Requirements:
Numega Softice 4.05
IDA/W32DASM
Some asm Knowledge
Information:
Target: TempClean v3.0
Author: hEYWIRE
Download: http://alvilim.virtualave.net
About:
The purpose of this tutorial is to offer help to anyone wishing to study the art of Reverse Code Engineering. Breaking protection systems in programs is an intellectual challenge; it should NOT be used to steal software. REMEMBER, I do my cracks/keygens as a hobby and challenge, so please, if you like the utility you crack and keep using it, support the author and pay for it! Peace, hEYWIRE
Program Info:
TempClean cleans temporary directories or searches for temporary files across your hard disk, so there is no need for you to think about trash that can fill up your disk. You can easily add WINDOWS/TEMP, Internet cache, Document history or any other directories you want and let TempClean clean them on every Windows start so you don't have to think about it.
Registering:
OK, here we go. I'm just going to list for you what to do.
Scan the target to see if it's packed/encrypted with your favorite PE identifier (not in this case).
Enter your registering details.
OK, now break into SoftICE; you now know it's written in Delphi, so you know what breakpoint to set: ‘BPX hmemcpy’. Break out of SoftICE and hit the OK button. SoftICE will break; hit F5 again, and F12 till you get into the program's code. Now do a search for your NICK and put a BPX on it in memory. Hit F5 and SoftICE will break, and now the fun starts. You should land here:
0167:0055EAA2  MOV    EDX,00000001              ;counter for loop
0167:0055EAA7  MOV    ECX,[EBP-04]
0167:0055EAAA  MOVZX  ECX,BYTE PTR [EDX+ECX-01] ;Get first character of your NICK
0167:0055EAAF  ADD    EBX,ECX                   ;Add it to EBX
0167:0055EAB1  INC    EDX
0167:0055EAB2  DEC    EAX
0167:0055EAB3  JNZ    0055EAA7                  ;All characters ?
0167:0055EAB5  IMUL   EAX,EBX,00126AC0          ;Multiply sum of all characters by 126AC0
0167:0055EABB  MOV    EBX,EAX
0167:0055EABD  LEA    EAX,[EBP-10]
0167:0055EAC0  PUSH   EAX
0167:0055EAC1  LEA    EDX,[EBP-14]
0167:0055EAC4  MOV    EAX,EBX
0167:0055EAC6  CALL   00508020
0167:0055EACB  MOV    EAX,[EBP-14]
0167:0055EACE  MOV    ECX,00000003
0167:0055EAD3  MOV    EDX,00000001
0167:0055EAD8  CALL   00503E24
0167:0055EADD  PUSH   DWORD PTR [EBP-10]
0167:0055EAE0  LEA    EAX,[EBP-18]
OK, so all the above piece of code does is this:
Get the sum of all characters
Multiply it by 126AC0 (1206976)
Get the first 6 numbers
So the number for our NICK ends up in EAX; you can try this number and see if it’s a valid serial number. But guess what, it's not.
OK, so on with the tracing till we land here:
0167:00507DF5  MOV    EDX,ESI
0167:00507DF7  MOV    ESI,[EDI]
0167:00507DF9  TEST   EBX,EBX
0167:00507DFB  JZ     00507E12
0167:00507DFD  MOV    AL,[EDX]                  ; AL = first character of your NICK
0167:00507DFF  CMP    AL,61
0167:00507E01  JB     00507E09
0167:00507E03  CMP    AL,7A
0167:00507E05  JA     00507E09
0167:00507E07  SUB    AL,20
0167:00507E09  MOV    [ESI],AL
0167:00507E0B  INC    EDX
0167:00507E0C  INC    ESI
0167:00507E0D  DEC    EBX
0167:00507E0E  TEST   EBX,EBX
0167:00507E10  JNZ    00507DFD
OK, so the above piece of code checks the FIRST character of your NICK to see if it’s a valid character and to see if it’s a CAPITAL letter. If not, it then takes 20h (32) away to make it a CAPITAL letter. So the program is going to use this letter somewhere in the serial number. Let’s keep tracing. Trace till you land here:
0167:00508A70  DIV    ECX
0167:00508A72  ADD    DL,30                     ;All are self-explanatory
0167:00508A75  CMP    DL,3A
0167:00508A78  JB     00508A7D
0167:00508A7A  ADD    DL,07
0167:00508A7D  DEC    ESI
0167:00508A7E  MOV    [ESI],DL
0167:00508A80  OR     EAX,EAX
0167:00508A82  JNZ    00508A6E
The piece of code above is very simple to understand, so I’ll just move on quickly. Just in case you don’t know what it's doing, here it is: all it's doing is checking the fourth number of your serial number against the letter it took from your NICK. Follow it in SoftICE and you’ll get to see how it works. OK, so let's set a breakpoint somewhere on the above piece of code, just in case we don’t have the full serial number yet. So type in the number you got for your NICK and replace the fourth number with the capital letter of your NICK’s first character. Make sense? Try it. No good! OK, keep tracing, watching out for the registers and any calls that might be interesting. Trace till you land here:
0167:00503C6C  TEST   EDX,EDX
0167:00503C6E  JZ     00503CD1
0167:00503C70  TEST   ECX,ECX
0167:00503C72  JZ     005039F8
0167:00503C78  CMP    EDX,[EAX]                 ; Interesting CMP
0167:00503C7A  JZ     00503CD8
0167:00503C7C  CMP    ECX,[EAX]                 ; and another
0167:00503C7E  JZ     00503C8E
OK, the above piece of code compares the first 3 numbers of your dummy serial number against EDX, which is equal to TC3. So now let's check the serial number we have. It should be in this style:
TC3-XXXLXXX
X = number
L = First letter of your NICK in UPPERCASE
Try the serial number now. And that’s it. It’s a tricky enough program, but just watch out for the registers, and even in the Data window you might see a valid serial number if you get to the CMP with TC3. To make a keygen for this program you really only have to study one part. Now go try it!
Final Notes:
That’s it for this tutorial; hope you learned something. If there are any spelling mistakes or grammar errors then forgive me, I'm only human. Just a short note: REMEMBER, I do my cracks/keygens as a hobby and challenge, so please, if you like the utility you crack and keep using it, support the author and pay for it! Peace, hEYWIRE