St4rsh1ps Unl1m1ted 2_3c


UriPui
March 10th, 2003, 13:02
Hi,

there seems to be a very hard serial-generation scheme in that game. Perhaps you can give
me a clue how to find the right one.

All I know is that it converts from your serial
o=0
i=1
z=2
s=5
g=6

and puts this into a hex value:

'123456789' = 75BCD15 = EAX = ECX

then

AND ECX,0FF (Only takes the last two digits)

and compares it with a value created from your name.

Try
Name: Chris
Serial: 000000000

It says all right, but still aborts after 100 years of playing, which shows it's still
locked.

There must be another check. Searched for the message but found nothing.


Can you give me a clue?
h***://***.a__p_e_z__o__n_e.com/ (WITHOUT underscores)

I'd really like to know how this works...


Thanks in advance

Iwarez
March 10th, 2003, 13:23
If it is like I think it is, then the serial has an easy check for the serial entry and some other checks throughout the game. Very clever and sometimes harder to find.

UriPui
March 10th, 2003, 13:41
Hmm,



is there a way to get the right serial though? Perhaps you know a tutorial about
the same type of serial checking?

regards

squidge
March 10th, 2003, 15:12
It's very easy to get an ACCEPTED serial, but quite a bit harder to get a serial that will unlock the entire program. You'll have to watch all the variables the serial routine uses (incl. the name and serial fields) and set some memory breakpoints on them to see where else they are accessed.

I remember cdrwin having a very similar system - you could generate an unlock key for it very easily, but unless you got the system exactly right (i.e., not just the first check), then it wrote random files over your entire hd.
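Iwarez's and squidge's replies describe the same pattern: a cheap check at the serial dialog plus independent checks later in the program, each looking at the serial through different eyes. The following is an added example, not code from the thread or from the game, written from the vendor's side to show why a serial that satisfies only the dialog check is later rejected. The letter-to-digit substitution is the one UriPui reported; the name hash, the two tags, the serial layout and the name "Chris" with its serials are all constructed for illustration and have nothing to do with the real routine.

```python
# Added example, not code from the thread or the game: a toy model, from the
# vendor's side, of the layered serial validation the replies describe.
# Hash, tags and serial layout are constructed for illustration only.

# Letter-to-digit substitution UriPui reported for the serial field.
LEET = str.maketrans("oizsg", "01256")

# Constructed per-check tags so the two layers derive different bytes from the name.
ENTRY_TAG = 0x00
DEFERRED_TAG = 0xA5


def normalise_serial(serial: str) -> int:
    """Apply the letter substitution, then parse the serial as a decimal number."""
    digits = serial.strip().lower().translate(LEET)
    if not digits.isdigit():
        raise ValueError("serial may contain only digits or the letters o, i, z, s, g")
    return int(digits)


def name_digest(name: str, tag: int) -> int:
    """Constructed stand-in for a name-derived magic number: a weighted byte sum,
    mixed with a per-check tag so each layer expects a different byte."""
    acc = sum((pos + 1) * ord(ch) for pos, ch in enumerate(name))
    return (acc ^ tag) & 0xFF


def entry_check(name: str, serial: str) -> bool:
    """Cheap check at the registration dialog: compares only the low byte of the serial."""
    return (normalise_serial(serial) & 0xFF) == name_digest(name, ENTRY_TAG)


def deferred_check(name: str, serial: str) -> bool:
    """Independent check run later in the program: compares the next byte up,
    derived from the name with a different tag."""
    return ((normalise_serial(serial) >> 8) & 0xFF) == name_digest(name, DEFERRED_TAG)


def issue_serial(name: str) -> str:
    """Vendor-side issuance: a serial whose low two bytes satisfy both layers."""
    value = (name_digest(name, DEFERRED_TAG) << 8) | name_digest(name, ENTRY_TAG)
    return f"{value:09d}"


def entry_only_serial(name: str) -> str:
    """A serial that satisfies nothing but the dialog check, to reproduce the
    failure mode in the thread: accepted at entry, rejected by the deferred layer."""
    return f"{name_digest(name, ENTRY_TAG):09d}"


def validation_report(name: str, serial: str) -> dict:
    """Run both layers and report each result separately."""
    return {"entry": entry_check(name, serial), "deferred": deferred_check(name, serial)}


if __name__ == "__main__":
    # Constructed sample: "Chris" as in the first post, but with this toy's own values.
    for s in (issue_serial("Chris"), entry_only_serial("Chris")):
        print(s, validation_report("Chris", s))
```

The point of splitting the derivation by tag is that passing the dialog tells you nothing about the deferred layer: each layer is its own comparison against its own byte, which is exactly why watching every use of the name and serial variables, rather than the first compare alone, is the advice given above.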

Iwarez
March 11th, 2003, 01:30
You just have to watch where the serial is stored and put a memory breakpoint on that. Or get all the references from IDA and look where there are calculations done with the serial...

UriPui
March 11th, 2003, 11:29
First, thanks for your ideas and the hint to look at CDRWin. It's a pity I can't find
a usable, good tutorial about reversing CDRWin. The one on Krobar's page
is very hard to understand (why and where?).


My ideas 'till now:

Hmm,

probably it saves the key to the file 'd_e_b_u_g_._d_a_t_' (without underscores).

After you enter a serial that looks right at first sight, it performs some _fopens and so on,
which save it into that file. Perhaps it reads it after the dialog box during the
game and compares it with something. Unfortunately I can't check it further
because it's a DX application, which causes OllyDBG and my whole system
to lock up when I reach a breakpoint. And I don't want to use S_o_f_t__i_c__e.


Any hints for a real NewestBie?


Thanks

squidge
March 11th, 2003, 11:38
Can't you get it to run in a window? A lot of DX-enabled apps can.

UriPui
March 11th, 2003, 11:59
I'm afraid not. Not that application. It seems that it doesn't offer a windowed mode.

squidge
March 11th, 2003, 14:37
Then it looks like it's a job for sice.

UriPui
March 12th, 2003, 11:08
@squidge: yeah, s1ce is really nice, _and_ it works with DX, but I don't like
it because it's resident in memory (like T_R_W). OllyDBG provides something
like a safe environment.


Ok, but I found out other things:

1. The file 'd_e_b_u_g_._d_a_t_' is loaded two times: once at the start
of the game, the second time before I reach the limit (100 turns) of the locked
version. I checked it with filemon (launched the game, loaded a savegame that
is just before the 100th turn, alt+tabbed to explorer and launched filemon).

2. The second point is that after it shows me the message about the locked game,
it doesn't accept the 'd_e_b_u_g_._d_a_t_' (or rather my serial) any more,
although it worked the time before. Yeah, now I have that nice serial dialog box
again.

UriPui
March 18th, 2003, 14:54
Well, I think I've stepped further:

Code:

FirstSerialCheck:
005352F4 |. C705 54735900 >MOV DWORD PTR DS:[597354],3A9
005352FE |. E8 FD0F0000 CALL <STUN.GenerateMagicNumber>
00535303 |. 8BF0 MOV ESI,EAX
00535305 |. C705 54735900 >MOV DWORD PTR DS:[597354],163
0053530F |. 83E6 0F AND ESI,0F
00535312 |. E8 E90F0000 CALL <STUN.GenerateMagicNumber>
00535317 |. 83E0 0F AND EAX,0F
0053531A |. C1E0 04 SHL EAX,4
0053531D |. 0BF0 OR ESI,EAX
0053531F |. 8D8424 7C04000>LEA EAX,DWORD PTR SS:[ESP+47C]
00535326 |. 50 PUSH EAX
00535327 |. E8 84100000 CALL STUN.005363B0
0053532C |. 8BD0 MOV EDX,EAX
0053532E |. B9 0F000000 MOV ECX,0F
00535333 |. 33C0 XOR EAX,EAX
00535335 |. 8D7C24 31 LEA EDI,DWORD PTR SS:[ESP+31]
00535339 |. C64424 30 00 MOV BYTE PTR SS:[ESP+30],0
0053533E |. 83C4 04 ADD ESP,4
00535341 |. F3:AB REP STOS DWORD PTR ES:[EDI]
00535343 |. 66:AB STOS WORD PTR ES:[EDI]
00535345 |. 85ED TEST EBP,EBP
00535347 |. 895424 20 MOV DWORD PTR SS:[ESP+20],EDX
0053534B |. AA STOS BYTE PTR ES:[EDI]
0053534C |. 0F85 FF010000 JNZ <STUN.NoValiedSerial>
00535352 |. 8BCA MOV ECX,EDX
00535354 |. 81E1 FF000000 AND ECX,0FF ; Check 1st serial
0053535A |. 3BF1 CMP ESI,ECX
0053535C |. 0F85 EF010000 JNZ <STUN.NoValiedSerial>


SecondSerialCheck:
004785C2 |. C705 54735900 >MOV DWORD PTR DS:[597354],34
004785CC |. E8 2FDD0B00 CALL <STUN.GenerateMagicNumber>
004785D1 |. 83E0 0F AND EAX,0F
004785D4 |. C1E0 08 SHL EAX,8
004785D7 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
004785DA |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004785DD |. 0B45 F8 OR EAX,DWORD PTR SS:[EBP-8]
004785E0 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004785E3 |. C705 54735900 >MOV DWORD PTR DS:[597354],1C9
004785ED |. E8 0EDD0B00 CALL <STUN.GenerateMagicNumber>
004785F2 |. 83E0 0F AND EAX,0F
004785F5 |. C1E0 0C SHL EAX,0C
004785F8 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
004785FB |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
004785FE |. 0B4D F8 OR ECX,DWORD PTR SS:[EBP-8]
00478601 |. 894D FC MOV DWORD PTR SS:[EBP-4],ECX
00478604 |. E8 979C0000 CALL <STUN.GetSerialValue> ; Here is the 2nd check of the serial
00478609 |. 25 00FF0000 AND EAX,0FF00
0047860E |. 3945 FC CMP DWORD PTR SS:[EBP-4],EAX
00478611 |. 74 0F JE SHORT STUN.00478622
00478613 |. C705 58AF5700 >MOV DWORD PTR DS:[57AF58],1
0047861D |. E8 8EDC0B00 CALL <STUN.ModifyKeyFile>
00478622 |> 833D 58AF5700 >CMP DWORD PTR DS:[57AF58],0 ; SkipCheck
00478629 |. 74 1C JE SHORT STUN.00478647
0047862B |. 833D DC445800 >CMP DWORD PTR DS:[5844DC],64
00478632 |. 72 13 JB SHORT STUN.00478647
00478634 |. C705 5C3C5900 >MOV DWORD PTR DS:[593C5C],1
0047863E |. C605 70465800 >MOV BYTE PTR DS:[584670],1
00478645 |. EB 07 JMP SHORT STUN.0047864E
00478647 |> C605 70465800 >MOV BYTE PTR DS:[584670],0
0047864E |> 8BE5 MOV ESP,EBP
00478650 |. 5D POP EBP
00478651 \. C3 RETN

GenerateMagicNumber:
00536300 >/$ 68 48715900 PUSH STUN.00597148
00536305 |. E8 66FEFFFF CALL STUN.00536170
0053630A |. 8B15 54735900 MOV EDX,DWORD PTR DS:[597354]
00536310 |. 8B0D 64735900 MOV ECX,DWORD PTR DS:[597364]
00536316 |. 03C2 ADD EAX,EDX
00536318 |. 83C4 04 ADD ESP,4
0053631B |. 8901 MOV DWORD PTR DS:[ECX],EAX
0053631D |. A1 5C735900 MOV EAX,DWORD PTR DS:[59735C]
00536322 |. 3D 00000100 CMP EAX,10000
00536327 |. 72 62 JB SHORT STUN.0053638B
00536329 |. A1 64735900 MOV EAX,DWORD PTR DS:[597364]
0053632E |. 56 PUSH ESI
0053632F |. 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
00536332 |. 0FAF08 IMUL ECX,DWORD PTR DS:[EAX]
00536335 |. 41 INC ECX
00536336 |. 81E1 FFFF0000 AND ECX,0FFFF
0053633C |. 8908 MOV DWORD PTR DS:[EAX],ECX
0053633E |. 8B35 64735900 MOV ESI,DWORD PTR DS:[597364]
00536344 |. B8 E9042FF8 MOV EAX,F82F04E9
00536349 |. F725 5C735900 MUL DWORD PTR DS:[59735C]
0053634F |. 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
00536352 |. 0FAF06 IMUL EAX,DWORD PTR DS:[ESI]
00536355 |. C1EA 10 SHR EDX,10
00536358 |. 40 INC EAX
00536359 |. 25 FFFF0000 AND EAX,0FFFF
0053635E |. 8906 MOV DWORD PTR DS:[ESI],EAX
00536360 |. 0FAFC2 IMUL EAX,EDX
00536363 |. C1E8 10 SHR EAX,10
00536366 |. 8BD0 MOV EDX,EAX
00536368 |. 5E POP ESI
00536369 |. C1E0 05 SHL EAX,5
0053636C |. 03C2 ADD EAX,EDX
0053636E |. C1E0 07 SHL EAX,7
00536371 |. 03C2 ADD EAX,EDX
00536373 |. 8BD1 MOV EDX,ECX
00536375 |. C1E2 05 SHL EDX,5
00536378 |. 03D1 ADD EDX,ECX
0053637A |. C1E2 07 SHL EDX,7
0053637D |. 03D1 ADD EDX,ECX
0053637F |. C1E2 04 SHL EDX,4
00536382 |. C1E0 04 SHL EAX,4
00536385 |. C1EA 10 SHR EDX,10
00536388 |. 03C2 ADD EAX,EDX
0053638A |. C3 RETN
0053638B |> 8B15 64735900 MOV EDX,DWORD PTR DS:[597364]
00536391 |. 8B4A 04 MOV ECX,DWORD PTR DS:[EDX+4]
00536394 |. 0FAF0A IMUL ECX,DWORD PTR DS:[EDX]
00536397 |. 41 INC ECX
00536398 |. 81E1 FFFF0000 AND ECX,0FFFF
0053639E |. 0FAFC1 IMUL EAX,ECX
005363A1 |. 890A MOV DWORD PTR DS:[EDX],ECX
005363A3 |. C1E8 10 SHR EAX,10
005363A6 \. C3 RETN
...
00536170 /$ 81EC 00020000 SUB ESP,200
00536176 |. 83C9 FF OR ECX,FFFFFFFF
00536179 |. 33C0 XOR EAX,EAX
0053617B |. 8D5424 00 LEA EDX,DWORD PTR SS:[ESP]
0053617F |. 56 PUSH ESI
00536180 |. 57 PUSH EDI
00536181 |. 8BBC24 0C02000>MOV EDI,DWORD PTR SS:[ESP+20C]
00536188 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
0053618A |. F7D1 NOT ECX
0053618C |. 2BF9 SUB EDI,ECX
0053618E |. 8BC1 MOV EAX,ECX
00536190 |. 8BF7 MOV ESI,EDI
00536192 |. 8BFA MOV EDI,EDX
00536194 |. C1E9 02 SHR ECX,2
00536197 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00536199 |. 8BC8 MOV ECX,EAX
0053619B |. 33C0 XOR EAX,EAX
0053619D |. 83E1 03 AND ECX,3
005361A0 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
005361A2 |. 8D7C24 08 LEA EDI,DWORD PTR SS:[ESP+8]
005361A6 |. 83C9 FF OR ECX,FFFFFFFF
005361A9 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
005361AB |. F7D1 NOT ECX
005361AD |. 49 DEC ECX
005361AE |. 75 09 JNZ SHORT STUN.005361B9
005361B0 |. 5F POP EDI
005361B1 |. 5E POP ESI
005361B2 |. 81C4 00020000 ADD ESP,200
005361B8 |. C3 RETN
005361B9 |> 0FBE5424 08 MOVSX EDX,BYTE PTR SS:[ESP+8]
005361BE |. BE 01000000 MOV ESI,1
005361C3 |. 3BCE CMP ECX,ESI
005361C5 |. 7E 17 JLE SHORT STUN.005361DE
005361C7 |> 0FBE4434 08 /MOVSX EAX,BYTE PTR SS:[ESP+ESI+8]
005361CC |. C1E2 09 |SHL EDX,9
005361CF |. 03C2 |ADD EAX,EDX
005361D1 |. BF 83841E00 |MOV EDI,1E8483
005361D6 |. 99 |CDQ
005361D7 |. F7FF |IDIV EDI
005361D9 |. 46 |INC ESI
005361DA |. 3BF1 |CMP ESI,ECX
005361DC |.^7C E9 \JL SHORT STUN.005361C7
005361DE |> 5F POP EDI
005361DF |. 8BC2 MOV EAX,EDX
005361E1 |. 5E POP ESI
005361E2 |. 81C4 00020000 ADD ESP,200
005361E8 \. C3 RETN


The program is doing two checks of the serial; that's
why it passes the first but not the second one.

Now I'm stuck. I have no idea how to calculate my own serial, because I cannot use breakpoints while using DirectX.


Any ideas?

squidge
March 18th, 2003, 18:26
Since you seem to know where the second serial check is, can't you rip the code out into a standalone file, and play with it from there?