CHKFILES v1.5a - Tutorial

http://www.lightlink.com/ym - Webpage.
chkfl15a.zip - (175k).

Welcome readers to another tutorial. Producing a key generator seems for some reason to be beyond the ability of many good reversers; in fact there is usually nothing particularly complex about the process, especially when the good code is left in a register. CHKFILES is another of those common programs that calculates your good code on the fly by manipulating the user name.

So let's start: locate the register option and enter a name and code. I used >bpx Hmemcpy and pressed F12 7 times to gain entry into the program at address 004011FA, then stepped with F10 to the following code:

:00401275 LEA ECX,[EBP-20] <-- Name.
:00401278 PUSH ECX <-- Stack it for function.
:00401279 CALL 004010D2 <-- Calculate good code.
:0040127E POP ECX <-- Pop name from stack.
:0040127F CMP EAX,[EBP-04] <-- Compare good_code with code_entered.
:00401282 JZ 004012A4 <-- Jump_good_guy.

Once again it is far too easy for even the casual reverser to type >? EAX and note the correct code. Anyhow, let's trace into 004010D2 with F8 and examine the following code snippets, which I've taken directly from the program.

:004010EB CMP EBX,00000014 <-- Check name for 14h (20 dec).
:004010EE JLE 004010F4 <-- Jump_less.
:004010F4 CMP EBX,00000014 <-- Check name for 14h (20 dec) again.
:004010F7 JGE 00401103 <-- Jump_name_was_exactly_20.
:004010F9 MOV BYTE PTR [ESI+EBX],20 <-- Character after name moved to 20h (space).
:004010FD INC EBX <-- Counter.
:004010FE CMP EBX,00000014 <-- Check counter for 14h.
:00401101 JL 004010F9 <-- Loop.

I'll explain what's happening here. First the name is loaded into ESI and the name length into EBX; the program then checks that the name is less than 20 in length, and then whether it is precisely 20. If the name is not 20 characters long, every character position immediately after the name (up to the 20th) is set to 20h (a space); this padded buffer is then used in the next part of the algorithm.

:00401103 MOV EDX,21FB2D32
:00401108 MOV EAX,6B7C1929 <-- Hard-coded in constants.
:0040110D XOR EBX,EBX <-- EBX=0.
:0040110F XOR ECX,ECX <-- ECX=0.
:00401111 MOV CL, BYTE PTR [ESI+EBX] <-- Character pointer, i.e. 1st letter of name.
:00401114 IMUL ECX,EAX
:00401117 ADD EDX,ECX
:00401119 ADD EAX,EAX
:0040111B ADD EAX,1E470621 <-- Maths of key generator.
:00401120 INC EBX <-- Loop counter.
:00401121 CMP EBX,00000014 <-- Compare with 14h (20 dec).
:00401124 JL 0040110F <-- Loop name + space characters.

So we see how the program calculates the good code; it is now just a case of converting this code into a key generator. Remember that if the name is precisely 20 characters the program jumps immediately to the main calculation routine. I've attached the key generator I wrote quickly for this program; you should of course attempt to write your own before examining my code, but note how most of it is just copied directly from the program.
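To make the calculation concrete, here is the disassembled routine above translated into C. This is an added example written for this page, not the key generator attached to the tutorial (chkfl15a.zip). Names such as chk_step and chk_code_for_name are my own, and two details the listing does not show are assumptions: that the routine returns the EDX accumulator as its result (the value CMP EAX,[EBP-04] compares against), and that names longer than 20 characters are cut to their first 20. The point worth noting for anyone designing such a check is that the code is a deterministic function of the name and two hard-coded constants, with no secret the program does not itself carry.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHK_NAME_LEN 20u          /* 14h: the routine always works on 20 bytes */

/* Hard-coded constants from the listing at 00401103 / 00401108 / 0040111B. */
#define CHK_SEED_EDX 0x21FB2D32u
#define CHK_SEED_EAX 0x6B7C1929u
#define CHK_STEP_ADD 0x1E470621u

/* The two registers the loop at 0040110F..00401124 carries between iterations. */
struct chk_regs {
    uint32_t eax;
    uint32_t edx;
};

/* One pass of the loop body for a single name byte c. uint32_t arithmetic
 * wraps modulo 2^32 exactly like the 32-bit IMUL/ADD instructions do. */
struct chk_regs chk_step(struct chk_regs r, unsigned char c)
{
    uint32_t ecx = (uint32_t)c * r.eax;     /* MOV CL,[ESI+EBX] ; IMUL ECX,EAX */
    r.edx += ecx;                            /* ADD EDX,ECX */
    r.eax = r.eax + r.eax + CHK_STEP_ADD;    /* ADD EAX,EAX ; ADD EAX,1E470621 */
    return r;
}

/* Build the 20-byte buffer the loop reads: the name, space-padded to 20
 * (the 004010F9 loop). Names longer than 20 are cut to 20 here; that path
 * is not shown in the listing, so the truncation is an assumption. */
void chk_pad_name(const char *name, unsigned char buf[CHK_NAME_LEN])
{
    size_t len = strlen(name);
    if (len > CHK_NAME_LEN)
        len = CHK_NAME_LEN;
    memcpy(buf, name, len);
    memset(buf + len, 0x20, CHK_NAME_LEN - len);
}

/* The value the check routine compares against the code the user typed.
 * The listing ends at the loop, so returning the EDX accumulator as the
 * routine's result (the value CMP EAX,[EBP-04] sees) is an assumption. */
uint32_t chk_code_for_name(const char *name)
{
    unsigned char buf[CHK_NAME_LEN];
    struct chk_regs r = { CHK_SEED_EAX, CHK_SEED_EDX };
    chk_pad_name(name, buf);
    for (size_t i = 0; i < CHK_NAME_LEN; i++)    /* INC EBX ; CMP EBX,14h ; JL */
        r = chk_step(r, buf[i]);
    return r.edx;
}

/* Mirror of CMP EAX,[EBP-04] / JZ: returns 1 if the entered code is accepted. */
int chk_code_is_valid(const char *name, uint32_t entered)
{
    return chk_code_for_name(name) == entered;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "reader";   /* constructed sample name */
    uint32_t code = chk_code_for_name(name);
    printf("name \"%s\" -> code %08" PRIX32 " (accepted: %d)\n",
           name, code, chk_code_is_valid(name, code));
    /* Trailing spaces typed by the user change nothing: the padding loop
     * produces the same 20-byte buffer either way, so the code is identical. */
    printf("same name with trailing spaces -> accepted: %d\n",
           chk_code_is_valid("reader   ", code));
    return 0;
}
```

Because the loop always runs exactly 20 times over the padded buffer, any two names that agree on their first 20 bytes after padding produce the same code; that is why the routine must treat a 20-character name specially and why trailing spaces are invisible to it.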

As a final note, you might wish to examine the file chkfiles.ser after registering; had you run File Monitor you may have had the opportunity to study a rather poor 'missing file' protection.


© 1998 CrackZ. 6th July.