hal_oper.htm Your


	BEGINNERS: Use Opera! (Bye Bye Navigator ?) (Cracking in order to help - 1) A very interesting new browser!	Not Assigned
15 February 1998	by HAL+
	Courtesy of Fravia's page of reverse engineering
fra_00E7 980216 Hal 1000 NA PC	OK, I'll admit it: I'm in doubt, yet overall I believe I'm right, so let's go on... The Opera Browser deserves to be spread: it is (almost) as good as Navigator 3, which as anyone should know is the best version of Netscape's browser (I myself am using a 'panzered' version of Netscape 3, with some homemade adds-on)... navigator's breed went downhill (or should one say bughill?) after version 3, trying to tackle the overbloated monstruosities of our M$-banes... as if anybody could beat Micro$oft in overbloating code... I reckon you should try Opera... it deservers it... should this browser ameliorate...well it needs some ameliorations for sure, see the interesting add-on by Lord Lucifer at the bottom, with some advices the opera Authors would be well advised to take into consideration for their future versions... Anyway, if this Opera browser will be ameliorated (by the Authors or by us :-) we'll begin to use it even more seriously, may be even as a WEAPON against the bugged 'big (overbloated) two'... what about a Opera-only section of this site? All slaves using the commercial browsers out unless they at least try to use this nice browser!. You have here a very easy, beginners oriented cracking essay, that I publish clearly in the hope to HELP Opera... don't think they will loose anything from this, quite the contrary, since Opera is anyway everywhere to have (actually "to steal") already regged, (I checked) and because I believe that if some serious reverser begin to study the inner 'guts' of opera, and to propose some ameliorations to it (as we will -may be- do in our 'our tools' section, gegebenfalls), this browser will have much more chances to survive. And to survive (and eventually to triumph) it deserves, IMO. And now enjoy this easy yet interesting session... and USE OPERA, or at least try it out and send your proposal for ameliorations...
	There is a crack, a crack in everything That's how the light gets in
Rating	(x)Beginner ( )Intermediate ( )Advanced ( )Expert	Beginners only

An useful essay for beginners in order to see what happen if you write down a very nice software and you leave it "nearly" unprotected ;-)
I will assume you know the very basic of soft-ice!!

This is the end, my only friend ? Tiny,fast,configurable : I don't ask more! Written by Hal+

Introduction

I first met it surfing around  Mammon's homepage I rushed to download it and everything
started: I started to look around and finally I managed to bypass the simple protection.

Tools required

- Soft-ice 3.2 ( What else!)
- W32 Dasm
- An hex editor if you wanna patch it.
- A pen a paper, some good music .
- Last but not least: Brain

Target's URL/FTP

Opera v. 3.10: Get it, It think you won't regret using this browser... don't let the (paid) hypo about the 'FOUR' version of M$-MSIE and Netscape submerge you... judge by yourself!

Program History

I first download Opera v. 3.0 in couple of day I heard of version 3.10: it seems to be faster, a little smaller and ... try it!

Essay

Well, try to run it a couple of time ( I'm referring to version 3.10): 
     as you can see it asks for Name, Organization , and Serial Number. 
     Let's try to make it happy! type in something it wants "both name and 
     organization". Unless you're very lucky the s/n you typed in won't be the 
     good one: it says "Invalid.....", but it seems we're lucky: the window 
     seem to be created by MessageBox call (Remember: Windows has standard icons 
     for MessageBoxes!! )so let's put a 
 > bpx MessageBoxA 
     try to "register" again and you'll land in softice, F12 (P Ret), hit Ok and 
     you're back again. 

Well, let's begin: 
  
 * Reference To: USER32.MessageBoxA, Ord:0195h
                                  |
:0049E370 FF159C8B4E00            Call dword ptr [004E8B9C]  ; call to messageboxa
* Referenced by a   Jump at Address:0049E331(C)
|
:0049E376 5D                      pop ebp
:0049E377 C3                      ret


you land here, F12 and you are  in: 

 * Referenced by a   Jump at Address:0045A4A1(U)
|
:0045A4A8 8D8588FEFFFF            lea eax, dword ptr [ebp+FFFFFE88]
:0045A4AE 50                      push eax
:0045A4AF 57                      push edi
:0045A4B0 E8703E0400              call 0049E325
:0045A4B5 83C410                  add esp, 00000010 ;you are here 
:0045A4B8 5F                      pop edi
:0045A4B9 5E                      pop esi
:0045A4BA C9                      leave
:0045A4BB C21000                  ret 0010 

 I had a look around, but as I can't find out the heart of the protection scheme just tracing 
 I used the dead-listing approach. Start Wdasm, decompile Opera.exe ( it takes a while, to 
 create a 18 Mb file! ). 
 Well now all we have to do is looking for the code referenced by "Invalid registration.. etc" 

:00449D73 8BCE                    mov ecx, esi
:00449D75 E824010000              call 00449E9E
:00449D7A 85C0                    test eax, eax
:00449D7C 7509                    jne 00449D87
:00449D7E 57                      push edi
:00449D7F 57                      push edi

* Possible Reference to String Resource ID=20099: "Invalid registration code. Please check..."
                                  |
:00449D80 68834E0000              push 00004E83
:00449D85 EB30                    jmp 00449DB7 

 hey, wait a moment, look at 00449D7C, oh my God  a conditional jump! and it jumps 
 over the nag!! Well it's done! Put a bpx on the jne: 
 >bpx 00449D7C , F12 and try to register, blam, you are on the jne, well change the 
 Z flag and it'll let you go: you old Good Guy!! F12 and the nag's gone! You are in. 
 But, if now it seems to be all right , when we come back ? 
 NO!! The Nag, again. 
 It wasn't so easy after all! Hey, it now Knows my name and my organization, how is it 
 possible ? 
 Well after a session in Filemonitor i discovered it uses a file Ousr310.dat 
 to save reg. datas if we delete it we'll have again a clean nag (yes I know 
 I'm using filemonitor but I didn't put it in the tool section... well don't 
 worry we won't use it). 
 After jumping a lot around  the code, I just discovered Hot Water!!: 
 try always the easiest, the most-obvious-it-can't-be-so-easy!! way before 
 everything else!! 
 Look at address 
:00449D75 E824010000              call 00449E9E 

 it's just before our check. 

 * Referenced by a CALL at Addresses:00449C1E  ,:00449C7C  ,:00449D75  ,:0049B4A7   
|
:00449E9E 55                      push ebp
:00449E9F 8BEC                    mov ebp, esp
:00449EA1 83EC10                  sub esp, 00000010
:00449EA4 56                      push esi
:00449EA5 8B7508                  mov esi, dword ptr [ebp+08]
:00449EA8 85F6                    test esi, esi
:00449EAA 7435                    je 00449EE1
:00449EAC 56                      push esi ; try d esi 
:00449EAD E81E800700              call 004C1ED0
:00449EB2 83F80C                  cmp eax, 0000000C ; 
:00449EB5 59                      pop ecx
:00449EB6 7529                    jne 00449EE1 ; Bad guy /Good guy -> Nop it
:00449EB8 8D45F0                  lea eax, dword ptr [ebp-10]
:00449EBB 56                      push esi
:00449EBC 50                      push eax
:00449EBD E82E810700              call 004C1FF0 

:00449EC2 59                      pop ecx
:00449EC3 8D45F0                  lea eax, dword ptr [ebp-10]
:00449EC6 59                      pop ecx
:00449EC7 50                      push eax
:00449EC8 E87EFFFFFF              call 00449E4B
:00449ECD 59                      pop ecx
:00449ECE 8D45F0                  lea eax, dword ptr [ebp-10]; try d ecx     
:00449ED1 56                      push esi
:00449ED2 50                      push eax ; try d eax 
:00449ED3 E878800700              call 004C1F50 

 in 00449eb6 if you failed the check at 00449eb2  you're obviously a bad guy!! 
 if you can reach 00449ece you ( surely a good guy ) will be surprised to find in ecx, 
 and eax your code: it has been calculated just for you! Take the pen and write down 
 it! 
 If you want,  instead,  to bypass the protection scheme well you just have 
 to NOP 00449eb6 and make it simple jump (without checking) at 00449d7c  
 (75 09 -> EB 09). 

:00449D75 E824010000              call 00449E9E
:00449D7A 85C0                    test eax, eax
:00449D7C 7509                    jne 00449D87
:00449D7E 57                      push edi 

 Patch it, run it you'll have the regged version of a browser that seems to be even better than 
 Netscape, and it's so much smaller!!

Final Notes

I didn't believe to manage to bypass the prot scheme, I am just a beginner: 
this makes me think that this nice pro wasn't very hard protected!! 

  I am sorry for my English!  Thanks to: 

 +ORC -> his essays are unavaluable!! 

 fravia+ -> one of the most interesting site of the whole Net.
            I think Fravia's home page is a sort of fractal: 
            you can spend there hours and hours and you always 
            see something new, something interesting you didn't 
            noticed before, and it grows and it grows... 
 
 +GreyThorne -> Censorship will never win till there's people who 
                wants to look inside "the black box" to understand 
                how it works.

Ob Duh

I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.

You are deep inside fravia's page of reverse engineering, choose your way out:

links

+ORC

tools

Is reverse engineering legal?

An ADD-ON by Lord Lucifer

(17 February 1998) Hello, Fravia+ I use the Opera web browser after having enough of netscape.... The major problem with opera however is that many of your pages do not load properly... After a small bit of research, I found several causes.... <BODY BGCOLOR=#C0C0C0 TEXT=#001010 VLINK=#405040> <TABLE BORDER CELLSPACING=2 HEIGHT="22" WIDTH="100%"> <TR><TD></TD> <TD>  ... For some reason, by placing HEIGHT in front of WIDTH, the width value is ignored by opera. I dont really know html that well, but this seems odd, and netscape doesn't do this... The result of this is the whole heading table is not full width, and thus its quite a pain to read. After a bit of experimenting, I found all you have to do is to place WIDTH infront of HEIGHT: <TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22"> It then works fine in both Opera and Netscape. Dont ask me why, perhaps a bug, or is the the proper html syntax?? Another thing Ive found is that if you have the following:  ... <PRE> Your text, duh <CENTER> blah blah </CENTER> Text after center.. </PRE> then all the text after 'blah blah' is no longer formatted properly. It all appears a a mig mess, with no line feeds.... Again, this is no problem with netscape...the same thing happens if none of the text is formatted with the <PRE></PRE> format. This is suitable for the comment, intro, notes, etc... but not for the actaul essay part as all the code and text is one big mess... well, Opera is by no means perfect, but in comparison with bloated netscape, (and absolute trash ie) its by far the best... (especially on my old clunker 486 with 8mb ram. :) To remedy these problems, you could easily edit formamus.htm to change the HEIGHT/WIDTH problems throughout the file... that way, at least the newer essays would be compatible... and for the <PRE></PRE> problem, I guess all that could really be done is a comment, warning the authors of the problem... well thanks for your time... I hope you will address these minor problems... I do recommend Opera... It runs nearly flawlessly on my aged computer... In fact Ive only managed to crash it once.... I usually crashed netscape several time a day... oh well... Lord Lucifer