SB (5) +Jonathan’s Checking-digit-length Method Part (A)

By +Jonathan

2002-8-11

 

+Jonathan’s checking-digit-length method is an extremely important trick in Reverse Engineering. It is based on the knowledge of the FLAG, which controls EVERYTHING (including whether you are registered or not)!

 

  <<Theory>>

  Many types of software check the length of the SN (serial number) you typed. If the length is wrong in the first place, they will immediately execute something like mov al, 01 or xor eax, eax (i.e. they set a BAD flag) before any real checking starts; hence you only need to replace that instruction with its reverse. Usually that is MOV AL, 01 (B0 01).

 

  <<Example>>

   [API 32.EXE]

:004046B6 83C40C        add esp, 0000000C      *translate into hex*
:004046B9 83F810        cmp eax, 00000010      *10h = 16: is your SN 16 digits long?*
:004046BC 7D08          jge 004046C6           *continue checking*
:004046BE 33C0          xor eax, eax           *Beggar off! Bad cracker*
:004046C0 5F            pop edi
:004046C1 5E            pop esi
:004046C2 5D            pop ebp
:004046C3 5B            pop ebx
:004046C4 59            pop ecx
:004046C5 C3            ret

 

Can you feel it? If the SN (serial number) you type is not 16 digits long, you will not be checked any further. Instead it zeroes out your EAX!! Therefore you can simply change 33 C0 into B0 01. (This is a beautiful Brute Force trick.) Most importantly, the digit-length check is where the protection scheme lives!!

But~~~~~the brute force trick has one problem: it will only write “Registered to” instead of “Registered to +Jonathan”. The reason is quite simple: the program has not even loaded your name yet when it checks the length (which means the EIP of the length-checking routine is at the very beginning of the protection!!). Thus we have another way: calculate the real SN, a skill with which you can make a Keygen (in Part (B)). In this way you will get “Registered to +Jonathan (or your name)”. Now let us begin the lesson:

 

Name:  eXeScop 6.30

Price:   $ 20

Download:  http://hp.vector.co.jp/authors/VA003525/EXESC630.ZIP         (560 kb)

 

First of all, we have to load it into W32Dasm. Then find the “invalid” String Data reference (“Invalid ID or Name”), since that is the message you see if you type 12345678 as the password.

Let’s see the snippet:

 

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004A6146(C), :004A615A(C)

:004A61D9 6A00          push 00000000
:004A61DB 8D55EC        lea edx, dword ptr [ebp-14]

* Possible StringData Ref from Code Obj ->"Invalid ID or Name;"

:004A61DE B870624A00    mov eax, 004A6270
:004A61E3 E808900000    call 004AF1F0

<<See the Reference Jumps? Let’s trace them:>>


:004A613F E8D8800000    call 004AE21C          *SN-checking routine*
:004A6144 84C0          test al, al            *compare flag*
:004A6146 0F848D000000  je 004A61D9            *if al = 0, beggar off*
:004A614C A1C4294B00    mov eax, dword ptr [004B29C4]
:004A6151 8B00          mov eax, dword ptr [eax]
:004A6153 E8E0DCF5FF    call 00403E38
:004A6158 85C0          test eax, eax          *if eax <= 0, beggar off*
:004A615A 7E7D          jle 004A61D9

 

As you can see, the registration depends on the FLAG. Let’s break into call 004AE21C, which is the SN-checking routine.

 

:004AE21C 55            push ebp
:004AE21D 8BEC          mov ebp, esp
:004AE21F 51            push ecx
:004AE220 53            push ebx
:004AE221 8955FC        mov dword ptr [ebp-04], edx
:004AE224 8B45FC        mov eax, dword ptr [ebp-04]
:004AE227 E8C05DF5FF    call 00403FEC
:004AE22C 33C0          xor eax, eax
:004AE22E 55            push ebp
:004AE22F 68BEE24A00    push 004AE2BE
:004AE234 64FF30        push dword ptr fs:[eax]
:004AE237 648920        mov dword ptr fs:[eax], esp
:004AE23A 33DB          xor ebx, ebx           *EBX (the flag) starts at 0*
:004AE23C 8B45FC        mov eax, dword ptr [ebp-04]
:004AE23F E8F45BF5FF    call 00403E38
:004AE244 83F80A        cmp eax, 0000000A      *is the SN you typed 0Ah (= 10) digits long?*
:004AE247 755F          jne 004AE2A8           *jump if not the same*

 

Now we land at 004AE2A8 (since we typed 8 digits, NOT 10). 004AE2A8 is a short snippet that returns (ret) in just 5 lines. After it returns, this is what you see:

 

:004AE2C3 EBF0          jmp 004AE2B5
:004AE2C5 8BC3          mov eax, ebx           *you land here*
:004AE2C7 5B            pop ebx
:004AE2C8 59            pop ecx
:004AE2C9 5D            pop ebp
:004AE2CA C3            ret                    *back to 004A6144*

 

Have you seen it move the FLAG from EBX into EAX (EAX = EBX), where EBX = 0!! Now, as usual, we change 8B C3 into B0 01, which means “mov AL, 01”, according to my theory, right? Yes, it is now cracked ^_^
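Both listings above (the API 32.EXE length check and the eXeScop epilogue) end the same way: one two-byte instruction writes the FLAG into EAX/AL, and a single ret hands it back. The example below is added to this tutorial and is not +Jonathan’s code nor anything from the programs discussed. It decodes only the handful of opcodes that appear in the listings (cmp/add imm8, jcc rel8, xor eax,eax, mov al,imm8, mov eax,ebx, pop, ret), reports which instruction in a routine is the flag writer, and shows the defensive counterpart a protection author would want: a hash over the routine’s bytes, which catches the two-byte change the tutorial makes. The byte strings are constructed from the opcode columns of the listings; the SHA-256 “known-good” digest is computed in place and is an assumption, not a value from either program.

```python
"""Tiny decoder for the x86 opcodes that appear in the tutorial's listings,
plus a byte-level integrity check over a routine.  Added example; the byte
strings are constructed from the listings' opcode columns."""
import hashlib
import struct

# Opcode bytes copied from the API 32.EXE listing, 004046B9..004046C5.
API32_EPILOGUE = bytes.fromhex("83F810" "7D08" "33C0" "5F" "5E" "5D" "5B" "59" "C3")
API32_BASE = 0x004046B9

# Opcode bytes copied from the eXeScop listing, 004AE2C5..004AE2CA.
EXESCOP_EPILOGUE = bytes.fromhex("8BC3" "5B" "59" "5D" "C3")
EXESCOP_BASE = 0x004AE2C5

POP_REGS = {0x59: "ecx", 0x5B: "ebx", 0x5D: "ebp", 0x5E: "esi", 0x5F: "edi"}
JCC = {0x75: "jne", 0x7D: "jge", 0x7E: "jle"}


def decode_one(code, i, addr):
    """Decode the instruction at code[i].  Returns (length, text, writes_flag),
    where writes_flag marks instructions that load the result register EAX/AL."""
    op = code[i]
    if op == 0x83 and code[i + 1] in (0xF8, 0xC4):          # 83 /7 cmp eax,imm8 ; 83 /0 add esp,imm8
        imm = struct.unpack_from("b", code, i + 2)[0]        # imm8 is sign-extended
        mnem = "cmp eax" if code[i + 1] == 0xF8 else "add esp"
        return 3, f"{mnem}, {imm:#x}", False
    if op in JCC:                                             # jcc rel8: target = next EIP + rel8
        rel = struct.unpack_from("b", code, i + 1)[0]
        return 2, f"{JCC[op]} {addr + 2 + rel:08X}", False
    if op == 0x33 and code[i + 1] == 0xC0:                    # xor eax, eax  -> flag := 0
        return 2, "xor eax, eax", True
    if op == 0xB0:                                            # mov al, imm8  -> flag := imm8
        return 2, f"mov al, {code[i + 1]:#x}", True
    if op == 0x8B and code[i + 1] == 0xC3:                    # mov eax, ebx  -> flag := ebx
        return 2, "mov eax, ebx", True
    if op in POP_REGS:
        return 1, f"pop {POP_REGS[op]}", False
    if op == 0xC3:
        return 1, "ret", False
    raise ValueError(f"unsupported opcode {op:#x} at {addr:08X}")


def disassemble(code, base):
    """Linear sweep over the routine; returns [(address, text, writes_flag), ...]."""
    out, i = [], 0
    while i < len(code):
        n, text, writes_flag = decode_one(code, i, base + i)
        out.append((base + i, text, writes_flag))
        i += n
    return out


def flag_writers(code, base):
    """Addresses of the instructions that set the FLAG register.  These are the
    bytes a patch has to hit, so an integrity check must at least cover them."""
    return [addr for addr, _, w in disassemble(code, base) if w]


def routine_digest(code):
    """Known-good fingerprint of a routine's bytes (assumed SHA-256 here)."""
    return hashlib.sha256(code).hexdigest()


def tampered_offsets(original, candidate):
    """Byte offsets at which a same-length copy of the routine differs from the
    known-good bytes; an in-place patch shows up as a short run of offsets."""
    if len(original) != len(candidate):
        raise ValueError("length changed: routine was rewritten, not patched in place")
    return [i for i, (a, b) in enumerate(zip(original, candidate)) if a != b]


if __name__ == "__main__":
    for name, code, base in (("API 32.EXE", API32_EPILOGUE, API32_BASE),
                             ("eXeScop", EXESCOP_EPILOGUE, EXESCOP_BASE)):
        print(f"--- {name} ---")
        for addr, text, w in disassemble(code, base):
            print(f"{addr:08X}  {text:<24}{'<- writes FLAG' if w else ''}")
    # Constructed tampered copy: the tutorial's 33 C0 -> B0 01 change at 004046BE.
    good = routine_digest(API32_EPILOGUE)
    patched = bytearray(API32_EPILOGUE)
    patched[5:7] = bytes.fromhex("B001")
    print("digest matches:", routine_digest(bytes(patched)) == good)
    print("changed offsets:", tampered_offsets(API32_EPILOGUE, bytes(patched)))
```

Run as a script it prints both listings with the flag-writing instruction marked, then shows that the patched copy no longer matches the recorded digest and that the difference sits exactly at offsets 5 and 6 of the API 32.EXE routine, i.e. at 004046BE. The decoder is deliberately limited to the opcodes on this page; anything else raises ValueError rather than guessing.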