tARGET pROGRAM: QControl 1.01
pROTECTION: Registration Number
cURE: Registration
Number and KeyGen
uRL: http://www.andtechnologies.com/
pROGRAM sIZE:
1.01 Mb
tOOLS uSED: - SoftICE 4.01
- Delphi 3.0
dESCRIPTION: Qcontrol is a Win32
program which allows you to manage print queues/jobs on microsoft Windows and
Novell NetWare
networks. You can
access all printers/queues from a central, browsable administration point which
you can quickly navigate, and you don't need to install drivers on your desktop
in order to be able to manage jobs on all of your printers.
cOMPILED bY: Watcom C++
rEGISTRATION fEE: $195
Hi
Again! I hope you will enjoy my third TuT and helps you learn more!
ĥĤĴ| Register The Program
`ŻŻŻ'ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ'ŻŻŻŻ´
First
- Install the program.
- Run it ! Now, Go Utility/Register and put
your company name and a fake registration number.
I entred:
Company Name:
tBS '99
Registration Number:
11223344
DO NOT PRESS OK YET!!!, Press CTRL-D, Type
bpx GetDlgItemTextA to break when that function is called. CTRL-D again or F5
to return to QC. Click on " oK ". Bang! now we should look at the
funny SI window, press F12 two times and trace with F10 a bit till you land
here...
:0041013D 0FB705483B4300 movzx
eax, word ptr [00433B48] <-- Calculat & Put Bt of our company name in EAX
:00410144 8945F0 mov
dword ptr [ebp-10], eax <-- Put Bt in EBP-10
:00410147 C745F400000000
mov [ebp-0C], 00000000 <-- Emptying the place for the serial
:0041014E C705245B4300483B4300mov dword ptr [00435B24], 00433B48 <-- Useless
:00410158 A1245B4300 mov
eax, dword ptr [00435B24] <-- Put our company name in EAX
:0041015D 803800 cmp
byte ptr [eax], 00 <-- Check if we entered nothing or if we are at the end of
the company name
:00410160 7416
jz 00410178 <-- if equal jump
:00410162 A1245B4300
mov eax, dword ptr [00435B24] <-- Useless (repetition with line 00410158)
:00410167 0FB600 movzx eax, byte ptr [eax] <-- Put the 1st
char in EAX 't'
:0041016A 6BC049
imul eax,eax,49 <-- Multiplies EAX with 49h
:0041016D 0145F4
add dword ptr [ebp-0C], eax <-- Put & add the result in EBP-0C
:00410170 FF05245B4300
inc dword ptr [00435B24] <-- Increment position of the company name to 'B'
:00410176 EBE0
jmp 00410158 <-- Just redo it (there is no condition)
:00410178 8B45F4
mov eax, dword ptr [ebp-0C] <-- Put the result of the total multiplication of our company
name in EAX
:0041017B 0FAF45F0
imul eax, dword ptr [ebp-10] <-- Multiplies again, this time with 'Bt' and put the real
serial in EAX
:0041017F 8945F4 mov
dword ptr [ebp-0C], eax <-- Put the real serial in EBP-0C
:00410182 8B45F4 mov
eax, dword ptr [ebp-0C] <-- Useless (repetition again Arghh!!)
:00410185 50 push
eax <-- Save the real serial into the stack
After this code there are some pushs &
movs so let's us suppose the line 0041017B is the last one in the serial
creation routine, so do a ? EAX and write down the decimal one "middle
part
214F4928 0558844200 "!OI("
this
Go to QC, type it! :( what's wrong with
that, Hmmm !!! think a little bit, let's try the Hex numbers
214F4928 0558844200 "!OI("
this
Go to QC, type it! Yeah!! it's says 'thank
you for registering', you've just cracked it.
(note that the letters in the serial must be
Capital ones)
Wow! You see that is very easy protection,
this TuT is to show you a little of how to use intuition when
reverse-engineering a program. It might be wise to periodically check on the
decimal or hex values that the registers hold. But anyway there is another job
for us is the DeathBlow.
in line 00410167
EAX <= 116 // t is 116 dec ;EAX=116
0041016A EAX <= 116 * 73 // 49h is 73 dec ;EAX=8468
0041016D EBP-0C <= EBP-0C + 8468 // EBP-0C = 0 ;EBP-0C=8468
00410170 Inc by 1 to reach B
00410176 redo
repeat it until the end of the company name // EBP-0C = 32850
in line 0041017B EAX=32850 * EBP-10 // EBP-10 = Bt ;Bt is 17012 dec
;EAX=558844200
so if we convert it to hex, it will look
like this 214F4928
Now! we have all the rules to make a KeyGen.
Here is my source code for delphi but before...
1ĝ) Create a form
2ĝ) Create two edit boxes, 1st for Company
name and the 2nd for the registration number
3ĝ) Click on the 1st edit box in the form
4ĝ) Go to events in Object Inspector
5ĝ) Dbl Click on the right side of OnKeyUp ,
you should be between begin and end, right! please if not try again!
6ĝ) Copy/paste this code
7ĝ) Delete the first begin wish came after:
procedure TOKBottomDlg.Edit1KeyUp(Sender: TObject; var Key: word; Shift:
TShiftState);
So, there is no button, Esc to quit and for
the Reg Num just type what do you want!
The KeyGen:
`ŻŻŻ'ŻŻŻŻŻŻŻ´
----------------------Cut
Here--------------------------------------------------------------------------------------------
var
CNValue : LongInt;
CNValue1 : LongInt;
Serial : LongInt;
L,position : Byte;
begin
if key<>vk_escape then // Detect if any key was pressed except the Escape key
begin
L:=length(edit1.text); // What's the length of our company name
if l=0 then edit2.text:='Please Enter Your Company Name' // If equal to 0
then write a message
else // Else continue
begin
CNValue1:=0;
position:=1;
While
position <= L do
begin
CNValue:= Ord(edit1.text[position])*
$49;
CNValue1:=CNValue1+CNValue;
position:=position+1;
end;
CNValue:= Ord(Edit1.Text[2]); // This four lines reverse the 1st two chars
Serial:=CNValue * 256; // of the Company Name,
CNValue:= Ord(Edit1.Text[1]); // and convert them
Serial:=Serial + CNValue; // to Decimal Value
Serial:=CNValue1 * Serial;
edit2.text:=inttohex((Serial),8); // Prints the serial in hex format with eight Digits
end;
end
else close; // If Esc key was pressed then Quit
----------------------Cut
Here-----------------------------------------------------------------------------------------------
ĥĤĴ| Ending:
`ŻŻŻŻŻŻŻŻŻŻŻ´
Well, that's that. I hope you could follow
it all, For any comments or if there's anything that I didn't explain too well
then don't hesitate to mail me at: tBS@iquebec.com.
Greetingz to:
tKC , Northpole , Styx2000 , WaVeR`, DyNoBrEmO , Ivanopulo , rEd , schUmU , DaVinci , Nitallica , LagPRO , Socko , Fli7e , DnNuke, TDVFR ,
MonoMeow.