
Weird Serial Check


Joda
July 12th, 2001, 01:08
Heya.

Well I have a shareware program here that uses a somewhat easy serial protection scheme, but I can't find the right serial.
That wouldn't be so interesting, but the facts are this:
(I can't post code, 'cause I'm at work, hope it's clear nevertheless)

1. Name and Serial are read in with GetWindowText
2. An algo calculates a serial from the name
3. MySerial and AlgoSerial are compared

If they are the same:

"The serial was right, but it doesn't work with this version of the program"

If they are not equal:

"Sorry wrong serial."

Weird.
Well I traced a bit through the code after the JNE and found that some memory is tested; if the word saved there is between 1 and 6 it says "Right Serial".
The problem is that long before, FF is written over that memory area, and it seems that this is done every time - which can't be true, 'cause then it wouldn't be possible at all to enter a valid serial.
I checked it with IDA and wdasm but I wasn't able to figure out from where it was called or jumped to.

So I have two questions in one:

1. Anyone seen this before and has any tips for me?
2. Is there a function in SoftICE to check from where a specific code location was called? (The bpr <xxx> T cmd doesn't work for me.)

thx'n'cya

Joda

Kayaker
July 12th, 2001, 01:40
Quote:
Joda (07-11-2001 23:08):

1. Anyone seen this before and has any tips for me?
2. Is there a function in SoftICE to check from where a specific code location was called? (The bpr <xxx> T cmd doesn't work for me.)

Joda


Hi Joda,

1. Nope
2. If I understand correctly, and you want to essentially trace backwards from code section to code section to find out how a particular address was reached, 'bpm address x' should do the trick.

If you set the bpm break at the start of the code section you're interested in (i.e. at the push ebp that starts the call), then when it breaks there will be a FromIP in the command window, which will be where it was called from.

You can then set a regular bpx on this FromIP address or check things out in Wdasm and continue on like that. This will allow you to step backwards as far as you want to go.

G'luck

Kayaker

Bratscher
July 12th, 2001, 16:28
Quote:

Heya.

Well I have a shareware program here that uses a somewhat easy serial protection scheme, but I can't find the right serial.
That wouldn't be so interesting, but the facts are this:
(I can't post code, 'cause I'm at work, hope it's clear nevertheless)

1. Name and Serial are read in with GetWindowText
2. An algo calculates a serial from the name
3. MySerial and AlgoSerial are compared

If they are the same:

"The serial was right, but it doesn't work with this version of the program"

If they are not equal:

"Sorry wrong serial."


Hi Joda:
I think that this program is validating your serial in at least one other segment of the code. Such a function is the one that sets up the value from 1 to 6 in the memory position you identified. That evaluation probably occurs before the piece of code you reversed. By the time you get to the snippet you described, it may have decided "bad boy" already and written FF in the flag you located, because the "correct" serial you entered passes the second test, but not the first one.
The serial comparison you saw may be a residual from a previous version of the shareware, or a decoy for bad boys like you (and me). I would follow Kayaker's suggestion, trying to catch who writes that number from 1 to 6 in the memory position you isolated, and that may give you a clue to the rest of the protection.

Regards

Bratscher

Quote:

Weird.
Well I traced a bit through the code after the JNE and found that some memory is tested; if the word saved there is between 1 and 6 it says "Right Serial".
The problem is that long before, FF is written over that memory area, and it seems that this is done every time - which can't be true, 'cause then it wouldn't be possible at all to enter a valid serial.
I checked it with IDA and wdasm but I wasn't able to figure out from where it was called or jumped to.

So I have two questions in one:

1. Anyone seen this before and has any tips for me?
2. Is there a function in SoftICE to check from where a specific code location was called? (The bpr <xxx> T cmd doesn't work for me.)

thx'n'cya

Joda
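One way the layered check Bratscher describes could be laid out, as a constructed C model added here (this is not the shareware program from the thread; the function names, the toy name hash and the tier encoding in the serial's high word are all assumptions). It reproduces the three messages from the first post and the FF write on every keystroke:

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of a two-stage serial check; names and arithmetic
 * are invented for illustration, not taken from the program discussed. */

static uint8_t g_tier = 0xFF;   /* the flag tested for 1..6; 0xFF = unvalidated */

/* Stage 0: EN_CHANGE handler for the name/serial edit boxes. Every keystroke
 * resets the flag, which is why the FF write appears to run every time. */
void on_edit_change(void) { g_tier = 0xFF; }

/* Toy stand-in for the name algorithm (djb2-style hash). */
uint32_t name_hash(const char *name) {
    uint32_t h = 5381;
    for (; *name; ++name) h = h * 33 + (uint8_t)*name;
    return h;
}

/* Stage 1, executed before the compare the reverser found: the serial's
 * high word carries a tier (top nibble, 1..6) plus a second name-derived
 * 28-bit value. Only if both agree with the name does the flag leave 0xFF. */
void stage1_validate(const char *name, uint32_t hi) {
    uint32_t tier = hi >> 28;
    uint32_t want = (name_hash(name) * 0x9E3779B1u) >> 4;   /* 28 bits */
    if (tier >= 1 && tier <= 6 && (hi & 0x0FFFFFFFu) == want)
        g_tier = (uint8_t)tier;
}

/* Stage 2: the visible MySerial == AlgoSerial compare on the low word,
 * followed by the flag test. A serial whose low word matches but whose
 * high word was never accepted by stage 1 lands in the "version" branch. */
const char *stage2_message(const char *name, uint32_t lo) {
    if (lo != name_hash(name))
        return "Sorry wrong serial.";
    if (g_tier >= 1 && g_tier <= 6)
        return "Right Serial";
    return "The serial was right, but it doesn't work with this version of the program";
}

/* Whole flow for one name/serial entry, returning the message shown. */
const char *check_serial(const char *name, uint32_t hi, uint32_t lo) {
    on_edit_change();            /* user typed: flag back to 0xFF */
    stage1_validate(name, hi);
    return stage2_message(name, lo);
}

int main(void) {
    uint32_t lo = name_hash("Joda");
    uint32_t hi = (3u << 28) | ((lo * 0x9E3779B1u) >> 4);
    printf("%s\n", check_serial("Joda", 0, lo));   /* compare passes, flag still FF */
    printf("%s\n", check_serial("Joda", hi, lo));  /* both stages accept */
    return 0;
}
```

Catching the writer of the 1..6 value, as Kayaker and Bratscher suggest, corresponds to finding stage1_validate in this model rather than the compare in stage2_message.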

Joda
July 13th, 2001, 06:02
Hi guys.

Yes Bratscher, that was what I thought also. Yesterday I found out that it seems to go through that FF-writing routine every time I enter a new letter or number of the serial number and/or name.
But I pushed the program on my stack - working on another thing now ;-). Resolving those calls is a bit boring and I'm losing the overview - guess I need another or better form of writing down notes on the asm code of the program.

Thx for the tip Kayaker, works fine for me :-).

Well, after work and aspirin power I guess I'll give that new prog another try, analysing the serial routine, perhaps coding a keygen for it, and then get back to that FF prog.

cyAll

Joda