Cracking TiGa's Vista Sidebar Gadget Crackme - by Sunshine
Download whole package here! (includes tutorial, crackme, reversed crackme and keygen in C).
What's a Gadget?
So to have a look inside TiGa's gadget, just append '.zip' to its filename and extract it.
To install it, double-click on it and it will be added to the sidebar. You can find all additionally installed gadgets under %userprofile%\appdata\local\microsoft\windows sidebar\gadgets. The appdata directory is hidden in most cases, so it is easiest to enter this complete directory path in the Run command in the Start Menu. As we can see now, there are several files in TiGa's gadget folder; the most important ones are:

| File | Description |
|---|---|
| Crackme.html | The main page of the gadget that you see on the sidebar. |
| Gadget.xml | Every gadget must include a .xml file describing its properties, like its name etc. |
| settings.html | When you right-click the gadget and choose options, you come to a dialog expecting us to enter a name and a serial. This dialog is stored in this file. |

When loading the crackme into the sidebar, a lot of popups greet us: Notepad, Paint, Windows Calculator etc. are launched and annoy us. Because everything is plain HTML, just load crackme.html into a text editor and look around a bit. Looking at the body onload event, we see that the function setContentText() is executed. There you already find some serial-calculation code and also the following lines:
System.Shell.execute(System.Gadget.path + "\\CouldHaveBeenSomeReallyBadThing.exe");
Obviously that's our nag so just delete these 5 lines or comment them out with <!-- ... -->.
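Because a gadget is plain HTML and script that can launch programs through System.Shell.execute, it is worth listing every such call before installing one. The following is an added example, not code from the crackme or the original package: a small Node.js scanner run over constructed file contents (only the CouldHaveBeenSomeReallyBadThing.exe line is quoted from the page; the function names and the other sample lines are assumptions).

```javascript
// Added example: list System.Shell.execute calls found in a gadget's files.
// SAMPLE_FILES is constructed; only the first execute line is quoted from the page.
const SAMPLE_FILES = {
  "Crackme.html": [
    '<body onload="setContentText()">',
    "<script>",
    "function setContentText() {",
    '  System.Shell.execute(System.Gadget.path + "\\\\CouldHaveBeenSomeReallyBadThing.exe");',
    '  System.Shell.execute("notepad.exe");',
    '  // System.Shell.execute("calc.exe");',
    "}",
    "</script></body>",
  ].join("\n"),
  "settings.html": '<body onload="loadSettings()"></body>',
};
const EXEC_CALL = /System\s*\.\s*Shell\s*\.\s*execute\s*\(/g;

// Return the text between the "(" at openIdx and its matching ")",
// ignoring parentheses that sit inside string literals.
function callArgument(line, openIdx) {
  let depth = 0, quote = null;
  for (let i = openIdx; i < line.length; i++) {
    const ch = line[i];
    if (quote) {
      if (ch === "\\") i++; // skip the escaped character
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") quote = ch;
    else if (ch === "(") depth++;
    else if (ch === ")" && --depth === 0) return line.slice(openIdx + 1, i).trim();
  }
  return line.slice(openIdx + 1).trim(); // call continues on a later line
}

function findShellExecutes(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((line, idx) => {
      for (const m of line.matchAll(EXEC_CALL)) {
        const argument = callArgument(line, m.index + m[0].length - 1);
        // Heuristic: a "//" before the call on the same line means it is commented out.
        const commentedOut = line.slice(0, m.index).includes("//");
        findings.push({ file, line: idx + 1, argument, commentedOut });
      }
    });
  }
  return findings;
}

console.log(findShellExecutes(SAMPLE_FILES));
```

To use it on a real gadget, extract the archive as described above and pass an object that maps each file name to its text.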
OK, the gadget tells us it is 'unregistered'. So go to the settings dialog, type in any name and serial and press OK: nothing happens. Now have a look at settings.html: again we see that on loading the page the function loadSettings() is executed. We also note that the name textbox has the id "VarName" and the serial box the id "VarSerial1".
What does the loadSettings() function do? In fact it just inserts a name and a serial into the boxes. If you open the settings dialog again, the name/serial you typed are still in the boxes. So nothing special.
More interesting is the line above it:
System.Gadget.onSettingsClosing = settingsClosing;
This means that when the settings dialog is closed, settingsClosing() is executed, which is where the serial calculation actually happens:
variableName = VarName.value;
variableSerial1 = VarSerial1.value;
variableSerial2 = VarName.value.length * VarName.value.length;
var vTime = System.Time.currentTimeZone;
var varZone1 = vTime.standardDisplayName;
var varMint = varZone1.length;
var varZone2 = vTime.displayName;
var varZone3 = vTime.DSTDisplayName;
var varvarvar = varZone2.length + varZone3.length;
variableSerial2 = varMint * varvarvar * VarName.value.length;
variableSerial2 *= VarName.value.length;
The first four lines are just responsible for saving the given name and serial, which is not important for us. Then follows some fancy serial calculation depending on the time zone strings. The calculated value is stored in the setting variableSerial2. But there is no comparison here!? So variableSerial2 must be read somewhere else: in crackme.html.
varUneFoisStunGarsComprendsTu = System.Gadget.Settings.read("variableSerial1");
var varasoie = System.Machine.CPUs;
variableConstant = System.Gadget.Settings.read("variableSerial2");
var envPath = varasoie.count + (System.Shell.RecycleBin.sizeUsed + 1) + variableConstant * (System.Shell.RecycleBin.fileCount + 10);
// Registered only if the computed serial matches, and the name is set and is not the blocked one
if (envPath == varUneFoisStunGarsComprendsTu && (envPath) && (variableName) && variableName != varHappyApiHappy)
    gadgetContent.innerText = "Registered to:\n" + variableName;
else
    gadgetContent.innerText = defaultText;
That's our check. The specified name and serial and also the calculated variableSerial2 are read and the final serial envPath is calculated. As you see, the number of CPUs, the size of your Recycle Bin and the number of items in your Recycle Bin are also involved. Then envPath is compared with the entered serial to see whether they are equal. Also, envPath and your entered name must not be empty and your entered name must not be "BackDoor". I think that is what TiGa means by writing "Activate the backdoor" in his readme: that we should also be able to use "BackDoor" as a username.
So to crack it, I decided the following: when closing the settings dialog, the envPath variable should be calculated and set as our entered serial! This makes it a selfkeygen. So here is what I added to settings.html (in fact just copied from crackme.html, with the variableSerial1 setting set to envPath)
Finally do not forget to delete the variableName != varHappyApiHappy check in crackme.html:
Finished! We can now enter any name and serial to get registered. Moreover, when you reopen the settings dialog, you see inside the serial textbox the real serial for your
Then just pack everything into a zipfile and append ".gadget" to it and we have our selfkeygen-gadget ;-)
You can also find inside the archive a 'normal' (.exe) keygen written in C. Did it just for educational
some variable values out with document.write() and referenced the MSDN.
returned a string and the +1 means to append a '1' and not to add 1!
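The remark about '+1' is ordinary JavaScript behaviour: once the left operand of + is a string, the rest of the chain is string concatenation, while * still converts its operands to numbers. The following added example (not code from the crackme or from the C keygen in the archive) re-evaluates the expressions from settings.html and crackme.html for both operand types; the function names, the time zone strings and all numeric inputs are constructed assumptions.

```javascript
// Added example: the serial expressions with a string vs. a number before "+ 1".
// All inputs are constructed; real values come from the Sidebar API.

// Mirrors settingsClosing(): varMint * varvarvar * name.length * name.length
function variableSerial2(name, tz) {
  const varMint = tz.standardDisplayName.length;
  const varvarvar = tz.displayName.length + tz.DSTDisplayName.length;
  return varMint * varvarvar * name.length * name.length;
}

// Mirrors crackme.html:
// varasoie.count + (sizeUsed + 1) + variableConstant * (fileCount + 10)
function envPath(cpuCount, sizeUsed, variableConstant, fileCount) {
  return cpuCount + (sizeUsed + 1) + variableConstant * (fileCount + 10);
}

// The registration test from crackme.html; blockedName stands for varHappyApiHappy.
function isRegistered(serial, name, computed, blockedName) {
  return Boolean(computed == serial && computed && name && name != blockedName);
}

// Constructed time zone display names (assumption).
const TZ = {
  standardDisplayName: "Example Standard Time",
  displayName: "(UTC+01:00) Example",
  DSTDisplayName: "Example Daylight Time",
};

function demo() {
  const s2 = variableSerial2("Sunshine", TZ);   // 21 * 40 * 8 * 8
  return {
    s2,
    asString: envPath(2, "4096", s2, 3),        // "2" + "40961" + "698880"
    asNumber: envPath(2, 4096, s2, 3),          // 2 + 4097 + 698880
  };
}

console.log(demo());
```

A port to a typed language such as C therefore has to build the digits by concatenation rather than by integer addition, otherwise it produces the asNumber value and the check fails.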
Hopefully you found this solution interesting :-) Happy coding & reversing!
Sunshine, May 2k8
This site is part of Sunshine's Homepage