===============================================================================
Target:   Security Administrator v1.3
Level:    Easy [X]  Medium [ ]  Hard [ ]
===============================================================================
21/Aug/`99 | Toolz: WDasm - SoftICE >v3 - Hexworkshop(i like the shell interface :)
===============================================================================

i'm going to go through this program to make it
seem simple as possiable.

1. Working Out The Valid Serial
2. Bonus Serial Generating Code ;)


When the program is installed and is run a box pops up wanting a serial,
just click close we will work with the other registration box, goto
the Help menu and select Register, there thats a better box ;)

Enter a number which you can remember and know the length of, i enterd
'12345' well actually i entered my phone number but i won't put that here ;)
Click Ok, a messaegbox appears with 'Sorry, this registration code is invalid!'
now we have to find the serial routine so lets find where that error box was called
from, what better tool than WDasm, load up W32Dasm and select the Disassembler menu
then 'Open file to disassemble' select your secagent.exe and wait for about 2-5 mins.

Once finished open up the String Refs (second button from the right, Strn REF)
go down the list until you find the error msg 'Sorry, this registration code is invalid!', you should find "Sorry, this registration" double click and close the string ref window

now we see

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00471C70(C)
|
:00471CAA 6A10                    push 00000010

* Possible StringData Ref from Code Obj ->"Error"
                                  |
:00471CAC B9281D4700              mov ecx, 00471D28

* Possible StringData Ref from Code Obj ->"Sorry, this registration code "
                                        ->"is invalid!"
                                  |
:00471CB1 BA301D4700              mov edx, 00471D30
:00471CB6 A1C0404700              mov eax, dword ptr [004740C0]
:00471CBB 8B00                    mov eax, dword ptr [eax]
:00471CBD E84250FDFF              call 00446D04


From this we can say that the messagebox was called by a conditional jump from
00471C70... lets go take a look

:00471C64 8B55FC                  mov edx, dword ptr [ebp-04]
:00471C67 8BC3                    mov eax, ebx
:00471C69 E842B0FFFF              call 0046CCB0
:00471C6E 84C0                    test al, al
:00471C70 7438        je 00471CAA 


now we must set a breakpoint here and have a snoop around. In most cases you're
see that there is two mov's or pushes above a call, this could be our valid serial
and invalid one. btw: patching the je won't work i tried ;)

===============
SETTiNG THE BPX
===============

We need to set a bpx on 00471C69, so loadup Numega Symbol Loader, goto the
file menu, click open module and choose the secagent.exe, now goto the Module
menu and click Load, click yes at the error box about symbol translation
now we get taken into softice at the programs entry point, now type
BPX 00471C69 and press Ctrl+D to exit, now the program continues to load
when we are presented with the first registration box click close and open the
one from the help menu.

Once again enter your false number '12345' and click ok, bing! now we are in SoftICE


:00471C64 8B55FC                  mov edx, dword ptr [ebp-04]
:00471C67 8BC3                    mov eax, ebx
:00471C69 E842B0FFFF   call 0046CCB0 
:00471C6E 84C0                    test al, al
:00471C70 7438                    je 00471CAA 

ok lets see if the correct serial is in one of those registers above
first type D EDX and it shows us that 12345 is in there, oh oh oh oh
this must mean the correct serial is in eax then oh oh, now type
D EAX and now we can see the......hmmm DOH :) looks like..like its not there,
....The Call must do some check routine then, lets explore

Press F8 to go into the call, now heres where it gets confusing, what do we look
for? well we should start of by looking for CMP's as these are compares between
two things..

So now start to press F10 until you find the first cmp instruction

:0046CCB0 55                      push ebp
:0046CCB1 8BEC                    mov ebp, esp
:0046CCB3 51                      push ecx
:0046CCB4 53                      push ebx
:0046CCB5 56                      push esi
:0046CCB6 8955FC                  mov dword ptr [ebp-04], edx
:0046CCB9 8BF0                    mov esi, eax
:0046CCBB 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CCBE E81171F9FF              call 00403DD4
:0046CCC3 33C0                    xor eax, eax
:0046CCC5 55                      push ebp
:0046CCC6 68A4CD4600              push 0046CDA4
:0046CCCB 64FF30                  push dword ptr fs:[eax]
:0046CCCE 648920                  mov dword ptr fs:[eax], esp
:0046CCD1 33DB                    xor ebx, ebx
:0046CCD3 C605B858470000          mov byte ptr [004758B8], 00
:0046CCDA B8BC584700              mov eax, 004758BC
:0046CCDF E8C06CF9FF              call 004039A4
:0046CCE4 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CCE7 E8346FF9FF              call 00403C20
:0046CCEC 83F80C                  cmp eax, 0000000C  <---------- numbero 1
:0046CCEF 0F8599000000            jne 0046CD8E

ok so we found the first one, what is it comparing, well EAX and 0C,
lets look what is in eax, look to the top of your screen, top right
it will say EAX=00000005  if you don't see your register window type
WR to activate it. So eax is 5 and its comparing it to 0C what is 0C
well 0C is hex for 12, so its comparing 5 to 12, hmmm any ideas?

well maybe its not important press F10 few more times we hit a jne which jumps
to 0046CD8E this appears to restore all the registers to there normal state and exit
the call so looks like we have to pass this cmp

5 and 12 hmmm well could the 5 be our serial length? well 12345 is 5 numbers,
lets double check by exiting from softice and this time around entering 123456
now F8 at the call and F10 till you reach the cmp again, Hey look! it now compares
6 with 12, so this means our serial MUST be 12 numbers long...

Exit SI and this time around enter  123456789123, once we reach the cmp we notice
at now it compares 0C to 0C and the jne we can pass through.
if we scroll down through the code we notice there is a series of cmp's
almost 99% a number by number check

:0046CCEC 83F80C                  cmp eax, 0000000C         <---Check serial Length Serial ==12
:0046CCEF 0F8599000000            jne 0046CD8E         <--- we can now pass
:0046CCF5 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CCF8 803838                  cmp byte ptr [eax], 38
:0046CCFB 0F858D000000            jne 0046CD8E
:0046CD01 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD04 80780233                cmp byte ptr [eax+02], 33
:0046CD08 0F8580000000            jne 0046CD8E
:0046CD0E 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD11 80780331                cmp byte ptr [eax+03], 31
:0046CD15 7577                    jne 0046CD8E
:0046CD17 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD1A 80780439                cmp byte ptr [eax+04], 39
:0046CD1E 756E                    jne 0046CD8E
:0046CD20 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD23 80780830                cmp byte ptr [eax+08], 30
:0046CD27 7565                    jne 0046CD8E
:0046CD29 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD2C 80780935                cmp byte ptr [eax+09], 35
:0046CD30 755C                    jne 0046CD8E
:0046CD32 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD35 80780A53                cmp byte ptr [eax+0A], 53
:0046CD39 7553                    jne 0046CD8E
:0046CD3B 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD3E 80780B45                cmp byte ptr [eax+0B], 45
:0046CD42 754A                    jne 0046CD8E


Lets press F10 until we reach the second cmp at 0046CCF8 'cmp byte ptr [eax], 38'
now this is comparing the first byte of eax with 38, first of all what is the first
byte of eax? well type D eax Hey look! theres our serial and the first byte would be
'1' which is the first number of our serial, now that is compared with 38, 38? that would
be an ascii number so to convert type  ? 38  and softice will tell us that 38 is equal to
8 so it compares 1 with 8 and our first number of our serial isn't 8 so the next jump will
exit the serial routine.

Now we know 2 things,  1) serial must be 12 dig`s long  2) first number must be 8

so open the registration box again and this time enter  823456789123
click ok and press F8 at the call and press F10 until we reach that same cmp again
now we se that we can pass through the next jump, almost straight after we meet another Cmp
instruction 

'cmp byte ptr [eax+02], 33' this time it compares the first byte of eax + 2 to 33
we know that eax is our serial so the first byte +2 is the 3rd number to check this
type  D EAX+2 we can see in our dump screen that is says 3, this is compared with 33
type ? 33 to find out what 33 is and look its 3!! what a guess eh :) we may continue on

Now we know our serial must have a structure like 8x3xxxxxxxxx

==
S4
==


Hopefully your starting to get the idea, you should beable to finsh but i'll go on :)

Open up the registration box and enter 823456789123
                                       ^ ^
                                       Must be

once again click ok and press F8 at the call and F10 till the next cmp instruction
which is 'cmp byte ptr [eax+03], 31'  type D eax+3 to find out that its checking the fourth
number of our serial '4' with  31 which is '1' (type ? 31) so the fourth number of our serial
must be a 1.

now we have 8x31xxxxxxxx

(Copy+paste time :) )


==
S5
==

Open up the registration box and enter 823156789123
                                       ^ ^^
                                       Must be

once again click ok and press F8 at the call and F10 till the next cmp instruction
which is 'cmp byte ptr [eax+04], 39'  type D eax+4 to find out that its checking the fifth
number of our serial '5' with  39 which is '9' (type ? 39) so the fifth number of our serial
must be a 9.

==
S6
==

Now we know our serial must have a structure like 8x319xxxxxxx

Open up the registration box and enter 823196789123
                                       ^ ^^^
                                       Must be

once again click ok and press F8 at the call and F10 till the next cmp instruction
which is 'cmp byte ptr [eax+08], 30'  type D eax+8 to find out that its checking the ninth
number of our serial '9' with  30 which is '0' (type ? 30) so the ninth number of our serial
must be a 0.

==
S7
==

Now we know our serial must have a structure like 8x319xxx0xxx

Open up the registration box and enter 823196780123
                                       ^ ^^^   ^
                                         Must be

once again click ok and press F8 at the call and F10 till the next cmp instruction
which is 'cmp byte ptr [eax+09], 35'  type D eax+9 to find out that its checking the tenth
number of our serial '1' with  35 which is '5' (type ? 35) so the tenth number of our serial
must be a 5.

==
S8
==

Now we know our serial must have a structure like 8x319xxx05xx

Open up the registration box and enter 823196780523
                                       ^ ^^^   ^^
                                         Must be

once again click ok and press F8 at the call and F10 till the next cmp instruction
which is 'cmp byte ptr [eax+0A], 53'  type D eax+a to find out that its checking the eleventh
number of our serial '2' with  53 which is 'S' (type ? 53) so the eleventh number of our serial
must be a S.

==
S9
==

Now we know our serial must have a structure like 8x319xxx05Sx

Open up the registration box and enter 8231967805S3
                                       ^ ^^^   ^^^
                                         Must be  Note capitals

once again click ok and press F8 at the call and F10 till the next cmp instruction
which is 'cmp byte ptr [eax+0B], 45'  type D eax+b to find out that its checking the 12th
number of our serial '3' with  45 which is 'E' (type ? 45) so the 12th number of our serial
must be a E.

As soon as you exit SI you will be registered, thats it! you found a serial by process of checking
certain numbers

we now know your serial must be like  8x319xxx05SE where the x's are any number/letter can be
we can now program some code to show this serial to the screen with random numbers where the x's
are :- heres the pascal code,

=================================================================
{****************************************}
{*Security Adminstrator Serial Generator*}
{*Coded by [yAtEs]                      *}
{****************************************}

Uses crt;

Var
a2nd,a6th,a7th,a8th:integer;

Begin
Clrscr;
textcolor(1);
Writeln('=======================================================');
Writeln('Security Adminstrator v1.3  Serial Generator  [yAtEs]  ');
Writeln('=======================================================');
textcolor(14);
Randomize;

a2nd:=random(9)+0;
a6th:=random(9)+0;
a7th:=random(9)+0;
a8th:=random(9)+0;
Writeln;
Writeln ('Serial: 8',a2nd,'319',a6th,a7th,a8th,'05SE');
Readln;
end.
=================================================================

Of course this code isn't perfect (mine never is ;)) this only produces random numbers
for the spaces, don't forget we can have characters too, i leave that to you, if you code
one that produces random characters and numbers in PASCAL and your a newbie then email me
it, i'd be interested to see if anyone botheres :)

gREETz:-
Acid_Burn,Appbusta,Axion,Bjanes,Craftyhac,Carpathia,Dezm,Inferno,
medivh,Nitrus,NeutralN,Smaegle,_targ0n,thorny,The_Corpse,tornado,
Zoltan,_y and the C4N team + all other great people i have met =:)->-<.

If you didn't understand any part of this tutorial then please let me know
as this we help me to write the misundertund part in more detail in future
thankyou.
==============================
[yAtEs][ECL`99] RY@hotpop.com
==============================
=================================================================