A crack in Redgate's Reflector

Above all things related to software development, those who get my warmest affection are the protection mechanisms. Almost every application out there (mainly commercial ones) have a different approach that materializes the individual vision of one programmer. Some choose commercial protection oriented software, some choose cryptography, some encode, other use math, etc. What makes them different is what makes me interested in them. This interest took me yesterday to Redgate's Reflector. But before continuing let me state the following: although I don't favor cracking, especially when a program has prices affordable by everyone like Reflector does, I believe that cracking is a necessity. Be it for validating the strength of the protections in place, be it for bypassing those protections and validate that a piece of software we just bought or downloaded it from the Internet does what it acclaims.

With that said let me tell you why I'm posting about a bypass of Redgate's Reflector protection scheme: because it just took me less than one minute to find it. Considering all the obfuscation effort that Redgate put on Reflector, this seems like they cracked open their own safety mechanisms.  Given their great work with Reflector, I think that such an error deserves a public post.

The story begins when I needed to use Reflector and it informed me that I had to buy the full version if I wanted to continue using it.

If you have been following the news, my country -Portugal- is in a huge recession, which means that we don't have money. So, as I only use Reflector a couple of times  a year, I decided to see if I could do anything to convince Reflector to work just one more time. I grabbed my second favorite debugger, Windbg, and run Reflector. As the application initialized, it started dumping some data to the debugger's output window:

 

Reflector.exe Information: 0 : Retrieving licence for .NET Reflector 7.0 {2447b2f0-fe09-4d98-8e51-93b07466303e}

Reflector.exe Information: 0 : Machine hash is local

Reflector.exe Information: 0 : Local machine hash is XXXX

Reflector.exe Information: 0 : Persisting

Reflector.exe Information: 0 : Product .NET Reflector

Reflector.exe Information: 0 : Activated False

Reflector.exe Information: 0 : Edition

Reflector.exe Information: 0 : Serial Number

Reflector.exe Information: 0 : Blob {2447b2f0-fe09-4d98-8e51-93b07466303e}

Reflector.exe Information: 0 : Hash XXXX

Reflector.exe Information: 0 : Trial Tampered

Reflector.exe Information: 0 : Expires 2011-11-13 02:59:43 UTC

Reflector.exe Information: 0 : Extended False

Reflector.exe Information: 0 : Installed 2011-10-14 02:59:43 UTC

Reflector.exe Information: 0 : First Used 2011-10-14 02:59:43 UTC

Reflector.exe Information: 0 : Last Used 2011-10-17 09:52:05 UTC

Reflector.exe Information: 0 : Stored to registry

I thought the value {2447b2f0-fe09-4d98-8e51-93b07466303e} was a curious one as it resembled a GUID. Also, the phrase "Stored to registry" seemed, hmmm... suspicious? I grabbed that value and searched the registry for it. This value was being used here:

I deleted the key from the registry and rerun Redgate's Reflector, and guess what?  The trial date was reset.

Ups!...

PS: After I found this, I searched the Internet for this trial reset hack and found that it is known for some time. But, I didn't find any reference to this leak of information by Redgate. This is the second reason why I decided to post it.