In this post I’ll show you how to do basic ‘cracking’ of a piece of software and make WebDAV work in Windows Vista. Yes, I’m excited too! I’ll be making snarky remarks about ‘Windows’ in the process, though. If you can’t handle that kind of humour, stop reading now.
WebDAV. Filesystems over HTTP. What a fantastic invention. Sadly, every Windows version in the past decade has contained a botched implementation of this protocol.
Fact #1. I run WebDAV servers.
Fact #2. Some people still use ‘Windows’.
Herein, as with any collection of facts containing #2, lies a problem.
So I have been on the hunt for a sane third-party implementation for Vista. And it just so happens that a certain ISP (XS4ALL) offers WebDAV access. They must have run into trouble with Vista’s anti-implementation of WebDAV too as they’re offering a third-party WebDAV client to the Windows hoi polloi.
And it happens to work rather well. You get an extra ‘drive’ so to any userspace program it’s just as if it’s interfacing a regular filesystem. One problem, though:

It seems to be ‘configured’ to disallow access to other servers than XS4ALL’s.
Some explanation for fellow GNU/Linux users: To you, this most probably is a foreign concept. Why anyone wishes to artificially limit the usefulness of their code is difficult to grasp. FLOSS users work together to improve each other’s code. Well, on proprietary systems such as Windows it’s common to have intentionally limited utility and the users are used to it – remember, they are already artificially limiting themselves by not using FLOSS.
We FLOSS users don’t have artificially limited software on our systems. What we do have, however, is nearly endless configurability. So let’s do it our way. Let’s make this thing do what we want it to do. But how? Tell a clueless end-user to reroute their DNS so we can spoof webdisk.xs4all.nl serverside and pray the software will accept our dodgy SSL certificate? Blank stares all around. No, we have to come up with something better – we have to give them an ‘updated’ version of the .exe !
Start by downloading XS4ALL-webdisk.exe from this page. It says its version number is 5.00.06 and its MD5sum should be 9d008d79099cd1c74abe6e0f1397b0a1. If you get a different checksum don’t worry – you may still be able to crack it, because at the very least you know what to look for when you’re done reading this. I can’t provide you with the version I downloaded because I don’t own the copyright and I haven’t received a license to redistribute.
Go ahead and run the installer. Then, try connecting to a WebDAV server of choice and observe that any attempts will be defeated.
Next, get a hex editor. Here’s the freeware one that I picked. With your editor, open wdfsctl.exe from wherever it is you installed the Webdisk. You should see something resembling this:

To the left, in blue, is the offset. It’s the position in the file. To the right of the offset are bytes in hexadecimal representation. To the far right is the text representation of those bytes.
Now, an .exe can have text mixed in with executable code. A text representation of executable instructions does not make sense, which is why you encounter copious amounts of gibberish in the right column. But, as you scroll up and down in the file, you’ll discover lots of proper English sentences in the right column. Select the text and the corresponding bytes will be highlighted. Move over to those bytes in the middle column, change them, and observe that the corresponding text representation also changes. It works the other way around, too. Fun as that may seem, we can’t go around changing strings (bits of text are called strings) willy-nilly. Specifically, we cannot change their length or position. Why not? Well, bits and pieces of the program are referenced from other bits and pieces of the program by their offset. Change the offset (position) of some program instruction in the binary (by adding text in front of it or something) and you’ll have to update any and all references to this position. It can be done, but we aren’t going to do it. HxD helpfully warns you if you’re trying to do it.
OK, let’s go string hunting. We’re looking for something matching xs4all.nl since the restriction most probably works by whitelisting. It took me quite a while to find it, but it’s at offset 6DAB2. You’ll find the string x.s.4.a.l.l...n.l there. Look over to the hex representation and you’ll find it’s a pattern of characters separated by 00. That’s called null-delimited. Mind you, the 00 you see in the hex representation is not the same as ‘00’ in the text representation:
- Enter a ‘.’ in the text representation and you get 2E in the hex representation.
- Enter a ‘0’ in the text representation and you get 30 in the hex representation.
- Enter a 00 in the hex representation and you get a ‘.’ in the text representation.
It’s the hex representation that counts. Now, after some poking around I established that this string itself is null-terminated, too. So, to end the string, the hex representation has to read 00 00 00 because the characters inside the string are null-terminated as well. That’s two levels of null-termination.
After discovering this, it’s time to dick around with patterns. Change the ‘4’ in x.s.4.a.l.l...n.l to a null by typing ‘00’ in the hex representation at byte 06, offset 0006DAB0. Run the program. Try to connect to https://ha.xs/quux . Chances of success are very slim, but the program doesn’t stop you from trying! You can put anything in front of ‘.xs’ and it will try to connect. Change byte 00 to ‘a’ (in the text representation) and convince yourself that the program will now get out of your way should you attempt to connect to https://fabuloushaxs/quux, but it still stops you from connecting to https://fabuloushaxz/quux.
It appears that the string we’ve just changed has to match the end of the host we’re trying to connect to. So, originally, for https://justconnectmetomyserveralready.net/mydir it would check whether it ends with xs4all.nl which, of course, it doesn’t. However, we can make the string very, very short. In fact, we can make it empty, causing it to always match the end of any host we enter. To do that, just enter 00 in the hex representation at byte 00 at offset 0006DAB0. Connect to your favourite WebDAV server. It works, doesn’t it?
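The matching behaviour described above, as an added example that is not from the original post or the Webdisk program: the 00-separated bytes are UTF-16LE text ending in 00 00, and a plain ends-with test against an empty string accepts every host. The entry .xs4all.nl, the buffer contents and all function names are assumptions; strict_allowed shows a check that fails closed instead.

```python
# Added illustration; the buffer below is constructed, not copied from wdfsctl.exe.

def read_wide_cstring(buf: bytes, offset: int = 0) -> str:
    """Read a UTF-16LE string up to its 00 00 terminator."""
    end = offset
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[offset:end].decode("utf-16-le")


def with_byte(buf: bytes, index: int, value: int) -> bytes:
    """Return a copy of buf with one byte replaced (models a single hex edit)."""
    out = bytearray(buf)
    out[index] = value
    return bytes(out)


def naive_allowed(host: str, suffix: str) -> bool:
    """Behaviour the post observes: plain 'host ends with suffix'."""
    return host.lower().endswith(suffix.lower())


def strict_allowed(host: str, entry: str) -> bool:
    """Hardened variant: fail closed, and match only on DNS label boundaries."""
    domain = entry.strip(".").lower()
    host = host.rstrip(".").lower()
    if "." not in domain:          # empty or single-label entry: reject
        return False
    return host == domain or host.endswith("." + domain)


# Assumed allowlist entry, stored as a wide string: 2E 00 78 00 73 00 34 00 ...
ORIGINAL = ".xs4all.nl".encode("utf-16-le") + b"\x00\x00"
SHORTENED = with_byte(ORIGINAL, 6, 0x00)   # the '4' becomes 00 -> ".xs"
EMPTIED = with_byte(ORIGINAL, 0, 0x00)     # first byte becomes 00 -> ""

if __name__ == "__main__":
    for label, buf in (("original", ORIGINAL), ("shortened", SHORTENED), ("emptied", EMPTIED)):
        entry = read_wide_cstring(buf)
        for host in ("webdisk.xs4all.nl", "ha.xs", "example.org"):
            print(f"{label:9} entry={entry!r:13} host={host:18} "
                  f"naive={naive_allowed(host, entry)} strict={strict_allowed(host, entry)}")
```

A check compiled into a client binary can still be edited out, so the strict form only removes the fail-open on an empty or single-label entry; a restriction that matters has to be enforced by the server.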
As you can see, this approach to configuration requires levels of technical comprehension beyond those we can reasonably expect to find in the average wildtype user of this particular proprietary operating system. The WebDisk program lacks end-user configurability; there is no such thing as an easily redistributable /etc/webdisk/*conf with user overrides stored in a ~/.webdiskrc, such as we have come to expect from mature operating systems.
I found hex-editing executable files a refreshing approach to configuration management, but I can’t say it’s user friendly. That is sad, because the platform does show some potential — for instance, the file search agent in ‘Windows Explorer’ nicely compensates for any lack of reasoning ability in the users expected to buy in on this platform.
But until there is out-of-the-box support for bog-standard decade-old networking protocols and usability issues like the hex configuration interface are resolved, we’ll have to conclude that Windows is not ready for the desktop yet.
Joking aside, what we have just done is actually pretty basic. ‘Real’ crackers, the folks that let you bypass registration requirements or serial number checks, use tools to look into the memory area of a running program to see which steps make up its behaviour. They don’t just edit some strings, they add and change instructions (and offsets). That requires a much deeper understanding of what’s going on.
There’s various other stuff to be modified. You can change the window title or the help texts. I disabled the auto-update by replacing the URLs at offset 0006BA60, maybe you should do so too.
Stuck? If you want the exact same binary I’m running, binary-patch the original with this diff. You then have the XS4ALL Webdisk “XS2ALL -OH RLY? YA RLY!” edition.
Now for some legalities. For me, to publish how I edited this .exe, is perfectly legal. Redistributing the original program isn’t. Me or you distributing any modified versions isn’t either. That’s basic copyright law. With some types of binary patches it may be different. However, the particular patch posted above is tiny and contains no ‘original work’ – just pointers to which part of the original to replace with my handiwork. So there.

