Emerson
December 26th, 2004, 19:29
Hi,
I'm looking for a few tips on how I should look at code when I'm reversing it with regards to using it in a keygen. Below is a small section from a real app's serial validation routine. I guess I'm after the thought process that you would have when looking at this code. There's 2 variables, Hardware ID and serial. They are marked accordingly. The routine should return EAX = 1 if all is well.
Something along the lines of :-
Ok, we start at the bottom and work up. From the NEG EAX down simply equates to :- IF EAX = 0 THEN EAX = 1
Then above that we have XOR EAX, EDX. So at this point EAX must equal EDX to make the above line true.
Up again is :-
SHR EAX, 8
AND DL, 0
Ok, so we are only interested in the middle 16 bits of EAX as the roll will zero out the top 8 and the AND will nuke the bottom 8.
Up once more is XOR EDX, ECX. As the step above will SHR, the important bits are only the top 16. So the top 16 bits of both registers must match here.
And so on........ (I could probably explain like this all the way to the top but I just can't seem to rewrite it from the bottom up, or even if this is how I should attack it)
Code:
XOR EAX, EAX
MOV ECX, DWORD PTR SS:[EBP+8] << Serial (DWORD)
MOV EDX, ECX
ADD ECX, 6AECED9F
IMUL EDX, EDX,8497123
SUB EAX, EDX
MOV EDX, DWORD PTR SS:[EBP+C] << Hardware ID (DWORD)
IMUL EDX, EDX,16846817
SUB EAX, 65101561
XOR EDX, ECX
SHR EAX, 8
AND DL, 0
XOR EAX, EDX
NEG EAX
SBB EAX, EAX
INC EAX
I've already fished a working serial for my machine, but I've been reasonably successful at serial fishing for some time and I'm starting to feel a bit lame now when I find algos that look simple to reverse and I don't do it. I'm also thinking that maybe I'm reading too much detail and not looking at the whole, so to speak. Kinda like reading a sentence where each word has little meaning until the whole sentence is read. Know what I mean?
No solutions yet please, I don't think that would help me much at the moment.
Thanks,
Emerson
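One way to read a routine like this as a whole rather than instruction by instruction is to transliterate it into a high-level language that keeps every 32-bit truncation the CPU performs, then inspect the registers at the compare. Added example, not from the post or the app; it models the posted instructions only and does not solve for a serial:

```python
# Added example: a straight transliteration of the posted routine into Python,
# keeping the 32-bit wraparound of ADD/SUB/IMUL so each intermediate register
# can be inspected instead of reasoned about by hand.

MASK32 = 0xFFFFFFFF

def u32(x: int) -> int:
    """Truncate to an unsigned 32-bit value, as the CPU does after ADD/SUB/IMUL."""
    return x & MASK32

def trace(serial: int, hwid: int) -> dict:
    """Execute the routine step by step and return the register state at the
    points that matter. Names mirror the post: [EBP+8] = serial, [EBP+C] =
    hardware ID, both DWORDs."""
    eax = 0                                  # XOR EAX, EAX
    ecx = u32(serial)                        # MOV ECX, [EBP+8]
    edx = ecx                                # MOV EDX, ECX
    ecx = u32(ecx + 0x6AECED9F)              # ADD ECX, 6AECED9F
    edx = u32(edx * 0x8497123)               # IMUL EDX, EDX, 8497123 (low 32 bits kept)
    eax = u32(eax - edx)                     # SUB EAX, EDX
    edx = u32(hwid)                          # MOV EDX, [EBP+C]
    edx = u32(edx * 0x16846817)              # IMUL EDX, EDX, 16846817
    eax = u32(eax - 0x65101561)              # SUB EAX, 65101561
    edx ^= ecx                               # XOR EDX, ECX
    eax_before_shift = eax
    eax >>= 8                                # SHR EAX, 8 (logical: top 8 bits become 0)
    edx &= 0xFFFFFF00                        # AND DL, 0 (clears bits 0..7 only)
    diff = eax ^ edx                         # XOR EAX, EDX
    # NEG EAX / SBB EAX, EAX / INC EAX: NEG sets CF when EAX != 0, SBB turns CF
    # into 0 or 0xFFFFFFFF, INC gives 1 or 0. So EAX ends up 1 exactly when the
    # XOR result was 0.
    result = 1 if diff == 0 else 0
    # Note what diff == 0 actually requires: EDX's low byte and the shifted
    # EAX's high byte are both zero at the compare, so besides the middle bits
    # matching, bits 24..31 of EDX and bits 8..15 of the pre-shift EAX must be 0.
    return {"eax_before_shift": eax_before_shift, "eax": eax, "edx": edx,
            "diff": diff, "result": result}

def validate(serial: int, hwid: int) -> int:
    """Return value of the routine: 1 when the check passes, else 0."""
    return trace(serial, hwid)["result"]
```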