BEGINNERS: Awesome AW: MOST STUPID PROTECTION OF THE YEAR 1997!
Hardcoded and unencrypted registration codes: a touristic tour for beginners


by Tristan

(31 December 1997, heavily edited by fravia+)
Courtesy of fravia's page of reverse engineering

Well, Tristan is a beginner turned cracker, who has found a really stupid protection indeed. In fact so 'blöd', that I would suggest assigning -in this very last day of the year- the award of MOST STUPID PROTECTION SCHEME 1997 to cyberspace.hq for their Add Web 1.23.
Note that already the idea to make a special software application in order to automatically register a site with search engines is pretty stupid (and inherently bogus) in itself, as anyone that knows a little 'searchengining' knows.
So my compliments to cyberspace.hq: I doubt that you could find anywhere on the Web a more utterly stupid and ridiculous protection scheme (yet I'm not betting much on that: it would not surprise me at all if this would happen :-)

Hi all from the +HCU, and especially +ORC for his tutorials and his followers who made them accessible to us.

A few words before I start with the real essay. I started to learn cracking only one year ago, but in a first phase I only followed the evolution of our techniques, reading essays and trying out ready-made cracks. After a long period of research, I began to reverse on my own. I found a lot of incredibly easy protection schemes, and I can only encourage anyone reading this who has not yet done it, maybe scared by the 'advanced stuff', to start cracking on his own. In fact I don't understand why the cuckoo I didn't start to crack earlier myself.

I have a piece of advice for beginners and an incredibly stupid protection scheme to report. My advice is "really, newbies, try your hand! You can only learn, and there is no way you would lose against such feeble protection schemes as the ones I found until now". And the subject of this essay is related to this advice: I found a mighty candidate for the "most stupid protection" award.

Awesome AW: an example of an Incredibly Stupid Protection Scheme

The target is Add Web 1.23 from cyberspace hq. You can download it from www.download.com or from its web page at http://www.cyberspacehq.com/home.htm, else (as soon as they take it away :-) you'll of course find any current or previous version of it elsewhere on the web, if you have learned how to search.

First you should research a little: study the target. You will then see that there exist three different versions of Add Web. The first is the one you get after installation, without registering. Yeah, you guessed it: it's the 'unregistered version', which permits you to register your home page at 10 search engines. The next, higher, version is the 'registered version', which allows you to register your home page at about 355 search engines (well, quite a lot too many, I think, since there are only a couple of dozen really important search engines; most of the others are just pilfered 'bogus' subsets). Last but not least there is a 'gold registered version' which allows you the following:

"The GOLD version adds the ability for you to customize the report headers and footers, and allows you to edit the text in e-mail reports."

I pasted it from the Add Web Help file, because I couldn't remember it after having closed the Help file. The two 'registered' versions can be accessed by simple registration number inputs. Ohh, and another aspect shouldn't be left out: the price of this program:

Pricing:

    Version     Price
    ====================
    Standard    $49.00
    Gold        $89.00

Huuh, $89? Quite a lot for this software! I think the whole Win95 isn't so expensive (which on the other hand is quite understandable, seeing how buggy it is). And now you think: borabora! If the target is so expensive, then it will have a nearly uncrackable protection scheme. Let's see: here follows the crack.

First approach:

I opened the file addweb.exe (by the way 732.160 bytes long) with Wdasm 8.9. And now I looked for relevant strings like 'now registered' or 'sorry this was a bad reg. number' (just like +Orc and all his students told us). And there comes the funny part: I found string references like this:

    "AW21-JH8WFHB-84EWFW8"
    "AW23-JH843H8-8426298"
    "AW98-2J882DB-JW01192"
    "AWD8-362HF83-8EHE532"
    "AWE1-F373736-UJU8376"
    "AWGD-WDWD824-4962345"
    "AWGE-DWE837A-FE97438"
    ...and a lot more

Hmm, what do you think these strings are? Well, for me they don't look like error messages, so what could they be then? Why not encoded registration numbers? Well yes, but why are they encoded thattaway? Or could it be that...? No, it can't be! Would be too easy! Or perhaps they are really blank registration keys? Pahh! Too simple (but worth a try nevertheless...)

And so I entered one of these numbers, just to see what nasty message I would get, and I could not believe my eyes: Bingo! There comes the happy message: 'Thanks for your 49 (or 89) dollars'... for a registration number which isn't even encoded! A shame! Puah! This "crack" took me two minutes, without any working with my brain.

Well, the crack isn't done yet, because I told you that there are two kinds of registration: the normal and the gold one. Looking at the About Box told me that I registered for a normal version. So I decided to have a 'zen' look at the hardcoded registration codes above.
A small 'zen cracking' exercise

Do it NOW, before reading the following: it is a (very very tiny) 'zen cracking' exercise :-) Look at the registration codes above! You dig it?

Hope you tried for yourself instead of just reading on. It's (once more) so easy I could cry! The following applies:

- All registration numbers start with AW (Gosh, could it possibly be a contraction of AddWeb? :-)
- all gold version registration numbers begin with G after AW (G for Gold, how original... hmm... do you see a simile?)
- all other reg. numbers which don't have a G are normal versions

Now go and have a look yourself if you don't believe me; it's so stupid that it's zum kotzen.

Second approach:

Why should we use a ready-made registration number? Let us transform it into a real crack, as it should be if the programmers had not been so stupid. Starting Wdasm again, we search the strings until we land at the position of one of the registration numbers above. As soon as you land there the code will look, for example, like the following snippet:

    * Referenced by a Jump at Address:045A459(C)
    |
    :045A495 8B831C050000     mov eax, dword ptr [ebx+0000051C]

    * StringData Ref from Code Obj ->"AW25-7JREG7C-3H1EG54"
    "AWGM-MCC77WA-G55WGS5"

elegant nopping: two bytes nopping: basic

    inc ax   40   1000000      dec ax   48   1001000
    inc bx   43   1000011      dec bx   4B   1001011
    inc cx   41   1000001      dec cx   44   1000100
    inc dx   42   1000010      dec dx   4A   1001010

Of course there are also 4 bytes nops, like FEC0 inc al and FEC8 dec al. The more you study opcodes the more you see that you can crack 'secret' Intel opcodes as well, it's just like cracking software!

Final hint: If you want to re-obtain your own unregistered copy of Add Web, then start regedit from Win95 and search for AddWeb. In the sub dir Init you find the entry RegNum which, after deletion, gives you your own 'unregistered' version of this target to play with.

Final, final hint: One of the interesting things of this essay is that you can work a lot even if you don't understand ANYTHING of all this cracking stuff! Learn to crack! It's (often enough) easier than you can imagine.

Final, final, final (and really last) comment: For any suggestions you can reach me at: to(point)tristan(at)usa(point)net

I am currently working on Winimage (anyone working on that? Write me!)

Sorry for my bad English, my native tongue is German, so you can write me in German too,

Tristan.

All rights released.
-----Tristan--------
(c) Tristan 1997
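
The design flaw found in the first approach and the 'zen' exercise, seen from the vendor's side, as an added example that is not part of Tristan's essay or of the Add Web code. It puts a plaintext-table check beside one that embeds only salted digests with the tier stored next to each digest, and runs a pre-release scan for key-shaped strings over a stand-in image. The sample codes, the salt, the image bytes and all function names are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample codes in the AWxx-XXXXXXX-XXXXXXX layout; not real keys.
SAMPLE_CODES = {"AW00-SAMPLE1-0000001": "standard",
                "AWG0-SAMPLE2-0000002": "gold"}
SALT = b"constructed-demo-salt"  # assumption: one fixed salt per build
CODE_RE = re.compile(rb"AW[0-9A-Z]{2}-[0-9A-Z]{7}-[0-9A-Z]{7}")

def weak_check(entered):
    """The essay's flaw: plaintext compare, tier read off the third character."""
    if entered in SAMPLE_CODES:
        return "gold" if entered[2] == "G" else "standard"
    return None

def digest(code):
    # Slow salted hash, so the stored value cannot be typed in as a code.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), SALT, 50_000)

# What the hardened build embeds: digest -> tier, no usable code anywhere.
HARDENED_TABLE = {digest(c): tier for c, tier in SAMPLE_CODES.items()}

def hardened_check(entered):
    """Hash the input and compare digests in constant time."""
    d = digest(entered.strip().upper())
    for stored, tier in HARDENED_TABLE.items():
        if hmac.compare_digest(stored, d):
            return tier
    return None

def image_bytes(hardened):
    """Stand-in for the data section of the shipped executable."""
    items = HARDENED_TABLE if hardened else [c.encode() for c in SAMPLE_CODES]
    return b"\x8b\x83\x1c\x05\x00\x00" + b"\x00".join(items) + b"\x00now registered\x00"

def release_gate(image):
    """Pre-release audit: every string in key format found in the image."""
    return [m.decode() for m in CODE_RE.findall(image)]

if __name__ == "__main__":
    for name, hardened in (("weak", False), ("hardened", True)):
        print(name, "build leaks:", release_gate(image_bytes(hardened)))
    print(hardened_check("AWG0-SAMPLE2-0000002"), hardened_check("AWG0-SAMPLE2-0000003"))
```

Hashing removes usable codes from the image but leaves the comparison itself in the client, so anything worth protecting also needs an entitlement check the client does not control.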