http://www.epsoft.com - Webpage
tw200.zip - (2.14Mb).
TimeWizard is an interesting program to study because of its serial number key generation routine. It is not an overly complex generator, and the good serial does get echoed into memory, but the purpose of this tutorial is understanding the mechanism, not just finding the good serial and registering.
So, with a quick look in the disassembler, you should see that bad numbers finish at 004059B2. Let's launch the program. In the Help menu, select Register Now and input some details in the boxes; here I use CrackZ & 12121212. You should find that GetWindowTextA serves well as a breakpoint.
In SoftICE you shouldn't have to trace very far until you hit this code.
:0040593B MOV ECX,[ESI+5C] <-- Place name in ECX.
:0040593E XOR EAX,EAX <-- EAX=0.
:00405940 MOV [EBP-04],EBX
:00405943 MOV EDX,[ECX-08] <-- Move length of name into EDX.
:00405946 CMP EDX,EAX <-- Compare name length with 0.
:00405948 JLE 00405953 <-- Jump only once the counter in EAX has reached the name length (end of name).
:0040594A MOVSX EDI, BYTE PTR [ECX+EAX] <-- Load the current name character (sign-extended) into EDI.
:0040594E ADD EBX,EDI <-- Add it to EBX (which was 0 at the start).
:00405950 INC EAX <-- Move to next letter.
:00405951 JMP 00405946 <-- Loop till end of name reached i.e. JLE 00405953 jumps.
So here's what happens with my example name, CrackZ: the ASCII value of each letter is summed into EBX until the JLE jumps. The addends below are the hexadecimal ASCII codes; their sum is 23Eh, which is 574 in decimal, and the figures that follow are all decimal.
CrackZ = 43 + 72 + 61 + 63 + 6B + 5A = 574.
The next significant lines of code are as follows:
:00405953 LEA EDI,[EBX*8+00000000] <-- EDI holds 574 * 8 = 4592.
:0040595D SUB EDI,EBX <-- 4592 - 574 = 4018.
:00405964 ADD EDI,05 <-- Add 5 decimal = 4023 (numeric part of code).
Several functions are then called; if you trace them you will find that one of them is responsible for adding the prefix TW2 to the value calculated above. Then we reach this:
:0040599A MOV EAX,[ESI+60] <-- Serial # entered in EAX.
:0040599D MOV ECX,[EBP-14] <-- Good code.
:004059A0 PUSH EAX
:004059A1 PUSH ECX <-- Push EAX/ECX to stack.
:004059A2 CALL 004039B0 <-- Compare the good code with the entered code (string comparison).
:004059A7 ADD ESP,08 <-- Tidy stack.
:004059AA TEST EAX,EAX <-- Test whether EAX is 0, i.e. the two strings matched.
:004059AC JZ 004059F3 <-- Jump_good_buyer.
So all this protection actually does is sum up the ASCII values of the name, multiply that sum by 8, subtract the original sum and add 5 decimal (equivalent to multiplying by 7 and adding 5), then prefix the result with TW2. Because the expected code is a pure function of the name with no secret involved, and is built as a plain string in memory before being compared against the user's input, anyone who can read the routine can reproduce it. I've attached the key generator I wrote in C to this tutorial; it's a fairly obvious modification to the MemoryAnalyst code. You'll find that the good code is written out to the registry (HKEY_USERS\.Default\Software\EPSOFT\TimeWizard\USER).
I have taken the decision to remove the registration information that was here after a request by the program author; if you use his software, don't be a lamer, pay him the modest registration fee.