Win32 Code Reversing
Program Name: BlowFish v2.2
Program Type: Encryption Utility
Program Location: [ here ]
Program Size: 253 kb
Tools:
W32Dasm - Win'95/98 Disassembler
SoftICE v4.x - Debugger
Hex Editor - Any (optional)
"A Crack will never die as long as the Cracker still lives"
Cracking A Win32 Web Utility ('Simple Protection, Simple Sniff Out')
Written by Bengaly
BlowFish 2000 is a small, easy to use file encryption utility. Simply drag and drop files and folders to quickly protect your sensitive documents, then enter an encryption key to encode and decode the files you want to protect from prying eyes. You can also select files to be encrypted with the MS Windows Explorer right-click method.
Drag and Drop Files
Files and folders can be quickly selected for encryption and decoding by simply dragging them to the desired file list windows.
MS Windows Explorer Encryption
Files can also be quickly encrypted and decoded directly from the MS Windows File Explorer. Simply select the files to be processed, then right-click your mouse to display a pop-up context menu and choose either Encrypt with BlowFish or Decrypt with BlowFish on the Send To menu.
About this protection
This program is registered by selecting the 'Help' button, then the 'Register' button. The dialog asks for three things:
User name:
Organization:
Registration:
On successful registration the program saves the name, organization and serial in the registry under:
HKEY_CURRENT_USER\Software\Software By Design\BlowFish 2000\Registration
For the values used in this essay that is:
Name: Bengaly
Organization: ThunderCats
Code: 3404118051  <-- this one is generated by the program from the name and organization;
                      it is the 32-bit value CAE6B823h written out in decimal.
If you want to use this software, please buy it; it costs $25. The program is very good, please support it!
Hello and welcome to my 28th tutorial.
Software By Design has a lot of software on their page that uses the same protection; only the serial generator differs from program to program. Not so hard to keygen either.
OK, so let us begin this essay.
Run BlowFish and go to Help->Register. We see the boxes we need to fill out, so let's fill them:
User Name: Bengaly
Organization: ThunderCats
Registration: 1234567890
Now we open SoftICE in order to trace the whole thing.
Pop up SoftICE (CTRL+D) and type:
BPX GETDLGITEMTEXTA
Leave SoftICE again with F5, X, or CTRL+D.
Click the OK button and SoftICE pops. Once we are back in the program's own code, just after the call to GetDlgItemTextA, the registers and code look like this:
EAX=00000007 EBX=00000032 ECX=80008790 EDX=80008DE0 ESI=0042A3D0
EDI=0042A402 EBP=00000F3C ESP=0066F7E0 EIP=004106A1 o d I S z a P c
CS=0177 DS=017F SS=017F ES=017F FS=12D7 GS=0000
======================================================================PROT32
0177:0041069B CALL [USER32!GetDlgItemTextA]
0177:004106A1 POP  EDI                    ; we land here
0177:004106A2 POP  ESI
0177:004106A3 MOV  EAX,00000001
0177:004106A8 POP  EBX
0177:004106A9 RET
0177:004106AA NOP
0177:004106AB NOP
0177:004106AC NOP
0177:004106AD NOP
===============================================================================
Hmm, this is odd: only a few POPs, a MOV EAX,1 (this little routine always returns 1) and a RET. Note that EAX was 7 when we landed, which is the length of "Bengaly", so GetDlgItemTextA has just fetched the user name. There is nothing to do here; this is only a wrapper around GetDlgItemTextA, and what we want is its caller.
Press F10 until you step over the RET, and you are back in the caller, in this piece of code:
0177:00408A12 CALL 00410670             ; wrapper -> GetDlgItemTextA: user name -> [ESI]
0177:00408A17 LEA  EDI,[ESI+32]         ; EDI = buffer for the organization (at ESI+32h)
0177:00408A1A PUSH 32                   ; max length 32h
0177:00408A1C PUSH EDI                  ; buffer
0177:00408A1D PUSH 66                   ; dialog item ID 66h (the Organization box)
0177:00408A1F PUSH EBP                  ; hDlg
0177:00408A20 CALL 00410670             ; wrapper -> GetDlgItemTextA
0177:00408A25 LEA  EAX,[ESP+30]         ; EAX = stack buffer for the Registration box
0177:00408A29 PUSH 00000100             ; max length 100h (256 chars)
0177:00408A2E PUSH EAX                  ; buffer
0177:00408A2F PUSH 67                   ; dialog item ID 67h (the Registration box)
0177:00408A31 PUSH EBP                  ; hDlg
0177:00408A32 CALL 00410670             ; wrapper -> GetDlgItemTextA
0177:00408A37 LEA  ECX,[ESP+40]         ; ECX -> the serial we typed (same buffer; ESP moved by 10h)
0177:00408A3B PUSH ECX
0177:00408A3C CALL 00411AF5             ; text -> 32-bit number (atol-like); EAX = fake serial
0177:00408A41 PUSH ESI                  ; name (organization follows at ESI+32h)
0177:00408A42 MOV  EBX,EAX              ; EBX = fake serial
0177:00408A44 CALL 00410600             ; some value computed from the name
0177:00408A49 ADD  ESP,38               ; clean the arguments of the calls above off the stack
0177:00408A4C CMP  EAX,0119A792         ; compare with a first constant
0177:00408A51 JNZ  00408A6B             ; not equal: jump <---|
0177:00408A53 MOV  EBX,[KERNEL32!lstrcpy]                      |
0177:00408A59 PUSH 0041CD4C                                    |
0177:00408A5E PUSH ESI                                         |
0177:00408A5F CALL EBX                  ; replace the name     |
0177:00408A61 PUSH 0041CD3C                                    |
0177:00408A66 PUSH EDI                                         |
0177:00408A67 CALL EBX                  ; replace the organization |
0177:00408A69 JMP  00408A72                                    |
0177:00408A6B CMP  EAX,0D5FCE3C         ; we land here <-------|  second constant
0177:00408A70 JNZ  00408A7E             ; not equal: jump <---|
0177:00408A72 PUSH EDI                                         |
0177:00408A73 PUSH ESI                                         |
0177:00408A74 CALL 00410030                                    |
0177:00408A79 ADD  ESP,08                                      |
0177:00408A7C MOV  EBX,EAX              ; EBX = generated serial |
0177:00408A7E PUSH EDI                  ; we land here <-------|  organization
0177:00408A7F PUSH ESI                  ; name
0177:00408A80 CALL 00410030             ; the serial generator: EAX = real serial
0177:00408A85 ADD  ESP,08               ; clean the two arguments off the stack
0177:00408A88 CMP  EBX,EAX              ; fake serial vs real serial
0177:00408A8A POP  EDI
0177:00408A8B JZ   00408AAA             ; equal: jump to the 'registered' code
Not so hard to understand: you end up right where the fake serial is compared with the generated one. Two things are worth noting on the way. The call at 00408A3C turns the text from the Registration box into a 32-bit number, so what gets compared is a number, not a string. And the compares against 0119A792 and 0D5FCE3C only select a special path: when the value computed from the name at 00408A44 equals one of them, the program (after, in the first case, replacing name and organization with fixed strings via lstrcpy) loads EBX from the same generator that fills EAX, so whatever you typed no longer matters. With our name neither constant matched, and we landed at 00408A7E.
While sitting on the CMP at 00408A88, type '? EAX' and '? EBX' and you see the compare:
? EBX = 1234567890 (fake serial, the number we typed)
? EAX = 3404118051 (real serial)
We use '?' here rather than 'd' because the serial is held as a number in a register, not as a string in memory: 'd' would only dump bytes, while '?' evaluates the register and prints its value in hex and in decimal. The decimal form is the one to type into the Registration box.
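As an added example (it is not part of this essay nor code from the program), here is a Python model of the check the listing shows: fetch the three boxes, turn the Registration text into a 32-bit number, compute a 32-bit value from name and organization, compare. The generator `serial_for()` is a hypothetical stand-in for the routine at 00410030, whose algorithm the essay never recovers (it only sniffs the result out of EAX); the point is the shape of the check and why '? EAX' at the CMP hands you a working serial in decimal.

```python
# Added example: model of the BlowFish 2000 registration check as it reads
# from the SoftICE listing.  The control flow is the program's; serial_for()
# is a HYPOTHETICAL substitute for CALL 00410030, whose algorithm is unknown.

MASK32 = 0xFFFFFFFF


def atol32(s: str) -> int:
    """C atol() semantics on a 32-bit build: skip leading blanks, optional
    sign, stop at the first non-digit, result truncated to an unsigned 32-bit
    register value.  This is what the CALL at 00408A3C does to the text of the
    Registration box: '1234567890' becomes EBX = 499602D2h."""
    i, n, sign = 0, len(s), 1
    while i < n and s[i] in " \t\r\n\v\f":
        i += 1
    if i < n and s[i] in "+-":
        sign = -1 if s[i] == "-" else 1
        i += 1
    value = 0
    while i < n and "0" <= s[i] <= "9":
        value = value * 10 + (ord(s[i]) - ord("0"))
        i += 1
    return (sign * value) & MASK32


def serial_for(name: str, org: str) -> int:
    """HYPOTHETICAL generator standing in for the routine at 00410030.
    The real one is not recovered in the essay; any 32-bit function of
    (name, organization) gives the model the right shape."""
    h = 0x1505
    for b in (name + "\0" + org).encode("latin-1", "replace"):
        h = ((h * 33) ^ b) & MASK32
    return h


def registration_ok(name: str, org: str, registration: str) -> bool:
    """Mirror of 00408A3C..00408A8B: EBX = atol(typed serial),
    EAX = generator(name, org); the JZ is taken only when they are equal."""
    ebx = atol32(registration)      # fake serial
    eax = serial_for(name, org)     # real serial
    return ebx == eax


def keygen(name: str, org: str) -> str:
    """What a keygen prints: the real serial in decimal, exactly the number
    '? EAX' shows at the CMP.  Typing it makes atol32() reproduce EAX."""
    return str(serial_for(name, org))


def as_hex(serial_text: str) -> str:
    """The decimal-to-hex transform noted in the essay (3404118051 -> CAE6B823)."""
    return f"{atol32(serial_text):08X}"


if __name__ == "__main__":
    name, org = "Bengaly", "ThunderCats"
    print("typed 1234567890 -> EBX =", as_hex("1234567890") + "h")
    print("fake serial accepted:", registration_ok(name, org, "1234567890"))
    real = keygen(name, org)
    print("keygen says:", real, "=", as_hex(real) + "h")
    print("keygen serial accepted:", registration_ok(name, org, real))
```

The two things the real program shares with the model are the atol-style conversion (so leading blanks, a sign, and trailing junk after the digits are all silently accepted) and the fact that the "real" serial exists in a register at the compare, which is why sniffing it with '?' beats patching the JZ.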
I must say, although Software By Design has made a lot of shareware, they never changed the protection system, only the generator. So this tutorial applies to all shareware by them! ;D
Do I really have to remind you all that by buying and NOT stealing the software you use, you will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges to breaking their often weak protection systems?
If you're looking for cracks or serial numbers then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks and etc.
+SandMan...
I would like to say thank you to all who have supported me and helped me through my cracking days:
For his great essays and skills
For his awesome tutorials
For helping me in cracking and hosting
For helping me with W32Dasm
For being a good friend
Have Fun :D
Essay by: Bengaly