June 99
Writing Key Generator for Balance 95
Win '95 Program
Win Code Reversing
 
 
by ViPeR 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: Balance 95 (abal95.zip)
Program Type: checkbook balancing and analysis software.
Program Location: Here 
Program Size: 797 K
 
   
Tools Used:
Softice V3.2 - Debugger
 
Rating
Easy ( X )  Medium (  )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
Balance 95
'Key generator for Balance 95'
Written by ViPeR
 
 
Introduction
 
Balance 95 facilitates the balancing and analysis of checking accounts. Entries are added using a dialog box which has several features to speed entry. Balance 95 has graphing functions which permit the graphical presentation of account information. There is an audit dialog box to help you reconcile your statement. Your account information can be sorted several ways and a purge function is included to make reducing file size easy. A toolbar contains buttons for common tasks. The program includes a calendar and calculator and password protection for files.
 
About this protection system
 
45 day trial period. You need to enter name, and key in order to register this program.
For this example, I use:
Name : ProfViper
Registration number : 5454545. (it should be of size 7 characters. trust me on that)
Here, I assume the variable reg_name[7]="ProfViper". So, reg_name[0]='P', reg_name[1]='r', etc.
 
The Essay 
     

  I will say it is much easier to look at the source code below first in order to understand how the author calculate the registration number based on your name. Anyway, here is what you see after you used W32dasm on the isbl95re.dll. (yeh right, the checking routine is inside that DLL file.

Exported fn(): CheckRegistration(char*,char*) ; <-- see this?
:0040157C 55                      push ebp
:0040157D 8BEC                    mov ebp, esp
:0040157F 83C4DC                  add esp, FFFFFFDC
:00401582 53                      push ebx
:00401583 56                      push esi
:00401584 57                      push edi
:00401585 8B750C                  mov esi, dword ptr [ebp+0C]
:00401588 FF7508                  push [ebp+08]
:0040158B E8DC050000              call 00401B6C
:00401590 59                      pop ecx
:00401591 83F807                  cmp eax, 00000007 ;registration number should
                                                    ;contain 7 characters
:00401594 7407                    je 0040159D
:00401596 33C0                    xor eax, eax
:00401598 E9FE000000              jmp 0040169B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401594(C)
|
:0040159D 33D2                    xor edx, edx
:0040159F 8955FC                  mov dword ptr [ebp-04], edx
:004015A2 33C9                    xor ecx, ecx
:004015A4 894DF8                  mov dword ptr [ebp-08], ecx
:004015A7 33FF                    xor edi, edi
:004015A9 56                      push esi
:004015AA E8BD050000              call 00401B6C
:004015AF 59                      pop ecx
:004015B0 33DB                    xor ebx, ebx
:004015B2 3BC3                    cmp eax, ebx
:004015B4 7E0C                    jle 004015C2

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015C0(C)
|
:004015B6 0FBE141E                movsx edx, byte ptr [esi+ebx]
:004015BA 0155FC                  add dword ptr [ebp-04], edx
:004015BD 43                      inc ebx
:004015BE 3BC3                    cmp eax, ebx
:004015C0 7FF4                    jg 004015B6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015B4(C)
|
:004015C2 33DB                    xor ebx, ebx
:004015C4 EB08                    jmp 004015CE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015D3(C)
|
:004015C6 0FBE141E                movsx edx, byte ptr [esi+ebx]
:004015CA 8955F8                  mov dword ptr [ebp-08], edx
:004015CD 43                      inc ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015C4(U)
|
:004015CE 8D48FF                  lea ecx, dword ptr [eax-01]
:004015D1 3BD9                    cmp ebx, ecx
:004015D3 7CF1                    jl 004015C6
:004015D5 33DB                    xor ebx, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015DF(C)
|
:004015D7 0FBE3C1E                movsx edi, byte ptr [esi+ebx]
:004015DB 43                      inc ebx
:004015DC 83FB02                  cmp ebx, 00000002
:004015DF 7CF6                    jl 004015D7
:004015E1 33DB                    xor ebx, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015F8(C)
|
:004015E3 8B4508                  mov eax, dword ptr [ebp+08]
:004015E6 8A1418                  mov dl, byte ptr [eax+ebx]
:004015E9 52                      push edx
:004015EA E8B3000000              call 004016A2
:004015EF 59                      pop ecx
:004015F0 89449DDC                mov dword ptr [ebp+4*ebx-24], eax
:004015F4 43                      inc ebx
:004015F5 83FB07                  cmp ebx, 00000007
:004015F8 7CE9                    jl 004015E3
:004015FA 8B45FC                  mov eax, dword ptr [ebp-04] ; eax=hex sum of name
:004015FD B909000000              mov ecx, 00000009
:00401602 99                      cdq
:00401603 F7F9                    idiv ecx ; eax/9, edx=remainder
:00401605 3B55DC                  cmp edx, dword ptr [ebp-24]
:00401608 7407                    je 00401611
:0040160A 33C0                    xor eax, eax
:0040160C E98A000000              jmp 0040169B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401608(C)
|
:00401611 8B45F8                  mov eax, dword ptr [ebp-08] ;eax=reg_name[length-2]
                                                              ;reg_name[length-2]='e'
															  ;in our case
:00401614 B909000000              mov ecx, 00000009
:00401619 99                      cdq
:0040161A F7F9                    idiv ecx ; eax/9, edx=remainder
:0040161C 3B55E0                  cmp edx, dword ptr [ebp-20]
:0040161F 7404                    je 00401625
:00401621 33C0                    xor eax, eax
:00401623 EB76                    jmp 0040169B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040161F(C)
|
:00401625 8BC7                    mov eax, edi ;eax=reg_name[1]
:00401627 B909000000              mov ecx, 00000009
:0040162C 99                      cdq
:0040162D F7F9                    idiv ecx ; eax/9, edx=remainder
:0040162F 3B55E4                  cmp edx, dword ptr [ebp-1C]
:00401632 7404                    je 00401638
:00401634 33C0                    xor eax, eax
:00401636 EB63                    jmp 0040169B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401632(C)
|
:00401638 8B45F8                  mov eax, dword ptr [ebp-08]
:0040163B 03C7                    add eax, edi ;eax=reg_name[1]+reg_name[length-2] 
:0040163D B909000000              mov ecx, 00000009
:00401642 99                      cdq
:00401643 F7F9                    idiv ecx ; eax/9, edx=remainder
:00401645 3B55E8                  cmp edx, dword ptr [ebp-18]
:00401648 7404                    je 0040164E
:0040164A 33C0                    xor eax, eax
:0040164C EB4D                    jmp 0040169B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401648(C)
|
:0040164E 8B45F8                  mov eax, dword ptr [ebp-08]
:00401651 03C7                    add eax, edi ; eax=reg_name[1]+reg_name[length-2]                    
:00401653 B907000000              mov ecx, 00000007
:00401658 99                      cdq
:00401659 F7F9                    idiv ecx ; eax/7, edx=remainder
:0040165B 83C202                  add edx, 00000002 ; edx=edx+2
:0040165E 3B55EC                  cmp edx, dword ptr [ebp-14]
:00401661 7404                    je 00401667
:00401663 33C0                    xor eax, eax
:00401665 EB34                    jmp 0040169B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401661(C)
|
:00401667 8B45FC                  mov eax, dword ptr [ebp-04]
:0040166A 03C7                    add eax, edi ;eax=(sum of Name in hex)+reg_name[1]
:0040166C B909000000              mov ecx, 00000009
:00401671 99                      cdq
:00401672 F7F9                    idiv ecx ; eax/9, edx=remainder
:00401674 3B55F0                  cmp edx, dword ptr [ebp-10] ; compare
:00401677 7404                    je 0040167D
:00401679 33C0                    xor eax, eax
:0040167B EB1E                    jmp 0040169B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401677(C)
|
:0040167D 8B45FC                  mov eax, dword ptr [ebp-04]
:00401680 03C7                    add eax, edi ; eax=(sum of Name in hex)+reg_name[1]
:00401682 B906000000              mov ecx, 00000006 
:00401687 99                      cdq
:00401688 F7F9                    idiv ecx ; divide by 6, the remainder is in edx
:0040168A 83C203                  add edx, 00000003 ; edx=edx+3
:0040168D 3B55F4                  cmp edx, dword ptr [ebp-0C] ; compare them
:00401690 7404                    je 00401696
:00401692 33C0                    xor eax, eax
:00401694 EB05                    jmp 0040169B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401690(C)
|
:00401696 B801000000              mov eax, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401598(U), :0040160C(U), :00401623(U), :00401636(U), :0040164C(U)
|:00401665(U), :0040167B(U), :00401694(U)
|
:0040169B 5F                      pop edi
:0040169C 5E                      pop esi
:0040169D 5B                      pop ebx
:0040169E 8BE5                    mov esp, ebp
:004016A0 5D                      pop ebp
:004016A1 C3                      ret

The Source Code for the Key Generator 

//
// Key Generator for Balance 95
// Author : +ViPeR+
// compiled using VC++ 6.0
// June 1, 1999

#include <stdio.h>
#include <string.h>

void main(){
    // size_t = unsign integer
    char reg_name[255] = {0};
    size_t i = 0;
    size_t decCode = 0;
    size_t one = 0;
    size_t two = 0;
    size_t three = 0;
    size_t four = 0;
    size_t five = 0;
    size_t six = 0;
    size_t seven = 0;
    size_t length = 0;

    printf(" __     __                                          \n");
    printf(" \\ \\   / /  ___   _____     ________   _______      \n");
    printf("  \\ \\ / /  /  /  / ___  \\  / ______/  / ___   /		\n");
    printf("   \\   /  /  /  /  _____/ / ______/  /  __   /		\n");
    printf("    \\ /  /__/  /__/      /_______/  /__/  \\__\\		\n");
    printf("                                                    \n");
    printf("           [ Key Generator for Balance95 ]           \n");
    printf("   [ http://www.lithic.com/software/software.html ]           \n");
    printf("                                                    \n");
    printf("Name: ");
    scanf("%s", reg_name);

    length = strlen(reg_name);

    for(i = 0 ; i < length; i++)
    {
        decCode += reg_name[i];
    }

    one = decCode % 9;
    two = reg_name[length-2] % 9;
    three = reg_name[1] % 9;
    four = (reg_name[length-2] + reg_name[1]) % 9;
    five = (reg_name[length-2] + reg_name[1]) % 7 + 2;
    six = (decCode + reg_name[1]) % 9;
    seven = (decCode + reg_name[1]) % 6 + 3;

    printf("Key : %d%d%d%d%d%d%d\n", one, two, three, four, five, six, seven);
}
Ob Duh 
 
 
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will continue to  produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.
 
If your looking for cracks or serial numbers from these pages then your wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.
   
 

Essay by: ViPeR
Page Created: 2nd June 1999