The Cracking Method

Up to now I have touched on several weaknesses of ActiveX technology. I have talked about .LIC files, registry entries, and a bit about hacking web sites. I thought this would be a good time to stop and review what we have been over so far. And I thought a good way to do that is to show how I go about cracking an ActiveX control. This e-mail isn't about solutions, it is about questions you (and the software developers) should be asking. This is kind of my checklist of what to do as you go about testing (cracking) the security of a particular control:

PHASE I: THE DOWNLOAD

Of course, you need to have an ActiveX control in order to crack it. So you fire up your browser, type in the URL, and wait for the page to load. As the home page loads, I begin formulating my strategy. The home page says a lot about a company. You can really tell right away who is maintaining the site. Is it some guy who hosts the web site from one of the 15 computers in his basement and doesn't wait for security patches but instead uses a hex editor to fix it himself? Or is it a team of developers who have the time to sit and read through log files? Or is it the marketing manager who hired a temp to set up the site, and they just go in and look at their hit counter once a month? This says a lot about the web site and it says a lot about their software. Think about how the web designer feels about security.

The first thing I want to know is where the downloads are. I jump to that page and, before I start the download, I view the source just to see what goodies are there. I also make a note of where the downloads are coming from. If the file is served via HTTP, I check to see if I can browse just the directory (without the filename). Surprisingly, often I can. So while I am there I look to see if they have retail versions, source code, etc. They usually don't, but sometimes I get lucky.

And then I start the download. And while I am waiting I take a look around the web site. Now this part I'm not going to get into too much detail about, but online registration and online purchasing pages always get my attention.

While I am on the subject, it is usually helpful to subscribe to the mailing lists that announce web security issues such as BUGTRAQ, NTBUGTRAQ, NTSECURITY, RISKS-DIGEST, etc. By being on these lists you can try out new exploits before they get fixed. So anyway, while the software is downloading, I have been through their web and FTP sites. I have scanned all IP addresses near their web site and have tried a few other exploits I know of. Many times I get a serial number before the demo is even downloaded. But not always.

So if I don't have a serial number yet, I do a quick web search. By now, there is a good chance that I already have a serial number or crack. But again, not always. Maybe there is a newer version, or maybe the software isn't very popular.

So if I don't have anything yet, it's on to the install.

PHASE II: INSTALLATION

During this phase, it is important to pay attention. You may have to come back to it later to crack the software. Look at what is going on. Think about what is going on.

Here are some things I ask myself:

- Does the downloaded file indicate that the demo version is different from the real version (ControlDemo15.zip vs. Control15.zip)?

- Which installation program are they using?

- Does it prompt you for a serial number during installation?

- Is there anything interesting in the temp directory while the program is installing (e.g., register.dll)?

- Where is the OCX file being installed (program directory or System directory)?

- Does it ask if you want to register online?

I am not going to explain all of these things, but it gives you some ideas of what I watch for. There are a hundred ways to crack a control. If one doesn't work, paying attention during installation can give you some more clues.

There are also some tricks you can do with install programs. For example, Wise install has the /x switch that extracts all the files from an install. And there are decompilers for InstallShield compressed files.

PHASE III: THE SAMPLE PROJECT

So if you still have a demo version of the control, it is time to actually do some work. Open up Visual Basic (or whatever ActiveX container you are using) and add a reference to the control. Fire up the registry and file monitors, set the appropriate filters, then place the control on a form.

Now what happened? Was there a nag screen? Did the nag screen have an option to register right there?

Then take a look at the monitors. Is it using a license file or a registry entry? Is it looking up a serial number in an INI file? Is there anything else suspicious? Remember that if you missed something and have to repeat the step, you need to remove the reference to the control from the project and then add it again. VB gets the license once and then doesn't request it again for other instances of the control.

Then just use some of the methods I have explained in the past. Start with the easy ones and just keep working on it.

PHASE IV: THINK

By now you should have a good idea of what type of protection the software is using and what strategy to use to crack it. If the license or registry cracks I have explained don't work, try another approach. There is always a weak spot. You just need to find it. And you just need to think.

For those of you who have read +orc's essays, you know that he talks about sipping a good Russian wodka and getting into the Zen of cracking. Well, the point is that you need to stop thinking about what you are doing so your brain can do its work. Have you ever tried thinking about your breathing? Suddenly you can't breathe without thinking about it. Now stop thinking about it and you breathe normally again. Or have you ever looked at one of those stereograms at the store and seen nothing but a blur of colors, but then after 15 minutes suddenly you see an eagle or the moon or something?

What I am saying is that I had trouble cracking VisualComponents products until one day I just sat back and decided to reinstall the product. Then it just came to me as I sat there staring at the installation directory. I saw a file called vciprgm.ini. I opened it up and saw most of the components of the serial number right there. Then it made sense to me. I replaced it with the vciprgm.ini from one of their products I owned and it worked! Stare and think.
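The vciprgm.ini find above and the file/registry monitoring step in Phase III both come down to the same design defect: license material shipping in the clear inside the install image, where anyone who stares at the directory long enough will see it. What follows is an added example, not code from the original essay and not anything from VisualComponents: the self-check a control's developer would run over a release image before publishing it, flagging design-time .LIC files that leaked into a runtime image and INI/CFG options whose names look like serial or license data. The key-name list, the file names and the sample INI contents are all constructed for the example (the stand-in vciprgm.ini is invented and is not the real file's format).

```python
"""Release-image audit for plaintext licensing artifacts.

Added example, not code from the original essay: a developer-side self-check
that looks for the same things the essay finds by staring at the install
directory and watching file/registry monitors. Key names, file names and
the sample INI contents below are constructed for the example.
"""
import configparser
import os
import tempfile

# Option names that usually carry license material (assumption; extend as needed).
SUSPECT_KEYS = {"serial", "serialnumber", "license", "licensekey",
                "regcode", "regkey", "unlockcode"}


def normalize_key(key):
    """Fold 'Serial_Number', 'serial number' and 'SerialNumber' to one form."""
    return key.lower().replace("_", "").replace(" ", "").replace("-", "")


def scan_ini(path):
    """Return [(section, key, value)] for options that look like license data."""
    findings = []
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the original key case for the report
    try:
        parser.read(path, encoding="utf-8")
    except (configparser.Error, UnicodeDecodeError):
        return findings  # not a parseable INI; nothing to report from it
    for section in parser.sections():
        for key, value in parser.items(section):
            if normalize_key(key) in SUSPECT_KEYS and value.strip():
                findings.append((section, key, value.strip()))
    return findings


def audit_install_image(root):
    """Walk an install image; return {path: findings}.

    Flags two things the essay describes finding: a design-time .LIC file that
    has leaked into a runtime/demo image, and INI/CFG files holding serial or
    license values in the clear.
    """
    report = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext == ".lic":
                report[path] = [("<file>", "LIC", "design-time license file shipped")]
            elif ext in (".ini", ".cfg"):
                found = scan_ini(path)
                if found:
                    report[path] = found
    return report


def build_sample_image():
    """Create a constructed install image in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="activex_audit_")
    # Constructed stand-in; NOT the real vciprgm.ini format.
    with open(os.path.join(root, "vciprgm.ini"), "w", encoding="utf-8") as fh:
        fh.write("[Registration]\nName=Demo User\nSerial=DEMO-0000-0000\n"
                 "License_Key=ABC123\n\n[Settings]\nWindow=800x600\n")
    with open(os.path.join(root, "control.lic"), "w", encoding="utf-8") as fh:
        fh.write("Copyright (c) 1998 Example Corp.\n")
    with open(os.path.join(root, "readme.txt"), "w", encoding="utf-8") as fh:
        fh.write("Nothing sensitive here.\n")
    return root


if __name__ == "__main__":
    for path, findings in sorted(audit_install_image(build_sample_image()).items()):
        for section, key, value in findings:
            print(f"{path}: [{section}] {key} = {value}")
```

Anything this report lists is material the essay's Phase III monitors would surface within minutes of dropping the control on a form: the fix is to keep the design-time .LIC out of the redistributable and to stop writing serial components to an INI file at all, rather than to rename the keys so the scan misses them.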

So have you seen the theme here yet? You need to think. You need to think up close and you need to think from far away. You need to think like a web site designer and you need to think like an ActiveX programmer who is under pressure. And sometimes you need to let go and let your subconscious mind take over. Relax yourself and just let the software crack itself. It will happen.

Forget all the assembly skills and advanced debugging software others say you need. Have I even mentioned these things yet? Up to now it has been just a few simple tools and your brain. Of course as time goes along the other skills help but that doesn't mean you can't start cracking now with just your brain. Cracking is more than patching. You can crack codes and crack web sites and crack installations and crack people.

Just be responsible and don't hurt people. I don't feel guilty cracking a control that I know I will never use anyway. Why should I? But it is another thing to be malicious and just crack to hurt people. We are not just hackers. We are software developers who like the security game. And we like to learn. And we like to collect. So be careful what you do with this knowledge.

It is like Vidal Sassoon once said: "If you don't look good, we don't look good."

 

Copyright ©1998 .sozni, all rights reserved. This information must not be duplicated or reproduced without express written permission by the operator of this web site.

Disclaimer: This information must only be used for academic purposes to study different licensing techniques and must not be used to infringe the copyrights of these companies. It must not be used to pirate software or encourage software piracy or to engage in any illegal activity. All instructions are provided as-is and are not supported by either the software producers or the owners or operators of this web site or anyone else for that matter. Before using any of these licensing techniques you must first get approval from the software producer and/or have already purchased this software. Please refer to the Terms of Use for more information.

All trademarked names are registered trademarks of their respective companies.