BEGINNERS: Awesome AW: MOST STUPID PROTECTION OF THE YEAR 1997!
Hardcoded and unencrypted registration codes: a touristic tour for beginners

most stupid
Most stupid protection 1997

by Tristan

(31 December 1997, heavily edited by Fravia+)
Courtesy of Fravia's page of reverse engineering

Well, Tristan is a beginner turned cracker, that has found a protection really stupid indeed. In fact so 'blöd', that I would suggest assigning -in this very last day of the year- the award of MOST STUPID PROTECTION SCHEME 1997 to cyberspace.hq for their Add Web 1.23
Note that already the idea to make a special software application in order to automatically register a site by search engines is pretty stupid (and inehrently bogus) in itself, as anyone that knows a little 'searchengining' knows.
So my compliments to cyberspace.hq: I doubt that you could find anywhere on the Web a more utterly stupid and ridicolous protection scheme (yet I'm not betting much on that: it would not wonder me at all if this would happen :-) 
Awesome AW: MOST STUPID PROTECTION OF THE YEAR 1997!


Hardcoded and unencrypted registration codes: a touristic tour for 
beginners

by Tristan


Hi all from the +HCU, and especially +ORC for his tutorials and his 
followers who made them accessible to us. 
A few words before I start with the real essay. 
I started to learn cracking only one year ago, but in a first phase 
I only followed the evolution of our techniques reading essays and 
trying out ready made cracks. 
After a long period of researches, I began to reverse on my own. 
I found a lot of incredible easy protection schemes, and I can only 
encorage anyone reading this that has not yet done it, maybe scared 
by the 'advanced stuff', to start cracking on his own.
In fact I don't understand why the cuckoo I didn't started to crack 
earlier myself. 
I have an advice for beginners and an incredibly stupid protection 
scheme to report. My advice is "really, newbies, try your hand! 
You can only learn, and there is no way you would loose against 
such feeble protection schemes as the ones I found until now". 
And the subject of this essay is related to this advice: I found 
a mighty candidate for the "most stupid protection" award.

Awesome AW: an example of an Incredibly Stupid Protection Scheme

The target is Add Web 1.23 from cyberspace hq.
You can download it from www.download.com or from its web page at 
http://www.cyberspacehq.com/home.htm, else (as soon as they will 
take it away :-) you'll of course find any current or previous 
version of it elsewhere on the web, if you have learned how to 
search.

First you should research a little: study the target. You will then 
see that there exist three different versions of Add Web. 
The first is the one you get after installation, without registering. 
Yeah you guessed it: it's the 'unregistered version' which permits 
you to register your home page at 10 search engines. 
The next, higher, version is the 'registered version' which allows 
you to register your home page at about 355 search engines (well 
quite a lot too many, I think, since there are only a couple of 
dozens of really important search engines, most of the others are 
just pilfered 'bogus' subsets).
Last but not least there is a 'gold registered version' which allows 
you the following:
"The GOLD version adds the ability for you to customize 
the report headers and footers, and allows you to edit 
the text in e-mail reports."
I pasted it from the Add Web Help file, because I couldn't remember
it after having closed the Help file. The two 'registered' Versions 
can be accessed by simple Registration number inputs.
Ohh and another aspect shouldn't be left out:
the price of this program:
 
Pricing:

Version        Price
====================
Standard      $49.00
Gold          $89.00  

Huuh $89? Quite a lot for this software! I think the whole Win95 
isn't so expensive (which on the other hand is quite understandable 
seen how buggy it is). 
And now you think: borabora! If the target is so expensive, then it 
will have a nearly uncrackable protection scheme. 

Let's see: here follows the crack:

First approach:

I opened the file addweb.exe (by the way 732.160 bytes long) with 
Wdasm 8.9. And now I looked for relevant strings like 'now registered' 
or 'sorry this was a bad reg. number' (Just like +Orc and all his 
students told us). And there comes the funny Part:
I found string references like this:

"AW21-JH8WFHB-84EWFW8"
"AW23-JH843H8-8426298"
"AW98-2J882DB-JW01192"
"AWD8-362HF83-8EHE532"
"AWE1-F373736-UJU8376"
"AWGD-WDWD824-4962345"
"AWGE-DWE837A-FE97438"
...and a lot more

Hmm what do you think are these strings? Well for me they don't look like Error 
Messages, so what could they be then? Why not encoded registration numbers.
Well yes but why are they encoded thattaway? 
Or could it be that...? No, it can't be! Would be too easy!
0r perhaps they are really blank registration keys? 
Pahh! Too simple (but worth a try nevertheless...)

And so I entered one of these numbers, just to see what nasty message I would have 
got and I could noy believe my eyes: Bingo! There comes the happy message: 
'Thanks for your 49 (or 89) dollars'... for a registration number which isn't 
even encoded! A shame! Puah! This "crack" took me two minutes ,without any 
working with my brain.

Well, the crack isn't already done, because i said to you that there are two 
kind of registration: the normal and the gold one. 
Looking at the About Box told me that I registered for a normal version. 
So i decided to have a 'zen' look at the hardcoded registration codes 
above.

A small 'zen cracking' exercise


Do it NOW, before reading the following, is a (very very tiny) 'zen cracking' 
exercise :-)
Look at the registration codes above! You dig it?



Hope you tried for yourself instead of just reading on. It's (once more) so 
easy I could cry! The following applies:

- All registration numbers start with AW (Gosh, could it possibly be a 
  contraction of AddWeb? :-)
- all gold versions registration numbers begin with G after AW (G for Gold 
  how original... hmm... do you see a simile?)
- all other reg. numbers which don't have a G are normal versions
now go and have a look yourself if you don't believe me, it's so stupid that 
it's zum kotzen.

Second approach:

Why should we use a registration ready made number? Let us transform it into a 
real crack, as it should be if the programmers would not have been so stupid.
Starting Wdasm again we search the strings until we land to the position of 
one of the registration numbers above, as soon as you land there the code 
will look, for example, like the following snippet:


* Referenced by a Jump at Address:045A459(C)
|
:045A495 8B831C050000         mov eax, dword ptr [ebx+0000051C]

* StringData Ref from Code Obj ->"AW25-7JREG7C-3H1EG54"  <-this is our reg, code "..class" tppabs="http://Fravia.org/..class" | (one of the normal version) :045A49B BA68AB4500 mov edx, 0045AB68 <-pass as parameter in edx :045A4A0 E85792FAFF call 004036FC <-compare entered reg code :045A4A5 753A jne 0045A4E1 <-reg code wrong: evil jump :045A4A7 C6831305000001 mov byte ptr [ebx+513], 01 <-goodcode : flag one here :045A4AE C6831105000000 mov byte ptr [ebx+511], 00 <-good: flag zero here Watch it! :045A4B5 66B91F00 mov cx, 001F <-Parameters for the... :045A4B9 66BA0C00 mov dx, 000C <-...following... :045A4BD 66B86300 mov ax, 0063 <-...call :045A4C1 E872C4FAFF call 00406938 <-In this call the reg. Code is saved :045A4C6 DD9B14050000 fstp qword ptr [ebx+514] ...in our Win95 registry I think :045A4CC 9B wait :045A4CD C7832805000001000000 mov dword ptr [ebx+528], 1 <-More flags like expiration dates :045A4D7 C7832C050000D0070000 mov dword ptr [ebx+52C], 7D0 <-and the year 2000 * Referenced by a Jump at Address:045A4A5(C) | :045A4E1 8B831C050000 mov eax, dword ptr [ebx+51C] * StringData Ref from Code Obj>"AWGM-MCC77WA-G55WGS5" <-reg. code "for.class" tppabs="http://Fravia.org/for.class" a gold version | :045A4E7 BA88AB4500 mov edx, 0045AB88 :045A4EC E80B92FAFF call 004036FC <-Again the comparison :045A4F1 753A jne 0045A52D <-And again a jump if it is wrong :045A4F3 C6831305000001 mov byte ptr [ebx+513], 01 <-Now the flags registered if 1 :045A4FA C6831105000001 mov byte ptr [ebx+511], 01 <-Normal or gold? Gold please. :045A501 66B91F00 mov cx, 001F All what now follows is the same like above :045A505 66BA0A00 mov dx, 000A :045A509 66B86200 mov ax, 0062 :045A50D E826C4FAFF call 00406938 :045A512 DD9B14050000 fstp qword ptr [ebx+514] :045A518 9B wait :045A519 C783280500000B000000 mov dword ptr [ebx+528], B :045A523 C7832C050000CE070000 mov dword ptr [ebx+52C], 7CE <-Only 1998 for goldy? Now come my two solution for this to crack: First decide if you want to get a normal version or a gold version of this crap, just for the sake of it. For a normal version take the location of the jne at :0045A4A5 and for the gold the jne at :0045A4F1 Now another decision, regarding the evil jump: Nop out or turn around? The first solution would turn 753A to 9090 (see below about nopping) and the second would turn 753A to 743A (75="jne" 74="je)" (The second solution has one flaw: if you entered the valid reg. number then the evil jump would be done :-) Since plane 0x90 noppîng (as +ORC teached us) could eventually trigger a protectionist 'bait' (it won't of course happen here with such doof programers, but let's say we are paranoid for the sake of it), and we are scared that one day the most stupid protection will turn out being in the reality- the most clever cracker's bait around (protectionists, are you reading this?), which will destroy our harddisk and our screen (yes, you can destroy a screen through software, it's great fun for some viri :-) as soon as we nop two bytes with the ubiquitous 0x90... well, so here is the "elegant nopping table" for you:
elegant nopping: two bytes nopping: basic

inc ax         40	1000000
dec ax         48 	1001000
 - - ~ - -
inc bx         43       1000011
dec bx         4B	1001011
 - - ~ - -
inc cx         41	1000001
dec cx         44	1000100
 - - ~ - -
inc dx         42	1000010
dec dx         4A	1001010

Of course there are also 4 bytes nops, like FEC0 inc al and FEC8 dec al. The 
more you study opcodes the more you see that you can crack 'secret' intel 
opcodes as well, it's just like cracking software!

Final hint: 
            If you want to re-obtain your own copy of Add Web unregistered 
            then start regedit from win95 and search for AddWeb. 
            In the sub dir Init you find the entry RegNum which, after 
            deletion, gives you your own 'unregistered' version of this 
            target to play with.

Final, final hint:
            One of the interesting things of this essay is that you can
	    work a lot even if you don't understand NOTHING of all this 
            cracking stuff! Learn to crack! It's (often enough) easier 
            than you can imagine.

Final, final, final (and really last) comment: 
            For any suggestions you can reach me at:
         		to(point)tristan(at)usa(point)net
	    I am currently working on Winimage (anyone working on that? 
	    Write me!)
	    
Sorry for my bad english, my native tongue is German, so you can write 
me in German too, Tristan.

All rights released.

-----Tristan--------
(c) Tristan 1997
You are deep inside Fravia's page of reverse engineering, choose your way out:

redBack to the most stupid protections
redhomepage redlinks redanonymity +ORC redstudents' essays redacademy database
redtools redcocktails redantismut CGI-scripts redsearch_forms redmail_Fravia
redIs reverse engineering legal?