Truth about HTML Guardian
A step-by-step account of how easily pages protected by HTML Guardian can be hacked.
Trust no one
The Conspiracy is Out There
Introduction
Once, while surfing the Internet, I came across an interesting page. The text could not be selected, and the browser did not react to clicks of the right mouse button either. Nothing happened at all. At the top of the text, on a green background, stood the proud words "The source code of this page is protected by HTML Guardian".
I did not understand what was going on and tried to view the page source. Oops! The file was empty. But it was only empty at first sight: the text had been pushed several screens downward. A trick for beginners. I pressed the DEL key, and in a few seconds the situation was clear. I saw the following:
"The source code of this page is encrypted with HTML Guardian, the world's standart for website protection. Visit http://www.protware.com for details." Yes, STANDART :)
Well, well, I think, and follow the link.
www.protware.com
On www.protware.com I discovered this:
"HTML Guardian sets the standard for intellectual property protection on the Web."
Very funny. On the encrypted page they wrote "standart", but on the site they wrote "standard".
Hee-hee, I think. Very interesting.
I looked around the site and found the following:
Creating a professional-looking website requires a huge amount of time,
effort, and knowledge and experience in many areas of expertise - from image
editing to programming. But the result of all this effort can be simply
taken and reused by anyone. In today's highly competitive environment, this
is something serious web developers would like to prevent.
As a solution for this situation, in June 1997 ProtWare released Web-Cipher!, the HTML Guardian predecessor, which quickly became extremely popular.
Today, HTML Guardian is the de facto world standard for protection of intellectual property on the Web.
It is being used by thousands of corporations, organizations, web design
companies, software developers, web hosting providers, universities,
colleges, agencies, foundations, small- and medium-size businesses,
non-profit organizations and individuals in more than 100 countries all over
the globe.
Sounds good, really? In the BUY section I saw:
A one computer license for HTML Guardian Professional costs $39.95.
A one computer license for HTML Guardian Enterprise costs $69.95.
Not so much, is it? But they lie, and it is money thrown away. Below I will try to show you why.
THEY LIE TO US
To hack this de facto world standard of protection I need 5-7 minutes. Very strong cipher :) I must tell you how you can do it. Maybe I will save some money for people who want to buy this do-nothing software. So, I start.
1. Analyzing the document.
Look at the HTML code below the inscription "The source code of this page is encrypted with...". The content of the document gives the impression of complete abracadabra: the text is not really readable, it is not divided into lines and paragraphs, and the width of the text considerably exceeds the width of the screen.
But we make sure that this is HTML and not something else by finding the standard tags at the beginning and at the end of the document: <html>, <head> and others.
A little formatting clears up the situation: all the content of the page is placed in a script that sits in the logical heading between the <script> and </script> descriptors.
... ... ...

The language of the script is not indicated, but I know that it defaults to JavaScript.
I have to say that I hardly know JavaScript. I remember only some general information about the syntax, for example that statements are terminated with a semicolon and string values are placed between single quotes. Great! A few minutes later I am diligently pressing Enter after every occurrence of the combination "';" (don't forget to use search). Now the code is clearly visible, and the result still renders in the browser without changes. I make a backup copy. Let's study the structure of the protection script. At the beginning we see some code; as far as I understand, these are the initial settings and checks. Next we see:
l1l=document.all;                  // exists in Internet Explorer
var naa=true;
ll1=document.layers;               // exists in Netscape 4
lll=window.sidebar;                // exists in Mozilla
naa=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));   // browser check: false if none of the three objects exists, or if both document.all and document.layers do
l11=navigator.userAgent.toLowerCase();
function lI1(l1I){return l11.indexOf(l1I)>0?true:false};   // does the user agent string contain l1I?
lII=lI1('kht')|lI1('per');         // KHTML-based browsers or Opera
naa|=lII;                          // they pass the check regardless; naa later gates document.write()
I don't understand anything :(
Continuing the investigation.
OOO0=new Array();
OOO0[0]='<html>\r\n~zcead><script>eval … ';
A few kilobytes of abracadabra are assigned to a variable. It looks like this variable contains the encoded text. Continuing the investigation...
Next I see:
OO00='fu';
OO0O='uxoRqZXEpNDrITBy';
OO00+='nction __'+'__(_'+'O0){';
Interesting. Look here: OO00='fu'; OO00+='nction __'+'__(_'+'O0){'; Do you see the word "function"?
The variable OO00 will contain function ____(_O0){.
That is already something clever. Obviously the decoding function is being assembled piece by piece. Pay attention to this line: OO0O='uxoRqZXEpNDrITBy'; Probably it is the key used for the encryption. Let's continue the research in the hope of understanding something, because this key is of no interest to us. Another area of the code makes me think:
OOOO='v%61r%20l%32%3D%77i\156%64ow%2E%6F%70er\ …';
We have already seen this :) It looks like a piece of sly shellcode. But at the same time it is clear that it is not binary data. Probably it is text encoded with standard JavaScript facilities. All right, I hope it will soon become clear. Turn the scroll wheel of the mouse. Aha!
There is an append to the variable OOO0[0]:
OOO0[0]+='x[jzv:k`yGkbykd lkk{wzck… '; (many kilobytes of abracadabra)
Looks like some binary encrypted data.
Scroll further...
Again the familiar combination:
OO00+='eva';
O000='lQZhNcMgBOBwqMIbPObOkEFOOiJnVfQX';
OO00+='l(unes'+'cape(_O0))}';
eval(OO00);
O0O0='sEOYyCfDJRGissrwXOgPOOnrulOOWFkmKjoFBhvZ';
OO00='';
And below: OOOO+='%20Ar%72a\171%28%29%2C%6C%30%3Dnew%20…';
What can I say, everything falls into place. Judge for yourself: again the variables OOO0[0] and OOOO are appended to, a few service variables are introduced, and a function is constructed. By the way, it is quite clear which function:
eval(unescape(_O0))
So finally OO00 =
function ____(_O0){eval(unescape(_O0))}
The eval() function executes the program code passed to it, a compiler inside the compiler, so to speak. But what does unescape() do? It converts %XX (and %uXXXX) hexadecimal escapes back into characters: unescape() decodes a string.
Everything is absolutely clear: unescape brings the content of the variable OOOO back to its normal form, executable JS code. Thus it appears that the encoded program which decrypts OOO0[0], the text of the document, is kept in this variable.
Reading the documentation on this function, I understood that the code of the decipher program had initially been encoded by the built-in escape() function in order to scare off inexperienced hackers: indeed, in such a document there is hardly a single intelligible statement.
Great, all is clear now. It is time to get the code that decrypts the content of the document.
2. Decrypting the content of the document.
We must find ALL parts of the OOOO variable (or whichever variable contains the non-binary code that looks like %20A\162ra%79%28%29%2C\154%30%3D). In my case I have 3 parts of the OOOO variable. After that we apply the unescape function to this variable to decode it, and finally we have the decoded text. We put it into the text field TT. Here is 100% working code:
<body>
<input id="TT" type="text" style="width: 800px; height: 100px">
<script>
// the three OOOO fragments copied from the protected page (shortened here with ...)
OOOO='\166ar%20\154%32%3D\167i%6E\144\...';
OOOO+='%20A\162ra%79%28%29%2C\154%30%...';
OOOO+='k%3Bde%66\141u\154\164%3A%6C%31...';
// unescape() undoes the %XX encoding; the \NNN octal escapes are resolved by the JS parser itself
document.getElementById('TT').value=unescape(OOOO);
</script>
After loading this page in the browser we can copy the following decrypting program out of the text field:
var l2=window.opera?1:0;            // on Opera the result is built incrementally in li instead of via join()
function l3(l4){
    l5=/zc/g;
    l6=String.fromCharCode(0);
    l4=l4.replace(l5,l6);           // the marker 'zc' stands for a NUL character
    var l7=new Array(),l8=_1=l4.length,l9,lI,il=16256,_1=0,I=0,li='';   // note: _1 is reset to 0 at the end
    do{                             // each pair of characters gives one code: second + 16256 - (first << 7)
        l9=l4.charCodeAt(_1);
        lI=l4.charCodeAt(++_1);
        l7[I++]=lI+il-(l9<<7)
    }while(_1++<l8);
    var l1=new Array(),l0=new Array(),Il=128;
    do{                             // dictionary l0 starts with the single characters 1..128
        l0[Il]=String.fromCharCode(Il)
    }while(--Il);
    Il=128;                         // next free dictionary index
    l1[0]=li=l0[l7[0]];
    ll=l7[0];                       // previous code
    _l=1;
    var l_=l7.length-1;
    while(_l<l_){                   // LZW-style expansion: each code is either a known entry or the one being built
        switch(l7[_l]<Il?1:0){
            case 0 :                // code not yet in dictionary: previous entry plus its own first character
                l0[Il]=l0[ll]+String(l0[ll]).substr(0,1);
                l1[_l]=l0[Il];
                if(l2){li+=l0[Il]};
                break;
            default:                // code already in dictionary
                l1[_l]=l0[l7[_l]];
                if(l2){li+=l0[l7[_l]]};
                l0[Il]=l0[ll]+String(l0[l7[_l]]).substr(0,1);
                break
        };
        Il++;
        ll=l7[_l];
        _l++
    };
    if(!l2){return(l1.join(''))}
    else{return li}
};
var lO='';
for(ii=0;ii<OOO0.length;ii++){
    lO+=l3(OOO0[ii])
};
if(naa) {document.write(lO)};       // naa comes from the browser check at the top of the script
This is the code that decodes the text kept in the variable OOO0[0]. A bit confusing. But fortunately we do not need to understand what exactly this program does. We are interested in the last line, and specifically in document.write(lO). Obviously it is this variable lO that will contain the final (deciphered) code of the page.
So, the last push towards success. Remove OOOO and the eval() and unescape() calls (don't forget to make backup copies, just in case). Then repeat what we have just done, but for reliability, instead of outputting the deciphered code into the text field, we put it into a text file. For this purpose we replace the line
if(naa){document.write(lO)};
with the following sequence of commands (or comment out this line and add the commands below it):
var fs = new ActiveXObject("Scripting.FileSystemObject");     // Windows Script Host object, Internet Explorer only
var decfile = fs.OpenTextFile("finaldecoded.html", 2, true);  // 2 = ForWriting, create the file if missing
decfile.WriteLine(lO);
decfile.Close();
Voila. We got the deciphered file :)
To decode files treated by this program, neither a thorough knowledge of the scripting language nor of the encoding algorithms was required. Just a little attention and a non-standard approach was enough. A few minutes, and I have a script that decodes any file treated by this program. But in fact I do not write harmful software and do not infringe upon anyone's copyrights.
Alternative way
I found it here. It's a very simple way, but it does not work on encrypted javascript.js files. To decrypt such files, use my way described above.
Web page source cannot be protected by any means, because Internet browsers understand only HTML and other markup languages.
Most websites and software use JavaScript to encode the content, and the same JavaScript is used to decrypt the content at the client.
If, while trying to view the source, you find the content encrypted by JavaScript, here is one way to reveal the source content of web pages. Just copy and paste the line below into the address bar of the encrypted website; now you can view the JavaScript-generated original HTML source:
javascript:var sorc=document.documentElement.outerHTML;document.open("text/plain");document.write(sorc);
This can break all the encrypted code generated by software such as HTML Protector, HTML Guardian and others.
This can decrypt the code generated by the escape and unescape functions of JavaScript.
Resume
I am badly impressed by programmers taking money for "defense" which even a dilettante can crack. It is high time to understand: however tangled the JavaScript (or VBScript), whatever ingenious algorithms are used, there will always be someone with enough patience to decipher it. You can disable the browser menu, you can build sites wholly in Flash, you can place text as graphics, you can try all sorts of things. But friend, nothing will help :)
Trust no one. The Conspiracy is Out There.
And finally automatic encoding gadget :)
Copyright © 2010-2012 Igor "Igogo" Bushin. All rights reserved worldwide.