Here are my essays in revised form. They are gear more towards the
newbies of assembly, with somewhat better written notes.
An Essay by sYmbol
KeyLBE32.DLL, why would you use this to protect your program?
(x) Intermediate
Introduction
This little dll uses two values (Dword in length or 8 characters long in
otherwords) which are created by the dll. You are then presented these
and asked for a reg code. Hmmm, all I can say is 'Thanks for the hint!'.
Tools Required
None
Target History
No longer included. For those of you who know what target uses
KeyLBE32.DLL here is an explanation.
Essay
The KeyLBE32.DLL creates two values, Code Entry and Computer Number,
which it uses to create a valid reg code. It then writes the code into a
.lic file. Below you will find the code which I did not comment very
well since it is all math.
10007810 8B54240C mov edx, dword ptr [esp+0C]<--- Computer Number
10007814 53 push ebx
10007815 56 push esi
10007816 57 push edi
10007817 8B7C241C mov edi, dword ptr [esp+1C]
1000781B 83C734 add edi, 00000034<--- EDI is always B8
1000781E 83FA01 cmp edx, 00000001<--- Checks if the
Computer Number is greater than 1
10007821 7D05 jge 10007828
10007823 BA01000000 mov edx, 00000001<--- Replaces with 1 if it is not
10007828 8B4C2414 mov ecx, dword ptr [esp+14]<--- The Code "Entry.class" tppabs="http://fravia.org/Entry.class"
1000782C 8BD9 mov ebx, ecx
Equation Section 1
1000782E 81E3001F0000 and ebx, 00001F00<---A binary comparision. See footnote 1
10007834 C1EB08 shr ebx, 08<---Shift right. See footnote 2
10007837 8D045B lea eax, dword ptr [ebx+2*ebx]
1000783A 8D34C0 lea esi, dword ptr [eax+8*eax]
1000783D 8BC1 mov eax, ecx
Equation Section 2
1000783F 2500E00700 and eax, 0007E000
10007844 8D1CF6 lea ebx, dword ptr [esi+8*esi]
10007847 C1E80D shr eax, 0D
1000784A 05BC070000 add eax, 000007BC
1000784F 8BF0 mov esi, eax
10007851 C1E004 shl eax, 04<---Shift left. See footnote 3
10007854 03C6 add eax, esi
10007856 8D1C83 lea ebx, dword ptr [ebx+4*eax]
10007859 8BC1 mov eax, ecx
Equation Section 3
1000785B 2500007800 and eax, 00780000
10007860 C1E813 shr eax, 13
10007863 8BF0 mov esi, eax
10007865 C1E005 shl eax, 05
10007868 03C6 add eax, esi
1000786A 8D34C3 lea esi, dword ptr [ebx+8*eax]
1000786D 8BC1 mov eax, ecx
Equation Section 4
1000786F 250000807F and eax, 7F800000
10007874 81E1FF000000 and ecx, 000000FF
1000787A C1E80F shr eax, 0F
1000787D 03C1 add eax, ecx
1000787F 8D0440 lea eax, dword ptr [eax+2*eax]
10007882 2BC7 sub eax, edi
10007884 8D1CF8 lea ebx, dword ptr [eax+8*edi]
10007887 B801000000 mov eax, 00000001
1000788C 8D0C53 lea ecx, dword ptr [ebx+2*edx]
1000788F 8BD6 mov edx, esi
10007891 C1E205 shl edx, 05
10007894 2BD6 sub edx, esi
10007896 8D3C0A lea edi, dword ptr [edx+ecx]
10007899 8D147500000000 lea edx, dword ptr [2*esi+00000000]
100078A0 8B4C2410 mov ecx, dword ptr [esp+10]
100078A4 8BF7 mov esi, edi
100078A6 81E6FFFFFF7F and esi, 7FFFFFFF
100078AC 3BF1 cmp esi, ecx<--- Is ESI, your entered code,
equal to the valid code?
100078AE 740A je 100078BA<--- Hip Hip Horay!
Sooo, if your Code entry were: 1342547B and your Computer Number were
22DD89DA, EDX was > 1 then your key would be 45FF1CB9
Or if EDX < 1 as in Code entry: 1342547B and your Computer Number was
EFFAEFFF, EDX was < 1 then your key would be 440907
Footnote 1
AND Function: For those of you beginning in the world of assembly the
AND statement is a binary comparison. Let's take the number 5 and 6 for
example. If I were to say 5 and 6 it means you convert both numbers to
binary and compare them.
Binary table 8|4|2|1
Number 5= 0|1|0|1
Number 6= 0|1|1|0
Now were are comparing DIFFERENCES when using the AND statement. A 0 and
1 would give a 0 while a 0 and 0 give a 0. The only time you get 1 is
when you have a 1 and a 1. SO! with 5 and 6 you get 4.
Binary table 8|4|2|1
Number 5= 0|1|0|1
Number 6= 0|1|1|0
--------------------
New Value 0|1|0|0
This is universal through all numbers. If you have a hex number it get's
converted to binary, same for decimal or octdecimal. That little thing
call 'Calculator' that comes with Windows. Great tool for this stuff!
Footnote 2
SHR Function: This is a logical function. It shifts, too the right, the
value of the 'count' ?!?!What?!!? Let's take the hex value 10 for
example. a SHR 10,1 gives a result of 8. This table may explain this
better.
SHR dest,count
Count Table
These are hex values---->1---2<----These are decimal values
2---4
3---8
4---16
5---32
When you SHR you take your dest and do a, unsigned, divide by the count
number. So a SHR 10,2 would result in 4 (10 in hex is 16 in decimal.
16/4 is 4)
Footnote 3
SHL Function: This is a logical funtion. It shifts, too the left, the
value of the 'count'. Any ideas yet? Instead of division you multiple.
Using the same table from above you get get your answers. A SHL 10,1
gives 20 (10*2) while SHL 20,2 gives 80 (20*4)
What do SHR and SHL mean to me? The reverse? Well, besides understand
the code "better.class" tppabs="http://fravia.org/better.class" SHL, SHR are used to chop off or add bits to a value and
then stick that value in the register.
Final Notes:
The main problem with this protection scheme is that the make of
Keyleb32.DLL gave us too many clues! Just as programs that say 'Invalid
reg code' when you enter the wrong reg code give you too many clues.
I've run into main programs that do nothing or say 'Thanks!' regardless
of a valid or invalid code entry. As well, note to programmers, do not
give the reverser a straight line to your equations! If this equation
had several calls in it, say to do this or do that most people would get
confused or tired. Run that cracker around abit and see if they stay in
the game.
Ob Duh
I wont even bother explaining you that you should BUY the target
programs if you intend to use them for a longer period than the allowed
one. Should you want to STEAL software instead, you don't need to crack
the protection schemes at all: you'll find it on most Warez sites,
complete and already regged, farewell.
An essay by sYmbol
A much too simple protection scheme! Variety is the spice of life!
Rating: (X)Intermediate
Introduction:
This 'target' is a program which can perform individually scheduled
backups of your data. It can backup to a local drive, removable drive or
network drive.
Tools Needed
None!
Essay
This program uses a registration key that must be 14 characters long.
The way it creates it's key is interesting and, unfortunately for the
programmer, not hidden very well. The first 4 characters dictates how
many licenses your reg key gives you and the remaining 10 characters are
the reg key itself. The formula uses the first 4 characters plus your
registration name to create the reg key. The assembly below is the
routine which creates your reg key.
00460D4E 33C0 xor eax, eax
00460D50 55 push ebp
00460D51 68410E4600 push 00460E41
00460D56 64FF30 push dword ptr fs:[eax]
00460D59 648920 mov dword ptr fs:[eax], esp
00460D5C 8B1D90BC4700 mov ebx, dword ptr [0047BC90]<--- Move in magic
number. 7ECA
00460D62 8B45FC mov eax, dword ptr [ebp-04]<--- 1st 4 characters in
reg key and your name
into EAX
00460D65 E8D22EFAFF call 00403C3C<---Routine to calculate the length of
your name + the first 4 characters
of the reg key
00460D6A 85C0 test eax, eax
00460D6C 7E4E jle 00460DBC
00460D6E 8945E8 mov dword ptr [ebp-18], eax
00460D71 C745F401000000 mov [ebp-0C], 00000001
00460D78 33C0 xor eax, eax
00460D7A 55 push ebp
00460D7B 68A50D4600 push 00460DA5
00460D80 64FF30 push dword ptr fs:[eax]
00460D83 648920 mov dword ptr fs:[eax], esp
00460D86 8B45FC mov eax, dword ptr [ebp-04]<--- 1st 4 characters in
reg key and your name
00460D89 8B55F4 mov edx, dword ptr [ebp-0C]
00460D8C 0FB64410FF movzx eax, byte ptr [eax+edx-01]<--- Moves character's
(at the pointer) Hex
value at into EAX░
00460D91 F7EB imul ebx<--- multiples character value by in EBX with
EDX as an overflow. See footnote 1
00460D93 030590BC4700 add eax, dword ptr [0047BC90]<--- Adds 7ECA to the
result in eax
00460D99 8BD8 mov ebx, eax
00460D9B 33C0 xor eax, eax
00460D9D 5A pop edx
00460D9E 59 pop ecx
00460D9F 59 pop ecx
00460DA0 648910 mov dword ptr fs:[eax], edx
00460DA3 EB0F jmp 00460DB4
00460DA5 E93A24FAFF jmp 004031E4
00460DAA BBE7030000 mov ebx, 000003E7
00460DAF E8D426FAFF call 00403488
00460DB4 FF45F4 inc [ebp-0C]
00460DB7 FF4DE8 dec [ebp-18]
00460DBA 75BC jne 00460D78<--- Loop until all characters in the
Name: are run through
After all of the calculations are done the string is formatted as such:
Use the value in EAX
XXXX-YYYY-ZZZZ
Where XXXX is the number of licenses you recieve. The way it calulates
this is taking the value in XXXX and subtracting 237 from it. So a value
of 0238 in XXXX will result in 1 license. While the upper limit FFFF
gives you 64968 licenses.
For instance, a reg key for sYmbol with 1 license is 0238-0F0D-4A6A
While a reg key for sYmbol with 64968 licenses is FFFF-D789-D14A
Footnote 1<--- to Newbies!
IMUL function: This simply takes two values and multiplies them. BUT! If
your value exceeds a DW (double word) then overflow is carried into the
EDX register. MUL is similar to IMUL save the overflow.
Final Notes:
This program uses too SIMPLE of an equation to create a valid reg key.
All you need is to know how to multiply and you are set. Some advice to
the programer. Instead of using all of the letters in the users name,
use what would seem like random letters from the person's name. For
instance: sYmbol, only take the charaters which their ascii values are
odd or prime or even. Your choice! Perhaps doing more than just
multiplying! Or hiding your magic 'constant' value better. Say with a
call that creates the magic value and instead of writing equation
results to the registers put it in an obscure memory location.
Ob Duh.
I wont even bother explaining you that you should BUY the target
programs if you intend to use them for a longer period than the allowed
one. Should you want to STEAL software instead, you don't need to crack
the protection schemes at all: you'll find it on most Warez sites,
complete and already regged, farewell.