PhotoShop 5.0 / Digimarc 1.6.82
Commercial stupidity is alive & well
stupid
Most stupid protections award
29 June 1998
by XaVaX
Courtesy of Fravia's page of reverse engineering
slightly edited
by fravia+
fra_00xx
980629
XaVaX
1100
NA
PC
See: commercial stupidity, as usual... when will they learn it? Internet DOES NOT work like that... it does not make any sense to develop stupid protection schemes alone in your little provincial corner... silly limuted 'regionalism' (as usual: this is also valid in all political, linguistical and cultural fields) is doomed to catastrophic petty results!
Learn to exploit the "non-commercial" HUGE power of the web! You should propose a project and let hundred UNKNOWN people make you (effective and valid) proposals for free... thattaway you would get hundred different and valid protection schemes instead of the crap that you have "developed" (if you really want to call it 'developing') all alone by yourself inside your little premises with your -commercially lobotomized- little programmers... Read the following, stupid commercial oriented protectors & silly commercial oriented gullible clients... when will you learn it?
There is a crack, a crack in everything That's how the light gets in
Rating
( )Beginner (x)Intermediate ( )Advanced ( )Expert

Yet another example of artificial intelligence being no match for natural stupidity.
PhotoShop 5.0 / Digimarc 1.6.82

Written by XaVaX


Introduction

This is an addendum to the excellent essay by Frog's Print (frogdigi.htm) of 6/8/97
concerning the weakness of the protection applied to the Digimarc watermarking plug-in
supplied with PhotoShop 4.0.  As you will see, things have not changed much in the
latest release included with PhotoShop 5.0.


Tools required
SoftIce 3.22 (what else?)
W32DSM89
Hex WorkShop

Target's URL/FTP
http://www.digimarc.com

Program History
To keep this as short as possible I'll refer you to the essay by Frog's Print on a previous version of Digimarc for a detailed description - you can find it in the essays section on this site (6/8/97).

Essay
The file used by the Digimarc system for creating a watermark is digisign.8BF (a DLL)
and it is to be found in \plug-ins\digimarc under photoshop5.
The creator ID and password are stored in digimarc.ini in the same directory.
After reading the essay by Frog's Print on the previous version, I decided to 
see if the programmers had learnt anything since as digisign.8BF has grown
from 128 kB to 230 kB in version 1.6.82 - not much, it seems!
Run Photoshop.EXE, open an image and select FILTER/DIGIMARC/EMBED WATERMARK
We're presented with a dialog box which shows the 'Creator ID' as 'Picturemark
Demo' and an adjacent 'Configure' button.  Clicking the button shows a 'Change 
Creator ID' dialog box with 2 edit boxes. The first edit box accepts 2 digits 
and the second accepts up to 8 digits. From examination of the code, acceptable 
numbers are 10101 or >=100000 for the larger entry.
GetDlgItemTextA is called for every entered digit so I went 'fishing' and found
GetDlgItemInt to be a more expedient breakpoint to get into the main part of
the number verification routine after a short period of tracing via softice.

So - BPX GetDlgItemInt and enter a number eg 11-111111
Click OK and softice pops up but not quite where we want to be so CTL-D and we 
get to this interesting block of code on the second pop:
(F12 to get back to the Digisign DLL)
:10014AB1 FFD7                    call edi		;the GetDlgItemInt call
:10014AB3 8BF8                    mov edi, eax		;the hex equivalent of our number
:10014AB5 8D842418010000          lea eax, dword ptr [esp+00000118]
:10014ABC 57                      push edi
:10014ABD 6848A20210              push 1002A248		;ie valid characters etc
:10014AC2 50                      push eax
:10014AC3 E8AE290000              Call 10017476		;lots of checks on our entry
:10014AC8 83C40C                  add esp, 0000000C
:10014ACB 8D4C2410                lea ecx, dword ptr [esp+10]
:10014ACF 55                      push ebp
:10014AD0 6848A20210              push 1002A248
:10014AD5 51                      push ecx
:10014AD6 E89B290000              Call 10017476		;ie valid characters etc
:10014ADB 8B460C                  mov eax, dword ptr [esi+0C]
:10014ADE 8B0E                    mov ecx, dword ptr [esi]
:10014AE0 83C40C                  add esp, 0000000C
:10014AE3 8D542410                lea edx, dword ptr [esp+10]
:10014AE7 8B4920                  mov ecx, dword ptr [ecx+20]
:10014AEA 85C0                    test eax, eax
:10014AEC 8D842418010000          lea eax, dword ptr [esp+00000118]
:10014AF3 52                      push edx
:10014AF4 50                      push eax
:10014AF5 7507                    jne 10014AFE
:10014AF7 E8040FFFFF              call 10005A00 	;THE REAL VALIDITY TEST
:10014AFC EB05                    jmp 10014B03
:10014AFE E83D0AFFFF              call 10005540
:10014B03 85C0                    test eax, eax		;EAX must be non-zero
:10014B05 744F                    je 10014B56		;*** blast this
:10014B07 85ED                    test ebp, ebp		;EBP must be non-zero
:10014B09 744B                    je 10014B56		;*** blast this
:10014B0B 85FF                    test edi, edi		;EDI must be non-zero
:10014B0D 7447                    je 10014B56		;*** blast this
:10014B0F 8B460C                  mov eax, dword ptr [esi+0C]
:10014B12 85C0                    test eax, eax
:10014B14 7520                    jne 10014B36		;*** blast this for good measure
:10014B16 8B5608                  mov edx, dword ptr [esi+08]
:10014B19 6A01                    push 00000001
:10014B1B 53                      push ebx
:10014B1C 897A44                  mov dword ptr [edx+44], edi
:10014B1F FF154C810110            Call dword ptr [1001814C]

With the indicated mods, going through the configure option again with any number
entry will create an entry in the digimarc.ini file.
We may expect some check to be done on this data at a later time to keep the 
'bad guys' locked out but this is not so - we now have our own watermark ID 
which can be changed anytime and as often as we like.
(Obviously this is of no real value to anyone as there is no corresponding
entry in the database maintained by Digimarc for registered users)

This was such a non-event that I went on to have a look at the possibility of 
changing the watermark already embedded in a picture (by a registered Creator 
of course)
In very little time with the aid of softice and W32DSM I isolated the following:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10007500(C)
|
:1000767E FF10                    call dword ptr [eax]
:10007680 8B442414                mov eax, dword ptr [esp+14]
:10007684 83F801                  cmp eax, 00000001
:10007687 7495                    je 1000761E		;*** blast this
:10007689 83F802                  cmp eax, 00000002
:1000768C 7490                    je 1000761E		;*** and this
:1000768E 8B442424                mov eax, dword ptr [esp+24]
:10007692 C744241446000000        mov [esp+14], 00000046
:1000769A 85C0                    test eax, eax
:1000769C 7408                    je 100076A6
:1000769E C744241428000000        mov [esp+14], 00000028

Making these changes will allow a previously watermarked picture to be
watermarked again with a different Creator ID and URL, options etc

Where is the security for those who have paid for this technology?




Final Notes

In defense of Digimarc, private individuals can obtain for free a valid ID number
for their own use in watermarking their own creations.  
Corporate users pay an annual fee of $99 US and receive support in tracking their
art on the net as well as other services.
This is quite reasonable except for the fact that the miserable protection on 
this clever technology makes it absolutely worthless for anyone expecting some 
security for their creations.  


Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.

You are deep inside fravia's page of reverse engineering, choose your way out:

redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_fravia+
redIs reverse engineering legal?