
Reverse Engineering Lab

+=widY@cL 2011=+

from newbie to another

Tools : W32dasm 8.93 - Softice 3.24

MP3 Explorer 2.3.0 Key Generator

Project Info : Release 10th - 03 April 1999

Author : Pierre LEVY
Homepage : http://ourworld.compuserve.com/homepages/pierre_levy/

The Essay
Go to the registration dialog and we're asked to enter :

E-mail address    :
Registration key :

Enter Pirate Copy as ' E-mail address ' and 0101010 as Registration key ... #bOOm# ... a bad message pops up : " Registration info are not correct ! Please try again. " As you wish ! ... disassemble mp3 explorer.exe, double click on the bad message text in the SDR (string data references) window and we land here :

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00401964(C) 

* Possible Reference to String Resource ID=00154: "Registration info are not correct ! Please try again."

let's check this referenced address ... aah here it is :

0040195D E8DE510000 call 00406B40 ; heh .. looks like a call to the key checking routine !
00401962 85C0 test eax, eax ; ANDs eax with itself : sets the zero flag if eax=0
00401964 0F8485000000 je 004019EF ; jump to hell (the bad message) if the zero flag is set

Notes:
If we entered the correct code then we return from the call with eax=1 -> 1 AND 1 gives 1 -> zero flag not set -> no jump
If we entered the wrong   code then we return from the call with eax=0 -> 0 AND 0 gives 0 -> zero flag is set  -> jump to the bad message

Now leave W32dasm at once ... enter the reg dialog again .. put in our entry .. enter sice .. set BPX GetWindowTextA (our trap) .. hit [OK] .. bOOm .. press F11 once to get back to the caller .. aah we're in mp3explorer code now .. set BPX 00406B40 ... X [ENTER] .. bOOm ... keep tracing ... snip ... snip .. snip ..  AHA ! :

00406B92 8B7AF8 mov edi,   [edx-08] ; copy the name length to edi
00406B95 83FF04 cmp edi, 04 ; compare the name length with 4
00406B98 7D35 jge 00406BCF ; minimal name length is 4 !
00406BCF 85FF test edi, edi ; ANDs edi with itself : sets the zero flag if edi=0
00406BD1 7E18 jle 00406BEB ; if the length is <= 0 then beggar off (skip the loop)
00406BD3 8B442420 mov eax, [esp+20] ; copy the pointer to the name into eax
00406BD7 0FBE0C06 movsx ecx, byte ptr [eax+esi] ; sign-extend one char of the name (index esi) into ecx
00406BDB 51 push ecx ; pass the char as argument to the next call
00406BDC E82F130100 call 00417F10 ; this call converts lowercase to uppercase (the result in eax)
; it also tells us that upper and lower case in the name make no difference
00406BE1 83C404 add esp, 04 ; correct the stack
00406BE4 03E8 add ebp, eax ; ebp=ebp+eax (the running sum of this loop is kept in ebp)
00406BE6 46 inc esi ; esi=esi+1
00406BE7 3BF7 cmp esi, edi ; are we done ?!
00406BE9 7CE8 jl 00406BD3 ; no ? then loop again
00406BEB 8B4C240C mov ecx, [esp+0C] ; ecx=18A92h=101010   (our dummy code)
00406BEF BAC0D40100 mov edx, 0001D4C0 ; edx=1D4C0h (a constant value chosen by Pierre)
00406BF4 2BD5 sub edx, ebp ; edx=edx-ebp
That was it ! .. a very simple algorithm ! edx now holds the correct registration code .. now take a look at the next instructions ...
00406BF6 33C0 xor eax, eax ; zero eax
00406BF8 3BCA cmp ecx, edx ; compare the dummy code with the correct code
; the zero flag is set (Z=1) if and only if ecx = edx
00406BFA 8D4C2420 lea ecx, [esp+20] ;
00406BFE 0F94C0 sete al ; sete is the same as setz : al = 1 if equal (Z=1), else al = 0
; if we entered the correct code then al is set to 1, otherwise al / eax stays zero
00406C01 8BF0 mov esi, eax ; in this case esi = eax = 0 (because we entered the wrong code)
00406C22 8BC6 mov eax, esi ; eax = esi = 0 ... we return from this call with eax=0 !!
But as you can see, if we had entered the correct code we would return from the call with eax=1.
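The routine above, modelled in Python as an added example (this is not code from the essay or from MP3 Explorer): it recomputes what the call at 00406B40 checks and then shows why a byte-sum key is weak, since reordering or recasing a name yields exactly the same key. The upper-casing rule (C toupper on 'a'..'z' only) and the decimal parsing of the typed key are assumptions, because the listing does not show those helper routines.

```python
# Added example (not the essay's own code): a Python model of the key check
# done by the routine at 00406B40, taken from the disassembly above.
# Its point is defensive: the key is a fixed constant minus a plain byte sum,
# so it is trivially invertible and many different names share one key.
# Assumption: the upper-casing at 00417F10 behaves like C toupper() in the
# "C" locale (only 'a'..'z' change) and the entered key is parsed as a
# decimal number; the essay does not show either helper.

MAGIC = 0x1D4C0      # edx at 00406BEF (120000 decimal)
MIN_NAME_LEN = 4     # cmp edi,04 / jge at 00406B95


def name_sum(name: str) -> int:
    """ebp after the loop at 00406BD3..00406BE9: the sum of the name's
    upper-cased bytes, each sign-extended like movsx ecx, byte ptr [eax+esi]."""
    total = 0
    for b in name.encode("latin-1"):           # one byte per character
        if 0x61 <= b <= 0x7A:                  # 'a'..'z' -> 'A'..'Z'
            b -= 0x20
        if b >= 0x80:                          # movsx: bytes >= 0x80 come out negative
            b -= 0x100
        total += b
    return total


def expected_key(name: str) -> int:
    """edx after sub edx, ebp at 00406BF4."""
    return MAGIC - name_sum(name)


def check_registration(name: str, key_text: str) -> bool:
    """Model of 00406B92..00406C22: names shorter than 4 fail, otherwise the
    typed key (read as decimal, so leading zeros are harmless) must equal
    MAGIC - name_sum(name)."""
    if len(name) < MIN_NAME_LEN:
        return False
    try:
        entered = int(key_text, 10)
    except ValueError:
        return False
    return entered == expected_key(name)


def collision_classes(names):
    """Group names that validate with the very same key: a quick measure of
    how weakly the key is bound to the name (order and case are ignored)."""
    groups = {}
    for n in names:
        groups.setdefault(expected_key(n), []).append(n)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    # constructed sample names, not taken from the essay
    sample = ["ABCD", "DCBA", "abcd", "ABCE"]
    for n in sample:
        print(f"{n!r:8} -> {expected_key(n)}")
    print("names sharing a key:", collision_classes(sample))
```

Running the block shows that "ABCD", "DCBA" and "abcd" all map to one key, which is the practical lesson for anyone designing a licence check: a key derived from an order-insensitive, case-insensitive sum carries almost no information about the name, and the constant it is subtracted from sits in plain sight in the binary.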

Heii .. are you thinking something ?! ... yep, we can have more fun here ! .. in this case (a weak protection scheme) we can also modify (patch) the code so we always return from the call with eax=1 ... here are some variations :

- 00406BFE  0F94C0  sete al  CHANGE TO  0F95C0  setne al  (set if not zero)
  now you can enter any entry to make it registered ... BUT ... please don't enter the correct code !

  OR

- 00406C22  8BC6  mov eax, esi  CHANGE TO  B001  mov al, 1
  with this method we'll always be a good buyer no matter what we entered

And on successful registration the program stores the license data in mp3 explorer.ini, located in the windows directory.

[User settings]
RegisteredEmail=Pirate Copy
RegistrationKey=???

Well .. hope there's something you can learn from this tut ... wait for my next project ! ..


Source code
// written in BC++ 5.2
// compile with bcc name.cpp or bcc32 name.cpp

#include <iostream.h>
#include <stdio.h>
#include <conio.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>   // strlen, strcspn

void main()
{
   char name[255];
   int eax;                    // upper-cased char of the current iteration
   int esi=0,ebp=0,edi;        // esi = index, ebp = running sum, edi = name length

   clrscr();
   cout << " Keygenerator for MP3 Explorer 230 bY widY@cL 2011\n";
   cout << " Copyright (C) wOrLd cRaCkinG linK '99\n\n";
   cout << " Enter name (minimal 4 char) : ";
   fgets(name, sizeof(name), stdin);       // gets() has no bounds check
   name[strcspn(name, "\r\n")] = '\0';     // drop the trailing newline

   edi=strlen(name);
   if (edi < 4) exit(0);                   // same rule as cmp edi,04 / jge

   // the loop at 00406BD3 : ebp = sum of the upper-cased chars
   // (signed char cast mimics movsx, toupper wants an unsigned value)
   while (esi < edi)
   {
      eax=(signed char)toupper((unsigned char)name[esi]);
      ebp=ebp+eax;
      esi++;
   }

   // 00406BEF..00406BF4 : key = 1D4C0h - ebp
   cout << " Registration key             : " << (0x1D4C0 - ebp) << endl;
   getch();
}
Final Notes
let me know if you have any comments / suggestions / criticism (dot)