During all the page of this tutorial step by step explanation is making in order to show how take the right serial and how manipulate code to take serial directly from the program, also at the end of this tut a simple VB60 keygen is builded for this application.

Load the executable into Olly and execute it (press F9):

Fig. 3 Executable main window.

You can look on the caption the “This is a trial version” text, this means that program is into trial mode then we have to make some work to force registration.
Go to the Help menu and select Register.. submenu, a new window appear (figure 5):

Fig. 4 Select the registration menu.

 
Fig 5 Registration window.

Now write your name and fake registration number (write a simple registration code, it will be useful when you made the debugging step and must recognize when and where serial is readed and stored), for example:

Fig. 6 Fake registration data.

When you press the Register button an error message arise:

Fig. 7 Error message.

Go into the OllyDbg code window, press F12 to stop OllyDbg, and look into the stack just before the first error message (scroll down into the stack window):

Fig. 8 Snipped of the stack.

Press CTRL+G (or right click and select Go To -> Expression) then write 004347DE:

Fig. 9 MessageBox snippet code.

Well, return address from this section is 004118A0 (look at figure 8), then press again CTRL+G and write this address, you land into this nice piece of code:

Fig. 10

To choose the good boy section you must backtrace until you reach the 0041188D address, look at the left there is an entry mark, this means a jump from some location to this point, to find the address just click on this address and show on the panel window:

Fig. 11 Find how the conditional jump is.

Now go to the 0041181F address, just right click on panel:

Fig. 12 Go to the to the conditional jump.

Well, obviously you can jump directly because this is clear if you see figure 8, but i like to explain this in a detailed manner because can be useful from general point of view.
Now place a breakpoint on the 0041181D address because, after this test, zero flag can be changed end conditional jump executed or not, in our case conditional jump is executed when EAX value is different from EBP value.
Run program (press F9) and then insert name and fake number again, OllyDbg break on 0041181D:

Fig. 13 OllyDbg break on our breakpoint.

look into the register window:

Fig. 14 Register window during the breakpoint.

you have:

   EAX = 0x499602D2
   EBP = 0x0026A8F9

try to convert EBP value into the equivalent number coded in base 10:

   EBP = (2533625)10

Then try to insert the name and the new EBP converted value into the registration window:

Fig. 15 Write now the hypothetical right serial.

Then press the Register button:

Fig. 16 Wow, registration success!

Registration was successfully (this is what’s program tell us…), press OK:

Fig. 17 Main window after registration message.

Uhm … nothing has changed, then you can restart the program in order to show if registration take effect, press the close button and again the registration form is showed.

Fig. 18 When you try to close the program the registration form is showed again.

Uhm … place again your name and hypothetical serial and the press Register …, OllyDbg break in our breakpoint on 0041181D, press F9 and program tell us to quit and restart to take registration effect.

Close OllyDbg, run the executable and show the caption for the main window:

Fig. 19 Close OllyDbg and run the executable.

Well done cracker, program was been registered without patching it, i think, about this, which is similar to CrackMe instead than a real program, but can be useful exercise make some stuff around this application for example a keygenerator.

Keygenerator means find the routine which make the serial check and then reverse it in order to find how the serial is generated or checked.
There is many methods to do serial protection, some came only from the user name, other with ID from our PC and can be made using hash table or other complex algorithm. Better techniques make nothing compare from calculated serial and entered serial but mainly make a check calculus, in this mode the right serial isn't showed, poor technique make calculus of right serial and then put it in clear form into some register or memory location or stack before compare it with the entered serial. In this tutorial the last techique is employed and how you can see this is a very poor method.

Serial generation is made first and late compared with serial entered by user, serial algorithm is very simple and code reside from 004117D9 to 004117FF addresses.

----------------------------------
Searching the generation routine
----------------------------------

To find this place you must make some backtracing from check code (CMP EBP,EAX) which is on 0041181D.
When you make the registration check OllyDbg stop on 0041181D breakpoint, now you can see on the registry window (right section of code window) EBP with the right value, then scroll up trough the code until you reach the first call into 0041180A address. Put a breakpoint inside this call and make another registration check, our purpose is check if the EBP register keep the right value or not before execute the call. When you have do the registration check, EPB value in registry window is correct, then serial calculation should be before this call. Now scroll up again through the code, we can't find other call or jump instruction far to this code section, but you can look a nice assignement:

004117FF . 8DAC8A 155E01>LEA EBP,DWORD PTR DS:[EDX+ECX*4+15E15]

Well this is the first EBP assignement which keep on EBP the right serial, this is made with EDX, ECX and a fixed value equal to 0015E15, this register is updated some address before, now you can easily recognize the serial generation algorithm:

1- there is a loop on each character from the name string, EAX is the pointer, and inside this is made the first
    calculus, sum of each character ASCII code (MOVSX EBP... and ADD EDX,EBP instruction).
2- this sum, which is stored in EDX, is moved in EAX and then a new calculus is made. We've SHL EAX,6
    instruction, which is equivalent to multiply by 2^6=64.
3- EAX is added with EDX (ADD EAX,EDX)
4- ECX is updated with EAX+EAX*8
5- Then final value for EPB is updated, we have EBP = EDX+ECX*4+0x0015E15 (N.B. 0x0015E15 = 89621 in
     base 10)

Fig. 20 Serial generation routine.

Below there is a simple VB60 source code to make your personal simple keygenerator for this application:

  
Fig. 21 Serial generation routine coded in VB60.

If you like make the keygeneration in VC++.NET language there is a snippet of the main routine:

Fig. 22 Serial generation routine coded in VC++.NET

At each keypressing the OnEnChangeEditname routine is called, first you can check if there are valid char on the name field (no more check is made for sake of simplicity, only a null string check is given), then there is the loop calculation on each character of the name typed into the Name Edit Control, next calculation is just explained during the code analysis.

Fig. 23 Form for the keygenerator.

Program came with very simple protection, then this is like a big CrackMe with some useful stuff about MP3 isn’t it? ;-)

This is a very simple tut, just for our brain relax between hard manual unpack and other interesting stuff, but i hope this can be useful to better understand simple code analysis and backtracing with OllyDbg and to make some think about serial protection method.

Remember, if you plan to use this software you must purchase the product in order to support the author to develop other good software.

Any suggest, correction or criticism is welcome, if you need help about this tutorial or other stuff you can reach me on ARTeam forum.

[MAIN TEAM]
| Nilrem | Ferrari | MaDMAn_H3rCuL3s | EJ12N | Kruger | Shub-Nigurrath | Jdog45 | Teerayoot | R@Dier |

[TRIAL MEMBERS]
| ThunderPwr | Eggi |

 

ThunderPwr