Reversing the protection scheme of Opera 3.60
a not so easy protection scheme
student
Not Assigned
30 July 1999
by -alx
Courtesy of Reverser's page of reverse engineering
slightly edited
by reverser+
fra_00xx
98xxxx
-alx
1100
NA
PC
I have hesitated before publishing this essay. Opera is a browser so good that once you get used to it you will never want to go back to the huge stupid browsersaurii. Opera deserves our support and our help. And now we publish an essay that explains the protection scheme of its most recent version. Why do we do it? Won't this damage Opera?
There are two reasons: first (I checked) the "ready-made cracks" (lamers' food) for Opera (3.6) abound on the web: a simple AltaVista search gave me 198 different pages two minutes ago. Therefore I think and hope that this essay could be more helpful than anything else for the programmers of Opera, allowing them to see the flaws in their protection scheme (which are pretty evident) from an (advanced :-) newbie perspective.
Secondly, the more people use Opera the more people will 'see the light', at least in the browsers' field. And I can imagine that this essay will motivate people to delve even deeper into the inner code of this little jewel of an application.
Yes, please pay for Opera (I did it, as the Opera people probably know :-)
There is a crack, a crack in everything
That's how the light gets in
Rating
( )Beginner (x)Intermediate ( )Advanced ( )Expert

A useful essay for beginners who already know the usage of some tools (SoftIce and WinDasm) but do not know the right way...
This is a collection of attempts with only one purpose: remove the 30-days limitation from a shareware (Opera 3.60)
Reversing the protection scheme of Opera 3.60
a not so easy protection scheme
Written by -alx


Introduction
I think I'm an "advanced" beginner, but cracking Opera 3.60 took me 2 days instead of the 2 hours Opera 3.20 took! This means that Opera's programmers read HAL's essay, and you should read it too.

Tools required
SoftIce
WinDasm 8.93
a hex editor (I use UltraEdit 5.20)


Target's URL/FTP
Here you can download all versions of Opera in many of the most common languages

Essay
First of all, let's run Opera 3.60.
As you can see, there is a "Thanks for using Opera" window with your
remaining days and some options: Evaluate, Purchase, Register.
Click on Register and Opera will ask you for a name, an organization and a
registration code. Type what you want in the first two fields and a 12-char
reg-code in the last one.

A message box appears: "You have probably entered a pre 3.50 reg-code".

Ok, now go to Help... Register Opera... and type a 14-char reg-code.
Another message box will inform you that your code is wrong.

Why are there 2 different message boxes?
Because Opera's programmers have probably replaced their previous protection
scheme (Opera 3.20 and so on) with a more complex one; I think it is more
complex because it wants more chars than the previous one (see my
introduction about Opera 3.20), and the old 12-char format is still
recognised and rejected with its own message.

Well, return to the registration window (RW from now on), press CTRL-D and
set a breakpoint on MessageBoxA (have you read HAL's essay?):

:bpx MessageBoxA

Return to the RW, fill the fields and press OK.

SoftIce pops up just before the message box.
Press F12, read the message and click on OK. You will land here:

:00470195 E86123FFFF              call 004624FB
:0047019A 389D80FDFFFF            cmp byte ptr [ebp+FFFFFD80], bl
:004701A0 7513                    jne 004701B5
.........
......... 
:004701C6 FF1520664F00            Call [USER32.MessageBoxA]
:004701CC 56                      push esi            <----here
:004701CD 8BF8                    mov edi, eax
:004701CF E8FA57FBFF              call 004259CE
:004701D4 59                      pop ecx
:004701D5 8BC7                    mov eax, edi
:004701D7 5F                      pop edi
:004701D8 5E                      pop esi
:004701D9 5B                      pop ebx
:004701DA C9                      leave
:004701DB C21800                  ret 0018

Feel free to study the code (this is only a little part of it) and to test
the jumps; you will only obtain a "warning" message and some "General
protection fault" errors.

Ok, we are at 4701C6; let's exit from this CALL (press F12) and we land at
488C77:

:00488BA6 8BCA                    mov ecx, edx
:00488BA8 B811030000              mov eax, 00000311
:00488BAD 2BC8                    sub ecx, eax
:00488BAF 0F84F9030000            je 00488FAE
:00488BB5 81E90F7D0000            sub ecx, 00007D0F
:00488BBB 0F84E0030000            je 00488FA1
:00488BC1 81E9E10F0000            sub ecx, 00000FE1
:00488BC7 0F8432020000            je 00488DFF
:00488BCD 81E9A1000000            sub ecx, 000000A1
:00488BD3 0F8400010000            je 00488CD9
:00488BD9 83E905                  sub ecx, 00000005
:00488BDC 747D                    je 00488C5B         <--------
:00488BDE 83E90C                  sub ecx, 0000000C
:00488BE1 744F                    je 00488C32
:00488BE3 EB03                    jmp 00488BE8
..........
..........
:00488C5B 8B0D3C175100            mov ecx, dword ptr [0051173C]
:00488C61 33F6                    xor esi, esi
:00488C63 56                      push esi
:00488C64 56                      push esi
:00488C65 53                      push ebx

* Reference to String Resource ID=22004: "Opera Registration"
                                  |
:00488C66 68F4550000              push 000055F4
:00488C6B 57                      push edi
:00488C6C FF351C0F5100            push dword ptr [00510F1C]
:00488C72 E85C74FEFF              call 004700D3       
     
:00488C77 81FFF5550000            cmp edi, 000055F5    <----we are HERE
:00488C7D 751F                    jne 00488C9E
:00488C7F 83F801                  cmp eax, 00000001

We are in an unpatchable, never-ending, multiple-choice loop! Something
like:
while (?) {
  switch (?) {
     case: ? ;
     case: ? ;
  }
}

(The chain of "sub ecx, imm / je" is how the compiler emits a switch on
sparse values: ecx starts as the message id copied from edx, and each
subtraction tests the next case, here 311, 8020, 9001, 90A2, 90A7 and 90B3
in turn, so the case at 488C5B that shows "Opera Registration" is reached
for message 90A7. This is almost certainly the message dispatch of a
window procedure, and that is exactly the problem.)

Try to breakpoint at 488BA6 and you will understand the problem (and also
why I have spent two days on this scheme!!). This code deals with the menu,
the bar's buttons, the "Thanks for using Opera" window etc. Try to fill the
RW and press OK; how many times does SoftIce pop up? Too many.

This first approach doesn't seem the right one; do you remember +ORC's
words? (maximum result with minimum effort)

At this point I decided to try a dead-listing approach, in order to find
some string references to a greeting message ("Thanks for registering...").

First I disassembled Opera and then I started to search for "regist", and
you MUST do it too; here is the most important string (in my opinion),
inside the CALL it belongs to:

:004911EE 55                      push ebp  <-- here the CALL starts
:004911EF 8BEC                    mov ebp, esp
:004911F1 51                      push ecx
:004911F2 56                      push esi
:004911F3 57                      push edi
:004911F4 33F6                    xor esi, esi
:004911F6 33FF                    xor edi, edi
:004911F8 3935B0145100            cmp dword ptr [005114B0], esi
:004911FE 7413                    je 00491213    <--- first jump
:00491200 68FCFCF300              push 00F3FCFC
:00491205 FF1588604F00            Call dword ptr [004F6088]
:0049120B 6A01                    push 00000001
:0049120D A3B0145100              mov dword ptr [005114B0], eax
:00491212 5F                      pop edi
:00491213 A11C175100              mov eax, dword ptr [0051171C]
:00491218 3BC6                    cmp eax, esi
:0049121A 740F                    je 0049122B    <--- second one
:0049121C 33C9                    xor ecx, ecx
*************************************************************************
:0049121E 39B0E8040000            cmp dword ptr [eax+000004E8], esi
:00491224 0F94C1                  sete cl
:00491227 8BC1                    mov eax, ecx
:00491229 EB03                    jmp 0049122E ---
:0049122B 6A01                    push 00000001   |
:0049122D 58                      pop eax         |
:0049122E 3BC6                    cmp eax, esi  <-
:00491230 7525                    jne 00491257  <---- third one
*************************************************************************
:00491232 8B0D3C175100            mov ecx, dword ptr [0051173C]
:00491238 56                      push esi
:00491239 56                      push esi
:0049123A 6A24                    push 00000024
:0049123C 56                      push esi

 "This copy of Opera is already registered.Do you want to cha"   <----HERE
                                  |
:0049123D 68F1550000              push 000055F1
:00491242 FF7508                  push [ebp+08]
:00491245 E889EEFDFF              call 004700D3
:0049124A 83E806                  sub eax, 00000006
:0049124D F7D8                    neg eax
:0049124F 1BC0                    sbb eax, eax
:00491251 40                      inc eax
:00491252 8945FC                  mov dword ptr [ebp-04], eax
:00491255 740E                    je 00491265
:00491257 56                      push esi
:00491258 6A04                    push 00000004
:0049125A FF7508                  push [ebp+08]
:0049125D E816000000              call 00491278
:00491262 83C40C                  add esp, 0000000C
:00491265 3BFE                    cmp edi, esi
:00491267 5F                      pop edi
:00491268 5E                      pop esi
:00491269 740B                    je 00491276
:0049126B 68B0145100              push 005114B0
:00491270 E8564BF9FF              call 00425DCB
:00491275 59                      pop ecx
:00491276 C9                      leave
:00491277 C3                      ret

What a little CALL!!! And there are only THREE conditional jumps before
our target string!!
Well, I think it is now more interesting to study this code with SoftIce
than to start a random patch with a hex editor; so press CTRL-D and search
for this code in memory. I think the bytes right after the string reference
(push 000055F1 followed by push [ebp+08]) are the most representative:

:s 30:00 l ffffffff 68 F1 55 00 00 FF 75 08

What have you found? Nothing!!!
(SoftIce's "s" command only searches the address space that was mapped when
it popped up, and after a plain CTRL-D that is usually not Opera's process:
you must be inside Opera's context to see its code.)

Well, go to the RW, press CTRL-D, and breakpoint at GetDlgItemTextA

:bpx GetDlgItemTextA

fill the fields and press OK..........

SoftIce pops up, this time inside Opera. Good. Press F12 and now retry the
previous search (remember to delete the GetDlgItemTextA breakpoint first:
bl lists your breakpoints, bc clears them):

:s 30:00 l ffffffff 68 F1 55 00 00 FF 75 08
Pattern found at 0030:0049123D

Ok, let's unassemble at this address:

:u 49123D

BINGO!!!!!!

We have found our little CALL! Let's breakpoint at its beginning (4911EE)
and go to the RW......
Hey! What's happening? Why does SoftIce pop up before the RW?

It's very simple! This CALL runs every time the RW is about to be opened:
if you are a registered user, our little CALL will inform you that there
is no need to register again (and you won't see the RW).
Now comes the very interesting part: how does our little CALL know whether
you are a registered user? It uses a FLAG!!!!

If you pay attention you can see that the first two jumps are conditioned
by two globals (the first on [005114B0], the second on whether the pointer
in [0051171C] is null) and the last one by a register comparison that
depends on the result of the previous two: eax is 1 when that pointer is
null or when the dword at [EAX+000004E8] is zero, and "jne 00491257" then
skips the "already registered" message and opens the RW.

So our REG-FLAG is [EAX+000004E8]; write down its real address on paper
(994728 in my session; it is a heap address and will differ on your
machine, so read the pointer with "dd 51171C" and add 4E8) and when SoftIce
breaks at 4911EE change its value from 00 to 01 (eb <address> 1). Press
CTRL-D and ...................

"This copy of Opera is already registered"
"Do you want to change the registration information?"

click on NO

Now go to Help ....... About Opera ..........  and
YES! Opera is 
registered!!

Very good. Now we have to find the code that sets the REG-FLAG when Opera
starts, and then patch it.

Return to WinDasm and search for "+000004E8]". Which register holds the
object is not important; it may be one other than EAX.

First result:

:0045DB1E 899ED8030000            mov dword ptr[esi+000003D8], ebx
:0045DB24 899EA8020000            mov dword ptr[esi+000002A8], ebx
:0045DB2A 899EAC020000            mov dword ptr[esi+000002AC], ebx
:0045DB30 899E50020000            mov dword ptr[esi+00000250], ebx
:0045DB36 899E54020000            mov dword ptr[esi+00000254], ebx
:0045DB3C 899E58020000            mov dword ptr[esi+00000258], ebx
:0045DB42 899E5C020000            mov dword ptr[esi+0000025C], ebx
:0045DB48 6820070000              push 00000720
:0045DB4D 899EE8040000            mov dword ptr[esi+000004E8], ebx <--- HERE 

Here our REG-FLAG is probably set to zero, like many other fields of the
object (ebx=00): this looks like the object's initialisation, not the
decision we are after.

Second result:
:0045E2D3 E82EF00500              call 004BD306
:0045E2D8 8B0E                    mov ecx, dword ptr [esi]
:0045E2DA E873EB0500              call 004BCE52
:0045E2DF 8986E8040000            mov dword ptr [esi+000004E8], eax <--- HERE

hmmmmm, smell it!!!!! We are very close to our target: the result of
call 004BCE52 is written straight into the REG-FLAG.

Probably the encrypted file where Opera stores the registered user's code,
name and organization (have you read HAL's essay?) has already been read
by this point, and call 004BCE52 checks what was loaded into the object.

Let's trace this function! First breakpoint at 45E2D8, close Opera and
then re-run it...................yes, SoftIce pops up before the nag
window; press F8 twice and you land here:

* Referenced by a CALL at Addresses:0045E2DA   , :00497347   
|
:004BCE52 8D8138010000            lea eax, dword ptr[ecx+00000138]
:004BCE58 85C0                    test eax, eax
:004BCE5A 741A                    je 004BCE76              (1)
:004BCE5C 803800                  cmp byte ptr [eax],00     
:004BCE5F 7415                    je 004BCE76              (2)
:004BCE61 81C190030000            add ecx, 00000390
:004BCE67 51                      push ecx
:004BCE68 E88650FDFF              call 00491EF3
:004BCE6D 85C0                    test eax, eax
:004BCE6F 59                      pop ecx
:004BCE70 7404                    je 004BCE76              (3)
:004BCE72 6A01                    push 00000001
:004BCE74 58                      pop eax
:004BCE75 C3                      ret

wow! this is the shortest function I have ever seen!
(notice that it is called from two places).

Read it: it returns 1 only when the byte at [ecx+138] is not zero, i.e.
the string there is not empty (jump 2), and when call 00491EF3, given a
pointer to [ecx+390], returns non-zero (jump 3); every other path goes to
004BCE76 (not shown), which must be the "return 0" case since the REG-FLAG
ends up 0 for an unregistered copy. Jump (1) can never be taken:
"lea eax, [ecx+138]" is zero only for an impossible ecx, it is just the
compiler's leftover of a NULL check.

Study this function and then patch it!!!
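The whole registration state machine, as an added example that is not -alx's code and not Opera's: a hand decompilation of 004BCE52 (which computes the value written into the REG-FLAG at 0045E2DF) and of 004911EE (which reads the flag before the RW), with the "sub eax,6 / neg / sbb / inc" sequence after the message box done literally so you can check that it really means "the user answered YES". Only the offsets +138, +390 and +4E8, the global at [0051171C] and the jump logic come from the listings in this essay; the struct field names, the padding between those offsets, the two message-box stand-ins and the behaviour of call 00491EF3 (here validate_reg_data, which accepts data whose first byte is non-zero) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hand decompilation (added example, not Opera's or -alx's code).
 * Only the three offsets are real; names and padding are assumptions. */
struct opera_obj {
    uint8_t  pad0[0x138];
    char     code[0x390 - 0x138];      /* +138: byte tested against 0 at 004BCE5C */
    uint8_t  reg_data[0x4E8 - 0x390];  /* +390: pointer pushed to call 00491EF3 */
    uint32_t reg_flag;                 /* +4E8: the REG-FLAG */
};

/* Layout sanity check: the REG-FLAG must sit at +4E8 as in the listing. */
int reg_flag_offset_ok(void)
{
    return offsetof(struct opera_obj, reg_flag) == 0x4E8;
}

#define IDYES 6
#define IDNO  7

/* Stand-in (assumption) for the unknown validator at 00491EF3: accept the
 * data when its first byte is non-zero. The real routine is not on the page. */
static int validate_reg_data(const uint8_t *p)
{
    return p[0] != 0;
}

/* 004BCE52 (ecx = object). Jump (1) tests lea eax,[ecx+138] against zero,
 * which cannot happen for a real object pointer; (2) and (3) are the checks
 * that matter. The 004BCE76 target is assumed to return 0. */
int compute_reg_flag(const struct opera_obj *o)
{
    const char *s = o->code;
    if (s == NULL)                         /* (1) je 004BCE76, never taken */
        return 0;
    if (*s == '\0')                        /* (2) empty string at +138 */
        return 0;
    if (!validate_reg_data(o->reg_data))   /* (3) validator said no */
        return 0;
    return 1;                              /* push 1 / pop eax / ret */
}

/* 0045E2DF: mov [esi+4E8], eax, the startup write of the REG-FLAG. */
void set_reg_flag_at_startup(struct opera_obj *o)
{
    o->reg_flag = (uint32_t)compute_reg_flag(o);
}

/* The "sub eax,6 / neg eax / sbb eax,eax / inc eax" sequence at 0049124A,
 * executed literally in 32-bit unsigned arithmetic: it turns the message-box
 * result into 1 for IDYES and 0 for anything else. */
uint32_t yes_idiom(uint32_t r)
{
    uint32_t a  = r - 6;            /* sub eax, 6 */
    uint32_t cf = (a != 0);         /* neg sets CF iff the operand is non-zero */
    a = 0u - a;                     /* neg eax */
    a = a - a - cf;                 /* sbb eax, eax  ->  0 or 0xFFFFFFFF */
    return a + 1;                   /* inc eax       ->  1 or 0 */
}

/* Two message-box stand-ins so the decision routine can be exercised. */
int msgbox_yes(void) { return IDYES; }
int msgbox_no(void)  { return IDNO; }

/* 004911EE: should the registration window (RW) be opened?
 * g_obj plays [0051171C]; msgbox asks "already registered, change it?". */
int should_open_reg_window(const struct opera_obj *g_obj, int (*msgbox)(void))
{
    int not_registered;
    if (g_obj == NULL)                              /* second jump */
        not_registered = 1;                         /* push 1 / pop eax */
    else
        not_registered = (g_obj->reg_flag == 0);    /* sete cl */
    if (not_registered)                             /* third jump -> 00491257 */
        return 1;                                   /* straight to the RW */
    return yes_idiom((uint32_t)msgbox()) == 1;      /* ask; RW only on IDYES */
}

int main(void)
{
    struct opera_obj o;                 /* constructed sample object */
    memset(&o, 0, sizeof o);
    set_reg_flag_at_startup(&o);
    printf("empty object: flag=%u, RW opens=%d\n", o.reg_flag,
           should_open_reg_window(&o, msgbox_no));
    strcpy(o.code, "CONSTRUCTED-CODE"); /* non-empty +138, accepted +390 */
    o.reg_data[0] = 1;
    set_reg_flag_at_startup(&o);
    printf("registered object: flag=%u, RW opens after NO=%d\n", o.reg_flag,
           should_open_reg_window(&o, msgbox_no));
    return 0;
}
```

Run it with any C compiler: the first line shows flag 0 and the RW opening directly, the second shows the flag flipping to 1 once both fields pass, after which the RW is reached only through an IDYES answer to the "already registered" question. It also makes the two patch points explicit: whatever is written at 0045E2DF, or either of jumps (2) and (3) in 004BCE52, decides the flag, and nothing in 004911EE needs touching.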


Final Notes

I hope you have understood that the main problem of this essay is finding
the protection, not cracking it.
Reading this essay and then de-protecting Opera is very easy, but as you
already know it took me a lot of time.

Notice that there are tons of string references in Opera, but none deals
with a greeting message (but IT MUST EXIST!!!!!).
We have found only a warning (it does not exist in Opera 3.20), and we
never saw it before patching the REG-FLAG.

Notice that if I had persevered with my first approach I would probably
have gone crazy.
(so, open your mind. be SUPPLE).



thanks to:

    Jade for her moral support 
    Sugar for his invaluable music
    +ORC; without him, all this would not have been possible.


-alx


YES, I'll send you another that follows the ZEN way. 



Ob Duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.
