//The algorithm for SmartVersion is exactly the same as the one described for
//WinImage, except that different edition constant numbers are used.
// SmartVersion Keygen.cpp
// Generates working and valid keys for all versions 1.00 - 2.00
#include "stdafx.h"
#include <iomanip>
#include <iostream>
#include <stdlib.h>
#include <string>
#include <windows.h>
using namespace std;
// Capacity, in elements, of the fixed buffers used below: name[] in main and temp[] in PrintSerial.
const int LENGTH = 256; //Size of the character arrays
//Constants used in the generation of the raw serial number.
const int THREE_HEX = 0x3; // added to the character index before the second modulo test in main
const int SEVEN_HEX = 0x7; // multiplier step used in main when (index + 3) is a multiple of 14
const int FOURTEEN_HEX = 0x0E; // modulus for both index tests in main
const int TWENTYSEVEN_HEX = 0x27; // initial and reset value of the running multiplier (0x27 is 39 decimal, despite the name)
const int SERIAL_HEX = 0x47694C; // starting value of the accumulator in main
//Edition constant numbers for SmartVersion 1.00. Will register version 2.00.
// Three entries; PrintSerial walks them with a hard-coded bound of 3, so the two must be kept in step.
const int version100[] = { 0x12091999,
0x31121999,
0x2062000
};
//Edition constant numbers for SmartVersion 2.00. Will NOT register version 1.00.
// Six entries; PrintSerial walks them with a hard-coded bound of 6, so the two must be kept in step.
const int version200[] = { 0x13062004,
0x21032004,
0x28032004,
0x5052005,
0x29052005,
0x1122004
};
//The "semiraw_serial" is produced after the raw serial and edition
//constant number are added together. After this function is executed
//"semiraw_serial" will contain the actual serial key.
//This function will switch the 8/B in the semiraw serial to B/8 respectively.
// It works in place on the NUL-terminated buffer: 0x38 ('8') becomes 0x42 ('B') by adding 0x0A,
// and 0x42 ('B') becomes 0x38 ('8') because 0x42 + 0xF6 = 0x138 keeps only its low 8 bits when
// stored back into the char `al`. Every other character is written back unchanged.
// NOTE(review): wcslen() takes a wchar_t*, so this compiles only when TCHAR is wchar_t (UNICODE build).
// NOTE(review): each element is narrowed to char and widened again; that round trip is only
// lossless for values that fit in a char, and the 'B' -> '8' case relies on the int-to-char
// conversion discarding the high bits.
void processSerial(TCHAR semiraw_serial[])
{
char al; // 8-bit scratch value for the current character
// wcslen() is re-evaluated on every pass; the loop never writes a NUL, so the length does not change.
for(unsigned int i = 0; i < wcslen(semiraw_serial); i++)
{
al = semiraw_serial[i];
if(al == 0x0038)
{
al = al + 0x000A;
}
else if(al == 0x0042)
{
al = al + 0x00F6;
}
semiraw_serial[i] = al;
}
}
//This function will print the serial numbers for all versions
// For every entry of version100, then of version200, it formats raw_serial + entry as
// upper-case hexadecimal into temp, passes temp through processSerial and prints the result.
// raw_serial: the value main computed from the entered name.
// NOTE(review): the loop bounds 3 and 6 are literals rather than being derived from the arrays.
// NOTE(review): narrow printf() and wide wprintf() are mixed on stdout; standard C gives a stream
// a single orientation, so this depends on the runtime tolerating the mix — confirm on the target CRT.
void PrintSerial(int raw_serial)
{
TCHAR temp[LENGTH]; // receives the formatted hexadecimal text
printf("=========================================\n");
printf("version 1.00\n");
for (int i = 0; i < 3; i++)
{
// The argument is an int while %lX names a long; both are 32 bits on Windows targets.
wsprintf(temp, TEXT ("%lX"), raw_serial + version100[i]);
processSerial(temp);
// NOTE(review): %s with a wide buffer inside wprintf() follows the Microsoft CRT convention; ISO C would require %ls.
wprintf(L"Registration #: %s\n", temp);
}
printf("=========================================\n");
printf("version 2.00\n");
for (int i = 0; i < 6; i++)
{
wsprintf(temp, TEXT ("%lX"), raw_serial + version200[i]);
processSerial(temp);
wprintf(L"Registration #: %s\n", temp);
}
printf("=========================================\n");
}
// Entry point. Reads one line (the name) from stdin, folds its upper-cased characters into
// `serial` using a multiplier that changes with the character index, then calls PrintSerial.
// The locals are named after x86 registers; the two quotients stored in EAX are never read.
// The result depends only on the typed name and the constants defined above.
int main()
{
int EAX = 0;
int EBX = FOURTEEN_HEX;
int EDX = 0;
int EDI = TWENTYSEVEN_HEX; // running multiplier
int serial = SERIAL_HEX; // accumulator
int temp;
char name[LENGTH];
//Asks the user to type in the name to register the program
//with.
printf("SmartVersion v1.00 - 2.00 Keygen\nName:");
// NOTE(review): gets() cannot be told the buffer size, so a line longer than LENGTH - 1
// characters writes past the end of name[] on the stack. It was removed from C11 and C++14;
// a length-bounded read is the safe replacement.
gets(name);
//Algorithm that generates the raw serial number from the
//specified name. The edition constant number needs to be added
//to the raw serial before being processed.
// strlen(name) is re-evaluated on every pass; name is not modified inside the loop.
for(unsigned int i = 0; i < strlen(name); i++)
{
EAX = i;
temp = EAX;
EAX = temp / EBX; // quotient is discarded
EDX = temp % EBX;
// Reset the multiplier whenever the index is a multiple of 14 (including i == 0).
if(EDX == 0)
{
EDI = TWENTYSEVEN_HEX;
}
// NOTE(review): name[i] is a plain char; passing a negative value (bytes >= 0x80 where char
// is signed) to toupper() is undefined unless it is cast to unsigned char first.
EDX = toupper(name[i]);
EAX = i + THREE_HEX;
temp = EAX;
// NOTE(review): these are signed int operations; for longer names the product and the running
// sum can exceed INT_MAX, which standard C++ leaves undefined. The code presumably counts on
// 32-bit wraparound — confirm for the compiler in use.
EDX = EDX * EDI;
serial = serial + EDX;
EAX = temp / FOURTEEN_HEX; // quotient is discarded
EDX = temp % FOURTEEN_HEX;
// Grow the multiplier for the next character: x7 when (i + 3) is a multiple of 14, otherwise x3.
if(EDX == 0)
{
EDI = EDI * SEVEN_HEX;
}
else
{
EDI = EDI * 3;
}
}
//Prints the generated serial numbers
PrintSerial(serial);
return 0;
}
19 February 2009
SmartVersion 1.00 - 2.00 Keygen C++ source code
Analysis of WinImage 3.00 - 8.10
Analysis of WinImage
Abstract:
The target audience is those who are just getting started in reverse engineering ("cracking") programs. However, this is not a guide that will hand-hold you through the process. Instead, I hope enough information is provided so that my work can be replicated. I assume you, the reader, have some knowledge of Intel x86 assembly, of using a debugger, and some experience with crackmes. I will explain the process of generating the valid keys for WinImage.
Keyword(s): algorithm, cracking, keygen, Ollydbg, WinImage
Purpose:
To reverse engineer and analyze how the serial registration algorithm works in WinImage in order to construct a key generator.
Materials and methods:
Ollydbg v1.10 was used to analyze WinImage 6.00.6000 in Windows XP running as a virtual machine in VMWare Workstation. Packer detection was done using PEiD v0.95. The key generator is written in C++ and compiled with Visual Studio 2008 on a computer system running Windows Server 2008 Standard x86-64.
Discussion:
The main executable, "winimage.exe", is not packed. To register the program, go to Options->Registering and enter a random name and registration code to get the error message. The program was then closed before being opened under Ollydbg. The error message was searched for in the "referenced text string" option but could not be found. This method did work in programs like Starcraft or Winzip 7.0 SR-1 (both mentioned in previous blog postings), but not for WinImage. One can place a breakpoint on the MessageBox API using "bp MessageBoxA" and work backwards from the error message. Another method is to place a breakpoint on the GetDlgItemText API using "bp GetDlgItemTextA". This works because the program needs a way to get the inputted name and registration number from the dialog box. From there, it is necessary to trace through the code to see where the user-inputted registration code is checked against the real code. The real code will appear if you look in the registers. The function "strcmp" is used to compare the codes. This comparison is done 6 times, since the code can specify an edition and/or version. A breakpoint on wsprintf can also be set ("bp wsprintfA"), and if one looks above that call, one can see the serial algorithm.
Analysis of the algorithm:
The registration code is generated from a name after going through a two-step process. The first step involves converting the alphabetic characters in the name to uppercase. After this conversion, the hexadecimal value of each character is put through multiplication and division before being added to 0x47694C to get the raw serial. This raw serial is then converted to a wide character string with the function wsprintf, before being checked to see if any of its characters are '8' or 'B'. If it detects such characters, 0x000A or 0x00F6 is added, respectively, to the hexadecimal value of the character. After the check, the serial (which will be called 'semiraw') can be used to register the program and enable the standard edition features. However, it is possible to generate 5 other keys that are able to register the program. Other keys are generated by adding the semiraw key to an "edition constant number" (can't think of a better name to call it). From testing, it seems that different edition constant numbers produce keys that enable certain editions (standard or professional) and are valid or invalid for certain versions of the program. I searched other versions of the program and was able to find a total of 10 unique edition constant numbers (5 for standard and 5 for professional). It is possible for a key to be valid for a wide range of WinImage versions, from 3.00 to 8.10, if one uses the right edition constant number.
//Main algorithm from WinImage 6.00.6000
0043A24E |> 8BC1 /MOV EAX,ECX
0043A250 |. 6A 0E |PUSH 0E
0043A252 |. 99 |CDQ
0043A253 |. 5B |POP EBX; EBX = 0xE
0043A254 |. F7FB |IDIV EBX
0043A256 |. 85D2 |TEST EDX,EDX
0043A258 |. 75 03 |JNZ SHORT winimage.0043A25D
0043A25A |. 6A 27 |PUSH 27
0043A25C |. 5F |POP EDI; EDI = 0x27
0043A25D |> 0FB6540E 03 |MOVZX EDX,BYTE PTR DS:[ESI+ECX+3]
0043A262 |. 8D41 03 |LEA EAX,DWORD PTR DS:[ECX+3]
0043A265 |. 0FAFD7 |IMUL EDX,EDI; EDX = EDX * EDI
0043A268 |. 0155 FC |ADD DWORD PTR SS:[EBP-4],EDX
0043A26B |. 6A 0E |PUSH 0E
0043A26D |. 99 |CDQ
0043A26E |. 5B |POP EBX; EBX = 0xE
0043A26F |. F7FB |IDIV EBX
0043A271 |. 85D2 |TEST EDX,EDX
0043A273 |. 74 05 |JE SHORT winimage.0043A27A
0043A275 |. 8D3C7F |LEA EDI,DWORD PTR DS:[EDI+EDI*2]; EDI = EDI * 3
0043A278 |. EB 03 |JMP SHORT winimage.0043A27D
0043A27A |> 6BFF 07 |IMUL EDI,EDI,7; EDI = EDI * 7
0043A27D |> 41 |INC ECX
0043A27E |. 3B4D 08 |CMP ECX,DWORD PTR SS:[EBP+8]
0043A281 |.^7C CB \JL SHORT winimage.0043A24E
//How the serial number is processed from WinImage 6.00.6000
0043A295 |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; /<%lX>
0043A298 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10] ; |
0043A29B |. 68 9CBA4400 PUSH winimage.0044BA9C ; |Format = "%lX"
0043A2A0 |. 50 PUSH EAX ; |s
0043A2A1 |. FF15 64FB4400 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; \wsprintfA
0043A2A7 |. 8A45 F0 MOV AL,BYTE PTR SS:[EBP-10]
0043A2AA |. 83C4 0C ADD ESP,0C
0043A2AD |. 84C0 TEST AL,AL
0043A2AF |. 74 1E JE SHORT winimage.0043A2CF
0043A2B1 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
0043A2B4 |. 2BCE SUB ECX,ESI
0043A2B6 |> 3C 38 /CMP AL,38
0043A2B8 |. 75 04 |JNZ SHORT winimage.0043A2BE
0043A2BA |. 04 0A |ADD AL,0A
0043A2BC |. EB 06 |JMP SHORT winimage.0043A2C4
0043A2BE |> 3C 42 |CMP AL,42
0043A2C0 |. 75 02 |JNZ SHORT winimage.0043A2C4
0043A2C2 |. 04 F6 |ADD AL,0F6
0043A2C4 |> 8806 |MOV BYTE PTR DS:[ESI],AL
0043A2C6 |. 8A4431 01 |MOV AL,BYTE PTR DS:[ECX+ESI+1]
0043A2CA |. 46 |INC ESI
0043A2CB |. 84C0 |TEST AL,AL
0043A2CD |.^75 E7 \JNZ SHORT winimage.0043A2B6
//Some of the edition constant numbers from 8.10
0041294D . 8D86 48190514 LEA EAX,DWORD PTR DS:[ESI+14051948]
0041296E . 8D86 54190617 LEA EAX,DWORD PTR DS:[ESI+17061954]
0041298F . 8D86 81190510 LEA EAX,DWORD PTR DS:[ESI+10051981]
004129AC . 8D86 95190104 LEA EAX,DWORD PTR DS:[ESI+4011995]
004129CD . 8D86 97190602 LEA EAX,DWORD PTR DS:[ESI+2061997]
Conclusion:
In my opinion, the level of difficulty of reverse engineering this program is on par with Winzip 7.0 SR-1. The draft version of the keygen produced correct and defective registration codes for some names. After tracing through, I found out that I was dividing by the wrong number. Even after fixing that problem, the keygen was still producing some wrong codes. After more tracing, I found out that the serial numbers are processed (as mentioned above). After figuring out how that was done, my focus was on how the other keys were generated. This involved more tracing over the code until figuring out what the edition constant numbers were. After coding the keygen, much time was spent testing and debugging it on all versions of WinImage from 3.00 to the latest 8.10.8100. I know one can google the serial or crack for this program, but why do this and risk infecting your computer?
Keygen Source code:
Abstract:
The target audience is those who are just getting started in reverse engineering ("cracking") programs. However, this is not a guide that will hand-hold you through the process. Instead, I hope enough information is provided so that my work can be replicated. I assume you, the reader, have some knowledge of Intel x86 assembly, of using a debugger, and some experience with crackmes. I will explain the process of generating the valid keys for WinImage.
Keyword(s): algorithm, cracking, keygen, Ollydbg, WinImage
Purpose:
To reverse engineer and analyze how the serial registration algorithm works in WinImage in order to construct a key generator.
Materials and methods:
Ollydbg v1.10 was used to analyze WinImage 6.00.6000 in Windows XP running as a virtual machine in VMWare Workstation. Packer detection was done using PEiD v0.95. The key generator is written in C++ and compiled with Visual Studio 2008 on a computer system running Windows Server 2008 Standard x86-64.
Discussion:
The main executable, "winimage.exe", is not packed. To register the program, go to Options->Registering and enter a random name and registration code to get the error message. The program was then closed before being opened under Ollydbg. The error message was searched for in the "referenced text string" option but could not be found. This method did work in programs like Starcraft or Winzip 7.0 SR-1 (both mentioned in previous blog postings), but not for WinImage. One can place a breakpoint on the MessageBox API using "bp MessageBoxA" and work backwards from the error message. Another method is to place a breakpoint on the GetDlgItemText API using "bp GetDlgItemTextA". This works because the program needs a way to get the inputted name and registration number from the dialog box. From there, it is necessary to trace through the code to see where the user-inputted registration code is checked against the real code. The real code will appear if you look in the registers. The function "strcmp" is used to compare the codes. This comparison is done 6 times, since the code can specify an edition and/or version. A breakpoint on wsprintf can also be set ("bp wsprintfA"), and if one looks above that call, one can see the serial algorithm.
Analysis of the algorithm:
The registration code is generated from a name after going through a two-step process. The first step involves converting the alphabetic characters in the name to uppercase. After this conversion, the hexadecimal value of each character is put through multiplication and division before being added to 0x47694C to get the raw serial. This raw serial is then converted to a wide character string with the function wsprintf, before being checked to see if any of its characters are '8' or 'B'. If it detects such characters, 0x000A or 0x00F6 is added, respectively, to the hexadecimal value of the character. After the check, the serial (which will be called 'semiraw') can be used to register the program and enable the standard edition features. However, it is possible to generate 5 other keys that are able to register the program. Other keys are generated by adding the semiraw key to an "edition constant number" (can't think of a better name to call it). From testing, it seems that different edition constant numbers produce keys that enable certain editions (standard or professional) and are valid or invalid for certain versions of the program. I searched other versions of the program and was able to find a total of 10 unique edition constant numbers (5 for standard and 5 for professional). It is possible for a key to be valid for a wide range of WinImage versions, from 3.00 to 8.10, if one uses the right edition constant number.
//Main algorithm from WinImage 6.00.6000
0043A24E |> 8BC1 /MOV EAX,ECX
0043A250 |. 6A 0E |PUSH 0E
0043A252 |. 99 |CDQ
0043A253 |. 5B |POP EBX; EBX = 0xE
0043A254 |. F7FB |IDIV EBX
0043A256 |. 85D2 |TEST EDX,EDX
0043A258 |. 75 03 |JNZ SHORT winimage.0043A25D
0043A25A |. 6A 27 |PUSH 27
0043A25C |. 5F |POP EDI; EDI = 0x27
0043A25D |> 0FB6540E 03 |MOVZX EDX,BYTE PTR DS:[ESI+ECX+3]
0043A262 |. 8D41 03 |LEA EAX,DWORD PTR DS:[ECX+3]
0043A265 |. 0FAFD7 |IMUL EDX,EDI; EDX = EDX * EDI
0043A268 |. 0155 FC |ADD DWORD PTR SS:[EBP-4],EDX
0043A26B |. 6A 0E |PUSH 0E
0043A26D |. 99 |CDQ
0043A26E |. 5B |POP EBX; EBX = 0xE
0043A26F |. F7FB |IDIV EBX
0043A271 |. 85D2 |TEST EDX,EDX
0043A273 |. 74 05 |JE SHORT winimage.0043A27A
0043A275 |. 8D3C7F |LEA EDI,DWORD PTR DS:[EDI+EDI*2]; EDI = EDI * 3
0043A278 |. EB 03 |JMP SHORT winimage.0043A27D
0043A27A |> 6BFF 07 |IMUL EDI,EDI,7; EDI = EDI * 7
0043A27D |> 41 |INC ECX
0043A27E |. 3B4D 08 |CMP ECX,DWORD PTR SS:[EBP+8]
0043A281 |.^7C CB \JL SHORT winimage.0043A24E
//How the serial number is processed from WinImage 6.00.6000
0043A295 |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; /<%lX>
0043A298 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10] ; |
0043A29B |. 68 9CBA4400 PUSH winimage.0044BA9C ; |Format = "%lX"
0043A2A0 |. 50 PUSH EAX ; |s
0043A2A1 |. FF15 64FB4400 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; \wsprintfA
0043A2A7 |. 8A45 F0 MOV AL,BYTE PTR SS:[EBP-10]
0043A2AA |. 83C4 0C ADD ESP,0C
0043A2AD |. 84C0 TEST AL,AL
0043A2AF |. 74 1E JE SHORT winimage.0043A2CF
0043A2B1 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
0043A2B4 |. 2BCE SUB ECX,ESI
0043A2B6 |> 3C 38 /CMP AL,38
0043A2B8 |. 75 04 |JNZ SHORT winimage.0043A2BE
0043A2BA |. 04 0A |ADD AL,0A
0043A2BC |. EB 06 |JMP SHORT winimage.0043A2C4
0043A2BE |> 3C 42 |CMP AL,42
0043A2C0 |. 75 02 |JNZ SHORT winimage.0043A2C4
0043A2C2 |. 04 F6 |ADD AL,0F6
0043A2C4 |> 8806 |MOV BYTE PTR DS:[ESI],AL
0043A2C6 |. 8A4431 01 |MOV AL,BYTE PTR DS:[ECX+ESI+1]
0043A2CA |. 46 |INC ESI
0043A2CB |. 84C0 |TEST AL,AL
0043A2CD |.^75 E7 \JNZ SHORT winimage.0043A2B6
//Some of the edition constant numbers from 8.10
0041294D . 8D86 48190514 LEA EAX,DWORD PTR DS:[ESI+14051948]
0041296E . 8D86 54190617 LEA EAX,DWORD PTR DS:[ESI+17061954]
0041298F . 8D86 81190510 LEA EAX,DWORD PTR DS:[ESI+10051981]
004129AC . 8D86 95190104 LEA EAX,DWORD PTR DS:[ESI+4011995]
004129CD . 8D86 97190602 LEA EAX,DWORD PTR DS:[ESI+2061997]
Conclusion:
In my opinion, the level of difficulty of reverse engineering this program is on par with Winzip 7.0 SR-1. The draft version of the keygen produced correct and defective registration codes for some names. After tracing through, I found out that I was dividing by the wrong number. Even after fixing that problem, the keygen was still producing some wrong codes. After more tracing, I found out that the serial numbers are processed (as mentioned above). After figuring out how that was done, my focus was on how the other keys were generated. This involved more tracing over the code until figuring out what the edition constant numbers were. After coding the keygen, much time was spent testing and debugging it on all versions of WinImage from 3.00 to the latest 8.10.8100. I know one can google the serial or crack for this program, but why do this and risk infecting your computer?
Keygen Source code:
// WinImage Keygen.cpp
// Generates working and valid keys for all versions 3.00 - 8.10
// of the standard and professional editions.
#include "stdafx.h"
#include <iomanip>
#include <iostream>
#include <stdlib.h>
#include <string>
#include <windows.h>
using namespace std;
// Capacity, in elements, of the fixed buffers used below: name[] in main and temp[] in PrintSerial.
const int LENGTH = 256; //Size of the character arrays
//Constants used in the generation of the raw serial number.
const int THREE_HEX = 0x3; // added to the character index before the second modulo test in main
const int SEVEN_HEX = 0x7; // multiplier step used in main when (index + 3) is a multiple of 14
const int FOURTEEN_HEX = 0x0E; // modulus for both index tests in main
const int TWENTYSEVEN_HEX = 0x27; // initial and reset value of the running multiplier (0x27 is 39 decimal, despite the name)
const int SERIAL_HEX = 0x47694C; // starting value of the accumulator in main
//Numbers that are added to the raw serial number before it is
//processed. With the exception of the first one, the numbers
//are expressed in hexadecimal format. The comments to the right
//of each of the numbers are the versions the program that the
//key generated will work on.
//The numbers will be called "edition constant numbers".
// Six entries; PrintSerial walks them with a hard-coded bound of 6 and pairs entry i with SE_NOTES[i].
const int STANDARD_EDITION[] = { 0, //3.00 - 8.10.8100 not
//an edition constant number
0x14051948, //3.00 - 8.10.8100
0x17061954, //3.00 - 8.10.8100
0x4011995, //4.00.4000 - 8.10.8100
0x21042002, //7.0.7000 - 8.10.8100
0x09112005, //8.0.8000 - 8.10.8100
};
//This array is for displaying to the user the program version the
//generated key will work on.
// Index-aligned with STANDARD_EDITION; the strings repeat the trailing comments above, so the
// two places have to be edited together.
const string SE_NOTES[] = { "3.00 - 8.10.8100",
"3.00 - 8.10.8100",
"3.00 - 8.10.8100",
"4.00.4000 - 8.10.8100",
"7.0.7000 - 8.10.8100",
"8.0.8000 - 8.10.8100"
};
//Numbers that are added to the raw serial number before it is
//processed. With the exception of the first one, the numbers
//are expressed in hexadecimal format. The comments to the right
//of each of the numbers are the versions the program that the
//key generated will work on.
//The numbers will be called "edition constant numbers".
// Five entries; PrintSerial walks them with a hard-coded bound of 5 and pairs entry i with PE_NOTES[i].
// NOTE(review): unlike STANDARD_EDITION, the first entry here is not 0, so the "exception of the
// first one" wording carried over from the block above does not match this array.
const int PROFESSIONAL_EDITION[] = {0x10051981, //3.00 - 8.10.8100
0x2061997, //4.00.4000 - 8.10.8100
0x16062004, //7.0.7000 - 8.10.8100
0x13062004, //7.0.7000 - 8.10.8100
0x24112005, //8.0.8000 - 8.10.8100
};
//This array is for displaying to the user the program version the
//generated key will work on.
// Index-aligned with PROFESSIONAL_EDITION.
const string PE_NOTES[] = { "3.00 - 8.10.8100",
"4.00.4000 - 8.10.8100",
"7.0.7000 - 8.10.8100",
"7.0.7000 - 8.10.8100",
"8.0.8000 - 8.10.8100"
};
//The "semiraw_serial" is produced after the raw serial and edition
//constant number are added together. After this function is executed
//"semiraw_serial" will contain the actual serial key.
//This function will switch the 8/B in the semiraw serial to B/8 respectively.
// It works in place on the NUL-terminated buffer: 0x38 ('8') becomes 0x42 ('B') by adding 0x0A,
// and 0x42 ('B') becomes 0x38 ('8') because 0x42 + 0xF6 = 0x138 keeps only its low 8 bits when
// stored back into the char `al`. Every other character is written back unchanged.
// NOTE(review): wcslen() takes a wchar_t*, so this compiles only when TCHAR is wchar_t (UNICODE build).
// NOTE(review): each element is narrowed to char and widened again; that round trip is only
// lossless for values that fit in a char, and the 'B' -> '8' case relies on the int-to-char
// conversion discarding the high bits.
void processSerial(TCHAR semiraw_serial[])
{
char al; // 8-bit scratch value for the current character
// wcslen() is re-evaluated on every pass; the loop never writes a NUL, so the length does not change.
for(unsigned int i = 0; i < wcslen(semiraw_serial); i++)
{
al = semiraw_serial[i];
if(al == 0x0038)
{
al = al + 0x000A;
}
else if(al == 0x0042)
{
al = al + 0x00F6;
}
semiraw_serial[i] = al;
}
}
//This function will print the serial numbers for all editions and
//versions of WinImage.
// For every entry of STANDARD_EDITION, then of PROFESSIONAL_EDITION, it formats
// raw_serial + entry as upper-case hexadecimal into temp, passes temp through processSerial,
// prints it, and appends the matching SE_NOTES / PE_NOTES string after some padding.
// raw_serial: the value main computed from the entered name.
// NOTE(review): the loop bounds 6 and 5 are literals rather than being derived from the arrays.
// NOTE(review): printf(), wprintf() and cout are all used on stdout; standard C gives a stream a
// single orientation and the C and C++ layers buffer separately unless synchronised, so output
// order depends on the runtime — confirm on the target CRT.
void PrintSerial(int raw_serial)
{
TCHAR temp[LENGTH]; // receives the formatted hexadecimal text
printf("=========================================\n");
printf("STANDARD EDITION\n");
for(int i = 0; i < 6; i++)
{
// The argument is an int while %lX names a long; both are 32 bits on Windows targets.
wsprintf(temp, TEXT ("%lX"), raw_serial + STANDARD_EDITION[i]);
processSerial(temp);
// NOTE(review): %s with a wide buffer inside wprintf() follows the Microsoft CRT convention; ISO C would require %ls.
wprintf(L"Registration #: %s", temp);
// Pads to a total of 10 - length columns. The inner 5 - wcslen(temp) is size_t arithmetic and
// wraps once temp is longer than 5 characters; adding 5 brings it back to the intended value
// only while the length is at most 10.
cout << setw(5 + (5 - wcslen(temp))) << "" << SE_NOTES[i] << endl;
}
printf("=========================================\n");
printf("=========================================\n");
printf("PROFESSIONAL EDITION\n");
for(int i = 0; i < 5; i++)
{
wsprintf(temp, TEXT ("%lX"), raw_serial + PROFESSIONAL_EDITION[i]);
processSerial(temp);
wprintf(L"Registration #: %s", temp);
// Same padding computation as in the standard-edition loop.
cout << setw(5 + (5 - wcslen(temp))) << "" << PE_NOTES[i] << endl;
}
printf("=========================================\n");
}
// Entry point. Reads one line (the name) from stdin, folds its upper-cased characters into
// `serial` using a multiplier that changes with the character index, then calls PrintSerial.
// The locals are named after x86 registers; the two quotients stored in EAX are never read.
// The result depends only on the typed name and the constants defined above.
int main()
{
int EAX = 0;
int EBX = FOURTEEN_HEX;
int EDX = 0;
int EDI = TWENTYSEVEN_HEX; // running multiplier
int serial = SERIAL_HEX; // accumulator
int temp;
char name[LENGTH];
//Asks the user to type in the name to register the program
//with.
printf("WinImage 3.00 - 8.10 Keygen\nName:");
// NOTE(review): gets() cannot be told the buffer size, so a line longer than LENGTH - 1
// characters writes past the end of name[] on the stack. It was removed from C11 and C++14;
// a length-bounded read is the safe replacement.
gets(name);
//Algorithm that generates the raw serial number from the
//specified name. The edition constant number needs to be added
//to the raw serial before being processed.
// strlen(name) is re-evaluated on every pass; name is not modified inside the loop.
for(unsigned int i = 0; i < strlen(name); i++)
{
EAX = i;
temp = EAX;
EAX = temp / EBX; // quotient is discarded
EDX = temp % EBX;
// Reset the multiplier whenever the index is a multiple of 14 (including i == 0).
if(EDX == 0)
{
EDI = TWENTYSEVEN_HEX;
}
// NOTE(review): name[i] is a plain char; passing a negative value (bytes >= 0x80 where char
// is signed) to toupper() is undefined unless it is cast to unsigned char first.
EDX = toupper(name[i]);
EAX = i + THREE_HEX;
temp = EAX;
// NOTE(review): these are signed int operations; for longer names the product and the running
// sum can exceed INT_MAX, which standard C++ leaves undefined. The code presumably counts on
// 32-bit wraparound — confirm for the compiler in use.
EDX = EDX * EDI;
serial = serial + EDX;
EAX = temp / FOURTEEN_HEX; // quotient is discarded
EDX = temp % FOURTEEN_HEX;
// Grow the multiplier for the next character: x7 when (i + 3) is a multiple of 14, otherwise x3.
if(EDX == 0)
{
EDI = EDI * SEVEN_HEX;
}
else
{
EDI = EDI * 3;
}
}
PrintSerial(serial);
return 0;
}
30 September 2008
Analysis of iTunes Antidebug and Parental Controls
Target: Apple Itunes 8.0.0.35
Filename: iTunes.exe
File MD5: 8b8ea6aff1e43b927e49228287f9711b
The antidebug features have not changed much since version 7.6.1.9. There are still the 3 IsDebuggerPresent API calls, and 1 of them terminates iTunes if it detects a debugger. I still haven't figured out how the other two are called. Anyway, it still checks for the presence of SoftICE by querying the registry.
Here is the section of code that terminates iTunes if a debugger is detected:
004FC80E |. 74 08 JE SHORT iTunes.004FC818
004FC810 |. 6A 00 PUSH 0 ; /ExitCode = 0
004FC812 |. FF15 C863E200 CALL DWORD PTR DS:[<&KERNEL32.ExitProces>; \ExitProcess
004FC818 |> 8935 E0AB0701 MOV DWORD PTR DS:[107ABE0],ESI
004FC81E |> 5E POP ESI
004FC81F \. C3 RETN
To get around this, just change JE SHORT iTunes.004FC818 to JMP SHORT iTunes.004FC818 and save the file or you can use a plug in to hide Ollydbg from this type of detection technique. Anyway, it looks like iTunes couldn't care less whether it was patched, since I was able to run the patched executable. Anyway, I was looking over iTunes to see what I can do with it and I found out a way to bypass the parental controls password check, however there is a catch (which I will explain later). Three jumps must be patched in order for this to work. I will list my method below in order for others to reproduce:
1. Search for the text "ParentalAuthDialog" and scroll down to see the code below.
2. NOP out the JNZ Short after the two loops.
3. After TEST AL, AL change JNZ to JMP
00717240 |. 68 2CA3E700 PUSH iTunes2.00E7A32C ; UNICODE "ParentalAuthDialog"
00717245 |. E8 1660D0FF CALL iTunes2.0041D260
0071724A |. 83C4 0C ADD ESP,0C
0071724D |. 66:3D 6500 CMP AX,65
.
. Boring code edited out
.
.
007172C0 |> C600 00 /MOV BYTE PTR DS:[EAX],0 ; Loop Begin
007172C3 |. 83C0 01 |ADD EAX,1 ; Body
007172C6 |. 83E9 01 |SUB ECX,1 ; Body
007172C9 |.^75 F5 \JNZ SHORT iTunes2.007172C0 ; Loop Condition
.
.
007172D7 |> C600 00 /MOV BYTE PTR DS:[EAX],0 ; Loop Begin
007172DA |. 83C0 01 |ADD EAX,1 ; Body
007172DD |. 83E9 01 |SUB ECX,1 ; Body
007172E0 |.^75 F5 \JNZ SHORT iTunes2.007172D7 ; Loop Condition
007172E2 |. 3BF7 CMP ESI,EDI
007172E4 75 16 JNZ SHORT iTunes2.007172FC ; NOP out this line of code
.
.
.
007172F3 |. 84C0 TEST AL,AL
007172F5 75 2F JNZ SHORT iTunes2.00717326 ; Change JNZ to JMP
4. Search for the API "LogonUserW" and after the CMP EAX, EBX instruction change the JNZ to JMP. You can search for this API on MSDN, but it is interesting that the password appears in plaintext here.
0062FD05 . FF15 3060E200 CALL DWORD PTR DS:[<&ADVAPI32.LogonUserW>; ADVAPI32.LogonUserW
0062FD0B . 3BC3 CMP EAX,EBX
0062FD0D 75 2F JNZ SHORT iTunes2.0062FD3E ; Change JNZ to JMP
0062FD0F . FF15 D465E200 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; [GetLastError
5. Save file.
The MD5 hash that I got for the patched file is 74721636e344bfe16d2a7860c82b7e7f
To unlock the parental controls, you type in an administrator account and any random password. Before the patch, one must know the correct password to lock/unlock the parental controls.
CAVEAT - In order for this bypass to be successful, one needs access to an administrator account to replace the original executable in the iTunes folder (which may require social engineering). It seems that the parental controls can only be bypassed if you are logged in with an account with administrator privileges. I tried bypassing it from a limited account and it did not work. I may look into this matter later.
Filename: iTunes.exe
File MD5: 8b8ea6aff1e43b927e49228287f9711b
The antidebug features have not changed much since version 7.6.1.9. There are still the 3 IsDebuggerPresent API calls, and 1 of them terminates iTunes if it detects a debugger. I still haven't figured out how the other two are called. Anyway, it still checks for the presence of SoftICE by querying the registry.
Here is the section of code that terminates iTunes if a debugger is detected:
004FC80E |. 74 08 JE SHORT iTunes.004FC818
004FC810 |. 6A 00 PUSH 0 ; /ExitCode = 0
004FC812 |. FF15 C863E200 CALL DWORD PTR DS:[<&KERNEL32.ExitProces>; \ExitProcess
004FC818 |> 8935 E0AB0701 MOV DWORD PTR DS:[107ABE0],ESI
004FC81E |> 5E POP ESI
004FC81F \. C3 RETN
To get around this, just change JE SHORT iTunes.004FC818 to JMP SHORT iTunes.004FC818 and save the file or you can use a plug in to hide Ollydbg from this type of detection technique. Anyway, it looks like iTunes couldn't care less whether it was patched, since I was able to run the patched executable. Anyway, I was looking over iTunes to see what I can do with it and I found out a way to bypass the parental controls password check, however there is a catch (which I will explain later). Three jumps must be patched in order for this to work. I will list my method below in order for others to reproduce:
1. Search for the text "ParentalAuthDialog" and scroll down to see the code below.
2. NOP out the JNZ Short after the two loops.
3. After TEST AL, AL change JNZ to JMP
00717240 |. 68 2CA3E700 PUSH iTunes2.00E7A32C ; UNICODE "ParentalAuthDialog"
00717245 |. E8 1660D0FF CALL iTunes2.0041D260
0071724A |. 83C4 0C ADD ESP,0C
0071724D |. 66:3D 6500 CMP AX,65
.
. Boring code edited out
.
.
007172C0 |> C600 00 /MOV BYTE PTR DS:[EAX],0 ; Loop Begin
007172C3 |. 83C0 01 |ADD EAX,1 ; Body
007172C6 |. 83E9 01 |SUB ECX,1 ; Body
007172C9 |.^75 F5 \JNZ SHORT iTunes2.007172C0 ; Loop Condition
.
.
007172D7 |> C600 00 /MOV BYTE PTR DS:[EAX],0 ; Loop Begin
007172DA |. 83C0 01 |ADD EAX,1 ; Body
007172DD |. 83E9 01 |SUB ECX,1 ; Body
007172E0 |.^75 F5 \JNZ SHORT iTunes2.007172D7 ; Loop Condition
007172E2 |. 3BF7 CMP ESI,EDI
007172E4 75 16 JNZ SHORT iTunes2.007172FC ; NOP out this line of code
.
.
.
007172F3 |. 84C0 TEST AL,AL
007172F5 75 2F JNZ SHORT iTunes2.00717326 ; Change JNZ to JMP
4. Search for the API "LogonUserW" and after the CMP EAX, EBX instruction change the JNZ to JMP. You can search for this API on MSDN, but it is interesting that the password appears in plaintext here.
0062FD05 . FF15 3060E200 CALL DWORD PTR DS:[<&ADVAPI32.LogonUserW>; ADVAPI32.LogonUserW
0062FD0B . 3BC3 CMP EAX,EBX
0062FD0D 75 2F JNZ SHORT iTunes2.0062FD3E ; Change JNZ to JMP
0062FD0F . FF15 D465E200 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; [GetLastError
5. Save file.
The MD5 hash that I got for the patched file is 74721636e344bfe16d2a7860c82b7e7f
To unlock the parental controls, you type in an administrator account and any random password. Before the patch, one must know the correct password to lock/unlock the parental controls.
CAVEAT - In order for this bypass to be successful, one needs access to an administrator account to replace the original executable in the iTunes folder (which may require social engineering). It seems that the parental controls can only be bypassed if you are logged in with an account with administrator privileges. I tried bypassing it from a limited account and it did not work. I may look into this matter later.
Labels:
Apple,
check,
IsDebuggerPresent,
Itunes,
Parental Controls,
password,
patch
27 August 2008
Numbers generated with Collatz Conjecture Calculator
Okay so I couldn't help it but I ended up testing 9,223,372,036,854,775,807 and it worked, sort of. It looks like there is a problem with the number ending with 7. When I input the number ending with the 6 then it generates the rest as normal. 27670116110564327422 is supposed to come after the number ending with the 7, since that number is odd and so has to be put through the equation 3n+1. The value that appears instead, 9223372036854775806, is exactly 27670116110564327422 minus 2^64, which is consistent with the calculator's arithmetic wrapping around at 64 bits. Here is the list it generated:
9223372036854775807, 9223372036854775806, 4611686018427387903, 13835058055282163
710, 6917529027641081855, 2305843009213693950, 1152921504606846975, 345876451382
0540926, 1729382256910270463, 5188146770730811390, 2594073385365405695, 77822201
56096217086, 3891110078048108543, 11673330234144325630, 5836665117072162815, 175
09995351216488446, 8754997675608244223, 7818248953115181054, 3909124476557590527
, 11727373429672771582, 5863686714836385791, 17591060144509157374, 8795530072254
578687, 7939846143054184446, 3969923071527092223, 11909769214581276670, 59548846
07290638335, 17864653821871915006, 8932326910935957503, 8350236659098320894, 417
5118329549160447, 12525354988647481342, 6262677494323740671, 341288409261670398,
170644204630835199, 511932613892505598, 255966306946252799, 767898920838758398,
383949460419379199, 1151848381258137598, 575924190629068799, 172777257188720639
8, 863886285943603199, 2591658857830809598, 1295829428915404799, 388748828674621
4398, 1943744143373107199, 5831232430119321598, 2915616215059660799, 87468486451
78982398, 4373424322589491199, 13120272967768473598, 6560136483884236799, 123366
5377943158782, 616832688971579391, 1850498066914738174, 925249033457369087, 2775
747100372107262, 1387873550186053631, 4163620650558160894, 2081810325279080447,
6245430975837241342, 3122715487918620671, 9368146463755862014, 46840732318779310
07, 14052219695633793022, 7026109847816896511, 2631585469741137918, 131579273487
0568959, 3947378204611706878, 1973689102305853439, 5921067306917560318, 29605336
53458780159, 8881600960376340478, 4440800480188170239, 13322401440564510718, 666
1200720282255359, 1536858087137214462, 768429043568607231, 2305287130705821694,
1152643565352910847, 3457930696058732542, 1728965348029366271, 51868960440880988
14, 2593448022044049407, 7780344066132148222, 3890172033066074111, 1167051609919
8222334, 5835258049599111167, 17505774148797333502, 8752887074398666751, 7811917
149486448638, 3905958574743224319, 11717875724229672958, 5858937862114836479, 17
576813586344509438, 8788406793172254719, 7918476305807212542, 395923815290360627
1, 11877714458710818814, 5938857229355409407, 17816571688066228222, 890828584403
3114111, 8278113458389790718, 4139056729194895359, 12417170187584686078, 6208585
093792343039, 179011207667477502, 89505603833738751, 268516811501216254, 1342584
05750608127, 402775217251824382, 201387608625912191, 604162825877736574, 3020814
12938868287, 906244238816604862, 453122119408302431, 1359366358224907294, 679683
179112453647, 2039049537337360942, 1019524768668680471, 3058574306006041414, 152
9287153003020707, 4587861459009062122, 2293930729504531061, 6881792188513593184,
3440896094256796592, 1720448047128398296, 860224023564199148, 43011201178209957
4, 215056005891049787, 645168017673149362, 322584008836574681, 96775202650972404
4, 483876013254862022, 241938006627431011, 725814019882293034, 36290700994114651
7, 1088721029823439552, 544360514911719776, 272180257455859888, 1360901287279299
44, 68045064363964972, 34022532181982486, 17011266090991243, 51033798272973730,
25516899136486865, 76550697409460596, 38275348704730298, 19137674352365149, 5741
3023057095448, 28706511528547724, 14353255764273862, 7176627882136931, 215298836
46410794, 10764941823205397, 32294825469616192, 16147412734808096, 8073706367404
048, 4036853183702024, 2018426591851012, 1009213295925506, 504606647962753, 1513
819943888260, 756909971944130, 378454985972065, 1135364957916196, 56768247895809
8, 283841239479049, 851523718437148, 425761859218574, 212880929609287, 638642788
827862, 319321394413931, 957964183241794, 478982091620897, 1436946274862692, 718
473137431346, 359236568715673, 1077709706147020, 538854853073510, 26942742653675
5, 808282279610266, 404141139805133, 1212423419415400, 606211709707700, 30310585
4853850, 151552927426925, 454658782280776, 227329391140388, 113664695570194, 568
32347785097, 170497043355292, 85248521677646, 42624260838823, 127872782516470, 6
3936391258235, 191809173774706, 95904586887353, 287713760662060, 143856880331030
, 71928440165515, 215785320496546, 107892660248273, 323677980744820, 16183899037
2410, 80919495186205, 242758485558616, 121379242779308, 60689621389654, 30344810
694827, 91034432084482, 45517216042241, 136551648126724, 68275824063362, 3413791
2031681, 102413736095044, 51206868047522, 25603434023761, 76810302071284, 384051
51035642, 19202575517821, 57607726553464, 28803863276732, 14401931638366, 720096
5819183, 21602897457550, 10801448728775, 32404346186326, 16202173093163, 4860651
9279490, 24303259639745, 72909778919236, 36454889459618, 18227444729809, 5468233
4189428, 27341167094714, 13670583547357, 41011750642072, 20505875321036, 1025293
7660518, 5126468830259, 15379406490778, 7689703245389, 23069109736168, 115345548
68084, 5767277434042, 2883638717021, 8650916151064, 4325458075532, 2162729037766
, 1081364518883, 3244093556650, 1622046778325, 4866140334976, 2433070167488, 121
6535083744, 608267541872, 304133770936, 152066885468, 76033442734, 38016721367,
114050164102, 57025082051, 171075246154, 85537623077, 256612869232, 128306434616
, 64153217308, 32076608654, 16038304327, 48114912982, 24057456491, 72172369474,
36086184737, 108258554212, 54129277106, 27064638553, 81193915660, 40596957830, 2
0298478915, 60895436746, 30447718373, 91343155120, 45671577560, 22835788780, 114
17894390, 5708947195, 17126841586, 8563420793, 25690262380, 12845131190, 6422565
595, 19267696786, 9633848393, 28901545180, 14450772590, 7225386295, 21676158886,
10838079443, 32514238330, 16257119165, 48771357496, 24385678748, 12192839374, 6
096419687, 18289259062, 9144629531, 27433888594, 13716944297, 41150832892, 20575
416446, 10287708223, 30863124670, 15431562335, 46294687006, 23147343503, 6944203
0510, 34721015255, 104163045766, 52081522883, 156244568650, 78122284325, 2343668
52976, 117183426488, 58591713244, 29295856622, 14647928311, 43943784934, 2197189
2467, 65915677402, 32957838701, 98873516104, 49436758052, 24718379026, 123591895
13, 37077568540, 18538784270, 9269392135, 27808176406, 13904088203, 41712264610,
20856132305, 62568396916, 31284198458, 15642099229, 46926297688, 23463148844, 1
1731574422, 5865787211, 17597361634, 8798680817, 26396042452, 13198021226, 65990
10613, 19797031840, 9898515920, 4949257960, 2474628980, 1237314490, 618657245, 1
855971736, 927985868, 463992934, 231996467, 695989402, 347994701, 1043984104, 52
1992052, 260996026, 130498013, 391494040, 195747020, 97873510, 48936755, 1468102
66, 73405133, 220215400, 110107700, 55053850, 27526925, 82580776, 41290388, 2064
5194, 10322597, 30967792, 15483896, 7741948, 3870974, 1935487, 5806462, 2903231,
8709694, 4354847, 13064542, 6532271, 19596814, 9798407, 29395222, 14697611, 440
92834, 22046417, 66139252, 33069626, 16534813, 49604440, 24802220, 12401110, 620
0555, 18601666, 9300833, 27902500, 13951250, 6975625, 20926876, 10463438, 523171
9, 15695158, 7847579, 23542738, 11771369, 35314108, 17657054, 8828527, 26485582,
13242791, 39728374, 19864187, 59592562, 29796281, 89388844, 44694422, 22347211,
67041634, 33520817, 100562452, 50281226, 25140613, 75421840, 37710920, 18855460
, 9427730, 4713865, 14141596, 7070798, 3535399, 10606198, 5303099, 15909298, 795
4649, 23863948, 11931974, 5965987, 17897962, 8948981, 26846944, 13423472, 671173
6, 3355868, 1677934, 838967, 2516902, 1258451, 3775354, 1887677, 5663032, 283151
6, 1415758, 707879, 2123638, 1061819, 3185458, 1592729, 4778188, 2389094, 119454
7, 3583642, 1791821, 5375464, 2687732, 1343866, 671933, 2015800, 1007900, 503950
, 251975, 755926, 377963, 1133890, 566945, 1700836, 850418, 425209, 1275628, 637
814, 318907, 956722, 478361, 1435084, 717542, 358771, 1076314, 538157, 1614472,
807236, 403618, 201809, 605428, 302714, 151357, 454072, 227036, 113518, 56759, 1
70278, 85139, 255418, 127709, 383128, 191564, 95782, 47891, 143674, 71837, 21551
2, 107756, 53878, 26939, 80818, 40409, 121228, 60614, 30307, 90922, 45461, 13638
4, 68192, 34096, 17048, 8524, 4262, 2131, 6394, 3197, 9592, 4796, 2398, 1199, 35
98, 1799, 5398, 2699, 8098, 4049, 12148, 6074, 3037, 9112, 4556, 2278, 1139, 341
8, 1709, 5128, 2564, 1282, 641, 1924, 962, 481, 1444, 722, 361, 1084, 542, 271,
814, 407, 1222, 611, 1834, 917, 2752, 1376, 688, 344, 172, 86, 43, 130, 65, 196,
98, 49, 148, 74, 37, 112, 56, 28, 14, 7, 22, 11, 34, 17, 52, 26, 13, 40, 20, 10
, 5, 16, 8, 4, 2, 1
9223372036854775807, 9223372036854775806, 4611686018427387903, 13835058055282163
710, 6917529027641081855, 2305843009213693950, 1152921504606846975, 345876451382
0540926, 1729382256910270463, 5188146770730811390, 2594073385365405695, 77822201
56096217086, 3891110078048108543, 11673330234144325630, 5836665117072162815, 175
09995351216488446, 8754997675608244223, 7818248953115181054, 3909124476557590527
, 11727373429672771582, 5863686714836385791, 17591060144509157374, 8795530072254
578687, 7939846143054184446, 3969923071527092223, 11909769214581276670, 59548846
07290638335, 17864653821871915006, 8932326910935957503, 8350236659098320894, 417
5118329549160447, 12525354988647481342, 6262677494323740671, 341288409261670398,
170644204630835199, 511932613892505598, 255966306946252799, 767898920838758398,
383949460419379199, 1151848381258137598, 575924190629068799, 172777257188720639
8, 863886285943603199, 2591658857830809598, 1295829428915404799, 388748828674621
4398, 1943744143373107199, 5831232430119321598, 2915616215059660799, 87468486451
78982398, 4373424322589491199, 13120272967768473598, 6560136483884236799, 123366
5377943158782, 616832688971579391, 1850498066914738174, 925249033457369087, 2775
747100372107262, 1387873550186053631, 4163620650558160894, 2081810325279080447,
6245430975837241342, 3122715487918620671, 9368146463755862014, 46840732318779310
07, 14052219695633793022, 7026109847816896511, 2631585469741137918, 131579273487
0568959, 3947378204611706878, 1973689102305853439, 5921067306917560318, 29605336
53458780159, 8881600960376340478, 4440800480188170239, 13322401440564510718, 666
1200720282255359, 1536858087137214462, 768429043568607231, 2305287130705821694,
1152643565352910847, 3457930696058732542, 1728965348029366271, 51868960440880988
14, 2593448022044049407, 7780344066132148222, 3890172033066074111, 1167051609919
8222334, 5835258049599111167, 17505774148797333502, 8752887074398666751, 7811917
149486448638, 3905958574743224319, 11717875724229672958, 5858937862114836479, 17
576813586344509438, 8788406793172254719, 7918476305807212542, 395923815290360627
1, 11877714458710818814, 5938857229355409407, 17816571688066228222, 890828584403
3114111, 8278113458389790718, 4139056729194895359, 12417170187584686078, 6208585
093792343039, 179011207667477502, 89505603833738751, 268516811501216254, 1342584
05750608127, 402775217251824382, 201387608625912191, 604162825877736574, 3020814
12938868287, 906244238816604862, 453122119408302431, 1359366358224907294, 679683
179112453647, 2039049537337360942, 1019524768668680471, 3058574306006041414, 152
9287153003020707, 4587861459009062122, 2293930729504531061, 6881792188513593184,
3440896094256796592, 1720448047128398296, 860224023564199148, 43011201178209957
4, 215056005891049787, 645168017673149362, 322584008836574681, 96775202650972404
4, 483876013254862022, 241938006627431011, 725814019882293034, 36290700994114651
7, 1088721029823439552, 544360514911719776, 272180257455859888, 1360901287279299
44, 68045064363964972, 34022532181982486, 17011266090991243, 51033798272973730,
25516899136486865, 76550697409460596, 38275348704730298, 19137674352365149, 5741
3023057095448, 28706511528547724, 14353255764273862, 7176627882136931, 215298836
46410794, 10764941823205397, 32294825469616192, 16147412734808096, 8073706367404
048, 4036853183702024, 2018426591851012, 1009213295925506, 504606647962753, 1513
819943888260, 756909971944130, 378454985972065, 1135364957916196, 56768247895809
8, 283841239479049, 851523718437148, 425761859218574, 212880929609287, 638642788
827862, 319321394413931, 957964183241794, 478982091620897, 1436946274862692, 718
473137431346, 359236568715673, 1077709706147020, 538854853073510, 26942742653675
5, 808282279610266, 404141139805133, 1212423419415400, 606211709707700, 30310585
4853850, 151552927426925, 454658782280776, 227329391140388, 113664695570194, 568
32347785097, 170497043355292, 85248521677646, 42624260838823, 127872782516470, 6
3936391258235, 191809173774706, 95904586887353, 287713760662060, 143856880331030
, 71928440165515, 215785320496546, 107892660248273, 323677980744820, 16183899037
2410, 80919495186205, 242758485558616, 121379242779308, 60689621389654, 30344810
694827, 91034432084482, 45517216042241, 136551648126724, 68275824063362, 3413791
2031681, 102413736095044, 51206868047522, 25603434023761, 76810302071284, 384051
51035642, 19202575517821, 57607726553464, 28803863276732, 14401931638366, 720096
5819183, 21602897457550, 10801448728775, 32404346186326, 16202173093163, 4860651
9279490, 24303259639745, 72909778919236, 36454889459618, 18227444729809, 5468233
4189428, 27341167094714, 13670583547357, 41011750642072, 20505875321036, 1025293
7660518, 5126468830259, 15379406490778, 7689703245389, 23069109736168, 115345548
68084, 5767277434042, 2883638717021, 8650916151064, 4325458075532, 2162729037766
, 1081364518883, 3244093556650, 1622046778325, 4866140334976, 2433070167488, 121
6535083744, 608267541872, 304133770936, 152066885468, 76033442734, 38016721367,
114050164102, 57025082051, 171075246154, 85537623077, 256612869232, 128306434616
, 64153217308, 32076608654, 16038304327, 48114912982, 24057456491, 72172369474,
36086184737, 108258554212, 54129277106, 27064638553, 81193915660, 40596957830, 2
0298478915, 60895436746, 30447718373, 91343155120, 45671577560, 22835788780, 114
17894390, 5708947195, 17126841586, 8563420793, 25690262380, 12845131190, 6422565
595, 19267696786, 9633848393, 28901545180, 14450772590, 7225386295, 21676158886,
10838079443, 32514238330, 16257119165, 48771357496, 24385678748, 12192839374, 6
096419687, 18289259062, 9144629531, 27433888594, 13716944297, 41150832892, 20575
416446, 10287708223, 30863124670, 15431562335, 46294687006, 23147343503, 6944203
0510, 34721015255, 104163045766, 52081522883, 156244568650, 78122284325, 2343668
52976, 117183426488, 58591713244, 29295856622, 14647928311, 43943784934, 2197189
2467, 65915677402, 32957838701, 98873516104, 49436758052, 24718379026, 123591895
13, 37077568540, 18538784270, 9269392135, 27808176406, 13904088203, 41712264610,
20856132305, 62568396916, 31284198458, 15642099229, 46926297688, 23463148844, 1
1731574422, 5865787211, 17597361634, 8798680817, 26396042452, 13198021226, 65990
10613, 19797031840, 9898515920, 4949257960, 2474628980, 1237314490, 618657245, 1
855971736, 927985868, 463992934, 231996467, 695989402, 347994701, 1043984104, 52
1992052, 260996026, 130498013, 391494040, 195747020, 97873510, 48936755, 1468102
66, 73405133, 220215400, 110107700, 55053850, 27526925, 82580776, 41290388, 2064
5194, 10322597, 30967792, 15483896, 7741948, 3870974, 1935487, 5806462, 2903231,
8709694, 4354847, 13064542, 6532271, 19596814, 9798407, 29395222, 14697611, 440
92834, 22046417, 66139252, 33069626, 16534813, 49604440, 24802220, 12401110, 620
0555, 18601666, 9300833, 27902500, 13951250, 6975625, 20926876, 10463438, 523171
9, 15695158, 7847579, 23542738, 11771369, 35314108, 17657054, 8828527, 26485582,
13242791, 39728374, 19864187, 59592562, 29796281, 89388844, 44694422, 22347211,
67041634, 33520817, 100562452, 50281226, 25140613, 75421840, 37710920, 18855460
, 9427730, 4713865, 14141596, 7070798, 3535399, 10606198, 5303099, 15909298, 795
4649, 23863948, 11931974, 5965987, 17897962, 8948981, 26846944, 13423472, 671173
6, 3355868, 1677934, 838967, 2516902, 1258451, 3775354, 1887677, 5663032, 283151
6, 1415758, 707879, 2123638, 1061819, 3185458, 1592729, 4778188, 2389094, 119454
7, 3583642, 1791821, 5375464, 2687732, 1343866, 671933, 2015800, 1007900, 503950
, 251975, 755926, 377963, 1133890, 566945, 1700836, 850418, 425209, 1275628, 637
814, 318907, 956722, 478361, 1435084, 717542, 358771, 1076314, 538157, 1614472,
807236, 403618, 201809, 605428, 302714, 151357, 454072, 227036, 113518, 56759, 1
70278, 85139, 255418, 127709, 383128, 191564, 95782, 47891, 143674, 71837, 21551
2, 107756, 53878, 26939, 80818, 40409, 121228, 60614, 30307, 90922, 45461, 13638
4, 68192, 34096, 17048, 8524, 4262, 2131, 6394, 3197, 9592, 4796, 2398, 1199, 35
98, 1799, 5398, 2699, 8098, 4049, 12148, 6074, 3037, 9112, 4556, 2278, 1139, 341
8, 1709, 5128, 2564, 1282, 641, 1924, 962, 481, 1444, 722, 361, 1084, 542, 271,
814, 407, 1222, 611, 1834, 917, 2752, 1376, 688, 344, 172, 86, 43, 130, 65, 196,
98, 49, 148, 74, 37, 112, 56, 28, 14, 7, 22, 11, 34, 17, 52, 26, 13, 40, 20, 10
, 5, 16, 8, 4, 2, 1
Collatz Conjecture Calculator
I am taking a discrete mathematics course and, just for fun, I decided to code a program that calculates and displays the sequence of numbers generated from an integer the user enters. I couldn't believe it myself, but the numbers I put in all ended up going to 1. I tested using numbers as large as 2,147,483,647 and it did not give my computer any trouble in calculating. I am pretty sure it can use larger numbers since I coded it to store the number in an "unsigned __int64". Anyway, here is the code:
#include "stdafx.h"
#include <iostream>
using namespace std;
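// Reads a starting value and prints its Collatz sequence (halve when even,
// 3n+1 when odd) until the value reaches 1.
// Returns 0 when the sequence reaches 1, 1 when the input is rejected or a
// step would not fit in 64 bits.
int main()
{
    // Largest value the 64-bit counter can hold (all bits set).
    const unsigned __int64 limit = static_cast<unsigned __int64>(-1);
    unsigned __int64 n;
    cout << "Collatz Conjecture Calculator v1.0\n";
    cout << "Enter an integer greater than 1: ";
    // Reject unreadable input and 0: with n == 0 the even branch keeps
    // producing 0, so the loop below would never terminate.
    if (!(cin >> n) || n == 0)
    {
        cout << "Invalid input.\n";
        return 1;
    }
    cout << n << ", ";
    while (n != 1)
    {
        if (n % 2 == 0)
        {
            n = n / 2;
        }
        else
        {
            // Unsigned arithmetic wraps modulo 2^64 without any error, so an
            // unchecked 3 * n + 1 would silently continue with a wrong value.
            if (n > (limit - 1) / 3)
            {
                cout << "\nOverflow: the next value does not fit in 64 bits.\n";
                return 1;
            }
            n = 3 * n + 1;
        }
        cout << n << ", ";
    }
    return 0;
}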
18 July 2008
Winzip 7.0 SR-1 Keygen with both algorithms
*Note* The keys generated from the code below have been tested to work up to Winzip 8.1 SR-1 (5266). Beyond that, they used another algorithm that I don't have experience in reversing.
// keygen.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <stdio.h>
#include <iso646.h>
#include <iostream>
#include <string>
#include <vector>
using namespace std;
// Derives a registration serial from a name and prints it to stdout.
//   a - name characters; only the first b are read, no terminator is needed
//   b - number of characters of a to process
//   c - output form: 1 prints the hex form ("Algorithm #1"), 2 prints the
//       decimal form ("Algorithm #2"); any other value prints nothing
// Both halves of the serial depend only on the name and on fixed constants:
// no secret key enters the computation, so whoever recovers this routine can
// recompute any serial.
// NOTE(review): a licence check that needs forgery resistance would verify a
// signature over the name rather than recompute a checksum of it.
void algorithm(char a[256], int b, int c)
{
//Algorithm that generates the serial's FIRST 4 digits
// The three unsigned 16-bit locals wrap modulo 65536 on every assignment.
// Names presumably mirror the x86 registers of the routine this was derived
// from - not verifiable from this file.
unsigned __int16 EAX = 0;
unsigned __int16 ESI = 0;
unsigned __int16 ECX = 0;
int EDX;
int name_length = b;
for(int i = 0; i < name_length; i++)
{
// Character moved into the high byte of the 16-bit working value.
// NOTE(review): char may be signed, so bytes above 0x7F would be negative
// before the multiply.
ECX = a[i] * 256;
// Eight rounds per character, one per bit.
EDX = 8;
do
{
ESI = ECX;
// `xor` is the operator spelling supplied by <iso646.h>.
ESI = ESI xor EAX;
// NOTE(review): shift-left with a conditional xor of 4129 (0x1021) looks like
// a bitwise CRC-16; `<=` sends a value of exactly 32768 down the no-xor
// branch, which a plain top-bit test would not do.
if(ESI <= 32768)
{
EAX = 2 * EAX;
ECX = 2 * ECX;
EDX--;
}
else
{
EAX = EAX + EAX;
EAX = EAX xor 4129;
ECX = ECX * 2;
EDX--;
}
}
while(EDX > 0);
}
// Fixed offset added to the checksum, still truncated to 16 bits.
EAX = EAX + 99;
//Algorithm that generates the serial's LAST four digits
// Position-weighted sum of the characters; index 0 has weight 0, so the first
// character does not contribute.
int EDI = 0;
for(int i = 0; i < name_length; i++)
{
EDI = EDI + (a[i] * i);
}
//Displays serial generated
if (c == 1)
{
//cout << '\n';
// Two hex fields of at least four digits each; EDI is an int, so its field
// is not limited to four digits.
printf("Algorithm #1 Serial: %.4X" "%.4X",EAX,EDI);
}
else if (c == 2)
{
//Combines first and last parts of the serial number together
int first = 0;
int serial = 0;
first = EAX * 10000;
serial = first + EDI;
//Displays the serial number generated
if (serial > 99999999) //if the serial number is greater 8 digits
{
serial = serial / 10; // then divide it by 10 to make it 8 digits
}
cout << '\n';
// serial is a signed int but is printed with %u.
printf("Algorithm #2 Serial: %u", serial);
}
}
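// Prompts for the name to register, reads one line from stdin and prints both
// serial forms: algorithm #1 on the name as typed, algorithm #2 on its
// lowercase copy.
void Name()
{
    char name[256];
    char name_lowercase[256];
    int name_length = 0;
    //Asks for the name that is to be registered
    cout << "Name: ";
    // NOTE(review): fflush on an input stream is undefined in standard C. It is
    // kept because main() leaves a newline pending after `cin >> a`, and this
    // call is presumably what discards it on the CRT this was written for.
    fflush( stdin );
    // Bounded read: gets() has no length limit, so a line longer than the
    // buffer would be written past the end of `name` on the stack. fgets stores
    // at most sizeof(name) - 1 characters plus the terminator.
    if (fgets(name, sizeof(name), stdin) == NULL)
    {
        name[0] = '\0'; // EOF or read error: treat as an empty name
    }
    name_length = static_cast<int>(strlen(name));
    if (name_length > 0 && name[name_length - 1] == '\n')
    {
        // fgets keeps the line terminator that gets() used to drop.
        name[--name_length] = '\0';
    }
    else if (name_length == static_cast<int>(sizeof(name)) - 1)
    {
        // The line was truncated: discard its tail so it is not taken as the
        // answer to the next prompt.
        int ch;
        while ((ch = getchar()) != '\n' && ch != EOF)
        {
        }
    }
    //Converts and saves the name to lowercase
    for(int i = 0; i < name_length; i++)
    {
        // tolower requires a value representable as unsigned char (or EOF);
        // passing a negative char is undefined behaviour.
        name_lowercase[i] = static_cast<char>(tolower(static_cast<unsigned char>(name[i])));
    }
    // name_length is at most 255 here, so the terminator always fits.
    name_lowercase[name_length] = '\0';
    algorithm(name,name_length, 1);
    algorithm(name_lowercase,name_length, 2);
}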
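// Entry point: prints the banner, produces one pair of serials, then keeps
// offering another run until the answer is anything other than 1.
int main()
{
    cout << "Winzip 7.0 SR-1 Keygen\nEither serial from algorithm #1 or 2 can be used to register this program.\n";
    int a = 0;
    Name();
    for (;;)
    {
        cout << "\n\nGenerate another one? (yes=1/no=0)\n";
        // Stop on EOF or unparsable input as well as on any answer but 1: a
        // failed extraction can leave `a` at its previous value, which would
        // repeat the loop forever once the user has answered 1.
        if (!(cin >> a) || a != 1)
        {
            break;
        }
        Name();
    }
    return 0;
}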
// keygen.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <stdio.h>
#include <iso646.h>
#include <iostream>
#include <string>
#include <vector>
using namespace std;
// Derives a registration serial from a name and prints it to stdout.
//   a - name characters; only the first b are read, no terminator is needed
//   b - number of characters of a to process
//   c - output form: 1 prints the hex form ("Algorithm #1"), 2 prints the
//       decimal form ("Algorithm #2"); any other value prints nothing
// Both halves of the serial depend only on the name and on fixed constants:
// no secret key enters the computation, so whoever recovers this routine can
// recompute any serial.
// NOTE(review): a licence check that needs forgery resistance would verify a
// signature over the name rather than recompute a checksum of it.
void algorithm(char a[256], int b, int c)
{
//Algorithm that generates the serial's FIRST 4 digits
// The three unsigned 16-bit locals wrap modulo 65536 on every assignment.
// Names presumably mirror the x86 registers of the routine this was derived
// from - not verifiable from this file.
unsigned __int16 EAX = 0;
unsigned __int16 ESI = 0;
unsigned __int16 ECX = 0;
int EDX;
int name_length = b;
for(int i = 0; i < name_length; i++)
{
// Character moved into the high byte of the 16-bit working value.
// NOTE(review): char may be signed, so bytes above 0x7F would be negative
// before the multiply.
ECX = a[i] * 256;
// Eight rounds per character, one per bit.
EDX = 8;
do
{
ESI = ECX;
// `xor` is the operator spelling supplied by <iso646.h>.
ESI = ESI xor EAX;
// NOTE(review): shift-left with a conditional xor of 4129 (0x1021) looks like
// a bitwise CRC-16; `<=` sends a value of exactly 32768 down the no-xor
// branch, which a plain top-bit test would not do.
if(ESI <= 32768)
{
EAX = 2 * EAX;
ECX = 2 * ECX;
EDX--;
}
else
{
EAX = EAX + EAX;
EAX = EAX xor 4129;
ECX = ECX * 2;
EDX--;
}
}
while(EDX > 0);
}
// Fixed offset added to the checksum, still truncated to 16 bits.
EAX = EAX + 99;
//Algorithm that generates the serial's LAST four digits
// Position-weighted sum of the characters; index 0 has weight 0, so the first
// character does not contribute.
int EDI = 0;
for(int i = 0; i < name_length; i++)
{
EDI = EDI + (a[i] * i);
}
//Displays serial generated
if (c == 1)
{
//cout << '\n';
// Two hex fields of at least four digits each; EDI is an int, so its field
// is not limited to four digits.
printf("Algorithm #1 Serial: %.4X" "%.4X",EAX,EDI);
}
else if (c == 2)
{
//Combines first and last parts of the serial number together
int first = 0;
int serial = 0;
first = EAX * 10000;
serial = first + EDI;
//Displays the serial number generated
if (serial > 99999999) //if the serial number is greater 8 digits
{
serial = serial / 10; // then divide it by 10 to make it 8 digits
}
cout << '\n';
// serial is a signed int but is printed with %u.
printf("Algorithm #2 Serial: %u", serial);
}
}
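// Prompts for the name to register, reads one line from stdin and prints both
// serial forms: algorithm #1 on the name as typed, algorithm #2 on its
// lowercase copy.
void Name()
{
    char name[256];
    char name_lowercase[256];
    int name_length = 0;
    //Asks for the name that is to be registered
    cout << "Name: ";
    // NOTE(review): fflush on an input stream is undefined in standard C. It is
    // kept because main() leaves a newline pending after `cin >> a`, and this
    // call is presumably what discards it on the CRT this was written for.
    fflush( stdin );
    // Bounded read: gets() has no length limit, so a line longer than the
    // buffer would be written past the end of `name` on the stack. fgets stores
    // at most sizeof(name) - 1 characters plus the terminator.
    if (fgets(name, sizeof(name), stdin) == NULL)
    {
        name[0] = '\0'; // EOF or read error: treat as an empty name
    }
    name_length = static_cast<int>(strlen(name));
    if (name_length > 0 && name[name_length - 1] == '\n')
    {
        // fgets keeps the line terminator that gets() used to drop.
        name[--name_length] = '\0';
    }
    else if (name_length == static_cast<int>(sizeof(name)) - 1)
    {
        // The line was truncated: discard its tail so it is not taken as the
        // answer to the next prompt.
        int ch;
        while ((ch = getchar()) != '\n' && ch != EOF)
        {
        }
    }
    //Converts and saves the name to lowercase
    for(int i = 0; i < name_length; i++)
    {
        // tolower requires a value representable as unsigned char (or EOF);
        // passing a negative char is undefined behaviour.
        name_lowercase[i] = static_cast<char>(tolower(static_cast<unsigned char>(name[i])));
    }
    // name_length is at most 255 here, so the terminator always fits.
    name_lowercase[name_length] = '\0';
    algorithm(name,name_length, 1);
    algorithm(name_lowercase,name_length, 2);
}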
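// Entry point: prints the banner, produces one pair of serials, then keeps
// offering another run until the answer is anything other than 1.
int main()
{
    cout << "Winzip 7.0 SR-1 Keygen\nEither serial from algorithm #1 or 2 can be used to register this program.\n";
    int a = 0;
    Name();
    for (;;)
    {
        cout << "\n\nGenerate another one? (yes=1/no=0)\n";
        // Stop on EOF or unparsable input as well as on any answer but 1: a
        // failed extraction can leave `a` at its previous value, which would
        // repeat the loop forever once the user has answered 1.
        if (!(cin >> a) || a != 1)
        {
            break;
        }
        Name();
    }
    return 0;
}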
Winzip 2nd Algorithm C++ source
// kg_2.cpp : Defines the entry point for the console application.
#include "stdafx.h"
#include <stdio.h>
#include <iso646.h>
#include <iostream>
#include <string>
#include <vector>
using namespace std;
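// Single-function variant: reads a name, lowercases it in place and prints the
// decimal serial derived from it. The serial depends only on the name and on
// fixed constants; no secret key is involved.
int main()
{
    char name[256];
    int name_length;
    cout << "Winzip 7.0 SR-1 Keygen v2.0\n";
    //Request for name to be registered
    cout << "Name: ";
    // Bounded read: gets() has no length limit, so a line longer than the
    // buffer would be written past the end of `name` on the stack. fgets stores
    // at most sizeof(name) - 1 characters plus the terminator.
    if (fgets(name, sizeof(name), stdin) == NULL)
    {
        name[0] = '\0'; // EOF or read error: treat as an empty name
    }
    name_length = static_cast<int>(strlen(name));
    if (name_length > 0 && name[name_length - 1] == '\n')
    {
        // fgets keeps the line terminator that gets() used to drop.
        name[--name_length] = '\0';
    }
    //Converts name into lowercase
    for(int i = 0; i < name_length; i++)
    {
        // tolower requires a value representable as unsigned char (or EOF);
        // passing a negative char is undefined behaviour.
        name[i] = static_cast<char>(tolower(static_cast<unsigned char>(name[i])));
    }
    //Algorithm that generates the serial's FIRST 4 digits
    // The three unsigned 16-bit locals wrap modulo 65536 on every assignment.
    unsigned __int16 EAX = 0;
    unsigned __int16 ESI = 0;
    unsigned __int16 ECX = 0;
    int EDX;
    for(int i = 0; i < name_length; i++)
    {
        // Character moved into the high byte of the 16-bit working value.
        ECX = name[i] * 256;
        // Eight rounds per character, one per bit.
        EDX = 8;
        do
        {
            ESI = ECX;
            ESI = ESI xor EAX;
            // NOTE(review): shift-left with a conditional xor of 4129 (0x1021)
            // looks like a bitwise CRC-16; `<=` sends a value of exactly 32768
            // down the no-xor branch.
            if(ESI <= 32768)
            {
                EAX = 2 * EAX;
                ECX = 2 * ECX;
                EDX--;
            }
            else
            {
                EAX = EAX + EAX;
                EAX = EAX xor 4129;
                ECX = ECX * 2;
                EDX--;
            }
        }
        while(EDX > 0);
    }
    EAX = EAX + 99;
    //Algorithm that generates the serial's LAST four digits
    // Position-weighted sum of the characters; index 0 has weight 0.
    int EDI = 0;
    for(int i = 0; i < name_length; i++)
    {
        EDI = EDI + (name[i] * i);
    }
    //Combines first and last parts of the serial number together
    int first = 0;
    int serial = 0;
    first = EAX * 10000;
    serial = first + EDI;
    //Displays the serial number generated
    if (serial > 99999999) //if the serial number is greater 8 digits
    {
        serial = serial / 10; // then divide it by 10 to make it 8 digits
    }
    // serial is a signed int but is printed with %u (unchanged from the original).
    printf("Serial: %u", serial);
    return 0;
}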
#include "stdafx.h"
#include <stdio.h>
#include <iso646.h>
#include <iostream>
#include <string>
#include <vector>
using namespace std;
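// Single-function variant: reads a name, lowercases it in place and prints the
// decimal serial derived from it. The serial depends only on the name and on
// fixed constants; no secret key is involved.
int main()
{
    char name[256];
    int name_length;
    cout << "Winzip 7.0 SR-1 Keygen v2.0\n";
    //Request for name to be registered
    cout << "Name: ";
    // Bounded read: gets() has no length limit, so a line longer than the
    // buffer would be written past the end of `name` on the stack. fgets stores
    // at most sizeof(name) - 1 characters plus the terminator.
    if (fgets(name, sizeof(name), stdin) == NULL)
    {
        name[0] = '\0'; // EOF or read error: treat as an empty name
    }
    name_length = static_cast<int>(strlen(name));
    if (name_length > 0 && name[name_length - 1] == '\n')
    {
        // fgets keeps the line terminator that gets() used to drop.
        name[--name_length] = '\0';
    }
    //Converts name into lowercase
    for(int i = 0; i < name_length; i++)
    {
        // tolower requires a value representable as unsigned char (or EOF);
        // passing a negative char is undefined behaviour.
        name[i] = static_cast<char>(tolower(static_cast<unsigned char>(name[i])));
    }
    //Algorithm that generates the serial's FIRST 4 digits
    // The three unsigned 16-bit locals wrap modulo 65536 on every assignment.
    unsigned __int16 EAX = 0;
    unsigned __int16 ESI = 0;
    unsigned __int16 ECX = 0;
    int EDX;
    for(int i = 0; i < name_length; i++)
    {
        // Character moved into the high byte of the 16-bit working value.
        ECX = name[i] * 256;
        // Eight rounds per character, one per bit.
        EDX = 8;
        do
        {
            ESI = ECX;
            ESI = ESI xor EAX;
            // NOTE(review): shift-left with a conditional xor of 4129 (0x1021)
            // looks like a bitwise CRC-16; `<=` sends a value of exactly 32768
            // down the no-xor branch.
            if(ESI <= 32768)
            {
                EAX = 2 * EAX;
                ECX = 2 * ECX;
                EDX--;
            }
            else
            {
                EAX = EAX + EAX;
                EAX = EAX xor 4129;
                ECX = ECX * 2;
                EDX--;
            }
        }
        while(EDX > 0);
    }
    EAX = EAX + 99;
    //Algorithm that generates the serial's LAST four digits
    // Position-weighted sum of the characters; index 0 has weight 0.
    int EDI = 0;
    for(int i = 0; i < name_length; i++)
    {
        EDI = EDI + (name[i] * i);
    }
    //Combines first and last parts of the serial number together
    int first = 0;
    int serial = 0;
    first = EAX * 10000;
    serial = first + EDI;
    //Displays the serial number generated
    if (serial > 99999999) //if the serial number is greater 8 digits
    {
        serial = serial / 10; // then divide it by 10 to make it 8 digits
    }
    // serial is a signed int but is printed with %u (unchanged from the original).
    printf("Serial: %u", serial);
    return 0;
}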