21Hex DockIt

Several weeks ago there was a request for 21Hex DockIt, an ActiveX control that makes normal Visual Basic forms dockable.  I spent a few minutes on it and knew right away that it wasn't using the standard ActiveX licensing methods that I have talked about in the past.  I spent a few more minutes looking around then just got bored with it.   Since then, SiraX made a key generator to create your own registration codes for the control.  I downloaded the keygen and played with it a little bit and thought I would look more into the methods this control uses to license itself.

After I first installed the control, I started up VB, Filemon, and Regmon.  I added DockIt to the project and tried to put it on a form.  Immediately, a box popped up asking for a registration code.  So I jumped over to Filemon and saw no reference to a .lic file and nothing else that looked unusual so I closed Filemon.  I looked at Regmon and it had some suspicious looking registry entries it was looking at, but nothing in the HKCR\Licenses area.  In particular, I noticed that it looked for these two entries:

HKCU\Software\21Hex\DockIt\CtrlType and
HKCU\Software\21Hex\DockIt\Disabled

Now I would guess that in order to have a registered version of the control, Disabled should be set to zero (false). But what is this CtrlType entry?  At the time, I thought that might be what tells it whether it is registered or not, but this obviously wasn't going to be a 5-minute crack.  I set it aside and basically forgot that I was working on it.  When I saw the keygen that SiraX had done, I pulled out my notes and decided to take a closer look.  I crack software not only to have that version, but to know what methods each company uses, hoping that their techniques will be the same for future versions (or other products they make).  When I get a serial number I often crack the control anyway just to learn about how they protected their software.

One thing strange I noticed is that it doesn't look for a serial number when you are using the demo version.  I thought that was strange.  So I looked at the Regmon output that I had saved and saw that when it looks at the HKCU\Software\21Hex\DockIt\CtrlType registry key, there is already a value there:   0xE48941.  I disassembled the DockIt.ocx file and (on a long shot) did a search for "E48941."  Sure enough, I found it in this little bit of code:

* Referenced by a CALL at Addresses:
|:100025DD , :1000262A
|
:1000C5DC 55                 push ebp
:1000C5DD 8BEC               mov ebp, esp
:1000C5DF A128470110        mov eax, dword ptr [10014728]
:1000C5E4 56                 push esi
:1000C5E5 3D01527F00        cmp eax, 007F5201
:1000C5EA 57                 push edi
:1000C5EB 7508               jne 1000C5F5
:1000C5ED FF3500210110      push dword ptr [10012100]
:1000C5F3 EB4B               jmp 1000C640

:1000C5F5 3D4189E400        cmp eax, 00E48941   <--------HERE IT IS
:1000C5FA 7508               jne 1000C604
:1000C5FC FF3508210110      push dword ptr [10012108]
:1000C602 EB3C               jmp 1000C640

:1000C604 3D704D9A03        cmp eax, 039A4D70
:1000C609 7508               jne 1000C613
:1000C60B FF3504210110      push dword ptr [10012104]
:1000C611 EB2D               jmp 1000C640
* Possible StringData Ref from Data Obj ->"21Hex DockIt illegal license key"
|
:1000C613 BF2C450110        mov edi, 1001452C
:1000C618 8BC7               mov eax, edi
....

Now the string "21Hex DockIt illegal license key" right away tells me I am in the right place.  I see on the line where I found my string that it compares eax to 00E48941.  Well, I know that my registry has that value so that compare will succeed.  But that's not what we want.  Looking around, I see two other compares on eax. One compares it to 007F5201 and the other compares it to 039A4D70.   Now I can guess that one of those values probably means that it is the registered version and the other one probably means it is a demo that has expired.  So just to play around, I open up regedit.exe and find HKCU\Software\21Hex\DockIt\CtrlType and change the value to 007F5201, the first value it compares.

I then created a new project in VB and tried to add the DockIt control to a form.   And hey! No more nag screen!  It was that simple.  In fact, with this registry key present, you can put anything as the serial number and it will work just fine.

So what's the lesson here?  First of all, when an ActiveX control is created, it must look somewhere else to find out if it is registered, either the registry or a file somewhere.  This is because a control is freely distributable.  They cannot make the control a full version without having some other file or registry entry that only the developer has.  Otherwise, anyone could develop with that control.

The second lesson is that it is so tempting to use traditional methods of targeting the registration screen when cracking a control.  With ActiveX controls, you should target the code that reads the registry or a file.  It isn't wrong to target the registration screen, that works too.  And there are a hundred other ways to crack the control.  It's just that ActiveX technology has some inherent weaknesses and it is so much easier to target those weaknesses first.  In the case of DockIt, it turns out that you put this one value into the registry and it doesn't care what you use for the serial number.
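As an added example (not from the original page and not 21Hex's code), the Python below contrasts the check this page describes, which trusts a cached CtrlType value, with a check that ignores the cached value and verifies a vendor signature over the serial on every load. The RegId layout "serial:signature", the function names and the small RSA key are assumptions made for illustration; the key is constructed and stands in for a signature scheme from a vetted library.

```python
import hashlib

# Constructed demo key built from two Mersenne primes. Far too small for real
# use; it stands in for a vetted signature scheme (e.g. Ed25519 or RSA-PSS).
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q                                   # public modulus, shipped in the control
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent, vendor side only

LICENSED = 0x007F5201                       # first constant compared in the listing
DEMO = 0x00E48941                           # value the page saw on a demo install


def digest(serial: str) -> int:
    """Hash the serial into an integer below N."""
    return int.from_bytes(hashlib.sha256(serial.encode()).digest(), "big") % N


def vendor_issue(serial: str) -> str:
    """Vendor side (hypothetical): sign the serial with the private exponent."""
    return format(pow(digest(serial), D, N), "x")


def weak_check(reg: dict) -> bool:
    """Behaviour the page describes: the cached CtrlType verdict is trusted."""
    return reg.get("CtrlType") == LICENSED


def hardened_check(reg: dict) -> bool:
    """Ignore any cached verdict; verify the signature in RegId on every load."""
    try:
        serial, sig_hex = reg.get("RegId", "").split(":", 1)
        sig = int(sig_hex, 16)
    except ValueError:                      # no separator, or signature not hex
        return False
    return 0 < sig < N and pow(sig, E, N) == digest(serial)


# Constructed registry snapshots (a dict models HKCU\Software\21Hex\DockIt).
tampered = {"CtrlType": LICENSED, "RegId": "anything"}
genuine = {"CtrlType": DEMO, "RegId": "DEV-0001:" + vendor_issue("DEV-0001")}

if __name__ == "__main__":
    for name, reg in (("tampered", tampered), ("genuine", genuine)):
        print(name, "weak:", weak_check(reg), "hardened:", hardened_check(reg))
```

The hardened check removes the registry shortcut only; the verification still runs in a binary the user controls, so it does not address patching of the control itself.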

To make things easier, I have created a .reg file to merge with the registry.  Put the following text into a text file and save it with the .reg extension.   Double-click on the file and you will be registered:

------CUT HERE------
REGEDIT4

[HKEY_CURRENT_USER\Software\21Hex\DockIt]
"CtrlType"=dword:007f5201
"RegId"="<Put anything you want here>"
------CUT HERE------

Copyright ©1998 .sozni, all rights reserved.  This information must not be duplicated or reproduced without express written permission by the operator of this web site.

Disclaimer:  This information must only be used for academic purposes to study different licensing techniques and must not be used to infringe the copyrights of these companies.  It must not be used to pirate software or encourage software piracy or to engage in any illegal activity.  All instructions are provided as-is and are not supported by either the software producers or the owners or operators of this web site or anyone else for that matter.  Before using any of these licensing techniques you must first get approval from the software producer and/or have already purchased this software.  Please refer to the Terms of Use for more information.

All trademarked names are registered trademarks of their respective companies.