SB (5) +Jonathan’s Checking-digit-length Method Part (B)

By +Jonathan

2002-8-11

 

   In Part B we are going to calculate the real SN (no brute force), from which you could write a KeyGen ^_^  As I said before, the brute-force trick will not show your name even if the program is actually registered, but it saves lots of time, as I taught you in Part A!! Let us begin with the snippet:

 

(“your SN” means the SN you typed)

 

:004AE244 83F80A        cmp eax, 0000000A             *Is the SN you typed 10 characters long?*
:004AE247 755F          jne 004AE2A8                  *If not, jump to the place where it moves the BAD flag into EAX*
:004AE249 8B55FC        mov edx, dword ptr [ebp-04]   *move your SN into EDX*
                        Notice: *[EBP-04] is the original place where your SN is stored*

* Possible StringData Ref from Code Obj ->"A1910"

:004AE24C B8D4E24A00    mov eax, 004AE2D4             *move the string A1910 into EAX*
:004AE251 E8CE5EF5FF    call 00404124                 *Check whether the first 5 characters are A1910. If they are, EAX = 1 (otherwise EAX = 0)*
:004AE256 48            dec eax                       *If EAX – 1 = 0 ...*
:004AE257 7410          je 004AE269                   *... then jump (if EAX – 1 ≠ 0, no jump)*
:004AE259 8B55FC        mov edx, dword ptr [ebp-04]   *Load your SN from [EBP-04] again*

* Possible StringData Ref from Code Obj ->"A1423"

:004AE25C B8E4E24A00    mov eax, 004AE2E4             *move the string A1423 into EAX*
:004AE261 E8BE5EF5FF    call 00404124                 *Check whether the first 5 characters are A1423. If they are, EAX = 1 (otherwise EAX = 0)*
:004AE266 48            dec eax                       *If EAX – 1 = 0 ...*
:004AE267 753F          jne 004AE2A8                  *... then DO NOT jump (if EAX – 1 ≠ 0, neither prefix matched, so jump to the BAD flag)*

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AE257(C)

:004AE269 B802000000    mov eax, 00000002             *Let EAX = 2*

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AE286(C)

:004AE26E 8B55FC        mov edx, dword ptr [ebp-04]   *Load your SN into EDX*
:004AE271 8A5402FF      mov dl, byte ptr [edx+eax-01] *Let DL = the byte at [EDX + EAX – 1], i.e. the EAX-th character of your SN*
:004AE275 80FA30        cmp dl, 30                    *Is this character lower than “0” in ASCII?*
:004AE278 722E          jb 004AE2A8                   *If so, jump to the place where it moves the BAD flag into EAX*
:004AE27A 8B4DFC        mov ecx, dword ptr [ebp-04]   *Load your SN into ECX*
:004AE27D 80FA39        cmp dl, 39                    *Is this character greater than “9” in ASCII?*
:004AE280 7726          ja 004AE2A8                   *If so, jump to the place where it moves the BAD flag into EAX*
:004AE282 40            inc eax                       *Let EAX = EAX + 1 (remember that EAX started at 2)*
:004AE283 83F80B        cmp eax, 0000000B             *Have we finished checking 9 times?*
:004AE286 75E6          jne 004AE26E                  *If EAX is 0Bh (= 11) the loop is finished and it won’t jump; otherwise loop again*
:004AE288 8B45FC        mov eax, dword ptr [ebp-04]   *Load your SN into EAX*
:004AE28B 0FB64008      movzx eax, byte ptr [eax+08]  *Let EAX = the 9th character of your SN*
:004AE28F 8B55FC        mov edx, dword ptr [ebp-04]   *Load your SN into EDX*
:004AE292 0FB65209      movzx edx, byte ptr [edx+09]  *Let EDX = the 10th character of your SN*
                        **Remember that [EAX] = first character; [EAX+1] = second character; hence, [EAX+8] = 9th character**
:004AE296 03C2          add eax, edx                  *Let EAX = EAX + EDX (the sum of the two ASCII codes)*
:004AE298 B90A000000    mov ecx, 0000000A             *Let ECX = 0Ah (= 10 in decimal)*
:004AE29D 33D2          xor edx, edx                  *Let EDX = 0*
:004AE29F F7F1          div ecx                       *EAX = EAX / ECX, EDX = the remainder*
:004AE2A1 83FA04        cmp edx, 00000004             *Is the remainder 4?*
:004AE2A4 7502          jne 004AE2A8                  *If the remainder ≠ 4, jump to 004AE2A8*
:004AE2A6 B301          mov bl, 01                    *move the GOOD flag into BL*

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004AE247(C), :004AE267(C), :004AE278(C), :004AE280(C), :004AE2A4(C)

:004AE2A8 33C0          xor eax, eax                  *Let EAX = 0*
:004AE2AA 5A            pop edx                       *Restore EDX from the stack*
:004AE2AB 59            pop ecx                       *Restore the first ECX*
:004AE2AC 59            pop ecx                       *Restore the second ECX*
:004AE2AD 648910        mov dword ptr fs:[eax], edx   *Restore the previous exception-handler record at fs:[0] (EAX = 0 here)*
:004AE2B0 68C5E24A00    push 004AE2C5                 *Push the address where execution continues after the cleanup*

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AE2C3(U)

:004AE2B5 8D45FC        lea eax, dword ptr [ebp-04]   *Let EAX = the address of your SN*
:004AE2B8 E8FB58F5FF    call 00403BB8                 *cleanup call on the temporary SN string*
:004AE2BD C3            ret                           *return*

______________________________________________________________________________________

Do you get it?? ^_^ The program first checks whether the first 5 characters are either A1910 or A1423. Then it makes sure that the remaining characters of the SN you typed are all digits. After these initial checks, it adds the ASCII codes of the 9th and 10th characters, divides the sum by 10 (decimal) and checks whether the remainder is 4 (otherwise it will not move the GOOD flag). Notice that the program uses a formula in order to check all the digits:

:004AE269 B802000000    mov eax, 00000002
:004AE26E 8B55FC        mov edx, dword ptr [ebp-04]
:004AE271 8A5402FF      mov dl, byte ptr [edx+eax-01]

EDX is your SN. The first time it checks a character, EAX is 2. As a result, the formula is: DL = [your SN + 2 – 1] = [your SN + 1] = the second character. On the second pass of the loop it has done an “INC EAX”, so EAX = 3. This formula is used to fetch every character from the 2nd to the 10th (the 1st is the letter “A”, NOT a digit, still remember?). Oh! One useful trick in SoftICE is that you can bypass the 9 loop iterations by putting the cursor on the line after the loop and pressing F7 (run to here). After that, the program divides EAX (the sum of the 9th and 10th characters) by ECX (0Ah in hex, i.e. 10 in decimal) and checks whether the remainder equals 4. OK, let us calculate some real serial numbers ^_^

 

DEC (decimal)    HEX (hexadecimal)    ASCII (American Standard Code for Information Interchange)
48               30                   0
57               39                   9

 

So let us calculate some SNs:

 

   (1) A191000017      actually you can make an SN of the form A1910???17 or A1423???17 (“?” is any digit 0–9)
   (2) A142300017
   “1” = 49, “7” = 55: (49 + 55) / 10 = 104 / 10 = 10 remainder 4

   (3) A191012308
   (4) A142311108
   “0” = 48, “8” = 56: (48 + 56) / 10 = 104 / 10 = 10 remainder 4
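To make the routine above concrete, here is an added Python re-implementation of exactly the check the disassembly performs (this is example code written for this page, not code from the tutorial or from the program). `validate_serial` mirrors the three stages (length and prefix test, the EAX = 2..10 digit loop, the remainder test on the 9th and 10th ASCII codes), `explain` prints the arithmetic in the same form as the worked examples, and `valid_last_two_digits` counts how many digit pairs the final test accepts, which is the reason a check like this gives so little protection: it relies on no secret, only on a fixed prefix, a digit filter and one remainder.

```python
# Added example: Python re-implementation of the check at 004AE244..004AE2A6.
# The function names and the sample serials tested in __main__ are this example's
# own; the two prefixes and the arithmetic come from the disassembly.
PREFIXES = ("A1910", "A1423")


def validate_serial(sn: str) -> bool:
    """Return True exactly when the routine would set BL = 1 (the GOOD flag)."""
    # cmp eax, 0Ah / jne 004AE2A8 -> the SN must be exactly 10 characters long
    if len(sn) != 10:
        return False
    # two calls to 00404124 -> the first 5 characters must be A1910 or A1423
    if sn[:5] not in PREFIXES:
        return False
    # loop with EAX = 2..10 (exits when EAX reaches 0Bh): characters 2..10 must be '0'..'9'
    for pos in range(2, 11):
        ch = sn[pos - 1]                      # byte ptr [edx+eax-01]
        if ch < "0" or ch > "9":              # cmp dl,30 / jb  and  cmp dl,39 / ja
            return False
    # movzx the 9th and 10th characters, add, div by 0Ah, compare the remainder with 4
    return (ord(sn[8]) + ord(sn[9])) % 10 == 4


def explain(sn: str) -> str:
    """Write out the final arithmetic the way the tutorial does, e.g. '(49 + 55) / 10 = 104 / 10 = 10 remainder 4'."""
    a, b = ord(sn[8]), ord(sn[9])
    return f"({a} + {b}) / 10 = {a + b} / 10 = {(a + b) // 10} remainder {(a + b) % 10}"


def valid_last_two_digits() -> list:
    """All (9th, 10th) digit pairs that pass the remainder test; shows how little the test constrains."""
    return [d1 + d2 for d1 in "0123456789" for d2 in "0123456789"
            if (ord(d1) + ord(d2)) % 10 == 4]


if __name__ == "__main__":
    # Constructed sample inputs: the four serials from the tutorial plus two that must fail.
    for sn in ("A191000017", "A142300017", "A191012308", "A142311108",
               "A191000018", "B191000017"):
        print(sn, validate_serial(sn), explain(sn))
    print(len(valid_last_two_digits()), "of 100 digit pairs pass the remainder test")
```

Running it shows the four worked serials pass while changing only the last digit or the first letter fails; because ASCII “0” is 48, the remainder test reduces to "the 9th and 10th digits add up to 8 or 18", so 10 of the 100 possible endings are accepted and, combined with the three unchecked middle digits and two prefixes, the whole space of accepted serials is tiny and contains no secret. That is the property a defender should notice: a check whose entire logic sits in the client and depends only on the input can always be reproduced like this, so it is an obfuscation measure, not an access control.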