BEGINNERS: Awesome AW: MOST STUPID PROTECTION OF THE YEAR 1997!
Hardcoded and unencrypted registration codes: a touristic tour for
Most stupid protection 1997
(31 December 1997, heavily edited by Fravia+)
Courtesy of Fravia's page
of reverse engineering
Well, Tristan is a beginner turned cracker, that has found
a protection really stupid indeed. In fact so 'blöd', that I would suggest
assigning -in this very last day of the year- the award
of MOST STUPID PROTECTION SCHEME 1997 to cyberspace.hq for their Add
Note that already the idea to make a special software
application in order to automatically
register a site by search engines is pretty stupid (and inehrently bogus)
in itself, as anyone that
knows a little 'searchengining' knows.
So my compliments to cyberspace.hq:
I doubt that you could find anywhere on the Web a more utterly stupid and
ridicolous protection scheme (yet I'm not betting much on that: it would not
wonder me at all if this would happen :-)
Awesome AW: MOST STUPID PROTECTION OF THE YEAR 1997!
(c) Tristan 1997
Hardcoded and unencrypted registration codes: a touristic tour for
Hi all from the +HCU, and especially +ORC for his tutorials and his
followers who made them accessible to us.
A few words before I start with the real essay.
I started to learn cracking only one year ago, but in a first phase
I only followed the evolution of our techniques reading essays and
trying out ready made cracks.
After a long period of researches, I began to reverse on my own.
I found a lot of incredible easy protection schemes, and I can only
encorage anyone reading this that has not yet done it, maybe scared
by the 'advanced stuff', to start cracking on his own.
In fact I don't understand why the cuckoo I didn't started to crack
I have an advice for beginners and an incredibly stupid protection
scheme to report. My advice is "really, newbies, try your hand!
You can only learn, and there is no way you would loose against
such feeble protection schemes as the ones I found until now".
And the subject of this essay is related to this advice: I found
a mighty candidate for the "most stupid protection" award.
Awesome AW: an example of an Incredibly Stupid Protection Scheme
The target is Add Web 1.23 from cyberspace hq.
You can download it from www.download.com or from its web page at
http://www.cyberspacehq.com/home.htm, else (as soon as they will
take it away :-) you'll of course find any current or previous
version of it elsewhere on the web, if you have learned how to
First you should research a little: study the target. You will then
see that there exist three different versions of Add Web.
The first is the one you get after installation, without registering.
Yeah you guessed it: it's the 'unregistered version' which permits
you to register your home page at 10 search engines.
The next, higher, version is the 'registered version' which allows
you to register your home page at about 355 search engines (well
quite a lot too many, I think, since there are only a couple of
dozens of really important search engines, most of the others are
just pilfered 'bogus' subsets).
Last but not least there is a 'gold registered version' which allows
you the following:
"The GOLD version adds the ability for you to customize
the report headers and footers, and allows you to edit
the text in e-mail reports."
I pasted it from the Add Web Help file, because I couldn't remember
it after having closed the Help file. The two 'registered' Versions
can be accessed by simple Registration number inputs.
Ohh and another aspect shouldn't be left out:
the price of this program:
Huuh $89? Quite a lot for this software! I think the whole Win95
isn't so expensive (which on the other hand is quite understandable
seen how buggy it is).
And now you think: borabora! If the target is so expensive, then it
will have a nearly uncrackable protection scheme.
Let's see: here follows the crack:
I opened the file addweb.exe (by the way 732.160 bytes long) with
Wdasm 8.9. And now I looked for relevant strings like 'now registered'
or 'sorry this was a bad reg. number' (Just like +Orc and all his
students told us). And there comes the funny Part:
I found string references like this:
...and a lot more
Hmm what do you think are these strings? Well for me they don't look like Error
Messages, so what could they be then? Why not encoded registration numbers.
Well yes but why are they encoded thattaway?
Or could it be that...? No, it can't be! Would be too easy!
0r perhaps they are really blank registration keys?
Pahh! Too simple (but worth a try nevertheless...)
And so I entered one of these numbers, just to see what nasty message I would have
got and I could noy believe my eyes: Bingo! There comes the happy message:
'Thanks for your 49 (or 89) dollars'... for a registration number which isn't
even encoded! A shame! Puah! This "crack" took me two minutes ,without any
working with my brain.
Well, the crack isn't already done, because i said to you that there are two
kind of registration: the normal and the gold one.
Looking at the About Box told me that I registered for a normal version.
So i decided to have a 'zen' look at the hardcoded registration codes
A small 'zen cracking' exercise
Do it NOW, before reading the following, is a (very very tiny) 'zen cracking'
Look at the registration codes above! You dig it?
Hope you tried for yourself instead of just reading on. It's (once more) so
easy I could cry! The following applies:
- All registration numbers start with AW (Gosh, could it possibly be a
contraction of AddWeb? :-)
- all gold versions registration numbers begin with G after AW (G for Gold
how original... hmm... do you see a simile?)
- all other reg. numbers which don't have a G are normal versions
now go and have a look yourself if you don't believe me, it's so stupid that
it's zum kotzen.
Why should we use a registration ready made number? Let us transform it into a
real crack, as it should be if the programmers would not have been so stupid.
Starting Wdasm again we search the strings until we land to the position of
one of the registration numbers above, as soon as you land there the code
will look, for example, like the following snippet:
* Referenced by a Jump at Address:045A459(C)
:045A495 8B831C050000 mov eax, dword ptr [ebx+0000051C]
* StringData Ref from Code Obj ->"AW25-7JREG7C-3H1EG54" <-this is our reg, code "..class" tppabs="http://Fravia.org/..class" | (one of the normal version) :045A49B BA68AB4500 mov edx, 0045AB68 <-pass as parameter in edx :045A4A0 E85792FAFF call 004036FC <-compare entered reg code :045A4A5 753A jne 0045A4E1 <-reg code wrong: evil jump :045A4A7 C6831305000001 mov byte ptr [ebx+513], 01 <-goodcode : flag one here :045A4AE C6831105000000 mov byte ptr [ebx+511], 00 <-good: flag zero here Watch it! :045A4B5 66B91F00 mov cx, 001F <-Parameters for the... :045A4B9 66BA0C00 mov dx, 000C <-...following... :045A4BD 66B86300 mov ax, 0063 <-...call :045A4C1 E872C4FAFF call 00406938 <-In this call the reg. Code is saved :045A4C6 DD9B14050000 fstp qword ptr [ebx+514] ...in our Win95 registry I think :045A4CC 9B wait :045A4CD C7832805000001000000 mov dword ptr [ebx+528], 1 <-More flags like expiration dates :045A4D7 C7832C050000D0070000 mov dword ptr [ebx+52C], 7D0 <-and the year 2000 * Referenced by a Jump at Address:045A4A5(C) | :045A4E1 8B831C050000 mov eax, dword ptr [ebx+51C] * StringData Ref from Code Obj>"AWGM-MCC77WA-G55WGS5" <-reg. code "for.class" tppabs="http://Fravia.org/for.class" a gold version | :045A4E7 BA88AB4500 mov edx, 0045AB88 :045A4EC E80B92FAFF call 004036FC <-Again the comparison :045A4F1 753A jne 0045A52D <-And again a jump if it is wrong :045A4F3 C6831305000001 mov byte ptr [ebx+513], 01 <-Now the flags registered if 1 :045A4FA C6831105000001 mov byte ptr [ebx+511], 01 <-Normal or gold? Gold please. :045A501 66B91F00 mov cx, 001F All what now follows is the same like above :045A505 66BA0A00 mov dx, 000A :045A509 66B86200 mov ax, 0062 :045A50D E826C4FAFF call 00406938 :045A512 DD9B14050000 fstp qword ptr [ebx+514] :045A518 9B wait :045A519 C783280500000B000000 mov dword ptr [ebx+528], B :045A523 C7832C050000CE070000 mov dword ptr [ebx+52C], 7CE <-Only 1998 for goldy? Now come my two solution for this to crack: First decide if you want to get a normal version or a gold version of this crap, just for the sake of it. For a normal version take the location of the jne at :0045A4A5 and for the gold the jne at :0045A4F1 Now another decision, regarding the evil jump: Nop out or turn around? The first solution would turn 753A to 9090 (see below about nopping) and the second would turn 753A to 743A (75="jne" 74="je)" (The second solution has one flaw: if you entered the valid reg. number then the evil jump would be done :-) Since plane 0x90 noppîng (as +ORC teached us) could eventually trigger a protectionist 'bait' (it won't of course happen here with such doof programers, but let's say we are paranoid for the sake of it), and we are scared that one day the most stupid protection will turn out being in the reality- the most clever cracker's bait around (protectionists, are you reading this?), which will destroy our harddisk and our screen (yes, you can destroy a screen through software, it's great fun for some viri :-) as soon as we nop two bytes with the ubiquitous 0x90... well, so here is the "elegant nopping table" for you:
elegant nopping: two bytes nopping: basic
inc ax 40 1000000
dec ax 48 1001000
- - ~ - -
inc bx 43 1000011
dec bx 4B 1001011
- - ~ - -
inc cx 41 1000001
dec cx 44 1000100
- - ~ - -
inc dx 42 1000010
dec dx 4A 1001010
Of course there are also 4 bytes nops, like FEC0 inc al and FEC8 dec al. The
more you study opcodes the more you see that you can crack 'secret' intel
opcodes as well, it's just like cracking software!
If you want to re-obtain your own copy of Add Web unregistered
then start regedit from win95 and search for AddWeb.
In the sub dir Init you find the entry RegNum which, after
deletion, gives you your own 'unregistered' version of this
target to play with.
Final, final hint:
One of the interesting things of this essay is that you can
work a lot even if you don't understand NOTHING of all this
cracking stuff! Learn to crack! It's (often enough) easier
than you can imagine.
Final, final, final (and really last) comment:
For any suggestions you can reach me at:
I am currently working on Winimage (anyone working on that?
Sorry for my bad english, my native tongue is German, so you can write
me in German too, Tristan.
All rights released.
You are deep inside Fravia's page of reverse engineering,
choose your way out:
Back to the most stupid protections
Is reverse engineering legal?