http://www.gttech.com/qstart.htm - Webpage.
qs32.zip - (523k).
I've written this particular tutorial to illustrate a common technique used by lazy software programmers, or by those who think they can fool people by not writing a decent protection scheme. Start QStart (here I'm using the 32-bit version); you'll easily locate the registration option, so enter a number and >bpx Hmemcpy. You should now hit F12 about 11 times; remember that the first code you hit inside the program will be stack heavy (i.e. pop ... then ret), and this can be safely skipped.
You should easily trace to this code:
:0043A7B9 MOV EAX,[EBP-14] <-- Code entered.
:0043A7BC CALL 0040387C <-- Gets length of code entered, check for 0.
:0043A7C1 CMP EBX,01
:0043A7C4 JNZ 0043A7D3 <-- Will not matter.
Now I'll warn you: prepare yourself for some really severe boredom. You'll have to step all of the code that follows with F10, because it doesn't return again. You're going to trace through several loops, the first of which uses EBX as a counter and loops (length of your code - 1) times; just watch EBX increment as you step through. After this loop, prepare for more looping and some fairly tedious maths: the program actually generates several codes from your input which are of course never verified (they are left lying easily in registers). Just stick it out with F10.
Finally you'll get to the real protection (check out the disassembly's String Reference), and maybe look at the several functions before it to observe the generation:
:0043AC35 MOV EDX,[EBP-00B8] <-- Nice guy code.
:0043AC3B POP EAX <-- Code entered.
:0043AC3C CALL 00403788 <-- Real compare.
:0043AC41 JNZ 0043AC50 <-- Jump_away_bad_guy.
So what we have here is a junk-generating program which, at the end, merely hides a hard-coded registration code. One must ask why the author didn't actually use his own maths and compare the value generated from the user's input with a hard-coded default; that would at least have meant very tedious maths for anyone reversing it. In some respects I suppose this program could have confused a reverser: a bpm on the input would almost certainly fail, I counted at least 6 functions that check there was indeed an input, and the looping may also have confused some.
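The design point above (a direct compare against a literal that the String Reference exposes, as opposed to comparing a value derived from the input) is worth seeing side by side. The following is an added illustration written for this page, not code from QStart or its author: weak_check() is the shape of the scheme the tutorial describes, key_matches_digest() stores only a digest of the key and compares it in constant time. The key string, the FNV-1a digest (a stand-in for a real hash such as SHA-256) and the function names are all constructed placeholders.

```c
/* Added illustration (not QStart's code): a hard-coded key compare
 * beside a digest compare. All key values are constructed placeholders. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Weak form: the valid key sits in the binary as a plain string, so it
 * shows up in a string-reference listing, and strcmp() stops at the
 * first mismatching byte. */
static const char WEAK_HARDCODED_KEY[] = "CONSTRUCTED-KEY-0001"; /* placeholder */

int weak_check(const char *input)
{
    return strcmp(input, WEAK_HARDCODED_KEY) == 0;
}

/* 32-bit FNV-1a over a NUL-terminated string; used here only as a
 * compact stand-in for a real cryptographic digest. */
uint32_t fnv1a32(const char *s)
{
    uint32_t h = 0x811C9DC5u;           /* FNV offset basis */
    for (; *s; s++) {
        h ^= (uint8_t)*s;
        h *= 0x01000193u;               /* FNV prime */
    }
    return h;
}

/* Constant-time equality: ORs every byte difference into an accumulator
 * so the running time does not depend on where the first mismatch is. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    return acc == 0;
}

/* Hardened form: the binary carries only expected_digest (computed once
 * by the vendor offline), never the key itself. Returns 1 on match. */
int key_matches_digest(const char *input, uint32_t expected_digest)
{
    uint32_t got = fnv1a32(input);
    return ct_equal((const uint8_t *)&got,
                    (const uint8_t *)&expected_digest, sizeof got);
}

int main(void)
{
    /* Stand-in for the vendor's offline step: digest of the real key. */
    uint32_t shipped_digest = fnv1a32("CONSTRUCTED-KEY-0001");
    printf("shipped digest: 0x%08X\n", shipped_digest);
    printf("weak_check(good)       = %d\n", weak_check("CONSTRUCTED-KEY-0001"));
    printf("weak_check(bad)        = %d\n", weak_check("CONSTRUCTED-KEY-0002"));
    printf("digest check (good)    = %d\n",
           key_matches_digest("CONSTRUCTED-KEY-0001", shipped_digest));
    printf("digest check (bad)     = %d\n",
           key_matches_digest("CONSTRUCTED-KEY-0002", shipped_digest));
    return 0;
}
```

Storing a digest keeps the key out of the string table, which is exactly what the tutorial's String Reference search relies on; it does not stop someone patching the conditional jump after the compare, since any purely client-side check can be patched. A real scheme would use a proper cryptographic hash and bind the key to user-specific data rather than one shared constant.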
Patching this program is fairly simple (although maybe not necessary). I would suggest modifying an instruction inside the CALL 00403788, but no-opping away the JNZ 0043AC50 would also work. Better still, just distribute the good code and let people treat this scheme with the contempt it deserves, and note that the author used the same code for the 16-bit version (you just can't help some programmers).
QStart v3.2b
Registration: Hex19571975