===============================================================================
Target: Security Administrator v1.3          Level: Easy [X] Medium [ ] Hard [ ]
===============================================================================
21/Aug/`99 | Toolz: WDasm - SoftICE >v3 - Hexworkshop (i like the shell interface :)
===============================================================================

i'm going to go through this program to make it seem as simple as possible.

1. Working Out The Valid Serial
2. Bonus Serial Generating Code ;)

When the program is installed and run, a box pops up wanting a serial; just click Close, we will work with the other registration box. Go to the Help menu and select Register. There, that's a better box ;)

Enter a number which you can remember and know the length of; i entered '12345' (well, actually i entered my phone number, but i won't put that here ;). Click OK and a messagebox appears with 'Sorry, this registration code is invalid!'. Now we have to find the serial routine, so let's find where that error box was called from. What better tool than WDasm: load up W32Dasm, select the Disassembler menu, then 'Open file to disassemble', select your secagent.exe and wait for about 2-5 mins.

Once finished, open up the String Refs (second button from the right, Strn REF) and go down the list until you find the error msg 'Sorry, this registration code is invalid!'; you should find "Sorry, this registration". Double click it and close the string ref window. Now we see:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00471C70(C)
|
:00471CAA 6A10                    push 00000010

* Possible StringData Ref from Code Obj ->"Error"
                                  |
:00471CAC B9281D4700              mov ecx, 00471D28

* Possible StringData Ref from Code Obj ->"Sorry, this registration code "
                                        ->"is invalid!"
                                  |
:00471CB1 BA301D4700              mov edx, 00471D30
:00471CB6 A1C0404700              mov eax, dword ptr [004740C0]
:00471CBB 8B00                    mov eax, dword ptr [eax]
:00471CBD E84250FDFF              call 00446D04

From this we can say that the messagebox was called by a conditional jump from 00471C70... let's go take a look:

:00471C64 8B55FC                  mov edx, dword ptr [ebp-04]
:00471C67 8BC3                    mov eax, ebx
:00471C69 E842B0FFFF              call 0046CCB0
:00471C6E 84C0                    test al, al
:00471C70 7438                    je 00471CAA

Now we must set a breakpoint here and have a snoop around. In most cases you'll see that there are two movs or pushes above a call; these could be our valid serial and the invalid one. btw: patching the je won't work, i tried ;)

===============
SETTiNG THE BPX
===============

We need to set a bpx on 00471C69, so load up NuMega Symbol Loader, go to the File menu, click Open Module and choose secagent.exe. Now go to the Module menu and click Load, and click Yes at the error box about symbol translation. We get taken into SoftICE at the program's entry point; type BPX 00471C69 and press Ctrl+D to exit. The program continues to load; when we are presented with the first registration box, click Close and open the one from the Help menu. Once again enter your false number '12345' and click OK. Bing! Now we are in SoftICE:

:00471C64 8B55FC                  mov edx, dword ptr [ebp-04]
:00471C67 8BC3                    mov eax, ebx
:00471C69 E842B0FFFF              call 0046CCB0
:00471C6E 84C0                    test al, al
:00471C70 7438                    je 00471CAA

OK, let's see if the correct serial is in one of those registers above. First type D EDX and it shows us that 12345 is in there. Oh oh oh oh, this must mean the correct serial is in eax then, oh oh. Now type D EAX and now we can see the...... hmmm DOH :) looks like... like it's not there. The call must do some check routine then, so let's explore. Press F8 to go into the call. Now here's where it gets confusing: what do we look for? Well, we should start off by looking for CMPs, as these are compares between two things...
So now start to press F10 until you find the first cmp instruction:

:0046CCB0 55                      push ebp
:0046CCB1 8BEC                    mov ebp, esp
:0046CCB3 51                      push ecx
:0046CCB4 53                      push ebx
:0046CCB5 56                      push esi
:0046CCB6 8955FC                  mov dword ptr [ebp-04], edx
:0046CCB9 8BF0                    mov esi, eax
:0046CCBB 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CCBE E81171F9FF              call 00403DD4
:0046CCC3 33C0                    xor eax, eax
:0046CCC5 55                      push ebp
:0046CCC6 68A4CD4600              push 0046CDA4
:0046CCCB 64FF30                  push dword ptr fs:[eax]
:0046CCCE 648920                  mov dword ptr fs:[eax], esp
:0046CCD1 33DB                    xor ebx, ebx
:0046CCD3 C605B858470000          mov byte ptr [004758B8], 00
:0046CCDA B8BC584700              mov eax, 004758BC
:0046CCDF E8C06CF9FF              call 004039A4
:0046CCE4 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CCE7 E8346FF9FF              call 00403C20
:0046CCEC 83F80C                  cmp eax, 0000000C        <---------- numero 1
:0046CCEF 0F8599000000            jne 0046CD8E

OK, so we found the first one. What is it comparing? Well, EAX and 0C. Let's look at what is in eax: look at the top of your screen, top right it will say EAX=00000005 (if you don't see your register window, type WR to activate it). So eax is 5 and it's comparing it to 0C. What is 0C? Well, 0C is hex for 12, so it's comparing 5 to 12. Hmmm, any ideas? Well, maybe it's not important. Press F10 a few more times and we hit a jne which jumps to 0046CD8E; this appears to restore all the registers to their normal state and exit the call, so it looks like we have to pass this cmp. 5 and 12, hmmm, well, could the 5 be our serial length? Well, 12345 is 5 numbers. Let's double check by exiting from SoftICE and this time around entering 123456, now F8 at the call and F10 till you reach the cmp again. Hey look! It now compares 6 with 12, so this means our serial MUST be 12 numbers long... Exit SI and this time around enter 123456789123; once we reach the cmp we notice that it now compares 0C to 0C, and the jne we can pass through.
If we scroll down through the code we notice there is a series of cmps, almost 99% sure a number-by-number check:

:0046CCEC 83F80C                  cmp eax, 0000000C        <--- Check serial length, serial == 12
:0046CCEF 0F8599000000            jne 0046CD8E             <--- we can now pass
:0046CCF5 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CCF8 803838                  cmp byte ptr [eax], 38
:0046CCFB 0F858D000000            jne 0046CD8E
:0046CD01 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD04 80780233                cmp byte ptr [eax+02], 33
:0046CD08 0F8580000000            jne 0046CD8E
:0046CD0E 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD11 80780331                cmp byte ptr [eax+03], 31
:0046CD15 7577                    jne 0046CD8E
:0046CD17 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD1A 80780439                cmp byte ptr [eax+04], 39
:0046CD1E 756E                    jne 0046CD8E
:0046CD20 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD23 80780830                cmp byte ptr [eax+08], 30
:0046CD27 7565                    jne 0046CD8E
:0046CD29 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD2C 80780935                cmp byte ptr [eax+09], 35
:0046CD30 755C                    jne 0046CD8E
:0046CD32 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD35 80780A53                cmp byte ptr [eax+0A], 53
:0046CD39 7553                    jne 0046CD8E
:0046CD3B 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD3E 80780B45                cmp byte ptr [eax+0B], 45
:0046CD42 754A                    jne 0046CD8E

Let's press F10 until we reach the second cmp at 0046CCF8, 'cmp byte ptr [eax], 38'. Now this is comparing the first byte of eax with 38. First of all, what is the first byte of eax? Well, type D eax. Hey look! There's our serial, and the first byte would be '1', which is the first number of our serial. Now that is compared with 38. 38? That would be an ASCII number, so to convert type ? 38 and SoftICE will tell us that 38 is equal to 8. So it compares 1 with 8, and the first number of our serial isn't 8, so the next jump will exit the serial routine.
Now we know 2 things:
1) the serial must be 12 digits long
2) the first number must be 8

So open the registration box again and this time enter 823456789123, click OK, press F8 at the call and press F10 until we reach that same cmp again. Now we see that we can pass through the next jump. Almost straight after we meet another cmp instruction, 'cmp byte ptr [eax+02], 33'; this time it compares the first byte of eax + 2 to 33. We know that eax is our serial, so the first byte + 2 is the 3rd number. To check this type D EAX+2 and we can see in our dump screen that it says 3. This is compared with 33; type ? 33 to find out what 33 is and look, it's 3!! What a guess, eh :) We may continue on. Now we know our serial must have a structure like 8x3xxxxxxxxx

== S4 ==

Hopefully you're starting to get the idea; you should be able to finish, but i'll go on :)
Open up the registration box and enter

823456789123
^ ^
Must be

Once again click OK, press F8 at the call and F10 till the next cmp instruction, which is 'cmp byte ptr [eax+03], 31'. Type D eax+3 to find out that it's checking the fourth number of our serial, '4', with 31, which is '1' (type ? 31), so the fourth number of our serial must be a 1. Now we have 8x31xxxxxxxx (copy+paste time :) )

== S5 ==

Open up the registration box and enter

823156789123
^ ^^
Must be

Once again click OK, press F8 at the call and F10 till the next cmp instruction, which is 'cmp byte ptr [eax+04], 39'. Type D eax+4 to find out that it's checking the fifth number of our serial, '5', with 39, which is '9' (type ? 39), so the fifth number of our serial must be a 9.

== S6 ==

Now we know our serial must have a structure like 8x319xxxxxxx
Open up the registration box and enter

823196789123
^ ^^^
Must be

Once again click OK, press F8 at the call and F10 till the next cmp instruction, which is 'cmp byte ptr [eax+08], 30'. Type D eax+8 to find out that it's checking the ninth number of our serial, '9', with 30, which is '0' (type ? 30), so the ninth number of our serial must be a 0.
== S7 ==

Now we know our serial must have a structure like 8x319xxx0xxx
Open up the registration box and enter

823196780123
^ ^^^   ^
Must be

Once again click OK, press F8 at the call and F10 till the next cmp instruction, which is 'cmp byte ptr [eax+09], 35'. Type D eax+9 to find out that it's checking the tenth number of our serial, '1', with 35, which is '5' (type ? 35), so the tenth number of our serial must be a 5.

== S8 ==

Now we know our serial must have a structure like 8x319xxx05xx
Open up the registration box and enter

823196780523
^ ^^^   ^^
Must be

Once again click OK, press F8 at the call and F10 till the next cmp instruction, which is 'cmp byte ptr [eax+0A], 53'. Type D eax+a to find out that it's checking the eleventh number of our serial, '2', with 53, which is 'S' (type ? 53), so the eleventh number of our serial must be an S.

== S9 ==

Now we know our serial must have a structure like 8x319xxx05Sx
Open up the registration box and enter

8231967805S3
^ ^^^   ^^^
Must be (note capitals)

Once again click OK, press F8 at the call and F10 till the next cmp instruction, which is 'cmp byte ptr [eax+0B], 45'. Type D eax+b to find out that it's checking the 12th number of our serial, '3', with 45, which is 'E' (type ? 45), so the 12th number of our serial must be an E. As soon as you exit SI you will be registered. That's it!
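The compare chain at 0046CCEC..0046CD42 is the whole check, so it can be written down exactly, and that is also what makes it weak: each cmp hands a debugger user one byte of the answer. The following is an added Python example, not the author's code and not the program's own Delphi; check_serial_as_disassembled mirrors the disassembled routine, leaked_template shows what the chain gives away, and check_serial_hashed is an assumed hardened variant (the salt and the stored digest are constructed for this example) that compares a SHA-256 digest in constant time so no byte-at-a-time oracle exists.

```python
import hashlib
import hmac

# The serial check as it reads in the disassembly at 0046CCEC..0046CD42:
# one length compare, then eight 'cmp byte ptr [eax+N], imm8' tests, each
# jumping to the failure exit (0046CD8E) on mismatch. Offsets that are never
# compared become the "x" positions of the 8x319xxx05SE structure.
EXPECTED_LENGTH = 0x0C
FIXED_BYTES = {      # offset -> immediate from the cmp (ASCII code)
    0x00: 0x38,      # '8'
    0x02: 0x33,      # '3'
    0x03: 0x31,      # '1'
    0x04: 0x39,      # '9'
    0x08: 0x30,      # '0'
    0x09: 0x35,      # '5'
    0x0A: 0x53,      # 'S'
    0x0B: 0x45,      # 'E'
}


def check_serial_as_disassembled(serial: str) -> bool:
    """Mirror of the original routine: accepts exactly what the cmp chain accepts."""
    data = serial.encode("latin-1", errors="replace")
    if len(data) != EXPECTED_LENGTH:          # cmp eax, 0000000C / jne 0046CD8E
        return False
    for offset, imm in FIXED_BYTES.items():   # cmp byte ptr [eax+N], imm / jne
        if data[offset] != imm:
            return False
    return True


def leaked_template(fixed: dict, length: int) -> str:
    """What the tutorial's single-stepping recovers: one byte per cmp, and every
    offset the code never touches is free ('x')."""
    return "".join(chr(fixed[i]) if i in fixed else "x" for i in range(length))


# Assumed hardened variant for the same "one accepted serial" policy. The real
# program does nothing like this; it is here to show the contrast. Only a salted
# SHA-256 of the accepted value is stored, and digests are compared in constant
# time, so a debugger sees a 32-byte digest compare instead of eight answers.
SALT = b"example-salt"                      # constructed value for this example
STORED_DIGEST = hashlib.sha256(SALT + b"8031967805SE").hexdigest()   # constructed


def check_serial_hashed(serial: str, stored_hex: str = STORED_DIGEST) -> bool:
    """Compare a digest of the input against the stored digest, in constant time."""
    candidate = hashlib.sha256(SALT + serial.encode("latin-1", errors="replace"))
    return hmac.compare_digest(candidate.hexdigest(), stored_hex)


if __name__ == "__main__":
    for attempt in ("12345", "823456789123", "8231967805S3", "8031967805SE"):
        print(attempt, check_serial_as_disassembled(attempt))
    print("structure recovered from the cmp chain:",
          leaked_template(FIXED_BYTES, EXPECTED_LENGTH))
    print("hashed check:", check_serial_hashed("8031967805SE"))
```

The digest compare removes the per-byte oracle this tutorial walks through, and a wildcard position like the x's cannot exist in it, since the digest pins every byte. It does nothing about patching the branch after the compare; that is a separate problem (integrity of the code itself), and the author notes that patching the je alone did not work on this target.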
You found a serial by the process of checking certain numbers. We now know your serial must be like 8x319xxx05SE, where the x's can be any number/letter. We can now program some code to show this serial on the screen with random numbers where the x's are. Here's the Pascal code:

=================================================================
{*****************************************}
{*Security Administrator Serial Generator*}
{*Coded by [yAtEs]                       *}
{*****************************************}

Uses crt;

Var
  a2nd, a6th, a7th, a8th: integer;   { the four positions the check never looks at }

Begin
  Clrscr;
  textcolor(1);
  Writeln('=======================================================');
  Writeln('Security Administrator v1.3 Serial Generator [yAtEs]   ');
  Writeln('=======================================================');
  textcolor(14);
  Randomize;
  { random(10) gives 0..9; the original random(9)+0 could never produce a 9 }
  a2nd := random(10);
  a6th := random(10);
  a7th := random(10);
  a8th := random(10);
  Writeln;
  { fixed characters come from the cmp chain, random digits fill the x positions }
  Writeln('Serial: 8', a2nd, '319', a6th, a7th, a8th, '05SE');
  Readln;
end.
=================================================================

Of course this code isn't perfect (mine never is ;)); this only produces random numbers for the spaces, don't forget we can have characters too. i leave that to you: if you code one that produces random characters and numbers in PASCAL and you're a newbie, then email it to me, i'd be interested to see if anyone bothers :)

gREETz:- Acid_Burn, Appbusta, Axion, Bjanes, Craftyhac, Carpathia, Dezm, Inferno, medivh, Nitrus, NeutralN, Smaegle, _targ0n, thorny, The_Corpse, tornado, Zoltan, _y and the C4N team + all other great people i have met =:)->-<.

If you didn't understand any part of this tutorial then please let me know, as this will help me to write the misunderstood part in more detail in future. Thank you.

==============================
[yAtEs][ECL`99] RY@hotpop.com
==============================
=================================================================