blade-r
July 4th, 2001, 06:12
Hi,
I have a problem with a unix program. I must generate a valid serial for this proggy, but I can't understand what happens when I send a serial code to the server. I've found a routine that (I think) is interesting:
LNDecrypt(%s)
:0040A660 8B44240C mov eax, dword ptr [esp+0C]
:0040A664 81EC14020000 sub esp, 00000214
:0040A66A 89442410 mov dword ptr [esp+10], eax
:0040A66E 53 push ebx
:0040A66F 8B9C242C020000 mov ebx, dword ptr [esp+0000022C]
:0040A676 56 push esi
:0040A677 8B842438020000 mov eax, dword ptr [esp+00000238]
:0040A67E 57 push edi
:0040A67F 8BBC2430020000 mov edi, dword ptr [esp+00000230]
:0040A686 55 push ebp
:0040A687 8BAC243C020000 mov ebp, dword ptr [esp+0000023C]
:0040A68E 8B8C2444020000 mov ecx, dword ptr [esp+00000244]
:0040A695 8B942448020000 mov edx, dword ptr [esp+00000248]
:0040A69C 8944241C mov dword ptr [esp+1C], eax
:0040A6A0 8B84244C020000 mov eax, dword ptr [esp+0000024C]
:0040A6A7 894C2418 mov dword ptr [esp+18], ecx
:0040A6AB 8B8C2428020000 mov ecx, dword ptr [esp+00000228]
:0040A6B2 89542414 mov dword ptr [esp+14], edx
:0040A6B6 89442410 mov dword ptr [esp+10], eax
:0040A6BA 850DD4C24400 test dword ptr [0044C2D4], ecx
:0040A6C0 0F84BF000000 je 0040A785
:0040A6C6 6A02 push 00000002
:0040A6C8 68D0C14400 push 0044C1D0
* Reference To: KERNEL32._lopen, Ord:028Eh
|
:0040A6CD FF15EC7A4600 Call dword ptr [00467AEC]
:0040A6D3 8BF0 mov esi, eax
:0040A6D5 85F6 test esi, esi
:0040A6D7 0F8CA8000000 jl 0040A785
:0040A6DD 8B84242C020000 mov eax, dword ptr [esp+0000022C]
:0040A6E4 8D4C2424 lea ecx, dword ptr [esp+24]
:0040A6E8 50 push eax
* Possible StringData Ref from Data Obj ->"LSADMAPI"
|
:0040A6E9 6868D04400 push 0044D068
* Possible StringData Ref from Data Obj ->"%%lu : %s : %s"
|
:0040A6EE 6858D04400 push 0044D058
:0040A6F3 51 push ecx
* Reference To: USER32.wsprintfA, Ord:0264h
|
:0040A6F4 FF15407D4600 Call dword ptr [00467D40]
:0040A6FA 83C410 add esp, 00000010
:0040A6FD 83F801 cmp eax, 00000001
:0040A700 7E24 jle 0040A726
:0040A702 8D4C0423 lea ecx, dword ptr [esp+eax+23]
:0040A706 80390A cmp byte ptr [ecx], 0A
:0040A709 751B jne 0040A726
:0040A70B 807C04220D cmp byte ptr [esp+eax+22], 0D
:0040A710 7414 je 0040A726
:0040A712 3DFF000000 cmp eax, 000000FF
:0040A717 730D jnb 0040A726
:0040A719 C6010D mov byte ptr [ecx], 0D
:0040A71C C64404240A mov [esp+eax+24], 0A
:0040A721 C644042500 mov [esp+eax+25], 00
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040A700(C), :0040A709(C), :0040A710(C), :0040A717(C)
|
:0040A726 8B442410 mov eax, dword ptr [esp+10]
:0040A72A 8B4C2414 mov ecx, dword ptr [esp+14]
:0040A72E 8B542418 mov edx, dword ptr [esp+18]
:0040A732 50 push eax
:0040A733 8B442420 mov eax, dword ptr [esp+20]
:0040A737 51 push ecx
:0040A738 8B4C2428 mov ecx, dword ptr [esp+28]
:0040A73C 52 push edx
:0040A73D 50 push eax
:0040A73E 55 push ebp
:0040A73F 53 push ebx
:0040A740 57 push edi
:0040A741 51 push ecx
* Reference To: KERNEL32.GetTickCount, Ord:0145h
|
:0040A742 FF157C7A4600 Call dword ptr [00467A7C]
:0040A748 8D4C2444 lea ecx, dword ptr [esp+44]
:0040A74C 50 push eax
:0040A74D 8D842448010000 lea eax, dword ptr [esp+00000148]
:0040A754 51 push ecx
:0040A755 50 push eax
* Reference To: USER32.wsprintfA, Ord:0264h
|
:0040A756 FF15407D4600 Call dword ptr [00467D40]
:0040A75C 83C42C add esp, 0000002C
:0040A75F 8BF8 mov edi, eax
:0040A761 6A02 push 00000002
:0040A763 6A00 push 00000000
:0040A765 56 push esi
* Reference To: KERNEL32._llseek, Ord:028Dh
|
:0040A766 FF15D87A4600 Call dword ptr [00467AD8]
:0040A76C 8D842424010000 lea eax, dword ptr [esp+00000124]
:0040A773 57 push edi
:0040A774 50 push eax
* Reference To: KERNEL32._lwrite, Ord:0290h
|
:0040A775 8B2DE87A4600 mov ebp, dword ptr [00467AE8]
:0040A77B 56 push esi
:0040A77C FFD5 call ebp
:0040A77E 56 push esi
* Reference To: KERNEL32._lclose, Ord:028Bh
|
:0040A77F FF15F47A4600 Call dword ptr [00467AF4]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040A6C0(C), :0040A6D7(C)
|
:0040A785 5D pop ebp
:0040A786 5F pop edi
:0040A787 5E pop esi
:0040A788 5B pop ebx
:0040A789 81C414020000 add esp, 00000214
:0040A78F C3 ret
* Referenced by a CALL at Addresses:
|:0040A9CC , :0040AAE4 , :0040AE4F , :0040B04D , :0040B27B
|:0040BAFB , :0040BB89 , :0040BBBB , :0040BC5A , :0040BCF9
|:0040BD2C , :0040BDFA , :0040BFF6 , :0040C0D9 , :0040C0FD
|
:0040A790 81EC90010000 sub esp, 00000190
:0040A796 E8451C0000 call 0040C3E0
* Possible StringData Ref from Data Obj ->"USPInitialise"
|
:0040A79B 6820D14400 push 0044D120
:0040A7A0 6A01 push 00000001
:0040A7A2 E8C91C0000 call 0040C470
:0040A7A7 8D442408 lea eax, dword ptr [esp+08]
:0040A7AB 83C408 add esp, 00000008
:0040A7AE 50 push eax
:0040A7AF 6801010000 push 00000101
* Reference To: WSOCK32.WSAStartup, Ord:0073h
|
:0040A7B4 E8C5320000 Call 0040DA7E
:0040A7B9 85C0 test eax, eax
:0040A7BB 7411 je 0040A7CE
* Possible StringData Ref from Data Obj ->"USPInitialise: WSAStartup failed"
|
:0040A7BD 68FCD04400 push 0044D0FC
:0040A7C2 6A01 push 00000001
:0040A7C4 E8A71C0000 call 0040C470
:0040A7C9 83C408 add esp, 00000008
:0040A7CC EB05 jmp 0040A7D3
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A7BB(C)
|
:0040A7CE E81D000000 call 0040A7F0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A7CC(U)
|
:0040A7D3 C705F8D0440001000000 mov dword ptr [0044D0F8], 00000001
:0040A7DD 81C490010000 add esp, 00000190
:0040A7E3 C3 ret
:0040A7E4 CC int 03
:0040A7E5 CC int 03
:0040A7E6 CC int 03
:0040A7E7 CC int 03
:0040A7E8 CC int 03
:0040A7E9 CC int 03
:0040A7EA CC int 03
:0040A7EB CC int 03
:0040A7EC CC int 03
:0040A7ED CC int 03
:0040A7EE CC int 03
:0040A7EF CC int 03
* Referenced by a CALL at Address:
|:0040A7CE
|
:0040A7F0 57 push edi
:0040A7F1 B8FFFFFFFF mov eax, FFFFFFFF
:0040A7F6 BF60424600 mov edi, 00464260
:0040A7FB B900010000 mov ecx, 00000100
:0040A800 F3 repz
:0040A801 AB stosd
:0040A802 5F pop edi
:0040A803 C3 ret
I think that with this function I can create a valid S/N, but I can't understand how the encryption scheme works... Can anyone help me, please?
Thank you
P.S. Sorry for my poor English...
