campa
October 7th, 2002, 09:12
Hello,
I'm reversing safe serial and I have to put a break on execution in a memory range (access to sase.ocx).
I've tried bpx eip if eip>xxx where xxx is the beginning of the sase.ocx module... and it does not work.
What's wrong? And does anyone know how to proceed?
Thierry.
xor37h
October 7th, 2002, 14:06
Hi Thierry,
Well I don't want to ruin all your fun, but here goes:
Getting the four 3-byte encode numbers is easy:
bpx CreateFileA
F12
d *(eip+642e9)
Here is a TASM framework for a keygen, which uses the codeserver.ocx in a smart little way to do the work for us...
extrn LoadLibraryA : proc
extrn FreeLibrary : proc
extrn GetProcAddress : proc
.data
szLibrary db 'c:\codeserv.ocx',0
szDllRegisterServer db 'DllRegisterServer',00h
sub_8B41DC dd 0
hLibrary dd 0
; ---------------
dd 20
sase_CustomerCode db 32 dup(0)
dd 3
sase_MaxExecs db '255', 4 dup(0) ; (0-255, 255=unlimited)
dd 3
sase_MaxDays db '255', 4 dup(0) ; (0-255, 255=unlimited)
dd 3
sase_LicType db '131', 4 dup(0) ; (0-9999). 131 for enterprise SAFEREG
dd 1
sase_Counter db '0', 4 dup(0) ; (0-255, 255=unlimited)
dd 12
SAFEREG_EncodeBytes db '188193240217', 4 dup(0) ; SAFEREG (188,193,240,217)
off_UnlockCode dd 0
off_ConfirmationCode dd 0
; ---------------
.code
code_begin:
; ---------------
call LoadLibraryA, offset szLibrary
test eax,eax
jz error_Loading_DLL
mov dword ptr [hLibrary], eax
push offset szDllRegisterServer
push eax
call GetProcAddress
test eax,eax
jz error_Loading_DLL
add eax, 43598h ; add RVA+43598h to get offset of sub_8B41DC
mov dword ptr [sub_8B41DC],eax
add eax, 29Ch
mov byte ptr [eax], 0C3h ; patch a RET at 008B4478
; ---------------
push 31 ; The max length of the string to get +1
push offset sase_CustomerCode ; Pointer to the sase_CustomerCode string
push IDC_EDIT1 ; The text box to get the string from
push __hWnd ; The handle of the dialog
call GetDlgItemTextA ; Get the szName string
xor eax, eax ; check the size of the string
xor ecx, ecx
dec ecx
lea edi, sase_CustomerCode
repne scasb
not ecx
dec ecx
mov dword ptr [sase_CustomerCode - 4], ecx
mov dword ptr [off_UnlockCode], 0
mov dword ptr [off_ConfirmationCode], 0
push 1
push offset sase_CustomerCode
push offset sase_MaxExecs
push offset sase_MaxDays
push offset sase_LicType
push offset sase_Counter
push offset SAFEREG_EncodeBytes
push offset off_UnlockCode
push offset off_ConfirmationCode
xor cl, cl ; [ ] Uninstall
xor dl, dl ; [ ] Reset Execution
xor al, al ; [ ] Reset Install Date
call sub_8B41DC
cmp dword ptr [off_UnlockCode], 0
jz error_Invalid_CustomerCode
cmp dword ptr [off_ConfirmationCode], 0
jz error_Invalid_CustomerCode
push dword ptr [off_UnlockCode]
push IDC_EDIT2 ; The edit box to put the info into
push _hDlg ; The dialog handle
call SetDlgItemText ; Set the text
push dword ptr [off_ConfirmationCode]
push IDC_EDIT3 ; The edit box to put the info into
push _hDlg ; The dialog handle
call SetDlgItemText ; Set the text
ret ; return
error_Invalid_CustomerCode:
ret ; return
code_end:
end code_begin
Best Regards, xor37h
naides
October 7th, 2002, 17:46
Quote:
Originally posted by campa
Hello,
I'm reversing safe serial and I have to put a break on execution in a memory range (access to sase.ocx).
I've tried bpx eip if eip>xxx where xxx is the beginning of the sase.ocx module... and it does not work.
What's wrong? And does anyone know how to proceed?
Thierry.
Do not use bpx, use bpr cs:beginning_of_the_module_in_ram cs:end_of_the_module_in_ram R(ead) or (e)X(ecute).
When a piece of code is executed, it has to be read first!
Now BPR is not included in Sice versions 4.26 and 4.27.
xor37h
October 7th, 2002, 23:05
esther,
If you could just chill out, I DID NOT post a keygen, I posted a crippled, non-target-specific piece of code that showed how one could do a keygen.
This post is not more incriminating than what you would be able to see in one of the numerous flexlm threads or so.
So mr-look-for-something-to-scream-and-shout-about, take a cold shower...
Best Regards, xor37h
esther
October 8th, 2002, 01:37
Hi,
Why bother if it's a crippled skeleton?