godzipv2.zip - (320k).
Welcome to my second tutorial, it will be a bit more in depth than my first. This programmer must have been on crack as you will see in a second. Also this is a weird protection because the registration code compare loop isn't inside a call (this probably indicates that the programmer didn't declare a dedicated function for his protection - CrackZ).
First run GodeZip. Now you're saying "there's no Help/About". Like I said, the programmer is on crack. Click the upper left icon of GodeZip. Go to "About" and another box will pop up, then click the ".click." button to register. Enter your license number and your corresponding code (they both have to be 7 digits [I used 1234567 and 7654321]). Now before you click OK, Ctrl+D into SoftICE and set a breakpoint on GetDlgItemTextA (bpx GetDlgItemTextA).
Ctrl+D back to the program. Click OK. Like magic you're back in SoftICE. Hit Ctrl+D again, since there are two dialog boxes for input and the second one is the one we are interested in. You need to be in GodeZip!Code, are you? YES! Hit F11 to get into the code. Now you should see something like this:
:004022B1 CMP BYTE PTR [00431311], 44 <-- Check to see if Reg. Code starts with D.
:004022B8 SETE AL <-- Flag AL if it is.
:004022BB MOVZX EDX, AL <-- Store flag in EDX.
:004022BE CMP BYTE PTR [00431308], 47 <-- Check to see if License # starts with G.
:004022C5 SETE AL <-- Flag AL again.
:004022C8 AND EAX, 000000FF <-- Polish EAX.
:004022CD AND EDX, EAX <-- (Logic result which is probably checked - CrackZ).
:004022CF MOVSX ECX, BYTE PTR [00431317]
:004022D6 MOVSX EAX, BYTE PTR [00431309]
OK, first off, those two cmp's look suspicious. Let's display the pointers (ptr).
d 431311
Well, well, look at that, it's our Reg Code (Corresponding Code). At the end of that cmp there is a 44, which is the hex ASCII code for 'D'. So that means our reg code needs to start with a 'D'. Next display the second ptr.
d 431308
It is our license number. At the end of that cmp there is a 47, which is the hex ASCII code for 'G'. So that means our License # needs to start with a 'G'. So far we have found two very important things in the code at the beginning. The License # must start with 'G' and the Reg Code must start with a 'D'. So clear your breakpoints and re-enter your code (G1234567 and D7654321). In the next part I will only explain the important parts of the code since there is quite a lot.
Hit F10 to step through the code (about 7 times) till you get to:
:004022CF MOVSX ECX, BYTE PTR [00431317] <-- Move number from your reg code into ECX.
:004022D6 MOVSX EAX, BYTE PTR [00431309] <-- Move number from your license # into EAX.
:004022DD ADD EAX, 1E <-- Add 1Eh (30 dec) to the current number in EAX.
If you display 431317 (d 431317) you will see your bogus registration number. Look at the first number on the line where you displayed 431317. In my case it was '2'. So remember that and step past ADD EAX, 1E. Now do ? EAX. You will get a letter. In my case this letter was 'O'. So substitute 'O' for '2' in your registration code. Mine is now 76543O1. Continue stepping to:
:004022EC MOVSX ECX, BYTE PTR [00431316] <-- Another position.
:004022F3 MOVSX EAX, BYTE PTR [0043130A] <-- and another.
:004022FA ADD EAX, 17 <-- Tedious relation.
Now repeat the above steps using this new ptr [00431316]. Get the number of the reg code it is using. Step past the ADD and do ? eax to get the corresponding letter for that number in your code.
Keep doing this process until you reach:
:00402398 TEST EAX, EDX <-- Here's where the check is (CrackZ).
:0040239A JZ 004023D0 <-- Deciding jump.
Now clear your breakpoints and enter your code. Mine was DKRHTIOE.
Congratulations on cracking this WinZip clone. Now delete it and never use it again because it is so lame! (the protection of course *smile*). This program is very easy to write a keygen for so go ahead and try it :).
Below I have listed the code that's important for generating your correct registration code to help you with a key generator (seems like it's just a simple relation - CrackZ).
:004022CF MOVSX ECX, BYTE PTR [00431317]
:004022D6 MOVSX EAX, BYTE PTR [00431309]
:004022DD ADD EAX, 1E
:004022EC MOVSX ECX, BYTE PTR [00431316]
:004022F3 MOVSX EAX, BYTE PTR [0043130A]
:004022FA ADD EAX, 17
:00402309 MOVSX ECX, BYTE PTR [00431313]
:00402310 MOVSX EAX, BYTE PTR [0043130B]
:00402317 ADD EAX, 1F
:00402326 MOVSX ECX, BYTE PTR [00431318]
:0040232D MOVSX EAX, BYTE PTR [0043130C]
:00402334 ADD EAX, 11
:00402343 MOVSX ECX, BYTE PTR [00431314]
:0040234A MOVSX EAX, BYTE PTR [0043130D]
:00402351 ADD EAX, 13
:00402360 MOVSX ECX, BYTE PTR [00431312]
:00402367 MOVSX EAX, BYTE PTR [0043130E]
:0040236E ADD EAX, 15
:0040237D MOVSX ECX, BYTE PTR [00431315]
:00402384 MOVSX EAX, BYTE PTR [0043130F]
:0040238B ADD EAX, 1D
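To check that the relation in the listing really is what the program tests, here is a model of the check written in Python for this page (an added example, not GodeZip's own code). It assumes the two buffers start at 00431311 (reg code) and 00431308 (license #) as displayed above, so each MOVSX address becomes an index into the typed string, and it reproduces the leading 'D'/'G' CMPs and the final TEST EAX, EDX as one boolean.

```python
# Added example: a model of the GodeZip registration check as the SoftICE
# listing describes it. Not the program's own code.
# Reg code buffer starts at 00431311 (index 0 must be 'D'), license buffer at
# 00431308 (index 0 must be 'G'); each MOVSX/MOVSX/ADD triple compares one
# reg-code byte with one license byte plus a fixed constant.

REG_BASE = 0x431311
LIC_BASE = 0x431308

# (reg-code address, license address, constant) transcribed from the listing.
RELATIONS = [
    (0x431317, 0x431309, 0x1E),
    (0x431316, 0x43130A, 0x17),
    (0x431313, 0x43130B, 0x1F),
    (0x431318, 0x43130C, 0x11),
    (0x431314, 0x43130D, 0x13),
    (0x431312, 0x43130E, 0x15),
    (0x431315, 0x43130F, 0x1D),
]


def movsx(byte: int) -> int:
    """Sign-extend a byte the way MOVSX ECX/EAX, BYTE PTR [...] does."""
    return byte - 0x100 if byte & 0x80 else byte


def failing_positions(license_no: str, reg_code: str) -> list:
    """Return the reg-code indexes whose relation does not hold (sorted)."""
    bad = []
    for reg_addr, lic_addr, delta in RELATIONS:
        reg_idx, lic_idx = reg_addr - REG_BASE, lic_addr - LIC_BASE
        if reg_idx >= len(reg_code) or lic_idx >= len(license_no):
            bad.append(reg_idx)  # input too short: that byte is never valid
            continue
        ecx = movsx(ord(reg_code[reg_idx]) & 0xFF)
        eax = movsx(ord(license_no[lic_idx]) & 0xFF) + delta  # ADD EAX, const
        if ecx != eax:
            bad.append(reg_idx)
    return sorted(bad)


def check_registration(license_no: str, reg_code: str) -> bool:
    """True only if both prefixes match and every relation holds (TEST EAX, EDX)."""
    prefix_ok = reg_code[:1] == "D" and license_no[:1] == "G"
    return prefix_ok and not failing_positions(license_no, reg_code)


if __name__ == "__main__":
    # The author's final pair from the tutorial.
    print(check_registration("G1234567", "DKRHTIOE"))  # True
    print(failing_positions("G1234567", "D7654321"))  # [1, 2, 3, 4, 5, 6, 7]
```

Because every position is a single fixed offset from one license byte, one trace through the ADDs reveals the whole relation, which is exactly why the tutorial can recover the code by stepping.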