EnTray-Vous, Merci
Or, "How NOT to use the Registry to protect your software"
by Mammon_
(27 August 1997)
Courtesy of Fravia's page of reverse engineering
Well, here is the letter I got from the author:
I'm not much one for contributing essays, but this has got to be the
stupidest protection scheme I have ever come across. I cracked this program at
work in under 3 minutes, breaking my previous record with QuickViewPlus 4.0 (a
5 or so minute BMSG approach done while on the phone... very expedient ;),
and was so shocked by the poor programming in terms of security and in general
that I had to stop using the program. I passed it on to another aspiring
cracker and told him to crack it without w32dasm or Soft-Ice as an exercise...
Fravia:
And this essay indeed contains an important lesson for all shareware
programmers: try at least not to be OBVIOUS... what's the point of a protection
scheme so weak that you don't even need to dead list it (let alone winice it) to
crack it in 2 minutes flat? I know, I know... these "programmers" are not "real"
programmers... they just assemble toy applications after having read "Teach yourself
Visual Basic for Windows 95 in 21 days" or some other crap like that... yet, c'mon,
dear protectionist reader... if you have made it to this page you should know better how to protect a program
(and how to deprotect it if need be :-)
EnTray-Vous, Merci
Target: EnTray Version 1.3, by Akshay R
EXE Size: 48.5 K
Zip File: 661.8 K
Distribution: Tucows (http://207.155.78.240/files/entray13.zip)
The protection scheme used on this software was so simple to defeat that I
am embarrassed to even be writing about it; in fact it has so diminished my
respect for the programmer that I cannot bring myself to even use the
software anymore.
And what software is this?
It is EnTray, a program which, like TrayIcon, allows you to put any
shortcut you like (for example, the Soft-Ice Symbol Loader or BaseCalc) on
your TaskBar.
It is shareware, and very easy to use... even easier to configure than
TrayIcon. The program is 48.5 K and comes with a 987K .dll file (mfc42.dll,
hmmm, what could this have been written using-- Delphi? Pascal? No wait, I'll
get it, hold on...) -- as far as I'm concerned, yet another reason to use
"static" instead of "shared" libraries when compiling MFC (or any C++/VB)
applications. There is no reason a program with a max size of maybe 100K
should be distributed with over 1 MB of binary files.
Every detail of an application is a clue as to how to crack it. I took the
marriage of a 987K .dll with a 49K .exe to indicate that I would need neither
Soft-Ice nor W32DASM.
The biggest lesson to be gained from EnTray is to never make things more
complicated than they need be.
Stage 1: Information gathering
EnTray comes with numerous help files in HTML format (another sign...);
I only bothered to unzip REGN.HTM, in which the author states:
"On receipt of your registration request, I will send you a registration
program which you will need to run in order to register EnTray to your name.
The registered version differs from the downloadable version in only two
respects:
The About Box does not appear on starting up EnTray and EnTray silently
installs itself;
The About Box (when you choose to bring it up) acknowledges that your
copy of EnTray is licensed to you."
When you run EnTray, a small nag screen pops up telling you that the
software is UNREGISTERED. The first thing that comes to mind is to kill the
nag screen with a resource editor; but BRW gives an "Unknown File Format"
error, and Symantec Resource Studio gives an "Invalid Bitmap Header" error,
probably due to calls into the MFC .dll.
Next step: right-click on EnTray.exe and choose QuickView, scroll down to
the Imports Section. Hmmm, MFC, MSVCRT (MS Visual C++ Runtime Library), Kernel,
User, GDI, and... ah, ADVAPI32.DLL, infamous for its registry access calls.
Sure enough, EnTray imports
RegCreateKeyExA,
RegSetValueExA,
RegQueryValueExA, and
RegOpenKeyExA.
Door #1 is therefore the Windows 95 Registry.
Stage 2: Runtime Monitoring
The best thing to do when a program accesses the Registry is, of course,
to run RegMon, which gives us the following output:
30435 OpenKey LOCAL\Software\Akshay\Entray\1.0 SUCCESS
30436 QueryValueEx LOCAL\Software\Akshay\Entray\1.0\REG NOT FOUND
This seems fairly straightforward: EnTray is looking for a value named
"REG" in HKEY_LOCAL_MACHINE\Software\Akshay\Entray\1.0, and as the
program is not registered it is not finding it.
So using RegEdit, create a string value in the above key, name
it REG and give it a value of 1 for "True".
Restart EnTray...Bingo! No nag screen. Your product is now registered.
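The RegMon output above was read by eye; as an added example (my own code, not part of the essay or of EnTray), here is a small Python parser for that line layout that lists, per application key, the value names a program queried and did not find, which is exactly the tell spotted in Stage 2. The sample log is constructed: only the two EnTray lines are the ones quoted above, the rest are made up filler.

```python
import re
from collections import defaultdict

# Constructed sample in RegMon's output layout (sequence number, operation,
# key path, result). Lines 30435 and 30436 are the two quoted in the essay;
# the other lines are invented filler, including a header that will not parse.
SAMPLE_LOG = """\
RegMon constructed sample, not a real capture
30433 OpenKey   LOCAL\\Software\\Microsoft\\Windows\\CurrentVersion SUCCESS
30434 QueryValueEx LOCAL\\Software\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir SUCCESS
30435 OpenKey LOCAL\\Software\\Akshay\\Entray\\1.0 SUCCESS
30436 QueryValueEx LOCAL\\Software\\Akshay\\Entray\\1.0\\REG NOT FOUND
30437 QueryValueEx LOCAL\\Software\\Akshay\\Entray\\1.0\\WindowPos SUCCESS
30438 CloseKey LOCAL\\Software\\Akshay\\Entray\\1.0 SUCCESS
30439 QueryValueEx LOCAL\\Software\\ExampleCo\\Tool\\TrialDays NOT FOUND
"""

# seq, op, path (no spaces in RegMon paths), then the result, which may be
# more than one word ("NOT FOUND").
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\s+(\S+)\s+(.+?)\s*$")


def parse_regmon(text):
    """Yield (seq, op, path, result) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4)


def missing_values_by_key(text, skip_prefix="LOCAL\\Software\\Microsoft"):
    """Map each key (outside the OS's own hive) to the value names the program
    asked for and did not find. A program's own key being probed for an absent
    value is the pattern that gave the EnTray check away."""
    missing = defaultdict(list)
    for _seq, op, path, result in parse_regmon(text):
        if op != "QueryValueEx" or result != "NOT FOUND":
            continue
        if path.startswith(skip_prefix):
            continue
        key, _, value = path.rpartition("\\")
        missing[key].append(value)
    return dict(missing)


if __name__ == "__main__":
    for key, values in missing_values_by_key(SAMPLE_LOG).items():
        print(key, "->", ", ".join(values))
```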
Stage 3: Disgust
Granted, this pretty weak protection scheme is for a program that was
probably written more for personal use than for commercial distribution;
I can accept that.
But, the one criticism I will offer before deleting the program from my
system: try at least to be less than obvious...if nothing else, DO NOT call
the "magic registry key" REG -- call it MRU or WindowPos, or HCU, and put it
in HKEY_CURRENT_CONFIG/Display/Settings or any other key that the system accesses
frequently; the HKLM/Software key added by your program should only contain
settings regarding user preferences and file locations, not the key to
your whole protection scheme.
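As an added contrast (my own example, not EnTray's code and not something the essay proposes), the snippet below simulates the registry with a dict and puts the bare-flag check described in Stage 2 next to a check that binds the stored value to the licensee name with a keyed hash. The secret, the value names Licensee and LicenseToken, and the licensee name are assumptions.

```python
import hashlib
import hmac

ENTRAY_KEY = r"HKLM\Software\Akshay\Entray\1.0"


def make_registry():
    """Hypothetical stand-in for the registry: {key_path: {value_name: data}}."""
    return {ENTRAY_KEY: {"WindowPos": "10,10"}}


def is_registered_weak(reg):
    """The scheme the essay describes: any non-empty REG value means 'registered'."""
    return bool(reg.get(ENTRAY_KEY, {}).get("REG"))


# Assumed build-time secret compiled into the program (nothing from EnTray).
# Whoever extracts it from the binary can mint tokens, so this only removes the
# RegEdit route; it does not make the program uncrackable.
PRODUCT_SECRET = b"example-secret-do-not-ship-like-this"


def make_license_token(licensee):
    """Token the vendor would issue for a given licensee name."""
    return hmac.new(PRODUCT_SECRET, licensee.encode("utf-8"), hashlib.sha256).hexdigest()


def is_registered_bound(reg):
    """Registered only if the stored token matches the stored licensee name."""
    values = reg.get(ENTRAY_KEY, {})
    licensee, token = values.get("Licensee"), values.get("LicenseToken")
    if not licensee or not token:
        return False
    expected = make_license_token(licensee)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected.encode("utf-8"), str(token).encode("utf-8"))


def demo():
    """Walk through the four states; returns the outcome of each check."""
    reg = make_registry()
    untouched = (is_registered_weak(reg), is_registered_bound(reg))
    reg[ENTRAY_KEY]["REG"] = "1"                      # the RegEdit edit from Stage 2
    flag_only = (is_registered_weak(reg), is_registered_bound(reg))
    reg[ENTRAY_KEY]["Licensee"] = "mammon_"
    reg[ENTRAY_KEY]["LicenseToken"] = "1"             # guessed, not issued
    guessed = is_registered_bound(reg)
    reg[ENTRAY_KEY]["LicenseToken"] = make_license_token("mammon_")
    issued = is_registered_bound(reg)
    return untouched, flag_only, guessed, issued
```

The string-value trick from Stage 2 flips the weak check and leaves the bound check at False; only a token actually derived from the licensee name passes it.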
_m
_m 1997: All rights reversed. Hail Eris!