October 1998
"CSE HTML Validator v3.01" (Turning HTML Validator into its Key Generator)
Win '95/'98 PROGRAM - Win Code Reversing
by Punisher

Cracking 4 Newbies

Program Details
Program Name: Csesetup.exe
Program Type: HTML Validator
Program Location: http://www.htmlvalidator.com/
Program Size: 1.61 mb

Tools Used:
Softice 3.2 - Debugger
Hacker's View 5.92 - Hex Editor

Rating
Easy ( X ) Medium ( ) Hard ( ) Pro ( )

There is a crack, a crack in everything. That's how the light gets in.

CSE HTML Validator 3.01
(Changing a program into its own KeyGen)
Written by Punisher
Introduction
"CSE HTML Validator is part of an HTML
development environment. Before publishing HTML documents, especially
documents created manually or with a 'dumb' HTML editor, you should
have the documents checked for syntactical errors. HTML Validator
functions as that checker, helping make sure that your documents are
written in correct syntax to help ensure that they are viewed as
intended in a variety of HTML browsers."
About this protection system
The program uses your name to calculate the registration key.
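The weakness behind this kind of scheme is worth seeing next to its fix. The following is example code written for this write-up, not CSE HTML Validator's code: the derivation, the salt and the RSA parameters are constructed toys. The first checker computes the valid key from the name and compares it with what was typed, so the valid key is echoed into a buffer and the whole decision collapses to one flag. The second checker holds only a public key and verifies the typed key as a signature over the name, so no code inside the program can produce a key and none is ever computed on the user's machine.

```python
import hashlib
import hmac

# --- 1) Symmetric name -> key derivation: the design this essay takes apart ---
TOY_SALT = b"toy-salt-not-a-real-product-secret"   # assumed constant baked into the program

def derive_key(name: str) -> str:
    """Stand-in for a routine like the target's call 0042F398: derives the valid key
    from the name. Constructed toy derivation, not the real product's."""
    digest = hashlib.sha256(TOY_SALT + name.encode("utf-8")).hexdigest()
    return digest[:10].upper()

def check_echoing(name: str, entered: str) -> bool:
    """Vulnerable pattern: the real key is materialised in memory ('memory echo')
    right next to the fake one, and the outcome is a single compare that a
    debugger can read or flip."""
    real_key = derive_key(name)            # the valid key now sits in a local buffer
    return entered == real_key

# --- 2) Asymmetric verification: the program ships only (N, E) ---
# Textbook RSA with small constructed parameters (far too small for real use;
# they keep the example readable and self-contained).
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
PRIVATE_D = pow(E, -1, (P - 1) * (Q - 1))   # vendor-only value, never shipped in the product

def _name_digest(name: str) -> int:
    # 56-bit digest keeps the signed value below N
    return int.from_bytes(hashlib.sha256(name.encode("utf-8")).digest()[:7], "big")

def issue_key(name: str) -> str:
    """Vendor side: sign the name. Lives on the vendor's server, not in the product."""
    return format(pow(_name_digest(name), PRIVATE_D, N), "X")

def check_signed(name: str, entered: str) -> bool:
    """Hardened pattern: treat the typed key as a signature over the name and verify
    it with the public key only. The program never computes a valid key."""
    try:
        sig = int(entered, 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    expected = b"\x00" + _name_digest(name).to_bytes(7, "big")
    recovered = pow(sig, E, N).to_bytes(8, "big")   # N < 2**60, so 8 bytes suffice
    return hmac.compare_digest(expected, recovered)

if __name__ == "__main__":
    print("echoing, real key typed :", check_echoing("Punisher", derive_key("Punisher")))
    print("echoing, fake key typed :", check_echoing("Punisher", "3333333"))
    key = issue_key("Punisher")
    print("signed, issued key      :", check_signed("Punisher", key))
    print("signed, fake key        :", check_signed("Punisher", "3333333"))
```

Signed keys remove the memory echo: the only key the program ever holds is the one the user typed, and nothing in the binary can derive another. They do not by themselves stop someone from patching the final branch; that needs code-integrity checks on top.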
The Essay
We will use the memory echo to find the valid registration key for HTML Validator. Then we will turn this target into its own key generator.
Well, enough with the talk.
Install the target and have a look at the different features.
You will notice that it has the word unregistered in the title bar,
which sucks.
Choose the File menu and select Register Program. You will be presented
with a dialog box with two fields, to enter your name and registration code.
Type in your name. I use 'Punisher'. Then type in a fake registration key. I use '3333333'.
Enter softice by pressing ctrl-d. Let's set a break point on GetDlgItemTextA.
-- BPX GetDlgItemTextA
Now leave softice by pressing ctrl-d. We are back in the registration dialog box.
Press the Ok button and softice breaks on GetDlgItemTextA. Since there are two calls to GetDlgItemTextA, one to get our name and one for the
reg key, type x and press enter to let softice run. It will break on GetDlgItemTextA again.
Now press F11 to get back to the caller. You will see the following code.
Call User32!GetDlgItemTextA
lea ecx, [ebp+FFFFFE00]      ; you land here after pressing F11
push ecx
call 0043BA14
pop ecx
cmp eax, 05
jl 004312B9
cmp eax, 50
jge 004312B9
lea eax, [ebp+FFFFFA00]
push eax
lea edx, [ebp+FFFFFE00]      ; your name is in edx here
push edx                     ; 'd edx' to see it
call 0042F398                ; -- this call calculates the
add esp, 00000008            ;    correct serial number
lea ecx, [ebp+FFFFFC00]      ; your fake serial is in ecx
push ecx                     ; to see it 'd ecx'
lea eax, [ebp+FFFFFA00]      ; the real serial is loaded into eax
push eax                     ; to see it 'd eax'
call 0043B998
add esp, 00000008
test eax, eax
jnz 004312B9
xor esi, esi
test esi, esi
jnz 004312D2                 ; bad cracker bug-off jump
push 00010040
push 0045F887
push 0045F7D7
push ebx
Call USER32!MessageBoxA      ; shows the accepted registration message box
test esi, esi
je 00431306                  ; here is where the bug-off jump goes to
push 00000200
push 00000000
lea eax, [ebp+FFFFFA00]
push eax
call 0043B8B8                ; -- this call deletes the real reg key
add esp, 0000000C            ;    from memory, so we will nop it out (5 nops)
push 00010010
push 0045FA12
push 0045F8AD                ; -- this is the address of the text in the failed
push ebx                     ;    messagebox; we will change that to push eax and
Call USER32!MessageBoxA      ;    nop the rest of the bytes (4 nops)
After coming back from the call to GetDlgItemTextA we land at
lea ecx, [EBP+FFFFFE00]
Trace through the code using F10 until you get to
lea edx, [EBP+FFFFFE00]
Your name is loaded into edx. To see it, dump the memory by typing "d edx" and pressing enter; you will see your name.
Now trace using F10 to the next call, which is
call 0042F398
This call calculates the serial number for the name entered and stores it in the buffer at [EBP+FFFFFA00], the one loaded into eax a few instructions later.
Trace using F10 to
lea ecx, [EBP+FFFFFC00]
Now dump ecx ("d ecx") and you will see your fake serial number.
Trace using F10 again to
lea eax, [EBP+FFFFFA00]
Here the real serial number is loaded into eax.
Type "d eax" to see the real serial number.
You can now disable your breakpoint by typing bd * and exit softice by pressing x, then enter the real serial for your name and the program
will be registered. Or you can continue and change the program into a key generator.
KEYGEN
Trace with F10 to
test esi, esi
jnz 004312D2
This is where the program tests whether the serial number is correct or not. If it is correct it does not jump, and continues to
execute the instructions after the jump, which set up the message telling you your registration is accepted.
If the test fails then the program jumps to the failure path, where the call 0043B8B8 wipes the real reg key from memory (see the listing above). The bytes of that call are
E8CFA50000
We will replace them (using a hex editor) with
9090909090
We trace using F10 to this piece of code
push 00010010
push 0045FA12
push 0045F8AD
push ebx
call USER32!MessageBoxA
The MessageBoxA function takes four parameters; these are pushed on the stack before the function is called.
The third push is the address of the text to be displayed in the
messagebox. We will replace this push with push eax, which contains the address of the real serial number.
The third push is five bytes and push eax is only one byte, so we will have to nop the next four bytes after push eax.
The code for push 0045F8AD is
68ADF84500
We will replace this with
5090909090
You must now write down the codes to search for and those
to replace them with. Get out of softice (ctrl-d).
Now use your hex editor to do the rest. I use hiew.
Open up Htmlval30.exe in hiew592
1. Press F4 then F3 to get code view.
2. Press F7 and enter E8CFA50000. Then press enter to search.
3. When Hiew finds it, press F3 to edit and enter 9090909090.
4. Now press F9 to save.
Now do steps 1 to 4 with the other two codes:
search for 68ADF84500 and replace it with 5090909090
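The byte arithmetic above (a five-byte push imm32 becoming push eax plus four nops, a five-byte call rel32 becoming five nops) and the way a vendor would notice such an edit are easier to see in code. The following is an added example written for this write-up, not code from the essay or from the product: a tiny decoder for the handful of 32-bit x86 encodings involved (E8 call rel32, 68 push imm32, 50 push eax, 53 push ebx, 90 nop, 83 C4 add esp, imm8), an instruction-level tamper report, and the hash self-check that catches any such change. Only E8CFA50000 and 68ADF84500 are bytes quoted on the page; the surrounding bytes are assembled by me from the listing's mnemonics, and the base address 0x004312E4 is an assumption chosen so that the call's rel32 resolves to the 0043B8B8 shown in the listing.

```python
import hashlib
import hmac

# ASSUMED base address: picked so that E8 CF A5 00 00 resolves to call 0043B8B8
# (target = next_ip + rel32, so next_ip = 0x0043B8B8 - 0xA5CF = 0x004312E9).
BASE = 0x0043B8B8 - 5 - 0xA5CF   # = 0x004312E4

# Constructed excerpt of the failure path. Only E8CFA50000 and 68ADF84500 are
# quoted on the page; the other encodings are assembled from the listing's mnemonics.
ORIGINAL = bytes.fromhex(
    "E8CFA50000"    # call 0043B8B8   (wipes the real key)
    "83C40C"        # add esp, 0C
    "6810000100"    # push 00010010
    "6812FA4500"    # push 0045FA12
    "68ADF84500"    # push 0045F8AD   (text pointer of the failure MessageBoxA)
    "53"            # push ebx
)

# The same region after the two five-byte edits described in the essay.
PATCHED = bytes.fromhex(
    "9090909090"    # five nops in place of the call
    "83C40C"
    "6810000100"
    "6812FA4500"
    "5090909090"    # push eax + four nops in place of push 0045F8AD
    "53"
)

ONE_BYTE = {0x50: "push eax", 0x53: "push ebx", 0x90: "nop"}

def decode(code: bytes, base: int) -> list[tuple[int, int, str]]:
    """Decode the subset of x86 used above into (address, length, text) tuples.
    Unknown bytes are emitted as 'db XX' so the walk never desynchronises silently."""
    out, i = [], 0
    while i < len(code):
        addr, op = base + i, code[i]
        if op == 0xE8 and i + 5 <= len(code):                           # call rel32
            rel = int.from_bytes(code[i + 1:i + 5], "little", signed=True)
            out.append((addr, 5, f"call {addr + 5 + rel:08X}"))
            i += 5
        elif op == 0x68 and i + 5 <= len(code):                         # push imm32
            imm = int.from_bytes(code[i + 1:i + 5], "little")
            out.append((addr, 5, f"push {imm:08X}"))
            i += 5
        elif op == 0x83 and i + 3 <= len(code) and code[i + 1] == 0xC4:  # add esp, imm8
            out.append((addr, 3, f"add esp, {code[i + 2]:02X}"))
            i += 3
        elif op in ONE_BYTE:
            out.append((addr, 1, ONE_BYTE[op]))
            i += 1
        else:
            out.append((addr, 1, f"db {op:02X}"))
            i += 1
    return out

def tampered_instructions(original: bytes, current: bytes, base: int) -> list[tuple[int, str]]:
    """Report each known-good instruction whose bytes differ in the current image.
    Walking the original keeps the report in instruction units even when a
    five-byte instruction has been turned into five one-byte nops."""
    hits = []
    for addr, length, text in decode(original, base):
        off = addr - base
        if original[off:off + length] != current[off:off + length]:
            hits.append((addr, text))
    return hits

def image_hash(code: bytes) -> str:
    """Reference digest a program would keep for its own code section."""
    return hashlib.sha256(code).hexdigest()

def verify_image(code: bytes, expected_hex: str) -> bool:
    """Integrity self-check: any single-byte change, a nop included, fails this."""
    return hmac.compare_digest(image_hash(code), expected_hex)

if __name__ == "__main__":
    for addr, _, text in decode(ORIGINAL, BASE):
        print(f"{addr:08X}  {text}")
    print("tampered:", [(f"{a:08X}", t) for a, t in tampered_instructions(ORIGINAL, PATCHED, BASE)])
    print("patched image verifies:", verify_image(PATCHED, image_hash(ORIGINAL)))
```

The decoder shows why the edit sizes are what they are: the call and the push imm32 are both five bytes, so their replacements must total five bytes or every later address in the function shifts. The tamper report names the two instructions the essay changes, and the hash check rejects the patched image outright, which is the cheap defence a vendor gets for keeping a digest of its own code.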
Now whenever you run HTML Validator and choose the 'File Register Program' item it will bring up a dialog box with the correct Reg Key / Serial Number for the name you entered.
Well isn't that nice.
You should buy this program if you intend to use it longer than the
evaluation period.