Task 3, Q. 2 and 3 calculation and compare Saturday, 06-Feb-99 12:47:45
The serial generation for our name "Pirate Copy". "Pirate copy" will generate a different serial (remember the number is dependent upon the case of the "Name"). There is a lot of manipulation of the name, and our name in the real sense is only used at the beginning. After that we will not be able to recognize it if we get lost, so I have detailed the description below rather heavily.

The key is generated from the name in two steps. First it is converted to 00, 01 strings which are multiplied, moved around and manipulated in a long process. Second, these strings are converted by dividing and manipulating them to produce the hex code for our serial key. I have not commented on the individual loops as they are short and you should be able to follow them. It may be helpful to print out the listing from 4093B2 to 4095A6 (about 4 pages) and 41C136 to 41C14C. This will make it easier to follow. So here goes.

First loop is at 4093B2 - 4093C9:

    :004093BB 8A0401    mov al, byte ptr [ecx+eax]         <== Our name "Pirate Copy" is moved letter by letter
    :004093C5 30441DB6  xor byte ptr [ebp+ebx-4A], al      <== This is where it is stored

This is looped the whole length of our input name. However, after 8 times it starts to over-write itself. Therefore loop 1-8 will put "Pirate C" into [ebp+ebx-4A]. Now 4093C2 will cause ebx to become 0 (and ebx 00000007) and start to over-write the name. It will take the value of the next letter (o = 6F) and xor it with the value of the first location (P = 50) and put the new value 3F at the first location. The next letter is manipulated like this with the second letter, etc.

And so we have at [ebp+ebx-4A]:

    3F 19 0B 61 74 65 20 43

(Notice the length is 8 bytes.)

Loop 2 is at 4093DD - 4093CF. Our name is made into 00 or 01 and stored:

    :004093EB 889C3DDDFEFFFF  mov byte ptr [ebp+edi-00000123], bl

Each letter is manipulated 8 times. So after 8 times the first letter, which was 3F, has become 01 01 01 01 01 01 00 00 at [ebp+edi-00000123]. Do it again with the 2nd letter, which becomes 01 00 00 01 01 00 00 00. The bytes are not overwritten but consecutive. When all the letters have been gone through we have:

    01 01 01 01 01 01 00 00 - 01 00 00 01 01 00 00 00
    01 01 00 01 00 00 00 00 - 01 00 00 00 00 01 01 00
    00 00 01 00 01 01 01 00 - 01 00 01 00 00 01 01 00
    00 00 00 00 00 01 00 00 - 01 01 00 00 00 00 01 00

At 409412 this is moved to [ebp-009B] <== This location is important, keep track of it.

    :0040940F 6A40  push 00000040
    :00409411 F3    repz
    :00409412 A5    movsd

Loop 3: Call 409153 moves these 40h bytes to [ebp 43]. At this call the bytes are shifted around according to what is at [edi+esi]:

    :0040917A 0FB60437  movzx eax, byte ptr [edi+esi]

The 7th location becomes the 1st, the 15th becomes the 2nd, the 23rd becomes the 3rd, etc., and the result is put in [ebp-009B]. Now we have:

    00 00 00 01 01 01 00 01 - 01 01 00 00 01 00 00 00
    01 00 00 00 01 01 00 00 - 01 01 01 01 00 01 00 01
    00 00 00 00 00 00 00 00 - 01 00 00 01 01 01 01 00
    01 01 01 00 00 00 00 00 - 01 00 01 00 00 00 00 01

Now this is moved to [ebp-37] and shifted around again at 40945D. So now we have:

    00 00 00 00 00 00 00 00 - 01 00 00 01 01 01 01 00
    01 01 01 00 00 00 00 00 - 01 00 01 00 00 00 01 01
    00 00 00 00 00 00 00 00 - 01 00 00 01 01 01 01 00
    01 01 01 00 00 00 00 00 - 01 00 01 00 00 00 01 01

Loop 4 is at 409482 - 4094A8. This changes the last two lines. Location [ebp-009B] now looks like this:

    00 00 00 00 00 00 00 00 - 01 00 00 01 01 01 01 00
    01 01 01 00 00 00 00 00 - 01 00 01 00 00 00 01 01
    01 01 00 01 00 01 00 00 - 01 01 01 01 01 00 00 00
    00 00 01 00 00 01 01 01 - 01 00 01 00 00 00 00 01

Some of the routines (loops) are nested within other loops. The program now jumps back to 4094F3 and runs the routines again several times to 4094AF. When all of the loops above are done, then we have at location [ebp-009B]:

    10 00 00 01 00 01 00 00 - 01 00 00 01 01 00 01 00
    00 01 00 00 00 01 00 00 - 00 01 01 01 00 00 00 00
    01 01 01 00 00 01 01 01 - 00 01 01 00 00 00 00 01
    01 00 00 00 01 01 01 00 - 00 00 00 00 00 01 01 00

4094BF now makes another call to 409153, 4091D5 again (each time it changes the 00, 01's). Finally we have at location [ebp-009B]:

    01 01 00 01 00 00 00 00 - 00 01 01 00 01 01 01 00
    00 00 00 01 01 01 00 01 - 01 00 01 00 00 00 00 01
    00 00 01 00 00 01 01 00 - 00 00 00 00 00 01 00 01

Now for the calculation part. We'll start with a new loop 1 at 409504 - 4095C1. This loop runs 4 times and every time picks up a byte at [ebp-009B] (byte 1; 2nd loop byte 2, etc.). 409509 picks up the byte. At the bottom of the loop dl will have a value (in this case 0D). At 40952C 37 is added to this value, giving us 44. Then comes the call at 41C136, where the 44 is stored at [ecx+eax]:

    :0041C149 881401  mov byte ptr [ecx+eax], dl

This is the first letter of our serial.

Now the second loop, 40953D - 409556. This loop also runs 4 times and picks up bytes 5, 6, 7 and 8. Now al = 30. At 409568 we again go to 41C136 and dl picks up the 30 and deposits it in our serial location. So the 2nd serial # = 0. Not done yet; jump back to 4094F5. Then the whole routine is done again and again until we have the full serial D06E1DA1260D6605 for "Pirate Copy". That is how we get our serial. Hope I haven't made any mistakes in my typing.

Now for the check if our serial is right. This takes place from 40B719 - 40B7A9 (this is not a loop):

    :0040B735 FF75E8      push [ebp-18]              <== the fake serial is pushed
    :0040B738 FF31        push dword ptr [ecx]       <== the real serial is pushed
    :0040B73A E881150000  call 0040CCC0              <== here it is checked

    :0040CCCE 8B4C2410  mov ecx, dword ptr [esp+10]  <== fake serial
    :0040CCD2 8B542414  mov edx, dword ptr [esp+14]  <== real serial

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0040CCF0(C)
    |
    :0040CCD6 8A01    mov al, byte ptr [ecx]         <== first # of fake serial
    :0040CCD8 3A02    cmp al, byte ptr [edx]         <== first # of real serial
    :0040CCDA 751E    jne 0040CCFA                   <== if wrong make eax 01 and return
    :0040CCDC 0AC0    or al, al
    :0040CCDE 7412    je 0040CCF2
    :0040CCE0 8A4101  mov al, byte ptr [ecx+01]      <== second # of fake serial
    :0040CCE3 3A4201  cmp al, byte ptr [edx+01]      <== second # of real serial
    :0040CCE6 7512    jne 0040CCFA                   <== if wrong make eax 01 and return
    :0040CCE8 83C102  add ecx, 00000002
    :0040CCEB 83C202  add edx, 00000002
    :0040CCEE 0AC0    or al, al
    :0040CCF0 75E4    jne 0040CCD6                   <== if right, loop and do it again till the whole serial is checked or until wrong

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0040CCDE(C)
    |
    :0040CCF2 33C0    xor eax, eax                   <== if serial right eax = 00
    :0040CCF4 5E      pop esi
    :0040CCF5 5B      pop ebx
    :0040CCF6 83C404  add esp, 00000004
    :0040CCF9 C3      ret

Princess
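Added example (not code from Princess or from the target program) that re-creates only the parts of the trace the post pins down with concrete values, so the hand-derived intermediate results can be checked mechanically: the xor-fold of the name into 8 bytes (loop 1), the expansion of each byte into eight 00/01 bytes (loop 2), the nibble-to-hex-digit step that writes the serial text at 41C149, and the early-exit compare at 0040CCC0 placed next to a constant-time check. The permutation and mixing loops in between (409153, 40945D, 409482 onward) are not reproduced because the post gives their outputs but not their tables. Assumptions, labelled in the comments: the bit strings are written least-significant bit first (inferred from 3F becoming 01 01 01 01 01 01 00 00), each group of four is read most-significant first and turned into a hex digit with 30h or 37h (inferred from 01 01 00 01 giving 0D and 44h), and all function names are mine. The `FINAL_BLOCK` bits are transcribed from the post's last [ebp-009B] dump.

```python
"""Check of the Project 6 serial trace: name folding, bit expansion,
nibble-to-hex output, and the early-exit compare routine."""
import hashlib
import hmac
from typing import List, Tuple


def fold_name(name: str) -> bytes:
    """Loop 1 (4093B2-4093C9): xor each letter into an 8-byte buffer,
    wrapping after 8 so 'o', 'p', 'y' fold into 'P', 'i', 'r'.
    The buffer starts zeroed (the post shows "Pirate C" after 8 letters).
    Case matters: 'c' (63h) and 'C' (43h) xor differently."""
    buf = bytearray(8)
    for i, ch in enumerate(name.encode("ascii")):
        buf[i % 8] ^= ch
    return bytes(buf)


def expand_bits(data: bytes) -> List[int]:
    """Loop 2 (4093DD onward): each byte becomes eight 00/01 bytes.
    Assumption: least-significant bit first, so 3F -> 01 01 01 01 01 01 00 00."""
    return [(b >> k) & 1 for b in data for k in range(8)]


def bits_to_serial(bits: List[int]) -> str:
    """Calculation loops (409504 onward): take four 00/01 bytes at a time and
    emit one ASCII hex digit, adding 30h for 0-9 or 37h for A-F (40952C).
    Assumption: the first of the four bits is the most significant."""
    out = []
    for i in range(0, len(bits) - len(bits) % 4, 4):
        v = (bits[i] << 3) | (bits[i + 1] << 2) | (bits[i + 2] << 1) | bits[i + 3]
        out.append(chr(v + 0x37) if v > 9 else chr(v + 0x30))
    return "".join(out)


# Transcribed from the post's final [ebp-009B] dump (first two rows, 32 bits).
FINAL_BLOCK = [int(t) for t in (
    "01 01 00 01 00 00 00 00 00 01 01 00 01 01 01 00 "
    "00 00 00 01 01 01 00 01 01 00 01 00 00 00 00 01").split()]


def early_exit_compare(fake: bytes, real: bytes) -> Tuple[int, int]:
    """Mirror of 0040CCD6-0040CCF9: both strings are NUL-terminated, compared
    two bytes per iteration, and the routine returns eax = 01 at the first
    mismatch or eax = 00 once the terminator is reached with everything equal.
    The second value returned is how many fake-serial bytes were read before
    returning, which is what a timing observer sees: it grows with the
    length of the correct prefix."""
    fake, real = fake + b"\0", real + b"\0"   # terminators, as in memory
    i = reads = 0
    while True:
        al = fake[i]; reads += 1                # mov al, [ecx]
        if al != real[i]:                        # cmp al, [edx] / jne
            return 1, reads
        if al == 0:                              # or al, al / je -> xor eax, eax
            return 0, reads
        al = fake[i + 1]; reads += 1            # mov al, [ecx+01]
        if al != real[i + 1]:                    # cmp al, [edx+01] / jne
            return 1, reads
        i += 2                                   # add ecx, 2 / add edx, 2
        if al == 0:                              # or al, al / jne loop
            return 0, reads


def hardened_check(candidate: bytes, expected_digest: bytes) -> bool:
    """Defender's alternative: compare a digest of the candidate against a
    stored digest of the real serial in constant time, so neither the plain
    serial sits in memory next to the candidate nor the compare reveals where
    the first wrong byte is. expected_digest is hashlib.sha256(real).digest()."""
    return hmac.compare_digest(hashlib.sha256(candidate).digest(), expected_digest)


if __name__ == "__main__":
    folded = fold_name("Pirate Copy")
    print(folded.hex().upper())                     # 3F190B6174652043
    print(" ".join("%02d" % b for b in expand_bits(folded)[:16]))
    print(bits_to_serial(FINAL_BLOCK))              # D06E1DA1
    real = b"D06E1DA1260D6605"
    print(early_exit_compare(b"X06E1DA1260D6605", real))   # (1, 1)
    print(early_exit_compare(b"D06EXDA1260D6605", real))   # (1, 5)
    print(early_exit_compare(real, real))                  # (0, 17)
    print(hardened_check(real, hashlib.sha256(real).digest()))
```

The three `early_exit_compare` calls show the property that makes the original routine both easy to locate in a listing and unsuitable as a security check: the number of bytes it reads before returning depends on how much of the candidate is already right. `hardened_check` keeps the result identical for any wrong input regardless of where the difference is.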
Princess: Princess' tread Project 6 (03-Feb-99 18:51:42)
Copyright © InsideTheWeb, Inc. 1997-1999
All rights reserved.