Monday, December 16, 2013

Learn a real language!

OK, just looked at an app for a friend.  It's a tool that helps fix corrupted video files.  A quick glance through the files included in the archive shows that it uses MOSTLY open source utils to do the heavy lifting, while it is simply a GUI that checks the licenses and pulls the strings.  The protection on this application was a simple serial number, and without a valid number it would only do 50% of the file.  The main executable was pretty straightforward.  Matter of fact, a little TOO straightforward.  Ease of understanding is your enemy if you're facing me.  So, watching the code, I see that they open a file with the extension .elua.  First, I thought my eyes were playing tricks on me and it was just the EULA (End User License Agreement), which is normally a text file telling you the rights you give up by choosing to use the program.  Not in this case; this was actually a .elua file.  So, I see them open the file, get the file size, malloc a buffer for it, and then read it in.  Then, there is a STUPID decrypt loop.  I kid you not, the C code for it probably looked like this:

static void decrypt_elua(unsigned char *buffer, size_t fileSize)
{
    for (size_t x = 0; x < fileSize; x++)
    {
        buffer[x] ^= 0x4F;   /* XOR each byte with 4Fh ... */
        buffer[x] -= 0x16;   /* ... then subtract 16h (wraps mod 256) */
    }
}
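For anyone who wants to try the same thing on a file, here is an added example (my code, not the vendor's) that applies the loop above to a whole .elua file and also carries the inverse transform, so you can confirm the two steps undo each other on every byte value. Function names and the command-line shape are assumptions.

```c
/* Added example, not the vendor's code: a stand-alone dumper that applies the
 * XOR-4Fh / subtract-16h loop to a whole .elua file, plus the inverse
 * transform so the round trip can be checked. Names are assumed. */
#include <stdio.h>
#include <stdlib.h>

/* The loop from the post: XOR with 4Fh, then subtract 16h (mod 256). */
void elua_decrypt(unsigned char *buf, size_t n)
{
    for (size_t x = 0; x < n; x++) {
        buf[x] ^= 0x4F;
        buf[x] -= 0x16;
    }
}

/* Inverse: undo the steps in reverse order, add 16h first, then XOR 4Fh. */
void elua_encrypt(unsigned char *buf, size_t n)
{
    for (size_t x = 0; x < n; x++) {
        buf[x] += 0x16;
        buf[x] ^= 0x4F;
    }
}

/* Returns 1 if encrypt followed by decrypt is the identity on all 256 byte values. */
int elua_roundtrip_ok(void)
{
    unsigned char b[256];
    for (int i = 0; i < 256; i++) b[i] = (unsigned char)i;
    elua_encrypt(b, sizeof b);
    elua_decrypt(b, sizeof b);
    for (int i = 0; i < 256; i++)
        if (b[i] != (unsigned char)i) return 0;
    return 1;
}

/* Reads an entire file into a malloc'd buffer; returns NULL on failure. */
static unsigned char *read_file(const char *path, size_t *len)
{
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return NULL; }
    long sz = ftell(f);
    if (sz < 0) { fclose(f); return NULL; }
    rewind(f);
    unsigned char *buf = malloc((size_t)sz + 1);
    if (!buf) { fclose(f); return NULL; }
    *len = fread(buf, 1, (size_t)sz, f);
    fclose(f);
    return buf;
}

/* Usage: elua_dump file.elua > file.lua */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s file.elua > file.lua\n", argv[0]);
        return 1;
    }
    size_t len = 0;
    unsigned char *buf = read_file(argv[1], &len);
    if (!buf) { perror(argv[1]); return 1; }
    elua_decrypt(buf, len);
    fwrite(buf, 1, len, stdout);
    free(buf);
    return 0;
}
```

Note that swapping this for a real cipher would not have saved them much: the key has to live in the same binary that calls the Lua interpreter, so a debugger finds it either way. The difference is minutes versus an afternoon, not secret versus safe.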

It was simply an XOR with 4Fh and a subtract 16h.  I guess it keeps the prying eyes out, but that's about all.  They had written the code to DO this feat of software engineering in C, so they could just as easily have used one of the REAL encryption functions from OpenSSL or something.  Anyway, it gets worse.  What this file is, is the code for the GUI, in LUA!  Yes, I know some video games do some things in LUA, but if you can write the C code to decrypt your file and call the LUA interpreter to handle it, you should be able to spend the 20 minutes it would take to learn how to do the rest of the GUI in C++ under MFC.  It's not the most involved GUI in the world.  It's really rather simple.  Since this company is still in business I can't point you to the program or their site, but trust me.  The main app has about 6 buttons on it, and none of them does anything involved.

So, back to the story.  We now know what's going on, so I whip up a quick application to read their file and spit out an unencrypted version of it for my perusal.  And it has the string table, and fun things like that.  A function that gets info about your machine for pseudo-fingerprinting, so that they can *in theory* lock the application to your computer.  A function to check whether you have a license file, and to read it in.  Code to check that the serial number in the license file is valid, etc.  All the things that you would expect.  So, I look at their code to handle the license file.  Here are the steps:

open file
read in file, up to 100 bytes!
grab the 1st 4 bytes.  (Yes, only 4.)
Build a 4-digit string from the last 4 digits of your fingerprint code, in the order (9 - digit 3) (9 - digit 1) (9 - digit 4) (9 - digit 2).
Compare this generated code to the 4 bytes you entered.  Oh, also compare it to the fixed value 4475.
If either of these matches, LICENSE IS GOOD!  FULL VERSION!
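To make the size of the hole concrete, here is the check above rebuilt in plain C as an added example (my reconstruction from the steps listed, not the vendor's code), together with a keygen-style loop that counts how many four-digit codes a given machine will swallow. The function names, the sample fingerprint, and the assumption that "digit 1" means the first of the last four fingerprint digits are mine.

```c
/* Added example, not the vendor's code: the license check as the post describes
 * it, rebuilt in plain C so its key space can be seen. Function names, the digit
 * numbering (digit 1 = first of the last four fingerprint digits) and the sample
 * fingerprint are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define LIC_MAX_READ 100          /* "read in file, up to 100 bytes!" */
#define LIC_BACKDOOR "4475"       /* the fixed value the check also accepts */

/* Step 4: from the last four digits d1 d2 d3 d4 of the fingerprint, build
 * (9-d3)(9-d1)(9-d4)(9-d2). Returns 0 if there are not four trailing digits. */
int derive_code(const char *fingerprint, char out[5])
{
    size_t n = strlen(fingerprint);
    if (n < 4) return 0;
    const char *d = fingerprint + n - 4;
    for (int i = 0; i < 4; i++)
        if (!isdigit((unsigned char)d[i])) return 0;
    int d1 = d[0] - '0', d2 = d[1] - '0', d3 = d[2] - '0', d4 = d[3] - '0';
    out[0] = (char)('0' + (9 - d3));
    out[1] = (char)('0' + (9 - d1));
    out[2] = (char)('0' + (9 - d4));
    out[3] = (char)('0' + (9 - d2));
    out[4] = '\0';
    return 1;
}

/* Steps 1-6: given the raw bytes of the license file (at most 100 are looked at),
 * accept if the first four bytes equal the derived code OR the fixed 4475.
 * Everything after byte 4 is ignored, exactly as the post describes. */
int license_ok(const unsigned char *lic, size_t len, const char *fingerprint)
{
    char entered[5], expected[5];
    if (len > LIC_MAX_READ) len = LIC_MAX_READ;
    if (len < 4) return 0;
    memcpy(entered, lic, 4);
    entered[4] = '\0';
    if (memcmp(entered, LIC_BACKDOOR, 4) == 0) return 1;
    if (!derive_code(fingerprint, expected)) return 0;
    return memcmp(entered, expected, 4) == 0;
}

/* Keygen view of the same logic: how many of the 10,000 four-digit strings
 * does a given machine accept? Never more than two (one if the derived code
 * happens to be 4475 itself). */
int count_valid_codes(const char *fingerprint)
{
    int hits = 0;
    for (int i = 0; i < 10000; i++) {
        unsigned char lic[4];
        lic[0] = (unsigned char)('0' + i / 1000);
        lic[1] = (unsigned char)('0' + (i / 100) % 10);
        lic[2] = (unsigned char)('0' + (i / 10) % 10);
        lic[3] = (unsigned char)('0' + i % 10);
        hits += license_ok(lic, 4, fingerprint);
    }
    return hits;
}

int main(void)
{
    /* Constructed fingerprint; the real one comes from the vendor's Machine ID. */
    const char *fp = "20091231";
    char code[5];
    if (derive_code(fp, code))
        printf("fingerprint %s -> code %s\n", fp, code);
    printf("four-digit codes this machine accepts: %d\n", count_valid_codes(fp));
    return 0;
}
```

Two things fall out of running it: the whole key space is 10,000 strings, so even without reading the Lua you could brute-force it in a loop faster than typing the first guess, and the 4475 constant works on every machine regardless of fingerprint, which is what makes it a backdoor rather than a weak key.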

*FACEPALM*  They had a reasonable idea going along, and then 4 digits?  Seriously?  Backdoor code left in by the developer?  WHY?  And in LUA, where any jackleg can come along, decrypt the file, and see your original source.  Just pathetic!

****UPDATE****

I did a little more digging, and the situation gets a little MORE pathetic.  I thought about this, and considered "Maybe they know nothing about C, and this was their only way to make a product!  They found some code online that let them embed a LUA VM and launch their code, and the load/decrypt was all that they could muster."  In which case, I can kinda understand their suckage.  Not so, kemosabe.  As they like to say in the NFL, "Upon further review".  I spent a few minutes digging into the application that launches their script.  It's not JUST a launcher!  It contains a library of functions in a custom namespace that they call from inside their LUA script.  What really triggered this is that I was curious to find out how their "Machine ID" function worked.  So, they have the chops to develop an entire library of utility functions in C, on Windows AND Mac!  Yet they can't be bothered to develop a GUI in something other than LUA.  And, as I typed that last sentence, it hit me.  This is the world's lamest cross-platform application.  Develop the GUI once in LUA, write stock C code, compile it on Windows and Mac, and ship it.  OK, well, moving on.  So where DOES this vaunted Machine ID come from?  Why, from here:  "SELECT ReleaseDate FROM Win32_BIOS".  That's a WMI query, and every machine running the same BIOS build returns the same release date, so it is hardly unique to your computer.  I should check the Mac version, since WMI isn't available on the Mac.  Stay tuned.  This could be epic!