Used Tools:
This essay shows that still more shareware programs have easy protection. In this essay you will learn how to sniff a serial with SoftICE, and what lstrcatA and wsprintf mean. At the end of the essay you can download my win32asm keygen with source code.
This program is a simple uninstaller. It cleans temporary internet files and redundant and dead shortcuts. It is written in Visual C; therefore its size is small, only 160 KB. How do I know it is written in C? I used GetType. It is a very good program for finding information about an exe: whether it is packed or not, which compiler, and so on. We open our program and it shows us a nag screen to register the program. Open the register dialog and write Mister Stop as the name and 999888777 as the password. Before clicking the OK button we go to SoftICE and set breakpoints on GetWindowTextA and GetDlgItemTextA. Go back to the program and hit the OK button. We are back in SoftICE and see that it broke on GetDlgItemTextA. The dialog reads two fields, so we hit F11 two times to get back to the program. After some F10's you will be here.
:00405B6E E85A030000 call 00405ECD ;Serial calculation and comparison
:00405B73 83C408 add esp, 00000008
:00405B76 85C0 test eax, eax
:00405B78 7440 je 00405BBA ;Bad guy jump
:00405B7A 8D9500FEFFFF lea edx, dword ptr [ebp+FFFFFE00]
:00405B80 52 push edx
:00405B81 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00]
:00405B87 50 push eax
When we are at 00405B6E we press F8 to step into the call. You will see this.
:00405ECD 55 push ebp
:00405ECE 8BEC mov ebp, esp
:00405ED0 81EC00010000 sub esp, 00000100
:00405ED6 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00]
:00405EDC 50 push eax
:00405EDD 8B4D08 mov ecx, dword ptr [ebp+08]
:00405EE0 51 push ecx
:00405EE1 E88C000000 call 00405F72 ;Calculate serial
:00405EE6 83C408 add esp, 00000008
:00405EE9 8D9500FFFFFF lea edx, dword ptr [ebp+FFFFFF00]
:00405EEF 52 push edx
:00405EF0 8B450C mov eax, dword ptr [ebp+0C]
:00405EF3 50 push eax
:00405EF4 E8B7020000 call 004061B0 ;Compare serials
:00405EF9 83C408 add esp, 00000008
:00405EFC 85C0 test eax, eax
:00405EFE 7507 jne 00405F07 ;Bad guy
:00405F00 B801000000 mov eax, 00000001
:00405F05 EB02 jmp 00405F09 ;good guy
When we are at 00405EE1 we hit F8 and step into this call. As you have noticed, NOPing the bad guy jump also cracks this program.
:00405FBF 8B95FCFEFFFF mov edx, dword ptr [ebp+FFFFFEFC]
:00405FC5 83C201 add edx, 00000001
:00405FC8 8995FCFEFFFF mov dword ptr [ebp+FFFFFEFC], edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405FBD(U)
|
:00405FCE 8B85FCFEFFFF mov eax, dword ptr [ebp+FFFFFEFC]
:00405FD4 3B85F4FEFFFF cmp eax, dword ptr [ebp+FFFFFEF4]
:00405FDA 7322 jnb 00405FFE ;all characters added ?
:00405FDC 8B4D08 mov ecx, dword ptr [ebp+08]
:00405FDF 038DFCFEFFFF add ecx, dword ptr [ebp+FFFFFEFC]
:00405FE5 0FBE11 movsx edx, byte ptr [ecx] ;take one character
:00405FE8 031590C04000 add edx, dword ptr [0040C090] ;add 38 **
:00405FEE 8B85F8FEFFFF mov eax, dword ptr [ebp+FFFFFEF8]
:00405FF4 03C2 add eax, edx ;add total to eax
:00405FF6 8985F8FEFFFF mov dword ptr [ebp+FFFFFEF8], eax
:00405FFC EBC1 jmp 00405FBF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405FDA(C)
|
:00405FFE 8B8DF8FEFFFF mov ecx, dword ptr [ebp+FFFFFEF8]
:00406004 51 push ecx
Where does this 38 come from? add edx, dword ptr [0040C090] means add the double word stored at 40C090 to edx. I found this value with d 40C090 in SoftICE. All ** values were found this way. In this part the program takes one character of the name and adds 38, then sums them all.
:0040603C 8B8DFCFEFFFF mov ecx, dword ptr [ebp+FFFFFEFC]
:00406042 3B8DF4FEFFFF cmp ecx, dword ptr [ebp+FFFFFEF4]
:00406048 7323 jnb 0040606D ; have we processed all
:0040604A 8B5508 mov edx, dword ptr [ebp+08]
:0040604D 0395FCFEFFFF add edx, dword ptr [ebp+FFFFFEFC]
:00406053 0FBE02 movsx eax, byte ptr [edx] ;take one char from name
:00406056 0FAF0594C04000 imul eax, dword ptr [0040C094] ;multiply with 52 **
:0040605D 8B8DF8FEFFFF mov ecx, dword ptr [ebp+FFFFFEF8]
:00406063 03C8 add ecx, eax ;write sum to ecx
:00406065 898DF8FEFFFF mov dword ptr [ebp+FFFFFEF8], ecx
:0040606B EBC0 jmp 0040602D
OK, let's go on with F10. After some tracing you will see this.
:004060BF 8B8DFCFEFFFF mov ecx, dword ptr [ebp+FFFFFEFC]
:004060C5 3B8DF4FEFFFF cmp ecx, dword ptr [ebp+FFFFFEF4]
:004060CB 7322 jnb 004060EF ;have we processed all
:004060CD 8B5508 mov edx, dword ptr [ebp+08]
:004060D0 0395FCFEFFFF add edx, dword ptr [ebp+FFFFFEFC]
:004060D6 0FBE02 movsx eax, byte ptr [edx] ;take one char from name
:004060D9 030598C04000 add eax, dword ptr [0040C098] ;add 12 **
:004060DF 8B8DF8FEFFFF mov ecx, dword ptr [ebp+FFFFFEF8]
:004060E5 03C8 add ecx, eax ;write sum to ecx
:004060E7 898DF8FEFFFF mov dword ptr [ebp+FFFFFEF8], ecx
:004060ED EBC1 jmp 004060B0
Now we have 3 parts of the serial. Going on with F10 you will see this.
:00406141 8B8DFCFEFFFF mov ecx, dword ptr [ebp+FFFFFEFC]
:00406147 3B8DF4FEFFFF cmp ecx, dword ptr [ebp+FFFFFEF4]
:0040614D 7323 jnb 00406172
:0040614F 8B5508 mov edx, dword ptr [ebp+08]
:00406152 0395FCFEFFFF add edx, dword ptr [ebp+FFFFFEFC]
:00406158 0FBE02 movsx eax, byte ptr [edx] ;take one char from name
:0040615B 0FAF059CC04000 imul eax, dword ptr [0040C09C] ;multiply with 14 **
:00406162 8B8DF8FEFFFF mov ecx, dword ptr [ebp+FFFFFEF8]
:00406168 03C8 add ecx, eax ;add sum to ecx
:0040616A 898DF8FEFFFF mov dword ptr [ebp+FFFFFEF8], ecx
:00406170 EBC0 jmp 00406132
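The four loops above re-expressed in C, as an added example that is not the author's W32Asm keygen, so the disassembly can be read against plain code; the constant names and the struct are my own. It also makes the design weakness visible: each part depends only on the byte sum and the length of the name, so any rearrangement of the name is accepted as the same name.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constants the essay reads out of 0040C090..0040C09C with SoftICE's "d" command. */
#define ADD_1 38
#define MUL_2 52
#define ADD_3 12
#define MUL_4 14

/* One accumulator per loop; the names are mine, not the program's. */
struct serial_parts {
    long p1, p2, p3, p4;
};

/* Mirrors the loops that jump back to 00405FBF, 0040602D, 004060B0 and
   00406132: each walks the name once, applies one constant per character
   and keeps a running total in [ebp+FFFFFEF8]. movsx sign-extends the
   byte, so a character above 0x7F contributes a negative value. */
static struct serial_parts compute_parts(const char *name)
{
    struct serial_parts s = {0, 0, 0, 0};
    size_t len = strlen(name);                 /* [ebp+FFFFFEF4] */
    for (size_t i = 0; i < len; i++) {         /* [ebp+FFFFFEFC] */
        long c = (signed char)name[i];         /* movsx eax, byte ptr [edx] */
        s.p1 += c + ADD_1;                     /* add edx, [0040C090] */
        s.p2 += c * MUL_2;                     /* imul eax, [0040C094] */
        s.p3 += c + ADD_3;                     /* add eax, [0040C098] */
        s.p4 += c * MUL_4;                     /* imul eax, [0040C09C] */
    }
    return s;
}

/* Every part is a function of byte sum and length only, so permuting the
   characters of a name leaves all four parts unchanged. */
static bool parts_collide(const char *a, const char *b)
{
    struct serial_parts x = compute_parts(a), y = compute_parts(b);
    return x.p1 == y.p1 && x.p2 == y.p2 && x.p3 == y.p3 && x.p4 == y.p4;
}
```

For Mister Stop this reproduces 56264, 1214 and 15148. The first loop as listed totals 1500 for that name while the serial on the page begins with 500, so whatever the unseen call after 00406004 does to that value is not reproduced here.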
After all this calculation we can see our serial. After the lstrcatA API call, type d ecx. You will see 500-56264-1214-15148 in SoftICE's data window. I have coded a keygen for this easy protection. The keygen is coded again in W32Asm. It is 335 lines of code. Heheh, it sounds crazy but it is far from it. First of all, I don't write these 335 lines every time: I have a ready template for my keygen. I just find the keygen routine of the program, copy it into my keygen template, make some modifications and tada, the keygen is ready. It is small, it is compact and it works on every Windows. If you code this keygen in Delphi it is 300 KB. What bloated software! This CleanPC is only 160 KB. As you see, coding in assembly is fun and it has more benefits. If you don't know any programming language and want to start, I suggest C++ and Assembly. I don't know if you care, but I have decided to publish my keygen source. In order to compile this package you need Tasm 5.0 and the include files. If you don't have Tasm I suggest you download CogenII from Protools. Put my keygen source file where tasm32 is, run make.exe and your keygen is ready to go. You can download the keygen and source code [cleanpc.zip - MISSING]. I suggest you look at these sources with UltraEdit or any good text editor. You can play with the sources and change whatever you want.
No notes. I am tired, just smile :)