Cracking TiGa's Vista Sidebar Gadget Crackme - by Sunshine

Target : TiGa's Vista Sidebar Gadget Crackme
Downloaded from : Crackmes.de
Author of target: TiGa
Requirements:

* a text editor
* a bit of knowledge about HTML and JavaScript
* MSDN Library 2008

Additional:

* something to drink; I always prefer coffee or beer :-)
* good music; I listened to Flyleaf :-)

Download the whole package here! (It includes the tutorial, the crackme, the reversed crackme and a keygen in C.)

So what's a Gadget?
I think all of you using Windows Vista know the sidebar - the extra area on the desktop where some extra apps or features are placed, for example a little calculator or weather information. Such a feature is called a gadget. In fact, a gadget is just a small HTML page, often including a bit of JavaScript or VBScript to make it somewhat interactive. It is then simply packed and given the extension '.gadget', and that's it.
So to have a look inside TiGa's gadget, just append '.zip' to its filename and extract it.
To install it, double-click on it and it will be added to the sidebar. You can find all additionally installed gadgets under %userprofile%\appdata\local\microsoft\windows sidebar\gadgets. The appdata directory is in most cases invisible, so it is best to enter this complete directory path in the Run command in the Start Menu. As we can see now, there are several files in TiGa's gadget folder. The most important ones are:

Crackme.html  - The main page of the gadget that you see on the sidebar.
Gadget.xml    - Every gadget must include an .xml file describing its properties, like its name etc.
settings.html - When you right-click the gadget and choose options, you come to a dialog expecting us to enter a name and a serial. This dialog is stored in this file.

Killing the nag...
When loading the crackme into the sidebar, a lot of popups face us - notepad, paint, windows calculator etc. are loaded and annoy us. Because everything is plain HTML, just load crackme.html into a text editor and look around a bit. Looking for the body onload event, we see that the function setContentText() is executed. There you already find some serial calculation stuff and also the following lines:

System.Sound.playSound(varPatatePwellMauditCave + "\\Media\\Chord.wav");
System.Shell.execute("notepad.exe");
System.Shell.execute("pbrush.exe");
System.Shell.execute("calc.exe");
System.Shell.execute(System.Gadget.path + "\\CouldHaveBeenSomeReallyBadThing.exe");

Obviously that's our nag so just delete these 5 lines or comment them out with <!-- ... -->.

The serial...
Ok, the gadget says 'unregistered' to us. So go to the settings dialog, type in any name and serial and press Ok - nothing happens. Now have a look at settings.html: again we see that on loading the page the function loadSettings() is executed. We also note that the name textbox has the id "VarName" and the serial box the id "VarSerial1".
What does the loadSettings() function do? In fact it just inserts a name and a serial into the boxes. If you open the settings dialog again, the name/serial you typed are still in the boxes. So nothing special.
More interesting is the line above it:
System.Gadget.onSettingsClosing = settingsClosing;
This means that when the settings dialog is closed, settingsClosing() is executed, and that is where the serial calculation actually takes place:

variableName = VarName.value;
System.Gadget.Settings.write("variableName", variableName);
variableSerial1 = VarSerial1.value;
System.Gadget.Settings.write("variableSerial1", variableSerial1);

variableSerial2 = VarName.value.length * VarName.value.length;
var vTime = System.Time.currentTimeZone;
var varZone1 = vTime.standardDisplayName;
var varMint = varZone1.length;
var varZone2 = vTime.displayName;
var varZone3 = vTime.DSTDisplayName;
var varvarvar = varZone2.length + varZone3.length;
variableSerial2 = varMint * varvarvar * VarName.value.length;
variableSerial2 *= VarName.value.length;
System.Gadget.Settings.write("variableSerial2", variableSerial2);

The first four lines are just responsible for saving the given name and serial - not important for us. Then follows some fancy serial calculation depending on the time zone strings. The calculated value is stored in the setting variableSerial2. But there is no comparison here!? So variableSerial2 must be read somewhere else -> in crackme.html.

variableName = System.Gadget.Settings.read("variableName");
varUneFoisStunGarsComprendsTu = System.Gadget.Settings.read("variableSerial1");
var varasoie = System.Machine.CPUs;
variableConstant = System.Gadget.Settings.read("variableSerial2");
var envPath = varasoie.count + (System.Shell.RecycleBin.sizeUsed + 1) + variableConstant * (System.Shell.RecycleBin.fileCount + 10);
if (envPath == varUneFoisStunGarsComprendsTu && (envPath) && (variableName) && variableName != varHappyApiHappy)
{
     gadgetContent.innerText = "Registered to:\n" + variableName;
}
else
{
     gadgetContent.innerText = defaultText;
     ....
}

That's our check. The specified name and serial and also the calculated variableSerial2 are read and the final serial envPath is calculated. As you see, the number of CPUs, the size of your recycle bin and the number of items in your recycle bin are also involved. Then envPath is compared to the entered serial to see whether they are equal. Also, envPath and your entered name must not be empty, and your entered name must not be "BackDoor". I think that is what TiGa means by writing "Activate the backdoor" in his readme - that we should also be able to use "BackDoor" as a username.

The crack...
So to crack it, I decided the following: when closing the settings dialog, the envPath variable should be calculated and set as our entered serial! This makes it a selfkeygen. So here is what I added to settings.html (in fact just copied from crackme.html, and then set the variableSerial1 setting to envPath):

...
variableSerial2 *= VarName.value.length;
System.Gadget.Settings.write("variableSerial2", variableSerial2);
<!-- keygen -->
variableName = System.Gadget.Settings.read("variableName");
varUneFoisStunGarsComprendsTu = System.Gadget.Settings.read("variableSerial1");
var varasoie = System.Machine.CPUs;
variableConstant = System.Gadget.Settings.read("variableSerial2");
var envPath = varasoie.count + (System.Shell.RecycleBin.sizeUsed + 1) + variableConstant * (System.Shell.RecycleBin.fileCount + 10);
<!-- set the right serial as entered -->

System.Gadget.Settings.write("variableSerial1", envPath);

Finally do not forget to delete the variableName != varHappyApiHappy check in crackme.html:

...
if (envPath == varUneFoisStunGarsComprendsTu && (envPath) && (variableName) )
...

Finished! We can now enter any name and serial to get registered. Moreover, when you reopen the settings dialog, you see the real serial for your name inside the serial textbox!
Then just pack everything into a zip file and append ".gadget" to it and we have our selfkeygen gadget ;-)

Inside the archive you can also find a 'normal' (.exe) keygen written in C. I did it just for educational purposes. I was too lazy to really debug the JavaScript code, so I just printed some variable values out with document.write() and consulted the MSDN. One problem was that JavaScript variables are not typed - e.g. System.Shell.RecycleBin.sizeUsed returned a string, so the +1 means to append a '1' and not to add 1!
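
The typing pitfall described above, as an added example (not part of the original tutorial or of TiGa's crackme): the envPath expression from crackme.html is evaluated once exactly as written and once with every operand converted to a number. The `host` and `tz` objects and all sample values are constructed stand-ins for the Sidebar System.* values, and a numeric fileCount is an assumption.

```javascript
// variableSerial2 as computed in settingsClosing() in settings.html.
function serial2(name, tz) {
  const varMint = tz.standardDisplayName.length;
  const varvarvar = tz.displayName.length + tz.DSTDisplayName.length;
  return varMint * varvarvar * name.length * name.length;
}

// envPath exactly as written in crackme.html: no type conversion.
// With a string sizeUsed, every "+" touching it becomes concatenation.
function envPathAsWritten(host, variableConstant) {
  return host.cpuCount + (host.sizeUsed + 1) +
         variableConstant * (host.fileCount + 10);
}

// The same line with all operands forced to numbers first; this is the
// value a port to a typed language produces if the string is overlooked.
function envPathNumeric(host, variableConstant) {
  return Number(host.cpuCount) + (Number(host.sizeUsed) + 1) +
         Number(variableConstant) * (Number(host.fileCount) + 10);
}

// Constructed sample values (not taken from a real machine).
const tz = {
  standardDisplayName: "Sample Standard Time", // 20 characters
  displayName: "(GMT+01:00) Sample",           // 18 characters
  DSTDisplayName: "Sample Daylight Time",      // 20 characters
};
// sizeUsed is a string, as the tutorial reports; fileCount as a number
// is an assumption made for this example.
const host = { cpuCount: 2, sizeUsed: "4096", fileCount: 3 };

const s2 = serial2("Sunshine", tz);
const asWritten = envPathAsWritten(host, s2);
const numeric = envPathNumeric(host, s2);

console.log("variableSerial2:", s2);
console.log("as written     :", typeof asWritten, asWritten);
console.log("numeric        :", typeof numeric, numeric);
// The gadget compares with ==, so a string envPath still matches the
// serial typed into the textbox, which is a string as well.
console.log("loose match    :", asWritten == "240961632320");
```

The two results differ completely, which is why a reimplementation in C has to reproduce the concatenation step rather than add the numbers.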

Hopefully you found this solution interesting :-) Happy coding & reversing!

Sunshine, May 2k8


This site is part of Sunshine's Homepage