| Target: | Kama Sutra of Vatsyayana, e-book in hlp format |
| URL: | OmniMedia Digital Publishing |
| Protection: | very simple |
| Tools needed: | W32Dasm 8.9, hexeditor |
OmniMedia wants to make money with a nice idea: they compile books (which have no copyright anymore) into the Windows HLP-format and let the user read only a part of it. The rest of the book is locked using "SoftLock" (www.softlock.com) - you can purchase a password which will unlock this part. Sounds interesting, but how can you prevent the user from accessing these pages?
Download an e-book (the Kama Sutra should be nice) and install it. Run it and watch, how it is protected. Now let's recall what we know about Helpfiles.
Helpfiles are viewed using Microsoft's WinHelp. If you need some functionality which WinHelp can't provide, it is possible to write your own functions. They must be compiled in a DLL and you have to register them in your project-file like this:
RegisterRoutine("user32.dll", "MessageBox", "I=USSU")
After registering you can use the MessageBox-function.
Let's return to our target. It's obvious that we have to look for a dll. Check the directory where the Kama Sutra is installed and bingo, there is a dll - "slomni32.dll". Run W32Dasm, save the result and open it in your favourite editor (I prefer UltraEdit). Scroll down to the section "EXPORTED FUNCTIONS" and what do we find? 2 functions: slProdCheckA and slRegisterA (sl = SoftLoc). They made it too easy. The file "softlock.ini" (in the Windows-directory) contains all your SoftLock products and all the passwords which you have obtained. If you have a valid password for the e-book, the function returns 1, else 0. I don't show you how to crack it, it is very easy. All OmniMedia e-books use the same dll. You can put the patched dll in the Windows\Help-directory and delete the one shipped with the e-book(s).
But wait, there is another way you can "crack" the Helpfile. As I mentioned above, every function must be registered first. Open the Helpfile in your hexeditor. If you scroll down a little bit you can find the following:
RR(`SLOMNI32',`slProdCheckA',`i=SS') and RR(`SLOMNI32',`slRegisterA',`i=SSSSSS').
As if that wouldn't be enough, you will even find more:
IF(slProdCheckA("BIIBAXQF","10083"),`SaveMark(`pw_ok')')
The 1st string(BIIBAXQF) looks like the password, the 2nd seems to be the product-id. (Unfortunatly, I couldn't test it. The Registration Wizard complained about some error 5 ...) The reason for these plain textstrings is very simple - in Helpfiles you can only use macros (e.g. IF or IfThen are macros) and "markers" (which can be used for conditional tests), it's more like a script language with all its advantages and disadvantages.
As you can see, this kind of "protection" is completely useless. However, if you want to keep the Helpfiles you have to purchase the password. Remember, stealing software is a criminal act (and bad style).