HELLFORGE 2000

Author: Falcon
Target: TSCube crackme 1
Public Release: Thursday, 04 May 2000
Author Contact: falcon_geno@mail.ru
Dedication: Irwin Shaw
Difficulty Level (1..7): 2-3 (MEDIUM)
Tools Required: SoftIce 3.xx

Disclaimer: Please note, the information herein is copyright to Hellforge. No portion of this text may be duplicated. Furthermore, damage or problems arising after reading this text is left to the users disposal. Neither Hellforge, nor its members can be held responsible for any direct or indirect result of following this text. The full liability of following this text is on the reader (YOU). The information is provided for educational purposes, misuse of this information is strictly prohibited. If you do not agree with this agreement, then please hit the "back" button on your browser, and go to hell. - Mercution.
 

Introduction

Ok, crackers, today I am in the mood for making a tutorial with some mathematical operations that will be necessary for finding the serial of this little program. The protection is good, so we must think a little bit if we want to reverse it. The whole protection consists of 3 loops that will give us enough information about what we must do to make the program say ‘Registered’ instead of the bad word ‘Unregistered’. As always, I suggest you print this tut and sit in front of the program code, tracing with its help.
 

Tutorial

Let’s begin….

1:- Execute the program and enter some digits as a serial. { Why digits? You will see later… }
2:- Activate SoftIce and set an hmemcpy breakpoint by typing: bpx hmemcpy
3:- Press Enter and F5, and you are back in Windows; press any digit to jump into SoftIce.
4:- Once you are in SoftIce, press F11 and F12 as many times as needed until you get here….

00401169  XOR   ECX, ECX            { After this command ECX=0… }
0040116B  MOV   AL, [ECX+ESP+2C]    { The first char of the serial is MOVed to AL… }
0040116F  CMP   AL, 30              { Compares AL with 30… }
00401171  JL    00401243            { Jump to ‘bad cracker’ if Less… }
00401177  CMP   AL, 39              { CoMPares AL with 39… }
00401179  JG    00401243            { Jump to ‘bad cracker’ if AL is Greater… }
0040117F  INC   ECX                 { ECX is increased by 1… the loop counter }
00401180  CMP   ECX, 07             { Compares ECX with 7… }
00401183  JL    0040116B            { Jump to the beginning of the loop if ECX is Less }

Note:
This is just a verification part that checks whether the first 7 chars of your serial are digits from 0 to 9. Also, if you did not enter 7 or more chars, you again go to the bad routine (the loop runs into the terminating 0 byte, which is less than 30).

00401185  XOR   EDX, EDX            { The program nullifies EDX to use it as the loop counter; as you will see later, it takes the chars of your serial as EDX changes by 1 each loop… }
00401187  LEA   EDI, [ESP+2C]       { Loads the address of the string where your serial is… }
0040118B  OR    ECX, -01            { ECX = ECX or -01, so ECX = FFFFFFFF… }
0040118E  XOR   EAX, EAX            { EAX=0… }
00401190  REPNZ SCASB               { Scans the serial for the terminating 0 byte, decreasing ECX for every byte scanned }
00401192  MOV   AL, [EDX+ESP+10]    { Here the program refers to another string, from which it takes some numbers for calculating the serial. }
00401196  NOT   ECX                 { ECX = not ECX; NOT is a logical operation that flips every bit of the operand to its opposite: a 1 becomes 0, and the reverse… }
00401198  DEC   ECX                 { Decreases ECX; after this operation ECX holds the length of your serial. This length plays a great role in calculating the serial number… }
00401199  ADD   CL, AL              { ADDition; adds two numbers: the length of your serial and the number located at [EDX+ESP+10] }
0040119B  MOV   AL, [EDX+ESP+2C]    { MOVes a char of your serial to AL. As the loop counter { that is EDX } changes, each loop the program takes the char that corresponds to the EDX value }
0040119F  XOR   CL, AL              { XORs the sum { ADD CL, AL } with your char }
004011A1  MOV   [EDX+ESP+10], CL    { Stores the result at this address }
004011A5  INC   EDX                 { In this loop EDX is your loop counter… EDX=EDX+1 }
004011A6  CMP   EDX, 07             { Compares EDX with 7, so there will be 7 cycles }
004011A9  JL    00401187            { Jump if EDX is Less than 7 }

Note:
This is our main loop, where all the calculations take place. To make it clearer { if somebody did not understand }, the program does this:

1:- It loads a number { a constant } and moves it to the AL register { you can see it in the code }.
2:- Then the length of your serial is ADDed to this number, so another number is formed.
3:- This ‘another’ number is XORed with the corresponding char of your serial { the first char in the first cycle }.
4:- The final number is stored as an element of an array, and in the next loop these elements will be compared with other values; if they match, you are a good reverser.

Constant Numbers: { These numbers are located at [EDX+ESP+10]; there are many numbers as elements of the array. We do not have to regard all of them, ‘coz the loop counter is 7. I am going to give you more than 7, but you should take only the first 7. } So, when you type d [EDX+ESP+10] you should see these numbers in the data window:

35 33 42 12 29 1E 07 17 BC 54 01 01 FC 2C 02 00

Let’s see what happens in the next loop, then we are going to make some calculations…

Some people would start calculating the serial from this point, but I suggest you look through the code of the next loop { it helped me a lot in reversing this little program }. Let’s see the last loop..

004011AB  MOV   ESI, 00404020       { A new string appears. It says TSCube. Type d ESI to see this nick, and look at the top left of the data window, where you are going to see the numbers 54 53 43 75 62 65 00 00… These numbers are going to be compared with the values that you got in the previous loop }
004011B0  LEA   EAX, [ESP+10]       { Here they go, the numbers from the previous loop; type d EAX and you will see them. A little bit later the program will take them one by one for comparing… These are the numbers you obtained after the XORing process }
004011B4  MOV   DL, [EAX]           { Takes one number and MOVes it to DL… }
004011B6  MOV   CL, DL              { From DL to CL }
004011B8  CMP   DL, [ESI]           { Compares your number with 54 (‘T’) in the first loop }
004011BA  JNZ   004011D8            { Jump to the bad routine if they are not equal }
004011BC  TEST  CL, CL              { Tests CL; if you reach this point and CL is equal to 0, then you may consider that you will jump to the Good message… }
004011BE  JZ    004011D4            { Jump if Zero }
004011C0  MOV   DL, [EAX+1]         { Takes the next number that you got after XORing }
004011C3  MOV   CL, DL              { MOVes it to CL }
004011C5  CMP   DL, [ESI+1]         { Compares it with 53, that is ‘S’… }
004011C8  JNZ   004011D8            { Jump to the bad routine if they are not equal }
004011CA  ADD   EAX, 02             { Shifts the string where your numbers (that you got after XORing) are located by two, so the program will take the next 2 for comparing.. }
004011CD  ADD   ESI, 02             { Shifts the name also by 2 }
004011D0  TEST  CL, CL              { Checks if the value of CL = 0 }
004011D2  JNZ   004011B4            { Jump if it is not equal to 0, back to the start of the loop }

004011D4  XOR   EAX, EAX            { XORs EAX with EAX; after this operation EAX=0 }
004011D6  JMP   004011DD            { Jump to the good routine }

Note:
Ok, this is our last loop, from which I have gathered enough information for reversing the program. Now you are ready to receive my way of reversing it. Some words about this last loop: it is a comparison loop that takes all the elements of the array you got in the previous loop and compares them with the numbers: 54 53 43 75 62 65 00 00

Strategy:
So, as you all understood, we somehow should obtain these numbers { after manipulation of the serial }:
54 53 43 75 62 65 00 00

Let us see the constant numbers { just the first 7 of them }: 35 33 42 12 29 1E 07
Let’s assume that as a serial you have entered: X1 X2 X3 X4 X5 X6 X7 { for now we do not know the exact length of the serial }

Brief operations that we have seen in those loops:

Cycle #1:- It TAKES the first constant, ADDS the length of the serial to it and XORs the result with the first char of the serial:
              (35 + length of serial) xor X1, and this operation should be equal to 54
Let the length of the serial be L, so:
              (35+L) xor X1 = 54
Cycle #2: (33+L) xor X2 = 53
Cycle #3: (42+L) xor X3 = 43
Cycle #4: (12+L) xor X4 = 75
Cycle #5: (29+L) xor X5 = 62
Cycle #6: (1E+L) xor X6 = 65
Cycle #7: (07+L) xor X7 = 00

Let us use the information from the last cycle to find the serial. Remember, in the first loop the program was checking whether you entered only digits as the serial. And the range of the digits is 0-9, in hex that is 30-39.
So, using this information, the last cycle tells us everything we should know about the length of the serial. As you can see, to get a zero result after XORing, the 2 numbers have to be equal. For example,
5 xor 5 is 0. So the largest available serial length is: 39h-07, and that is 32h (50 decimal).

So, the available length of the serial is [7-50], but to get zero in the last cycle you have to have the range from 29h to 32h, so you have to put these numbers { that are in the range } in place of L and find X1, X2, X3, X4, X5, X6, X7. Oh, let me guess and put 32h in place of L; let’s see…

1: (35+32) xor 54=X1          67 xor 54=X1 => X1=33  and the char is digit ‘3’
2: (33+32) xor 53=X2          65 xor 53=X2 => X2=36  and the char is digit ‘6’
3: (42+32) xor 43=X3          X3=’7’
4: (12+32) xor 75=X4          X4=’1’
5: (29+32) xor 62=X5          X5=’9’
6: (1E+32) xor 65=X6          X6=’5’
7: (07+32) xor 00=X7          X7=’9’

Almost End:
You see, we have found the numbers that will take us to the Good Message, but you must not forget that the length of our serial was chosen as 32h, i.e. 50 decimal. We have found the first 7, and after these 7 you can enter any sequence of digits that you want. The main idea is to have these 7 first and a serial length of 50 digits.
Serial:          36719591111111111111111111111111111111111111111111
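As an added example (not part of Falcon's tutorial), the following Python re-implements the three loops exactly as the listings above describe them, then inverts the second loop for a chosen length L. It goes one step beyond the text: trying every L in the 29h..32h window against all seven cycles shows that 32h is the only length for which all 7 derived chars are digits. CONSTANTS and TARGET are the bytes read from the data window above; the function names are my own.

```python
# Re-implementation of the TSCube crackme 1 check (added example, not the
# original program's code). CONSTANTS are the first 7 bytes at [EDX+ESP+10],
# TARGET is the string at 00404020 plus the terminating 0 that loop 3 needs.
CONSTANTS = bytes([0x35, 0x33, 0x42, 0x12, 0x29, 0x1E, 0x07])
TARGET = b"TSCube\x00"


def check_serial(serial: bytes) -> bool:
    """Mirror of the three loops at 00401169..004011D6; True means 'Registered'."""
    # Loop 1 (00401169): the first 7 bytes must be '0'..'9'. A serial shorter
    # than 7 runs into the terminating 0x00, which is < 0x30, so it fails too.
    buf = serial + b"\x00" * 7
    if any(not 0x30 <= buf[i] <= 0x39 for i in range(7)):
        return False
    # Loop 2 (00401187): out[i] = ((const[i] + strlen) & 0xFF) ^ serial[i].
    # REPNZ SCASB / NOT / DEC recompute strlen every pass; ADD CL, AL is 8-bit.
    length = len(serial)
    out = bytes(((CONSTANTS[i] + length) & 0xFF) ^ buf[i] for i in range(7))
    # Loop 3 (004011B4): compare out[] with "TSCube" and stop at the 0 byte,
    # so out[6] must be 0 to reach XOR EAX, EAX and the good routine.
    return out == TARGET


def solve_prefix(length: int) -> str:
    """Invert loop 2 for a chosen length L: X[i] = ((const[i] + L) & 0xFF) ^ target[i]."""
    digits = bytes(((c + length) & 0xFF) ^ t for c, t in zip(CONSTANTS, TARGET))
    if any(not 0x30 <= d <= 0x39 for d in digits):
        raise ValueError(f"length {length:#x} needs a non-digit char in the first 7")
    return digits.decode()


def valid_lengths() -> list:
    """Every L for which all 7 derived chars are digits (only 0x32 survives)."""
    good = []
    for length in range(7, 256):
        if all(0x30 <= ((c + length) & 0xFF) ^ t <= 0x39
               for c, t in zip(CONSTANTS, TARGET)):
            good.append(length)
    return good


if __name__ == "__main__":
    prefix = solve_prefix(0x32)              # "3671959"
    serial = prefix.encode() + b"1" * (0x32 - 7)
    print(prefix, valid_lengths(), check_serial(serial))
```

Lengths 29h..31h satisfy the last cycle but give a non-digit in one of the earlier cycles, so solve_prefix raises for them and only the 50-char serial passes check_serial.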
 

Final Thoughts

No comments.
 

Greetings to...

All members from Genocide Crew, {czDrillard congrats with receiving Council status; Gandalf thanks for .gif}
 http://www.genocidecrew.cjb.net/

All members from Hellforge { LaZaRuS, Acid_Cool_178, Ac|dfusion, Dark_Wolf, Mercution… }
Enormous thanks go to Acid_Cool_178 and Mercution { his design of this tut } for providing me with LOGOs
http://www.kickme.to/Hellforge

tHe CrEaM members { for their good intent to help everybody }

To every one who makes tutorials…
Cool coders:
        Terminal Cilla, AntiXrist, Chafe, The+Q, LaZaRuS, defiler, Lucifer48,
        CzDrillard { he is great in making good Math algos}
Reversers  :
        SiFLyiNG, mIST, zvem, TSCube, Marton, and everybody I forgot to add..
 

The end.

Any mistakes, corrections, or comments may be mailed to the members individually, or to the group : hellforge@hellforge.org.