Tarantula Release v1.9 - Tutorial

http://indian-sites.com/nostrumindia - Webpage.

I'm back once again with another tutorial. Today I'm targeting "Tarantula" (a rather competent HTML editor); of course real web designers should never resort to these sorts of tools, hand-written HTML is the only way to go. Tarantula uses a registration number as the basis of its protection, so without further ado let's launch the program and begin reversing.

Naturally you should insert a registration name and key code. As usual I'm using CrackZ & 0123456789. A >bpx Hmemcpy and 11 or so presses of F12 will bring you to this very short deciding piece of code.

:004B6EBA MOV EAX, [EBP-08] <-- Name.
:004B6EBD POP EDX <-- Code.
:004B6EBE CALL 0050D040 <-- Important_function_as_you_might_expect.
:004B6EC3 SUB EAX, 00000001 <-- Final manipulation for EAX.
:004B6EC6 JAE 004B6FDF <-- Jump_above_or_equal_(bad).

This code should be fairly obvious: as you can see, the important manipulations are performed beneath CALL 0050D040. Of course you can just NOP away the JAE live in SoftICE and the program will launch, but that patch will not work permanently, so whichever way you plan on reversing this program you're going to have to delve inside 0050D040 at some point.

The function works something like this. At the following code the user name length is checked; providing your name passes this check, the unused character positions after your name are filled with 20h (spaces). What's actually really strange about this check is that the message box prevents you from entering more than 31 characters anyhow.

:0050D097 CALL 00403EC0 <-- Get length of user name.
:0050D09C CMP EAX, 1F <-- Compare with 1F (31 decimal).
:0050D09F JG 0050D0B7 <-- Jump_name_is_too_long.

Similarly, the same function is also used to check the code length (13 being the maximum permitted). Remember also to position your hyphen correctly. The maths behind the routine is actually quite strong, with some early shifting; this would in fact be something of a challenge to reverse completely, however the code below is where our real check occurs.

:0050D236 MOV EAX, [EBP-14] <-- Value generated earlier in the routine.
:0050D239 ADD EAX, ESI <-- ESI holds first 4 characters of code (note the format).
:0050D23B XOR EDX, EDX <-- Clear EDX.
:0050D23D MOV DL, BYTE PTR [EBP-1D] <-- 5th character of code.
:0050D240 ADD EAX, EDX <-- Add 5th char.
:0050D242 XOR EDX, EDX <-- Clear EDX again.
:0050D244 MOV DL, BYTE PTR [EBP-1C] <-- 6th character of code.
:0050D247 ADD EAX, EDX <-- Add 6th char.
:0050D249 SUB EAX, [EBP-10] <-- This must result in a value ending with 00 (i.e. divisible by 100 decimal).
:0050D24C MOV ECX, 00000064 <-- ECX = 64h (100 decimal).
:0050D251 CDQ <-- Sign-extend EAX into EDX:EAX (clears EDX for a positive EAX) ready for the division.
:0050D252 IDIV ECX <-- Signed division by ECX, remainder left in EDX.
:0050D254 MOV EAX, EDX <-- Move remainder to EAX.
:0050D256 TEST AL, AL <-- Test AL (low byte of EAX) for 0.
:0050D258 JZ 0050D25F <-- Good_jump.
:0050D25F CMP EDI, DWORD PTR [EBP-14] <-- 2nd check.
:0050D262 JNZ 0050D268 <-- Bad_jump.

By working out some simple arithmetic I was able to quickly generate a code which produced a good result for the TEST AL,AL check; however, I then encountered problems with the 2nd check, which seems to use a value generated earlier in the protection. Unless you are particularly keen on reversing the maths, I advise patching; note that the registration information is stored in the registry.

Patch

:0050D258 74 05 <-- JZ 0050D25F
:0050D258 EB 05 <-- JMP 0050D25F

:0050D262 75 04 <-- JNZ 0050D268
:0050D262 90 90 <-- 2 x NOPs.
© 1998 CrackZ. 28th July 1998.