Exploit submission Wizard 5 Those infamous net based protections.
Your_date	by Tsehp
	Courtesy of Fravia's page of reverse engineering	slightly edited by tsehp+
	There is a crack, a crack in everything That's how the light gets in
Rating	( )Beginner (x)Intermediate ( )Advanced ( )Expert

One day, I was bored to submit my site to altavista, yahoo, all the major search engines. I was sure that an 
app was already written for that. Instead of giving dollars to funny companies offering you to rank you site
at the top of those engines. I found exploit and tried it, a 1000 search engines database to submit with a 
mouse click. On the trial version, you can submit to 10 only. I found an old serial on altavista but still
not functionning, there's more to be done.

This is a vbasic 6.0 program, you just can't reverse with smartcheck. Just remember that a vbasic app doesn't
call directly the win api's but uses an intermediate runtime dll (vbrun or msvbm).  

The serial check

Look at the serial for evaluation : HKEY_CURRENT_USER\Software\Exploit Information Technology Limited\Submission Wizard\Registration
contains the same word : Free Submission Wizard Only.
We can fire softice and set a bpx regopenkeyExa, wait for this key to be opened, do a bpx regqueryvalueExa and do a bpmb on the key loaded
in memory to see where exploit tests it. You will always get back to subwiz5 by doing F12. In vbasic, the app uses imports from the runtime dll,
in this case to do a string compare, it uses call j___vbaStrCmp to see if the two strings pushed are equal, take a note to where you landed
in subwiz and decompile this app with ida, you will land around here :

.text:0049E4AE call j_rtcLeftCharBstr ; gets x chars from a string (the value pushed before is 2, so two chars are taken)
.text:0049E4B3 mov edx, eax
.text:0049E4B5 lea ecx, [ebp-48h]
.text:0049E4B8 call j___vbaStrMove
.text:0049E4BD push eax
.text:0049E4BE push offset dword_0_43FA38 ;a table to compare with (strings kx or dn or ew or pw in my version)
.text:0049E4C3 call j___vbaStrCmp ; compares the first two char of the serial you register with the mem table.
.text:0049E4C8 neg eax
.text:0049E4CA sbb eax, eax
.text:0049E4CC neg eax
.text:0049E4CE neg eax
.text:0049E4D0 xor esi, esi <--This is the patch to do, so the prog is registered without touching the eval serial in the registry.
.text:0049E4D2 nop 
.text:0049E4D3 mov [ebp-0F4h], si
.text:0049E4DA lea eax, [ebp-48h]
.text:0049E4DD push eax

A flag is set in mem for exploit to see if it's still registered, you can find it yourself by doing this : let the prog patched like this run, try to submit
one time, an error occurs (we'll see that in the next part) and try to submit again, a dialog box appears to tell you it's not registered. Why ?
The error that occured when you tried to submit putted the flag to not registered.
Look a little further in this location :

.

.text:0049E524 jmp short loc_0_49E535
.text:0049E526 ; ---------------------------------------------------------------------------
.text:0049E526 
.text:0049E526 loc_0_49E526: ; CODE XREF: .text:0049E4FDj
.text:0049E526 mov dword ptr [ebp-4], 3Fh
.text:0049E52D or word_0_5072EC, 0000h <-- very strange this value was FFFF.
.text:0049E535 
.text:0049E535 loc_0_49E535: ; CODE XREF: .text:0049E524j
.text:0049E535 mov dword ptr [ebp-4], 41h
.text:0049E53C mov eax, [ebp+8]
.text:0049E53F mov eax, [eax]
.text:0049E541 push dword ptr [ebp+8]

If you look at this mem value before doing the first submission, it's at ffff, and after the nag appeared, it's value is 0000.
You just have to find with ida all the references to val 5072ec and force the prog to put FFFF inside it, everytime it tries tp set it to 0000.

That's all with the boring local protection, we look now at the most interesting part :

The net based protection

Usually, apps checks serials registered inside your computer, more and more conceiled inside fake keys on the registry or crypted data inside some
files. You can always register a fake one found on astalavista and this works.

But if the app checks for a registered serial on their server, the case is worse. No keygens, no simulated inputs works here. We just have to spy
the app with a port sniffer and look whats happening.
I personnaly use Netmon provided with windows 2000 server, you can find several on the web. They hook to your ethernet card and shows all
the packets that goes thru, without interfering with the connection.

To see whats happening, start with a fresh install of exploit, register this serial : KX11j9johnnzuk6at.

Then enter a site and try to submit it to several search engines with your port sniffer working.

I started a submission with exploit and find those packet at first :

00000030 47 45 54 20 2F 77 69 7A 64 61 GET./wizda
00000040 74 61 2F 6B 65 79 73 2F 6B 78 31 31 6A 2E 64 61 ta/keys/kx11j.da
00000050 74 20 48 54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 t.HTTP/1.0..Host
00000060 3A 20 77 77 77 2E 65 78 70 6C 6F 69 74 2E 6E 65 :.www.exploit.ne
00000070 74 0D 0A 0D 0A t.... 

This is the http command GET./wizdata/keys/kx11j.dat etc....

Very tricky, it asks for a file on their server beginning with the same first two letters of the serial you registered.
Ang gess what's happening if the file is not found -> get lost, your serial is not valid.

We are gonna change this to make believe the file was found, the vbasic uses the call to send() fonction to send data on the net, you will
easily find the import with ida, inside the file cihttp.ocx (I found the call with softice to the send api), just do a bpx on it and watch for the data pushed to this function as an argument. When you find what I described above in mem, you're at the good point. Do several F12 at this point to go back to subwiz5.exe and you will find this :

loc_0_4D9D68: ; CODE XREF: .text:004D9D5Fj
.text:004D9D68 ; .text:004D9ED3j
.text:004D9D68 mov dword ptr [ebp-4], 0C6h
.text:004D9D6F movsx eax, word_0_5071E0
.text:004D9D76 test eax, eax
.text:004D9D78 jnz loc_0_4D9ED8 <-Patch this to jump
.text:004D9D7E mov dword ptr [ebp-4], 0C7h
.text:004D9D85 cmp word_0_5071E2, 0FFFFh
.text:004D9D8D jnz loc_0_4D9EC7

This tests a result from a previous call to a controlX named cihttp.ocx. Subwiz just checks if the file was succesfully found.

Now, with all those patches, exploit works well and the essay could stop here. But I had one question in mind :
If they ask for info on the net, they could record some too, just to track you, stupid consumer of trial apps. Just for learning purposes you know ?

After a failed attempt to submit with the serial I gave you, exploit reverts to the trial serial. Submit again with the eval serial and record everything
with your port sniffer.

I was looking to my sniffer reports and found this :

00000: 08 00 3E 15 97 DB 00 00 E8 E7 19 FE 08 00 45 00 ..>.�..��.���..��.�..E.
00010: 03 83 24 5F 40 00 80 06 C4 9F D4 C6 57 3A D8 7A .�$_@.�.ğ��W:�z
00020: 09 FB 05 4D 00 50 98 A1 77 02 C2 2D 81 B7 50 18 .�.M.P�w.�-����w.�-��P.
00030: 44 70 F3 21 00 00 50 4F 53 54 20 2F 63 67 69 2D Dp�!..POST /cgi-
00040: 62 69 6E 2F 77 69 7A 61 72 64 2F 77 69 7A 6C 6F bin/wizard/wizlo
00050: 67 2E 63 67 69 20 48 54 54 50 2F 31 2E 30 0D 0A g.cgi HTTP/1.0.. <--sends info to their cgi script.
00060: 41 63 63 65 70 74 3A 20 74 65 78 74 2F 68 74 6D Accept: text/htm
00070: 6C 0D 0A 48 6F 73 74 3A 20 77 77 77 2E 65 78 70 l..Host: www.exp <--to their address
00080: 6C 6F 69 74 2E 6E 65 74 0D 0A 41 63 63 65 70 74 loit.net..Accept
00090: 3A 20 74 65 78 74 2F 70 6C 61 69 6E 0D 0A 55 73 : text/plain..Us
000A0: 65 72 2D 41 67 65 6E 74 3A 20 53 75 62 6D 69 73 er-Agent: Submis
000B0: 73 69 6F 6E 20 57 69 7A 61 72 64 20 56 65 72 73 sion Wizard Vers
000C0: 69 6F 6E 20 35 2E 33 20 2D 20 4D 69 6C 6C 65 6E ion 5.3 - Millen
000D0: 6E 69 75 6D 20 45 64 69 74 69 6F 6E 20 52 65 67 nium Edition Reg
000E0: 69 73 74 65 72 65 64 20 54 72 69 61 6C 0D 0A 52 istered Trial..R
000F0: 65 66 65 72 65 72 3A 20 53 75 62 6D 69 73 73 69 eferer: Submissi
00100: 6F 6E 20 57 69 7A 61 72 64 20 56 65 72 73 69 6F on Wizard Versio
00110: 6E 20 35 2E 33 20 2D 20 4D 69 6C 6C 65 6E 6E 69 n 5.3 - Millenni
00120: 75 6D 20 45 64 69 74 69 6F 6E 20 52 65 67 69 73 um Edition Regis
00130: 74 65 72 65 64 20 54 72 69 61 6C 0D 0A 43 6F 6E tered Trial..Con
00140: 74 65 6E 74 2D 74 79 70 65 3A 20 61 70 70 6C 69 tent-type: appli
00150: 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D 66 6F 72 cation/x-www-for

***/*** This was cutted for my own privacy.

00360: 69 7A 61 72 64 20 4F 6E 6C 79 26 64 69 73 6B 69 izard Only&diski
00370: 64 3D 35 34 34 32 2D 39 44 35 43 26 76 61 6C 63 d=5454-9B4C&valc <--Very very strange serial sent to them.
00380: 6F 64 65 3D 4E 6F 5F 43 6F 64 65 0D 0A 0D 0A 0D ode=No_Code.....
00390: 0A . 

After an attempt to enter a fake serial, this app gives them a serial info about your app, this serial is watermarked inside your app, so they can
identify you later. We don't want to get busted don't we ?

This feature is very easy to remove, just look for "www.exploit.net" inside subwiz5.exe as a UNICODE string, just change a character, this horrible
feature will disappear.

More and more apps are sending info about you on the net, impossible to avoid with a typical firewall for
internet based applications. You just can't avoid their connection or they cease to function.
We have no other solution than to spy them with a sniffer, and report what you found to the RCE scene.

Tsehp

homepage links search_forms +ORC how to protect academy database
reality cracking how to search javascript wars
tools anonymity academy cocktails antismut CGI-scripts mail_Fravia
Is reverse engineering legal?