Pls clarify


JaneK
November 26th, 2000, 17:24
Hi Kayaker and others,

It was not too difficult to both patch the program and find the correct serial for my name. I have, however, some problems understanding how the correct serial is generated.
After the new string "FirstnameHappyIconName" is created (at 0041409D I think) various string operations are performed (moving between memory locations, scanning for blanks etc.). Then at 004140D9 I find the first character of my "Firstname" in cl and a test cl, cl is performed. In my case the result is not equal, so I do not jump here, thus entering a routine that processes one by one each character of the "FirstnameHappyIconName" string until the end of the string is found, so until at 004140FA I do not jump.
Then my serial appears in edx, the correct one is found at 00414116 in ecx (in hex) and if equal I jump to registered.
My doubts are:
1. test cl, cl at 004140D9 - what is it actually doing and when the result will be equal? (so we jump and bypass the procedure between 004140DD and 004140FA).
2. what is really happening between 004140DD and 004140FA? What is the outcome of this loop?
3. what is the call at 00414104 doing? I tried to trace it but without success - I only found some kind of check for strange characters like "-", "+" etc.

Hope someone will find time to answer
Thanks
JaneK

Clandestiny
November 26th, 2000, 22:41
Hi JaneK,

Maybe I can help :-)

My doubts are:
1. test cl, cl at 004140D9 - what is it actually doing and when the result will be equal? (so we jump and bypass the procedure between 004140DD and 004140FA).

You are right about there being many string manipulation operations prior to this instruction (stosd, movsb, scasb... etc.) and the fact that the first character of the first name is loaded in cl at the test cl,cl instruction. This test cl,cl instruction is testing for a zero value in cl and since cl holds the first letter of our name we can probably assume it is testing for the NULL (0) end of string character. Possibly it is checking if the user has entered an actual name or if they left it blank. As long as you enter a name, this value in cl will never be 0 and you will never bypass the procedure between 004140DD and 004140FA.

2. what is really happening between 004140DD and 004140FA? What is the outcome of this loop?

Well, this loop is performing an algorithm on "FirstnameHappyIconName" and it is at the *heart* of the protection scheme. Try to figure out this little snippet of code, but if you get stuck take a look at my explanation and key gen under Project #3 TASKS 3&4.

3. what is the call at 00414104 doing? I tried to trace it but without success - I only found some kind of check for strange characters like "-", "+" etc.

This call is also at the heart of the protection, only this time an algorithm is being performed on the serial you entered. Trace a little further past the "strange character" checks until you get to the code between 004163C8 and 004163F7. This is where the second part of the mystery of this key gen resides.

Hope this Helps...

Regards,
Clandestiny

mersenne
November 26th, 2000, 23:51
Hi JaneK,

The call at 414104 converts the key you entered into hex, check eax after the call. The only reason I recognised this quickly is that I've run across this sort of thing before and because I generally use the same serial value for all my reversing, I know what it is in hex!

I have just posted a detailed description in the Task1&2 section with some commented code that may help. Then you can see how Clandestiny's key gen works.

mersenne
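The two mechanics explained above (Clandestiny's reading of test cl,cl as an empty-name check, and mersenne's description of the call at 00414104 as a string-to-number conversion with leading '+'/'-' handling) written out in C. This is an added illustration, not code from the crackme or from either poster: the zero-flag model, the byte-walking loop, the atol-style parser and the sample name "JaneHappyIconName" are all assumptions made here, and the per-character arithmetic of the real loop at 004140DD..004140FA is deliberately not guessed at.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the x86 TEST instruction: it ANDs the two operands, discards the
   result and sets ZF when that result is zero. For "test cl, cl" the AND of a
   byte with itself is the byte, so ZF is set exactly when cl == 0. */
static int test_sets_zf(uint8_t a, uint8_t b)
{
    return (a & b) == 0;
}

/* C-level reading of the check at 004140D9 as described in the thread:
   cl holds the first byte of the name buffer, and the conditional jump on ZF
   skips the per-character loop. Returns 1 when that jump would be taken,
   i.e. when the name is the empty string. */
static int name_is_empty(const char *name)
{
    uint8_t cl = (uint8_t)name[0];
    return test_sets_zf(cl, cl);
}

/* Shape of the loop attributed to 004140DD..004140FA: advance one byte at a
   time until the NUL terminator. The thread does not say what is done with
   each byte, so this version only counts them; the point is the exit
   condition and the fact that an empty string never enters the loop body. */
static size_t walk_until_nul(const char *s)
{
    size_t n = 0;
    while (s[n] != '\0')   /* the "until end of string is found" test */
        n++;
    return n;
}

/* Assumed model of the call at 00414104: an atol-style decimal parser.
   mersenne says it "converts the key you entered into hex" (a binary value
   visible in eax), and JaneK saw checks for '-' and '+', which is what a
   sign-tolerant decimal parser does before the digit loop. Stops at the
   first non-digit and returns 0 for input with no digits, like atol. */
static uint32_t parse_serial(const char *s)
{
    while (isspace((unsigned char)*s))
        s++;
    int negative = 0;
    if (*s == '+' || *s == '-') {       /* the "strange character" checks */
        negative = (*s == '-');
        s++;
    }
    uint32_t value = 0;
    while (*s >= '0' && *s <= '9') {
        value = value * 10u + (uint32_t)(*s - '0');
        s++;
    }
    return negative ? (uint32_t)(0u - value) : value;
}

int main(void)
{
    /* Constructed sample inputs; "Jane" stands in for "Firstname". */
    const char *name = "JaneHappyIconName";
    const char *serial = "12345";

    printf("name empty? %d, bytes walked: %zu\n",
           name_is_empty(name), walk_until_nul(name));
    printf("name empty? %d (empty string)\n", name_is_empty(""));
    printf("serial \"%s\" in eax: 0x%08X\n", serial, parse_serial(serial));
    printf("serial \"-1\" in eax: 0x%08X\n", parse_serial("-1"));
    return 0;
}
```

Running it shows why the jump at 004140D9 is never taken for a non-empty name, and why a decimal serial typed into the dialog shows up in eax as its hex encoding (12345 becomes 0x00003039), which is the value to compare against ecx at the final check.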

JaneK
November 30th, 2000, 13:44
Many thanks to both of you.
All clear now.

Janek