Win32 Code Reversing
Program Name:BlowFish v2.2
Program Type: Encryption Utility
Program Location: [ here ]
Program Size: 253 kb
W32Dasm - Win'95/98 Disassembler
Softice V4.X - Debugger
Hex-Editor - Any (optional)
"A Crack will never die as long as the Cracker still lives"
Cracking A Win32 Web
('Simple Protection, Simple Sniff Out')
Written by Bengaly
BlowFish 2000 is a small, easy to use, file encryption utility. Simply drag and drop files and folders to quickly protect your sensitive documents, and then enter an encryption key to encode and decode the files you want to protect from prying eyes. You can also select files to be encrypted using the MS Windows Explorer right-click method.
Drag and Drop Files.
Files and folders can be quickly selected for encryption and decryption by simply dragging them to the desired file list windows.
MS Windows Explorer Encryption
Files can also be quickly encrypted and decrypted directly from the MS Windows File Explorer.
Simply select the files to be processed and then right-click your mouse to display a pop-up context menu. Specify either Encrypt with BlowFish or Decrypt with BlowFish on the Send To menu.
About this protection
This program is registered by selecting the 'Help' button, then
the 'Register' button.
On successful registration the program will save your user name/serial in
HKEY_CURRENT_USER/Software/Software By Design/BlowFish 2000/Registration
Name: 3404118051 <-- this is generated by the program! (it stores the serial as a hex value: cae6b823)
If you want to use this software, please buy it. It costs $25, the program is very good, please support it!
Hello and welcome to my 28th tutorial.
Software By Design has a lot of software
on their page that uses the same protection, but only the
serial generator is different... Not so hard to keygen as well...
OK so let us begin this essay.
Run BlowFish..enter the Help->Register...
We will see the Info Boxes we need to Fill Out.
So let's fill them.
User Name: Bengaly
Now we will open Soft-Ice in order to trace
the whole thing.
OK... Open up Sice (CTRL+D) and type 'BPX GETDLGITEMTEXTA'.
Now we will exit Sice... press F5 or type X or press Ctrl+D again.
Click the OK button and Sice pops up.
ECX=80008790 EDX=80008DE0 ESI=0042A3D0
EDI=0042A402 EBP=00000F3C ESP=0066F7E0 EIP=004106A1 o d I S z a P c
CS=0177 DS=017F SS=017F ES=017F FS=12D7 GS=0000
0177:0041069B CALL [USER32!GetDlgItemTextA]
0177:004106A1 POP EDI ; We Land Here
0177:004106A2 POP ESI
0177:004106A3 MOV EAX,00000001
0177:004106A8 POP EBX
Hmm... this is weird... only some POPs and a
MOV 1 to EAX (which means a flag / return value?).
The only thing left to do is to step over the RET instruction, because there is nothing to do here.
Press F10 until you pass the RET instruction, and you will be in this code snippet:
0177:00408A12 CALL 00410670
0177:00408A17 LEA EDI,[ESI+32] ;EDI = buffer for the dialog text
0177:00408A1A PUSH 32 ;max 50 (0x32) chars
0177:00408A1C PUSH EDI ;buffer
0177:00408A1D PUSH 66 ;control ID 0x66
0177:00408A1F PUSH EBP ;dialog handle
0177:00408A20 CALL 00410670 ;wrapper around GetDlgItemTextA
0177:00408A25 LEA EAX,[ESP+30] ;EAX = buffer for the next text
0177:00408A29 PUSH 00000100 ;max 256 chars
0177:00408A2E PUSH EAX ;buffer
0177:00408A2F PUSH 67 ;control ID 0x67
0177:00408A31 PUSH EBP ;dialog handle
0177:00408A32 CALL 00410670 ;wrapper around GetDlgItemTextA
0177:00408A37 LEA ECX,[ESP+40] ;the typed (fake) serial string
0177:00408A3B PUSH ECX ;save it
0177:00408A3C CALL 00411AF5 ;eax = fake serial as a number
0177:00408A41 PUSH ESI ;name & organization
0177:00408A42 MOV EBX,EAX ;ebx = fake serial
0177:00408A44 CALL 00410600 ;not important
0177:00408A49 ADD ESP,38 ;clean up the stack
0177:00408A4C CMP EAX,0119A792 ;compare
0177:00408A51 JNZ 00408A6B ;not equal, jump <---|
0177:00408A53 MOV EBX,[KERNEL32!lstrcpy] |
0177:00408A59 PUSH 0041CD4C |
0177:00408A5E PUSH ESI |
0177:00408A5F CALL EBX |
0177:00408A61 PUSH 0041CD3C |
0177:00408A66 PUSH EDI |
0177:00408A67 CALL EBX |
0177:00408A69 JMP 00408A72 |
0177:00408A6B CMP EAX,0D5FCE3C ;we land here <---|
0177:00408A70 JNZ 00408A7E ;not equal <-|
0177:00408A72 PUSH EDI |
0177:00408A73 PUSH ESI |
0177:00408A74 CALL 00410030 |
0177:00408A79 ADD ESP,08 |
0177:00408A7C MOV EBX,EAX |
0177:00408A7E PUSH EDI ;we land here <---|
0177:00408A7F PUSH ESI ;name & organization
0177:00408A80 CALL 00410030 ;call the algo (serial generator)?
0177:00408A85 ADD ESP,08 ;esp + 8
0177:00408A88 CMP EBX,EAX ;fake vs real serial
0177:00408A8A POP EDI ;restore EDI
0177:00408A8B JZ 00408AAA ;jump if equal (registered)
Not so hard to understand, but you will
find yourself landing in the memory area where the
fake serial is compared with the generated serial!
While on the CMP, type '? EAX' and '? EBX'. You see the compare?
? EBX = '1234567890' (Fake)
? EAX = '3404118051' (Real serial)
By the way, we use the '?' command here because
the program converts the serial into a decimal number and not a hex string, therefore
we can't use the 'D' command to dump the memory address.
I must say, although Software By Design
has made a lot of sharewares, they didn't change the
protection system, only the generator.
So this tutorial refers to all shareware by them! ;D
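The weakness traced above is that the real serial is generated inside the program (CALL 00410030) and then compared with the typed one (CMP EBX,EAX), so both values sit in registers at the compare. The following is an added example, not code from this essay or from BlowFish 2000: it contrasts that pattern with a verify-only check where the program holds just a public key and has no code path that can produce a serial. The toy RSA parameters, the hash-to-digest step and the names check_weak/check_signed are all constructed for illustration.

```python
"""Weak 'generate and compare' serial check next to a verify-only check.
Constructed example; the RSA key is far too small for real use."""
import hashlib

# Constructed toy key pair: two well-known primes, insecure size, demo only.
P, Q = 104729, 1299709
N = P * Q
E = 65537                    # public exponent, shipped in the binary
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent: vendor side only


def name_digest(name: str) -> int:
    """Map the user name to an integer below N; this is what gets signed."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N


def vendor_serial(name: str) -> int:
    """Vendor's generator: sign the name digest with the private key."""
    return pow(name_digest(name), D, N)


def check_weak(name: str, typed: int) -> bool:
    """Pattern from the listing: the generator runs inside the program and its
    result is compared with the typed value (CMP EBX,EAX). Breaking on the
    compare shows the real serial in a register, and the generator itself
    ships with the program."""
    real = vendor_serial(name)   # the secret D has to live in the binary
    return real == typed


def check_signed(name: str, typed: int) -> bool:
    """Verify-only pattern: the program holds (E, N) but never D. It can
    confirm a serial for this name, yet has nothing that produces one, so the
    compare reveals only the name digest, which is useless for other names."""
    return pow(typed, E, N) == name_digest(name)


if __name__ == "__main__":
    serial = vendor_serial("Bengaly")
    print("vendor-issued serial for Bengaly:", serial)
    print("weak check accepts:", check_weak("Bengaly", serial))
    print("signed check accepts:", check_signed("Bengaly", serial))
    print("signed check rejects a tampered serial:",
          check_signed("Bengaly", serial ^ 1))
```

Neither design stops someone from patching the conditional jump itself (the JZ at 00408A8B); the signature only removes the generator, and with it the keygen, from the binary.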
Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems?
If you're looking for cracks or serial numbers then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks and so on.
I would like to say thank you to all who have supported me and helped
me through my cracking days:
For his Great Essays And Skills
For his awesome Tutorials
For Helping Me in Cracking & Hosting
For Helping Me in W32Asm
For Being A Good Friend
Have Fun :D
Essay by: Bengaly