Cracking TiGa's Vista Sidebar Gadget Crackme - by Sunshine
Download whole package here! (includes tutorial, crackme, reversed crackme and keygen in C).
So what's a Gadget?
I think all of you using Windows Vista know the sidebar - the extra area
on the desktop where some extra apps or features are placed, for example a little
calculator or weather information. Such a feature is called a gadget. In fact,
a gadget is just a small HTML page, often including a bit of JavaScript or VBScript
to make it somewhat interactive. It is then packed and given the extension
'.gadget', and that's it.
So to have a look inside TiGa's gadget, just append '.zip' to its filename and
extract it.
To install it, double-click on it and it will be added to the sidebar. You can
find all extra installed gadgets under %userprofile%\appdata\local\microsoft\windows sidebar\gadgets.
The appdata directory is in most cases invisible, so it is best to enter
the complete directory path in the Run command in the Start Menu.
As we can see now, there are several files in TiGa's gadget folder. The most
important are the following:
Crackme.html | The main site of the gadget you see on the sidebar.
Gadget.xml | Every gadget must include a .xml file describing its properties like name etc.
settings.html | When you right-click the gadget and choose options, you come to a dialog expecting us to enter a name and a serial. This dialog is stored in this file.
Killing the nag...
When loading the crackme into the sidebar, a lot of popups face us - notepad,
paint, windows calculator etc. are loaded and annoy us. Because everything is
plain HTML, just load crackme.html into a text editor and look around a bit.
Looking for the body onload event, we see that the function setContentText()
is executed. There you already find some serial-calculation stuff and also the
following lines:
    System.Sound.playSound(varPatatePwellMauditCave + "\\Media\\Chord.wav");
    System.Shell.execute("notepad.exe");
    System.Shell.execute("pbrush.exe");
    System.Shell.execute("calc.exe");
    System.Shell.execute(System.Gadget.path + "\\CouldHaveBeenSomeReallyBadThing.exe");
Obviously that's our nag, so just delete these 5 lines or comment them out with <!-- ... -->.
The serial...
Ok, the gadget says 'unregistered' to us. So go to the settings dialog, type
in any name and serial and press Ok - nothing happens. Now have a look at settings.html:
Again we see that on loading the page the function loadSettings() is
executed. We also note that the name textbox has the id "VarName" and
the serial box the id "VarSerial1".
What does the loadSettings() function do? In fact it just inserts a name
and a serial into the boxes. If you open the settings dialog again, the name/serial
you typed are still in the boxes. So nothing special.
More interesting is the line above it:
System.Gadget.onSettingsClosing = settingsClosing;
This means that when the settings dialog is closed, settingsClosing()
is executed, and that is where the serial calculation actually takes place:
    variableName = VarName.value;
    System.Gadget.Settings.write("variableName", variableName);
    variableSerial1 = VarSerial1.value;
    System.Gadget.Settings.write("variableSerial1", variableSerial1);
    variableSerial2 = VarName.value.length * VarName.value.length;
    var vTime = System.Time.currentTimeZone;
    var varZone1 = vTime.standardDisplayName;
    var varMint = varZone1.length;
    var varZone2 = vTime.displayName;
    var varZone3 = vTime.DSTDisplayName;
    var varvarvar = varZone2.length + varZone3.length;
    variableSerial2 = varMint * varvarvar * VarName.value.length;
    variableSerial2 *= VarName.value.length;
    System.Gadget.Settings.write("variableSerial2", variableSerial2);
The first four lines are just responsible for saving the given name and serial - not important for us. Then follows some fancy serial calculation depending on the time zone strings. The calculated value is stored in the setting variableSerial2. But there is no comparison here!? So variableSerial2 must be read somewhere else: in crackme.html.
    variableName = System.Gadget.Settings.read("variableName");
    varUneFoisStunGarsComprendsTu = System.Gadget.Settings.read("variableSerial1");
    var varasoie = System.Machine.CPUs;
    variableConstant = System.Gadget.Settings.read("variableSerial2");
    var envPath = varasoie.count + (System.Shell.RecycleBin.sizeUsed + 1) + variableConstant * (System.Shell.RecycleBin.fileCount + 10);
    if (envPath == varUneFoisStunGarsComprendsTu && (envPath) && (variableName) && variableName != varHappyApiHappy) {
        gadgetContent.innerText = "Registered to:\n" + variableName;
    } else {
        gadgetContent.innerText = defaultText;
        ....
    }
That's our check. The specified name and serial, as well as the calculated variableSerial2, are read, and the final serial envPath is calculated. As you can see, the number of CPUs, the size of your recycle bin and the number of items in it are also involved. Then envPath is compared with the entered serial to see whether they are equal. In addition, envPath and your entered name must not be empty, and your entered name must not be "BackDoor". I think that is what TiGa means by writing "Activate the backdoor" in his readme - that we should also be able to use "BackDoor" as a username.
The crack...
So to crack it,
I decided the following: when closing the settings dialog, the envPath variable
should be calculated and set as our entered serial! This makes it a self-keygen.
So here is what I added to settings.html (in fact just copied from crackme.html
and set the variableSerial1 setting to envPath):
...
Finally do not forget to delete the variableName != varHappyApiHappy check in crackme.html:
...
Finished! We can now enter any name and serial to get registered. Moreover, when
you reopen the settings dialog, you see the real serial for your name inside the
serial textbox!
Then just pack everything into a zip file and append ".gadget" to it,
and we have our self-keygen gadget ;-)
You can also find inside the archive a 'normal' (.exe) keygen written in C.
I did it just for educational purposes. I was too lazy to really debug the
JavaScript code, so I just printed some variable values out with document.write()
and referenced the MSDN.
One problem was that JavaScript variables are not typed - e.g. System.Shell.RecycleBin.sizeUsed
returned a string, and the +1 means to append a '1' and not to add 1!
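The coercion described above, as an added example that is not part of the original tutorial or its keygen: it evaluates the envPath expression on plain values and spells out each conversion a port to a typed language has to reproduce. The function names and sample values are constructed; that sizeUsed arrives as a string is the tutorial's observation, while the types of the other inputs are assumptions.

```javascript
// Added example. Plain values stand in for the System.* gadget objects;
// all sample values below are constructed.

// Same operators and grouping as the envPath expression in crackme.html.
function checkExpression(cpuCount, sizeUsed, constant, fileCount) {
  return cpuCount + (sizeUsed + 1) + constant * (fileCount + 10);
}

// JavaScript's binary +: concatenate as soon as either operand is a string.
function plus(a, b) {
  return typeof a === "string" || typeof b === "string"
    ? String(a) + String(b)
    : a + b;
}

// The same expression with every coercion written out, as a port to a
// typed language such as C has to do. * always converts to numbers.
function explicitPort(cpuCount, sizeUsed, constant, fileCount) {
  const product = Number(constant) * Number(plus(fileCount, 10));
  return plus(plus(cpuCount, plus(sizeUsed, 1)), product);
}

// Record type and value of each intermediate step.
function trace(cpuCount, sizeUsed, constant, fileCount) {
  const inner = sizeUsed + 1;
  const left = cpuCount + inner;
  const product = constant * (fileCount + 10);
  return [inner, left, product, left + product].map(v => `${typeof v}:${v}`);
}

// sizeUsed as a string (the tutorial's observation) vs. as a number.
const asString = checkExpression(2, "4096", 1000, 3); // "24096113000"
const asNumber = checkExpression(2, 4096, 1000, 3);   // 17099
console.log(trace(2, "4096", 1000, 3).join("  "));
console.log(asString, asNumber, explicitPort(2, "4096", 1000, 3));
```

Once one operand is a string, every later + in the chain concatenates as well, so the result is a digit string rather than a sum.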
Hopefully you found this solution interesting :-) Happy coding & reversing!
Sunshine, May 2k8