Reverse engineering software

Reverse Engineering Starcraft - Getting it to run in Ollydbg

2010-02-26T14:53:00.000-08:00

Reverse Engineering Starcraft - Getting it to run in Ollydbg

This is for the newer Starcraft on CD that requires a 26 digit key.

Hash of “StarCraft (Windows).exe” – the file on the CD
MD5 = 2833bac84adaa0dc1350614883d3440e
SHA1 = 3f15b9fd0ebd1ac2840bb01aa9eb2bd2baf5332e

Hash of “Installer.exe” – the file created in the temporary directory
MD5 = 05b29444d4649f2a709cc1b5c23490cb
SHA1 = 411ffcd2bfb19e32d4fcc93b0209ad8d22796606

Performed on a Windows 7 Ultimate virtual machine running in VMware Workstation 7.0.0 build-203739 using FCIV (to generate the MD5 and SHA1 hashes), PEID (to identify if any of the files are packed), Ollydbg (live analysis), and Ida Pro 5.5 (static analysis). Microsoft Visual Studio 2008 Professional Edition version 9.0.30729.1 SP with Windows SDK v7.0 used to create and compile C++ code.

Upon running “StarCraft (Windows).exe”, it creates a folder by first using the GetTempPath() function to determine where the system’s temporary folder is. It then calls GetTickCount(). The results from the first two functions are combined together with “%sBlizzard Installer Bootstrap - %08x\” before CreateDirectory() is called. The directory created will have the name of “Blizzard Installer Bootstrap – Some_Hexadecimal_Number”. The hexadecimal number is from the GetTickCount() function (this is to make a unique directory name). Running “Installer.exe” by itself will result in an error message. Further debugging of the “StarCraft (Windows).exe” has revealed it uses CreateProcess() to run “Installer.exe” with the argument “--path=Path_to_ StarCraft (Windows).exe” before terminating itself.

To get it running in Ollydbg without the need of the CD, copy “StarCraft (Windows).exe” (from the CD), “Installer.exe” (from the temporary folder), and “Installer Tome.mpq” (from the CD; make sure you have enough disk space since it is 652MB) to the same directory of your choosing. Run Ollydbg and press F3 to get the open file window. Browse to where you copied “Installer.exe” and select it (do not click “Open” yet). At the bottom of the open file window you will see “Arguments:”. Type in: --path="Path_to_ StarCraft (Windows).exe”. With only the double quotes around the path. You can now debug Installer.exe in Ollydbg.

The source code below is just for me to better understand what is going on when “Installer.exe” is executed (yeah I know it doesn't display correctly; and ).


#include 
#include 
using namespace std;
int main()
{
DWORD bufferLength;
/* This is how the temp directory is generated */
/* To find the location of the temp directory that the process is running
just access the Windows Task Manager and right-click the 'Installer' process
and select 'Open File Location' */
bufferLength = GetTempPath(0, NULL); //Since the length of the path is unknown
TCHAR *tempPath = new TCHAR[bufferLength];
GetTempPath(bufferLength, tempPath);
DWORD tickCount = GetTickCount(); //Number of milliseconds elapsed since
//machine was started.
wprintf(L"%sBlizzard Installer Bootstrap - %08x\\", tempPath, tickCount);
//CreateDirectory()
/* This is how the new process is created */
const DWORD FILE_NAME_LENGTH = 260; //Don't know why Blizzard chose this number
TCHAR *fileName = new TCHAR[FILE_NAME_LENGTH];
GetModuleFileName(NULL, fileName, FILE_NAME_LENGTH);
wprintf(L"%sBlizzard Installer Bootstrap - %08x\\ --path=\"%s\"", tempPath, tickCount, fileName);
//CreateProcess(NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, ?, ?, GetModuleHandle())
delete [] tempPath;
delete [] fileName;
return 0;
}

Thoughts on Starcraft 26 character algorithm

2010-01-24T00:31:00.000-08:00

I was actually working on it back in December 2009 and into the first 2 weeks of January 2010. So far I figured out how to get to run in Ollydbg (frustrating at first since I was single stepping each line) and was able to get my hands on Ida Pro to enable me to visualize to what code does the conditional jump take me to (powerful software which I barely know how to use). Anyway, it looks like there are 4 functions that make up the algorithm that checks the key. I only figured out 2 of the 4. Number 3 is driving me nuts and I don't want to look at Number 4 (both are long and tedious to single step through; Yes, I am aware that Ida Pro comes with a decompiler but that is not much help). I don't know for sure but I have a feeling that the algorithm is one-way, as in you can only check the key but not generate one like the older algorithm for the 13 digit key. I will probably post my findings so far (assembly code and C++ source code) before the end of February.

Analysis of Cisco Press CCNP ISCW Test software

2010-01-24T00:25:00.000-08:00

NOTE: I heard Cisco will be changing the requirements for the CCNP and ISCW won't be needed anymore.

Analysis of Cisco Press CCNP ISCW Test software

Target:

Cisco Press CCNP ISCW Test software that came on a CD included with the book: CCNP ISCW – Official Exam Certification Guide (ISBN-13:978-1-58720-150-9; ISBN-10:1-58720-150-X). Specifically, the register.exe file located in the directory that the software has installed.

Materials and Methods:

The program was analyzed on 32-bit Windows Vista Ultimate SP2 with the latest updates using Ollydbg 1.10 and PEiD 0.95. Microsoft’s FCIV was used to generate the MD5 and SHA1 hashes.

Introduction:

After installation of the software, executing it for the first time will generate a message box that asks the user to register the CD-ROM using the “Software Registration Wizard”. Clicking “Next” will lead to a screen with a very long EULA which most people don’t read. If one actually spent the time reading it, then it is apparent that the software is restricted to a single computer and that “the User is not able to transfer the license to another computer after registration through Boson’s unique copy protection”. If one hasn’t guessed the copy protection already, it is quite obvious after moving on to the next screen. The “copy protection” requires one to enter in a 9 digit serial number that came with the disc and activate via the Internet or telephone. The activation is how Boson reinforces the EULA and prevents people who bought the book and CD used from freely using the practice tests because it was already activated. In this post, I will discuss of circumventing such draconian restrictions.

Discussion:

PEiD will reveal that register.exe is not packed and is coded in MS Visual Basic 5.0/6.0. There are 3 flaws with the copy protection in place:

1. The “Unique Serial Number” is only unique in a sense if one is to contact Boson by Internet or telephone in order to activate the software. Circumvention allows for a 9 digit random number to be entered in. This number does not have any effect on the activation key, since the key is tied to the “Computer Unique Serial Number”, which is irrelevant due to patching or serial fishing.

2. The activation key can be serial fished from memory (hint – it has 3 dashes “-“ and can be seen in memory being compared with the invalid activation key entered). If activation is successful, the activation key is stored in a file with a “key” extension located in the directory that the program is installed in. It can be opened up with Notepad or Wordpad.

3. Patching 3 conditional jumps with NOPs is all it takes to crack the software (hint – the text string “SUCCESS” should appear in two places; all one needs to do is to look at the code above where the text string appears). It will accept any activation valid/invalid key (as long as the length is greater than or equal to 5, which can also be patched but let’s keep that to a minimum. My personal rule on patching is to do the least amount of patching that gets the program cracked) or activate the program if the Internet option is chosen even though the computer is not connected. This is the best method to use if one wants to activate on multiple computers by installing the software and using the patched register.exe file.

The MD5/SHA1 hashes for the original and patched register.exe files are:

SHA1 - 4e55ed937712c56b813c516d3f255d7c549f4e35

register_crack.exe – MD5 – 5eef0d991ff0f1a6cd29a38c8f8e5eff

SHA1 - 7a7e28cf18549072ea64829cebc68d70c0239b45

Conclusion:

I believe that this program is simple and easy enough for those who are beginning to reverse engineer software to be able to circumvent Boson’s “unique copy protection”, so that is why I will not go in depth or give step-by-step instructions of how to do it (plus it will make this a shorter post to read). The circumvention and learning is left up to you.

SmartVersion 1.00 - 2.00 Keygen C++ source code

2009-02-19T10:02:00.001-08:00

//The algorithm for SmartVersion is exactly the same as the one mentioned in
//WinImage, except for the fact that differect edition constant numbers are used.

// SmartVersion Keygen.cpp
// Generates working and valid keys for all versions 1.00 - 2.00

#include "stdafx.h"
#include <iomanip>

#include <iostream>
#include <stdlib.h>
#include <string>
#include <windows.h>

using namespace std;

const int LENGTH = 256; //Size of the character arrays

//Constants used in the generation of the raw serial number.
const int THREE_HEX = 0x3;

const int SEVEN_HEX = 0x7;
const int FOURTEEN_HEX = 0x0E;

const int TWENTYSEVEN_HEX = 0x27;
const int SERIAL_HEX = 0x47694C;

//Edition constant numbers for SmartVersion 1.00.  Will register version 2.00.
const int version100[] = {      0x12091999,
                                  0x31121999,
                                  0x2062000

         };

//Edition constant numbers for SmartVersion 2.00. Will NOT register version 1.00.
const int version200[] = {          0x13062004,
                                  0x21032004,

                                  0x28032004,
                                  0x5052005,
                                  0x29052005,
                                  0x1122004
                      };

//The "semiraw_serial" is produced after the raw serial and edition
//constant number are added together.  After this function is executed
//"semiraw_serial" will contain the actual serial key.
//This function will switch the 8/B in the semiraw serial to B/8 respectively.
void processSerial(TCHAR semiraw_serial[])
{
char al;

for(unsigned int i = 0; i < wcslen(semiraw_serial); i++)
{

 al = semiraw_serial[i];

 if(al == 0x0038)
 {

  al = al + 0x000A;
 }
 else if(al == 0x0042)
 {

  al = al + 0x00F6;
 }
 semiraw_serial[i] = al;
}
}

//This function will print the serial numbers for all versions
void PrintSerial(int raw_serial)
{
TCHAR temp[LENGTH];

printf("=========================================\n");
printf("version 1.00\n");
  for (int i = 0; i < 3; i++)
  {

 wsprintf(temp, TEXT ("%lX"), raw_serial + version100[i]);

 processSerial(temp);
 wprintf(L"Registration #: %s\n", temp);
  }

printf("=========================================\n");

  printf("version 2.00\n");
  for (int i = 0; i < 6; i++)
  {

 wsprintf(temp, TEXT ("%lX"), raw_serial + version200[i]);

 processSerial(temp);
 wprintf(L"Registration #: %s\n", temp);
  }
printf("=========================================\n");
}

int main()
{
int EAX = 0;
int EBX = FOURTEEN_HEX;

int EDX = 0;
int EDI = TWENTYSEVEN_HEX;

int serial = SERIAL_HEX;
int temp;

char name[LENGTH];

//Asks the user to type in the name to register the program
//with.
 printf("SmartVersion v1.00 - 2.00 Keygen\nName:");
gets(name);

//Algorithm that generates the raw serial number from the
//specified name.  The edition constant number needs to be added
//to the raw serial before being processed.
 for(unsigned int i = 0; i < strlen(name); i++)
{

 EAX = i;
 temp = EAX;
 EAX = temp / EBX;

 EDX = temp % EBX;

 if(EDX == 0)
 {

  EDI = TWENTYSEVEN_HEX;
 }

 EDX = toupper(name[i]);

 EAX = i + THREE_HEX;
 temp = EAX;

 EDX = EDX * EDI;
 serial = serial + EDX;


 EAX = temp / FOURTEEN_HEX;
 EDX = temp % FOURTEEN_HEX;


 if(EDX == 0)
 {
  EDI = EDI * SEVEN_HEX;
 }

 else
 {
  EDI = EDI * 3;
 }
}


  //Prints the generated serial numbers
 PrintSerial(serial);

return 0;
}

Analysis of WinImage 3.00 - 8.10

2009-02-19T09:38:00.000-08:00

Analysis of WinImage

Abstract:
The target audience are those who are just getting started in reverse engineering ("cracking") programs. Though, this is not a guide that will hand-hold you through the process. Instead, I hope enough information is provided so that my work can be replicated. I assume you, the reader, have some knowledge in Intel x86
assembly, in using a debugger, and had experience with some crackmes. I will explain the process of generating the valid keys for WinImage.

Keyword(s): algorithm, cracking, keygen, Ollydbg, WinImage

Purpose:
To reverse engineer and analyze how the serial registration algorithm works in WinImage in order to construct a key generator.

Materials and methods:
Ollydbg v1.10 was used to analyze WinImage 6.00.6000 in Windows XP running as a virtual machine in VMWare Workstation. Packer detection was done using PEiD v0.95. The key generator is written in C++ and compiled with Visual Studio 2008 on a computer system running Windows Server 2008 Standard x86-64.

Discussion:
The main executable, "winimage.exe", is not packed. To register the program, go to Options->Registering and enter in a random name and registration code to get the error message. The program was then closed before being opened under Ollydbg. The error message was searched for in the "referenced text string" option but could not be found. This method did work in programs like Starcraft or Winzip 7.0 SR-1 (both mentioned in previous blog postings), but for WinImage no. One can place a breakpoint on the MessageBox api using "bp MessageBoxA" and working backwards from the error message. Another method is to place a breakpoint on the GetDlgItemText api using "bp GetDlgItemTextA". This works because the program needs a way to get the inputted name and registration number from the dialog box. From there, it is necessary to trace through the code to see where the user inputted registration code is checked against the real code. The real code will appear if you look in the registers. The function "strcmp" is used to compare the codes. This comparison is done 6 times, since the code can specify an edition and/or version. A breakpoint on wsprintf can also be done ("bp wsprintfA") and if one looks above the code, one can see the serial algorithm.

Analysis of the algorithm:
The registration code is generated from a name after going through a two step process. The first step involves converting the alphabet characters in the name to uppercase. After such conversion, the hexadecimal values of each characters are put through multiplication and division before being added to 0x47694C to get the raw serial. This raw serial is then converted to a wide character string with the function, wsprintf, before being checked to see if any characters in are '8' or 'B'. If it detects such characters, 0x000A or 0x00F6 are added respectively to the hexadecimal value of the character. After the check, the serial (will be called 'semiraw') can be used to register the program and enable the standard edition features. However, it is possible to generate 5 other keys that are able to register the program. Other keys are generated by adding the semiraw key with an "edition constant number" (can't think of a better name to call it). From testing, it seems that different edition constant numbers produce keys that enabled certain editions (standard or professional) and were valid or invalid for certain versions of the program. I searched other versions of the program and was able to find a total of 10 unique edition constant numbers (5 for standard and 5 for professional). It is possible for a key to be valid for a wide range of WinImage version 3.00 to 8.10 if one uses the right edition constant number.

//Main algorithm from WinImage 6.00.6000
0043A24E |> 8BC1 /MOV EAX,ECX
0043A250 |. 6A 0E |PUSH 0E
0043A252 |. 99 |CDQ
0043A253 |. 5B |POP EBX; EBX = 0xE
0043A254 |. F7FB |IDIV EBX
0043A256 |. 85D2 |TEST EDX,EDX
0043A258 |. 75 03 |JNZ SHORT winimage.0043A25D
0043A25A |. 6A 27 |PUSH 27
0043A25C |. 5F |POP EDI; EDI = 0x27
0043A25D |> 0FB6540E 03 |MOVZX EDX,BYTE PTR DS:[ESI+ECX+3]
0043A262 |. 8D41 03 |LEA EAX,DWORD PTR DS:[ECX+3]
0043A265 |. 0FAFD7 |IMUL EDX,EDI; EDX = EDX * EDI
0043A268 |. 0155 FC |ADD DWORD PTR SS:[EBP-4],EDX
0043A26B |. 6A 0E |PUSH 0E
0043A26D |. 99 |CDQ
0043A26E |. 5B |POP EBX; EBX = 0xE
0043A26F |. F7FB |IDIV EBX
0043A271 |. 85D2 |TEST EDX,EDX
0043A273 |. 74 05 |JE SHORT winimage.0043A27A
0043A275 |. 8D3C7F |LEA EDI,DWORD PTR DS:[EDI+EDI*2]; EDI = EDI * 3
0043A278 |. EB 03 |JMP SHORT winimage.0043A27D
0043A27A |> 6BFF 07 |IMUL EDI,EDI,7; EDI = EDI * 7
0043A27D |> 41 |INC ECX
0043A27E |. 3B4D 08 |CMP ECX,DWORD PTR SS:[EBP+8]
0043A281 |.^7C CB \JL SHORT winimage.0043A24E

//How the serial number is processed from WinImage 6.00.6000
0043A295 |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; /<%lX>
0043A298 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10] ; |
0043A29B |. 68 9CBA4400 PUSH winimage.0044BA9C ; |Format = "%lX"
0043A2A0 |. 50 PUSH EAX ; |s
0043A2A1 |. FF15 64FB4400 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; \wsprintfA
0043A2A7 |. 8A45 F0 MOV AL,BYTE PTR SS:[EBP-10]
0043A2AA |. 83C4 0C ADD ESP,0C
0043A2AD |. 84C0 TEST AL,AL
0043A2AF |. 74 1E JE SHORT winimage.0043A2CF
0043A2B1 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
0043A2B4 |. 2BCE SUB ECX,ESI
0043A2B6 |> 3C 38 /CMP AL,38
0043A2B8 |. 75 04 |JNZ SHORT winimage.0043A2BE
0043A2BA |. 04 0A |ADD AL,0A
0043A2BC |. EB 06 |JMP SHORT winimage.0043A2C4
0043A2BE |> 3C 42 |CMP AL,42
0043A2C0 |. 75 02 |JNZ SHORT winimage.0043A2C4
0043A2C2 |. 04 F6 |ADD AL,0F6
0043A2C4 |> 8806 |MOV BYTE PTR DS:[ESI],AL
0043A2C6 |. 8A4431 01 |MOV AL,BYTE PTR DS:[ECX+ESI+1]
0043A2CA |. 46 |INC ESI
0043A2CB |. 84C0 |TEST AL,AL
0043A2CD |.^75 E7 \JNZ SHORT winimage.0043A2B6

//Some of the edition constant numbers from 8.10
0041294D . 8D86 48190514 LEA EAX,DWORD PTR DS:[ESI+14051948]
0041296E . 8D86 54190617 LEA EAX,DWORD PTR DS:[ESI+17061954]
0041298F . 8D86 81190510 LEA EAX,DWORD PTR DS:[ESI+10051981]
004129AC . 8D86 95190104 LEA EAX,DWORD PTR DS:[ESI+4011995]
004129CD . 8D86 97190602 LEA EAX,DWORD PTR DS:[ESI+2061997]

Conclusion:
In my opinion, I think the level of difficulty reverse engineering this program is on par with Winzip 7.0 SR-1. The draft version of the keygen produced correct and defective registration codes for some names. After tracing, through I found out that I was dividing by the wrong number. Even after fixing that problem, the keygen was still producing some wrong codes. After more tracing, I found out that the serial numbers are processed
(as mentioned above). After figuring out how that was done, my focus was on how the other keys were generated. This involved more tracing over the code until figuring out what the edition constant numbers were. After coding the keygen, much time was spent testing and debugging it on all versions of WinImage from 3.00 to
the latest 8.10.8100. I know one can google the serial or crack for this program, but why do this and risk infecting your computer.

Keygen Source code:

// WinImage Keygen.cpp
// Generates working and valid keys for all versions 3.00 - 8.10
// of the standard and professional editions.

#include "stdafx.h"
#include <iomanip>

#include <iostream>
#include <stdlib.h>
#include <string>
#include <windows.h>

using namespace std;

const int LENGTH = 256; //Size of the character arrays

//Constants used in the generation of the raw serial number.
const int THREE_HEX = 0x3;

const int SEVEN_HEX = 0x7;
const int FOURTEEN_HEX = 0x0E;

const int TWENTYSEVEN_HEX = 0x27;
const int SERIAL_HEX = 0x47694C;

//Numbers that are added to the raw serial number before it is
//processed.  With the exception of the first one, the numbers
//are expressed in hexadecimal format.  The comments to the right
//of each of the numbers are the versions the program that the
//key generated will work on.
//The numbers will be called "edition constant numbers".
const int STANDARD_EDITION[] = {  0, //3.00 - 8.10.8100 not 
           //an edition constant number
        0x14051948, //3.00 - 8.10.8100

        0x17061954, //3.00 - 8.10.8100
        0x4011995,  //4.00.4000 - 8.10.8100
        0x21042002, //7.0.7000 - 8.10.8100 
        0x09112005, //8.0.8000 - 8.10.8100

          };

//This array is for displaying to the user the program version the
//generated key will work on.
const string SE_NOTES[] = { "3.00 - 8.10.8100", 
       "3.00 - 8.10.8100", 
       "3.00 - 8.10.8100", 
       "4.00.4000 - 8.10.8100", 
       "7.0.7000 - 8.10.8100",

       "8.0.8000 - 8.10.8100"
        };

//Numbers that are added to the raw serial number before it is
//processed.  With the exception of the first one, the numbers
//are expressed in hexadecimal format.  The comments to the right
//of each of the numbers are the versions the program that the
//key generated will work on.
//The numbers will be called "edition constant numbers".
const int PROFESSIONAL_EDITION[] = {0x10051981, //3.00 - 8.10.8100

         0x2061997,  //4.00.4000 - 8.10.8100
         0x16062004, //7.0.7000 - 8.10.8100
         0x13062004, //7.0.7000 - 8.10.8100
         0x24112005, //8.0.8000 - 8.10.8100

          };

//This array is for displaying to the user the program version the
//generated key will work on.
const string PE_NOTES[] = { "3.00 - 8.10.8100", 
       "4.00.4000 - 8.10.8100", 
       "7.0.7000 - 8.10.8100", 
       "7.0.7000 - 8.10.8100", 
       "8.0.8000 - 8.10.8100"

        };
//The "semiraw_serial" is produced after the raw serial and edition
//constant number are added together.  After this function is executed
//"semiraw_serial" will contain the actual serial key.
//This function will switch the 8/B in the semiraw serial to B/8 respectively.
void processSerial(TCHAR semiraw_serial[])
{
 char al;

 for(unsigned int i = 0; i < wcslen(semiraw_serial); i++)
 {

  al = semiraw_serial[i];

  if(al == 0x0038)
  {

   al = al + 0x000A;
  }
  else if(al == 0x0042)
  {

   al = al + 0x00F6;
  }
  semiraw_serial[i] = al;
 }
}

//This function will print the serial numbers for all editions and
//versions of WinImage.
void PrintSerial(int raw_serial)
{
 TCHAR temp[LENGTH];

 printf("=========================================\n");
 printf("STANDARD EDITION\n");
 for(int i = 0; i < 6; i++)
 {

  wsprintf(temp, TEXT ("%lX"), raw_serial + STANDARD_EDITION[i]);

  processSerial(temp);
  wprintf(L"Registration #: %s", temp);
  cout << setw(5 + (5 - wcslen(temp))) << "" << SE_NOTES[i] << endl;
 }

 printf("=========================================\n");

 printf("=========================================\n");
 printf("PROFESSIONAL EDITION\n");

 for(int i = 0; i < 5; i++)
 {

  wsprintf(temp, TEXT ("%lX"), raw_serial + PROFESSIONAL_EDITION[i]);

  processSerial(temp);
  wprintf(L"Registration #: %s", temp);
  cout << setw(5 + (5 - wcslen(temp))) << "" << PE_NOTES[i] << endl;
 }

 printf("=========================================\n");
}

int main()
{
 int EAX = 0;

 int EBX = FOURTEEN_HEX;
 int EDX = 0;

 int EDI = TWENTYSEVEN_HEX;
 int serial = SERIAL_HEX;

 int temp;

 char name[LENGTH];
 
 //Asks the user to type in the name to register the program
 //with.

 printf("WinImage 3.00 - 8.10 Keygen\nName:");
 gets(name);

 //Algorithm that generates the raw serial number from the
 //specified name.  The edition constant number needs to be added
 //to the raw serial before being processed.
 for(unsigned int i = 0; i < strlen(name); i++)
 {

  EAX = i;
  temp = EAX;
  EAX = temp / EBX;

  EDX = temp % EBX;
  
  if(EDX == 0)
  {

   EDI = TWENTYSEVEN_HEX;
  }

  EDX = toupper(name[i]);

  EAX = i + THREE_HEX;
  temp = EAX;

  EDX = EDX * EDI;
  serial = serial + EDX;

  
  EAX = temp / FOURTEEN_HEX;
  EDX = temp % FOURTEEN_HEX;

  
  if(EDX == 0)
  {
   EDI = EDI * SEVEN_HEX;
  }

  else
  {
   EDI = EDI * 3;
  }
 }

 
 PrintSerial(serial);

 return 0;
}

Analysis of iTunes Antidebug and Parental Controls

2008-09-30T10:15:00.000-07:00

Target: Apple Itunes 8.0.0.35
Filename: iTunes.exe
File MD5: 8b8ea6aff1e43b927e49228287f9711b

The antidebug features has not change that much since version 7.6.1.9. There are still the 3 IsDebuggerPresent API calls and 1 of them terminates iTunes if it detects a debugger. I still haven't figured out how the other two are called. Anyway, it still checks for the presence of SoftICE by querying the registry.
Here is the section of code that terminates iTunes if a debugger is detected:

004FC80E |. 74 08 JE SHORT iTunes.004FC818
004FC810 |. 6A 00 PUSH 0 ; /ExitCode = 0
004FC812 |. FF15 C863E200 CALL DWORD PTR DS:[<&KERNEL32.ExitProces>; \ExitProcess
004FC818 |> 8935 E0AB0701 MOV DWORD PTR DS:[107ABE0],ESI
004FC81E |> 5E POP ESI
004FC81F \. C3 RETN

To get around this, just change JE SHORT iTunes.004FC818 to JMP SHORT iTunes.004FC818 and save the file or you can use a plug in to hide Ollydbg from this type of detection technique. Anyway, it looks like iTunes could care less if it was patched since I was able to run the patch executable. Anyway, I was looking over iTunes to see what I can do with it and I found out a way to bypass the parental controls password check, however there is a catch (which I will explain later). Three jumps must be patched in order for this to work. I will list my method below in order for others to reproduce:

1. Search for the text "ParentalAuthDialog" and scroll down to see the code below.
2. NOP out the JNZ Short after the two loops.
3. After TEST AL, AL change JNZ to JMP

00717240 |. 68 2CA3E700 PUSH iTunes2.00E7A32C ; UNICODE "ParentalAuthDialog"
00717245 |. E8 1660D0FF CALL iTunes2.0041D260
0071724A |. 83C4 0C ADD ESP,0C
0071724D |. 66:3D 6500 CMP AX,65
.
. Boring code edited out
.
.
007172C0 |> C600 00 /MOV BYTE PTR DS:[EAX],0 ; Loop Begin
007172C3 |. 83C0 01 |ADD EAX,1 ; Body
007172C6 |. 83E9 01 |SUB ECX,1 ; Body
007172C9 |.^75 F5 \JNZ SHORT iTunes2.007172C0 ; Loop Condition
.
.
007172D7 |> C600 00 /MOV BYTE PTR DS:[EAX],0 ; Loop Begin
007172DA |. 83C0 01 |ADD EAX,1 ; Body
007172DD |. 83E9 01 |SUB ECX,1 ; Body
007172E0 |.^75 F5 \JNZ SHORT iTunes2.007172D7 ; Loop Condition
007172E2 |. 3BF7 CMP ESI,EDI
007172E4 75 16 JNZ SHORT iTunes2.007172FC ; NOP out this line of code
.
.
.
007172F3 |. 84C0 TEST AL,AL
007172F5 75 2F JNZ SHORT iTunes2.00717326 ; Change JNZ to JMP

4. Search for the API "LogonUserW" and after the CMP EAX, EBX instruction change the JNZ to JMP. You can search for this API on MSDN, but it is interesting that the password appears in plaintext here.

0062FD05 . FF15 3060E200 CALL DWORD PTR DS:[<&ADVAPI32.LogonUserW>; ADVAPI32.LogonUserW
0062FD0B . 3BC3 CMP EAX,EBX
0062FD0D 75 2F JNZ SHORT iTunes2.0062FD3E ; Change JNZ to JMP
0062FD0F . FF15 D465E200 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; [GetLastError

5. Save file.
The MD5 hash that I got for the patched file is 74721636e344bfe16d2a7860c82b7e7f

To unlock the parental controls, you type in an administrator account and any random password. Before the patch, one must know the correct password to lock/unlock the parental controls.

CAVEAT - In order for this bypass to be successful, one needs access to an administrator account to replace the original one in the Itunes folder (which may require social engineering). It seems that the parental controls can only be bypassed if you are logged in with an account with administrator privileges. I tried bypassing it from a limited account and it will not work. I may look into this matter later.

Numbers generated with Collatz Conjecture Calculator

2008-08-27T22:50:00.000-07:00

Okay so I couldn't help it but I ended up testing 9,223,372,036,854,775,807 and it worked, sort of. It looks like there is a problem with the number ending with 7. When I input the number ending with the 6 then it generates the rest as normal. 27670116110564327422 is suppose to come after the number ending with the 7 since it is odd so it had to be used in the equation 3n+1. Here is the list it generated:

9223372036854775807, 9223372036854775806, 4611686018427387903, 13835058055282163
710, 6917529027641081855, 2305843009213693950, 1152921504606846975, 345876451382
0540926, 1729382256910270463, 5188146770730811390, 2594073385365405695, 77822201
56096217086, 3891110078048108543, 11673330234144325630, 5836665117072162815, 175
09995351216488446, 8754997675608244223, 7818248953115181054, 3909124476557590527
, 11727373429672771582, 5863686714836385791, 17591060144509157374, 8795530072254
578687, 7939846143054184446, 3969923071527092223, 11909769214581276670, 59548846
07290638335, 17864653821871915006, 8932326910935957503, 8350236659098320894, 417
5118329549160447, 12525354988647481342, 6262677494323740671, 341288409261670398,
170644204630835199, 511932613892505598, 255966306946252799, 767898920838758398,
383949460419379199, 1151848381258137598, 575924190629068799, 172777257188720639
8, 863886285943603199, 2591658857830809598, 1295829428915404799, 388748828674621
4398, 1943744143373107199, 5831232430119321598, 2915616215059660799, 87468486451
78982398, 4373424322589491199, 13120272967768473598, 6560136483884236799, 123366
5377943158782, 616832688971579391, 1850498066914738174, 925249033457369087, 2775
747100372107262, 1387873550186053631, 4163620650558160894, 2081810325279080447,
6245430975837241342, 3122715487918620671, 9368146463755862014, 46840732318779310
07, 14052219695633793022, 7026109847816896511, 2631585469741137918, 131579273487
0568959, 3947378204611706878, 1973689102305853439, 5921067306917560318, 29605336
53458780159, 8881600960376340478, 4440800480188170239, 13322401440564510718, 666
1200720282255359, 1536858087137214462, 768429043568607231, 2305287130705821694,
1152643565352910847, 3457930696058732542, 1728965348029366271, 51868960440880988
14, 2593448022044049407, 7780344066132148222, 3890172033066074111, 1167051609919
8222334, 5835258049599111167, 17505774148797333502, 8752887074398666751, 7811917
149486448638, 3905958574743224319, 11717875724229672958, 5858937862114836479, 17
576813586344509438, 8788406793172254719, 7918476305807212542, 395923815290360627
1, 11877714458710818814, 5938857229355409407, 17816571688066228222, 890828584403
3114111, 8278113458389790718, 4139056729194895359, 12417170187584686078, 6208585
093792343039, 179011207667477502, 89505603833738751, 268516811501216254, 1342584
05750608127, 402775217251824382, 201387608625912191, 604162825877736574, 3020814
12938868287, 906244238816604862, 453122119408302431, 1359366358224907294, 679683
179112453647, 2039049537337360942, 1019524768668680471, 3058574306006041414, 152
9287153003020707, 4587861459009062122, 2293930729504531061, 6881792188513593184,
3440896094256796592, 1720448047128398296, 860224023564199148, 43011201178209957
4, 215056005891049787, 645168017673149362, 322584008836574681, 96775202650972404
4, 483876013254862022, 241938006627431011, 725814019882293034, 36290700994114651
7, 1088721029823439552, 544360514911719776, 272180257455859888, 1360901287279299
44, 68045064363964972, 34022532181982486, 17011266090991243, 51033798272973730,
25516899136486865, 76550697409460596, 38275348704730298, 19137674352365149, 5741
3023057095448, 28706511528547724, 14353255764273862, 7176627882136931, 215298836
46410794, 10764941823205397, 32294825469616192, 16147412734808096, 8073706367404
048, 4036853183702024, 2018426591851012, 1009213295925506, 504606647962753, 1513
819943888260, 756909971944130, 378454985972065, 1135364957916196, 56768247895809
8, 283841239479049, 851523718437148, 425761859218574, 212880929609287, 638642788
827862, 319321394413931, 957964183241794, 478982091620897, 1436946274862692, 718
473137431346, 359236568715673, 1077709706147020, 538854853073510, 26942742653675
5, 808282279610266, 404141139805133, 1212423419415400, 606211709707700, 30310585
4853850, 151552927426925, 454658782280776, 227329391140388, 113664695570194, 568
32347785097, 170497043355292, 85248521677646, 42624260838823, 127872782516470, 6
3936391258235, 191809173774706, 95904586887353, 287713760662060, 143856880331030
, 71928440165515, 215785320496546, 107892660248273, 323677980744820, 16183899037
2410, 80919495186205, 242758485558616, 121379242779308, 60689621389654, 30344810
694827, 91034432084482, 45517216042241, 136551648126724, 68275824063362, 3413791
2031681, 102413736095044, 51206868047522, 25603434023761, 76810302071284, 384051
51035642, 19202575517821, 57607726553464, 28803863276732, 14401931638366, 720096
5819183, 21602897457550, 10801448728775, 32404346186326, 16202173093163, 4860651
9279490, 24303259639745, 72909778919236, 36454889459618, 18227444729809, 5468233
4189428, 27341167094714, 13670583547357, 41011750642072, 20505875321036, 1025293
7660518, 5126468830259, 15379406490778, 7689703245389, 23069109736168, 115345548
68084, 5767277434042, 2883638717021, 8650916151064, 4325458075532, 2162729037766
, 1081364518883, 3244093556650, 1622046778325, 4866140334976, 2433070167488, 121
6535083744, 608267541872, 304133770936, 152066885468, 76033442734, 38016721367,
114050164102, 57025082051, 171075246154, 85537623077, 256612869232, 128306434616
, 64153217308, 32076608654, 16038304327, 48114912982, 24057456491, 72172369474,
36086184737, 108258554212, 54129277106, 27064638553, 81193915660, 40596957830, 2
0298478915, 60895436746, 30447718373, 91343155120, 45671577560, 22835788780, 114
17894390, 5708947195, 17126841586, 8563420793, 25690262380, 12845131190, 6422565
595, 19267696786, 9633848393, 28901545180, 14450772590, 7225386295, 21676158886,
10838079443, 32514238330, 16257119165, 48771357496, 24385678748, 12192839374, 6
096419687, 18289259062, 9144629531, 27433888594, 13716944297, 41150832892, 20575
416446, 10287708223, 30863124670, 15431562335, 46294687006, 23147343503, 6944203
0510, 34721015255, 104163045766, 52081522883, 156244568650, 78122284325, 2343668
52976, 117183426488, 58591713244, 29295856622, 14647928311, 43943784934, 2197189
2467, 65915677402, 32957838701, 98873516104, 49436758052, 24718379026, 123591895
13, 37077568540, 18538784270, 9269392135, 27808176406, 13904088203, 41712264610,
20856132305, 62568396916, 31284198458, 15642099229, 46926297688, 23463148844, 1
1731574422, 5865787211, 17597361634, 8798680817, 26396042452, 13198021226, 65990
10613, 19797031840, 9898515920, 4949257960, 2474628980, 1237314490, 618657245, 1
855971736, 927985868, 463992934, 231996467, 695989402, 347994701, 1043984104, 52
1992052, 260996026, 130498013, 391494040, 195747020, 97873510, 48936755, 1468102
66, 73405133, 220215400, 110107700, 55053850, 27526925, 82580776, 41290388, 2064
5194, 10322597, 30967792, 15483896, 7741948, 3870974, 1935487, 5806462, 2903231,
8709694, 4354847, 13064542, 6532271, 19596814, 9798407, 29395222, 14697611, 440
92834, 22046417, 66139252, 33069626, 16534813, 49604440, 24802220, 12401110, 620
0555, 18601666, 9300833, 27902500, 13951250, 6975625, 20926876, 10463438, 523171
9, 15695158, 7847579, 23542738, 11771369, 35314108, 17657054, 8828527, 26485582,
13242791, 39728374, 19864187, 59592562, 29796281, 89388844, 44694422, 22347211,
67041634, 33520817, 100562452, 50281226, 25140613, 75421840, 37710920, 18855460
, 9427730, 4713865, 14141596, 7070798, 3535399, 10606198, 5303099, 15909298, 795
4649, 23863948, 11931974, 5965987, 17897962, 8948981, 26846944, 13423472, 671173
6, 3355868, 1677934, 838967, 2516902, 1258451, 3775354, 1887677, 5663032, 283151
6, 1415758, 707879, 2123638, 1061819, 3185458, 1592729, 4778188, 2389094, 119454
7, 3583642, 1791821, 5375464, 2687732, 1343866, 671933, 2015800, 1007900, 503950
, 251975, 755926, 377963, 1133890, 566945, 1700836, 850418, 425209, 1275628, 637
814, 318907, 956722, 478361, 1435084, 717542, 358771, 1076314, 538157, 1614472,
807236, 403618, 201809, 605428, 302714, 151357, 454072, 227036, 113518, 56759, 1
70278, 85139, 255418, 127709, 383128, 191564, 95782, 47891, 143674, 71837, 21551
2, 107756, 53878, 26939, 80818, 40409, 121228, 60614, 30307, 90922, 45461, 13638
4, 68192, 34096, 17048, 8524, 4262, 2131, 6394, 3197, 9592, 4796, 2398, 1199, 35
98, 1799, 5398, 2699, 8098, 4049, 12148, 6074, 3037, 9112, 4556, 2278, 1139, 341
8, 1709, 5128, 2564, 1282, 641, 1924, 962, 481, 1444, 722, 361, 1084, 542, 271,
814, 407, 1222, 611, 1834, 917, 2752, 1376, 688, 344, 172, 86, 43, 130, 65, 196,
98, 49, 148, 74, 37, 112, 56, 28, 14, 7, 22, 11, 34, 17, 52, 26, 13, 40, 20, 10
, 5, 16, 8, 4, 2, 1

Collatz Conjecture Calculator

2008-08-27T22:34:00.000-07:00

I am taking a discrete mathematics course and just for fun I decided to code a program to calculate and display on the numbers from an integer that the user enters in. I couldn't believe it myself but the numbers I put in all end up going to 1. I tested using numbers as large as 2,147,483,647 and it would not give my computer any trouble in calculating. I am pretty sure it can use larger numbers since I code it to store the number in an "unsigned __int64". Anyway, here is the code:

#include "stdafx.h"
#include <iostream>
using namespace std;

int main()
{
unsigned __int64 n;

cout << "Collatz Conjecture Calculator v1.0\n";

cout << "Enter an integer greater than 1: ";
cin >> n;

cout << n << ", ";

while(n!=1)
{
if ( n % 2 == 0 )
{

n = n / 2;
}
else
{

n = 3 * n + 1;
}
cout << n << ", ";
}

return 0;
}

Winzip 7.0 SR-1 Keygen with both algorithms

2008-07-18T01:54:00.000-07:00

*Note* The keys generated from the code below has been tested to work up to Winzip 8.1 SR-1 (5266) . Beyond that, they used another algorithm that I don't have experience in reversing.

// keygen.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <stdio.h>

#include <iso646.h>
#include <iostream>
#include <string>
#include <vector>

using namespace std;

void algorithm(char a[256], int b, int c)
{

//Algorithm that generates the serial's FIRST 4 digits
unsigned __int16 EAX = 0;
unsigned __int16 ESI = 0;

unsigned __int16 ECX = 0;
int EDX;

int name_length = b;

for(int i = 0; i < name_length; i++)
{

ECX = a[i] * 256;
EDX = 8;

do
{
ESI = ECX;
ESI = ESI xor EAX;

if(ESI <= 32768)
{
EAX = 2 * EAX;

ECX = 2 * ECX;
EDX--;
}
else

{
EAX = EAX + EAX;
EAX = EAX xor 4129;

ECX = ECX * 2;
EDX--;
}
}
while(EDX > 0);
}

EAX = EAX + 99;

//Algorithm that generates the serial's LAST four digits
int EDI = 0;

for(int i = 0; i < name_length; i++)
{

EDI = EDI + (a[i] * i);
}

//Displays serial generated
if (c == 1)
{
//cout << '\n';

printf("Algorithm #1 Serial: %.4X" "%.4X",EAX,EDI);
}
else if (c == 2)
{

//Combines first and last parts of the serial number together
int first = 0;
int serial = 0;

first = EAX * 10000;
serial = first + EDI;

//Displays the serial number generated
if (serial > 99999999) //if the serial number is greater 8 digits
{
serial = serial / 10; // then divide it by 10 to make it 8 digits

}

cout << '\n';
printf("Algorithm #2 Serial: %u", serial);
}
}

void Name()
{
char name[256];
char name_lowercase[256];

int name_length = 0;

//Asks for the name that is to be registered
cout << "Name: ";

fflush( stdin );
gets(name);
name_length = strlen(name);

//Converts and saves the name to lowercase
for(int i = 0; i < name_length; i++)
{

name_lowercase[i] = tolower(name[i]);
}

algorithm(name,name_length, 1);

algorithm(name_lowercase,name_length, 2);

}
int main()
{
cout << "Winzip 7.0 SR-1 Keygen\nEither serial from algorithm #1 or 2 can be used to register this program.\n";

bool no_quit = true;
int a = 0;

Name();

do
{
cout << "\n\nGenerate another one? (yes=1/no=0)\n";

cin >> a;
if (a==1)
{
Name();
}

else no_quit=false;
}
while(no_quit);

return 0;
}

Winzip 2nd Algorithm C++ source

2008-07-18T01:52:00.000-07:00

// kg_2.cpp : Defines the entry point for the console application.

#include "stdafx.h"
#include <stdio.h>

#include <iso646.h>
#include <iostream>
#include <string>
#include <vector>

using namespace std;

int main()
{
char name[256];
int name_length;

cout << "Winzip 7.0 SR-1 Keygen v2.0\n";

//Request for name to be registered
cout << "Name: ";

gets(name);
name_length = strlen(name);

//Converts name into lowercase
for(int i = 0; i < name_length; i++)
{

name[i] = tolower(name[i]);
}

//Algorithm that generates the serial's FIRST 4 digits
unsigned __int16 EAX = 0;

unsigned __int16 ESI = 0;
unsigned __int16 ECX = 0;

int EDX;

for(int i = 0; i < name_length; i++)
{

ECX = name[i] * 256;
EDX = 8;

do
{
ESI = ECX;
ESI = ESI xor EAX;

if(ESI <= 32768)
{
EAX = 2 * EAX;

ECX = 2 * ECX;
EDX--;
}
else

{
EAX = EAX + EAX;
EAX = EAX xor 4129;

ECX = ECX * 2;
EDX--;

}
}
while(EDX > 0);
}

EAX = EAX + 99;

//Algorithm that generates the serial's LAST four digits
int EDI = 0;

for(int i = 0; i < name_length; i++)
{

EDI = EDI + (name[i] * i);
}

//Combines first and last parts of the serial number together

int first = 0;
int serial = 0;

first = EAX * 10000;
serial = first + EDI;

//Displays the serial number generated
if (serial > 99999999) //if the serial number is greater 8 digits
{
serial = serial / 10; // then divide it by 10 to make it 8 digits

}

printf("Serial: %u", serial);

return 0;
}

Quick Update

2008-07-17T15:41:00.000-07:00

It seem to me that the second algorithm in Winzip is almost the same as the one described in the previous post. However the differences are:

This algorithm converts all the letters in the name to lowercase before being used to generate the serial number (the serial number for TSA is the same for tsa).
The serial number, so far, consists only of numbers 0-9 (unlike the other one in which hexadecimal 0-9 and A-F was involved).

I made minor changes to the keygen but it seems to generate for some names, serial numbers that are greater than 8 digits long. I will post up the code sooner or later when I have the time.

Winzip 7.0 SR-1 (1285) Serial Number Algorithm Analysis

2008-07-17T00:58:00.000-07:00

Abstract: The purpose is to find, reverse engineer, and code a key generator for the algorithm that checks for the correct serial number that is associated with the entered name.

1. Materials: Ollydbg v1.10, ASCII lookup table, Visual C++ 2008 Express Edition.
2. Analysis:
If you have read my previous post, “Solution to br0ken’s CrackMe4”, then the first thing you should do for Winzip after loading it in Ollydbg is to run it and input a name and fake serial number in order to see what the error message is in order to search for the text string and reverse from there.
The error message is “Incomplete or incorrect information”. Tracing back from this is not futile because you will come across a line of code in which you will see that there are many calls to that line (which is not helpful). Unlike CrackMe4 where you can easily trace back, you will have to take a different approach with Winzip. Since the name and serial number are being entered into a dialog box, it must somehow use a function in order to get what was inputted. This function is called GetDlgItemTextA. To set a breakpoint on this function click Plugins-> 2 Command line-> Command line and type in bp GetDlgItemTextA and press enter. Now you can now run Winzip. If the program stops at a breakpoint before you have reached the window where you enter your registration information, then just keep on running the program. Now enter in your fake registration information and press OK. Olldbg should now break. Patience and a good observation is required for the next step in which you will be stepping through the code by pressing F8. Eventually you will see the text string for the error message show up in the EAX register. If you look up a bit then you should see a call above PUSH 28E. This one is important because it has a “>” next to it, which means it is a jump destination from 3 origins that are close by to each other, which happen to be in the block of code where you see your name and serial number being copied into memory. Somehow the check for the serial must be located as a call near the three jumps origins. You will trace into a call that is right before the last jump origin and trace through the code there.

00408044 |. E8 79160200 CALL WINZIP32.004296C2
00408049 |. 803D 28D94700 >CMP BYTE PTR DS:[47D928],0
00408050 |. 59 POP ECX
00408051 |. 74 5F JE SHORT WINZIP32.004080B2
00408053 |. 803D 58D94700 >CMP BYTE PTR DS:[47D958],0
0040805A |. 74 56 JE SHORT WINZIP32.004080B2
0040805C |. E8 EAFAFFFF CALL WINZIP32.00407B4B
00408061 |. 85C0 TEST EAX,EAX
00408063 |. 74 4D JE SHORT WINZIP32.004080B2
00408065 |. 53 PUSH EBX ; /Arg3
00408066 |. BB B80C4700 MOV EBX,WINZIP32.00470CB8 ; |ASCII "WinZip"
0040806B |. 68 F8EA4600 PUSH WINZIP32.0046EAF8 ; |Arg2 = 0046EAF8 ASCII "Name"
00408070 |. 53 PUSH EBX ; |Arg1 => 00470CB8 ASCII "WinZip"
00408071 |. E8 CEA70200 CALL WINZIP32.00432844 ; \WINZIP32.00432844
00408076 |. 83C4 0C ADD ESP,0C
00408079 |. 56 PUSH ESI ; /Arg3
0040807A |. 68 9CF44600 PUSH WINZIP32.0046F49C ; |Arg2 = 0046F49C ASCII "SN"
0040807F |. 53 PUSH EBX ; |Arg1
00408080 |. E8 BFA70200 CALL WINZIP32.00432844 ; \WINZIP32.00432844
00408085 |. 83C4 0C ADD ESP,0C
00408088 |. 68 D80C4700 PUSH WINZIP32.00470CD8 ; /Arg4 = 00470CD8 ASCII "winzip32.ini"
0040808D |. 6A 00 PUSH 0 ; |Arg3 = 00000000
0040808F |. 6A 00 PUSH 0 ; |Arg2 = 00000000
00408091 |. 68 04EB4600 PUSH WINZIP32.0046EB04 ; |Arg1 = 0046EB04 ASCII "rrs"
00408096 |. E8 90A70200 CALL WINZIP32.0043282B ; \WINZIP32.0043282B
0040809B |. A1 A0944700 MOV EAX,DWORD PTR DS:[4794A0]
004080A0 |. 83C4 10 ADD ESP,10
004080A3 |. 85C0 TEST EAX,EAX
004080A5 |. 74 07 JE SHORT WINZIP32.004080AE
004080A7 |. 50 PUSH EAX ; /hObject => D60A0217
004080A8 |. FF15 60804600 CALL DWORD PTR DS:[<&GDI32.DeleteObject>>; \DeleteObject
004080AE |> 6A 01 PUSH 1
004080B0 |. EB 31 JMP SHORT WINZIP32.004080E3
004080B2 |> E8 E5010000 CALL WINZIP32.0040829C
004080B7 |. 68 8E020000 PUSH 28E
004080BC |. E8 9B050200 CALL WINZIP32.0042865C
004080C1 |. 59 POP ECX
004080C2 |. 50 PUSH EAX ; /Arg3 = 0047F970 ASCII "Incomplete or incorrect information"
004080C3 |. 57 PUSH EDI ; |Arg2
004080C4 |. 6A 3D PUSH 3D ; |Arg1 = 0000003D
004080C6 |. E8 1CE70100 CALL WINZIP32.004267E7 ; \WINZIP32.004267E7

Eventually you will see your name and serial appear in the stack, now pay attention carefully since the valid serial number will soon appear as well. When it does, stop, and take note of the call that causes this to happen. You will have to trace into this call and single step through the code carefully, since it is the serial algorithm.

00407B4B /$ 55 PUSH EBP
00407B4C |. 8BEC MOV EBP,ESP
00407B4E |. 81EC 08020000 SUB ESP,208
00407B54 |. 53 PUSH EBX
00407B55 |. 56 PUSH ESI
00407B56 |. 33F6 XOR ESI,ESI
00407B58 |. 803D 28D94700 >CMP BYTE PTR DS:[47D928],0
00407B5F |. 57 PUSH EDI
00407B60 |. 0F84 A1000000 JE WINZIP32.00407C07
00407B66 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00407B69 |. 50 PUSH EAX
00407B6A |. 68 60F44600 PUSH WINZIP32.0046F460 ; /Arg1 = 0046F460
00407B6F |. E8 4F9CFFFF CALL WINZIP32.004017C3 ; \WINZIP32.004017C3
00407B74 |. 59 POP ECX
00407B75 |. 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
00407B7B |. 59 POP ECX
00407B7C |. BF 28D94700 MOV EDI,WINZIP32.0047D928 ; ASCII "TSA"
00407B81 |. 50 PUSH EAX
00407B82 |. 57 PUSH EDI ; /Arg1 => 0047D928 ASCII "TSA"
00407B83 |. E8 A9020000 CALL WINZIP32.00407E31 ; \WINZIP32.00407E31
00407B88 |. 59 POP ECX
00407B89 |. 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
00407B8F |. 59 POP ECX
00407B90 |. 50 PUSH EAX
00407B91 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00407B94 |. 50 PUSH EAX
00407B95 |. E8 66FD0400 CALL WINZIP32.00457900
00407B9A |. 59 POP ECX
00407B9B |. 59 POP ECX
00407B9C |. 6A 01 PUSH 1
00407B9E |. 85C0 TEST EAX,EAX
00407BA0 |. 5B POP EBX
00407BA1 |. 75 02 JNZ SHORT WINZIP32.00407BA5
00407BA3 |. 8BF3 MOV ESI,EBX
00407BA5 |> 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00407BA8 |. 50 PUSH EAX
00407BA9 |. 68 70F44600 PUSH WINZIP32.0046F470 ; /Arg1 = 0046F470
00407BAE |. E8 109CFFFF CALL WINZIP32.004017C3 ; \WINZIP32.004017C3
00407BB3 |. 59 POP ECX
00407BB4 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00407BB7 |. 59 POP ECX
00407BB8 |. 50 PUSH EAX
00407BB9 |. 57 PUSH EDI ; WINZIP32.0047D928
00407BBA |. E8 41FD0400 CALL WINZIP32.00457900
00407BBF |. 59 POP ECX
00407BC0 |. 85C0 TEST EAX,EAX
00407BC2 |. 59 POP ECX
00407BC3 |. 75 0C JNZ SHORT WINZIP32.00407BD1
00407BC5 |. FF15 C4814600 CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; [GetTickCount
00407BCB |. 84C3 TEST BL,AL
00407BCD |. 74 02 JE SHORT WINZIP32.00407BD1
00407BCF |. 8BF3 MOV ESI,EBX
00407BD1 |> 6A 14 PUSH 14
00407BD3 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00407BD6 |. 6A 00 PUSH 0
00407BD8 |. 50 PUSH EAX
00407BD9 |. E8 72E50400 CALL WINZIP32.00456150
00407BDE |. 83C4 0C ADD ESP,0C
00407BE1 |. 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
00407BE7 |. 68 C8000000 PUSH 0C8
00407BEC |. 6A 00 PUSH 0
00407BEE |. 50 PUSH EAX
00407BEF |. E8 5CE50400 CALL WINZIP32.00456150
00407BF4 |. 83C4 0C ADD ESP,0C
00407BF7 |. 85F6 TEST ESI,ESI
00407BF9 |. 74 13 JE SHORT WINZIP32.00407C0E
00407BFB |. E8 9C060000 CALL WINZIP32.0040829C
00407C00 |. 8325 7CB04700 >AND DWORD PTR DS:[47B07C],0
00407C07 |> 33C0 XOR EAX,EAX
00407C09 |. E9 B3000000 JMP WINZIP32.00407CC1
00407C0E |> 8D85 C0FEFFFF LEA EAX,DWORD PTR SS:[EBP-140]
00407C14 |. 50 PUSH EAX
00407C15 |. 57 PUSH EDI
00407C16 |. E8 AB000000 CALL WINZIP32.00407CC6
00407C1B |. 59 POP ECX
00407C1C |. BE 58D94700 MOV ESI,WINZIP32.0047D958 ; ASCII "123456789"
00407C21 |. 59 POP ECX
00407C22 |. 8D85 C0FEFFFF LEA EAX,DWORD PTR SS:[EBP-140]
00407C28 |. 56 PUSH ESI
00407C29 |. 50 PUSH EAX
00407C2A |. E8 D1FC0400 CALL WINZIP32.00457900
00407C2F |. F7D8 NEG EAX
00407C31 |. 1BC0 SBB EAX,EAX
00407C33 |. 59 POP ECX
00407C34 |. 40 INC EAX
00407C35 |. 59 POP ECX
00407C36 |. A3 7CB04700 MOV DWORD PTR DS:[47B07C],EAX
00407C3B |. 75 69 JNZ SHORT WINZIP32.00407CA6
00407C3D |. 8D85 C0FEFFFF LEA EAX,DWORD PTR SS:[EBP-140]
00407C43 |. 50 PUSH EAX
00407C44 |. 57 PUSH EDI
00407C45 |. E8 20010000 CALL WINZIP32.00407D6A
00407C4A |. 59 POP ECX
00407C4B |. 8D85 C0FEFFFF LEA EAX,DWORD PTR SS:[EBP-140]
00407C51 |. 59 POP ECX
00407C52 |. 56 PUSH ESI
00407C53 |. 50 PUSH EAX
00407C54 |. E8 A7FC0400 CALL WINZIP32.00457900
00407C59 |. F7D8 NEG EAX
00407C5B |. 1BC0 SBB EAX,EAX
00407C5D |. 59 POP ECX
00407C5E |. 40 INC EAX
00407C5F |. 59 POP ECX
00407C60 |. A3 7CB04700 MOV DWORD PTR DS:[47B07C],EAX
00407C65 |. 75 3F JNZ SHORT WINZIP32.00407CA6
00407C67 |. 8D85 C4FEFFFF LEA EAX,DWORD PTR SS:[EBP-13C]
00407C6D |. 6A 04 PUSH 4
00407C6F |. 50 PUSH EAX
00407C70 |. 56 PUSH ESI
00407C71 |. E8 EA040500 CALL WINZIP32.00458160
00407C76 |. 83C4 0C ADD ESP,0C
00407C79 |. 85C0 TEST EAX,EAX
00407C7B |. 75 22 JNZ SHORT WINZIP32.00407C9F
00407C7D |. 8D85 C0FEFFFF LEA EAX,DWORD PTR SS:[EBP-140]
00407C83 |. 6A 04 PUSH 4
00407C85 |. 50 PUSH EAX
00407C86 |. 68 5CD94700 PUSH WINZIP32.0047D95C ; ASCII "56789"
00407C8B |. E8 D0040500 CALL WINZIP32.00458160
00407C90 |. 83C4 0C ADD ESP,0C
00407C93 |. 85C0 TEST EAX,EAX
00407C95 |. 75 08 JNZ SHORT WINZIP32.00407C9F
00407C97 |. 891D 7CB04700 MOV DWORD PTR DS:[47B07C],EBX
00407C9D |. EB 07 JMP SHORT WINZIP32.00407CA6
00407C9F |> 8325 7CB04700 >AND DWORD PTR DS:[47B07C],0
00407CA6 |> 68 2C010000 PUSH 12C
00407CAB |. 8D85 C0FEFFFF LEA EAX,DWORD PTR SS:[EBP-140]
00407CB1 |. 6A 00 PUSH 0
00407CB3 |. 50 PUSH EAX
00407CB4 |. E8 97E40400 CALL WINZIP32.00456150
00407CB9 |. A1 7CB04700 MOV EAX,DWORD PTR DS:[47B07C]
00407CBE |. 83C4 0C ADD ESP,0C
00407CC1 |> 5F POP EDI
00407CC2 |. 5E POP ESI
00407CC3 |. 5B POP EBX
00407CC4 |. C9 LEAVE
00407CC5 \. C3 RETN

The call at 00407B4B will check if the name is “MuradMeraly” or “bcom”. It appears that these names are blacklisted. If you watch the stack carefully while tracing through this call, you will eventually see your name and fake serial number. After the call at 00407CC6, you will see the real serial number appear in the stack. Trace into this call because this is where the algorithm is (the important parts are in color).

00407CC6 /$ 55 PUSH EBP
00407CC7 |. 8BEC MOV EBP,ESP
00407CC9 |. 51 PUSH ECX
00407CCA |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00407CCD |. 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
00407CD1 |. 53 PUSH EBX
00407CD2 |. 56 PUSH ESI
00407CD3 |. 8A11 MOV DL,BYTE PTR DS:[ECX]
00407CD5 |. 57 PUSH EDI
00407CD6 |. 33C0 XOR EAX,EAX
00407CD8 |. 8BF1 MOV ESI,ECX
00407CDA |. 33FF XOR EDI,EDI
00407CDC |> 84D2 /TEST DL,DL
00407CDE |. 74 13 |JE SHORT WINZIP32.00407CF3
00407CE0 |. 66:0FB6D2 |MOVZX DX,DL
00407CE4 |. 8BDF |MOV EBX,EDI
00407CE6 |. 0FAFDA |IMUL EBX,EDX
00407CE9 |. 015D FC |ADD DWORD PTR SS:[EBP-4],EBX
00407CEC |. 8A56 01 |MOV DL,BYTE PTR DS:[ESI+1]
00407CEF |. 47 |INC EDI
00407CF0 |. 46 |INC ESI
00407CF1 |.^EB E9 \JMP SHORT WINZIP32.00407CDC
00407CF3 |> C705 ECD34700 >MOV DWORD PTR DS:[47D3EC],1
00407CFD |. 8BF1 MOV ESI,ECX
00407CFF |. 8A09 MOV CL,BYTE PTR DS:[ECX]
00407D01 |> 84C9 /TEST CL,CL
00407D03 |. 74 19 |JE SHORT WINZIP32.00407D1E
00407D05 |. 66:0FB6C9 |MOVZX CX,CL
00407D09 |. 68 21100000 |PUSH 1021 ; /Arg3 = 00001021
00407D0E |. 51 |PUSH ECX ; |Arg2
00407D0F |. 50 |PUSH EAX ; |Arg1
00407D10 |. E8 2A000000 |CALL WINZIP32.00407D3F ; \WINZIP32.00407D3F
00407D15 |. 8A4E 01 |MOV CL,BYTE PTR DS:[ESI+1]
00407D18 |. 83C4 0C |ADD ESP,0C
00407D1B |. 46 |INC ESI
00407D1C |.^EB E3 \JMP SHORT WINZIP32.00407D01
00407D1E |> 0FB74D FC MOVZX ECX,WORD PTR SS:[EBP-4]
00407D22 |. 83C0 63 ADD EAX,63
00407D25 |. 51 PUSH ECX
00407D26 |. 0FB7C0 MOVZX EAX,AX
00407D29 |. 50 PUSH EAX
00407D2A |. 68 84F44600 PUSH WINZIP32.0046F484 ; ASCII "%04X%04X"
00407D2F |. FF75 0C PUSH DWORD PTR SS:[EBP+C]
00407D32 |. E8 69E20400 CALL WINZIP32.00455FA0
00407D37 |. 83C4 10 ADD ESP,10
00407D3A |. 5F POP EDI
00407D3B |. 5E POP ESI
00407D3C |. 5B POP EBX
00407D3D |. C9 LEAVE
00407D3E \. C3 RETN

The first block will generate the last four digits of the serial number, while the last block will generate the first four digits of the serial number. The serial number is 8 characters long and consist of numbers 0-9 and letters A-F. The first block was quite simple in figuring out, but I was stumped on the second block for awhile before understanding it. Anyway, I will be posting the C++ source code of the key generator algorithm as a proof of my understanding.
Here are some names and serial numbers:
“a” = 7CEA0000
“TSA” = 816A00D5

3. Conclusion: I was able to find, reverse engineer the algorithm, and write a key generator in C++. Quite interestingly, it seems that the program also can be registered using a different serial number since 96400309 can also register the name TSA. I will look further into that for my next reverse engineering related post.

// Test.cpp : main project file.

#include "stdafx.h"
#include
#include
#include
#include
#include

using namespace std;

int main()
{
char name[256];
int serial = 0;
int a;

cout << "Winzip 7.0 SR-1 Keygen\n";

//Requests for name to be registered
cout << "Name: "; gets(name);
a = strlen(name);

//Algorithm that generates the serial's FIRST 4 digits
unsigned __int16 EAX = 0;
unsigned __int16 ESI = 0;
unsigned __int16 ECX = 0; int EDX;
for(int i = 0; i < a; i++)
{
ECX = name[i] * 256;
EDX = 8;
do
{
ESI = ECX;
ESI = ESI xor EAX;
if(ESI <= 32768)
{
EAX = 2 * EAX;
ECX = 2 * ECX;
EDX--;
}
else
{
EAX = EAX + EAX;
EAX = EAX xor 4129;
ECX = ECX * 2;
EDX--;
}
}
while(EDX > 0);
}
EAX = EAX + 99;

//Algorithm that generates the serial's LAST 4 digits
for(int i = 0; i < a; i++)
{
serial = serial + (name[i] * i);
}
//Displays serial generated
printf("Serial: %.4X" "%.4X",EAX,serial);
return 0;
}

Winzip 7.0 SR-1 Keygenned FINALLY!

2008-07-08T00:25:00.000-07:00

After two days I manage to create a keygen for the program. Serial fishing took less than 5 minutes, but analyzing the serial algorithm and also translating it from x86 assembly to C++ (using Visual Studio 2008 Express Edition) took a while. I will probably post details and source code later. Anyway, had I used unsigned _int16 instead of just int would have saved me lots of time. Great learning experience though.

Solution to br0ken’s CrackMe4

2008-07-02T22:10:00.000-07:00

1. Materials: Ollydbg v1.10, ASCII lookup table
2. Analysis:
Before running the program in Ollydbg, let’s first get a general idea of what we will be
doing. This crackme asks for a password from the user. If it is correct, then there is a
message that will tell us that it is valid. However if it is incorrect, then a different message
saying that it is wrong is shown (some programs I encountered won’t give any feedback).
Our goal would be to find the error or valid message and work backwards from there.
We are asked to write a program that brute forces the password; however I think that a
beginner in reverse engineering could learn a thing or two by analyzing how the program
checks for the correct password.
Open the program with Ollydbg, right-click and Search for -> All referenced text strings.
You should be able to easily spot out the good and bad message (respectively “That’s right!
Now write a small tut :)” and “Nope. . . try again.”). You can select either of the messages
and right-click and Follow in disassembler. You should see code that looks like this:

004013C8 |. 8D85 28FFFFFF LEA EAX,DWORD PTR SS:[EBP-D8] ; |||
004013CE |. 890424 MOV DWORD PTR SS:[ESP],EAX ; |||
004013D1 |. E8 8A060000 CALL ; ||\strlen
004013D6 |. 8985 78FDFFFF MOV DWORD PTR SS:[EBP-288],EAX ; ||
004013DC |. 8D85 28FFFFFF LEA EAX,DWORD PTR SS:[EBP-D8] ; ||
004013E2 |. 890424 MOV DWORD PTR SS:[ESP],EAX ; ||
004013E5 |. E8 76060000 CALL ; |\strlen
004013EA |. 83F8 06 CMP EAX,6 ; |
004013ED |. 0F85 BE000000 JNZ cm4.004014B1 ; |
004013F3 |. 0FB685 28FFFFF>MOVZX EAX,BYTE PTR SS:[EBP-D8] ; |
004013FA |. 34 34 XOR AL,34 ; |
004013FC |. 0FBEC0 MOVSX EAX,AL ; |
004013FF |. 8985 74FDFFFF MOV DWORD PTR SS:[EBP-28C],EAX ; |
00401405 |. 0FB685 29FFFFF>MOVZX EAX,BYTE PTR SS:[EBP-D7] ; |
0040140C |. 34 78 XOR AL,78 ; |
0040140E |. 0FBEC0 MOVSX EAX,AL ; |
00401411 |. 8985 70FDFFFF MOV DWORD PTR SS:[EBP-290],EAX ; |
00401417 |. 0FB685 2AFFFFF>MOVZX EAX,BYTE PTR SS:[EBP-D6] ; |
0040141E |. 34 12 XOR AL,12 ; |
00401420 |. 0FBEC0 MOVSX EAX,AL ; |
00401423 |. 8985 6CFDFFFF MOV DWORD PTR SS:[EBP-294],EAX ; |
00401429 |. 0FBE85 2BFFFFF>MOVSX EAX,BYTE PTR SS:[EBP-D5] ; |
00401430 |. 35 FE000000 XOR EAX,0FE ; |
00401435 |. 8985 68FDFFFF MOV DWORD PTR SS:[EBP-298],EAX ; |
0040143B |. 0FBE85 2CFFFFF>MOVSX EAX,BYTE PTR SS:[EBP-D4] ; |
00401442 |. 35 DB000000 XOR EAX,0DB ; |
00401447 |. 8985 64FDFFFF MOV DWORD PTR SS:[EBP-29C],EAX ; |
0040144D |. 0FB685 2DFFFFF>MOVZX EAX,BYTE PTR SS:[EBP-D3] ; |
00401454 |. 34 78 XOR AL,78 ; |
00401456 |. 0FBEC0 MOVSX EAX,AL ; |
00401459 |. 8985 60FDFFFF MOV DWORD PTR SS:[EBP-2A0],EAX ; |
0040145F |. 8B85 60FDFFFF MOV EAX,DWORD PTR SS:[EBP-2A0] ; |
00401465 |. 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX ; |
00401469 |. 8B85 64FDFFFF MOV EAX,DWORD PTR SS:[EBP-29C] ; |
0040146F |. 894424 18 MOV DWORD PTR SS:[ESP+18],EAX ; |
00401473 |. 8B85 68FDFFFF MOV EAX,DWORD PTR SS:[EBP-298] ; |
00401479 |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX ; |
0040147D |. 8B85 6CFDFFFF MOV EAX,DWORD PTR SS:[EBP-294] ; |
00401483 |. 894424 10 MOV DWORD PTR SS:[ESP+10],EAX ; |
00401487 |. 8B85 70FDFFFF MOV EAX,DWORD PTR SS:[EBP-290] ; |
0040148D |. 894424 0C MOV DWORD PTR SS:[ESP+C],EAX ; |
00401491 |. 8B85 74FDFFFF MOV EAX,DWORD PTR SS:[EBP-28C] ; |
00401497 |. 894424 08 MOV DWORD PTR SS:[ESP+8],EAX ; |
0040149B |. C74424 04 4E32>MOV DWORD PTR SS:[ESP+4],cm4.0040324E ; |ASCII "%X%X%X%X%X%X"
004014A3 |. 8D85 58FEFFFF LEA EAX,DWORD PTR SS:[EBP-1A8] ; |
004014A9 |. 890424 MOV DWORD PTR SS:[ESP],EAX ; |
004014AC |. E8 2F060000 CALL ; \wsprintfA
004014B1 |> 8D85 88FDFFFF LEA EAX,DWORD PTR SS:[EBP-278] ; ||
004014B7 |. 8D95 58FEFFFF LEA EDX,DWORD PTR SS:[EBP-1A8] ; ||
004014BD |. 894424 04 MOV DWORD PTR SS:[ESP+4],EAX ; ||
004014C1 |. 891424 MOV DWORD PTR SS:[ESP],EDX ; ||
004014C4 |. E8 87050000 CALL ; |\strcmp
004014C9 |. 85C0 TEST EAX,EAX ; |
004014CB |. 75 0E JNZ SHORT cm4.004014DB ; |
004014CD |. C70424 5C32400>MOV DWORD PTR SS:[ESP],cm4.0040325C ; |ASCII "That's right! Now write a small tut :)"
004014D4 |. E8 A7050000 CALL ; \printf
004014D9 |. EB 0C JMP SHORT cm4.004014E7
004014DB |> C70424 8732400>MOV DWORD PTR SS:[ESP],cm4.00403287 ; |ASCII "Nope... try again."
004014E2 |. E8 99050000 CALL ; \printf
004014E7 |> E8 D4040000 CALL ; [_getch
004014EC |. B8 00000000 MOV EAX,0
004014F1 |. C9 LEAVE
004014F2 \. C3 RETN

The good message is highlighted in green, the bad one in red, code that will give you the
bad message have red font color, and important code are highlighted in yellow.
If you look at the beginning of the code, “strlen” should get your attention because this
will determine the length of your entered password and store it in EAX. The program will
then check whether if the password length is 6 characters or not (second yellow highlighted
code) and will jump if the password length is less or greater than 6. After passing that check,
the program will XOR every character in the entered password with the appropriate hex
values (34, 78, 12, FE, DB, and 78). So if you entered in “123456” then you will get:

Password| Hex values| After XORing
1 |34| 05
2| 78| 4A
3| 12| 21
4 | FE | CA
5 | DB| EE
6| 78 | 4E

The last two yellow highlighted code is where you will see the correct hash (don’t know
if that is the correct term to use) in EAX (which is 4D11628EBE1D) and entered password
hash in EDX (which is 054A21CAEE4E in this case). A comparison is then performed with
“strcmp”. If EDX doesn’t match EAX, then you will be shown the bad message (highlighted in
red). However since now you know the correct hash, you can get the password by XORing it
with the hex values I mentioned above.

Hashed password| Hex values| After XORing
4D| 34 | 79
11 |78 | 69
62 | 12| 70
8E| FE| 70
BE| DB | 65
1D| 78 |65

796970706565 is hex for yippee, which is the correct password.

3. Thoughts: Some programs I have encountered are generally similar with what we have seen in this crackme in which the good and bad serial numbers are compared with each other before a
jump is made if they are not the same. However, some are easy to fish since the valid serial will
appear in memory (unlike in this crackme).

NTS-Crackme3 solution

2008-07-01T22:10:00.000-07:00

1. Target: NTS-Crackme3
2. Objective: Fish the correct serial number.
3. Materials: Ollydbg 1.10, ASCII lookup table
4. Method:
First, open Crackme3.exe with Ollydbg. The next step to perform is to search for all referenced text strings. Why? Because usually the good/bad message will show up (most of the time). In this case you will see, “Serial is Correct!!!” Select that line, right click, and follow in disassembler. Scroll a little bit above and you will see the code that will check whether the inputted serial number is valid or not:

004013E7 . 83F8 08 CMP EAX,8
004013EA . 75 5D JNZ SHORT Crackme3.00401449
004013EC . 807C24 09 2D CMP BYTE PTR SS:[ESP+9],2D
004013F1 . 75 56 JNZ SHORT Crackme3.00401449
004013F3 . 0FBE4C24 04 MOVSX ECX,BYTE PTR SS:[ESP+4]
004013F8 . D1E1 SHL ECX,1
004013FA . 83F9 64 CMP ECX,64
004013FD . 75 4A JNZ SHORT Crackme3.00401449
004013FF . 8A4424 0B MOV AL,BYTE PTR SS:[ESP+B]
00401403 . 84C0 TEST AL,AL
00401405 . 74 42 JE SHORT Crackme3.00401449
00401407 . 807C24 08 2B CMP BYTE PTR SS:[ESP+8],2B
0040140C . 75 3B JNZ SHORT Crackme3.00401449
0040140E . 0FBE5424 05 MOVSX EDX,BYTE PTR SS:[ESP+5]
00401413 . 83C2 0A ADD EDX,0A
00401416 . 83FA 44 CMP EDX,44
00401419 . 75 2E JNZ SHORT Crackme3.00401449
0040141B . 0FBE4424 07 MOVSX EAX,BYTE PTR SS:[ESP+7]
00401420 . 83E8 2E SUB EAX,2E
00401423 . 75 24 JNZ SHORT Crackme3.00401449
00401425 . 807C24 0A 4D CMP BYTE PTR SS:[ESP+A],4D
0040142A . 75 1D JNZ SHORT Crackme3.00401449
0040142C . 0FBE4C24 06 MOVSX ECX,BYTE PTR SS:[ESP+6]
00401431 . 83C1 0A ADD ECX,0A
00401434 . 83F9 33 CMP ECX,33
00401437 . 75 10 JNZ SHORT Crackme3.00401449
00401439 . 6A 00 PUSH 0
0040143B . 6A 00 PUSH 0
0040143D . 68 20304000 PUSH Crackme3.00403020 ; ASCII "Serial is Correct!!!"
00401442 . 8BCE MOV ECX,ESI
00401444 . E8 0D020000 CALL
00401449 > 5E POP ESI
0040144A . 83C4 10 ADD ESP,10
0040144D . C3 RETN

The first line will check if the serial is 8 characters long. If it is under or over 8 then it will take you to that destination (highlighted in red) of the jump (red text). Now set a breakpoint at the instruction at 004013EC and press F9 to run the program. Type in 12345678 and press “Check”. It will break immediately. The instruction, “CMP BYTE PTR SS:[ESP+9],2D”, will compare the 6th digit (in this case “6”(36 in hex)) with the hex 2D (which is a “-“ if you look it up in your ASCII table) . Since what you typed in is incorrect you be taken to the bad destination.

Now type in 12345-78 and press “Check”. You will break but if you step over the code (pressing F8), you will see that you will not jump bad destination yet. The next 3 lines of code checks if the 1st digit is equal to 2. 1 is 31 in hex. The instruction, “SHL ECX,1”, will just multiply that number by 2. By working backwards you can figure out that 64 / 2 = 32 (which is hex for 2). The next 2 lines of code will not do anything of the last character in the serial number, so you can put any character or digit there. The next check will see if the 5th digit is a “+” (2B in hex) or not. The code after that checks the 2nd digit. By subtracting A from 44 you get 3A in hex (“:” ASCII). The next check will involve the 4th digit by subtracting 2E from it to get 0. This means that the character at the position must be 2E in hex to pass. 2E is hex for “.” Moving on, the next check will compare the 7th digit to “M”. Finally, the last code checks the 3rd digit. To get the correct digit, subtract A from 33 to get 29 in hex. 29 is equal to “)” in ASCII.

Putting it all together, the valid serial number is: 2:).+-MX (where X can be any number or character)

When all else fails try patching. . .

2008-06-11T01:52:00.000-07:00

I have been trying to serial fish Dope Wars 2.2 (yes I know a piece of shit software that installs GAIN spyware onto your computer but good thing I installed it within VMware) because I am bored but I cannot seem to find where the correct serial appears in memory, so instead of wasting my time searching I just NOPped a single instruction to get the desired effect. It still amazes me that all that separates one from having a registered software is a single jump instruction. BTW this program is pack with PC-Guard, which is not a big deal unpacking.

Bypass Windows Genuine Advantage validation when installing WMP11

2008-06-02T02:07:00.000-07:00

I wanted to upgrade the Windows media player on a new computer with a fresh install of Windows XP. Unfortunately, I got a message thanks to Windows Genuine Advantage which prevented me from completing the install.
Well duh! Tell me something that I don't know. I was going to give up at first but then I thought about using Ollydbg to see if I can bypass this. The installation file can be extracted with WinRAR or you can search the temp directory for it (be sure that you see the message to validate it and copy the folder; if you close it then the temp file will be deleted). Anyway, Windows Media Player version 11.0.5721.5145 is the target of this post.

Open the setup_wm.exe file in Ollydbg and search for the string "LegitCheck". You should be seeing this:

01033190 |. 68 CC200001 PUSH setup_wm.010020CC ; ASCII "LegitCheck"
01033195 |. 53 PUSH EBX
01033196 |. FFD6 CALL ESI
01033198 |. 3BC7 CMP EAX,EDI
0103319A |. 74 35 JE SHORT setup_wm.010331D1 ; Will give error message
0103319C |. FFD0 CALL EAX
0103319E |. 8BF0 MOV ESI,EAX
010331A0 |. 3BF7 CMP ESI,EDI
010331A2 |. 74 23 JE SHORT setup_wm.010331C7; If equal then the installation will proceed
010331A4 |. 83FE 06 CMP ESI,6
010331A7 |. 74 1E JE SHORT setup_wm.010331C7;
010331A9 |. 56 PUSH ESI
010331AA |. 68 A4200001 PUSH setup_wm.010020A4 ; ASCII "WGA check failed with error code %d.
"
010331AF |. 6A 02 PUSH 2
010331B1 |. E8 85B10200 CALL setup_wm.0105E33B
010331B6 |. 83C4 0C ADD ESP,0C
010331B9 |. 893D 2C140801 MOV DWORD PTR DS:[108142C],EDI
010331BF |. 8935 C8130801 MOV DWORD PTR DS:[10813C8],ESI
010331C5 |. EB 0A JMP SHORT setup_wm.010331D1
010331C7 |> C705 2C140801 >MOV DWORD PTR DS:[108142C],1
010331D1 |> 53 PUSH EBX ; /hLibModule
010331D2 |. FF15 50120001 CALL DWORD PTR DS:[<&KERNEL32.FreeLibrar>; \FreeLibrary
010331D8 |. 5E POP ESI
010331D9 |. EB 0A JMP SHORT setup_wm.010331E5
010331DB |> C705 2C140801 >MOV DWORD PTR DS:[108142C],1
010331E5 |> 68 88200001 PUSH setup_wm.01002088 ; /Arg2 = 01002088 ASCII " Validation completed.
"
010331EA |. 6A 04 PUSH 4 ; |Arg1 = 00000004
010331EC |. E8 10B10200 CALL setup_wm.0105E301 ; \setup_wm.0105E301
010331F1 |. 57 PUSH EDI ; /lParam
010331F2 |. 68 90990000 PUSH 9990 ; |wParam = 9990
010331F7 |. 68 11010000 PUSH 111 ; |Message = WM_COMMAND
010331FC |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
010331FF |. FF15 B8130001 CALL DWORD PTR DS:[<&USER32.SendMessageW>; \SendMessageW
01033205 |. FF15 18160001 CALL DWORD PTR DS:[<&ole32.CoUninitializ>; ole32.CoUninitialize
0103320B |. 5F POP EDI
0103320C |. 33C0 XOR EAX,EAX
0103320E |. 5B POP EBX
0103320F |. 5D POP EBP
01033210 \. C2 0400 RETN 4

The code in orange is where searching for "LegitCheck" should take you to. The 3 JEs in red are the crucial ones that need to be patched in order to get WMP11 to install on any Windows XP (legitimate or pirated). The code in lavender is the one that will stop the installation, while the one in light blue is where you get to proceed. Anyway JE SHORT setup_wm.010331D1 can be left normal or NOPped since my machine does not cause it to jump. The first JE SHORT setup_wm.010331C7 can be changed to JMP SHORT setup_wm.010331C7 so that it will always jump to the good portion of the code. You can patch the second one also but I don't think it is necessary. So far so much for the "Genuine Advantage". I was expecting something a bit more challenging. I have seen the cracks that bypass this check in which a LegitLibM.dll file is cracked in order to achieve the same result however, I don't see any reason why the DLL file has to be cracked if the setup_wm.exe file can be simply patched. It has been a great learning experience cracking this simple file and it never ceases to amaze me that for some programs all it takes is simply patching a single line of code to get it cracked.

Analysis of CVS's online job application personality test - Part 2

2008-04-28T12:44:00.001-07:00

From Part 1, if one looks closely and analyzes the questions asks then a correlation can be observed among some of the questions. I know my method for this is informal but I went through and read each and every single question, and grouped them according to the subjects I thought they were pertaining to (I know the formatting sucks despite typing it up in Word and copying and pasting to post but please bear with me).

Interacting with People

Listening

22. People who talk all the time are annoying

27. You love to listen to people talk about themselves

Gullibility

28. Many people cannot be trusted

56. You don't believe a lot of what people say

Image

09. You don't worry about making a good impression

29. You do some things that upset people

38. You don't care if you offend people

40. You always try not to hurt people's feelings

64. You don't care what people think of you

71. You are careful not to offend people

85. You do what you want, no matter what others think

99. People's feelings are sometimes hurt by what you say

“When they start push your buttons”

14. There are some people you really can't stand

15. People do a lot of things that make you angry

46. People do a lot of annoying things

55. You ignore people you don't like

61. You ignore people's small mistakes

20. When people make mistakes, you correct them

50. You can wait patiently for a long time

77. Slow people make you impatient

80. People are often mean to you

96. You could not deal with difficult people all day

Personal Characteristics

Introversion/Extraversion

01. You love to be with people

08. You like to talk a lot

16. You like to be in the middle of a big crowd

32. It's fun to go out to events with big crowds

41. You are a fairly private person

51. You are unsure of what to say when you meet someone

69. You are unsure of yourself with new people

73. You like to be alone

75. You chat with people you don't know

78. You would rather work on a team than by yourself

81. You do not like small talk

91. You do not like to meet new people

Aggressiveness/Submissiveness

11. You say whatever is on your mind

19. You agree with people more than you argue

34. You'd rather not compete very much

70. You give direct criticism when you need to

89. You criticize people when they deserve it

Organization

02. You like to plan things before you start to do them

44. You have to give up on some things that you start

33. Your stuff is often kind of messy

65. When you go someplace, you are never late

72. You could describe yourself as 'tidy'

“Pushing your buttons”

12. You get angry more often than nervous

                        18. It bothers you a long time when someone is unfair to you

21. You swear when you argue

42. When you are annoyed with something, you say so

45. You avoid arguments as much as possible

59. You don't act polite when you don't want to

60. You show it when you are in a bad mood

74. When someone treats you badly, you ignore it

92. You are not afraid to tell someone off

Empathy

10. You would rather not get involved in other people's problems

39. You are not interested in your friends' problems

49. You know when someone is in a bad mood, even if they don't show it

63. When your friends need help, they call you first

76. Other people's feelings are their own business

79. It is easy for you to feel what others are feeling

93. You try to sense what others are thinking and feeling

Decision making

04. You think of yourself as being very sensible

48. You hate to give up if you can't solve a hard problem

68. You make more sensible choices than careless one

98. You rarely act without thinking

Work Ethic

03. You are proud of the work you do at school or on a job

05. You are more relaxed than strict about finishing things on time

07. When you need to, you take it easy at work

17. Right now, you care more about having fun than being serious at school or work

26. You work best at a slow but steady speed

31. You were absent very few days from high school

37. You have always had good behavior in school or work

52. You like to take frequent breaks when working on something difficult

53. You finish your work no matter what

58. You got mostly good grades in high school

86. It is hard to really care about work when the job is boring

88. When you are done with your work, you look for more to do

90. You sometimes thought seriously about quitting high school

94. You don't work too hard because it doesn't pay off anyway

95. You do things carefully so you don't make mistakes

Emotional Stability

06. You change from feeling happy to sad without any reason

62. Your moods are steady from day to day

Remorse

25. You have no big worries

30. You have no big regrets about your past

54. You look back and feel bad about things you've done

Misc.

24. It bothers you when you have to obey a lot of rules

97. You do not like to take orders

87. You have friends, but don't like them to be too close

23. There's no use having close friends; they always let you down

13. You have confidence in yourself

36. You do not fake being polite

57. You keep calm when under stress

67. You are always cheerful

84. You are a friendly person

100. You are somewhat of a thrill-seeker

83. Any trouble you have is your own fault

66. You get mad at yourself when you make mistakes

82. You've done your share of troublemaking

43. Your friends and family approve of the things you do

47. It is maddening when the court lets guilty criminals go free

Analysis of CVS's online job application personality test - Part 1

2008-04-28T12:28:00.001-07:00

Corporations are souless and evil. I had to take a "personality test" when applying for the pharm tech position at CVS. The test ask 100 questions to determine whether you are a liar or not. Seriously! Some questions are asked two or three different ways in order to see if you are
inconsistent. Below are the questions in the order I got them:

01. You love to be with people
02. You like to plan things before you start to do them
03. You are proud of the work you do at school or on a job
04. You think of yourself as being very sensible
05. You are more relaxed than strict about finishing things on time
06. You change from feeling happy to sad without any reason
07. When you need to, you take it easy at work
08. You like to talk a lot
09. You don't worry about making a good impression
10. You would rather not get involved in other people's problems
11. You say whatever is on your mind
12. You get angry more often than nervous
13. You have confidence in yourself
14. There are some people you really can't stand
15. People do a lot of things that make you angry
16. You like to be in the middle of a big crowd
17. Right now, you care more about having fun than being serious at school or work
18. It bothers you a long time when someone is unfair to you
19. You agree with people more than you argue
20. When people make mistakes, you correct them
21. You swear when you argue
22. People who talk all the time are annoying
23. There's no use having close friends; they always let you down
24. It bothers you when you have to obey a lot of rules
25. You have no big worries
26. You work best at a slow but steady speed
27. You love to listen to people talk about themselves
28. Many people cannot be trusted
29. You do some things that upset people
30. You have no big regrets about your past
31. You were absent very few days from high school
32. It's fun to go out to events with big crowds
33. Your stuff is often kind of messy
34. You'd rather not compete very much
36. You do not fake being polite
37. You have always had good behavior in school or work
38. You don't care if you offend people
39. You are not interested in your friends' problems
40. You always try not to hurt people's feelings
41. You are a fairly private person
42. When you are annoyed with something, you say so
43. Your friends and family approve of the things you do
44. You have to give up on some things that you start
45. You avoid arguments as much as possible
46. People do a lot of annoying things
47. It is maddening when the court lets guilty criminals go free
48. You hate to give up if you can't solve a hard problem
49. You know when someone is in a bad mood, even if they don't show it
50. You can wait patiently for a long time
51. You are unsure of what to say when you meet someone
52. You like to take frequent breaks when working on something difficult
53. You finish your work no matter what
54. You look back and feel bad about things you've done
55. You ignore people you don't like
56. You don't believe a lot of what people say
57. You keep calm when under stress
58. You got mostly good grades in high school
59. You don't act polite when you don't want to
60. You show it when you are in a bad mood
61. You ignore people's small mistakes
62. Your moods are steady from day to day
63. When your friends need help, they call you first
64. You don't care what people think of you
65. When you go someplace, you are never late
66. You get mad at yourself when you make mistakes
67. You are always cheerful
68. You make more sensible choices than careless ones
69. You are unsure of yourself with new people
70. You give direct criticism when you need to
71. You are careful not to offend people
72. You could describe yourself as 'tidy'
73. You like to be alone
74. When someone treats you badly, you ignore it
75. You chat with people you don't know
76. Other people's feelings are their own business
77. Slow people make you impatient
78. You would rather work on a team than by yourself
79. It is easy for you to feel what others are feeling
80. People are often mean to you
81. You do not like small talk
82. You've done your share of troublemaking
83. Any trouble you have is your own fault
84. You are a friendly person
85. You do what you want, no matter what others think
86. It is hard to really care about work when the job is boring
87. You have friends, but don't like them to be too close
88. When you are done with your work, you look for more to do
89. You criticize people when they deserve it
90. You sometimes thought seriously about quitting high school
91. You do not like to meet new people
92. You are not afraid to tell someone off
93. You try to sense what others are thinking and feeling
94. You don't work too hard because it doesn't pay off anyway
95. You do things carefully so you don't make mistakes
96. You could not deal with difficult people all day
97. You do not like to take orders
98. You rarely act without thinking
99. People's feelings are sometimes hurt by what you say
100. You are somewhat of a thrill-seeker

Learning C++

2008-03-31T21:31:00.000-07:00

Today was my first day of class for cs. I am finally going to learn how to program in C++.
The professor was straightforward and stated that the class is probably going to be the
one of the hardest ones. I am glad I had some informal experience programming in
TI-BASIC and understanding Intel x86 assembly language before coming into this class.
Well I hope to do some C++ programming in lab tomorrow.

Anyway, today I prepared some Vietnamese coffee using Trung
Nguyen brand instead of the usual Cafe Du Monde. It was awesome!
The aroma was a unique one. I don't know how to put it but it was a
pleasant one and not strong (I think the smell had hints of vanilla or
hazelnut even though the ingredients did not list them). It was not bitter
but I should have used a coffee filter in my strainer because it was finely
ground up. I would probably by from this again.

Still learning to crack software. . .

2008-02-26T01:11:00.000-08:00

I was feeling a bit bored today so I decided to crack another program for practice. Browsing through Neowin, I found the perfect target: Acker DVD Audio Ripper 2.0.72. Anyway, I checked it through PEiD and Exeinfo and both said that it was unpacked (MS Visual C++ 6.0) so I thought it would be straight forward. Unfortunately I was wrong. I guess the code was packed because I did not see the OEP in Ollydbg. I just press F8 a couple of times until I stumbled upon the OEP by accident. I was like "Oh Shit!" because it happen all to quick. I went over the code before the OEP and I recall seeing 'SYSENTER' but I still don't understand what is going on. I tried dumping the progam at the OEP, but a message would come up pertaining to DEP protecting me from bad programs. While stepping through the code, I saw "Blowfish" near the area where I think the serial key is checked. I then decided to stop looking for the algorithm because the encryption is out of my league. Instead I decided to patch the program so that it would accept any serial number (whether valid or invalid). I was partially successful because it did change the behavior of the program (before entering the serial, I had a nag screen telling me that it was a trial when I press "Convert"; "Unregistered" was removed) but the effects were temporary. Closing the program and opening it up again would
take it back to being unregistered. I assume the program stores the serial number and checks if
it is valid or not when opening the program. Right now I cannot find that check unless there is something wrong with my assumption.

Getting Itunes to run in Ollydbg

2008-02-25T02:35:00.000-08:00

Target: Apple Itunes 7.6.1.9
Tools: Ollydbg, PEiD v0.94, Exeinfo PE v0.0.1.8, and brain :p

PEiD reports that the Itunes executable is not packed, while Exeinfo confirms that with the feedback of "MS Visual C++ v8.0/Visual Studio 2005". This just makes my job easier because I do not know how to unpack a file yet. Anyway, if one searches the APIs then they will find that there are 3 calls made to "IsDebuggerPresent" in Itunes. This means that Apple does not want others to reverse engineer Itunes using a debugger. If a debugger is detected then the program will close (those preventing further debugging).

However what is more interesting about Itunes is that it checks specifically for SoftICE (a cracker's favorite tool) by searching for the registry keys.

Now lets get down and dirty with some code:

IsDebuggerPresent references:
Address=004192F5
Disassembly=CALL DWORD PTR DS:[<&KERNEL32.IsDebuggerPresent>]
Destination=kernel32.IsDebuggerPresent

Address=011A4AFC
Disassembly=CALL DWORD PTR DS:[<&KERNEL32.IsDebuggerPresent>]
Destination=kernel32.IsDebuggerPresent

Address=011B0591
Disassembly=CALL DWORD PTR DS:[<&KERNEL32.IsDebuggerPresent>]
Destination=kernel32.IsDebuggerPresent
1st IsDebuggerPresent
004192E0 /$ E8 CBFDFFFF CALL iTunes.004190B0
004192E5 |. 84C0 TEST AL,AL
004192E7 |. 74 03 JE SHORT iTunes.004192EC
004192E9 |> B0 01 MOV AL,1
004192EB |. C3 RETN
004192EC |> E8 3FFEFFFF CALL iTunes.00419130
004192F1 |. 84C0 TEST AL,AL
004192F3 |.^75 F4 JNZ SHORT iTunes.004192E9
004192F5 |. FF15 C8451E01 CALL DWORD PTR DS:[<&KERNEL32.IsDebugger>; [IsDebuggerPresent
004192FB |. 85C0 TEST EAX,EAX
004192FD |. 0F95C0 SETNE AL
00419300 \. C3 RETN

2nd one
011A4A52 /$ 55 PUSH EBP
011A4A53 |. 8DAC24 58FDFFF>LEA EBP,DWORD PTR SS:[ESP-2A8]
011A4A5A |. 81EC 28030000 SUB ESP,328
011A4A60 |. A1 6CBE6301 MOV EAX,DWORD PTR DS:[163BE6C]
011A4A65 |. 33C5 XOR EAX,EBP
.
.
.
.
011A4AEF |. C745 80 0D0000>MOV DWORD PTR SS:[EBP-80],C000000D
011A4AF6 |. 8975 8C MOV DWORD PTR SS:[EBP-74],ESI
011A4AF9 |. 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
011A4AFC |. FF15 C8451E01 CALL DWORD PTR DS:[<&KERNEL32.IsDebugger>; [IsDebuggerPresent

3rd one
011B04D8 /> 55 PUSH EBP
011B04D9 |. 8BEC MOV EBP,ESP
011B04DB |. 81EC 28030000 SUB ESP,328

011B052E |. 9C PUSHFD
011B052F |. 8F05 906D7401 POP DWORD PTR DS:[1746D90]
.
.
.
011B0591 |. FF15 C8451E01 CALL DWORD PTR DS:[<&KERNEL32.IsDebugger>; [IsDebuggerPresent

All of the calls to that API leads to this code:
IsDebuggerPresent API leads to this:
7C8130B3 > 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
7C8130B9 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]
7C8130BC 0FB640 02 MOVZX EAX,BYTE PTR DS:[EAX+2]
7C8130C0 C3 RETN

This code basically sets EAX to 1 if Itunes is being debugged.

The "Main trunk":
004F9700 /$ 56 PUSH ESI
004F9701 |. FF15 C4431E01 CALL DWORD PTR DS:[<&KERNEL32.GetTickCount>] ; [GetTickCount
004F9707 |. 8BF0 MOV ESI,EAX
004F9709 |. A1 F8306501 MOV EAX,DWORD PTR DS:[16530F8]
004F970E |. 05 60EA0000 ADD EAX,0EA60
004F9713 |. 3BF0 CMP ESI,EAX
004F9715 |. 76 17 JBE SHORT iTunes.004F972E
004F9717 |. E8 C4FBF1FF CALL iTunes.004192E0
004F971C |. 84C0 TEST AL,AL
004F971E |. 74 08 JE SHORT iTunes.004F9728
004F9720 |. 6A 00 PUSH 0 ; /ExitCode = 0
004F9722 |. FF15 B8431E01 CALL DWORD PTR DS:[<&KERNEL32.ExitProcess>] ; \ExitProcess
004F9728 |> 8935 F8306501 MOV DWORD PTR DS:[16530F8],ESI
004F972E |> 5E POP ESI
004F972F \. C3 RETN

This portion of code is where I see one of the three debug check is being used (I have not seen the other two being used actively yet) in which the call in bold refers to the first IsDebuggerPresent code listed. I believe Apple uses another check to see if the program is being debugged by using the "GetTickCount" API. I am able to get Itunes running more or less after NOPing the code at 004F9701 and the three IsDebuggerPresent calls. As for the SoftICE check:

Check for SoftICE registry keys
00419130 /$ 81EC A4040000 SUB ESP,4A4
00419136 |. A1 6CBE6301 MOV EAX,DWORD PTR DS:[163BE6C]
0041913B |. 33C4 XOR EAX,ESP
0041913D |. 898424 A004000>MOV DWORD PTR SS:[ESP+4A0],EAX
00419144 |. A1 CC802D01 MOV EAX,DWORD PTR DS:[12D80CC]
00419149 |. 53 PUSH EBX
0041914A |. 50 PUSH EAX
0041914B |. 8D5C24 48 LEA EBX,DWORD PTR SS:[ESP+48]
0041914F |. E8 CCFEFFFF CALL iTunes.00419020
00419154 |. 83C4 04 ADD ESP,4
00419157 |. 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+4]
0041915B |. 51 PUSH ECX ; /pHandle
0041915C |. 6A 01 PUSH 1 ; |Access = KEY_QUERY_VALUE
0041915E |. 6A 00 PUSH 0 ; |Reserved = 0
00419160 |. 8BD3 MOV EDX,EBX ; |
00419162 |. 52 PUSH EDX ; |Subkey
00419163 |. 68 02000080 PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00419168 |. FF15 0C401E01 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyExW
0041916E |. 85C0 TEST EAX,EAX
00419170 |. 74 18 JE SHORT iTunes.0041918A

This first portion checks to see if the key (it has a folder icon) "Software/Numega/SoftICE/" is present. If it is not then the code does not jump to VA=0041918A, however I created a registry key that matches the one in the check and it jumps to the next portion of code listed below.

If registry key value pertaining to SoftICE is found then it will jump here:
0041918A |> A1 D0802D01 MOV EAX,DWORD PTR DS:[12D80D0]
0041918F |. 56 PUSH ESI
00419190 |. 50 PUSH EAX
00419191 |. 8D5C24 4C LEA EBX,DWORD PTR SS:[ESP+4C]
00419195 |. E8 86FEFFFF CALL iTunes.00419020
0041919A |. 83C4 04 ADD ESP,4
0041919D |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
004191A1 |. 51 PUSH ECX ; /pBufSize
004191A2 |. 8D9424 A402000>LEA EDX,DWORD PTR SS:[ESP+2A4] ; |
004191A9 |. 52 PUSH EDX ; |Buffer
004191AA |. 8B5424 10 MOV EDX,DWORD PTR SS:[ESP+10] ; |
004191AE |. 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18] ; |
004191B2 |. 50 PUSH EAX ; |pValueType
004191B3 |. 6A 00 PUSH 0 ; |Reserved = NULL
004191B5 |. 8BCB MOV ECX,EBX ; |
004191B7 |. 51 PUSH ECX ; |ValueName
004191B8 |. 52 PUSH EDX ; |hKey
004191B9 |. C74424 24 0401>MOV DWORD PTR SS:[ESP+24],104 ; |
004191C1 |. FF15 10401E01 CALL DWORD PTR DS:[<&ADVAPI32.RegQueryVa>; \RegQueryValueExW
004191C7 |. 8BF0 MOV ESI,EAX
004191C9 |. 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
004191CD |. 50 PUSH EAX ; /hKey
004191CE |. FF15 14401E01 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
004191D4 |. 85F6 TEST ESI,ESI
004191D6 |. 74 19 JE SHORT iTunes.004191F1
004191D8 |. 5E POP ESI
004191D9 |. 32C0 XOR AL,AL
004191DB |. 5B POP EBX
004191DC |. 8B8C24 A004000>MOV ECX,DWORD PTR SS:[ESP+4A0]
004191E3 |. 33CC XOR ECX,ESP
004191E5 |. E8 5589D800 CALL iTunes.011A1B3F
004191EA |. 81C4 A4040000 ADD ESP,4A4
004191F0 |. C3 RETN

I am not really sure what it does but I remember seeing "InstallDir" in one of the registers, so I guess this code looks to where it is installed. Of course, there is none so I did not get to explore what happens if SoftICE was present.

So far to run this version of Itunes in Ollydbg one must:
1 - NOP first call to "IsDebuggerPresent"
2 - NOP the "GetTickCount" in the "Main trunk" code
* I am not sure but I also changed CMP ESI,EAX to CMP ESI,ESI in the "Main trunk" code before figuring out the GetTickCount API.

How to Properly Leech Someone Else's Wireless Connection

2008-02-07T11:54:00.000-08:00

I guess this deserve its own entry. Anyway, just posting about Netstumbler brings back those memories of the days in which I would scan for unencrypted access points and connect to use the internet for free. Yeah I know it may be unethical and illegal but I honestly don't give a fuck. It is kind of pathetic reading news of the idiots that do get caught. It doesn't take a moron to figure out how to connect to an AP with a wireless enabled laptop. Anyway, I am not surprise when I connect to an unencrypted AP and was able to access the router settings page because the owner did not change the default password. What I discovered from going through the settings is that there is a DHCP client list where one can access and find out who's connected to the router. The computer name and MAC address of the wireless card of the users connected is shown in the list. This prompted me to think that leeching off someone's wireless may leave tracks. I developed a set of protocol to cover my tracks when connecting to an unencrypted AP.

1. Have a running firewall and latest updates and patches.
2. Change the computer name to something random (requires a restart).
3. Use Technitium MAC Address Changer to spoof or get a random mac address for the wireless adapter.
4. Connect to the unencrypted wireless AP and do not login to sites (email, financial, etc) or IM.
5. Disconnect from AP when done surfing and change the MAC and computer name again.

I believe this way will make it hard to trace (I am refraining from using "untraceable") .

Cracking Netstumbler

2008-02-07T11:17:00.000-08:00

I remember using Netstumbler when I first got my Toshiba laptop (may it rest in peace) back in 2004. What annoyed me was the fact that I could not connect to the internet while using it. I later found out that the Wireless Zero Configuration service is disabled on purpose so that "no one may accidentally connect to a legal access point while NetStumbler is running". Yes I am aware that this has been bypassed in "How-To: Hack NetStumbler 0.4.0 to Enable Wireless Zero Configuration" but I wanted to understand what was going on instead of just blindly following some instructions to hex edit Netstumbler. So used Ollydbg on NS and I eventually came across the code the turns off the service.

0041457B 74 1E JE SHORT NetStumb.0041459B
0041457D . 68 00000FA0 PUSH A00F0000
00414582 68 AC874300 PUSH NetStumb.004387AC ; ASCII "wzcsvc"
00414587 . 56 PUSH ESI
00414588 . FF15 24604300 CALL DWORD PTR DS:[<&ADVAPI32.OpenServiceA>] ; ADVAPI32.OpenServiceA
0041458E . 56 PUSH ESI
0041458F . 8985 78050000 MOV DWORD PTR SS:[EBP+578],EAX
00414595 . FF15 28604300 CALL DWORD PTR DS:[<&ADVAPI32.CloseServiceHandle>]; ADVAPI32.CloseServiceHandle
0041459B > 6A 04 PUSH 4

"Wzcsvc" refers to the "Wireless Zero Configuration SerViCe". The api, CloseServiceHandle, is a dead giveaway and a quick search on Microsoft reveals that this "Closes a handle to a service control manager or service object". So to prevent NS from closing it, all I did was to change the "JE" to "JMP". I was able to verify that the service was still running with NS however I was unable to test it since I do not have a wireless card.

Before: 0041457B JE SHORT NetStumb.0041459B
After: 0041457B JMP SHORT NetStumb.0041459B

RANT:
Netstumbler is a piece of shit. Kismet is better.

2008-02-04T20:34:00.000-08:00

Lately I have been trying to RE this game called Dopewars or Drugwars (forgot the exact title but it installs spyware onto the system). It is protected with PC-Guard and I was able to manually unpack it but I cannot find the serial algorithm yet.

Anyway, I really regret choosing biosci as my major (should've picked computer science). I guess I have to live with the choices I make. Wished I listened to my father closely and not let my mother influence the major I picked. He did warn me that with a bio degree that you can only be a lab tech. The job prospects don't look too good with a bio degree. I am thinking about going back to college to get a degree in computer science or electrical engineering (like father like son). I can't believe that I made the same mistake like my father.

Starcraft CD-key algorithm explained

2008-01-13T22:03:00.000-08:00

Fig. 1 - Invalid key

Fig. 2 - Valid key

Fig. 3 - Success!

Requirements:
1. Ollydbg
2. Starcraft CD v1.0
3. Knowledge of x86 assembly langauage and hexadecimal

I began by opening the INSTALL.EXE with Ollydbg (it took some time because of the size of the file). After setting some breakpoints and tracing through the code I eventually found the algorithm.
Here is the code with comments:

0040F8DE | >B8 03000000 MOV EAX,3
0040F8E3 | .33D2 XOR EDX,EDX

0040F8E5 |> 8A0C32 /MOV CL,BYTE PTR DS:[EDX+ESI]; Take left most unprocessed number.
0040F8E8 |. 80F9 30 |CMP CL,30; Checks if inputted character is a number
0040F8EB |. 7C 53 |JL SHORT INSTALL.0040F940; if not then give error message.
0040F8ED |. 80F9 39 |CMP CL,39
0040F8F0 |. 7F 4E |JG SHORT INSTALL.0040F940; Same as above.
0040F8F2 |. 0FBEC9 |MOVSX ECX,CL; Stores the number in ECX in hexadecimal.
0040F8F5 |. 8D3C00 |LEA EDI,DWORD PTR DS:[EAX+EAX]
0040F8F8 |. 83E9 30 |SUB ECX,30; Converts the number to decimal.
0040F8FB |. 33F9 |XOR EDI,ECX
0040F8FD |. 03C7 |ADD EAX,EDI
0040F8FF |. 42 |INC EDX
0040F900 |. 83FA 0C |CMP EDX,0C; Is EDX=12?
0040F903 |.^72 E0 \JB SHORT INSTALL.0040F8E5; Keep on doing this for the 12 numbers.
0040F905 |. 33D2 XOR EDX,EDX; EDX=0
0040F907 |. B9 0A000000 MOV ECX,0A; ECX=10
0040F90C |. F7F1 DIV ECX; EAX is divided by ECX and the remainder is put into DL.
0040F90E |. 0FBE46 0C MOVSX EAX,BYTE PTR DS:[ESI+C]; EAX=last number of CD-key
0040F912 |. 0FBED2 MOVSX EDX,DL; EDX=whatever DL was
0040F915 |. 83C2 30 ADD EDX,30; This converts the number in EDX into hex.
0040F918 |. 3BC2 CMP EAX,EDX; Is EAX=EDX?
0040F91A |. 74 1C JE SHORT INSTALL.0040F938; Go here if CD-key is valid.
0040F91C |. 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
0040F920 |. 51 PUSH ECX
0040F921 |. 68 59020000 PUSH 259
0040F926 |. 68 58020000 PUSH 258
0040F92B |. E8 A034FFFF CALL INSTALL.00402DD0

Example: Determine X to make 1111-11111-111X a valid key?
EAX0=3
ECXn= nth digit of serial number
EDIn=(EAXn-1 * 2) XOR ECXn
EAXn=EDIn + EAXn-1
n=1 EDI1=7, EAX1=A
n=2 EDI2=15, EAX2=1F
. . .
n=12 EDI12=12EBDD, EAX12=1C61CB
1C61CB (hex) = 1860043 (decimal). Divide by A (hex) or 10 (decimal)and the remainder is 3. So X=3. Valid key is 1111-11111-1113

Discussion:
Fortunately, the file is not packed (I am in the process of learning how to unpack). This program is an example of when serial fishing does not work. The key is 13 digits long (formatted as: XXXX-XXXXX-XXXX) with the first 12 digits starting from the left being used to determine the 13th digit. If the 13th digit is correct then installation proceeds else there is an error message. If one where to "lose" the CD-key, then it is possible to randomly put in the first 12 digits while trying all digits 0 through 9 for the 13th one.
For example:
1234-56789-1231 - incorrect!
1234-56789-1232 - incorrect!
1234-56789-1233 - incorrect!
1234-56789-1234 - correct! (this one is floating around on the Internet)
The algorithm is quite simple and I was able to calculate a valid key with nothing more than a piece of paper, pen, and trusty TI-36X Solar calculator. Sadly, I don't have much experience in programming or know any language like C++ but I bet someone reading this can quickly code a keygen.

UPDATE - 08JUNE2008
I took an introductory class on C++ programming but I am too tired at the moment to think of the a keygen code, instead I'll post the code in TI-89 BASIC which will ask you for the first 12 digits.

Draft
sckeygen()
Prgm
3->eax
0->edx
Request "serial: ", s
s->g
Lbl top
expr(left(g,1))->ecx
shift(g,1)->g
eax*2 xor ecx->edi
eax+edi->eax
edx+1->edx
If edx=12 Then
remain(eax,10)->a
Disp expr(s)*string(a)
Else
Goto top
EndIf
EndPrgm

The above keygen has some rough edges that still need to be smoothed out. The one below will randomly generate digits 1 through 12.

FINAL
sckeygen()
Prgm
3->eax
0->edx
""->s
For i,1,12
string(remain(rand(10),10))-&s>s
EndFor
s->g
Lbl top
expr(left(g,1))->ecx
shift(g,1)->g
eax*2 xor ecx->edi
eax+edi->eax
edx+1->edx
If edx=12 Then
remain(eax,10)->a
Disp mid(s,1,4)&"-"&mid(s,5,5)&"-"&mid(s,10,3)&string(a)
Else
Goto top
EndIf
EndPrgm

C++ Source code

// SC_keygen.cpp : main project file.

#include "stdafx.h"
#include <iostream>

#include <iso646.h>
#include <stdlib.h>
#include <ctime>
#include <vector>
using namespace std;

void generate(vector<int>& s, int& x, int& d)
{

 //Stores random digits 0-9 in a vector
 for (int i = 0; i < 12; i++)
 {

  s[i] = rand() % 10;
 }

 //Main algorithm
 for(int i = 0; i < 12; i++)
 {

  d = (2 * x) xor s[i];

  x = x + d;
 }
 x = x % 10;

 for(int i = 0; i < 12; i++)
 {

  if(i==4)
  {
   cout << '-' << s[i];
  }

  else if (i==9)
  {
   cout << '-' << s[i];
  }

  else cout<<s[i];
 }
 cout << x;
 x=3;

 d=0;
}
int main()
{
 srand(static_cast<int>(time(0)));

 vector<int> serial(12);
 int eax = 3;

 int edi = 0;
 int a;
 bool no_quit = true;

 
 cout << "Starcraft CD keygen\n";
 generate(serial,eax,edi);

 do
 {
  cout << "\nGenerate another one? (yes=1/no=0)";
        cin >> a;

  if (a==1) generate(serial,eax,edi);

  else no_quit=false;
 }
 while(no_quit);
    return 0;
}