|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
||
|
|
|
There is a crack, a crack in everything. That's how the light gets in. |
|
|
|
|
|
|
Fire up soft-ice(Ctrl-D) and set a break point on hmemcpy (bpx hmemcpy). Click the "Register" button and *BOOM*, you are back into Soft-Ice. Type x, enter, x enter and press F11 to go back to the caller. Press F12 7 times and F10 23 times (you will hit several "RET") until you are in the following code:
:004DB9E4 E8C76BF5FF call 004325B0 :004DB9E9 8B45F4 mov eax, dword ptr [ebp-0C] ; <-- You are here :004DB9EC 50 push eax : : :Press F10 several times and you land here,
:004DBA1C E8FB57FFFF call 004D121C ; You are here now. : : :Step inside this call by pressing F8. Then, keep pressing F10,
:004D121C 55 push ebp :004D121D 8BEC mov ebp, esp :004D121F 81C4E8FDFFFF add esp, FFFFFDE8 :004D1225 33C0 xor eax, eax :004D1227 8985E8FEFFFF mov dword ptr [ebp+FFFFFEE8], eax :004D122D 8D45EC lea eax, dword ptr [ebp-14] :004D1230 8B15DC0F4D00 mov edx, dword ptr [004D0FDC] :004D1236 E8A532F3FF call 004044E0 :004D123B 33C0 xor eax, eax :004D123D 55 push ebp :004D123E 680C134D00 push 004D130C :004D1243 64FF30 push dword ptr fs:[eax] :004D1246 648920 mov dword ptr fs:[eax], esp :004D1249 8D45EC lea eax, dword ptr [ebp-14] :004D124C E897FEFFFF call 004D10E8 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004D11DC(C) | :004D1251 33C9 xor ecx, ecx :004D1253 B201 mov dl, 01 :004D1255 A1F4034D00 mov eax, dword ptr [004D03F4] :004D125A E8D5F9FFFF call 004D0C34 :004D125F 8945F8 mov dword ptr [ebp-08], eax :004D1262 33C0 xor eax, eax :004D1264 55 push ebp :004D1265 68DE124D00 push 004D12DE :004D126A 64FF30 push dword ptr fs:[eax] :004D126D 648920 mov dword ptr fs:[eax], esp :004D1270 8D85E8FEFFFF lea eax, dword ptr [ebp+FFFFFEE8] :004D1276 8B4DF0 mov ecx, dword ptr [ebp-10] ; :004D1279 BA24134D00 mov edx, 004D1324Until you are at 004D1279. If you d ecx, you will see the fake key '54545454' in the data window, and d edx, you will see '$'.
:004D127E E8252DF3FF call 00403FA8 :004D1283 8B95E8FEFFFF mov edx, dword ptr [ebp+FFFFFEE8]Type d edx and edx now contains '$54545454'. Notice that the length of this string is 9. Let's keep tracing the code.
:004D1289 8D85ECFEFFFF lea eax, dword ptr [ebp+FFFFFEEC]
:004D128F B9FF000000 mov ecx, 000000FF
:004D1294 E89F2CF3FF call 00403F38 ; copy '$54545454' to a new address
; d edx and you will see it.
:004D1299 8D85ECFEFFFF lea eax, dword ptr [ebp+FFFFFEEC]
:004D129F 50 push eax
:004D12A0 8D85E8FDFFFF lea eax, dword ptr [ebp+FFFFFDE8]
:004D12A6 8B55EC mov edx, dword ptr [ebp-14] ; edx contains Name
:004D12A9 B9FF000000 mov ecx, 000000FF
:004D12AE E8852CF3FF call 00403F38 ; calculate the length of 'ProfViper'
:004D12B3 8D95E8FDFFFF lea edx, dword ptr [ebp+FFFFFDE8] ; edx contains Name
:004D12B9 8B45F8 mov eax, dword ptr [ebp-08]
:004D12BC 59 pop ecx ; ecx contains the fake key
:004D12BD E846F8FFFF call 004D0B08 ; this is the call we need to step in.
:
:
:
(2)The door to the key generating roution
===============================================================================
* Referenced by a CALL at Address:
|:004D12BD
|
:004D0B08 53 push ebx
:004D0B09 56 push esi
:004D0B0A 57 push edi
:004D0B0B 83C4C0 add esp, FFFFFFC0
:004D0B0E 8BF1 mov esi, ecx
:004D0B10 8D3C24 lea edi, dword ptr [esp]
:004D0B13 33C9 xor ecx, ecx
:004D0B15 8A0E mov cl, byte ptr [esi]
:004D0B17 80F909 cmp cl, 09 ; 8 chars of fake reg. code + 1)
; from here, we know the key should
; be at least 8 chars.
:004D0B1A 7202 jb 004D0B1E
:004D0B1C B109 mov cl, 09
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D0B1A(C)
|
:004D0B1E 880F mov byte ptr [edi], cl
:004D0B20 46 inc esi
:004D0B21 47 inc edi
:004D0B22 F3 repz
:004D0B23 A4 movsb
:004D0B24 8BF2 mov esi, edx
:004D0B26 8D7C240A lea edi, dword ptr [esp+0A]
:004D0B2A 33C9 xor ecx, ecx
:004D0B2C 8A0E mov cl, byte ptr [esi]
:004D0B2E 80F932 cmp cl, 32
:004D0B31 7202 jb 004D0B35
:004D0B33 B132 mov cl, 32
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D0B31(C)
|
:004D0B35 880F mov byte ptr [edi], cl
:004D0B37 46 inc esi
:004D0B38 47 inc edi
:004D0B39 F3 repz
:004D0B3A A4 movsb
:004D0B3B 8BD8 mov ebx, eax
:004D0B3D 33D2 xor edx, edx
:004D0B3F 8A54240A mov dl, byte ptr [esp+0A]
:004D0B43 42 inc edx
:004D0B44 83FA32 cmp edx, 00000032
:004D0B47 7F0E jg 004D0B57
:004D0B49 8D44140A lea eax, dword ptr [esp+edx+0A]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D0B55(C)
|
:004D0B4D C6002A mov byte ptr [eax], 2A
:004D0B50 42 inc edx
:004D0B51 40 inc eax
:004D0B52 83FA33 cmp edx, 00000033
:004D0B55 75F6 jne 004D0B4D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D0B47(C)
|
:004D0B57 8BCC mov ecx, esp
:004D0B59 8D54240A lea edx, dword ptr [esp+0A]
:004D0B5D 8BC3 mov eax, ebx
:004D0B5F E8FCFEFFFF call 004D0A60 ; call the real-key calculation
; routine.
:
:
At this point, you have two choice:
(i) if you step through the call 004D0A60, you will see the key in the data window. Actually, this is the second valid key for you to register this program. (you will see it later soon).In my case, it shows $D3712ECE. Note that only 'D3712ECE' is the registration key. Enter this key and you are registered.
(ii) step inside the call 004D0A60 and see what happen.
(3) Another key you can use ===============================================================================
Nothing interesting until 004D0AAA.
:
:
:004D0AA1 50 push eax
:004D0AA2 8BCB mov ecx, ebx
:004D0AA4 8D54240E lea edx, dword ptr [esp+0E] ; edx contains Name
:004D0AA8 8BC6 mov eax, esi
:004D0AAA E805FEFFFF call 004D08B4 ; here, it generate '9AC65A60'.
; If you enter this key, you will
; see the thank you messagebox.
; if you are interested in writing
; a key generator you should check
; this routine.
:004D0AAF 8D442440 lea eax, dword ptr [esp+40]
Do a d eax at this point, you will see '$9AC65A60' in the data window. Actually, this is your first
registration key. You may exit Soft-Ice and enter 9AC65A60 to register and see
the thank you message box.
:004D0AB3 8BD4 mov edx, esp
:004D0AB5 33C9 xor ecx, ecx
:004D0AB7 8A08 mov cl, byte ptr [eax]
:004D0AB9 41 inc ecx
:004D0ABA E85921F3FF call 00402C18 ; comparision routine
;
:004D0ABF 0F94C0 sete al
:004D0AC2 84C0 test al, al
:004D0AC4 7538 jne 004D0AFE ; if the fake key is not the same as the first
; real key, continue to generate the second
; real key and compare them.
:004D0AC6 B301 mov bl, 01
:004D0AC8 889E75030000 mov byte ptr [esi+00000375], bl
:004D0ACE 8D442440 lea eax, dword ptr [esp+40]
:004D0AD2 50 push eax
:004D0AD3 8BCB mov ecx, ebx
:004D0AD5 8D54240E lea edx, dword ptr [esp+0E]
:004D0AD9 8BC6 mov eax, esi
:004D0ADB E8D4FDFFFF call 004D08B4 ; this routine generate another key.
; In my case, it gives 'D3712ECE'
; if you are interested in writing
; a key generator you should check
; this routine.
:004D0AE0 8D442440 lea eax, dword ptr [esp+40]
:004D0AE4 8BD4 mov edx, esp
:004D0AE6 33C9 xor ecx, ecx
:004D0AE8 8A08 mov cl, byte ptr [eax]
:004D0AEA 41 inc ecx
:004D0AEB E82821F3FF call 00402C18 ; compare the real key 'D3712ECE'
; with fake key.
:004D0AF0 0F94C0 sete al
:004D0AF3 3C01 cmp al, 01
:004D0AF5 7507 jne 004D0AFE
:004D0AF7 C6867503000001 mov byte ptr [esi+00000375], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004D0AC4(C), :004D0AF5(C)
|
:004D0AFE 83C44C add esp, 0000004C
:004D0B01 5F pop edi
:004D0B02 5E pop esi
:004D0B03 5B pop ebx
:004D0B04 C3 ret
(4) Comparision routine =============================================================================== The following code is the comparision routine after the real key is been generated. See the comments for the details.
* Referenced by a CALL at Addresses: |:00403642 , :004D0ABA , :004D0AEB | :00402C18 53 push ebx :00402C19 56 push esi :00402C1A 51 push ecx :00402C1B 89CE mov esi, ecx :00402C1D C1EE02 shr esi, 02 :00402C20 7426 je 00402C48 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00402C3E(C) | :00402C22 8B08 mov ecx, dword ptr [eax] :00402C24 8B1A mov ebx, dword ptr [edx]In our case,
:00402C26 39D9 cmp ecx, ebx ; do the comparision :00402C28 7545 jne 00402C6F ; not equel? bad cracker. :00402C2A 4E dec esi :00402C2B 7415 je 00402C42 :00402C2D 8B4804 mov ecx, dword ptr [eax+04] :00402C30 8B5A04 mov ebx, dword ptr [edx+04]Take the next four real key values and next four fake key values and compare them.
:00402C33 39D9 cmp ecx, ebx ; do the comparision
:00402C35 7538 jne 00402C6F ; not equal? bad cracker.
:00402C37 83C008 add eax, 00000008 ; adjust eax (coz we have
; compared 8 chars.)
:00402C3A 83C208 add edx, 00000008 ; adjust edx
:00402C3D 4E dec esi
:00402C3E 75E2 jne 00402C22
:00402C40 EB06 jmp 00402C48
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402C2B(C)
|
:00402C42 83C004 add eax, 00000004
:00402C45 83C204 add edx, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402C20(C), :00402C40(U)
|
:00402C48 5E pop esi
:00402C49 83E603 and esi, 00000003
:00402C4C 7436 je 00402C84
:00402C4E 8A08 mov cl, byte ptr [eax] ; cl='C'
:00402C50 3A0A cmp cl, byte ptr [edx] ; compare '5' with 'C'
:00402C52 7530 jne 00402C84 ; not equal? bad cracker
:00402C54 4E dec esi
:00402C55 7413 je 00402C6A
:00402C57 8A4801 mov cl, byte ptr [eax+01] ; similar to above.
:00402C5A 3A4A01 cmp cl, byte ptr [edx+01]
:00402C5D 7525 jne 00402C84
:00402C5F 4E dec esi
:00402C60 7408 je 00402C6A
:00402C62 8A4802 mov cl, byte ptr [eax+02]
:00402C65 3A4A02 cmp cl, byte ptr [edx+02]
:00402C68 751A jne 00402C84
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402C55(C), :00402C60(C)
|
:00402C6A 31C0 xor eax, eax
:00402C6C 5E pop esi
:00402C6D 5B pop ebx
:00402C6E C3 ret
|
|
I didn't really trace the code that generate the registration key. If you are interested in writing a key generator your own, you may check the code at location 004D08B4. (if you do, could you send me one copy of it?)
My thanks and gratitude goes to:-
Fravia+ for providing possibly the greatest
source of Reverse Engineering
knowledge on the Web.
|
|