010 Editor Report

The document summarizes reversing the license validation process of 010 Editor hex editor software. It describes extracting metadata from the executable, disassembling the license_validation() function, and identifying code that checks the return value. The key finding is a function that returns 0xDB on valid license check. The document patches this function to always return 0xDB, bypassing license validation and allowing the software to run indefinitely.

Uploaded by yax

010 Editor - Another day, another dollar.

by Threat Actress

1. Target

010 Editor is a commercial hex editor and text editor for
Microsoft Windows, Linux and macOS. Typically 010 Editor is
used to edit text files, binary files, hard drives, processes,
tagged data (e.g. XML, HTML), source code (e.g. C++, PHP,
JavaScript), shell scripts (e.g. Bash, batch files), log
files, etc. A large variety of binary data formats can be
edited through the use of Binary Templates.

The software uses a tabbed document interface for
displaying text and binary files. Full search and replace with
regular expressions is supported along with comparisons,
histograms, checksum/hash algorithms, and column mode editing.
Different character encodings including ASCII, Unicode, and
UTF-8 are supported including conversions between encodings.
The software is scriptable using a language similar to ANSI C.

Originally created in 2003 by Graeme Sweet, 010 Editor
was designed to fix problems in large multibeam bathymetry
datasets used in ocean visualization. The software was
designed around the idea of Binary Templates. A text editor
was added in 2008.

010 Editor is available as Trialware and can be run for
free for 30 days. After 30 days a license must be purchased to
continue using the software.

1.1. Key Feature: Binary Templates

A Binary Template is a text file containing a series of
structs similar to ANSI C. The main difference from ANSI C
is that structs in Binary Templates may contain control
statements such as if, for or while. When 010 Editor executes
a Binary Template on a binary data file, each variable defined
in the Binary Template is mapped to a set of bytes in the
binary file and added to a hierarchical tree structure. The
tree structure can then be used to view and edit data in the
binary file in an easier fashion than using the raw hex bytes.
Binary Templates typically have a '.bt' extension.

010 Editor has an online repository of Binary Templates
containing over 80 formats. When a binary file is opened in
010 Editor and a Binary Template exists for the file, the
software can automatically download and install the Template.
Templates can also be added to the repository or updated
directly from the software.

2. Objective

010 Editor is built by SweetScape, a family-owned
business, as the authors said themselves on their website. They
are Canadians and have old-fashioned values. That is so sweet
and lovable.

In that spirit, the objective will be to reverse engineer
the software to find out how it verifies the license and
finally make it last forever, just like sweetness and love are
supposed to be.

SweetScape doesn’t need money because nothing is more
valuable than old-fashioned family values and a Magnum 44.

3. Reversing

3.1. Metadata Extraction

Extracting metadata from the executable named 010Editor.exe,
installed at “C:\Program Files\010 Editor”, it is
possible to see that:

It is not packed/encrypted, and it was built using Visual
Studio 2019.

Looking at the licensing window it is possible to extract
some more information that could be helpful in the next steps:

What messages are displayed when the wrong license is
entered?

Good, some sort of MessageBoxA/W is displayed but that
will be better verified in the following steps.

3.2. Disassembling and Finding the license_validation()

Opening 010Editor.exe in IDA Free, it is possible to
search for text inside the executable.

After a full search for the “Invalid name or license”
string, the result is pretty satisfying:

Using the most powerful feature on Windows, double-click
the first item of the list and let there be some code:

F5 for decompiling…

Scroll up like there was no tomorrow!

Click the function name to select the “global item” and
hit N to rename it.

As it is possible to easily spot during the scroll up,
the code validates the license online, e.g.
“https://www.sweetscape.com/cgibin/010editor_check_license_9b.php?t=[redacted]&sum=[redacted]&id=0&chk=[redacted]&typ=0”:

Even with a correct license (code wise), the website
won’t return it as a valid license since the author has not been
paid:

Blocking access to the domain won’t work because the code
will fail the license validation if the site is unreachable.
The program won’t validate the license online every time it is
executed but it will do it from time to time, meaning that
eventually the customers might be denied service if the
website goes down or if the customer computer never gets a
connection to the internet again:

The way to go here is by patching the executable to
bypass the license_validation() once and for all, always
returning the best possible value to activate all the functions
and not annoy the end user.

After some reverse engineering, it is possible to
identify the function responsible for the license validation:

Can you see it!?

Better now…

The first function returns a value that determines whether the
online validation will be necessary or not. With the wrong
license entered, it will never return the value necessary to
validate the license online. This first function can be just
ignored and the focus will be on the second one.

Both functions receive the same parameters (global
address for the validation class in RCX, 0x0f and 0x4c71).

Right at the beginning of the second function, it is
possible to spot the golden returning value:

The golden value is 0xDB.

This function is called everywhere in the code:

And in almost all the places where this function is
called, the following verification is done:

Of course in the function we scrolled up as well:

Time to patch the code.

In x64dbg, by searching strings of all modules:

It is possible to locate the same region of code seen in
IDA in x64dbg:

The same code:

Finally, inspecting the function called before the
comparison of EDI with 0xDB:

Golden spot reached. Patch it to always return 0xDB and
the program will behave as always validated.

Just click the and press (space).
Type “mov eax, db” (enter) “ret”.

Now patch the file:

Next time when the program is opened:

The program is validated.

You can fill it with any Name/License you want and it
will work:

Now the program will run forever. Just like sweet love is
meant to be.
Rest in peace, Lowell Sweet.
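
From the vendor's or an administrator's side, an in-place patch of the kind described above shows up when the installed binary is diffed against a known-good copy. The following is an added example, not part of the original report: the function names, the merge gap and the sample bytes are constructed for illustration, and the only things taken from the text are the "mov eax, imm32; ret" shape of the patch and the constant 0xDB.

```python
"""Flag in-place 'constant return' patches by diffing against a known-good copy."""
import struct

def changed_ranges(baseline: bytes, candidate: bytes, gap: int = 8):
    """Return (offset, length) for each modified region, merging diffs <= gap apart."""
    if len(baseline) != len(candidate):
        raise ValueError("size differs: not an in-place patch, compare hashes instead")
    runs = []
    for i, (a, b) in enumerate(zip(baseline, candidate)):
        if a == b:
            continue
        if runs and i - runs[-1][1] <= gap:
            runs[-1][1] = i          # extend the current region
        else:
            runs.append([i, i])      # start a new region
    return [(start, end - start + 1) for start, end in runs]

def forced_return_value(code: bytes, offset: int):
    """If code[offset:] is `mov eax, imm32; ret` (B8 imm32 C3), return imm32."""
    stub = code[offset:offset + 6]
    if len(stub) == 6 and stub[0] == 0xB8 and stub[5] == 0xC3:
        return struct.unpack_from("<I", stub, 1)[0]
    return None

def audit(baseline: bytes, candidate: bytes):
    """List every modified region and whether it now starts with a constant-return stub."""
    return [
        {"offset": off, "length": n, "forced_return": forced_return_value(candidate, off)}
        for off, n in changed_ranges(baseline, candidate)
    ]

# Constructed sample: padding, a made-up function body, padding.
BASELINE = bytes.fromhex("CC" * 16 + "48895C2408574883EC20" + "90" * 20 + "C3" + "CC" * 8)
PATCHED = bytearray(BASELINE)
PATCHED[16:22] = bytes.fromhex("B8DB000000C3")   # mov eax, 0xDB ; ret
PATCHED = bytes(PATCHED)

if __name__ == "__main__":
    for finding in audit(BASELINE, PATCHED):
        print(finding)
    print(audit(BASELINE, BASELINE))  # unmodified copy: no findings
```

Any non-empty result means the file is no longer the build it is being compared against; the stub check only classifies what kind of change it is.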
