intel floating point instruction set
OeDiFuZz
February 2nd, 2001, 13:31
Hi guys,
I need help very badly. I'm cracking PC-cillin 2000. I'm already at a point where my fake serial was manipulated to produce a seed value (I think). From this seed value it took some numbers again and placed them in a certain location. Then it went back to manipulate my fake serial. It called a function where my serial was manipulated using floating point instructions!!!!
Hell, I don't know anything about floating point instructions. Can somebody direct me to the right way, or is there anybody who has a copy of the Intel floating point instructions?
I would appreciate any help. Thanks in advance guys.
OeDiFuZz
Carpathia
February 2nd, 2001, 15:11
Check the Intel programmer's reference manuals, or see Chapter 14 (I think) of Art of Assembly.
Regards
Carpathia
Bratsch
February 2nd, 2001, 15:39
Hi:
I have worked on a couple of targets like that. They may be a REAL pain. :P
Do not get intimidated by it. First thing, set up your data window to read floats, either by clicking on the data type in the upper margin of the data window (it will cycle between byte, word, dword, short float, long float, 10 byte float) until you are able to recognize your serial. The Format command has the same effect.
Any search on +intel +float +opcode will take you to the Intel assembler manuals. Also, if you search for the opcode you are trying to understand, you are going to land on a page of an online assembler manual with the details.
As an example,
http://developer.intel.com/design/pentium/manuals/24319001.pdf
You can easily spot and keep track of where the intermediate results are stored. Usual hex and string data will show as "invalid", "denormal" or some weird 0.000001345-38 numbers in the data window set to float mode, but the results you are interested in will show as small integers (0000874523.0) or have small fractional parts. Hope this helps.
Bratsch
Bratsch
February 2nd, 2001, 17:24
I forgot to add:
The float protections I have seen rely, as their main deterrent, on the use of float arithmetic itself. The numeric manipulations are quite trivial, unless the protectionist is a master in numeric methods. Float arithmetic does not lend itself to SHR, ROR or XOR instructions, which are a privilege of bin and hex INTEGER numeric systems. The typical tests I have seen in float protections are something like: "If I divide the serial number by 1983, and then by 613, is the remainder equal to 0? If yes, jmp good guy", that sort of thing.
OeDiFuZz
February 3rd, 2001, 12:36
Carpathia-- thanks for reminding me. I had forgotten about the Art of Assembly. I already downloaded it a couple of months ago.
Bratsch-- thanks for your input.
I still have one more question, guys; any one of you can answer. This may be a pretty dumb question but I really would like to know. I was reading a tut by Wyatt wherein he was cracking a VB app which calculates the valid serial using FPU instructions. There he explained some of the commands. My question is: where can I see in SoftICE the status word register used by the coprocessor (coz he was referring to C3, C2, C1, C0 as the "condition code"; these are bits 14, 10, 9 & 8 of the status word register)?
Thanks again guys.
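A small decoder for the status-word bits asked about above, added here as an example (it is not code from any poster in this thread). The bit positions are the ones quoted in the question; the C3/C2/C0 encoding of an FCOM result and the FSTSW AX / SAHF idiom come from the Intel manual; the inline-assembly helper assumes GCC on an x86 machine and is compiled out elsewhere.

```c
#include <stdint.h>

/* Decoded x87 status word, bit numbers as quoted in the thread:
   C0 = bit 8, C1 = bit 9, C2 = bit 10, C3 = bit 14, TOP = bits 11-13. */
typedef struct {
    unsigned c0, c1, c2, c3; /* condition code bits */
    unsigned top;            /* physical register that is currently ST(0) */
    unsigned exceptions;     /* bits 0-5: IE DE ZE OE UE PE sticky flags */
} x87_status;

x87_status x87_decode(uint16_t sw) {
    x87_status s;
    s.c0 = (sw >> 8) & 1;   s.c1 = (sw >> 9) & 1;
    s.c2 = (sw >> 10) & 1;  s.c3 = (sw >> 14) & 1;
    s.top = (sw >> 11) & 7; s.exceptions = sw & 0x3F;
    return s;
}

/* After FCOM/FCOMP/FCOMPP, C3 C2 C0 encode ST(0) versus the operand:
   000 greater, 001 less, 100 equal, 111 unordered (a NaN took part). */
const char *x87_compare_result(uint16_t sw) {
    x87_status s = x87_decode(sw);
    switch ((s.c3 << 2) | (s.c2 << 1) | s.c0) {
        case 0: return "greater";
        case 1: return "less";
        case 4: return "equal";
        case 7: return "unordered";
        default: return "undefined";
    }
}

/* FSTSW AX / SAHF copies C3, C2, C0 into ZF, PF, CF, so a JE/JB/JA right
   after it is really a float compare. Returns (ZF<<6)|(PF<<2)|CF. */
unsigned x87_sahf_flags(uint16_t sw) {
    x87_status s = x87_decode(sw);
    return (s.c3 << 6) | (s.c2 << 2) | s.c0;
}

#if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
/* On real x86 (assumed GCC inline asm): push b, push a, FCOMPP (compares a
   with b and pops both), then FNSTSW reads back the status word a debugger
   would display. */
uint16_t x87_fcompp_status(long double a, long double b) {
    uint16_t sw;
    __asm__ volatile("fldt %2\n\tfldt %1\n\tfcompp\n\tfnstsw %0"
                     : "=m"(sw) : "m"(a), "m"(b) : "st", "st(1)");
    return sw;
}
#endif
```

Feeding the status word value shown by the debugger into x87_decode tells you which register is ST(0) and how the last compare went, which is what the "wf" display alone does not spell out.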
McNy@Work
February 3rd, 2001, 15:03
Quote:
OeDiFuZz (02-02-2001 02:34):
Hi guys,
I need help very badly. I'm cracking PC-cillin 2000. I'm already at a point where my fake serial was manipulated to produce a seed value (I think). From this seed value it took some numbers again and placed them in a certain location. Then it went back to manipulate my fake serial. It called a function where my serial was manipulated using floating point instructions!!!!
Hell, I don't know anything about floating point
........
OeDiFuZz
PC-cillin 2000?? Just a piece of cake, coz it didn't use the "benefit" of floating point at all.
In SoftICE, type "wf f" to display the floating point stack in 10-byte real format. You will soon discover that all calculations only use some very long integer numbers. 8-)
You must ensure that the registers shown are "ST0, ST1, ... and so on", and NOT "MM0, MM1, ...".
Please forgive me for my broken English 8)
Good luck.
Kayaker
February 3rd, 2001, 20:49
Hi,
I stumbled across this basic overview of the FPU architecture and instruction set which might be of some help.
h*ttp://thunder.prohosting.com/~asm1/fpu1.txt
Regards,
OeDiFuZz
February 4th, 2001, 12:49
McNy@Work-- You're forgiven ;-). Thanks man for your valuable help.
I'm new to cracking but I've already cracked some apps that use the x86 instruction set. I had no trouble cracking them. This is the first time I've encountered the FPU instruction set; that's why I couldn't make any sense of the figures I saw in ST0, ST1, ... and so on. Hence I got lost in the dark codewoods of the FPU instruction set.
Kayaker-- I appreciate your help man. I'll take a look at that link.
'Til next time guys. Thanks.
OeDiFuZz