TalkPCR Key File Project
Timmy
December 1st, 2000, 12:56
This project is ideal to wet newbies' heads with a program that uses an unknown binary file and not a serial number that you type in to register a program.
TalkPCR (V2.4) is a good radio scanner control program and it uses a key file for registration. Luckily (as far as I know) there are no cracks for this program on the net so it has to be tackled totally from scratch. It is a Delphi 3 program and as it requires a key file, there is no registration box. The task is to create a key file that would be placed in the program's directory and would make the program run in registered mode.
The key file is specific to the computer the program is run on (according to the author), but he has left a check for a master key file that he must have used when testing the program. The master key file (this will allow the program to run in registered mode on any computer) and the computer specific key file are almost identical, so creating a master key file is the object (slightly easier than the computer specific one, but this can be done once you fully understand what the format of the key file is and how it is manipulated within the program).
Tips to start with:
Run the program and use filemon to see what the key file name the program is looking for.
Create a file with this name and repeat the above step.
This will tell you the size the key file is supposed to be.
Modify the file you have created so that it is the correct size.
IDA is the best disassembler to use for this program (but is not absolutely necessary), disassemble the program and use the signatures B3VCL and B32VCL. This will make the task in hand a lot clearer. Once disassembled, you will be able to search for where the key file is loaded into memory and what happens next.
You need to set breakpoints in Softice where the key file is loaded and also where the manipulation routines do their work. Do not rush, take it one step at a time - one part leads nicely on to the next. The first manipulation routine is easy and the second is straightforward once the penny drops.
The easiest way to create the key file is to write a small program to do it for you. Once you know what is going on in the second manipulation routine this is fairly easy.
The key file should contain a user name (not necessarily the computer's registered owner name for the master key file), a serial number (actually any text will do) and whatever other information the program requires - you will see what this is as you reverse the program. Also the key file should contain data that will tell the program that the registration date is the day on which you finally cracked the program (and not the default of 30/12/99).
Have fun, this is an interesting project and will teach you how to create, from scratch, an unseen binary registration file. The download URL is:
ht*p://www.mahy.demon.co.uk/TalkPCR/TalkPCR.htm
hz
December 1st, 2000, 13:57
hi timmy,
Now this is getting interesting. I have only managed two or three keyfiles and one of those I had to patch. Btw, you have succeeded in creating the keyfile yourself, haven't you?
regards
hz
hz
December 1st, 2000, 16:36
hi,
filemon or apispy show no sign of it trying to open a keyfile. I disassembled it with WDasm and saw a reference to a key, so I tried with talkprc.key and talkpcr.reg but still nothing. ?
regards
hz
Kayaker
December 1st, 2000, 21:16
Hi Guys,
Dumb question for you Timmy. This program is supposed to do what? You plug a radio scanner into your COM port? The docs are kind of sketchy... I wanted to test out the EEPROM demo disabled function but it seems without a scanner that part is always in demo mode. Are there any other demo restrictions?
Hi hz, you've got the correct filename Talkpcr.key and it should show up in both Filemon and APISpy. APISpy will tell you the size it will be looking for. The way it checks in the program that the required file size is correct is using the difference in the value of the stack pointer ESP before and after the ReadFile. Kind of a neat trick actually. I thought GetFileSize would be used, especially since there's 4 refs to it in the disassembled code, but it's not.
I haven't generated a keyfile, but with the correct size of a fake one and a single jump patch, the program thinks it's registered (gives Pre-registered status in the About box, so this may not act as a Master key). That's why I wanted to test if it's truly out of demo mode.
Kayaker
hz
December 1st, 2000, 22:28
hi Kayaker.
thanks for the reply, yeah I got a patch too, there's a place you can patch that appears to be full regged. Still no luck with apispy. I only installed apispy yesterday so maybe I need something in one of the lib files, then again it shows all the other files.
Getfilesize would show up wouldn't it? I mean if the prog checked the size and it wasn't right then don't even bother to read it. As for what it's for, I was under the impression it worked thru your modem.
I never even looked at the docs though.
regards
hz
Timmy
December 1st, 2000, 23:38
I'm on windows 98 BTW. Using filemon, the program looks for TalkPCR.key, if it finds it, it tries to read 768 (300h) bytes and then starts playing with what it loads. I have gone a long way with this app so any questions with references to specific bpx's and/or memory locations, I hopefully should be able to help.
If you haven't got a scanner connected it will still come up with the box asking you if you want to run in "Demo" mode (or whatever) - but this is not the point. The object of the exercise is to create a key file so the program misses out the first nag screen (NOT WITH PATCHING) and when you click on help/about you see "Pre-registered to" - any name, "Serial No", whatever, and "Date Registered" (the date you cracked it) with the fields that you have entered in the key file.
hz ... Filemon on the first pass looks for TalkPCR.key, then (when you have made a file with this name) it then shows that the program reads 768 bytes from this file (this IS actually the total length of the file).
Kayaker ... As far as I know the only demo restrictions are the initial nag screen and then periodically a reminder pops up telling you that the prog is unregistered (I could be wrong here).
Once you know where the key file is loaded it is then decrypted (or should I say - rearranged) to another memory location (look slightly above in the softice data window - {edx and eax are marvellous pointers} ). The key file is then really decrypted (the interesting part - starts at CS:004ca611), and copied to yet another memory location. Later there are calls to a function (xx4xxc7c) - very interesting. A basic explanation of this function to follow if required.
REMEMBER - It is NOT a program patch that is required, only a valid key file that will allow the program to run in non demo mode (the help/about window will verify this).
hz ... I have a valid master key file and the source to create it (to be posted as and when), the next step after figuring out what is going on in the "second" decryption routine is to post a message explaining what is happening in this routine. I will then (hopefully) help with the next step.
If a key file specific to the computer that the program is running on is used instead of a master then the "Pre-registered" bit changes to just "Registered".
It might just be me but when you get deep into this one, the process of generating a key file becomes obsessive.
It's just my opinion, but the newer you are to reversing, the deeper you go for solutions. I have found that stepping into most calls is mostly a waste of time, that is why I suggested IDA for the disassembler and to use the two signatures - I know IDA is very difficult for newbies and experienced alike but if you are used to WDASM try to use IDA once you have cracked a target and eventually you will see IDA does an outstanding job.
Feedback ?
hz
December 2nd, 2000, 00:29
hi,
got it sorted now, probably shouldn't say this but I left the 'r' off the end of the keyfile name (embarrassed). Think I'm doing too much at once, bouncing between this and two others. Btw Kayaker if you fancy a challenge when you're not busy, try advanced cataloguer h*ttp://acat.hypermart.net. It's packed with upx, easily unpacked with procdump, I've been banging my head with this all night.
regards
hz
Timmy
December 4th, 2000, 21:09
Since it's become quiet I guess I'll post my source for the TalkPCR.key generation in pascal. (I use pascal and/or Delphi as, for me anyway, it is very easy to read and understand when I come back to it later).
program MakeTalkPCRKey; { writes TalkPCR.key, 768 ($300) bytes }
var
  OutFile : file;
  FileBuffer,
  Buffer : array [$01..$300] of byte;
  X,
  Y : integer;
  RegisteredOwner,
  SerialNumber,
  RegType,
  KeyType,
  RegDate : String;
begin
  for X := $01 to $300 do
    Buffer[X] := $00; { just a filler byte }
  RegisteredOwner := 'Timmy';
  SerialNumber := ' Don''t need one';
  RegType := 'TalkPCR registration key';
  KeyType := '_Master___';
  RegDate := '336';
  { each field is plain text followed by a zero byte; the terminator index
    is taken from the string length because a Delphi for-loop variable is
    undefined once the loop has finished }
  for X := $01 to length(RegisteredOwner) do
    Buffer[X + $294] := ord(RegisteredOwner[X]);
  Buffer[length(RegisteredOwner) + $294 + 1] := $00;
  for X := $01 to length(SerialNumber) do
    Buffer[X + $83] := ord(SerialNumber[X]);
  Buffer[length(SerialNumber) + $83 + 1] := $00;
  for X := $01 to length(RegType) do
    Buffer[X + $03] := ord(RegType[X]);
  Buffer[length(RegType) + $03 + 1] := $00;
  for X := $01 to length(KeyType) do
    Buffer[X + $1BB] := ord(KeyType[X]);
  Buffer[length(KeyType) + $1BB + 1] := $00;
  for X := $01 to length(RegDate) do
    Buffer[X + $13B] := ord(RegDate[X]);
  Buffer[length(RegDate) + $13B + 1] := $00;
  { Twin bit rotation routine: FileBuffer is a snapshot of the plain buffer;
    bits 1 and 6 of block 1 ($001..$100) move to bits 3 and 7 of block 2,
    those move to bits 0 and 5 of block 3, and those move back to block 1 }
  FileBuffer := Buffer;
  for X := $01 to $100 do
  begin
    if FileBuffer[X] and $02 = $00 then Buffer[X + $100] := Buffer[X + $100] and $F7
    else Buffer[X + $100] := Buffer[X + $100] or $08;
    if FileBuffer[X] and $40 = $00 then Buffer[X + $100] := Buffer[X + $100] and $7F
    else Buffer[X + $100] := Buffer[X + $100] or $80;
    if FileBuffer[X + $100] and $08 = $00 then Buffer[X + $200] := Buffer[X + $200] and $FE
    else Buffer[X + $200] := Buffer[X + $200] or $01;
    if FileBuffer[X + $100] and $80 = $00 then Buffer[X + $200] := Buffer[X + $200] and $DF
    else Buffer[X + $200] := Buffer[X + $200] or $20;
    if FileBuffer[X + $200] and $01 = $00 then Buffer[X] := Buffer[X] and $FD
    else Buffer[X] := Buffer[X] or $02;
    if FileBuffer[X + $200] and $20 = $00 then Buffer[X] := Buffer[X] and $BF
    else Buffer[X] := Buffer[X] or $40;
  end;
  { interleave the three blocks: byte X of each block becomes three
    consecutive bytes of the output file }
  X := $01;
  Y := $01;
  while X <= $100 do
  begin
    FileBuffer[Y] := Buffer[X];
    FileBuffer[Y + $01] := Buffer[X + $100];
    FileBuffer[Y + $02] := Buffer[X + $200];
    X := X + $01;
    Y := Y + $03;
  end;
  AssignFile(OutFile, 'TalkPCR.key');
  ReWrite(OutFile, 1);
  BlockWrite(OutFile, FileBuffer, $300);
  CloseFile(OutFile);
end.
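To make the 768-byte layout checkable without a Delphi compiler, here is a Python model of the same three-block bit rotation and byte interleave, written as an added example for this thread (it is not Timmy's code and nothing from TalkPCR itself). It builds the zero-filled buffer with the field offsets the generator uses, applies the transform, and also applies the inverse, so a file built this way can be decoded back and the fields confirmed to sit where the generator put them. The decoder is the mathematical inverse of the generator's transform, not a transcription of the program's own load routine, and the names `make_key`, `parse_key` and `FIELDS` are my own.

```python
# Added example: a model of the TalkPCR.key layout as the Pascal generator
# in this thread builds it. Not code from the thread or from TalkPCR; the
# decoder is assumed to be the inverse of the generator's transform.

KEY_SIZE = 0x300   # 768 bytes, the size the program reads
BLOCK = 0x100      # the plaintext buffer is three 256-byte blocks

# 0-based offsets of the NUL-terminated text fields in the plaintext
# buffer (the Pascal code writes 1-based Buffer[X + base] with X from 1).
FIELDS = {
    "reg_type": 0x03,
    "serial":   0x83,
    "reg_date": 0x13B,
    "key_type": 0x1BB,
    "owner":    0x294,
}

# The "twin bit rotation" as (src block, src mask, dst block, dst mask):
# bits 1 and 6 of block 0 go to bits 3 and 7 of block 1, those go to
# bits 0 and 5 of block 2, and those come back to bits 1 and 6 of block 0.
MOVES = [
    (0, 0x02, 1, 0x08), (0, 0x40, 1, 0x80),
    (1, 0x08, 2, 0x01), (1, 0x80, 2, 0x20),
    (2, 0x01, 0, 0x02), (2, 0x20, 0, 0x40),
]
# Every move is a pure bit permutation, so swapping src and dst undoes it.
INVERSE_MOVES = [(db, dm, sb, sm) for sb, sm, db, dm in MOVES]


def _apply_moves(data, moves):
    """Copy each selected source bit into its destination bit, reading all
    source bits from a snapshot (the Pascal 'FileBuffer := Buffer')."""
    src = bytes(data)
    out = bytearray(src)
    for i in range(BLOCK):
        for sb, sm, db, dm in moves:
            d = i + db * BLOCK
            if src[i + sb * BLOCK] & sm:
                out[d] |= dm
            else:
                out[d] &= 0xFF ^ dm
    return bytes(out)


def interleave(plain):
    """Byte i of blocks 0, 1 and 2 become three consecutive file bytes."""
    out = bytearray(KEY_SIZE)
    for i in range(BLOCK):
        out[3 * i:3 * i + 3] = bytes((plain[i], plain[i + BLOCK], plain[i + 2 * BLOCK]))
    return bytes(out)


def deinterleave(key):
    """Inverse of interleave: gather the file bytes back into three blocks."""
    out = bytearray(KEY_SIZE)
    for i in range(BLOCK):
        out[i], out[i + BLOCK], out[i + 2 * BLOCK] = key[3 * i:3 * i + 3]
    return bytes(out)


def build_plain(owner, serial, reg_date,
                key_type="_Master___", reg_type="TalkPCR registration key"):
    """Zero-filled buffer with every field written as text plus a NUL byte."""
    values = {"owner": owner, "serial": serial, "reg_date": reg_date,
              "key_type": key_type, "reg_type": reg_type}
    buf = bytearray(KEY_SIZE)
    for name, off in FIELDS.items():
        data = values[name].encode("latin-1") + b"\x00"
        # refuse a value that would run into the next field or off the end
        limit = min([o for o in FIELDS.values() if o > off] + [KEY_SIZE])
        if off + len(data) > limit:
            raise ValueError(f"{name} does not fit at offset {off:#x}")
        buf[off:off + len(data)] = data
    return bytes(buf)


def make_key(owner, serial, reg_date, **kw):
    """Plain buffer -> bit rotation -> interleave, the generator's order."""
    return interleave(_apply_moves(build_plain(owner, serial, reg_date, **kw), MOVES))


def parse_key(key):
    """Undo the interleave and the rotation, then read the text fields."""
    if len(key) != KEY_SIZE:
        raise ValueError("key file must be exactly 0x300 bytes")
    plain = _apply_moves(deinterleave(key), INVERSE_MOVES)
    return {name: plain[off:plain.index(b"\x00", off)].decode("latin-1")
            for name, off in FIELDS.items()}


if __name__ == "__main__":
    k = make_key("Timmy", " Don't need one", "336")
    print(len(k), parse_key(k))
```

Running the module builds a buffer with the same values as the Pascal source and decodes it again; the round trip is the check that the rotation and interleave are both invertible and that no field overlaps the next one, which is the kind of thing to confirm before trusting a hand-written generator against the real program.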
goatass
December 6th, 2000, 13:27
Timmy, it was nice of you to post a new project but this one is way too complicated for newbies, notice only you and kayaker understand what's going on from the 3 total people that posted comments about it. There is an enc/dec involved in this keyfile and it uses Delphi so there is a lot of extra useless code that newbies have to fish through which makes learning that more difficult.
For now let's stick with simple serial protections and move on from there. We are trying to teach people not overload them with new stuff.
p.s. You should pass your project ideas by the moderator of this board first.
Don't take this the wrong way, I have nothing against your project, I just think it's way too difficult for newbies. Kayaker's project was on the borderline, it involved too many things but they were not too complicated to understand so it succeeded.
Goatass
Timmy
December 6th, 2000, 19:35
I see what you mean. It may be a good idea to delete my keyfile posting and save the project for a later date if it is required. I know not everyone agrees but I do think that writing a keygen or keyfile generation routine as part of a project is necessary though. This is because by definition a newbie is just learning the basics of reversing and I would hazard a guess that most are not experienced programmers and if they can write a keygen (in a high level language - as opposed to pinching bits of code from a target) it gives the reverser a total understanding of the protection of the target and helps them learn to program as well.
As for the part about stepping through unnecessary code, that's where IDA became very useful with TalkPCR. Maybe a project could be started that utilises a particular tool so that the project is not just about cracking a target but also teaches about using a tool as well. Like you say, it might be a bit soon for this but a consideration for the future?
If I come up with anything else how do I reach the moderator, just email the +Sandman ?
goatass
December 8th, 2000, 11:03
Hi Timmy, I agree with your point of view as well, and yes I think we could use your program in a later project for sure.
You could e-mail me your project and we could coordinate with the others about what project should be done first.
Goatass