Cracking Comments v1.3
(If they would only make it so easy for us every time)
HCU

by FanTC

(17 August 1997, slightly edited by Fravia)


Courtesy of Fravia's page of reverse engineering

Well, this is a most stupid protection indeed!


                 Cracking Comments v1.3
                          or
If they would only make it so easy for us every time...


Comments is a handy little CGI-utility I came across, it just takes
inputs from a HTML-form and dumps them into a file or an email (and it
can add some server variables etc). It is a CGI-utility (obviously) and
will therefore only run on WinNT and you can use it only with a
Web-Server, but it is SO stupid... just for fun: get it here)
I needed it because most emailers just can't decrypt what comes from a
browsers when you directly POST to a "mailto:".

Anyways, I just let my W32DASM do its job, and I quickly came to this
code snippet:


* Referenced by a Jump at Address:004054EF(C)
|
:0040557C 8D842404010000          lea eax, [esp + 00000104]
:00405583 6A0D                    push 0000000D

* Possible StringData Ref from Data Obj ->"registration="
					  ;^this was what I had
					  ;searched for
                                  |
:00405585 68C0224300              push 004322C0


... and here were several PAGES with really ugly-looking stuff, so I
didn't go into this further now... I planned to use my SoftIce later on...

when I ran into THIS:

:0040565D 7418                    je 00405677     ;jump OVER THE BAD_GUY

* Possible StringData Ref from Data Obj ->"Invalid registration code.  Please "
                                        ->"contact Greyware for assistance"
                                  |
:0040565F BE7C224300              mov esi, 0043227C
:00405664 8DBC2404020000          lea edi, [esp + 00000204]
:0040566B B910000000              mov ecx, 00000010
:00405670 F3                      repz
:00405671 A5                      movsd
:00405672 66A5                    movsw
:00405674 A4                      movsb
:00405675 EB5A                    jmp 004056D1

* Referenced by a  Jump at Address:0040565D(C)
|
:00405677 66A13C104300            mov ax, [0043103C]  ;jump lands here

* Possible StringData Ref from Data Obj ->"Comments"
                                  |
:0040567D 6830104300              push 00431030
:00405682 6689442414              mov [esp + 14], ax
:00405687 8D8C2488000000          lea ecx, [esp + 00000088]
:0040568E 8D442414                lea eax, [esp + 14]
:00405692 50                      push eax
:00405693 8D442418                lea eax, [esp + 18]
:00405697 50                      push eax
:00405698 8D44241C                lea eax, [esp + 1C]
:0040569C 50                      push eax
:0040569D 8D442420                lea eax, [esp + 20]
:004056A1 50                      push eax

* Possible StringData Ref from Data Obj ->"%software\Cla%s%se%s\GAP\%s\Info"
                                  |
:004056A2 680C104300              push 0043100C
:004056A7 51                      push ecx
:004056A8 E8DD130000              call 00406A8A
:004056AD 8D8C24A0000000          lea ecx, [esp + 000000A0]
:004056B4 83C41C                  add esp, 0000001C

* Possible StringData Ref from Data Obj ->"True"
                                  |
:004056B7 6854104300              push 00431054

* Possible StringData Ref from Data Obj ->"Registered"
                                  |
:004056BC 6840104300              push 00431040
:004056C1 51                      push ecx
:004056C2 6802000080              push 80000002
:004056C7 E814BEFFFF              call 004014E0
:004056CC 83C410                  add esp, 00000010
:004056CF EB08                    jmp 004056D9

now LOOK AT THIS!

"software/classes/GAP/Info"

hmm... sounds&looks like a registry key...
I looked into 
hkey_local_machine/software/classes/GAP/Info
(which is the same as hkey_classes_root/GAP/Info)
and saw a "Install Date"... now this turned out to be interesting...

"Registered","True"

now this sounds incredible. Could it be that...? Nah, I could not 
believe it... not even a shareware programmer could ever be SO dumb. 
But it was worth a try, so I got back to RegEdit and added a STRING 
named "Registered" to the key above...
The value was "True" (you guessed that, didn't you? ;-).......

believe it or not! IT WORKED. 
I ran comments.exe and it said "Registered copy".

So what did we learn?

Well, nothing new, just the old same story: 

1. NEVER think that they can't be so stupid... They are.
2. Before using SoftIce and working hard to trace the calculating
   routines etc., look into the executable and your disassembled text.


nothing more to say, I believe...

Regards, FanTC

   
(c) FanTC 1997. All rights reserved
You are deep inside fravia's page of reverse engineering, choose your way out:

Project 7
homepage links red anonymity +ORC students' essays academy database
tools cocktails antismut CGI-scripts search_forms mail_fravia
Is reverse engineering illegal?