3.00 Beta 3"
|by N i X e|
|Code Reversing For Beginners|
Easy ( X ) Medium ( )
Hard ( ) Pro ( )
|Solving the puzzle|
Have you ever downloaded a program that you wanted to make a backup copy of only to realize that it was too large to fit onto a single floppy disk? Have you ever tried to email someone a large program only to have it not get there because of restrications that certain email servers make on the size of emails? Have you ever wanted to distibute files from your internet site but they are so large that people get frustrated trying to download them, having their connections lost and being forced to start over?
If you answered yes to any of the questions above, then AxMan is the program for you!
AxMan is a 32-bit windows application that
will split any file into pieces. These pieces can then be later restored
to recover the original file. AxMan offers many features and customizations
so that it can suit each user's individual needs.
This shareware will end up registered if you enter a name, a company, and a reg key number
I could not find name/reg key in the in
windows registry or anywhere else...?
Try to run AxMan and enter something in
the registration screen.
Notice the 'Invalid Registration Information.' message! Write it down.
Create a deadlisting in W32Dasm and find
the 'Invalid..' message. Look at the code surrounding our 'Invalid...'
string reference. Just below is a 'Thank you for registering...' message.
Yes, were are indeed close to the 'check valid serial' function!
Just 5 lines above the bad guy msg we see a 'call 00405370' followed by a 'test al,al'. It's a very common thing for shareware programs to have a function that evaluate the serial and return with eax=0 if invalid reg key and eax=1 if valid reg key.
Here is the W32Dasm deadlisting from the 'Thank you for registering...' message and a few lines up:
:0040596E 8B442404 mov eax, dword ptr [esp+04] ; our entered reg key :00405972 8B4C2408 mov ecx, dword ptr [esp+08] ; our entered company :00405976 8B54240C mov edx, dword ptr [esp+0C] ; our entered name :0040597A 50 push eax ; save reg key on stack :0040597B 51 push ecx ; save company on stack :0040597C 52 push edx ; save name on stack :0040597D 8D4C241C lea ecx, dword ptr [esp+1C] :00405981 C644242803 mov [esp+28], 03 :00405986 E8E5F9FFFF call 00405370 ; check reg key :0040598B 84C0 test al, al ; if al = 0 the we are bad... :0040598D 6A30 push 00000030 :0040598F 7513 jne 004059A4 * Possible StringData Ref from Data Obj ->"AxMan - Error 400" :00405991 6804764100 push 00417604 * Possible StringData Ref from Data Obj ->"Invalid Registration Information" ; the bad guy string :00405996 68E0754100 push 004175E0 :0040599B 8BCE mov ecx, esi * Reference To: MFC42.Ordinal:1080, Ord:1080h :0040599D E884A30000 Call 0040FD26 :004059A2 EB4E jmp 004059F2 * Referenced by a (U)nconditional or (C)onditional Jump at Address: 0040598F(C) * Possible StringData Ref from Data Obj ->"AxMan" :004059A4 6830714100 push 00417130 * Possible StringData Ref from Data Obj ->"Thank you for registering your " ; the good guy string ->"copy of AxMan"
Now we need to find a breakpoint for SoftIce.
We could break at the 'call 00405370' but it is better to break some lines
before... the push statements saves parameters for the function on the
stack. If some of the parameters are our name or serial we can be pretty
sure that it is the 'check valid serial' function!
Let's therefore use the breakpoint :0040596E (bpx 0040596E)
So, let's fire up SoftIce. Enter some registration
info and set the breakpoint. After SoftIces breaks display the pushed registers
(? eax) and what they point at (d eax). Just before the call our name,
company and reg key are pushed onto the stack. This confirm our theory.
Trace into the 'call 00405370' (F8) and start tracing over the lines in this function (F10). Display registers/memory contents for each value pushed onto the stack and all values that change after a call (registers which change after a call will change color in SoftIce).
Here is what the 'check valid serial' looks
like in W32Dasm's deadlisting:
* Referenced by a CALL at Addresses: 00403166, :00405986, :0040DA72 :00405370 8B542408 mov edx, dword ptr [esp+08] :00405374 83EC18 sub esp, 00000018 :00405377 8D442400 lea eax, dword ptr [esp] :0040537B 53 push ebx :0040537C 56 push esi :0040537D 50 push eax :0040537E 8B442428 mov eax, dword ptr [esp+28] ; our entered name :00405382 52 push edx :00405383 50 push eax ; save name on stack :00405384 E857000000 call 004053E0 :00405389 8B74242C mov esi, dword ptr [esp+2C] ; our entered reg key :0040538D 8D442408 lea eax, dword ptr [esp+08] ; the REAL reg key!!! (something like 123-456-789) . . . :004053D3 C20C00 ret 000C
Use SoftIce to display the memory after
'mov esi, dword ptr [esp+2C]' (d esi). That's our entered reg key.
Try to display the memory after 'lea eax, dword ptr [esp+08]' (d eax). That's the REAL reg key displayed as a string!!!
The call to 004053E0 must have generated the real serial. But we don't really care because now we have the real serial number for our name!
Allmost to easy, eh?
This protection system is very, very easy to crack. I only took me 15 minutes - 10 minutes disassembling and studing the code - 5 minutes debugging and writing down memory contents!
If you are going to develop a serial check
then PLEASE DON'T compare the serials unencrypted! Calculate a value for
each serial and compare them instead.
Greetings/thanks to The Sandman,
Razzia, Volatility, Eternal Bliss, and all other tutorial writers!
I wont even bother explaining you that
you should BUY this target program if you intend to use it for a longer
period than the allowed one.