neto_03.htm HTMLPad: A nasty protection

	HTMLPad A nasty protection	Our Protections
25 July 1998	by Miguel Neto
	Courtesy of Fravia's page of reverse engineering	slightly edited by fravia+
fra_00xx 980725 MiguelNeto 0100 OP PC	"Sorry. You'll have to crack the code again. In the mean time you can fix the little presents that are going to be left on your machine!" Well, my first natural reaction, like that of Miguel Neto, was of anger against Intermania (Portland, Oregon) and its product (HTMLPad, version 2.6), yet, come to think of it inside the perspective of the 'larger scheme of things', this is actually not a bad idea at all for a (lame but working) protection scheme. In fact no 'real' cracker would have any difficulty in cracking any protection scheme, however complex, therefore concentrating on 'heavy' protection schemes does not make much sense. See: shareware authors are not loosing money because a couple of dozens of real crackers, out there, study (or even explain to other 'studiosi') their protection schemes, they are loosing money because million of morons, that would not understand what a byte is if it come out of the screen in order to bite them, use ready made patches (made by some real cracker of the darker side) in order to steal software. Therefore it makes A LOT of sense to concnetrate in punishing the lusers, since outsmarting the crackers is much too difficult for programmers that have drunk too much visual basic and too few assembly. This kind of protection schemes (I have seen other on the same lines) are patently directed against all those morons that seek ready-made cracks and use them in order to steal targets Anyway why should we care? We are NOT friends of the luser little thieves, are we? So I reckon that this is actually a pretty good idea and easy to implement: 1) Release your soft with dummy cracker/password couples and a simple protection scheme that is ready to wreak havoc inside the luser's machine. 2) A couple of weeks later, if your soft is worth something (a very big if most of the time) you'll find a dozen of ready made cracks on any warez site. 3) Release a second version of your soft that has this time 'real' cracker/password couples and screw up the lusers' machines. Not bad: I like it! (You may also find very useful -along similar protection lines- to read Ghiribizzo's ideas about a 'later implemented' part of the serial number). BTW: does really exist a cracker "thatguy"? Or did they mean 'thatdude'? Or did they purposely seed some ready made cracks with name 'thatguy'? Who knows?
	There is a crack, a crack in everything That's how the light gets in
Rating	()Beginner (x)Intermediate ( )Advanced ( )Expert

This essay will show you how to deprotect HPAD, a nag and function disabled protected program

HTMLPad
A nasty protection
Written by Miguel Neto

Introduction

Hi, it's me again. This protection is slightly more difficult than the ones I tackled in my former essays, so, in order to spare you (and me) some time, I'll try to avoid the usual jokes (fravia+ cuts most of them off anyway :-)

The target you will need for this cracking session is called HTMLPad, it is a nice web-design utility. Basically, it provides shortctus for the HTML tags; You have more control over the HTML code than if you used a standard editor, but you don't loose as much time as if you wrote the code with UltraEdit.

Tools required

Wdasm
Soft-Ice
Your Favourite HexEditor

Essay

First of all, install the target. Play with it a little. All done? ok. If you've read, as you should, the help files, you will notice that we already have this shareware limitations listed. Here is the snippet from that file:

HTMLpad Registration

By purchasing HTMLpad and registering your copy, you will be entitled to additional benefits such as:

Not seeing the friendly shareware reminder message anymore.
Unlock the Custom Update Stamp feature under the options dialog
Automatic notification of updates and new releases
Discounts on future releases
Extended Technical Support

Our task will be to remove the first 2 limitations: the nag and the 
crippling lock.

The target's weak points, which you should be able to identify after playing 
a few minutes with this program, are the following:

1) The Option to Register
2) The "Registered to" String in the about box
3) The Nag Itself

Let's try to stalk the first one; 

Disassembling the target and searching for the invalid reg code
error message, you will land here (some code has been removed in 
order to spare you dw time:

:0046511E E8D1900000              call 0046E1F4
:00465123 3C01                    cmp al, 01
:00465125 7517                    jne 0046513E
(...)

* StringData Ref from Code Obj ->"Thank you for registering HTMLpad! "
                               ->"Keep the registration number in "
                               ->"a safe place in case you need "
                               ->"it at a later date."
                                  |
:00465132 B8E4514600              mov eax, 004651E4
:00465137 E8E484FDFF              call 0043D620
:0046513C EB1C                    jmp 0046515A

* Referenced by a  Jump at Address: 00465125(C)
|
:0046513E 8BC3                    mov eax, ebx
(..)
* StringData Ref from Code Obj ->"You have entered an invalid 
        			      "registration number."
                                  |
:00465150 B864524600              mov eax, 00465264

Bottom line, if after the call at 46511E al is 1 we are registered. 
Of course, if you nop the jne at 465125, you will get a thank you
message, but you will still be unregistered. But let's see where 
else is 46E1F4 called from...

* Referenced by a CALL at Addresses:004610C9, :00464D90, :0046511E, :00473294   
|
:0046E1F4 E803000000              call 0046E1FC
:0046E1F9 C3                      ret

I reckon that it is the first time that I see a call such as this one, 
but nevermind, let's go on. We must now inspect the locations that call
our 6E1F4... I didn't find the code at 610C9 very interesting, you can
and should check for yourself ofcourse... However, at 64D90 we see
this:

:00464D90 E85F940000              call 0046E1F4
:00464D95 84C0                    test al, al
:00464D97 745C                    je 00464DF5
(...)
* Possible StringData Ref from Code Obj ->"UNREGISTERED"
                                  |
:00464DF5 BA8C4E4600              mov edx, 00464E8C
 
If after the call, al is 0, we are REGISTERED TO UNREGISTERED.
Otherwise, the application will get our name from the registry (see 
your own dead listing, I didn't want to overcode this essay) and print 
it instead of UNREGISTERED. So, once again, if the al flag is 1, our 
reg code has been accepted and we will nolonger be "unregistered". But 
that is not all...
In Soft-Ice, set a breakpoint at 46E1F4. Now click on "About HTML PAD"
Soft-Ice will bang, confirming our speculations. 
Now click on Register. Soft-Ice pops up again.
Finally, click on Options (one of them was locked, remember?). Soft-Ice
will pop up once more. So, Now, if you change the instruction at 4610C9
from

call 46e1f4 

to, say

mov al, 00
inc al
jmp 46e1f9

You will take care of all of this target's limits *but* the nag. 

Why? Rememeber that I was surprised that all 6E1F4 did was to call
6E1FC? Why not call 46E1FC in the first place, thus saving a lot
of bytes? (Compiler constraints... you'll find the same pattern at 
73C3C, 7DF2C and 812D4 for instance) In anycase, this means that calling 
6E1F4 has exactly the same effect as calling 6E1FC; so maybe some 
limits call the latter instead of the former... Just to make sure, set
a breakpoint on 46E1FC in Soft-Ice. Now insert a few scripts (this will
make the nag appear). Bingo! Soft-Ice pops up! Press F12 and what do you
know...
Here is what you get:

:00480CEC E80BD5FEFF              call 0046E1FC
:00480CF1 84C0                    test al, al
:00480CF3 7507                    jne 00480CFC
  
You just have to change that jne to jmp and you will never see the nag
again.
However, that makes a lot of changes, and since the only thing that
matters is to get flag 1 at al at the end of the call, we might as 
well just patch the former. 
The boys at intermania have realised this: inside this huge call,
we can admire the following snippet:

* StringData Ref from Code Obj ->"thatguy"
                                  |
:0046E28D BA20E44600              mov edx, 0046E420
:0046E292 E8C959F9FF              call 00403C60
:0046E297 7528                    jne 0046E2C1
:0046E299 6A00                    push 00000000
:0046E29B 668B0D28E44600          mov cx, word ptr [0046E428]
:0046E2A2 B202                    mov dl, 02

* StringData Ref from Code Obj ->"Sorry.  You'll have to crack the "
                                        ->"code again.  In the mean time "
                                        ->"you can fix the little presents "
                                        ->"that are going to be left on your "
                                        ->"machine!"

Pathetic! To put this at the sight of everyone TENTHS of bytes before the end of the call, giving us all the room we want to patch. I suppose intermaniacs think they are funny... They are morons... I won't even bother to make fun of them, humour is a powerful weapon, but it can only hurt those who have a minimum sense of *pride*, which is not the case of the Intermania programmers... You guys don't deserve my respect... Not knowing how to program is one thing, but trying to #$%&/!up my machine and NOT doing it right is an insult to my intelligence... You can thank the fact that +we are not crackers of the dark side, else you would be bankrupt before you could say "censorship"!

Anyway, let's finish this:

Since the end of the call is as follows:


:0046E3BC 8BC3                    mov eax, ebx
:0046E3BE 5E                      pop esi
:0046E3BF 5B                      pop ebx
:0046E3C0 8BE5                    mov esp, ebp
:0046E3C2 5D                      pop ebp
:0046E3C3 C3                      ret

Anyone that cares would just need to change

:0046E3BC 8BC3                    mov eax, ebx

to 

:0046E3BC B001                    mov al, 01

And there you go, you are fully registered. Of course, if you want to be registered with a chosen name (for instance 'thatguy' :-) you have to first make these changes in memory just before you enter your chosen name and chosen bogus code, then close the program, patch it, and rerun.
Alternatively, of course, you could also make the changes later, directly inside the registry (the dead listing will show you where :-)

Final Notes

I hope all this didn't sound too confusing, if you have any doubts or comments please send them to mneto@bigfoot.com (me)

Ob Duh

I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged (just watch it in this case :-)... farewell.

You are deep inside fravia's page of reverse engineering, choose your way out:

links

Is reverse engineering legal?

This page was last updated on 21-07-98 20:12 using HTMLpad. "