 
July 2001
"BlowFish v2.2"
Win32 Program
Win32 Code Reversing
 
by Bengaly
 
 
Code Reversing For Beginners 
Program Details
Program Name: BlowFish v2.2
Program Type: Encryption Utility
Program Location: [ here ]
Program Size: 253 kb

 

Tools Required:
W32Dasm  - Win'95/98 Disassembler
Softice V4.X -  Debugger 
Hex-Editor - Any (optional)
Level
Easy ( X )  Medium (   )  Hard (   )  Pro (   )
"A Crack will never die as long as the Cracker still lives"


 Cracking A Win32 Web Utility
('Simple Protection, Simple Sniff Out')
Written by Bengaly


Introduction

BlowFish 2000 is a small, easy to use file encryption utility. Simply drag and drop files and folders to quickly protect your sensitive documents, then enter an encryption key to encode and decode the files you want to protect from prying eyes. You can also select files to be encrypted from the MS Windows Explorer right-click menu.
Drag and Drop Files
Files and folders can be quickly selected for encryption and decoding by simply dragging them to the desired file list windows.

MS Windows Explorer Encryption
Files can also be quickly encrypted and decoded directly from the MS Windows File Explorer.
Simply select the files to be processed and then right-click your mouse to display a pop-up context menu. Choose either 'Encrypt with BlowFish' or 'Decrypt with BlowFish' on the Send To menu.

About this protection

This program is registered by selecting the 'Help' button, then the 'Register' button.
User name:
Organization:
Registration:

On successful registration the program saves your user/serial in the registry under:
HKEY_CURRENT_USER\Software\Software By Design\BlowFish 2000\Registration
Code: Bengaly
User: ThunderCats
Name: 3404118051       <-- This serial is generated by the program (3404118051 in decimal is CAE6B823 in hex)

If you want to use this software, please buy it. It costs $25 and the program is very good, so please support it!

The Essay

Hello and welcome to my 28th tutorial.

Software By Design has a lot of software on their page that uses the same protection; only the
serial generator differs, and it is not so hard to keygen either.
OK, so let us begin this essay.

Run BlowFish and go to Help->Register.
You will see the info boxes we need to fill out, so let's fill them:

User Name: Bengaly
Organization: ThunderCats
Registration: 1234567890

Now we will open Soft-Ice in order to trace the whole thing.
Pop up SoftICE (CTRL+D) and type 'BPX GETDLGITEMTEXTA'.
Now leave SoftICE: press F5, or type X, or press CTRL+D again.
Click the OK button and SoftICE pops up:

EAX=00000007   EBX=00000032   ECX=80008790   EDX=80008DE0   ESI=0042A3D0
EDI=0042A402   EBP=00000F3C   ESP=0066F7E0   EIP=004106A1   o d I S z a P c
CS=0177   DS=017F   SS=017F   ES=017F   FS=12D7   GS=0000
======================================================================PROT32
0177:0041069B  CALL      [USER32!GetDlgItemTextA]
0177:004106A1  POP       EDI      ; We Land Here
0177:004106A2  POP       ESI
0177:004106A3  MOV       EAX,00000001
0177:004106A8  POP       EBX
0177:004106A9  RET
0177:004106AA  NOP
0177:004106AB  NOP
0177:004106AC  NOP
0177:004106AD  NOP
===============================================================================

Hmm, this is odd: only some POPs and a MOV EAX,1 (a return value, probably a success flag).
This routine is just a small wrapper around GetDlgItemTextA, so there is nothing to do here.
Press F10 until you pass the RET instruction and you will land in the caller, in this code snippet:

0177:00408A12  CALL      00410670   ; wrapper around GetDlgItemTextA (the one we broke on); the name is read into the buffer at ESI
0177:00408A17  LEA       EDI,[ESI+32] ; EDI = buffer for the organization, 32h bytes after the name
0177:00408A1A  PUSH      32    ; nMaxCount = 32h (50 chars)
0177:00408A1C  PUSH      EDI   ; lpString = destination buffer
0177:00408A1D  PUSH      66    ; nIDDlgItem = 66h (the Organization edit box)
0177:00408A1F  PUSH      EBP   ; hDlg
0177:00408A20  CALL      00410670 ; wrapper around GetDlgItemTextA again
0177:00408A25  LEA       EAX,[ESP+30] ; EAX = stack buffer for the serial we typed
0177:00408A29  PUSH      00000100  ; nMaxCount = 100h (256 chars)
0177:00408A2E  PUSH      EAX      ; lpString = that buffer
0177:00408A2F  PUSH      67       ; nIDDlgItem = 67h (the Registration edit box)
0177:00408A31  PUSH      EBP      ; hDlg
0177:00408A32  CALL      00410670 ; wrapper around GetDlgItemTextA again
0177:00408A37  LEA       ECX,[ESP+40] ; same buffer as [ESP+30] above (ESP moved by 10h for the four pushes): the fake serial
0177:00408A3B  PUSH      ECX        ; pass the fake serial string
0177:00408A3C  CALL      00411AF5  ; converts the string to a number: EAX = fake serial
0177:00408A41  PUSH      ESI ; name & organization
0177:00408A42  MOV       EBX,EAX ; EBX = fake serial
0177:00408A44  CALL      00410600 ; computes something from the name; not important for the serial check
0177:00408A49  ADD       ESP,38   ; clean up the 14 DWORDs pushed for the five calls above (not 'fake serial + 38')
0177:00408A4C  CMP       EAX,0119A792  ; compare that result with a constant
0177:00408A51  JNZ       00408A6B  ; not equal: jump  <---|
0177:00408A53  MOV       EBX,[KERNEL32!lstrcpy]         | ; equal: copy a fixed string over the name buffer
0177:00408A59  PUSH      0041CD4C                       |
0177:00408A5E  PUSH      ESI                            |
0177:00408A5F  CALL      EBX                            |
0177:00408A61  PUSH      0041CD3C                       | ; and another one over the organization buffer
0177:00408A66  PUSH      EDI                            |
0177:00408A67  CALL      EBX                            |
0177:00408A69  JMP       00408A72                       |
0177:00408A6B  CMP       EAX,0D5FCE3C ; we land here <---|  compare with a second constant
0177:00408A70  JNZ       00408A7E ; not equal: jump <-|
0177:00408A72  PUSH      EDI                  | ; equal (or came from the JMP above):
0177:00408A73  PUSH      ESI                  |
0177:00408A74  CALL      00410030             | ; run the generator once ...
0177:00408A79  ADD       ESP,08               |
0177:00408A7C  MOV       EBX,EAX              | ; ... and replace the fake serial in EBX with its result
0177:00408A7E  PUSH      EDI ; we land here<---|
0177:00408A7F  PUSH      ESI    ; name & organization
0177:00408A80  CALL      00410030   ; the generator: EAX = real serial from name & organization
0177:00408A85  ADD       ESP,08     ; clean up the two arguments
0177:00408A88  CMP       EBX,EAX ; fake serial vs real serial
0177:00408A8A  POP       EDI   ; restore EDI (does not touch the flags)
0177:00408A8B  JZ        00408AAA ; equal: jump to the 'registered' code (JZ = jump if equal, not 'not equal')

Not so hard to understand: you land right where the fake serial is compared with the generated one.
While on the CMP at 00408A88, type '? EAX' and '? EBX' to see what is being compared:
? EBX = 1234567890 (fake, the serial we typed)
? EAX = 3404118051 (real serial for this name/organization)

We use '?' here because the program has already converted the typed serial into a number (EBX holds the
value itself, not a pointer to text), so there is no string in memory to dump with the 'D' command.
SoftICE's '?' shows the value in hex and decimal, which is why the decimal serial 3404118051 also appears
as CAE6B823. Note also the two CMPs against 0119A792 and 0D5FCE3C above: as far as this listing shows, if the
call at 00410600 returns either constant, EBX is loaded from the generator instead of from the typed serial,
so for such a name the serial you type is never really compared at all.
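Here is an added example, not code from the tutorial or from Software By Design, that reconstructs the compare at 00408A88 in C so the register values seen above can be reproduced offline. It assumes the conversion at 00411AF5 behaves like the C runtime's atol() of that era (leading whitespace and a sign are allowed, decimal digits are accumulated until the first non-digit, and there is no overflow check, so the result wraps in 32 bits exactly like EBX). The generator at 00410030 is not reconstructed, since the tutorial never shows it: serial_from_name_org() is a placeholder that only knows the one name/organization/serial triple recorded above.

```c
/* Added example: C model of the serial check traced in this tutorial.
 * Not the program's own code; see the assumptions in the lead-in. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EBX after CALL 00411AF5: the typed serial as a 32-bit register value.
 * Assumption: behaves like MSVC's atol() (no overflow checking). */
static uint32_t atol32(const char *s)
{
    uint32_t total = 0;
    int neg = 0;

    while (*s == ' ' || *s == '\t' || *s == '\n' ||
           *s == '\r' || *s == '\v' || *s == '\f')
        s++;                                   /* skip leading whitespace */
    if (*s == '+' || *s == '-') {
        neg = (*s == '-');
        s++;
    }
    while (*s >= '0' && *s <= '9') {
        total = total * 10u + (uint32_t)(*s - '0');  /* wraps mod 2^32, like EBX */
        s++;
    }
    return neg ? (uint32_t)(0u - total) : total;   /* stops at first non-digit */
}

/* Placeholder for CALL 00410030 (EAX = real serial from name + organization).
 * Only the pair observed in the tutorial is known; 0 means "unknown pair". */
static uint32_t serial_from_name_org(const char *name, const char *org)
{
    if (strcmp(name, "Bengaly") == 0 && strcmp(org, "ThunderCats") == 0)
        return 3404118051u;                    /* 0xCAE6B823, the value seen in EAX */
    return 0;
}

/* The CMP EBX,EAX / JZ at 00408A88: returns 1 if registered, 0 if rejected. */
static int check_registration(const char *name, const char *org, const char *typed)
{
    uint32_t real = serial_from_name_org(name, org);
    uint32_t fake = atol32(typed);
    return real != 0 && fake == real;
}

/* Roughly what SoftICE's "? <reg>" prints for a 32-bit value: hex, then decimal. */
static void softice_query(const char *reg, uint32_t v)
{
    printf("? %s = %08X  %010u\n", reg, (unsigned)v, (unsigned)v);
}

int main(void)
{
    softice_query("EBX", atol32("1234567890"));                  /* the fake serial */
    softice_query("EAX", serial_from_name_org("Bengaly", "ThunderCats"));

    printf("typed decimal  : %d\n", check_registration("Bengaly", "ThunderCats", "3404118051"));
    printf("typed hex text : %d\n", check_registration("Bengaly", "ThunderCats", "CAE6B823"));
    printf("trailing junk  : %d\n", check_registration("Bengaly", "ThunderCats", "3404118051xyz"));
    return 0;
}
```

Compile with cc and run it: the two '?' lines print the same hex/decimal pairs the tutorial quotes (499602D2 / 1234567890 and CAE6B823 / 3404118051), the decimal text is accepted, the hex text 'CAE6B823' is rejected (its first character is not a digit, so it converts to 0), and characters after the digits are ignored, which is why a serial typed with trailing junk still passes.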

I must say that although Software By Design has made a lot of shareware, they haven't changed the
protection scheme, only the generator.
So this tutorial applies to all shareware by them! ;D
 
 
Oh And..

Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses will continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges to breaking their often weak protection systems?

If you're looking for cracks or serial numbers then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks and etc.

+SandMan...
 
Greetings

I would like to say thank you to all who have supported me and helped me through my cracking days:
 
 
 +ORC 
For his Great Essays And Skills
+SandMan
For his awesome Tutorials
CoDe_InSiDe
For helping me with cracking & hosting
FusS
For helping me with W32Asm
BLAcKgH0sT
For Being A Good Friend