sorry my question... keygening


AarzaK
04-03-2005, 05:06 PM
Hi! Sorry for my question if this isn't the correct board. I'm working on this code and have problems
understanding why it has only 1 valid serial; I think that it has more serials. I have problems
with my study, it only gives 1 correct serial. Can you help me please? Sorry for my English.

my (bad??) study:


the tale starts at offset 401540;

00401540 /$ 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]

here it moves the serial into EAX

example: 111 111 1111 --> 423A35C7h

later, 7 and 8 push e1e235d1 (correct serial!), push 33c65319 and push eax

then it calls a serial check where
MOV EAX,DWORD PTR SS:[ESP+4] -> here it moves the serial from the dialog box
MOV ECX,DWORD PTR SS:[ESP+C] -> here it moves the correct serial (only 1??)
XOR EAX,ECX -> I don't understand this piece
IMUL EAX,DWORD PTR SS:[ESP+8] -> imul and exit the routine

later it uses this arithmetic check and gets...

XOR EDX,EDX
MOV ECX,138D
DIV ECX
ADD ESP,0C
MOV EAX,EDX
NEG EAX
SBB EAX,EAX
INC EAX


I wrote a bruteforcer and it only gives 1 serial; I think I have a problem with my study



SERIAL CHECK


00402723   . E8 18EEFFFF    CALL SERIALCHECK.00401540
00402728   . 83C4 08        ADD ESP,8
0040272B   . 85C0           TEST EAX,EAX
0040272D   . 0F84 D3000000  JE SERIALCHECK.00402806


1)  00401530  /$ 8B4424 04      MOV EAX,DWORD PTR SS:[ESP+4]
2)  00401534  |. 8B4C24 0C      MOV ECX,DWORD PTR SS:[ESP+C]
3)  00401538  |. 33C1           XOR EAX,ECX                    ;  SERIALCHECK.0040FDD2
4)  0040153A  |. 0FAF4424 08    IMUL EAX,DWORD PTR SS:[ESP+8]
5)  0040153F  \. C3             RETN


6)  00401540  /$ 8B4424 04      MOV EAX,DWORD PTR SS:[ESP+4]
7)  00401544  |. 68 D135E2E1    PUSH E1E235D1
8)  00401549  |. 68 1953C633    PUSH 33C65319
9)  0040154E  |. 50             PUSH EAX
10) 0040154F  |. E8 DCFFFFFF    CALL SERIALCHECK.00401530
11) 00401554  |. 33D2           XOR EDX,EDX
12) 00401556  |. B9 8D130000    MOV ECX,138D
13) 0040155B  |. F7F1           DIV ECX                        ;  SERIALCHECK.0040FDD2
14) 0040155D  |. 83C4 0C        ADD ESP,0C
15) 00401560  |. 8BC2           MOV EAX,EDX
16) 00401562  |. F7D8           NEG EAX
17) 00401564  |. 1BC0           SBB EAX,EAX
18) 00401566  |. 40             INC EAX
19) 00401567  \. C3             RETN


at (6) the serial generation routine begins; it moves into EAX the entered serial value
converted to hexadecimal, then at (7), (8) and (9) it saves the values on the stack
and makes a call to (1), where it moves the entered value into eax, the valid serial into ecx and
does an "xor eax,ecx", then it does a signed multiplication and leaves the routine.
at (11) it clears edx and then at (12) it moves 138dh into edx to divide at
(13) with eax; I am left with a remainder in edx, which I then move to eax (15), negate (16)
and afterwards subtract, but with carry if this was 1; then I increment it and exit.


brute forcer



//---------------------------------------------------------------------------

#include <vcl.h>
#include <stdlib.h>
#include <iostream.h>
#pragma hdrstop

#include "MUnit1.h"
//---------------------------------------------------------------------------
#pragma package(smart_init)
#pragma resource "*.dfm"
TForm1 *Form1;
//---------------------------------------------------------------------------
__fastcall TForm1::TForm1(TComponent* Owner)
        : TForm(Owner)
{
}
//---------------------------------------------------------------------------

void __fastcall TForm1::Button1Click(TObject *Sender)
{
unsigned long A,B,C,D,E,F,G,H,I;
DWORD J,K,P1=3789698513,P2=868635417,P3=5005;
try
{
K=StrToInt64(Edit1->Text);
if(K < 4294967295)
{
RichEdit1->Lines->Clear();
J=0;
do{
__asm
{
   xor eax,eax;
   mov eax,K
   mul eax,P3;
   mov A,eax
   idiv eax,P2;
   mov D,edx;
   mov B,eax
   or eax,P1;
   mov F,eax;
}

RichEdit1->Lines->Add("SERIAL:  " + AnsiString(F));
Edit2->Text = AnsiString(J+1);
Edit2->Refresh();
K++;
J++;
}while(K<4294967295);

 SaveDialog1->Execute();
 RichEdit1->Lines->SaveToFile(SaveDialog1->FileName);
}
else if (K >=4294967295)
{
RichEdit1->Lines->Add("out from range ");
}
}
catch(...)
{

RichEdit1->Lines->Add("Write Only numbers in decimal format ok :) ");
}

Edit1->Clear();
Edit2->Clear();


}
//---------------------------------------------------------------------------

void __fastcall TForm1::Button2Click(TObject *Sender)
{
Close();
}
//-------------------


the program always repeats the serial and it doesn't change; I think my analysis is bad

I hope you can help me with this

Best Regards, AarzaK. :D

kw
04-03-2005, 07:45 PM
Basically, the code you are trying to reverse is (in a short C line):

if( ( (serial^0xE1E235D1)*0x33C65319) % 0x138D == 0) Success("!!!")

or, in a more easily readable form:

unsigned int SerialCheck(unsigned int serial, unsigned int magic1, unsigned int magic2)
{
   /* unsigned: only the low 32 bits are kept and the caller divides with DIV */
   serial = serial ^ magic2;
   serial = serial * magic1;
   return serial;
}

..

if( SerialCheck(serial, 0x33C65319, 0xE1E235D1) % 0x138D == 0)
    //success!


This is of course not yet an answer, but it makes the whole problem a lot easier to think about ;-)

-kw

kw
04-03-2005, 07:55 PM
Now if I am not mistaken this will end up as:


Take a random x between 0 and 0xD1817 (highest value to end below 0xFFFFFFFF after being multiplied by 0x138D)

multiply that x by 0x138D
Then check if there is a valid 32bit number to reach it after the SerialCheck algorithm:

for(i=0; i<0xFFFFFFFF; i++)
{
 if(i * 0x33C65319 == x) //ignore the overflow
    return i^0xE1E235D1; //your CORRECT serial
}

If there was one, you are done.. Else I would say use ((x+1) % 0xD1818) as your next starting number and try again until you find one that works.


-kw
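
The check discussed in the two posts above, modelled in C as an added example (not code from the thread or from the crackme). The function names are assumptions; the three constants are the ones in the disassembly. It spells out what NEG/SBB/INC computes and counts how many values in a range pass the check.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants taken from the disassembly in the thread. */
#define XOR_KEY 0xE1E235D1u /* PUSH E1E235D1 */
#define MUL_KEY 0x33C65319u /* PUSH 33C65319 */
#define MODULUS 0x138Du     /* MOV ECX,138D (5005 decimal) */

/* 00401530: XOR, then IMUL keeping only the low 32 bits.
   uint32_t wraparound gives the same low 32 bits as IMUL r32. */
static uint32_t mix(uint32_t serial, uint32_t mul, uint32_t key)
{
    return (serial ^ key) * mul;
}

/* NEG EAX / SBB EAX,EAX / INC EAX, step by step.
   NEG sets CF when EAX != 0; SBB EAX,EAX yields 0 - CF; INC adds 1. */
static uint32_t neg_sbb_inc(uint32_t eax)
{
    uint32_t cf = (eax != 0); /* carry flag after NEG */
    eax = 0u - eax;           /* NEG EAX */
    eax = eax - eax - cf;     /* SBB EAX,EAX -> 0 or 0xFFFFFFFF */
    return eax + 1u;          /* INC EAX -> 1 or 0 */
}

/* 00401540: 1 when the remainder is zero (serial accepted), else 0. */
static uint32_t check_serial(uint32_t serial)
{
    /* XOR EDX,EDX + DIV ECX is an unsigned 32-bit division. */
    uint32_t rem = mix(serial, MUL_KEY, XOR_KEY) % MODULUS;
    return neg_sbb_inc(rem);
}

/* Hypothetical helper: how many of `count` serials from `first` pass. */
static uint32_t count_accepted(uint32_t first, uint32_t count)
{
    uint32_t hits = 0;
    for (uint32_t i = 0; i < count; i++)
        hits += check_serial(first + i);
    return hits;
}

int main(void)
{
    printf("0xE1E235D1 accepted: %u\n", (unsigned)check_serial(XOR_KEY));
    printf("accepted among 0..999999: %u\n", (unsigned)count_accepted(0, 1000000));
    return 0;
}
```

XOR with a constant and multiplication by an odd constant are both one-to-one on 32-bit values, so over the whole 32-bit range the number of accepted serials equals the number of multiples of 0x138D below 2^32, which matches the 0xD1817 bound in the post above.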

AarzaK
04-04-2005, 05:59 PM
Thanks kw!!!!!!!!!! Now this works fine, my code:

BRUTEFORCER


//---------------------------------------------------------------------------

#include <vcl.h>
#include <math.h>
#pragma hdrstop

#include "Unit1.h"
//---------------------------------------------------------------------------
#pragma package(smart_init)
#pragma resource "*.dfm"
TForm1 *Form1;
//---------------------------------------------------------------------------
__fastcall TForm1::TForm1(TComponent* Owner)
        : TForm(Owner)
{
}
//---------------------------------------------------------------------------

void __fastcall TForm1::Button1Click(TObject *Sender)
{
DWORD A,B,C,D,E,I,P;
DWORD EC=3789698513;
try
{
do{
I=GetTickCount();
Edit1->Text = I;
Edit1->Refresh();
asm mov eax,I
asm xor eax,EC
asm mov A,eax
B=A*868635417;
asm mov eax,B
asm mov ecx,5005
asm mov D,eax
D %=5005;
asm mov edx,D
asm mov eax,edx
asm neg eax
asm sbb eax,eax
asm inc eax
asm mov C,eax
}while(C==0);
Memo1->Lines->Add(I);
}
catch(...)
{
Application->MessageBox("Inserta Solo Numeros","Cuidado :0",MB_OK);
}

}
//---------------------------------------------------------------------------



it is a little slow but gives correct serials



this is a crackme (coded by AarzaK - Was Sent...) with the protection:




//---------------------------------------------------------------------------

#include <vcl.h>
#include <math.h>
#pragma hdrstop

#include "Unitk.h"
//---------------------------------------------------------------------------
#pragma package(smart_init)
#pragma resource "*.dfm"
TForm1 *Form1;
//---------------------------------------------------------------------------
__fastcall TForm1::TForm1(TComponent* Owner)
        : TForm(Owner)
{
}
//---------------------------------------------------------------------------

void __fastcall TForm1::Button1Click(TObject *Sender)
{
DWORD A,B,C,D,E,I;
DWORD EC=3789698513;
DWORD EA=868635417;
try
{
I = StrToInt64(Edit1->Text);
//A=I^ECX;
asm mov eax,I
asm xor eax,EC
asm mov A,eax
B=A*868635417;
asm mov eax,B
asm mov ecx,5005
asm mov D,eax
D %=5005;
asm mov edx,D
asm mov eax,edx
asm neg eax
asm sbb eax,eax
asm inc eax
asm mov C,eax
if (C==0)
{
Application->MessageBox("Well Done Cracker now making a Keygen and Submit","Felicitaciones",MB_OK);
Application->MessageBox("DONT BELIEVE, YOUR SERIAL IS BAD","ESTO ES UN CHISTE!!!",MB_OK);
}
else
{
Application->MessageBox("Well Done Cracker now making a Keygen and Submit","You Are Awesome!",MB_OK);
}
}
catch(...)
{
Application->MessageBox("Insert only Numbers","Warning! :0",MB_OK);
}

}
//---------------------------------------------------------------------------





thank you very much for the help :D

nig
05-29-2008, 06:03 PM
don't send recycled text.
please!!


cghots
06-08-2008, 06:18 AM
it was posted by a soft auto poster