May 2001

"Melody V 1.52"
Win Code Reversing
by Hoof Arted 
Code Reversing For Beginners 
Program Details
Program Name: Melody_Setup.exe
Program Type: Audio Playback Utility
Program Location: Here 
Program Size: 501 K 


Tools Used:

OllyDbg 1.03 - Debugger

Windows Calculator - My math sux



Easy ( X )  Medium (   )  Hard (    )  Pro (    ) 

    Melody v 1.52

Written by Hoof Arted (Hoof's Workshop)


I don't know what this application can and cannot be used for but I want to use it in this tutorial to demonstrate various Name & Serial calculation techniques. I seldom want the applications that I crack as this does not create desperation to crack something. Besides, if you really need / want it, then someone else also needs it and there will already be a crack out there. This is just for learning and I do not expect anyone to be using this to crack the software because they need it. Have fun. 

About this protection system
Not very much to this protection scheme, but I want to illustrate the need to use the same Fake Name and Serial and how these can be spotted while you are cracking. Knowing a bit about HEX and the ASCII table is a must. There is no file protection / compression at all.
The Essay 

Download the target and let's get started.

Install the application and run it. It is quite refreshing to see an application that does not conform to the usual windowz style of appearance. They have spent some time on this application, pity that they did not do the same on their serial generation. Maybe they enjoy writing the app as much as we enjoy cracking them? Oh well, enough of that. Click the question mark to open the About box and click the "Register your copy now!" button. Enter a Name and Serial (I use "Hoof Arted" and "77777777", my lucky sevens) and press enter. Click OK and a message box pops up saying "Invalide (sic) registration name or code." Now we know what we need to do to make this baby ours.

Close the app and fire up Ollydbg. Open and analyse the app. Press F9 to run it and go back to the registration screen. Enter your Name and Serial again but do not press OK yet. We know what the message is when we get it wrong, so now we need to find it in Ollydbg. Now, in Olly, press Alt+E to open the modules window. Select the exe module, right click the highlighted line and select "View resource strings". Strange, the string we want is not there. I have noticed that Ollydbg does not show all possible strings, so we will need to do a little searching. In the main Olly window, highlight the very first line of code @401000 (searches are done top down). Right click and select "Search for" and select "Binary string". In the ASCII field, enter the word "Invalide" and click OK.

Olly should jump to and highlight the line 447504. Kewl, so it is here, but where is it used? Right click the line and select "Find references to" and then "selected address". A window appears showing where this is used. Right click on the top line (there are only two) and select "follow in disassembler". In the main window, place a breakpoint at line 447456 by pressing F2. We need to find the code that calls this section of the app, so right click again and again select "Find references" and "selected address". Two lines are shown. One is the line we were just at, the other is a JNZ. Interesting. Right click the JNZ and show it in the disassembler. 447387 is highlighted. We are not interested in this line; the one above it is what catches my eye. Set a breakpoint on the line

00447384 |. 3B75 FC CMP ESI,[LOCAL.1]

and set a breakpoint on the line just after the CALL.

0044737B |. 8BD0 MOV EDX,EAX

Back in the Melody app, click the OK button. We stop at our first breakpoint. Have a look at the registers. For me, EAX = 39C. Interesting. This looks like the number that it is working with. Press F9 to continue running and we stop at the next breakpoint. The app is comparing two codes. For me it is 4A2CB7 and 1D19C. I recognize the first number. It is my serial, 77777777 in HEX. (Get to know your serial well.) OK, so that should mean that if we convert 1D19C to decimal, then that is our true serial. Job done..... well, not really. The reason we are doing this is to learn how it works, not steal their software.

I have a suspicion that the actual serial calculation is done in the 5 lines that we have just run through. For me, EAX = 39C. This is the HEX total you get if you add the ASCII values of all the characters in my username together.

This is how the code is created:

0044737B |. 8BD0     MOV EDX,EAX         ; Copy EAX to EDX
0044737D |. C1E0 07  SHL EAX,7           ; Shift left 7 bits (multiply by 80h)
00447380 |. 03C2     ADD EAX,EDX         ; Add username total to EAX
00447382 |. 8BF0     MOV ESI,EAX         ; Keep the result in ESI
00447384 |. 3B75 FC  CMP ESI,[LOCAL.1]   ; Compare them.

For some of you the SHL (Shift Left) command might be a little hard to get at first, but it is really easy. This command is the bit level manipulation of numbers and can be used to speed up calculation. To demonstrate, if you used the username of "1", your EAX value will be 31. In your calculator, enter the hex value 31. Multiply this by 100h and you will see that the result you have is the same as that of EAX after the line 44737D has executed. The SHL, SHR, ROR and ROL commands can be confusing. There are many tutorials out there that will provide more info on this.
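Added example (not part of the original essay): a small C model of the 32-bit SHL, SHR, ROL and ROR instructions mentioned above, applied to the 31h value from the text and to a constructed value with its top bits set. A left shift by n multiplies by 2^n (80h for n = 7) as long as no set bits are pushed out of the register; the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Helper names are this example's own. For 32-bit operands the CPU
 * uses only the low 5 bits of the count, hence the "& 31". */
static uint32_t shl32(uint32_t x, unsigned n) { return x << (n & 31); }
static uint32_t shr32(uint32_t x, unsigned n) { return x >> (n & 31); }

/* Rotates feed the bits that fall off one end back in at the other. */
static uint32_t rol32(uint32_t x, unsigned n)
{
    n &= 31;
    return n ? (x << n) | (x >> (32 - n)) : x;
}

static uint32_t ror32(uint32_t x, unsigned n)
{
    n &= 31;
    return n ? (x >> n) | (x << (32 - n)) : x;
}

static void show(const char *op, uint32_t in, uint32_t out)
{
    printf("%s %08lX,7 = %08lX\n", op, (unsigned long)in, (unsigned long)out);
}

int main(void)
{
    uint32_t small = 0x31;        /* ASCII '1', the value used in the text */
    uint32_t high  = 0x81000031;  /* constructed value with top bits set   */

    show("SHL", small, shl32(small, 7));                  /* 31h * 80h      */
    show("SHR", shl32(small, 7), shr32(shl32(small, 7), 7));
    show("SHL", high, shl32(high, 7));                    /* top bits lost  */
    show("ROL", high, rol32(high, 7));                    /* top bits wrap  */
    show("ROR", rol32(high, 7), ror32(rol32(high, 7), 7)); /* undoes the ROL */
    return 0;
}
```

A shift is only reversible while nothing falls off the end of the register, whereas a rotate can always be undone by rotating the other way.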

The Crack 
There is none.
Final Notes 
I hope that I have not gone too fast. I know that there are many things to learn when you first get started. Keep at it. It takes time. 

Thanks to The Sandman (Hope this has not pissed you off too much), and the OllyDbg crew. 

Ob Duh 
Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses will continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges to breaking their often weak protection systems.

Essay by:          Hoof Arted (Hoof's Workshop)
Page Created: 04 May 2001