------------------------
 A lame tute by C_DKnight
^^^^^^^^^^^^^^^^^^^^^^^^

Target:     Classify 98 1.04
Toolz:      SICE, W32Dasm
Level:      1
Protection: Serial
URL:        www.trellian.com/classify

Some words before we start

W00p, it seems like we got some time to do this little crack before South Park's on TV. Let us be hasty this time :) But let's get to the biznezz, shall we..

I fill the reg boxes with this stuff:

Name:   C_DKnight
Serial: 22446688

I try my favorite breakpoints, of which GetDlgItemTextA turns out to be the right one:

BPX GetDlgItemTextA   -> breaks twice, because there are two reg boxes

As always we're more interested in the second break than the first one (usually the serial is calculated after the second break, and the first break just fetches the name)...

NOTE! This is a pretty long code listing - yet easy to understand - so if you don't feel like cracking right now, quit and come back later. Get some refreshments, c00l out your brains, whatever. Also I know the code below is very messy.. but I hope you can pick the important parts out.

:0040EEAC FFD6                  call esi                        <-- this calls GetDlgItemTextA
:0040EEAE 8D442410              lea eax, dword ptr [esp+10]     <-- you are here (your serial is in [esp+10])
:0040EEB2 6A52                  push 00000052
:0040EEB4 50                    push eax
:0040EEB5 E806EB0000            call 0041D9C0
:0040EEBA 59                    pop ecx
:0040EEBB BEE0DB4200            mov esi, 0042DBE0
:0040EEC0 85C0                  test eax, eax
:0040EEC2 59                    pop ecx
:0040EEC3 742E                  je 0040EEF3                     <-- this'll jump

This is the usual start.. trace on until you get here:

:0040EF17 E828080000            call 0040F744                   <-- this is actually the call we're interested in
:0040EF1C 83C410                add esp, 00000010               <-- tidy up the stack
:0040EF1F 85C0                  test eax, eax                   <-- test if the reg was valid
:0040EF21 7544                  jne 0040EF67                    <-- nope, it ain't

Very common piece of code: a call to the serial calculation/checking routine, then test its result (test eax,eax) and jump (jne 0040EF67) according to that test.
But the main interest is of course in what's behind the call, which we have to trace (I cut some code from the beginning):

:0040F763 803E43                cmp byte ptr [esi], 43          <-- compare the first char to 43h ('C')
:0040F766 7512                  jne 0040F77A                    <-- jump if they don't match
:0040F768 807E0145              cmp byte ptr [esi+01], 45       <-- compare the second char to 45h ('E')
:0040F76C 750C                  jne 0040F77A                    <-- jump if they don't match
:0040F76E C70560A4420001000000  mov dword ptr [0042A460], 00000001  <-- set the flag for a successful start :)
:0040F778 EB07                  jmp 0040F781

Ok. This is a little piece of the serial (in fact the beginning of it). First the routine compares your serial's first char to 43h ('C') and jumps away if it doesn't match. Another compare follows immediately, this time of the second char against 45h ('E'). When both checks pass, a flag is set at 0042A460 and you jump on to 40F781. Note that esi points at the serial here, so these are checks on what you typed, not on the name.

You will land here if the values matched:

:0040F781 803E43                cmp byte ptr [esi], 43          <-- confirm the 'C' once more
:0040F784 0F850D010000          jne 0040F897
:0040F78A 8A4601                mov al, byte ptr [esi+01]       <-- second char again
:0040F78D 3C57                  cmp al, 57                      <-- 57h ('W') is accepted here too..
:0040F78F 7408                  je 0040F799
:0040F791 3C45                  cmp al, 45                      <-- ..as is 45h ('E'); we don't care which
:0040F793 0F85FE000000          jne 0040F897
:0040F799 6A2D                  push 0000002D                   <-- push "-"
:0040F79B 56                    push esi                        <-- push the serial onto the stack
:0040F79C E85FE60000            call 0041DE00                   <-- look for the "-" in the serial (see below)
:0040F7A1 59                    pop ecx
:0040F7A2 59                    pop ecx
:0040F7A3 85C0                  test eax, eax                   <-- did it find one?
:0040F7A5 56                    push esi
:0040F7A6 0F84EC000000          je 0040F898                     <-- taken when eax = 0, i.e. no "-" found: bad serial

Ok, here goes another call at 40F79C which we're interested in. Notice the push 2D ('-') right before it..
But trace the call now (again some pieces cut):

:0041DE12 8A450C                mov al, byte ptr [ebp+0C]       <-- [ebp+0C] holds "-", move it to al
:0041DE15 FD                    std                             <-- direction flag set: scan backwards..
:0041DE16 F2                    repnz
:0041DE17 AE                    scasb                           <-- ..through the serial until [edi] == al
:0041DE18 47                    inc edi                         <-- step back onto the byte that stopped the scan
:0041DE19 3807                  cmp byte ptr [edi], al          <-- is it really the "-"?
:0041DE1B 7404                  je 0041DE21                     <-- yes: jump, eax stays non-zero
:0041DE1D 33C0                  xor eax, eax                    <-- no "-" anywhere: return 0
:0041DE1F EB02                  jmp 0041DE23

As you can see, the cmp compares al ('-') with the byte at [edi]. The std / repnz scasb pair walks backwards through the serial looking for a "-", so the call behaves like a strrchr for '-' and returns 0 when there is none. If it finds one (there has to be a "-" in the serial after the CE, e.g. CE-1234567890) you'll arrive here shortly:

:0040F81D 8B5508                mov edx, dword ptr [ebp+08]     <-- name to edx                       1.
:0040F820 8A0A                  mov cl, byte ptr [edx]          <-- the current char to cl            2.
:0040F822 84C9                  test cl, cl                     <-- end of the name (0 byte)?         3.
:0040F824 7412                  je 0040F838                     <-- yes: leave the loop               4.
:0040F826 33C0                  xor eax, eax                    <-- zero out eax                      5.
:0040F828 80C10C                add cl, 0C                      <-- add 12 to the current char        6.
:0040F82B 304C05F8              xor byte ptr [ebp+eax-08], cl   <-- xor [ebp+eax-8] with cl           7.
:0040F82F 40                    inc eax                         <-- increase the counter              8.
:0040F830 83F804                cmp eax, 00000004               <-- all four bytes done?              9.
:0040F833 7CF6                  jl 0040F82B                     <-- not yet, loop                     10.
:0040F836 EBE8                  jmp 0040F820                    <-- back to the start (40F820)        11.

(This listing is abridged like the others: the instruction that moves edx on to the next character of the name isn't shown, but as the walk-through below shows, the loop works through the whole name.)

This is the essential point when considering the serial, because it's generated here. It works like this:

1.  Move the pointer to the name into edx
2.  Move the current character (1st, 2nd, 3rd etc.) of your name into cl
3.  Test whether it is the terminating 0 byte, i.e. whether the name is finished
4.  It isn't (in our case), so go on
5.  Zero out eax -> eax becomes 0; it is the counter for the inner loop
6.  Add 0Ch (12 decimal) to the current char in cl, e.g. 43h ('C') + 0Ch = 4Fh
7.  Xor the byte at [ebp+eax-08] with that value (4Fh in the example)
8.  Increase the counter (first byte done, second done, third done etc.) by one
9.  Compare eax (the counter) to 4
10. If eax is less than 4, jump back to 40F82B and repeat until all four bytes at [ebp-8]..[ebp-5] have been xor'ed
11. Move on to the next character until all characters in your name have been xor'ed in
This is how the xoring goes with my name (C_DKnight); each line is the four bytes at [ebp-8] after another character has been xor'ed in:

1. BD A1 BC B5   <-- this is the starting value in [ebp+eax-8]
2. F2 EE F3 FA   <-- after xoring with 'C' (43h + 0Ch = 4Fh)
3. 99 85 98 91   <-- after '_'
4. C9 D5 C8 C1   <-- 'D'
5. 9E 82 9F 96   <-- 'K'
6. E4 F8 E5 EC   <-- 'n'
7. 91 8D 90 99   <-- 'i'
8. E2 FE E3 EA   <-- 'g'
9. 96 8A 97 9E   <-- 'h'   = 16 0A 17 1E (top bit of each byte dropped) -> reverse this = 1E170A16

(Reading the four bytes 16 0A 17 1E as one dword gives 1E170A16, because x86 stores the low byte first.)

Yeah, this is the serial generation routine. See it for yourself to fully understand it. You have to figure out the correct serial yourself.. but I can give you a few hints:

1. You should find out the correct serial is 10 chars long
2. Remember to add CE- in the beginning..

Final Notes

Not a moment too early, I could say: South Park's on TV any minute now and we're finished with this tute. I think I learnt a lot from this app and I suggest you SHOULD TRACE IT TOO, not just read my notes. I guarantee you'll understand it much better than you do by looking at the code listing. This is in fact my first tute in which I show the serial generation, yet I don't know if it's correct, but I'm satisfied with it :) If you feel/know I made a mistake somewhere, plz let me know.

-C_DKnight, c_dknight@iobox.com

I'd like to greet all my friends: AB4DS, r!SC, Dead-Mike, NrOC, Warezpup, Hutch, [yAtEs], [E_BLiss], [LaZaRuS], Doufas, SeKt0r, nchanta, Icecream, |Xmen|, LordOfLA, F0dder, Predator, aCiDHaC, ACiD BuRN, X-Calibre, DnNuke, noos, nu, Thesmurf, defiler, Sinn0r, ^tCM^, Norika, cTT, Weazel, MisterE, Dawai, RevX, Maybird, BlackBird, FireWorx, SheeP14o, extasy_, KaOsAuS, _zoltan, Torn@do, ByteBurn, Miscreant, croc, Br4t, [ViKiNg], N|Te, Phrekie, =Metal=, B|aze, Moredhel, Seffren, Dafoe, Speedsta, Rad|cal, [Daze], VisionZ, KaKTuZ, Stilgreen, Kwazy Wabbit plus everyone else at #cdrinfo, #cracking4newbies and other chans.. and of course those whom I forgot, my deepest apologies