Opera 3.21 reverse
by Ozymandias


Commented by +Malattia and Fravia+ (10 july 1998)

Here's a very good essay from Ozymandias, a guy who calls himself a beginner, but that IMO can be considered a REAL cracker yet: he shows that he studied cracking tutorials with attention and his essay seems easy to understand and well organized. Just a few words about the program: if you haven't tried it yet, DOWNLOAD IT IMMEDIATELY at http://www.operasoftware.com and LEARN how programs should be done! And, of course, if you like it... PAY for it!
The comments above are +Malattia's own, I agree completely. I read this small essay on +Malattia's good page and I liked it. I believe that we should spread Opera much more, and I think this essay will help. I would also propose to the Opera boys that WE write a good protection for them. The miserable way they protect their good software means that they won't be able to scare even a newbie. Therefore, if Operasoftware wishes it, we may help building a better protection scheme for their fantastic browser (not a perfect protection scheme, that cannot exist of course, a BETTER protection scheme). I hope that many other +hcukers will help
Enjoy this nice essay by Ozymandias and enjoy Opera, the BEST browser of this planet by far! BTW, I have added a small addition at the bottom.

  
At any rate, as I said, this may be too simple; it is my first  
"unassisted" reverse, and took me a total of three hours (two minutes, 
therefore, for someone more practiced, I'm sure.) Still, it is not for  
your education, but rather for the education of other poor lost souls  
like myself... or more accurately, as I was before finding Fravia+ and  
the HCU...  

Ozymandias Target: Opera 3.21 Protection: 30-day-trial Tools: Wdasm 8.9 HeD v1.78b Borland Resources Workshop 4.5 UltraEdit-32 5.10a This is a very simple little reverse, it is the first program I have ever done without the assistance of an essay of some sort. The protection is very simple - I expected it to be much harder to reverse, but decided to give it a try anyway. I used the software for a few days before attempting to reverse it, writing down any text I felt was relevant; although I have learned a great deal of Soft-Ice, as yet I am more comfortable with the dead listing approaches. Go through Fravia+'s "Cracking for Dummies" series (all two lessons) for a quick intro to this approach. First thing I did was to make a backup copy. Then I made another backup to save myself some time. While I set Wdasm to work on one copy, I opened the other in BRW. There are a ton of stringtables in there, and not all of them are caught by Wdasm. By searching through the stringtables, I found the following "relevant" codes: Stringtable References: 20092 - "Opera 3.21 - Evaluation" ;This is the title of the program ;when unregistered 20095 - "This evaluation copy of Opera has expired..." ;and so on, ;self explanatory 20099 - "Invalid Registration code" ;also self explanatory 21106 - "Please enter both name and organization" ;this seems pretty ;simple - remember ;it, we'll see it ;again 21107 - "Could not open registration file" ;a mystery - this string ;is never used 21110 - "Opera 3.21" ;This is the "good" version of the first string 21425 - "Your timed evaluation has %i days left..." ;another obvious one 32888 - "This is a restricted version of Opera..." ;another mystery 32889 - "This evaluation copy has expired" ;obvious By the time I had searched through the entire stringtable (it's really large) Wdasm had finished decompiling. I saved a text file of it and pulled it up in UlraEdit, where I began my search. Because this is a beginner's essay (both on this end and the receiving end) I will go through some of the more tedious steps that I went through rather than just skipping to the end. Although I "fished" for all the strings listed above, the only ones that proved to be really useful were the "Please enter both name and organization" string and the "Invalid Registration code" string. The reason will become apparent as you fish for the others. Opera has a process set aside to draw the error boxes: finding it does you no good, as there are several hundred dummy calls to the routine. You can't backtrace your way through the call, so the strings don't get you anywhere. EXCEPT for these two error messages. Opera displays the first message when you attempt to register the software without a user name or organization. The important part for us is that this error message is stored in the registration routine itself, NOT in the process with the other codes. As far as I can understand it, the problem is that the registration routine cannot run without the name and organization; without the reg routine, the proper flags don't go into place, and the screen-drawing routine can't run properly. But that's not important. The second message is stored just before the end of the registration routine. It seems that when you are unregistered, instead of returning a "bad" flag it simply continues through the routine, making it appear that this is not the reg routine itself. Here's the routine as disassembled by Wdasm with my own comments on the right: * Referenced by a CALL at Address: |:00477D6B | ;This is the registration sub :0044AC2A 55 push ebp :0044AC2B 8BEC mov epb, esp there are several lines of code, then the first je: :0044AC31 8BF1 mov esi, ecx :0044AC33 397DOC cmp dword ptr [ebp+0C], edi :0044AC36 0F842A010000 je 0044AD66 ;This jumps to the error ;message As you scroll down the call, there are several of these je's, all preceded by the same pattern - a mov statement, a cmp, and the je. All of them go to this error message. But down at the very bottom there are two other jumps; look closely, just before the bad message, is a series of calls, followed by the same mov and cmp pattern we saw all through this routine - but reversed. And then there's one more call, and finally a "test eax, eax" statement, followed by the familiar conditional jump - but this time, it's a jne. And after looking more closely, we see that it doesn't go to the same place as the others - 44AD3D instead of 44AD66. And then there's another je, to another spot in the same routine - where the "bad guy" message is displayed. The jne jump is out of pattern, so let's see where it goes. Hmmm... another subroutine. How dull. But the final jump is to the screen drawing routine. Let's see - if we force the jump to this routine, do we get regged? Well, let's switch it. Line :0044AD0B 7530 jne 0044AD3D. Hunt it up in HeD (search for FF B6 C8 06 00 00 first, then search for 7530 - it's easier that way.) Let's change this jne to a jmp, by changing it from 75 30 to EB 30. Same jump, but now it's forced... We load up Opera, type in a name and an org, some random number in the reg box, and click register. The box vanishes, and away we go. No error messages. But is it really regged? Close Opera. Open it again. ARRRRGH! That same box! Wailing and gnashing of teeth ensues... But wait. We know that should be the right routine (alright, OK, I cheated - I pulled a valid reg from a friend and used it to see if there was a "Thank you" type screen if we register. There isn't.) So why isn't it completing the registration process? As it happens, this would PROBABLY work; you would just be annoyed a lot. But this is a dirty reverse, not up to our high standards. Let's look again... Well, what about these calls? Where do they go? Let's find out... Go back into the code. Trace back to the last call before that jne we changed. There it is, :0044AD04 E84B010000 call 0044AE54. Let's dig... This call is deep and convoluted. I followed all the calls tracing out what it did, and there are at least two points where things get to be 4 calls deep. What IS all this? Well, only 4 registers really change - and only one, eax, is tested when we return. Where does eax change for the last time? Don't look too hard - at the very end of the top routine, there is the following code sequence: :0044AEA0 7405 je 044AEA7 ;jump to ret :0044AEA2 6A01 push 00000001 ;put 1 on the top of the ;stack :0044AEA4 58 pop eax ;pull the top of the ;stack - 1 - into eax :0044AEA5 eb02 jmp 0044AEA9 ;jump to ret :0044AEA7 33C0 xor eax,eax ;zeroes eax = BAD FLAG! :0044AEA9 5E pop esi :0044AEAA C9 leave :0044AEAB C20400 ret 0004 That's it. After all that run around, the flag is a 1 in the eax reg. There are dozens of ways to reverse it; I chose a 4 byte reverse that was very easy to do... I selected the very first jump in the call, this one here... :0044AE60 7445 je 0044AEA7 Originally, this was a test for a bad flag, so I could just reverse it - make it a jne - along with every other conditional jump. That would work, but there are dozens of calls. So instead, I redirected it, as follows... :0044AE60 EB40 jmp 0044AEA2 As you can see, I made it a jmp, so it ALWAYS follows the jump - even if I put in a correct code, an incorrect code, or no code at all - and I shortened the offset to put it right on the "push" statement above. That way, we get the "good guy" flag, the rest of the routine runs normally, and we got no troubles, no worries... I just want to throw in a "Thank you" to Fravia+, +Gthorne, all the +HCUkers, and, of course, +ORC... questions, comments, death threats, suggestions can all be sent to kofk(at)usa(dot)net, they'll eventually reach me, after being bounced around a few times. On second thought, send the death threats to Bill@Micro$oft.com... he deserves them more than I do... Ozymandias

(c) Ozymandias 1998.
WARNING: this tutorial is published for EDUCATIONAL PURPOSES only! Nobody except you is responsible for what you do with the things you read here. Also, if you intend to use shareware programs for a period longer than the allowed one remember that you have to BUY them!
A small addition, by Fravia+, 17 July 1998
Well, I use a french version of Opera 3.21, and I have noticed that the same scheme is still used, albeit in different locations:
:0044AB07 55                      push ebp
:0044AB08 8BEC                    mov ebp, esp
:0044AB0A 83EC10                  sub esp, 00000010
:0044AB0D 56                      push esi
:0044AB0E 8B7508                  mov esi, dword ptr [ebp+08] ;; see if param=0
:0044AB11 85F6                    test esi, esi               ;; if zero then bad luser
:0044AB13 7445                    je 0044AB5A   ;; ** this is Ozymandias' jump, just patch it
:0044AB15 56                      push esi	;;    to jmp :0044AB55 and get a good flag
:0044AB16 E835910700              call 004C3C50
...
:0044AB45 7513                    jne 0044AB5A ;; ax=1? --> bad luser
:0044AB47 0FBE06                  movsx eax, byte ptr [esi]
:0044AB4A 50                      push eax
:0044AB4B E8E09A0700              call 004C4630
:0044AB50 85C0                    test eax, eax
:0044AB52 59                      pop ecx
:0044AB53 7405                    je 0044AB5A   ;; ax=0? --> bad luser
:0044AB55 6A01                    push 00000001 ;; good registered hero
:0044AB57 58                      pop eax	;; flag popped in ax
:0044AB58 EB02                    jmp 0044AB5C

* Referenced by a Jump at Addresses:0044AB13(C), :0044AB1F(C), :0044AB45(C), :x0044AB53(C)
|
:0044AB5A 33C0                    xor eax, eax  ;; bad luser flag in ax

* Referenced by a Jump at Address:0044AB58(U)
|
:0044AB5C 5E                      pop esi
:0044AB5D C9                      leave
:0044AB5E C20400                  ret 0004	;; back to caller
... so, there you're, use Opera, reverse it black and blue, but then REGISTER YOUR COPY! Those guys that developed this juwel and are bravely fighting against the browsersaurii deserve it! (And yes, I did register my cracked copy... see mal eine an!)
You are deep inside Fravia's page of reverse engineering, choose your way out:
redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_Fravia
redIs reverse engineering legal?