June 99
|
Writing Key Generator for Balance 95
|
Win '95 Program
Win Code Reversing
|
|
by ViPeR
|
|
|
Code Reversing For Beginners
|
|
|
Program Details
Program Name: Balance 95 (abal95.zip)
Program Type: checkbook balancing and analysis software.
Program Location: Here
Program Size: 797 K
|
|
|
Tools Used:
Softice V3.2 - Debugger
|
Rating
|
Easy
( X ) Medium ( ) Hard ( ) Pro
( )
|
There
is a crack, a crack in everything. That's how the light gets in. |
Balance 95
'Key generator for Balance 95'
Written by ViPeR
Balance 95 facilitates the balancing and analysis of checking accounts. Entries are added using a dialog box which has
several features to speed entry. Balance 95 has graphing functions which permit the graphical presentation of account
information. There is an audit dialog box to help you reconcile your statement. Your account information can be sorted
several ways and a purge function is included to make reducing file size easy. A toolbar contains buttons for common
tasks. The program includes a calendar and calculator and password protection for files.
About this protection system
|
45 day trial period. You need to enter name, and key in order to register this program.
For this example, I use:
Name : ProfViper
Registration number : 5454545. (it should be of size 7 characters. trust me on that)
Here, I assume the variable reg_name[7]="ProfViper". So, reg_name[0]='P',
reg_name[1]='r', etc.
I will say it is much easier to look at the source code below first in order to understand how the author
calculate the registration number based on your name. Anyway, here is what you see after
you used W32dasm on the isbl95re.dll. (yeh right, the checking routine is inside
that DLL file.
Exported fn(): CheckRegistration(char*,char*) ; <-- see this?
:0040157C 55 push ebp
:0040157D 8BEC mov ebp, esp
:0040157F 83C4DC add esp, FFFFFFDC
:00401582 53 push ebx
:00401583 56 push esi
:00401584 57 push edi
:00401585 8B750C mov esi, dword ptr [ebp+0C]
:00401588 FF7508 push [ebp+08]
:0040158B E8DC050000 call 00401B6C
:00401590 59 pop ecx
:00401591 83F807 cmp eax, 00000007 ;registration number should
;contain 7 characters
:00401594 7407 je 0040159D
:00401596 33C0 xor eax, eax
:00401598 E9FE000000 jmp 0040169B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401594(C)
|
:0040159D 33D2 xor edx, edx
:0040159F 8955FC mov dword ptr [ebp-04], edx
:004015A2 33C9 xor ecx, ecx
:004015A4 894DF8 mov dword ptr [ebp-08], ecx
:004015A7 33FF xor edi, edi
:004015A9 56 push esi
:004015AA E8BD050000 call 00401B6C
:004015AF 59 pop ecx
:004015B0 33DB xor ebx, ebx
:004015B2 3BC3 cmp eax, ebx
:004015B4 7E0C jle 004015C2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015C0(C)
|
:004015B6 0FBE141E movsx edx, byte ptr [esi+ebx]
:004015BA 0155FC add dword ptr [ebp-04], edx
:004015BD 43 inc ebx
:004015BE 3BC3 cmp eax, ebx
:004015C0 7FF4 jg 004015B6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015B4(C)
|
:004015C2 33DB xor ebx, ebx
:004015C4 EB08 jmp 004015CE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015D3(C)
|
:004015C6 0FBE141E movsx edx, byte ptr [esi+ebx]
:004015CA 8955F8 mov dword ptr [ebp-08], edx
:004015CD 43 inc ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015C4(U)
|
:004015CE 8D48FF lea ecx, dword ptr [eax-01]
:004015D1 3BD9 cmp ebx, ecx
:004015D3 7CF1 jl 004015C6
:004015D5 33DB xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015DF(C)
|
:004015D7 0FBE3C1E movsx edi, byte ptr [esi+ebx]
:004015DB 43 inc ebx
:004015DC 83FB02 cmp ebx, 00000002
:004015DF 7CF6 jl 004015D7
:004015E1 33DB xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015F8(C)
|
:004015E3 8B4508 mov eax, dword ptr [ebp+08]
:004015E6 8A1418 mov dl, byte ptr [eax+ebx]
:004015E9 52 push edx
:004015EA E8B3000000 call 004016A2
:004015EF 59 pop ecx
:004015F0 89449DDC mov dword ptr [ebp+4*ebx-24], eax
:004015F4 43 inc ebx
:004015F5 83FB07 cmp ebx, 00000007
:004015F8 7CE9 jl 004015E3
:004015FA 8B45FC mov eax, dword ptr [ebp-04] ; eax=hex sum of name
:004015FD B909000000 mov ecx, 00000009
:00401602 99 cdq
:00401603 F7F9 idiv ecx ; eax/9, edx=remainder
:00401605 3B55DC cmp edx, dword ptr [ebp-24]
:00401608 7407 je 00401611
:0040160A 33C0 xor eax, eax
:0040160C E98A000000 jmp 0040169B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401608(C)
|
:00401611 8B45F8 mov eax, dword ptr [ebp-08] ;eax=reg_name[length-2]
;reg_name[length-2]='e'
;in our case
:00401614 B909000000 mov ecx, 00000009
:00401619 99 cdq
:0040161A F7F9 idiv ecx ; eax/9, edx=remainder
:0040161C 3B55E0 cmp edx, dword ptr [ebp-20]
:0040161F 7404 je 00401625
:00401621 33C0 xor eax, eax
:00401623 EB76 jmp 0040169B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040161F(C)
|
:00401625 8BC7 mov eax, edi ;eax=reg_name[1]
:00401627 B909000000 mov ecx, 00000009
:0040162C 99 cdq
:0040162D F7F9 idiv ecx ; eax/9, edx=remainder
:0040162F 3B55E4 cmp edx, dword ptr [ebp-1C]
:00401632 7404 je 00401638
:00401634 33C0 xor eax, eax
:00401636 EB63 jmp 0040169B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401632(C)
|
:00401638 8B45F8 mov eax, dword ptr [ebp-08]
:0040163B 03C7 add eax, edi ;eax=reg_name[1]+reg_name[length-2]
:0040163D B909000000 mov ecx, 00000009
:00401642 99 cdq
:00401643 F7F9 idiv ecx ; eax/9, edx=remainder
:00401645 3B55E8 cmp edx, dword ptr [ebp-18]
:00401648 7404 je 0040164E
:0040164A 33C0 xor eax, eax
:0040164C EB4D jmp 0040169B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401648(C)
|
:0040164E 8B45F8 mov eax, dword ptr [ebp-08]
:00401651 03C7 add eax, edi ; eax=reg_name[1]+reg_name[length-2]
:00401653 B907000000 mov ecx, 00000007
:00401658 99 cdq
:00401659 F7F9 idiv ecx ; eax/7, edx=remainder
:0040165B 83C202 add edx, 00000002 ; edx=edx+2
:0040165E 3B55EC cmp edx, dword ptr [ebp-14]
:00401661 7404 je 00401667
:00401663 33C0 xor eax, eax
:00401665 EB34 jmp 0040169B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401661(C)
|
:00401667 8B45FC mov eax, dword ptr [ebp-04]
:0040166A 03C7 add eax, edi ;eax=(sum of Name in hex)+reg_name[1]
:0040166C B909000000 mov ecx, 00000009
:00401671 99 cdq
:00401672 F7F9 idiv ecx ; eax/9, edx=remainder
:00401674 3B55F0 cmp edx, dword ptr [ebp-10] ; compare
:00401677 7404 je 0040167D
:00401679 33C0 xor eax, eax
:0040167B EB1E jmp 0040169B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401677(C)
|
:0040167D 8B45FC mov eax, dword ptr [ebp-04]
:00401680 03C7 add eax, edi ; eax=(sum of Name in hex)+reg_name[1]
:00401682 B906000000 mov ecx, 00000006
:00401687 99 cdq
:00401688 F7F9 idiv ecx ; divide by 6, the remainder is in edx
:0040168A 83C203 add edx, 00000003 ; edx=edx+3
:0040168D 3B55F4 cmp edx, dword ptr [ebp-0C] ; compare them
:00401690 7404 je 00401696
:00401692 33C0 xor eax, eax
:00401694 EB05 jmp 0040169B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401690(C)
|
:00401696 B801000000 mov eax, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401598(U), :0040160C(U), :00401623(U), :00401636(U), :0040164C(U)
|:00401665(U), :0040167B(U), :00401694(U)
|
:0040169B 5F pop edi
:0040169C 5E pop esi
:0040169D 5B pop ebx
:0040169E 8BE5 mov esp, ebp
:004016A0 5D pop ebp
:004016A1 C3 ret
The Source Code for the Key Generator
|
//
// Key Generator for Balance 95
// Author : +ViPeR+
// compiled using VC++ 6.0
// June 1, 1999
#include <stdio.h>
#include <string.h>
void main(){
// size_t = unsign integer
char reg_name[255] = {0};
size_t i = 0;
size_t decCode = 0;
size_t one = 0;
size_t two = 0;
size_t three = 0;
size_t four = 0;
size_t five = 0;
size_t six = 0;
size_t seven = 0;
size_t length = 0;
printf(" __ __ \n");
printf(" \\ \\ / / ___ _____ ________ _______ \n");
printf(" \\ \\ / / / / / ___ \\ / ______/ / ___ / \n");
printf(" \\ / / / / _____/ / ______/ / __ / \n");
printf(" \\ / /__/ /__/ /_______/ /__/ \\__\\ \n");
printf(" \n");
printf(" [ Key Generator for Balance95 ] \n");
printf(" [ http://www.lithic.com/software/software.html ] \n");
printf(" \n");
printf("Name: ");
scanf("%s", reg_name);
length = strlen(reg_name);
for(i = 0 ; i < length; i++)
{
decCode += reg_name[i];
}
one = decCode % 9;
two = reg_name[length-2] % 9;
three = reg_name[1] % 9;
four = (reg_name[length-2] + reg_name[1]) % 9;
five = (reg_name[length-2] + reg_name[1]) % 7 + 2;
six = (decCode + reg_name[1]) % 9;
seven = (decCode + reg_name[1]) % 6 + 3;
printf("Key : %d%d%d%d%d%d%d\n", one, two, three, four, five, six, seven);
}
|
Do I really have to remind you all
that by buying and NOT stealing the software you use will ensure that these
software houses will continue to produce even *better* software for
us to use and more importantly, to continue offering even more challenges
to breaking their often weak protection systems.
If your looking for cracks or serial
numbers from these pages then your wasting your time, try searching elsewhere
on the Web under Warze, Cracks etc.
Essay
by: ViPeR
Page Created: 2nd June
1999