Tuesday, 18 October 2011

A crack in Redgate's Reflector


Above all things related to software development, those that get my warmest affection are the protection mechanisms. Almost every application out there (mainly commercial ones) has a different approach that materializes the individual vision of one programmer. Some choose commercial protection-oriented software, some choose cryptography, some encode, others use math, etc. What makes them different is what makes me interested in them. This interest took me yesterday to Redgate's Reflector. But before continuing let me state the following: although I don't favor cracking, especially when a program has a price affordable by everyone like Reflector does, I believe that cracking is a necessity, be it for validating the strength of the protections in place, or be it for bypassing those protections and validating that a piece of software we just bought or downloaded from the Internet does what it claims.
With that said, let me tell you why I'm posting about a bypass of Redgate's Reflector protection scheme: because it took me less than one minute to find it. Considering all the obfuscation effort that Redgate put into Reflector, this seems like they cracked open their own safety mechanisms. Given their great work with Reflector, I think that such an error deserves a public post.

The story begins when I needed to use Reflector and it informed me that I had to buy the full version if I wanted to continue using it.


If you have been following the news, my country, Portugal, is in a huge recession, which means that we don't have money. So, as I only use Reflector a couple of times a year, I decided to see if I could do anything to convince Reflector to work just one more time. I grabbed my second favorite debugger, WinDbg, and ran Reflector. As the application initialized, it started dumping some data to the debugger's output window:
 
Reflector.exe Information: 0 : Retrieving licence for .NET Reflector 7.0 {2447b2f0-fe09-4d98-8e51-93b07466303e}
Reflector.exe Information: 0 : Machine hash is local
Reflector.exe Information: 0 : Local machine hash is XXXX
Reflector.exe Information: 0 : Persisting
Reflector.exe Information: 0 : Product .NET Reflector
Reflector.exe Information: 0 : Activated False
Reflector.exe Information: 0 : Edition
Reflector.exe Information: 0 : Serial Number
Reflector.exe Information: 0 : Blob {2447b2f0-fe09-4d98-8e51-93b07466303e}
Reflector.exe Information: 0 : Hash XXXX
Reflector.exe Information: 0 : Trial Tampered
Reflector.exe Information: 0 : Expires 2011-11-13 02:59:43 UTC
Reflector.exe Information: 0 : Extended False
Reflector.exe Information: 0 : Installed 2011-10-14 02:59:43 UTC
Reflector.exe Information: 0 : First Used 2011-10-14 02:59:43 UTC
Reflector.exe Information: 0 : Last Used 2011-10-17 09:52:05 UTC
Reflector.exe Information: 0 : Stored to registry

I thought the value {2447b2f0-fe09-4d98-8e51-93b07466303e} was a curious one as it resembled a GUID. Also, the phrase "Stored to registry" seemed, hmmm... suspicious? I grabbed that value and searched the registry for it. This value was being used here:


I deleted the key from the registry and reran Redgate's Reflector, and guess what? The trial date was reset.

Oops!...

PS: After I found this, I searched the Internet for this trial reset hack and found that it has been known for some time. But I didn't find any reference to this leak of information by Redgate. This is the second reason why I decided to post it.
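
From the vendor's side, the leak described above is something a release check can catch before shipping. The following is an added example, not code from this post or from Redgate: it audits captured trace output for licensing details, using a few of the lines shown above as sample input; the rule set and function names are hypothetical.

```python
import re

# Trace lines copied from the debugger output in the post (XXXX is the post's own redaction).
SAMPLE_TRACE = """\
Reflector.exe Information: 0 : Retrieving licence for .NET Reflector 7.0 {2447b2f0-fe09-4d98-8e51-93b07466303e}
Reflector.exe Information: 0 : Machine hash is local
Reflector.exe Information: 0 : Local machine hash is XXXX
Reflector.exe Information: 0 : Activated False
Reflector.exe Information: 0 : Serial Number
Reflector.exe Information: 0 : Blob {2447b2f0-fe09-4d98-8e51-93b07466303e}
Reflector.exe Information: 0 : Expires 2011-11-13 02:59:43 UTC
Reflector.exe Information: 0 : Stored to registry
"""

# Line shape seen in the post's output: "<source> <level>: <id> : <message>"
TRACE_LINE = re.compile(r"^(?P<source>\S+) (?P<level>\w+): (?P<id>\d+) : (?P<msg>.*)$")

# Hypothetical rule set: categories of message a release build should never emit.
RULES = [
    ("identifier", re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)),
    ("storage-location", re.compile(r"\b(registry|isolated storage|file)\b", re.I)),
    ("licence-state", re.compile(
        r"^(Activated|Expires|Extended|Installed|First Used|Last Used|Trial|Serial Number)\b")),
    ("machine-binding", re.compile(r"\bhash\b", re.I)),
]

def audit_trace(text):
    """Return (line_no, category, message) for every trace line matching a rule."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = TRACE_LINE.match(line)
        if not m:
            continue  # not trace-listener output, ignore
        for category, pattern in RULES:
            if pattern.search(m["msg"]):
                findings.append((n, category, m["msg"]))
    return findings

def release_gate(text):
    """True when the captured output contains no licensing details."""
    return not audit_trace(text)

if __name__ == "__main__":
    for n, category, msg in audit_trace(SAMPLE_TRACE):
        print(f"line {n}: [{category}] {msg}")
    print("ship" if release_gate(SAMPLE_TRACE) else "block release")
```

Run against output captured from a release build, a non-empty result means the licensing code still has a trace listener attached.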

1 comment:

Sergio Castillo Yrizales said...

This solution no longer works =(. Do you have another one? =)