January 1999

"AxMan 3.00 Beta 3"
'memory echo' 
Code Reversing 
by   N i X e 
Code Reversing For Beginners

Program Details
Program Name: axman300b3.zip
Program Type: File utility
Program Location: Here
Program Size: 1.32 Mb

Tools Used:
Softice - Win'95 Debugger
W32Dasm - Win'95 Disassembler


Easy ( X )  Medium ( )  Hard ( )  Pro ( )

Solving the puzzle

Have you ever downloaded a program that you wanted to make a backup copy of only to realize that it was too large to fit onto a single floppy disk? Have you ever tried to email someone a large program only to have it not get there because of restrications that certain email servers make on the size of emails? Have you ever wanted to distibute files from your internet site but they are so large that people get frustrated trying to download them, having their connections lost and being forced to start over?

If you answered yes to any of the questions above, then AxMan is the program for you!

AxMan is a 32-bit windows application that will split any file into pieces. These pieces can then be later restored to recover the original file. AxMan offers many features and customizations so that it can suit each user's individual needs.
About this protection system

This shareware will end up registered if you enter a name, a company, and a reg key number

I could not find name/reg key in the in windows registry or anywhere else...?
The Essay

Try to run AxMan and enter something in the registration screen.
Notice the 'Invalid Registration Information.' message! Write it down.

Create a deadlisting in W32Dasm and find the 'Invalid..' message. Look at the code surrounding our 'Invalid...' string reference. Just below is a 'Thank you for registering...' message. Yes, were are indeed close to the 'check valid serial' function!
Just 5 lines above the bad guy msg we see a 'call 00405370' followed by a 'test al,al'. It's a very common thing for shareware programs to have a function that evaluate the serial and return with eax=0 if invalid reg key and eax=1 if valid reg key.

Here is the W32Dasm deadlisting from the 'Thank you for registering...' message and a few lines up:

:0040596E 8B442404                mov eax, dword ptr [esp+04]   ; our entered reg key
:00405972 8B4C2408                mov ecx, dword ptr [esp+08]   ; our entered company
:00405976 8B54240C                mov edx, dword ptr [esp+0C]   ; our entered name
:0040597A 50                      push eax                      ; save reg key on stack
:0040597B 51                      push ecx                      ; save company on stack
:0040597C 52                      push edx                      ; save name on stack
:0040597D 8D4C241C                lea ecx, dword ptr [esp+1C]
:00405981 C644242803              mov [esp+28], 03
:00405986 E8E5F9FFFF              call 00405370                 ; check reg key
:0040598B 84C0                    test al, al                   ; if al = 0 the we are bad...
:0040598D 6A30                    push 00000030
:0040598F 7513                    jne 004059A4
* Possible StringData Ref from Data Obj ->"AxMan - Error 400"
:00405991 6804764100              push 00417604
* Possible StringData Ref from Data Obj ->"Invalid Registration Information" ; the bad guy string
:00405996 68E0754100              push 004175E0
:0040599B 8BCE                    mov ecx, esi
* Reference To: MFC42.Ordinal:1080, Ord:1080h
:0040599D E884A30000              Call 0040FD26
:004059A2 EB4E                    jmp 004059F2
* Referenced by a (U)nconditional or (C)onditional Jump at Address: 0040598F(C)
* Possible StringData Ref from Data Obj ->"AxMan"
:004059A4 6830714100              push 00417130
* Possible StringData Ref from Data Obj ->"Thank you for registering your " ; the good guy string
                                        ->"copy of AxMan"

Now we need to find a breakpoint for SoftIce. We could break at the 'call 00405370' but it is better to break some lines before... the push statements saves parameters for the function on the stack. If some of the parameters are our name or serial we can be pretty sure that it is the 'check valid serial' function!
Let's therefore use the breakpoint :0040596E (bpx 0040596E)

So, let's fire up SoftIce. Enter some registration info and set the breakpoint. After SoftIces breaks display the pushed registers (? eax) and what they point at (d eax). Just before the call our name, company and reg key are pushed onto the stack. This confirm our theory.
Trace into the 'call 00405370' (F8) and start tracing over the lines in this function (F10). Display registers/memory contents for each value pushed onto the stack and all values that change after a call (registers which change after a call will change color in SoftIce).

Here is what the 'check valid serial' looks like in W32Dasm's deadlisting:

* Referenced by a CALL at Addresses: 00403166, :00405986, :0040DA72   
:00405370 8B542408                mov edx, dword ptr [esp+08]
:00405374 83EC18                  sub esp, 00000018
:00405377 8D442400                lea eax, dword ptr [esp]
:0040537B 53                      push ebx
:0040537C 56                      push esi
:0040537D 50                      push eax
:0040537E 8B442428                mov eax, dword ptr [esp+28]   ; our entered name
:00405382 52                      push edx                      
:00405383 50                      push eax                      ; save name on stack
:00405384 E857000000              call 004053E0
:00405389 8B74242C                mov esi, dword ptr [esp+2C]   ; our entered reg key
:0040538D 8D442408                lea eax, dword ptr [esp+08]   ; the REAL reg key!!! (something like 123-456-789) 
:004053D3 C20C00                  ret 000C

Use SoftIce to display the memory after 'mov esi, dword ptr [esp+2C]' (d esi). That's our entered reg key.
Try to display the memory after 'lea eax, dword ptr [esp+08]' (d eax). That's the REAL reg key displayed as a string!!!
The call to 004053E0 must have generated the real serial. But we don't really care because now we have the real serial number for our name!

Allmost to easy, eh?
Final Notes

This protection system is very, very easy to crack. I only took me 15 minutes - 10 minutes disassembling and studing the code - 5 minutes debugging and writing down memory contents!

If you are going to develop a serial check then PLEASE DON'T compare the serials unencrypted! Calculate a value for each serial and compare them instead.

Greetings/thanks to The Sandman, Razzia, Volatility, Eternal Bliss, and all other tutorial writers!
Ob Duh

I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one.