"Audio Sphere v2.57"

LaptoniC
Published by Tsehp November 2001
Program Url: http://www.svet-soft.com
Program Type: Sound application
Tools: SoftICE, IDA

Preface

More and more programs use cryptographic algorithms for their serial calculation. Although they generally use strong public algorithms and/or hashes, the main weakness is how they are implemented. In this essay I will try to show you how a strong serial algorithm can be cracked in minutes if you know where and how to look.

Essay

The program is AudioSphere. All programs from this company use the same algorithm as far as I know. The previous version has been keygenned. These guys are monitoring crack sites and updating their software. Some of their programs also have a built-in CRC check, i.e. George's Notes. These programs are written in Delphi, so tracing and understanding the code can be hard sometimes, so you should have DeDe and/or IDA to understand the code better. OK, let's try to register it.

Go to the register dialog and enter a dummy serial. Trace the code. You will see that the program changes the entered values; let's say it takes a hash of them and stores it for later use. The program writes both the hashed name and serial to the registry for future checks, so it is better to close the program and put a breakpoint on the registry access.

The program reads the rName and rKey values from SOFTWARE\Svetlana Software\AudioSphere, so putting

bpx RegQueryValueExA IF *(ESP->8) == 'rKey' DO "D ESP->14;"

will do the job. When you rerun the program you will break two times. When it breaks the second time you will see the same hash function again, used to get the original serial back. After that you will see the code below.

mov     edx, offset aAusp2471492081 ; "AUSP2471-4920818318240628-66436089"
call    LStrCmp
jz      loc_48C61A
lea     ecx, [ebp+var_30]
mov     eax, [ebp+var_4]
mov     edx, [eax+454h]
mov     eax, [ebp+var_4]
call    sub_485760
mov     eax, [ebp+var_30]
mov     edx, offset aAusp0765983246 ; "AUSP0765-9832461809369656-14032654"
call    LStrCmp
jz      short loc_48C61A
lea     ecx, [ebp+var_34]
mov     eax, [ebp+var_4]
mov     edx, [eax+454h]
mov     eax, [ebp+var_4]
call    sub_485760
mov     eax, [ebp+var_34]
mov     edx, offset aAusp5902329790 ; "AUSP5902-3297905884364589-44425670"
call    LStrCmp

The program checks our key against the blacklisted ones, so we know the serial format now. I entered a bogus serial in this format, i.e. AUSP0123-123456789012345-12345678, and kept tracing. To decrease tracing time you can put a bpm on the serial you entered. After a while you will see the code below.

MOV     EAX,[EBP-10]    ; Here our serial is in eax
CALL    004914D8

So I traced this call. I don't want to paste long code here. This call cuts my serial into two pieces and calls another proc at 44DB38. I traced this call, and at the first call inside this proc I saw this:

push    ebx
add     esp, 0FFFFFFF0h
mov     ebx, eax
mov     [esp+10h+var_10], 67452301h
mov     [esp+10h+var_C], 0EFCDAB89h
mov     [esp+10h+var_8], 98BADCFEh
mov     [esp+10h+var_4], 10325476h
lea     edx, [ebx+7Ch]
mov     eax, esp
mov     ecx, 4
call    Move_int

These values are the initialization constants of MD5 (and MD4). I supposed that it takes the MD5 hash of one half of our serial. To test this, after returning from the call I checked its return value. It was d1c40a23337b9c55905e64ddfa460305, which is exactly the MD5 of the string AUSP0123-12345678. Tracing on after this call, you will see that it compares this hash with the ones stored in the exe. If the program finds the same hash in the buffer, that half is correct, and it does the same MD5-and-search operation for the second part of the serial.

This buffer holds 300-350 hashes. Bruteforcing the first part can be done, I guess, because the first part has the fixed string AUSP. I have coded a bruteforcer which scans AUSP0000-00000000 to AUSP0000-99999999 in 13-15 minutes on a PIII 450. If you want to write a bruteforcer I suggest you use the SSLeay implementation of MD5, which has the optimizations from this and that article. If anyone wants to search, there is no need to search AUSP0000 to AUSP00251 :)

However, we don't need to bruteforce if we just want to register this app. As I said before, the program cuts the serial into two pieces, hashes each piece and compares it with the buffer. So we can take the blacklisted serials, divide them in two and make combinations. That gives us 10 more valid serials which aren't banned. I mean, not yet :)
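To make clear why this works, here is an added example (not the author's code or the program's) that models the check as the essay describes it, with constructed sample serials in the same shape: each piece is hashed and looked up on its own, so a first piece from one accepted serial combined with the second piece from another is still accepted, while a check over the whole serial rejects it. The 17-character split position and the sample keys are assumptions.

```python
import hashlib
from itertools import product

# Constructed sample serials in the essay's AUSP####-################-########
# shape. They are NOT real AudioSphere keys; they only exercise the two designs.
SAMPLE_SERIALS = [
    "AUSP0001-1111111122222222-33333333",
    "AUSP0002-4444444455555555-66666666",
    "AUSP0003-7777777788888888-99999999",
]
# Assumed split: first piece is the 17-char prefix "AUSP####-########", rest is second.
SPLIT_AT = 17

def md5_hex(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()

def split_serial(serial):
    return serial[:SPLIT_AT], serial[SPLIT_AT:]

# Weak design, as the essay describes it: each piece is hashed and looked up on
# its own, so nothing records which first piece belongs with which second piece.
FIRST_HASHES = {md5_hex(split_serial(s)[0]) for s in SAMPLE_SERIALS}
SECOND_HASHES = {md5_hex(split_serial(s)[1]) for s in SAMPLE_SERIALS}

def check_split(serial):
    if not serial.startswith("AUSP"):
        return False
    first, second = split_serial(serial)
    return md5_hex(first) in FIRST_HASHES and md5_hex(second) in SECOND_HASHES

# Hardened design: hash the whole serial so the two pieces are bound together.
WHOLE_HASHES = {md5_hex(s) for s in SAMPLE_SERIALS}

def check_whole(serial):
    return serial.startswith("AUSP") and md5_hex(serial) in WHOLE_HASHES

def mixed_serials(serials):
    """Every first piece paired with every second piece, originals excluded."""
    firsts = [split_serial(s)[0] for s in serials]
    seconds = [split_serial(s)[1] for s in serials]
    return [f + s for f, s in product(firsts, seconds) if f + s not in serials]

def count_accepted(serials, check):
    return sum(1 for s in serials if check(s))

if __name__ == "__main__":
    mixed = mixed_serials(SAMPLE_SERIALS)
    print(len(mixed), "recombined serials")                    # 6
    print("split check:", count_accepted(mixed, check_split))  # 6
    print("whole check:", count_accepted(mixed, check_whole))  # 0
```

With three sample keys the split design accepts all six recombinations, which is the same effect the essay gets from the blacklisted serials; the whole-serial design accepts none of them.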

It is also possible that another string, not in the AUSP####-######## format, has the same hash as one in the buffer. However, the program also checks whether it starts with AUSP. NotesByGeorge doesn't have this check, so maybe that can be exploited.

Greetings: All helpful guys at RCE and Win32ASM boards, tE for his IToDecf proc, RudeBoy for his MD5 implementation and my old friends at PNC and PGC.