Jeff
"Sorry not a correct reg key"...FOUND!
Sun Nov 15 21:54:18 1998


Well,
having struggled as a cracker, I feel pretty good after
finding out some things that took me to certain conclusions and discoveries! This has been a blast!
But I gotta get a life! heheh


Question 3. If someone asked you to 'Patch' this program so that it became *FULLY* registered, then where
would you patch it? Explain why you think it's the 'best' place for the patch.

Okay
Here is Where I would patch this program and why:

If you followed my post about manipulating the registry, which will pretty much be my answer to question #5
(see question #5 for one way to unscramble the code),
then you will be able to follow what I will now try to explain...

Having found values set for certain letters of the alphabet in a constant format, I went back into W32Dasm and looked at some curious language that I had seen earlier in the week...

I've already posted some of what I found so I will skip that part.

But knowing that:
"ABCDEFGHIJKLMNOPQRSTUVWXYZ" ===
"IJKLMNO@ABCDEFGXYZ[\]^_PQR"

Note: T is a backslash; this board will not display a backslash...
Also note that lower case is slightly different from upper case and is not shown here.

Also The Sandman has brought it to my attention that a person with a name like

DC90021...

would need just a bit more work on the code sequence started...

Anyone see how this can be done? *grin*

Anyway; I blabber...

I went into W32Dasm, brought up Search/Find and typed in:

[gzzq fg| i kgzzmk| zmo cmq

Translated=

Sorry not a correct reg key

THIS IS ONE OF THE MISSING STRINGS WE WERE LOOKING FOR!!!

This brought me to here. Do you see the scrambled code at the Possible StringData Ref line?

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045C034(C)
|
:0045C28B 6A00 push 00000000
:0045C28D 8D55EC lea edx, dword ptr [ebp-14]

* Possible StringData Ref from Code Obj ->"[gzzq(fg|(i(kgzzmk|(zmo(cmq"
"Sorry not a correct reg key"

:0045C290 B870C54500 mov eax, 0045C570
:0045C295 E83A1A0000 call 0045DCD4
:0045C29A 8B45EC mov eax, dword ptr [ebp-14]
:0045C29D 668B0DB4C34500 mov cx, word ptr [0045C3B4]
:0045C2A4 B201 mov dl, 01
:0045C2A6 E8BDFDFDFF call 0043C068
:0045C2AB 8B45FC mov eax, dword ptr [ebp-04]
:0045C2AE C7805001000002000000 mov dword ptr [ebx+00000150], 00000002
:0045C2B8 803DEC6ED40000 cmp byte ptr [00D46EEC], 00
:0045C2BF 0F859F000000 jne 0045C364


This area was referenced by a conditional jump @ 0045C034...

So I went there by typing 0045C034 into Search & Find.
It brought me to here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045BFEB(C)
|
:0045C02A 8B45FC mov eax, dword ptr [ebp-04]
:0045C02D E8E6F8FFFF call 0045B918
:0045C032 3C01 cmp al, 01
:0045C034 0F8551020000 jne 0045C28B
:0045C03A B201 mov dl, 01
:0045C03C A1E0C34300 mov eax, dword ptr [0043C3E0]
:0045C041 E82E05FEFF call 0043C574

Change the jne @ 0045C034 (0F8551020000, jne 0045C28B) to 84 to enable "always jump good or bad..."

This is done by typing:

e 0045c034 in the Ice input window;
the cursor will jump to the data window and you can type over the 85 in (0F8551020000) with the numeral 84;
press Enter;
hit F10 to execute
(?) I don't know... I do it that way... straighten me out, guys...

bc * <-- clear breakpoints (type bd 00 instead if you are coming back in for some reason, e.g. this change did not work for you...)
then x;

Program reged; Thank you for reg...

Now I must be truthful and say that I did not arrive here by any Zen; I must have changed every jump in the program this last week, and I did find one that did register it that was NOT the above jump; but I forgot to bd 00 so that I could go back in and see what I had done, and after filling a notebook, I did not write that 'one' down!!! So I lost it and have not found it again.
But after seeing the code broken above, I knew or felt that the conditional jump above was a "good cracker" location to change... if it worked... heheh
It did.



Question 4. This program uses a 'simple' XOR method to 'encrypt' the registration code before it saves this to the
System Registry file. Locate and identify the small routine that performs the task of 'encrypting' the User's Name.
(There are plenty of clues on this forum..)


Snipped from halifax___________________________________
The code area for this function was located at:

:0045C02D E8E6F8FFFF call 0045B918

If you follow 45b918 to 45b9c4 (in W32Dasm), you will come across the XORs

:0045B99E 81F389000000 xor ebx, 00000089 <-- XOR sum with 89
:0045B9A4 83F333 xor ebx, 00000033 <-- XOR new sum with 33
:0045B9A7 43 inc ebx <-- add 1 to sum
:0045B9A8 8D55F8 lea edx, dword ptr [ebp-08]
:0045B9AB 8B8610020000 mov eax, dword ptr [esi+00000210]
:0045B9B1 E8D23FFCFF call 0041F988
:0045B9B6 8B45F8 mov eax, dword ptr [ebp-08]
:0045B9B9 E876BAFAFF call 00407434
:0045B9BE 3BD8 cmp ebx, eax <-- ebx is name hex sum, eax is regcode in hex
:0045B9C0 7504 jne 0045B9C6 <-- if different, bye cracker
:0045B9C2 B301 mov bl, 01 <-- otherwise, reg this babe
:0045B9C4 EB02 jmp 0045B9C8

I do follow most of this, though I doubt I could fill in the explanations of the line numbers as completely.
I also, for some reason, although I saw the procedure building my name, had a problem getting a correct key value; using the MS calculator worked for me, but the above code kept giving me a different value that did NOT reg...?

I did find this code where my name was being changed or converted (built), here...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045B99C(C)
|
:0045B983 8B55FC mov edx, dword ptr [ebp-04]
:0045B986 8A5402FF mov dl, byte ptr [edx+eax-01]
:0045B98A 80FA20 cmp dl, 20
:0045B98D 740B je 0045B99A
:0045B98F 8B4DFC mov ecx, dword ptr [ebp-04]
:0045B992 81E2FF000000 and edx, 000000FF
:0045B998 03DA add ebx, edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045B98D(C)
|
:0045B99A 40 inc eax
:0045B99B 4F dec edi
:0045B99C 75E5 jne 0045B983


Question 5. (Optional)
Explain how we can extract the 'key' to what letters & symbols the program assigns to the User's Name when it
saves this to the System Registry file. Once we have this 'key' we can write our own serial/registration codes
directly to the System Registry file WITHOUT even going through the program itself! (hint) If you can complete
question three, then this question follows on from it.


Okay, this one I'll paste in from my Reg manipulations post.
This will also explain how I unscrambled the code for question #1 above.



For those that have already accomplished the first part of the project,
you now know that by witnessing RegMon's search and seek for a file called HKCU\Software\Noktasoftware\
UninstallManager\Reg <<<--- the Reg file is 'not found'.

For those who have not gone into Regedit before:

By opening Regedit and opening the above directories until you get to the UninstallManager folder, you see this
data inside the UninstallManager folder:

ab [Default] [value not set]
ab Path "C:\UM"

Now by right-clicking in the left panel area, you will get a 'New' option
with 4 additional options to choose from.

Key

String value
Binary value
Dword value

Choose string value:
A new line will be added; looks like this:

ab New Value #1 ""


While it is still highlighted, click inside the box and delete the words New Value #1, then retype the new name that it
needs... Reg <<---

Now this new Reg file is what RegMon was looking for and did not find; but there is no value in it as yet. How
can we find this?

One way is to browse through W32Dasm, find some interesting jumps, pop into Ice, and hope the jump change regs this
program for you. Then of course the data will be automatically filled in.

Without the two KEY letters that remain constant at the beginning of the data key, I would never have come across an
interesting (for me) finding.

I had changed a jump (later for that line #) and the program reged. YEA!
I noticed that my Reg file (in the registry) now looked like this:

ab Reg "I@Bi{" <<<- Jas, my user name.


Thinking that if I entered the same info that I had once before entered into the User and Key box, it
would once again be reged... I typed
"Bi{"
into the Reg file in the registry... I tried it.
Did not work. Great.

So I once again HAD to go back into Ice and find that jump (*grin; is it one or two?*), and once again it said it
was reged and created this in my Registry Reg file:



This time I chose a different yet similar name:

ab Reg "I@Bi{eif" <<<--- jasman

Where is the pattern...

Well, first:
it always begins with I@;
I@ turns out to be (I think anyway) the author's initials.

Notice above where my entry did not work... it is because I forgot to include the "I@" <<- this is not shown in the
'About' box when your name is added behind it.

This (accidental reging) is how I found this out, and more.

Seeing that Bi{ = Jas <<<- notice the upper case and lower case;



AND that ab Reg "I@Bi{eif" <<<--- jasman... BOTH continued to receive a 'constant' value for the 'jas', I knew at
this point that the code would not be randomly chosen.

So, I did a switch. I right-clicked on the Reg file, clicked on 'Modify' and erased Bi{ from the data box;
I then typed Jas into the data box
and hit OKAY.

Now my Reg file looks like this:

ab Reg "I@Jas"

Now go back and open the program;
click on Help > About (30 day nag screen still present on mine), click OK, and you see this in the Noktasoftware
box...

This product is licensed to: Bi{

I then went back into the registry and tried this same thing with several different names, and I kept accumulating more code
for each new letter I put into a new name, comparing them to make sure they were 'constants'... and then it
occurred to me... I kept remembering a hint that the Sandman had given me that I did not follow at the time...
BUT I now SAW it (are you *grinning*, Sandman?),
and so I did this...

Clicking on the Modify option, I now filled the data in with this:

ab Reg "I@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
I then went and opened the program and now in my About box I saw this:

This product is licensed to: IJKLMNO@ABCDEFGXYZ[\]^_PQR

De code; De code:


plain: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
code:  I J K L M N O @ A B C D E F G X Y Z [ \ ] ^ _ P Q R

I now had all the info I needed to reg my name in the About box in full caps... or your name.

J=B
A=I
S=[

ab Reg "I@BI["

This product is licensed to: JAS

:) :)

Slightly different from my input earlier; hmmm; oh yes, these are all caps; may have to do it all over again for
LOWER case letters (?)

As you can also see, extrapolating from the code above:
I@ = AH = the author's initials...


We must GET RID of that irritating 30 day nag screen also!

I have MANY times seen this string in W32Dasm: "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
AND ALSO in lower case... does this mean that this info above might work in other programs?

Hope this has been informative;

Jeff