Fravia: I'm not much one for contributing essays, but this has got to be the stupidest protection scheme I have ever come across. I cracked this program at work in under 3 minutes, breaking my previous record with QuickViewPlus 4.0 (a 5 or so minute BMSG approach done while on the phone... very expedient ;), and was so shocked by the poor programming in terms of security and in general that I had to stop using the program. I passed it on to another aspiring cracker and told him to crack it without w32dasm or Soft-Ice as an exercise...
Target: EnTray Version 1.3, by Ashkay R
EXE Size: 48.5 K
Zip File: 661.8 K
Distribution: Tucows (http://207.155.78.240/files/entray13.zip)

The protection scheme used on this software was so simple to defeat that I am embarrassed to even be writing about it; in fact it has so diminished my respect for the programmer that I cannot bring myself to even use the software anymore. And what software is this? It is EnTray, a program which, like TrayIcon, allows you to put any shortcut you like (for example, the Soft-Ice Symbol Loader or BaseCalc) on your TaskBar. It is shareware, and very easy to use... even easier to configure than TrayIcon.

The program is 48.5 K and comes with a 987K .dll file (mfc42.dll, hmmm, what could this have been written using-- Delphi? Pascal? No wait, I'll get it, hold on...) -- as far as I'm concerned, yet another reason to use "static" instead of "shared" libraries when compiling MFC (or any C++/VB) applications. There is no reason a program with a max size of maybe 100K should be distributed with over 1 MB of binary files. Every detail of an application is a clue as to how to crack it. I took the marriage of a 987K .dll with a 49K .exe to indicate that I would need neither Soft-Ice nor W32DASM. The biggest lesson to be gained from EnTray is to never make things more complicated than they need be.

Stage 1: Information gathering

EnTray comes with numerous help files in HTML format (another sign...); I only bothered to unzip REGN.HTM, in which the author states: "On receipt of your registration request, I will send you a registration program which you will need to run in order to register EnTray to your name. The registered version differs from the downloadable version in only two respects: The About Box does not appear on starting up EnTray and EnTray silently installs itself; The About Box (when you choose to bring it up) acknowledges that your copy of EnTray is licensed to you."

When you run EnTray, a small nag screen pops up telling you that the software is UNREGISTERED. The first thing that comes to mind is to kill the nag screen with a resource editor; but BRW gives an "Unknown File Format" error, and Symantec Resource Studio gives an "Invalid Bitmap Header" error-- probably due to calls in the MFC .dll. Next step: right-click on EnTray.exe and choose QuickView, scroll down to the Imports Section. Hmmm, MFC, MSVCRT (MS Visual C++ Runtime Library), Kernel, User, GDI, and... ah, ADVAPI32.DLL, infamous for its registry access calls. Sure enough, EnTray imports RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, and RegOpenKeyExA. Door #1 is therefore the 95 Registry.

Stage 2: Runtime Monitoring

The best thing to do when a program accesses the Registry is, of course, to run RegMon, which gives us the following output:

30435 OpenKey LOCAL\Software\Akshay\Entray\1.0 SUCCESS
30436 QueryValueEx LOCAL\Software\Akshay\Entray\1.0\REG NOT FOUND

This seems fairly straightforward: EnTray is looking for a value named "REG" in HKEY_LOCAL_MACHINE\Software\Akshay\Entray\1.0, and as the program is not registered it is not finding it. So using RegEdit, create a string value in the above key, name it REG and give it a value of 1 for "True". Restart EnTray... Bingo! No nag screen. Your product is now registered.

Stage 3: Disgust

Granted, this pretty weak protection scheme is for a program that was probably written more for personal use than for commercial distribution; I can accept that. But, the one criticism I will offer before deleting the program from my system: try at least to be less than obvious... if nothing else, DO NOT call the "magic registry key" REG -- call it MRU or WindowPos, or HCU, and put it in HKEY_CURRENT_CONFIG/Display/Settings or any other key that the system accesses frequently; the HKLM/Software key added by your program should only contain settings regarding user preferences and file locations, not the key to your whole protection scheme.

_m_m 1997: All rights reversed. Hail Eris!
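The Stage 2 check and the closing criticism, contrasted in code (an illustration added here, not EnTray's own code): a dict stands in for the values under HKLM\Software\Akshay\Entray\1.0, `weak_is_registered` reproduces the single REG flag the essay describes, and `make_license`/`mac_is_registered` are a hypothetical alternative in which the stored license is a keyed MAC over the registered name, so creating one string value no longer registers the product. The secret still has to live in the program, where a debugger or disassembler can reach it, so this only shows why a bare flag is the weakest possible design.

```python
import hmac
import hashlib

# Constructed stand-in for the values stored under
# HKLM\Software\Akshay\Entray\1.0: a dict instead of real registry calls,
# so the logic can be run anywhere.

def weak_is_registered(store: dict) -> bool:
    """EnTray-style check as the essay describes it: one value named REG
    decides everything, and anyone with RegEdit can create it."""
    return store.get("REG") == "1"

def make_license(secret: bytes, name: str) -> str:
    """What a hypothetical registration program would write: a keyed MAC
    over the registered name, so the stored data is tied to that name."""
    return hmac.new(secret, name.encode("utf-8"), hashlib.sha256).hexdigest()

def mac_is_registered(store: dict, secret: bytes) -> bool:
    """Hypothetical stronger check: NAME and LICENSE must both be present
    and LICENSE must be the MAC of NAME under the secret. A forged "1", or
    a license copied across to another name, fails."""
    name = store.get("NAME")
    lic = store.get("LICENSE")
    if not isinstance(name, str) or not isinstance(lic, str):
        return False
    expected = make_license(secret, name)
    # constant-time comparison so the check itself leaks nothing by timing
    return hmac.compare_digest(expected, lic)

# Constructed scenario: the essay's RegEdit "fix" against both checks.
SECRET = b"constructed-demo-secret"   # would have to ship inside the product
forged = {"REG": "1"}
genuine = {"NAME": "Example User",
           "LICENSE": make_license(SECRET, "Example User")}
tampered = {"NAME": "Someone Else",
            "LICENSE": make_license(SECRET, "Example User")}

if __name__ == "__main__":
    print("weak check, forged REG=1 :", weak_is_registered(forged))        # True
    print("MAC check,  forged REG=1 :", mac_is_registered(forged, SECRET))  # False
    print("MAC check,  genuine      :", mac_is_registered(genuine, SECRET)) # True
    print("MAC check,  name changed :", mac_is_registered(tampered, SECRET))# False
```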