<HTML>

<HEAD>

<!--  formamus.htm version 02 February 1998 

      INSTRUCTIONS FOR SUBMITTING: DO NOT USE HTML EDITORS!

      SEARCH THIS TEXT FOR THE STRING "Your_" 

      AND REPLACE WITH WHATEVER YOU WANT TO PUBLISH! 

      THANKS A LOT: this will allow automated retrieval -->

<TITLE>xava_27.htm</TITLE>

</HEAD>



<body BGCOLOR=#C0C0C0 TEXT=#001010 VLINK=#405040>

<TABLE CELLPADDING="1" CELLSPACING="2" BORDER="1" HEIGHT="22"  WIDTH= "100%">

<TR><td></td>

<td>

<!-- Choose  a TITLE probably wont be changed -->

<center><FONT SIZE="+2">PhotoShop 5.0 / Digimarc 1.6.82</fonT><br>

        <FONT SIZE="+1">Commercial stupidity is alive & well</fonT>

</center>

</td>



<td>

<!-- Choose  a PROJECT GIF, leave this if unsure -->

<center>

<br>

<font color=gray>Most stupid protections award</FonT>

</center></td></tr>

<tR>

<td bgcolor="#FFFFEA"><center>

<FONT COLOR="890000">

<!-- CHOOSE A DATE (will probably be changed) -->29 June 1998</FONT></center>

</td>

<td bgcolor="#FFFFEA"><center>by <font size=+3>

<!-- CHOOSE A HANDLE (wont be changed) -->

XaVaX

</fonT></center>

</td>

<td VALIGN="center" bgcolor="#FFFFEA">

<!--

<a href="hcu98_3.htm" tppabs="http://fravia.org/hcu98_3.htm"><IMG SRC="hcu1.gif" tppabs="http://fravia.org/hcu1.gif" ALT="+cracker" ALIGN=BOTTOM 

WIDTH=114 HEIGHT=43 BORDER=0 VSPACE=0 HSPACE=0></a>

-->

</td>

</tr>

<TR><td>&nbsp;</td>

<TD BGCOLOR="898030"><center>Courtesy of Fravia's page of reverse engineering
  (borrowed).</center></TD>

<td BGCOLOR="898030">

<center>

<!-- Your truly+ will edit only if really necessary -->slightly edited<br>

by fravia+</center></td>

</TR>

<!-- this is for the data.....fra_00xx....yymmdd....handle..beg+int...not ass... -->

<tr><td><font color="#C4C0CF">fra_00xx<bR>980629<br>XaVaX<br>1100<br>NA<br>PC<br></fonT></td><td><i><center>

See: commercial stupidity, as usual... when will they learn it? Internet DOES NOT work like that... it does not 

make any sense to develop stupid protection schemes alone in your little provincial corner... 

silly limited 'regionalism' (as usual: this is also valid in <u>all</u> political, linguistic and cultural fields) 

is doomed to catastrophic petty results!<br>Learn to exploit the "non-commercial" 

HUGE power of the web! You should propose a project and 

let hundred UNKNOWN people make you (effective and valid) proposals for free... thattaway 

you would 

get hundred different and valid protection schemes instead of the crap that you have "developed" 

(if you really want to call it 'developing') all alone by yourself inside your little premises 

with your -commercially 

lobotomized- little programmers... Read the following, stupid commercial oriented 

protectors & silly commercial oriented gullible clients... when will you learn it?

</i></center></td>

<td></td>

</tr>

<TR><td></td>

<!-- Leonard Cohen's old song, because we are poets, not only crackers -->

<TD BGCOLOR="898030"><center></i><b>There is a crack, a crack in everything 

That's how the light gets in</b></center>

<!-- Leonard Cohen's old song, because we are poets, not only crackers -->

</center></TD><td></td>

</TR>

<TR>

<td VALIGN= "MIDDLE" bgcolor="#C6E7C6"><font color=blue><center>

Rating</FONT></FONT></center>

</TD>

<td VALIGN = "MIDDLE" bgcolor="#C6E7C6"><font color=blue><center>

<!-- CHOOSE A RATING (may be changed) -->

( )<B>Beginner</B> (x)<B>Intermediate</B> ( )<B>Advanced</B> ( )<B>Expert</B></FONT>

</center></td>

<td></td>

</tr>

</table>

<!-- END HEAD  -->

<bR>

<!-- CORPUS  -->



<!-- CHOOSE A COMMENT (may be changed)  -->

Yet another example of artificial intelligence being no match for natural stupidity. 

<hR>

<center>

   <FONT SIZE="+2">

<!-- CHOOSE A TITLE (wont probably be changed) -->

PhotoShop 5.0 / Digimarc 1.6.82

   </FONT><BR>

   <FONT SIZE="+2">

<!-- CHOOSE A SUBTITLE (wont probably be changed) -->



   </FONT><BR>

   <FONT COLOR="0B7FC1">

<!-- REPEAT YOUR CHOSEN HANDLE HERE -->Written by 

XaVaX

   </FONT>

</center><br><br>



<!-- INTRO STARTS HERE -->

<TABLE CELLPADDING="1" CELLSPACING="2" BORDER="1" HEIGHT="45"  WIDTH= "100%">

<tr><td bgcolor="#C6E7C6"><center><font size=+2><font color=blue>Introduction</fonT>

</fonT></center></td></tr></table>

<pre>
<!-- PASTE HERE YOUR INTRODUCTION -->
This is an addendum to the excellent essay by Frog's Print of 6/8/97
concerning the weakness of the protection applied to the Digimarc watermarking plug-in
supplied with PhotoShop 4.0.  As you will see, things have not changed much in the
latest release included with PhotoShop 5.0.
</prE>

<br><br>



<!-- TOOLS STARTS HERE -->

<TABLE CELLPADDING="1" CELLSPACING="2" BORDER="1" HEIGHT="45"  WIDTH= "100%">

<tr><td bgcolor="#C6E7C6"><center><font size=+2><font color=blue>Tools required</fonT>

</fonT></center></td></tr></table>

<!-- PASTE HERE YOUR REQUIRED TOOLS -->

SoftIce 3.22 (what else?)<br>

W32DSM89<br>

Hex WorkShop

<br><br>



<!-- TARGET URL STARTS HERE -->

<TABLE CELLPADDING="1" CELLSPACING="2" BORDER="1" HEIGHT="45"  WIDTH= "100%">

<tr><td bgcolor="#C6E7C6"><center><font size=+2><font color=blue>Target's URL/FTP</fonT>

</fonT></center></td></tr></table>

<!-- DON'T FORGET TO PASTE HERE THE URL/FTP OF YOUR TARGET(S) -->

http://www.digimarc.com

<br><br>



<!-- PROGRAM HISTORY STARTS HERE -->

<TABLE CELLPADDING="1" CELLSPACING="2" BORDER="1" HEIGHT="45"  WIDTH= "100%">

<tr><td bgcolor="#C6E7C6"><center><font size=+2><font color=blue>Program History</fonT>

</fonT></center></td></tr></table>

<!-- PASTE HERE YOUR TARGET'S HISTORY (if any) -->

To keep this as short as possible I'll refer you to the essay by Frog's Print on a
previous version of Digimarc for a detailed description - you can find it in the
essays section on this site (6/8/97).

<br><br>



<!-- REAL ESSAY  STARTS HERE -->

<TABLE CELLPADDING="1" CELLSPACING="2" BORDER="1" HEIGHT="45"  WIDTH= "100%">

<tr><td bgcolor="#C6E7C6"><center><font size=+2><font color=blue>Essay</fonT></fonT>

</center></td></tr></table>

<!-- PASTE HERE THE TEXT OF YOUR ESSAY

     THIS IS OF COURSE THE MOST IMPORTANT PART

     PLEASE CHECK THE MARGINS WHEN YOU ARE FINISHED! 

     SHOULD NOT BLAST NETSCAPE MARGINS OUT! HAVE A LOOK INSIDE

     YOUR OWN BROWSER WHEN YOU HAVE FINISHED!  -->

<pre>
The file used by the Digimarc system for creating a watermark is digisign.8BF (a DLL)
and it is to be found in \plug-ins\digimarc under photoshop5.
The creator ID and password are stored in digimarc.ini in the same directory.
After reading the essay by Frog's Print on the previous version, I decided to
see if the programmers had learnt anything since, as digisign.8BF has grown
from 128 kB to 230 kB in version 1.6.82 - not much, it seems!
Run Photoshop.EXE, open an image and select FILTER/DIGIMARC/EMBED WATERMARK.
We're presented with a dialog box which shows the 'Creator ID' as 'Picturemark
Demo' and an adjacent 'Configure' button.  Clicking the button shows a 'Change
Creator ID' dialog box with 2 edit boxes. The first edit box accepts 2 digits
and the second accepts up to 8 digits. From examination of the code, acceptable
numbers are 10101 or &gt;=100000 for the larger entry.
GetDlgItemTextA is called for every entered digit, so I went 'fishing' and found
GetDlgItemInt to be a more expedient breakpoint to get into the main part of
the number verification routine after a short period of tracing via softice.

So - BPX GetDlgItemInt and enter a number, e.g. 11-111111.
Click OK and softice pops up, but not quite where we want to be, so CTL-D and we
get to this interesting block of code on the second pop:
(F12 to get back to the Digisign DLL)
:10014AB1 FFD7                    call edi		;the GetDlgItemInt call
:10014AB3 8BF8                    mov edi, eax		;the hex equivalent of our number
:10014AB5 8D842418010000          lea eax, dword ptr [esp+00000118]
:10014ABC 57                      push edi
:10014ABD 6848A20210              push 1002A248		;ie valid characters etc
:10014AC2 50                      push eax
:10014AC3 E8AE290000              Call 10017476		;lots of checks on our entry
:10014AC8 83C40C                  add esp, 0000000C
:10014ACB 8D4C2410                lea ecx, dword ptr [esp+10]
:10014ACF 55                      push ebp
:10014AD0 6848A20210              push 1002A248
:10014AD5 51                      push ecx
:10014AD6 E89B290000              Call 10017476		;ie valid characters etc
:10014ADB 8B460C                  mov eax, dword ptr [esi+0C]
:10014ADE 8B0E                    mov ecx, dword ptr [esi]
:10014AE0 83C40C                  add esp, 0000000C
:10014AE3 8D542410                lea edx, dword ptr [esp+10]
:10014AE7 8B4920                  mov ecx, dword ptr [ecx+20]
:10014AEA 85C0                    test eax, eax
:10014AEC 8D842418010000          lea eax, dword ptr [esp+00000118]
:10014AF3 52                      push edx
:10014AF4 50                      push eax
:10014AF5 7507                    jne 10014AFE
:10014AF7 E8040FFFFF              call 10005A00 	;THE REAL VALIDITY TEST
:10014AFC EB05                    jmp 10014B03
:10014AFE E83D0AFFFF              call 10005540
:10014B03 85C0                    test eax, eax		;EAX must be non-zero
:10014B05 744F                    je 10014B56		;*** blast this
:10014B07 85ED                    test ebp, ebp		;EBP must be non-zero
:10014B09 744B                    je 10014B56		;*** blast this
:10014B0B 85FF                    test edi, edi		;EDI must be non-zero
:10014B0D 7447                    je 10014B56		;*** blast this
:10014B0F 8B460C                  mov eax, dword ptr [esi+0C]
:10014B12 85C0                    test eax, eax
:10014B14 7520                    jne 10014B36		;*** blast this for good measure
:10014B16 8B5608                  mov edx, dword ptr [esi+08]
:10014B19 6A01                    push 00000001
:10014B1B 53                      push ebx
:10014B1C 897A44                  mov dword ptr [edx+44], edi
:10014B1F FF154C810110            Call dword ptr [1001814C]

With the indicated mods, going through the configure option again with any number
entry will create an entry in the digimarc.ini file.
We may expect some check to be done on this data at a later time to keep the
'bad guys' locked out, but this is not so - we now have our own watermark ID
which can be changed anytime and as often as we like.
(Obviously this is of no real value to anyone, as there is no corresponding
entry in the database maintained by Digimarc for registered users.)

This was such a non-event that I went on to have a look at the possibility of
changing the watermark already embedded in a picture (by a registered Creator,
of course).
In very little time, with the aid of softice and W32DSM, I isolated the following:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10007500(C)
|
:1000767E FF10                    call dword ptr [eax]
:10007680 8B442414                mov eax, dword ptr [esp+14]
:10007684 83F801                  cmp eax, 00000001
:10007687 7495                    je 1000761E		;*** blast this
:10007689 83F802                  cmp eax, 00000002
:1000768C 7490                    je 1000761E		;*** and this
:1000768E 8B442424                mov eax, dword ptr [esp+24]
:10007692 C744241446000000        mov [esp+14], 00000046
:1000769A 85C0                    test eax, eax
:1000769C 7408                    je 100076A6
:1000769E C744241428000000        mov [esp+14], 00000028

Making these changes will allow a previously watermarked picture to be
watermarked again with a different Creator ID and URL, options etc.

Where is the security for those who have paid for this technology?

</prE>
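The essay's security point is that the embedder's creator-ID check is purely syntactic: it accepts anything that fits the digit ranges, and nothing in the client can distinguish a registered creator from a number typed into a dialog. The only thing that gives an ID meaning is the database that Digimarc keeps for registered users, and a watermark reader that wants assurance has to consult that registry rather than trust what the embedder wrote. The following Python model is an added example, not the essay author's or Digimarc's code: the input shape (a 2-digit field and an up-to-8-digit field) and the accepted values for the larger field (10101 or &gt;=100000) are taken from the essay; the registrar, its key, the HMAC credential and the sample IDs are constructed for illustration.

```python
"""Model of a client-side creator-ID check versus a registry-backed one.

Added example, not Digimarc's or the essay author's code. Facts from the page:
a 2-digit field, an up-to-8-digit field, and acceptance of 10101 or >= 100000
for the larger field. Everything else (the Registrar class, its secret key,
the HMAC credential format, the sample IDs and owner names) is an assumption
made for illustration.
"""
import hmac
import hashlib
import secrets
from typing import Dict, Optional


def local_id_check(prefix: str, body: str) -> bool:
    """The embedder's own check, as the essay describes it: syntactic only.

    This model reads 'accepts 2 digits' as exactly two digits. Any value that
    fits the ranges passes, so the check can never tell a registered creator
    from an invented number; that is why an ID produced this way has no
    standing, whether the branch is patched or simply satisfied."""
    if not (prefix.isdigit() and len(prefix) == 2):
        return False
    if not (body.isdigit() and 1 <= len(body) <= 8):
        return False
    n = int(body)
    return n == 10101 or n >= 100000


class Registrar:
    """Assumed model of the registry of registered users (the 'database
    maintained by Digimarc' the essay mentions).

    Registration issues a credential bound to the creator ID. A verifier that
    only accepts IDs the registrar vouches for cannot be satisfied by editing
    an INI file or altering a branch in the embedder, because the decision is
    not made in the embedder at all."""

    def __init__(self) -> None:
        # Registrar-side secret; in a real deployment it never leaves the server.
        self._key = secrets.token_bytes(32)
        self._registered: Dict[str, str] = {}

    def register(self, creator_id: str, owner: str) -> bytes:
        """Record an owner for an ID and hand back the credential for it."""
        self._registered[creator_id] = owner
        return self._tag(creator_id)

    def _tag(self, creator_id: str) -> bytes:
        return hmac.new(self._key, creator_id.encode("ascii"), hashlib.sha256).digest()

    def verify(self, creator_id: str, credential: bytes) -> bool:
        """Registry-side check: the ID must be on file and the credential must
        match. Constant-time comparison avoids leaking the tag byte by byte."""
        if creator_id not in self._registered:
            return False
        return hmac.compare_digest(self._tag(creator_id), credential)

    def owner_of(self, creator_id: str) -> Optional[str]:
        return self._registered.get(creator_id)


def demo() -> Dict[str, bool]:
    """Run the essay's sample entry (11-111111) and a constructed registered ID
    through both checks and report the outcomes."""
    reg = Registrar()
    cred = reg.register("42-123456", "constructed registered owner")
    return {
        # Passes the syntactic check: 111111 >= 100000.
        "essay_sample_passes_local_check": local_id_check("11", "111111"),
        # Has no registry entry, so no credential can make it verify.
        "essay_sample_known_to_registrar": reg.verify("11-111111", bytes(32)),
        # A registered ID with its issued credential verifies.
        "registered_id_verifies": reg.verify("42-123456", cred),
        # A registered ID with a forged credential does not.
        "tampered_credential_rejected": reg.verify("42-123456", bytes(32)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the contrast is where the trust boundary sits: `local_id_check` lives on the user's machine and is only ever advisory, while `Registrar.verify` is the control a watermark reader (or a rights holder tracing an image) can actually rely on, since an unregistered ID fails there regardless of what the embedder accepted.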

<br><br>



<!-- FINAL NOTES STARTS HERE -->

<TABLE CELLPADDING="1" CELLSPACING="2" BORDER="1" HEIGHT="45"  WIDTH= "100%">

<tr><td bgcolor="#C6E7C6"><center><font size=+2><font color=blue>Final Notes</fonT>

</fonT></center></td></tr></table>

<pre>
<!-- PASTE HERE YOUR FINAL NOTES (if any) -->
In defense of Digimarc, private individuals can obtain for free a valid ID number
for their own use in watermarking their own creations.
Corporate users pay an annual fee of $99 US and receive support in tracking their
art on the net as well as other services.
This is quite reasonable except for the fact that the miserable protection on
this clever technology makes it absolutely worthless for anyone expecting some
security for their creations.
</pre>

<br><br>



<!-- OB DUH STARTS HERE -->

<TABLE CELLPADDING="1" CELLSPACING="2" BORDER="1" HEIGHT="45"  WIDTH= "100%">

<tr><td bgcolor="#C6E7C6"><center><font size=+2><font color=blue>Ob Duh</fonT></fonT>

</center></td></tr></table>

 <center>

   <i>I won't even bother explaining to you 
   that you should BUY this target program if you intend to use it for a longer 
   period than the allowed one. Should you want 
   to STEAL this software instead, you don't need to crack its protection 
   scheme at all: you'll 
   find it on most Warez sites, complete and already regged, farewell.</i>

</center>



<!-- WAY OUT STARTS HERE -->

<hr>

<p align="center"><i>&quot;Borrowed from Fravia's Dome&quot;</i>

<hr>

<!-- THAT'S ALL, THANKS A LOT this will allow automated retrieval -->

</BODY>

</HTML>