|
Getting Code Quick 2000 Password Quick! Letting the Built-In KeyGen Do Its Work |
||
| Date 4/18/01 |
by Sojourner Publisged by Tsehp Oct 2001 |
|
|
There is a crack, a crack in everything. That's how
the light gets in.
|
||
| Rating |
(x)Beginner ( )Intermediate
( )Advanced ( )Expert
|
This one was quite simple to register.
|
|
Code Quick 2000 is a program to help you learn and improve morse code skills. That's it in a nutshell.
|
|
w32dasm 8.x--your choice of flavors - vb enhanced
hex editor needed- UltraEdit 7.xx or whatever you want to use----None Needed!!
|
|
Just go to this site and then download what you need.
|
|
What to do - Register this babe!
|
|
Hello all. This tutorial is requested by a reader, so hear we go. After downloading your prog, install it wherever you desire, then do a quick disassembly. Be sure to restart your system as required before you try to run it. This will register everything you need. Did I tell you this was a vb based prog? Oh, nevermind. With the vb enhanced w32dasm, it won't make any difference anyway. I began by setting breakpoints after the program was running for the vbaStrCmp and vbaLenBstr. There were 7 hits for different vbaStrCmp calls. I'll just list them since they take up too much real estate.
1.00673774-----month
2. 006737F6 ---day
3. 00673874 ---year
4. 0067393D --last name
5. 006739C5 --middle initial
6. 0067A4D --first name
7. 00673B10 --input serial
Now, in actuality,you can register the prog by very simply going to 00676EF3 and falling through. It will accept whatever you give it. I did that the very first time when I didn't understand what the protection scheme was doing. You can try all different sorts of things if you want. Please be aware that there are two files in the Windows directory that you must delete if you want to re-register your program. These files are given to you, but in a secretive way from within the program. You honestly have to be looking for them. There are no windows registry settings written to indicate that you are registered. The files to delete are: WinSysU.cac and WinTfrc.clz
* Reference To: MSVBVM50.__vbaFreeVarList, Ord:0000h
|
:00676EB4 FF15DC927000 Call dword ptr [007092DC]
:00676EBA 83C41C add esp, 0000001C
:00676EBD 6683BDE4FCFFFF00 cmp word ptr [ebp+FFFFFCE4], 0000
:00676EC5 B904000280 mov ecx, 80020004
:00676ECA B80A000000 mov eax, 0000000A
:00676ECF 898DF4FDFFFF mov dword ptr [ebp+FFFFFDF4], ecx
:00676ED5 8985ECFDFFFF mov dword ptr [ebp+FFFFFDEC], eax
:00676EDB 898D04FEFFFF mov dword ptr [ebp+FFFFFE04], ecx
:00676EE1 8985FCFDFFFF mov dword ptr [ebp+FFFFFDFC], eax
:00676EE7 898D14FEFFFF mov dword ptr [ebp+FFFFFE14], ecx
:00676EED 89850CFEFFFF mov dword ptr [ebp+FFFFFE0C], eax
:00676EF3 0F84310B0000 je 00677A2A <--HERE
:00676EF9 8D952CFDFFFF lea edx, dword ptr [ebp+FFFFFD2C]
:00676EFF 8D8D1CFEFFFF lea ecx, dword ptr [ebp+FFFFFE1C]
* Possible StringData Ref from Code Obj ->"Password
Verified"
|
:00676F05 C78534FDFFFF381C4400 mov dword ptr [ebp+FFFFFD34], 00441C38
:00676F0F C7852CFDFFFF08000000 mov dword ptr [ebp+FFFFFD2C], 00000008
//////////////////////////////////////////////////our jump to
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00676EF3(C)
|
:00677A2A 8D952CFDFFFF lea edx, dword ptr [ebp+FFFFFD2C]
:00677A30 8D8D1CFEFFFF lea ecx, dword ptr [ebp+FFFFFE1C]
* Possible StringData Ref from Code Obj ->"Invalid
Password"
|
:00677A36 C78534FDFFFFC81C4400 mov dword ptr [ebp+FFFFFD34], 00441CC8
:00677A40 C7852CFDFFFF08000000 mov dword ptr [ebp+FFFFFD2C], 00000008
Back to work. You will need to fill in all the requested info. The date is automatically picked up by the prog. Run through your registration process a time or two to follow the registers and what they're doing. You'll find that ebp+FFFFFE5C is an important holding area for data. This location translates to ebp-000001A4. How did I arrive at that? You have to subtract FFFFFE5C (hex) from 100000000 (hex) to come to that conclusion, which = 1A4 (hex). Then you take the register, ebp, attach the minus sign (-) and then then answer (1A4).You may add the leading zeroes for reference. Now you can go to ebp-000001A4 and see what's happening there. Everything mentioned above at the vbaStrCmp calls will list itself in this holding area, in the order I listed above, as well. Did I mention to be sure to set the vbaLenBStr call breakpoints. One in particular becomes important to us, at 0067452B.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0067450A(C)
|
:00674524 8B855CFEFFFF mov eax, dword ptr [ebp+FFFFFE5C]
:0067452A 50 push eax
* Reference To: MSVBVM50.__vbaLenBstr, Ord:0000h
|
:0067452B FF15D0927000 Call dword ptr [007092D0]
:00674531 8D8D2CFDFFFF lea ecx, dword ptr [ebp+FFFFFD2C]
:00674537 898524FDFFFF mov dword ptr [ebp+FFFFFD24], eax
:0067453D 8D951CFDFFFF lea edx, dword ptr [ebp+FFFFFD1C]
:00674543 51 push ecx
:00674544 8D850CFDFFFF lea eax, dword ptr [ebp+FFFFFD0C]
:0067454A 52 push edx
:0067454B 8D8D98FCFFFF lea ecx, dword ptr [ebp+FFFFFC98]
:00674551 50 push eax
:00674552 8D95A8FCFFFF lea edx, dword ptr [ebp+FFFFFCA8]
:00674558 51 push ecx
:00674559 8D45C8 lea eax, dword ptr [ebp-38]
:0067455C 52 push edx
Interestingly enough, when we get here and have look around inside of the eax register we will see the info we need, but it may come as a surpirse that it isn't the actual set of numbers we thought we needed. What we end up seeing is the translated "Initialization Code" that is based on whatever "Serial Number" we placed in the box. It will probably be based on a variant of "RiverineXxxxxxxxxx". I had several differnet ones revealed under differing circumstances. So leave the serial alone which you input and go back and replace your initialization code with what is revealed here. Now you will be registered and happy ever after.
j .--- o--- m -- a .- m -- a .- m -- e . i .. s ... t - e . r .-.
|
|
This was a simple, fun lesson, which revealed yet another turn in the protection process. Until later. If you have any questions please feel free to contact me at jomamameister@yahoo.com
|
|