Tutorial #3


tARGET pROGRAM:                   QControl 1.01

pROTECTION:                           Registration Number

cURE:                                       Registration Number and KeyGen

uRL:                                         http://www.andtechnologies.com/

pROGRAM sIZE:                        1.01 Mb

tOOLS uSED:                            - SoftICE 4.01

- Delphi 3.0

dESCRIPTION:                          Qcontrol is a Win32 program which allows you to manage print queues/jobs on microsoft Windows and Novell NetWare

networks. You can access all printers/queues from a central, browsable administration point which you can quickly navigate, and you don't need to install drivers on your desktop in order to be able to manage jobs on all of your printers.

cOMPILED bY:                          Watcom C++

rEGISTRATION fEE:                   $195


 Hi Again! I hope you will enjoy my third TuT and helps you learn more!

 

ĥĤĴ| Register The Program

 `ŻŻŻ'ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ'ŻŻŻŻ´

First

- Install the program.

- Run it ! Now, Go Utility/Register and put your company name and a fake registration number.

I entred:  Company Name:

                        tBS '99

           Registration Number:

                        11223344

 

DO NOT PRESS OK YET!!!, Press CTRL-D, Type bpx GetDlgItemTextA to break when that function is called. CTRL-D again or F5 to return to QC. Click on " oK ". Bang! now we should look at the funny SI window, press F12 two times and trace with F10 a bit till you land here...

 

 

:0041013D 0FB705483B4300      movzx eax, word ptr [00433B48]      <-- Calculat & Put Bt of our company name in EAX

:00410144 8945F0              mov dword ptr [ebp-10], eax         <-- Put Bt in EBP-10

:00410147 C745F400000000      mov [ebp-0C], 00000000              <-- Emptying the place for the serial

:0041014E C705245B4300483B4300mov dword ptr [00435B24], 00433B48  <-- Useless

:00410158 A1245B4300          mov eax, dword ptr [00435B24]       <-- Put our company name in EAX

:0041015D 803800              cmp byte ptr [eax], 00              <-- Check if we entered nothing or if we are at the end of the company name

:00410160 7416                jz 00410178                         <-- if equal jump

:00410162 A1245B4300          mov eax, dword ptr [00435B24]       <-- Useless (repetition with line 00410158)

:00410167 0FB600              movzx eax, byte ptr [eax]           <-- Put the 1st char in EAX 't'

:0041016A 6BC049              imul eax,eax,49                     <-- Multiplies EAX with 49h

:0041016D 0145F4              add dword ptr [ebp-0C], eax         <-- Put & add the result in EBP-0C

:00410170 FF05245B4300        inc dword ptr [00435B24]            <-- Increment position of the company name to 'B'

:00410176 EBE0                jmp 00410158                        <-- Just redo it (there is no condition)

:00410178 8B45F4              mov eax, dword ptr [ebp-0C]         <-- Put the result of the total multiplication of our company name in EAX

:0041017B 0FAF45F0            imul eax, dword ptr [ebp-10]        <-- Multiplies again, this time with 'Bt' and put the real serial in EAX

:0041017F 8945F4              mov dword ptr [ebp-0C], eax         <-- Put the real serial in EBP-0C

:00410182 8B45F4              mov eax, dword ptr [ebp-0C]         <-- Useless (repetition again Arghh!!)

:00410185 50                  push eax                            <-- Save the real serial into the stack

 

 

After this code there are some pushs & movs so let's us suppose the line 0041017B is the last one in the serial creation routine, so do a ? EAX and write down the decimal one "middle part

214F4928  0558844200  "!OI("

this

 

Go to QC, type it! :( what's wrong with that, Hmmm !!! think a little bit, let's try the Hex numbers

214F4928  0558844200  "!OI("

     this

 

Go to QC, type it! Yeah!! it's says 'thank you for registering', you've just cracked it.

(note that the letters in the serial must be Capital ones)

 

Wow! You see that is very easy protection, this TuT is to show you a little of how to use intuition when reverse-engineering a program. It might be wise to periodically check on the decimal or hex values that the registers hold. But anyway there is another job for us is the DeathBlow.

 

in line    00410167 EAX               <= 116                         // t is 116 dec                ;EAX=116

            0041016A EAX               <= 116 * 73                  // 49h is 73 dec              ;EAX=8468

            0041016D EBP-0C          <= EBP-0C + 8468         // EBP-0C = 0                ;EBP-0C=8468

            00410170 Inc by 1 to reach B

            00410176 redo

 

 

repeat it until the end of the company name                       // EBP-0C = 32850

in line 0041017B EAX=32850 * EBP-10                               // EBP-10 = Bt             ;Bt is 17012 dec  ;EAX=558844200

 

so if we convert it to hex, it will look like this 214F4928

Now! we have all the rules to make a KeyGen. Here is my source code for delphi but before...

                

 

1ĝ) Create a form

2ĝ) Create two edit boxes, 1st for Company name and the 2nd for the registration number

3ĝ) Click on the 1st edit box in the form

4ĝ) Go to events in Object Inspector

5ĝ) Dbl Click on the right side of OnKeyUp , you should be between begin and end, right! please if not try again!

6ĝ) Copy/paste this code

7ĝ) Delete the first begin wish came after: procedure TOKBottomDlg.Edit1KeyUp(Sender: TObject; var Key: word; Shift: TShiftState);

 

So, there is no button, Esc to quit and for the Reg Num just type what do you want!


 

The KeyGen:

`ŻŻŻ'ŻŻŻŻŻŻŻ´

 

----------------------Cut Here--------------------------------------------------------------------------------------------

 

var

  CNValue      : LongInt;

  CNValue1     : LongInt;

  Serial       : LongInt;

  L,position   : Byte;

 

 

  begin

        if key<>vk_escape then                                                                // Detect if any key was pressed except the Escape key

        begin

        L:=length(edit1.text);                                                                     // What's the length of our company name

        if l=0 then edit2.text:='Please Enter Your Company Name'            // If equal to 0 then write a message

        else                                                                                              // Else continue

        begin

        CNValue1:=0;

        position:=1;

 

            While position <= L do

               begin

                  CNValue:= Ord(edit1.text[position])* $49;

              CNValue1:=CNValue1+CNValue;

              position:=position+1;

           end;

 

           CNValue:= Ord(Edit1.Text[2]);                                                 // This four lines reverse the 1st two chars

           Serial:=CNValue * 256;                                                            // of the Company Name,

           CNValue:= Ord(Edit1.Text[1]);                                                 // and convert them

           Serial:=Serial + CNValue;                                                         // to Decimal Value

           Serial:=CNValue1 * Serial;

           edit2.text:=inttohex((Serial),8);                                                   // Prints the serial in hex format with eight Digits

 

      end;

      end

      else close;                                                                                       // If Esc key was pressed then Quit

----------------------Cut Here-----------------------------------------------------------------------------------------------


 

ĥĤĴ| Ending:

`ŻŻŻŻŻŻŻŻŻŻŻ´

Well, that's that. I hope you could follow it all, For any comments or if there's anything that I didn't explain too well then don't hesitate to mail me at: tBS@iquebec.com.

 

 

 

Greetingz to:

tKC , Northpole , Styx2000 , WaVeR`, DyNoBrEmO , Ivanopulo , rEd , schUmU , DaVinci , Nitallica , LagPRO , Socko , Fli7e , DnNuke, TDVFR ,

MonoMeow.