KeyGen Studio 2002

home *** CD-ROM | disk | FTP | other *** search

/ KeyGen Studio 2002 / KeyGen_Studio_2002.iso / Tutorials / Code Inside / Tut7.txt < prev next >

Wrap

Text File | 2001-09-21 | 17.9 KB | 303 lines

*************************************************************************************************************************************************************************************************** Quintessential CD V1.27 *************************************************************************************************************************************************************************************************** Author: Quinnware Protection: Name / Serial URL: http://www.quinnware.com/downloads/qcd_127.exe Tools: SoftICE 4.05 ---> Intro... Welcome to my next tutorial about "Quintessential CD V1.27". I'll show you now how to Sniff the Serial :) ---> Let's Begin... Open the program and right click on top of the program, then select "QCD Info..." and then select the tab "Register". Fill in your Name and a Serial I've used: Name: CoDe_InSiDe Serial: 1234567890 As you'll notice now the button "Register Now!" isn't enabled hmm... So it will only be enabled when we enter the right Serial, let's try some breakpoints. Get into SoftICE (CTRL+D) and type "bpx GetDlgItemTextA" and press enter, then get out of SoftICE (CTRL+D) and type one more Character in the Serial box and SoftICE will popup. Ok, now type "BC *" to disable the breakpoint and press (F11) or (F12) to get to the program code. Now you'll see this: --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- :00412D02 8D4C240C lea ecx, dword ptr [esp+0C] <--- HERE WE LAND AFTER THE BREAK !!! :00412D06 6A0A push 0000000A <--- Push maximum string length to copy from the entered Serial :00412D08 51 push ecx * Possible Reference to Dialog: DialogID_00B3, CONTROL_ID:044D, "" | :00412D09 684D040000 push 0000044D :00412D0E 56 push esi :00412D0F FFD7 call edi <--- Call GetDlgItemTextA :00412D11 8D542418 lea edx, dword ptr [esp+18] <--- Point EDX to our Name :00412D15 52 push edx :00412D16 E815C1FFFF call 0040EE30 <--- And here's the Algo !!! :00412D1B 83C404 add esp, 00000004 :00412D1E 8BF8 mov edi, eax :00412D20 8D44240C lea eax, dword ptr [esp+0C] <--- Point EAX to our "Fake" Serial :00412D24 50 push eax :00412D25 E846BDFFFF call 0040EA70 <--- Here it makes our "Fake" Serial in "Unreadable Characters", i'll get to this later --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Ok, so let's get into the CALL 0040EE30 to see the Algo :) And first you'll see this: --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- :0040EE30 8B542404 mov edx, dword ptr [esp+04] <--- Move the offset for our Name in EDX :0040EE34 53 push ebx :0040EE35 56 push esi :0040EE36 57 push edi :0040EE37 85D2 test edx, edx <--- Test if EDX is 00 :0040EE39 7470 je 0040EEAB <--- If equal we jump to the end, else continue :0040EE3B 8BFA mov edi, edx <--- Move EDX to EDI :0040EE3D 83C9FF or ecx, FFFFFFFF <--- Prepare ECX for counting :0040EE40 33C0 xor eax, eax <--- XOR EAX which is now 00 :0040EE42 F2AE repnz scasb <--- Let the count begin :) :0040EE44 F7D1 not ecx <--- NOT ECX (Kind of like reverse the value) :0040EE46 49 dec ecx <--- ECX -1 (to make the length correct) :0040EE47 83F906 cmp ecx, 00000006 <--- CMP ECX with 00000006 :0040EE4A 725F jb 0040EEAB <--- If below jump to the end, else continue --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- So in here it looks if the length of your entered Name is more then 5 Characters, because it checks for 00000006 if below we jump to the end and fail, if its equal or more we continue. Let's see what's next: --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- :0040EE4C 8A0A mov cl, byte ptr [edx] <--- Move first Char in CL :0040EE4E 33F6 xor esi, esi <--- XOR ESI which is now 00 :0040EE50 33FF xor edi, edi <--- XOR EDI which is now 00 :0040EE52 B801000000 mov eax, 00000001 <--- Move 00000001 in EAX :0040EE57 84C9 test cl, cl <--- Test if CL is 00 (Are we at the end of our Name ?) :0040EE59 7424 je 0040EE7F <--- If so we jump and get to the next stuff, else we continue to make the Serial * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040EE7D(C) | :0040EE5B 85D2 test edx, edx <--- Test if EDX is 00 :0040EE5D 7420 je 0040EE7F <--- If so we jump and get to the next stuff, else we continue to make the Serial :0040EE5F 8A0A mov cl, byte ptr [edx] <--- Move first Char in CL :0040EE61 80F920 cmp cl, 20 <--- Compare CL with 20 (Space) :0040EE64 7411 je 0040EE77 <--- If its equal jump and take the next Char, else continue :0040EE66 0FBEC9 movsx ecx, cl <--- Move CL in ECX :0040EE69 8BD8 mov ebx, eax <--- Move EAX to EBX :0040EE6B 8D0440 lea eax, dword ptr [eax+2*eax] <--- Move EAX+2*EAX in EAX (in the beginning EAX is 00000001, so it will then be 1+2*1 = 3 in EAX) :0040EE6E 0FAFD9 imul ebx, ecx <--- Multiply ECX with EBX :0040EE71 03DE add ebx, esi <--- ADD ESI in EBX :0040EE73 03FB add edi, ebx <--- ADD EBX in EDI :0040EE75 03F1 add esi, ecx <--- ADD ECX in ESI * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040EE64(C) | :0040EE77 8A4A01 mov cl, byte ptr [edx+01] <--- Put the next Char in CL :0040EE7A 42 inc edx <--- EDX +1 :0040EE7B 84C9 test cl, cl <--- Test if CL is 00 (Are we at the end of our Name ?) :0040EE7D 75DC jne 0040EE5B <--- If not we repeat the loop, if equal we continue --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- So this is the Algo, not very big :) Ok, it goes like this: My Name "CoDe_InSiDe" Move first Char in CL <--- Which is "C" (Hex = 43) Compare CL (43) with 20 (Space) If equal, jump and take the next char, else continue Move EAX to EBX <--- EBX now holds 00000001 Move EAX+2*EAX in EAX <--- In the beginning EAX holds 00000001, so now it'll have 1+2*1 = 00000003 in EAX Multiply ECX with EBX <--- 43 * 1 = 43 ADD ESI in EBX <--- ESI holds 00 so nothing changes in the beginning ADD EBX in EDI <--- EDI now holds 00000043 ADD ECX in ESI <--- ESI now holds 00000043 Move second Char in CL <--- Which is "o" (Hex = 6F) Increase EDX <--- EDX +1 Test if CL is 00 <--- Are we at the end of our Name ? If so we continue, if not we repeat this loop And so on... i hope you get this its not very hard :) Let's see the final part: --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:0040EE59(C), :0040EE5D(C) | :0040EE7F 33D2 xor edx, edx <--- XOR EDX which is now 00 :0040EE81 B9FFFF0000 mov ecx, 0000FFFF <--- Move 0000FFFF in ECX :0040EE86 F7F1 div ecx <--- Divide ECX :0040EE88 8BC7 mov eax, edi <--- Move EDI in EAX :0040EE8A BFFFFF0000 mov edi, 0000FFFF <--- Move 0000FFFF in EDI :0040EE8F 8BCA mov ecx, edx <--- Move EDX in ECX :0040EE91 99 cdq <--- If the value in EAX is equal to or less then 7FFFFFFF, the value in EDX will be set to 00000000, otherwise to FFFFFFFF :0040EE92 F7FF idiv edi <--- Divide EDI :0040EE94 8BC6 mov eax, esi <--- Move ESI in EAX :0040EE96 BEFF000000 mov esi, 000000FF <--- Move 000000FF in ESI :0040EE9B C1E210 shl edx, 10 <--- Shift EDX left with 10 :0040EE9E 0BCA or ecx, edx <--- OR EDX with ECX :0040EEA0 99 cdq <--- If the value in EAX is equal to or less then 7FFFFFFF, the value in EDX will be set to 00000000, otherwise to FFFFFFFF :0040EEA1 F7FE idiv esi <--- Divide ESI :0040EEA3 0BCA or ecx, edx <--- OR EDX with ECX :0040EEA5 8BC1 mov eax, ecx <--- Move ECX in EAX :0040EEA7 5F pop edi :0040EEA8 5E pop esi :0040EEA9 5B pop ebx :0040EEAA C3 ret --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- This is harder to explain, hehe :) But its actually also pretty easy if you trace through it, so im not going to explain this :) But we have the Serial now so let's see what comes next when were going over this ret and return to the main code. Remember where i said "Here it makes our "Fake" Serial "Unreadable", i'll get to this later" <--- Step in the CALL 0040EA70 and you'll see this: --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- :0040EA70 53 push ebx :0040EA71 56 push esi :0040EA72 8B74240C mov esi, dword ptr [esp+0C] <--- Move the offset of our "Fake" Serial in ESI :0040EA76 57 push edi :0040EA77 85F6 test esi, esi <--- Test if ESI is 00 :0040EA79 746B je 0040EAE6 <--- If so we jump to the end and fail, else continue :0040EA7B 6A08 push 00000008 * Possible StringData Ref from Data Obj ->"ffffffff" | :0040EA7D 6820014300 push 00430120 :0040EA82 56 push esi :0040EA83 E828D40100 call 0042BEB0 <--- In here it Compares "ffffffff" with our "Fake" Serial, if its the same it XORs EAX and we fail, if not we continue :0040EA88 83C40C add esp, 0000000C :0040EA8B 85C0 test eax, eax <--- Test if EAX is 00 (If your "Fake" Serial was "ffffffff") :0040EA8D 7457 je 0040EAE6 <--- If equal we jump and we fail, else continue --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Ok, so in here it checks if we entered "ffffffff" as our Serial, if so it XORs EAX and we fail, if not we continue. Let's see what's next: --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- :0040EA8F 56 push esi :0040EA90 E89BD20100 call 0042BD30 <--- In here it makes all LETTERS (if we entered letters) lowercase and makes it 8 Characters. :0040EA95 8BFE mov edi, esi <--- Move ESI in EDI :0040EA97 83C9FF or ecx, FFFFFFFF <--- Prepare ECX for counting :0040EA9A 33C0 xor eax, eax <--- XOR EAX which is now 00 :0040EA9C 83C404 add esp, 00000004 :0040EA9F F2AE repnz scasb <--- Let the count begin :) :0040EAA1 F7D1 not ecx <--- NOT ECX (kind of reverse the value) :0040EAA3 49 dec ecx <--- ECX -1 (to make the length correct) :0040EAA4 85C9 test ecx, ecx <--- Test if ECX is 00 :0040EAA6 7E40 jle 0040EAE8 <--- If equal or lower we jump and fail, else continue --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Well, in the CALL 0042BD30 it makes the letters (if we entered them) lowercase and makes it 8 Characters, and then it checks if we indeed entered something as our Serial :) Let's see what's next: --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- :0040EAA8 8BF9 mov edi, ecx <--- Move ECX in EDI :0040EAAA 8BD9 mov ebx, ecx <--- Move ECX in EBX * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040EAE0(C) | :0040EAAC 8D57FF lea edx, dword ptr [edi-01] :0040EAAF B901000000 mov ecx, 00000001 <--- Move 00000001 in ECX :0040EAB4 85D2 test edx, edx <--- Test if EDX is 00 :0040EAB6 7E06 jle 0040EABE <--- if equal or lower we jump, else continue * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040EABC(C) | :0040EAB8 C1E104 shl ecx, 04 <--- Shift ECX to the left with 04 :0040EABB 4A dec edx <--- EDX -1 :0040EABC 75FA jne 0040EAB8 <--- if EDX is 00 we continue, else we repeat this little loop * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040EAB6(C) | :0040EABE 8A16 mov dl, byte ptr [esi] <--- Move first Char of our "Fake" Serial in DL :0040EAC0 80FA61 cmp dl, 61 <--- Compare DL with 61 (a) :0040EAC3 7C08 jl 0040EACD <--- Jump if lower, else continue :0040EAC5 0FBED2 movsx edx, dl <--- Move DL in EDX :0040EAC8 83EA57 sub edx, 00000057 <--- EDX -57 :0040EACB EB0B jmp 0040EAD8 <--- Jump and skip 4 instructions * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040EAC3(C) | :0040EACD 80FA30 cmp dl, 30 <--- Compare DL with 30 (0) :0040EAD0 7C0B jl 0040EADD <--- Jump if lower, else continue :0040EAD2 0FBED2 movsx edx, dl <--- Mov DL in EDX :0040EAD5 83EA30 sub edx, 00000030 <--- EDX -30 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040EACB(U) | :0040EAD8 0FAFD1 imul edx, ecx <--- Multiply ECX with EDX :0040EADB 03C2 add eax, edx <--- ADD EDX in EAX * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040EAD0(C) | :0040EADD 46 inc esi <--- ESI +1 :0040EADE 4F dec edi <--- EDI -1 :0040EADF 4B dec ebx <--- EBX -1 :0040EAE0 75CA jne 0040EAAC <--- Repeat the whole loop if EBX isn't 00, else continue :0040EAE2 5F pop edi :0040EAE3 5E pop esi :0040EAE4 5B pop ebx :0040EAE5 C3 ret --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Ok, so what it actually does here is it puts the "Fake" Serial we entered (The Serial was cut to 8 Chars) into the Register EAX <--- That's what i meant by Unreadable Characters :) So now our "Fake" Serial is within the Register EAX, now when you get over the "ret" we return to the main code and you'll see this piece: --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- :00412D2A 83C404 add esp, 00000004 :00412D2D 3BF8 cmp edi, eax <--- CMP EAX with EDI :00412D2F 750D jne 00412D3E <--- If not equal we jump and fail, if equal we continue and get the Good Guy message --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- And here it just Compares EAX (our "Fake" Serial put in the Register) with EDI (our "Real" Serial). That's it, now for my Name it was: Name: CoDe_InSiDe Serial: 739AB3FD This was very easy now you can make a KeyGen if you want and if you can do that :) Mail me if you got any questions or just something to say :) Email: code.inside@home.nl ---> Greetings... Everybody at TrickSoft (www.TrickSoft.net) Everybody at Cracking4Newbies (www.Cracking4Newbies.com) And You... Don't trust the outside, trust the InSiDe !!! Cya... CoDe_InSiDe