Requirements:
W32DASM
Some asm knowledge
Information:
Target: Windows LockUp v1.4
Author: hEYWIRE
Download: http://www.softheap.com/wlock.html
About:
The purpose of this tutorial is to offer help to anyone wishing to study the art of Reverse Code Engineering. Breaking protection systems in programs is an intellectual challenge; it should NOT be used to steal software. REMEMBER, I do my cracks/keygens as a hobby and challenge, so please, if you like the utility you crack and keep using it, support the author and pay for it! Peace, hEYWIRE
Registering:
OK, here we go. I'm just going to list what to do:
Scan the target with your favourite PE identifier to see if it is packed/encrypted (not in this case).
Disassemble the program and look for any strings that could be helpful.
Find the call that generates the serial number.
Set a breakpoint on it in SoftICE and enter your registration details.
Hit OK and SoftICE should break. Keep tracing till you land here:
:0040AE8E 3C61            cmp al, 61                      ; compare al (letter) to 'a'
:0040AE90 7C04            jl 0040AE96                     ; below 'a': try the upper-case range
:0040AE92 3C7A            cmp al, 7A                      ; compare al (letter) to 'z'
:0040AE94 7E08            jle 0040AE9E                    ; a-z: go do the arithmetic

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040AE90(C)

:0040AE96 3C41            cmp al, 41                      ; compare al (letter) to 'A'
:0040AE98 7C13            jl 0040AEAD                     ; below 'A': not a letter, skip it
:0040AE9A 3C5A            cmp al, 5A                      ; compare al (letter) to 'Z'
:0040AE9C 7F0F            jg 0040AEAD                     ; above 'Z': not a letter, skip it

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040AE94(C)

:0040AE9E BFFF000000      mov edi, 000000FF               ; edi = FFh = 255 dec
:0040AEA3 0FBEC0          movsx eax, al                   ; eax = the letter (sign-extended)
:0040AEA6 2BF9            sub edi, ecx                    ; edi = 255 - ecx (ecx = character position)
:0040AEA8 0FAFF8          imul edi, eax                   ; edi = (255 - position) * letter
:0040AEAB 03D7            add edx, edi                    ; edx += edi (406C15h = 4221973 dec comes in on the first pass only, see below)

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040AE98(C), :0040AE9C(C)

:0040AEAD 8A443101        mov al, byte ptr [ecx+esi+01]   ; al = next character of the name
:0040AEB1 41              inc ecx                         ; position++
:0040AEB2 84C0            test al, al                     ; end of string (null)?
:0040AEB4 75D8            jne 0040AE8E                    ; no: loop for the next character
:0040AEB6 5F              pop edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040AE8B(C)

:0040AEB7 B800010000      mov eax, 00000100               ; eax = 100h = 256 dec
:0040AEBC 53              push ebx
:0040AEBD 2BC1            sub eax, ecx                    ; eax = 256 - number of characters (ecx counted every one, letters or not)
:0040AEBF 8D4C2408        lea ecx, dword ptr [esp+08]
:0040AEC3 0FAFC2          imul eax, edx                   ; eax = (256 - count) * running total in edx
:0040AEC6 50              push eax
OK, so all the above code does is this:
For each letter (a-z or A-Z; anything else fails the comparisons at 0040AE8E-0040AE9C and is skipped, but it still counts as a position), multiply its ASCII value by 255 - character position.
On the FIRST LOOP ONLY, add 4221973 to ASCII value * (255 - character position).
Keep doing this till all characters have been processed.
Multiply the total by 255 - number of characters.
That's all there is to this program. If you don't fully understand how the serial number is generated, follow the program in SoftICE and you will understand it a lot quicker.
Final Notes:
That's it for this tutorial, hope you learned something. If there are any spelling mistakes or grammar errors then forgive me, I'm only human. Just a short note, REMEMBER, I do my cracks/keygens as a hobby and challenge, so please, if you like the utility you crack and keep using it, support the author and pay for it! Peace, hEYWIRE