this easy yet interesting session... and USE OPERA, or at least try it out and send your proposals for ameliorations...
I first met it surfing around Mammon's homepage. I rushed to download it and everything started: I began to look around and finally I managed to bypass the simple protection.
Well, run it a couple of times (I'm referring to version 3.10): as you can see it asks for Name, Organization and Serial Number. Let's try to make it happy! Type in whatever it wants for both name and organization. Unless you're very lucky the s/n you typed in won't be the good one: it says "Invalid...". But it seems we're lucky anyway: the window seems to be created by a MessageBox call (remember: Windows has standard icons for MessageBoxes, so when you see one you already know which API to break on!), so let's set
 > bpx MessageBoxA
Try to "register" again and you'll land in SoftICE. F12 (P RET) runs until the function returns: hit OK in the box and you're back in the caller.
Well, let's begin: 
  
 * Reference To: USER32.MessageBoxA, Ord:0195h
                                  |
:0049E370 FF159C8B4E00            Call dword ptr [004E8B9C]  ; call to messageboxa
* Referenced by a   Jump at Address:0049E331(C)
|
:0049E376 5D                      pop ebp
:0049E377 C3                      ret
You land here, on the instruction right after the call. F12 once more and you are in:
 * Referenced by a   Jump at Address:0045A4A1(U)
|
:0045A4A8 8D8588FEFFFF            lea eax, dword ptr [ebp+FFFFFE88]
:0045A4AE 50                      push eax
:0045A4AF 57                      push edi
:0045A4B0 E8703E0400              call 0049E325
:0045A4B5 83C410                  add esp, 00000010 ;you are here 
:0045A4B8 5F                      pop edi
:0045A4B9 5E                      pop esi
:0045A4BA C9                      leave
:0045A4BB C21000                  ret 0010 
I had a look around, but as I couldn't find the heart of the protection scheme just by tracing, I used the dead-listing approach. Start W32Dasm and disassemble Opera.exe (it takes a while to create an 18 Mb listing!).
Now all we have to do is search the listing for the code that references the "Invalid registration..." string:
:00449D73 8BCE                    mov ecx, esi
:00449D75 E824010000              call 00449E9E
:00449D7A 85C0                    test eax, eax
:00449D7C 7509                    jne 00449D87
:00449D7E 57                      push edi
:00449D7F 57                      push edi
* Possible Reference to String Resource ID=20099: "Invalid registration code. Please check..."
                                  |
:00449D80 68834E0000              push 00004E83
:00449D85 EB30                    jmp 00449DB7 
Hey, wait a moment, look at 00449D7C: a conditional jump! And it jumps over the nag! Well, it's done! Put a bpx on the jne:
 > bpx 00449D7C
leave SoftICE (X or F5) and try to register, blam, you are on the jne. Change the Z flag (R FL, or click it in the register window) so that the jump is taken and it'll let you go: you old good guy! Leave SoftICE again and the nag's gone. You are in.
But, even if now it seems to be all right, what happens when we come back?
NO!! The nag, again.
It wasn't so easy after all! Hey, it now knows my name and my organization, how is that possible?
Well, after a session with Filemon I discovered it uses a file, Ousr310.dat, to save the registration data: if we delete it we'll have a clean nag again (yes, I know I'm using Filemon but I didn't put it in the tool section... well, don't worry, we won't use it any further).
After jumping around the code a lot, I discovered hot water (that is, the obvious): always try the easiest, the most-obvious-it-can't-be-so-easy way before everything else!
Look at the call at
:00449D75 E824010000              call 00449E9E
it's just before our check, and its return value in eax is exactly what the jne tests.
 * Referenced by a CALL at Addresses:00449C1E  ,:00449C7C  ,:00449D75  ,:0049B4A7   
|
:00449E9E 55                      push ebp
:00449E9F 8BEC                    mov ebp, esp
:00449EA1 83EC10                  sub esp, 00000010
:00449EA4 56                      push esi
:00449EA5 8B7508                  mov esi, dword ptr [ebp+08]
:00449EA8 85F6                    test esi, esi
:00449EAA 7435                    je 00449EE1
:00449EAC 56                      push esi ; esi -> the serial you typed: try d esi
:00449EAD E81E800700              call 004C1ED0 ; length of the serial (my guess, from the cmp below)
:00449EB2 83F80C                  cmp eax, 0000000C ; must be exactly 12 characters
:00449EB5 59                      pop ecx
:00449EB6 7529                    jne 00449EE1 ; Bad guy / Good guy -> NOP it
:00449EB8 8D45F0                  lea eax, dword ptr [ebp-10] ; local 16-byte buffer
:00449EBB 56                      push esi
:00449EBC 50                      push eax
:00449EBD E82E810700              call 004C1FF0 ; called with (buffer, serial): copies the serial into the buffer (guess)
:00449EC2 59                      pop ecx
:00449EC3 8D45F0                  lea eax, dword ptr [ebp-10]
:00449EC6 59                      pop ecx
:00449EC7 50                      push eax
:00449EC8 E87EFFFFFF              call 00449E4B ; works on the buffer: here the good code is computed
:00449ECD 59                      pop ecx ; ecx -> the buffer
:00449ECE 8D45F0                  lea eax, dword ptr [ebp-10] ; eax -> the buffer too: try d ecx or d eax
:00449ED1 56                      push esi
:00449ED2 50                      push eax ; called with (buffer, serial): your serial against the good one
:00449ED3 E878800700              call 004C1F50
At 00449EB6, if you failed the check at 00449EB2 (the serial must be exactly 12 characters long), you're obviously a bad guy!
If you can reach 00449ECE you (surely a good guy) will be surprised to find in ecx and eax (both point to the buffer at [ebp-10]) your code: it has been calculated just for you! Take a pen and write it down!
If instead you want to bypass the protection scheme, you just have to NOP the jne at 00449EB6 (75 29 -> 90 90) and make the conditional jump at 00449D7C an unconditional one (75 09 -> EB 09):
:00449D75 E824010000              call 00449E9E
:00449D7A 85C0                    test eax, eax
:00449D7C 7509                    jne 00449D87
:00449D7E 57                      push edi 
Patch it, run it and you'll have the regged version of a browser that seems to be even better than Netscape, and it's so much smaller!
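As an added example (not part of the original essay, and not Opera's own code): a small Python patcher that applies exactly the two byte changes described above to a copy of Opera.exe. W32Dasm and SoftICE show virtual addresses, so the script translates them to file offsets through the PE section table, and it refuses to write anything unless the original bytes 75 29 and 75 09 are really found at those addresses, which keeps you from corrupting a different build. The image built by make_fake_pe() is a constructed stand-in, used only so the script can be run offline; the section layout it uses is an assumption, not Opera's.

```python
"""Apply the two byte patches from the essay to a PE32 file, safely.

Added example, not the essay's code. Virtual addresses are translated to file
offsets via the PE section table, and the original bytes are verified before
anything is overwritten.
"""
import struct
import sys

# (virtual address, original bytes expected there, replacement bytes)
PATCHES = [
    (0x00449EB6, b"\x75\x29", b"\x90\x90"),  # jne 00449EE1 -> nop nop   (12-char length check)
    (0x00449D7C, b"\x75\x09", b"\xEB\x09"),  # jne 00449D87 -> jmp 00449D87 (always skip the nag)
]


def parse_pe(data):
    """Return (ImageBase, [(VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData), ...])
    of a PE32 image. Only the header fields needed for address translation are read."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    pos = opt + opt_size
    for _ in range(num_sections):
        _name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, pos)
        sections.append((vaddr, vsize, rptr, rsize))
        pos += 40
    return image_base, sections


def va_to_offset(va, image_base, sections):
    """Translate a virtual address (as shown by W32Dasm/SoftICE) to a file offset."""
    rva = va - image_base
    for vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            if delta >= rsize:  # in the section's virtual span but not stored in the file
                raise ValueError("%08X lies in uninitialised data, not in the file" % va)
            return rptr + delta
    raise ValueError("%08X is not inside any section" % va)


def apply_patches(data, patches=PATCHES):
    """Return a patched copy of data. Every expected original byte sequence must be
    present, so a different build is rejected instead of being corrupted."""
    image_base, sections = parse_pe(data)
    buf = bytearray(data)
    for va, expect, new in patches:
        off = va_to_offset(va, image_base, sections)
        found = bytes(buf[off:off + len(expect)])
        if found != expect:
            raise ValueError("%08X (file offset %#x): expected %s, found %s"
                             % (va, off, expect.hex(), found.hex()))
        buf[off:off + len(new)] = new
    return bytes(buf)


def make_fake_pe():
    """Constructed offline test input, NOT Opera: a PE32 skeleton with one .text
    section mapped at RVA 0x1000 (raw data at file offset 0x400) that holds the
    two original jne opcodes at the essay's addresses."""
    image_base, text_rva, text_raw, text_size = 0x00400000, 0x1000, 0x400, 0x49000
    hdr = bytearray(text_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF: i386, 1 section
    opt = 0x98
    struct.pack_into("<H", hdr, opt, 0x10B)  # PE32 magic
    struct.pack_into("<I", hdr, opt + 28, image_base)
    struct.pack_into("<8sIIII", hdr, opt + 0xE0, b".text", text_size, text_rva, text_size, text_raw)
    body = bytearray(text_size)
    for va, expect, _ in PATCHES:
        off = va - image_base - text_rva
        body[off:off + len(expect)] = expect
    return bytes(hdr + body)


if __name__ == "__main__":
    # usage: python patch_opera.py Opera.exe  (writes Opera.exe.patched, the original is left alone)
    if len(sys.argv) < 2:
        print("self-test on a constructed image:", apply_patches(make_fake_pe()) != make_fake_pe())
    else:
        with open(sys.argv[1], "rb") as f:
            patched = apply_patches(f.read())
        with open(sys.argv[1] + ".patched", "wb") as f:
            f.write(patched)
```

Running it a second time on the already patched file raises an error, because 90 90 and EB 09 are no longer the expected original bytes; that is the check you want from any patcher before it touches a binary.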
I didn't believe I would manage to bypass the protection scheme, I am just a beginner: this makes me think that this nice program wasn't very strongly protected!
 I am sorry for my English!  Thanks to: 
 +ORC -> his essays are invaluable!! 
 fravia+ -> one of the most interesting sites of the whole Net.
            I think Fravia's home page is a sort of fractal: 
            you can spend hours and hours there and you always 
            see something new, something interesting you didn't 
            notice before, and it grows and it grows... 
 
 +GreyThorne -> Censorship will never win as long as there are people who 
                want to look inside "the black box" to understand 
                how it works.   