Win32 Code Reversing
Program Name: Melody v1.52
Program Type: Image Viewing Utility
Program Location: [ here ]
Program Size: 435 kb

Tools used:
W32Dasm - Win'95/98 Disassembler
SoftICE V4.X - Debugger
Resource Builder - VC++ or RB
"We Are Feeling The Crack Just Before We Crack It, That's What Makes Us Good Crackers"

Cracking A Win32 Image Utility ('Very Bad Protection, Lame Sniff Out, Easy KeyGen')
Written By Bengaly
Melody can be used to play WAV, MPEG, MIDI and MOD files or to play audio CDs. Navigating files and disks is simple; only the two mouse buttons are used:
One click with the left button opens a disk or folder, and also starts playing a song. Clicking the right button anywhere takes you up one level of the folder tree, up to the list of drives.
Double-click is not used, and you do not need to search for an exit button to leave the current folder.
About this protection
This program is registered by selecting the '?' button, then the 'Register Your Copy Now' button.
User name:
Registration Code:
On successful registration the program will save your User/serial in the registry:
HKEY_CURRENT_USER/Software/LightTek/Melodic/
User: Bengaly
Name: the serial is stored transformed into HEX in the registry
If you want to use this software please buy it, it's only 10$; the program is very good. Please support it!
Hello and welcome to my 30th tutorial :=).
Today we are going to register a small program I have found on the net!
I must say the programmers implemented a very weak protection into the main code; you will see why.
Since we are going to dig out the serial, I will explain the algo and where the actual serial is generated.
Although there are a lot of types of programs, every one of them still uses this lame way: CMP -> JNZ (JNE) :-)
Enough talking; there is no point for me to keep talking, as you all know how to crack such easy protections.
We load the program and go straight to the '?', then the 'Register Your Copy Now' button.
We are welcomed by a Serial/Name input box; now fill in whatever info you wish to.
Name: bengaly
Serial: 12121212
Press the OK button and you will be greeted by a Bad_Boy message box saying we entered a wrong serial number for our name.
The first thing we should do is write down the bad message we got: "Invalid Registration Name Or Code, Try Again"
After we wrote down the message, we open Win32Dasm and first disassemble our target.
After the quick disassembly, open the Strn-Ref (string references) and search for our message text. Found? Good, we are here:
Start Address: 0044734F

XOR ESI,ESI                        ; Clear register
MOV EAX,DWORD PTR [EBP-008h]       ; EAX = our fake name
CALL 00403BC4                      ; This call gets our name length
TEST EAX,EAX                       ; Test our length
JLE 00447370                       ; Jump if less or equal (empty name)
MOV EDX,000000001h                 ; EDX = 1 <= from here I can see it's a counter
MOV ECX,DWORD PTR [EBP-008h]       ; ECX = our fake name
MOVZX ECX,BYTE PTR [EDX+ECX-001h]  ; ECX = one char of our name
ADD ESI,ECX                        ; ESI = ESI + ECX
INC EDX                            ; Increase counter by 1 (next char of our name)
DEC EAX                            ; EAX = our fake name length - 1
JNZ 00447362                       ; Has the counter finished? (all name chars counted?)
MOV DWORD PTR [EBP-014h],ESI       ; ESI moves to memory (in EBP-014)
FILD DWORD PTR [EBP-014h]          ; Puts an integer on the FPU stack (not important)
CALL 004029C8                      ; EAX = ESI
MOV EDX,EAX                        ; EDX = EAX
SHL EAX,007h                       ; EAX << 07h
ADD EAX,EDX                        ; EAX = EAX + EDX
MOV ESI,EAX                        ; ESI = EAX
CMP ESI,DWORD PTR [EBP-004h]       ; Compare our real serial (ESI) with EBP-004
JNZ 00447456                       ; Jump if not equal (BAD MESSAGE)
As you see I have cleaned up the code so it will be easier to understand (but I have not deleted any code).
OK, you now see the whole code for the algo and where the serial is compared :-)
Unlike other apps, this program does not use a CALL to generate the valid serial, so we can see that the serial generation is basically done in the code snippet above.
Our first mission is to dig out a valid serial, and then we will write our KeyGenerator.
Open Melody, go to the registration field and fill in your data; mine was:
Name: bengaly
Reg Code: 121221
Load up WinICE (SoftICE) and set a breakpoint on the hmemcpy system function: BPX HMEMCPY <enter>
Exit from WinICE and press the OK button. WinICE will pop up and we will be at the first memory copy instruction.
Press F5 to read the second text box and again we will pop up at meaningless code.
Now press F12 until you are in some of the program's code (no matter where).
Now we know from the code snippet above that the whole algo/compare starts at address 0044734F.
So press BC* to clear the hmemcpy breakpoint, and set a new one: BPX 44734F <enter>
Now we press F5 to reach the address, and WinICE will pop up at the XOR ESI,ESI described in the code snippet above.
What is left for us to do is to trace the instructions and pay attention to the registers that are changed by every instruction.
After you have passed the loop, which is based on your name length, you will land on the CMP instruction seen above. Now 'D ESI' won't work because we are dealing with an integer number and therefore we can't dump the location, so let's see what ESI holds: '? ESI' will show us what ESI holds, in my case:
:?ESI
000173E2 0000095202 "sâ"
Job Done.

Now that we know where the real serial is compared, a good look at the algo will make us understand how the serial is calculated.

XOR ESI,ESI                        ; Clear register
MOV EAX,DWORD PTR [EBP-008h]       ; X not needed, we move the name in the keygen already
CALL 00403BC4                      ; This call gets our name length (X not needed either)
TEST EAX,EAX                       ; Test our length (X no need to check the length again)
JLE 00447370                       ; Jump if less or equal (X no need to jump)
MOV EDX,000000001h                 ; EDX = 1 <= from here I can see it's a counter
MOV ECX,DWORD PTR [EBP-008h]       ; ECX = our fake name
MOVZX ECX,BYTE PTR [EDX+ECX-001h]  ; ECX = one char of our name
ADD ESI,ECX                        ; ESI = ESI + ECX
INC EDX                            ; Increase counter by 1 (next char of our name)
DEC EAX                            ; EAX = our fake name length - 1
JNZ 00447362                       ; Has the counter finished? (all name chars counted?)
MOV DWORD PTR [EBP-014h],ESI       ; ESI moves to memory (in EBP-014)
FILD DWORD PTR [EBP-014h]          ; Puts an integer on the FPU stack (not important)
CALL 004029C8                      ; EAX = ESI ; change the call to EAX = ESI
MOV EDX,EAX                        ; EDX = EAX
SHL EAX,007h                       ; EAX << 07h
ADD EAX,EDX                        ; EAX = EAX + EDX
MOV ESI,EAX                        ; ESI = EAX
CMP ESI,DWORD PTR [EBP-004h]       ; Compare our real serial (ESI) with EBP-004 (X not needed)
Let us now rip everything into valid code in our win32asm file:

invoke lstrlen, addr Entered                  ; EAX = length of the entered name
XOR EDX,EDX
XOR ESI,ESI                                   ; ESI = running sum of the name's chars
MOV EDX,00000001                              ; EDX = 1-based char counter
loop1:
lea ECX,Entered
MOVZX ECX,BYTE PTR [edx+Entered-01]           ; ECX = current char of the name
ADD ESI,ECX                                   ; ESI = ESI + char
INC EDX
DEC EAX
JNZ loop1                                     ; loop until all chars are summed
MOV EAX,ESI
MOV EDX,EAX
SHL EAX,07                                    ; EAX = sum * 128
ADD EAX,EDX                                   ; EAX = sum * 128 + sum = sum * 129
MOV ESI,EAX
invoke wsprintf, addr MyS, addr ToDecimal, esi  ; format the serial as a decimal string
invoke SetDlgItemText, hwnd, 107, addr MyS      ; show it in dialog control 107
No need to add the whole asm file, because everyone has their own style of writing asm code, so I will leave you only with the ready algo.
Job Done.
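As an added illustration (not part of the original tutorial and not Melody's or the author's own code), the Python below reproduces the check traced in the two listings above so its properties can be examined concretely, and places a keyed verifier next to it for comparison. The value 95202 is the one '? ESI' showed for the name "bengaly"; the 32-byte secret, the helper names and the sample names are constructed for this example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


# --- The scheme traced on the page: sum of the name's bytes, times 129 -------

def melody_serial(name: str) -> int:
    """Mirror the traced loop and the SHL/ADD that follow it.
    ESI accumulates one byte per iteration; EAX = (ESI << 7) + ESI = ESI * 129.
    No secret is involved anywhere, so the name alone determines the code."""
    total = sum(name.encode("latin-1"))  # ADD ESI,ECX once per character
    return (total << 7) + total          # SHL EAX,07h ; ADD EAX,EDX


def melody_check(name: str, code: int) -> bool:
    """The CMP ESI,[EBP-4] / JNZ pair: a single equality test decides."""
    return melody_serial(name) == code


def anagram_collisions(names):
    """Group names that map to the same code. Because the loop only sums
    bytes, every permutation of a name yields the same serial, and so do
    many unrelated names whose byte sums happen to match."""
    groups = defaultdict(list)
    for n in names:
        groups[melody_serial(n)].append(n)
    return {serial: ns for serial, ns in groups.items() if len(ns) > 1}


# --- A keyed alternative (illustration only, not the vendor's scheme) -------

def issue_code(name: str, secret: bytes) -> str:
    """Vendor side: derive the code from the name under a secret key.
    The secret must stay on the vendor's activation server; if it is
    compiled into the client, reading the client recovers it just as the
    trace above recovered the multiply-by-129 rule."""
    mac = hmac.new(secret, name.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:20]


def verify_code(name: str, code: str, secret: bytes) -> bool:
    """Server-side verification. compare_digest is constant time, so the
    comparison itself does not leak which prefix of the code was right."""
    return hmac.compare_digest(issue_code(name, secret), code)


if __name__ == "__main__":
    print(hex(melody_serial("bengaly")), melody_serial("bengaly"))  # 0x173e2 95202
    print(anagram_collisions(["bengaly", "yalgneb", "other"]))
    demo_secret = secrets.token_bytes(32)  # constructed, server-side only
    code = issue_code("bengaly", demo_secret)
    print(verify_code("bengaly", code, demo_secret), verify_code("bengalx", code, demo_secret))
```

The keyed version only helps when the check runs where the secret lives (an activation server); software that must verify codes entirely offline needs a public-key signature scheme instead, so that the client holds only a verification key and nothing in the binary can produce a valid code.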
Do I really have to remind you all that by buying and NOT stealing the software you use, you will ensure that these software houses will continue to produce even *better* software for us to use and, more importantly, to continue offering even more challenges to breaking their often weak protection systems.
If you're looking for cracks or serial numbers then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks, etc.
+SandMan...
I would like to say thank you to all who have supported me and helped me through my cracking days:

For his Great Essays And Skills
For his awesome Tutorials
For Helping Me in Cracking & Hosting
For Helping Me in Win32Asm
For Helping Me in Win32Asm
gogamoga: For helping me in Win32Asm