"CleanPC v1.1"
Mr_Stop
Location: http://members.aol.com/helhasan/myhomepage/
Program Type: Uninstall Program
Used Tools: SoftICE, W32Dasm
Easy ( X )  Medium ( )  Hard ( )  Expert ( )


Firstwords

This essay shows that many shareware programs still ship with easy protection. In it you will learn how to sniff a serial with SoftICE and what lstrcatA and wsprintf mean. At the end of the essay you can download my Win32asm keygen with source code.

Essay

This program is a simple uninstaller. It cleans temporary internet files and redundant or dead shortcuts. It is written in Visual C, which is why it is so small: only 160 KB. How do I know it is written in C? I use Gettype. It is a very good program for finding information about an exe: whether it is packed or not, which compiler was used, and so on. When we open the program it shows a nag screen asking us to register. Open the register dialog and enter Mister Stop as the name and 999888777 as the password. Before clicking OK we go into SoftICE and set breakpoints on GetWindowTextA and GetDlgItemTextA. Go back to the program and hit OK. We land back in SoftICE, which broke on GetDlgItemTextA. The program reads two fields, so we hit F11 twice to return to the program. After some F10s you will be here.

:00405B6E E85A030000              call 00405ECD ;Serial calculation and comparison
:00405B73 83C408                  add esp, 00000008
:00405B76 85C0                    test eax, eax
:00405B78 7440                    je 00405BBA  ;Bad guy jump
:00405B7A 8D9500FEFFFF            lea edx, dword ptr [ebp+FFFFFE00]
:00405B80 52                      push edx
:00405B81 8D8500FFFFFF            lea eax, dword ptr [ebp+FFFFFF00]
:00405B87 50                      push eax

Press F8 while at 00405B6E to step into the call, and you will see this.

:00405ECD 55                      push ebp
:00405ECE 8BEC                    mov ebp, esp
:00405ED0 81EC00010000            sub esp, 00000100
:00405ED6 8D8500FFFFFF            lea eax, dword ptr [ebp+FFFFFF00]
:00405EDC 50                      push eax
:00405EDD 8B4D08                  mov ecx, dword ptr [ebp+08]
:00405EE0 51                      push ecx
:00405EE1 E88C000000              call 00405F72 ;Calculate serial
:00405EE6 83C408                  add esp, 00000008
:00405EE9 8D9500FFFFFF            lea edx, dword ptr [ebp+FFFFFF00]
:00405EEF 52                      push edx
:00405EF0 8B450C                  mov eax, dword ptr [ebp+0C]
:00405EF3 50                      push eax
:00405EF4 E8B7020000              call 004061B0 ;Compare serials
:00405EF9 83C408                  add esp, 00000008
:00405EFC 85C0                    test eax, eax
:00405EFE 7507                    jne 00405F07 ;Bad guy
:00405F00 B801000000              mov eax, 00000001
:00405F05 EB02                    jmp 00405F09 ;good guy

When we are at 00405EE1 we hit F8 and step into this call. As you may have noticed, NOPing the bad-guy jump would also crack this program.

:00405FBF 8B95FCFEFFFF            mov edx, dword ptr [ebp+FFFFFEFC]
:00405FC5 83C201                  add edx, 00000001
:00405FC8 8995FCFEFFFF            mov dword ptr [ebp+FFFFFEFC], edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405FBD(U)
|
:00405FCE 8B85FCFEFFFF            mov eax, dword ptr [ebp+FFFFFEFC]
:00405FD4 3B85F4FEFFFF            cmp eax, dword ptr [ebp+FFFFFEF4]
:00405FDA 7322                    jnb 00405FFE ;all characters added ?
:00405FDC 8B4D08                  mov ecx, dword ptr [ebp+08]
:00405FDF 038DFCFEFFFF            add ecx, dword ptr [ebp+FFFFFEFC]
:00405FE5 0FBE11                  movsx edx, byte ptr [ecx]  ;take one charecter
:00405FE8 031590C04000            add edx, dword ptr [0040C090] ;add 38 **
:00405FEE 8B85F8FEFFFF            mov eax, dword ptr [ebp+FFFFFEF8]
:00405FF4 03C2                    add eax, edx	;add total to eax
:00405FF6 8985F8FEFFFF            mov dword ptr [ebp+FFFFFEF8], eax
:00405FFC EBC1                    jmp 00405FBF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405FDA(C)
|
:00405FFE 8B8DF8FEFFFF            mov ecx, dword ptr [ebp+FFFFFEF8]
:00406004 51                      push ecx

Where does this 38 come from? add edx, dword ptr [0040C090] means add the double word stored at 40C090 to edx. I found this value with d 40C090 in SoftICE. All ** values were found in this way. In this part the program takes one character of the name and adds 38, then sums all of them.

:0040603C 8B8DFCFEFFFF            mov ecx, dword ptr [ebp+FFFFFEFC]
:00406042 3B8DF4FEFFFF            cmp ecx, dword ptr [ebp+FFFFFEF4]
:00406048 7323                    jnb 0040606D ; have we processed all
:0040604A 8B5508                  mov edx, dword ptr [ebp+08]
:0040604D 0395FCFEFFFF            add edx, dword ptr [ebp+FFFFFEFC]
:00406053 0FBE02                  movsx eax, byte ptr [edx] ;take one char from name
:00406056 0FAF0594C04000          imul eax, dword ptr [0040C094] ;multiply with 52 **
:0040605D 8B8DF8FEFFFF            mov ecx, dword ptr [ebp+FFFFFEF8]
:00406063 03C8                    add ecx, eax ;write sum to ecx
:00406065 898DF8FEFFFF            mov dword ptr [ebp+FFFFFEF8], ecx
:0040606B EBC0                    jmp 0040602D

OK, let's go on with F10. After some tracing you will see this.

:004060BF 8B8DFCFEFFFF            mov ecx, dword ptr [ebp+FFFFFEFC]
:004060C5 3B8DF4FEFFFF            cmp ecx, dword ptr [ebp+FFFFFEF4]
:004060CB 7322                    jnb 004060EF ;have we processed all
:004060CD 8B5508                  mov edx, dword ptr [ebp+08]
:004060D0 0395FCFEFFFF            add edx, dword ptr [ebp+FFFFFEFC]
:004060D6 0FBE02                  movsx eax, byte ptr [edx] ;take one char from name
:004060D9 030598C04000            add eax, dword ptr [0040C098] ;add 12 ** 
:004060DF 8B8DF8FEFFFF            mov ecx, dword ptr [ebp+FFFFFEF8]
:004060E5 03C8                    add ecx, eax ;write sum to ecx
:004060E7 898DF8FEFFFF            mov dword ptr [ebp+FFFFFEF8], ecx
:004060ED EBC1                    jmp 004060B0

Now we have three parts of the serial. Going on with F10 you will see this.

:00406141 8B8DFCFEFFFF            mov ecx, dword ptr [ebp+FFFFFEFC]
:00406147 3B8DF4FEFFFF            cmp ecx, dword ptr [ebp+FFFFFEF4]
:0040614D 7323                    jnb 00406172
:0040614F 8B5508                  mov edx, dword ptr [ebp+08]
:00406152 0395FCFEFFFF            add edx, dword ptr [ebp+FFFFFEFC]
:00406158 0FBE02                  movsx eax, byte ptr [edx] ;take one char from name
:0040615B 0FAF059CC04000          imul eax, dword ptr [0040C09C] ;multiply with 14  **
:00406162 8B8DF8FEFFFF            mov ecx, dword ptr [ebp+FFFFFEF8]
:00406168 03C8                    add ecx, eax ;add sum to ecx
:0040616A 898DF8FEFFFF            mov dword ptr [ebp+FFFFFEF8], ecx
:00406170 EBC0                    jmp 00406132

After all this calculation we can see our serial. After the lstrcatA call, type d ecx. You will see 500-56264-1214-15148 in SoftICE's data window. I have coded a keygen for this easy protection. The keygen is again coded in Win32asm; it is 335 lines of code. Heheh, it sounds crazy but it is far from it. First of all, I don't write these 335 lines every time: I have a ready template for my keygens. I just find the keygen routine of the program, copy it into my keygen template, make some modifications, and tada, the keygen is ready. It is small, it is compact and it works on every Windows. If you coded this keygen in Delphi it would be 300 KB. What bloated software! CleanPC itself is only 160 KB. As you can see, coding in assembly is fun and has more benefits. If you don't know any programming language and want to start, I suggest C++ and assembly. I don't know if you care, but I have decided to publish my keygen source. In order to compile this package you need TASM 5.0 and the include files. If you don't have TASM I suggest you download CogenII from Protools. Put my keygen source file where tasm32 is, run make.exe and your keygen is ready to go. You can download the keygen and source code [cleanpc.zip - MISSING]. I suggest you look at the sources with UltraEdit or any good text editor. You can play with the sources and change whatever you want.
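As an added example (not the essay's TASM keygen), the four loops above modelled in Python with the constants the essay reads from 0040C090..0040C09C, plus the design weakness that falls out of them: every field depends only on the name's length and byte sum, and the compare at 004061B0 is a plain unkeyed string equality, so anagrams collide. For "Mister Stop" the last three fields reproduce the quoted 56264-1214-15148 exactly, while the first field as listed (char + 38, summed) comes out as 1500.

```python
# Added example, not the essay's keygen: a Python model of the routine at
# 00405F72 as the four traced loops show it, so a SoftICE trace can be
# checked offline. Constants are the values read with "d" from 0040C090..9C.
ADD_1, MUL_2, ADD_3, MUL_4 = 38, 52, 12, 14


def signed_byte(c: int) -> int:
    """movsx eax, byte ptr [edx]: each name byte is sign-extended before use."""
    return c - 256 if c >= 128 else c


def field_add(name: bytes, k: int) -> int:
    """Loops at 00405FCE and 004060BF: sum of (char + k) over every byte."""
    return sum(signed_byte(c) + k for c in name)


def field_mul(name: bytes, k: int) -> int:
    """Loops at 0040603C and 00406141: sum of (char * k) over every byte."""
    return sum(signed_byte(c) * k for c in name)


def cleanpc_serial(name: str) -> str:
    """The four fields joined with '-', as wsprintf/lstrcatA build them."""
    b = name.encode("latin-1")  # one byte per character, as the loops read it
    parts = (field_add(b, ADD_1), field_mul(b, MUL_2),
             field_add(b, ADD_3), field_mul(b, MUL_4))
    return "-".join(str(p) for p in parts)


def check_registration(name: str, serial: str) -> bool:
    """Model of the compare at 004061B0: plain string equality, no secret key."""
    return cleanpc_serial(name) == serial


def collide(a: str, b: str) -> bool:
    """Weakness: each field is a function of len(name) and the byte sum only,
    so two names with equal length and equal sum share one serial."""
    return cleanpc_serial(a) == cleanpc_serial(b)


if __name__ == "__main__":
    print(cleanpc_serial("Mister Stop"))
```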

Final Words

No notes. I am tired, just smile :)
