August  2001
"Melody v1.52"
Win32 Program
Win32 Code Reversing
 
by Bengaly
 
 
Code Reversing Tutorial
Program Details
Program Name: Melody v1.52
Program Type: Image Viewing Utility
Program Location: [ here ]
Program Size: 435 kb

 

Tools Required:
W32Dasm - Win'95/98 Disassembler
SoftICE V4.X - Debugger
Resource Builder - VC++ or RB
Level
Easy ( X )  Medium (   )  Hard (   )  Pro (   )
"We Are Feeling The Crack Just Before We Crack It, That What Makes Us Good Crackers"


 Cracking A Win32 Image Utility
('Very Bad Protection, Lame Sniff Out, Easy KeyGen')

Written By Bengaly



 
Introduction
Melody can be used to play WAV, MPEG, MIDI, MOD files or to play audio CD disks. The navigation of files and disks is simple, 2 mouse buttons are used:
One click by the left button opens a disk or folder, and also starts playing a song. Clicking the right button in any place takes you up one level of the folder tree, up to the list of drives.
Double-click is not used and you do not need to search for the exit button from the current folder.

About this protection

This program is registered by selecting the '?' button, then the 'Register Your Copy Now' button.
User name:
Registration Code:

On successful registration the program saves your user name and serial in the registry:
HKEY_CURRENT_USER/Software/LightTek/Melodic/
User: Bengaly
Name: the serial, which the program stores as a HEX value in the registry

If you want to use this software, please buy it; it is only $10, the program is very good, please support it!

The Essay

Hello and welcome to my 30th tutorial :=).

Today we are going to register a small program I have found on the net!
I must say the programmers implemented a very weak protection into the main code; you will see why.
Since we are going to dig out the serial, I will explain the algo and where the actual serial is generated.
Although there are a lot of types of programs, every one of them still uses this lame way: CMP -> JNZ (JNE) :-)
Enough talking... there is no point in me continuing to talk, as you all know how to crack this type of easy protection.

We load the program and go straight to the '?' and then the 'Register Your Copy Now' button.
We are welcomed by a Name/Serial input box; now fill in whatever info you wish to.

Name: bengaly
Serial: 12121212
Press the OK button and you will be greeted by a Bad_Boy message box saying we entered a wrong serial number for our name.
The first thing we should do is write down the bad message we got: "Invalid Registration Name Or Code, Try Again"
After we have written down the message, we open W32Dasm and first disassemble our target.
After the quick disassembly, open the String Data References and search for our message text... found? Good, we are here:

Start Address: 0044734F
 XOR    ESI,ESI                      ; clear the running sum
 MOV    EAX,DWORD PTR [EBP-008h]     ; EAX = pointer to our (fake) name
 CALL   00403BC4                     ; this call returns our name length in EAX
 TEST   EAX,EAX                      ; test the length
 JLE    00447370                     ; jump if less or equal (empty name: skip the loop)
 MOV    EDX,000000001h               ; EDX = 1 <= from here I can see it's a counter (1-based index)
 MOV    ECX,DWORD PTR [EBP-008h]     ; ECX = pointer to our fake name
 MOVZX  ECX,BYTE PTR [EDX+ECX-001h]  ; ECX = one char of our name (zero-extended)
 ADD    ESI,ECX                      ; ESI = ESI + char value
 INC    EDX                          ; increase the counter by 1 (next char of our name)
 DEC    EAX                          ; EAX = remaining name length - 1
 JNZ    00447362                     ; has the counter finished? (all name chars summed?)
 MOV    DWORD PTR [EBP-014h],ESI     ; ESI moves to memory (in ebp-014)
 FILD   DWORD PTR [EBP-014h]         ; loads the integer onto the FPU stack (not important here)
 CALL   004029C8                     ; converts it back: effectively EAX = ESI
 MOV    EDX,EAX                      ; EDX = EAX
 SHL    EAX,007h                     ; EAX = EAX << 07h (sum * 128)
 ADD    EAX,EDX                      ; EAX = EAX + EDX (sum * 129)
 MOV    ESI,EAX                      ; ESI = EAX, the real serial
 CMP    ESI,DWORD PTR [EBP-004h]     ; compare our real serial (ESI) with the code we typed (EBP-004)
 JNZ    00447456                     ; jump if not equal (BAD MESSAGE)
End Address: 00447387

As you see I have cleaned up the code so it will be easier to understand (but I have not deleted any code).
OK, you now see the whole code for the algo and where the serial is compared :-)
Unlike other apps, this program does not use a CALL to generate the valid serial, so we can see
that the serial generation is basically done in the code snippet above: the characters of the name are summed, and the sum is shifted left by 7 and added to itself (sum * 129).
Our first mission is to dig out a valid serial, and then we will write our key generator.

Open Melody and go to the registration field, then fill in your data; mine was:

Name:bengaly
Reg Code:121221

Load WinICE (SoftICE) and set a breakpoint on the Hmemcpy system function: BPX HMEMCPY <enter>
Exit from WinICE and press the OK button... WinICE will pop up and we will be at the first
memory copy instruction.
Press F5 to read the second text box and again we will pop up at meaningless code.
Now press F12 until you are in some of the program's code (no matter where).
We know from the code snippet above that the whole algo/compare starts at address 0044734F,
so press BC* to clear the Hmemcpy breakpoint and set a new one: BPX 44734F <enter>
Now we press F5 to reach that address, and WinICE will pop up at the XOR ESI,ESI shown
in the code snippet above.
What is left for us to do is to trace the instructions and pay attention to the registers that are
changed by every instruction.
After you pass the loop, which is based on your name length, you will land on the CMP instruction
seen above. Now 'D ESI' won't work because we are dealing with an integer value (not a pointer) and therefore
we can't dump the location, so let's see what ESI holds: '? ESI' will show us what ESI holds, in my case:
 
:?ESI
000173E2  0000095202  "sâ" 

Job Done.
 
Coding the  keyGen

Now that we know where the real serial is compared, a good look at the algo will make us
understand how the serial is being calculated.
 
 
 XOR    ESI,ESI                      ; clear the running sum
 MOV    EAX,DWORD PTR [EBP-008h]     ; X not needed: the keygen already has the name
 CALL   00403BC4                     ; this call gets our name length; X not needed either (lstrlen does it)
 TEST   EAX,EAX                      ; test the length; X no need to check the length again
 JLE    00447370                     ; jump if less or equal; X no need to jump
 MOV    EDX,000000001h               ; EDX = 1 <= from here I can see it's a counter (1-based index)
 MOV    ECX,DWORD PTR [EBP-008h]     ; ECX = pointer to our fake name
 MOVZX  ECX,BYTE PTR [EDX+ECX-001h]  ; ECX = one char of our name
 ADD    ESI,ECX                      ; ESI = ESI + char value
 INC    EDX                          ; increase the counter by 1 (next char of our name)
 DEC    EAX                          ; EAX = remaining name length - 1
 JNZ    00447362                     ; has the counter finished? (all name chars summed?)
 MOV    DWORD PTR [EBP-014h],ESI     ; ESI moves to memory (in ebp-014)
 FILD   DWORD PTR [EBP-014h]         ; loads the integer onto the FPU stack
 CALL   004029C8                     ; EAX = ESI; replace the call with a plain MOV EAX,ESI
 MOV    EDX,EAX                      ; EDX = EAX
 SHL    EAX,007h                     ; EAX = EAX << 07h
 ADD    EAX,EDX                      ; EAX = EAX + EDX
 MOV    ESI,EAX                      ; ESI = EAX
 CMP    ESI,DWORD PTR [EBP-004h]     ; compare our real serial (ESI) with EBP-004; X not needed, we display ESI instead

Let us now rip everything into valid code in our win32asm file:
 
invoke lstrlen, addr Entered            ; EAX = length of the name typed into the keygen dialog
XOR       ESI,ESI                       ; ESI = running sum of the characters
TEST      EAX,EAX
JLE       done                          ; empty name: nothing to sum (mirrors the JLE in the target)
MOV       EDX,00000001                  ; EDX = 1-based index into the name
loop1:
MOVZX     ECX,BYTE PTR [Entered+EDX-01] ; ECX = one char of the name (zero-extended)
ADD       ESI,ECX                       ; ESI = ESI + char value
INC       EDX                           ; next char
DEC       EAX                           ; one fewer char to go
JNZ       loop1
MOV       EAX,ESI                       ; the target's CALL 004029C8 reduced to EAX = ESI
MOV       EDX,EAX
SHL       EAX,07                        ; sum * 128
ADD       EAX,EDX                       ; + sum = sum * 129
MOV       ESI,EAX                       ; ESI = the serial
done:
invoke wsprintf, addr MyS, addr ToDecimal, esi   ; ToDecimal is a "%lu" style format string (assumed); MyS receives the serial as text
invoke SetDlgItemText, hwnd, 107, addr MyS       ; show it in control 107 of the keygen dialog

No need to add the whole asm file, because everyone has their own style of writing asm code, so I will leave you
only with the ready algo.
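To make the weakness concrete, here is an added example (it is not the tutorial's own code and not LightTek's) that writes out the scheme the two listings above show, so its properties can be measured rather than eyeballed: the check depends only on the byte sum of the name, so every rearrangement of a name, and many unrelated names with the same sum, are accepted with one and the same code. Next to it sits the kind of check that cannot be rebuilt from reading the loop, a keyed MAC over the name, with the caveat that the key must live on the vendor side. The names, the vendor secret and the codes are constructed values; `weak_serial`, `collisions` and `keyed_serial` are names chosen here.

```python
import hmac
import hashlib

# Added example, not the tutorial's or the program's own code. It writes out
# the serial scheme the disassembly shows (byte sum of the name times 129) so
# its weakness can be measured, beside a keyed scheme of the kind a vendor
# should use instead. All names, secrets and codes below are constructed.

MASK32 = 0xFFFFFFFF  # the loop works in 32-bit registers


def weak_serial(name: str) -> int:
    """The value left in ESI at 00447387: the sum of the name's bytes
    (the ADD ESI,ECX loop), then (sum << 7) + sum, i.e. sum * 129,
    kept to 32 bits like the register arithmetic."""
    total = sum(name.encode("latin-1")) & MASK32   # ADD ESI,ECX over every char
    return ((total << 7) + total) & MASK32         # SHL EAX,7 ; ADD EAX,EDX


def weak_check(name: str, code: str) -> bool:
    """The CMP ESI,[EBP-4]: the typed code, read as a decimal integer,
    must equal the computed serial. Non-numeric input simply fails."""
    try:
        entered = int(code.strip())
    except ValueError:
        return False
    return weak_serial(name) == entered


def collisions(names):
    """Group names that are accepted with the same code. The serial depends
    only on the byte sum, so every permutation of a name, and any unrelated
    string with the same sum, collide: one leaked pair unlocks all of them."""
    groups = {}
    for n in names:
        groups.setdefault(weak_serial(n), []).append(n)
    return {k: v for k, v in groups.items() if len(v) > 1}


def keyed_serial(secret: bytes, name: str) -> str:
    """What defeats the 'read the loop, write the keygen' approach: the code
    is an HMAC over the name under a vendor secret, so no arithmetic on the
    name alone reproduces it. The secret must stay on the vendor side (a key
    embedded in the client would just be read out of the binary); a shipping
    product uses a public-key signature that the client verifies with only
    the public key, which this HMAC stands in for."""
    mac = hmac.new(secret, name.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]  # 64-bit code, comfortably typed by a user


def keyed_check(secret: bytes, name: str, code: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing by timing."""
    return hmac.compare_digest(keyed_serial(secret, name), code.strip().lower())


if __name__ == "__main__":
    # The tutorial's own name gives 95202 = 0x173E2, as SoftICE showed.
    print(weak_serial("bengaly"), hex(weak_serial("bengaly")))
    print(collisions(["bengaly", "ybengal", "galbeny", "alice", "bob"]))
    secret = b"constructed-vendor-secret"
    print(keyed_serial(secret, "bengaly") == keyed_serial(secret, "ybengal"))
```

The 32-bit masking is what the real loop does implicitly; it only matters for very long names, but a reimplementation that forgets it would disagree with the binary there. The point of the keyed half is not the HMAC itself but where the secret lives: a check is only as strong as the part of it the client cannot see.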

Job Done.
 
Oh And..

Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will continue to produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.

If you're looking for cracks or serial numbers then you're wasting your time, try searching elsewhere on the Web under Warez, Cracks and etc.

+SandMan...
 
Greetings

I would like to say thank you to all who have supported me and helped me through my cracking days:
 
 
+ORC
For his Great Essays And Skills
+SandMan
For his awesome Tutorials
CoDe_InSiDe
For Helping Me in Cracking & Hosting
FusS
For Helping Me in Win32Asm
Muad`D1b
For Helping Me in Win32Asm
gogamoga
For helping me in Win32Asm