Wnboost 98 1.24 Keygenerator

0 1 0 1 0 1 0		0 1 0 1 0 1 0
Reverse Engineering Lab		Reverse Engineering Lab
Tools : Softice 3.24 - W32Dasm 8.93		from newbie to another

Screen area 1024x768 pixels

mY fuTure grOup ... frOm tHE ouTer gaLaxY

Winboost 98 1.24 Key Generator

Author

: Magellass Corp.

Email

: winboost98@kagi.com

Homepage

: http://www.magellass.com

Intro

Hi guys .. you are now reading my 9th tutorial .. this time we're gonna discuss about making keygenerator .. mind me for my bad English ... hope you can understand this piece and help you in anyway ... let's rock !

Overview

WinBoost 98 is a special utility to configure and personalize Windows 98/95 looks and feels. Using easy to use graphical user interface you can configure hundreds of Windows 98/95 hidden settings, from the Start Menu, Desktop, Accessories, Windows Explorer, to Internet Explorer. This is something you cannot do on the regular operations. In addition, you will get hundreds of selected Windows 98/95 Tips & Tricks to boost your Windows productivity and performance.

The Essay

This serial protection scheme is based on the User Name to generate a Registration Code. Needless to say, we can find the correct reg code easily but there's nothing we can learn from it .... so I'd like to have some fun here by making a keygenerator. Usually we can easily find the keygen routine just by taking a good look in deadlistings. First thing you need to know is the location of good/bad message at StringData Ref. Now let's disassemble wb98.exe and look for a good message ... and here it is :

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004D1885(C)

* Possible StringData Ref from Code Obj ->"WinBoost 98 has been registered successfully."
:004D18AC B86C1D4D00 mov eax, 004D1D6C

scroll up a little bit from here .. you should see some serial numbers .. what's this ?! .. I simply don't care .. scroll up again .. heh this looks familiar for me :

004D175D	8B55F8	mov edx, dword ptr [ebp-08]	; hmm .. is it our name ?
004D1760	8B45FC	mov eax, dword ptr [ebp-04]	; reg code ?
004D1763	E8E0FEFFFF	call 004D1648	; and this must be a call to keygen routine ...
004D1768	8D55F0	lea edx, dword ptr [ebp-10]

.. enough playing in Win32dasm and fire up SoftICE .. let's have a live concert ! Generally we can always use HMEMCPY in order to break at the target file code. Now goto the registration dialog and use Pirate Copy as Reg Name and 0101010 as Reg Code.

[CTRL]+D
BPX HMEMCPY [ENTER]
X [ENTER]

[OK] .. *boom* .. press F12 untill we land in wb98 code .. then set breakpoint at 4D11648 .. X [ENTER] .. keep tracing .. snip .. snip .. STOP !! :

004D166A	8B45FC	mov eax, [ebp-04]	; eax contain user name
004D166D	E85227F3FF	call 00403DC4	; gets name length into eax
004D1672	8BC8	mov ecx, eax	; copy to ecx
004D1674	33DB	xor ebx, ebx	; zero ebx
004D1676	33C0	xor eax, eax	; zero eax
004D1678	8945F8	mov [ebp-08], eax	; copy eax to [ebp-08]
004D167B	33F6	xor esi, esi	; zero esi
004D167D	66B80100	mov ax, 0001	; ax=1
004D1681	66BA0200	mov dx, 0002	; dx=2
004D1685	6683F910	cmp cx, 0010	; compare cx (name length) with 10h (16)
004D1689	7E04	jle 004D168F	; if less or equal jump to 004D168F
004D168B	66B91000	mov cx, 0010	; else cx=10
004D168F	6685C9	test cx, cx	; is cx=0 ? (User Name blank)
004D1692	7446	je 004D16DA	; yes : exit keygen routine .. else: nope it
004D1694	0FBFF0	movsx esi, ax	; esi=ax=1 .. use as starting char position
004D1697	8B7DFC	mov edi, [ebp-04]	; ebp-04 (name) .. copy to edi
004D169A	0FB67437FF	movzx esi, byte ptr [esi+edi-01]	; esi contain one char from name (edi) with esi as char position
			; P i r a t e_C o p y
004D169F	03DE	add ebx, esi	; ebx=ebx+esi ( the result from this loop is save in ebx)
004D16A1	6683C002	add ax, 02	; ax=ax+2
004D16A5	663BC8	cmp cx, ax	; are we finished ?
004D16A8	7DEA	jge 004D1694	; no ? then loop again
004D16AA	0FBFC2	movsx eax, dx	; eax=dx=2 .. use as starting char position
004D16AD	8B75FC	mov esi, [ebp-04]	; now esi contain our name
004D16B0	0FB64406FF	movzx eax, byte ptr [eax+esi-01]	; eax contain one char from name (esi) with eax as char position
			; P i r a t e_C o p y
004D16B5	0145F8	add [ebp-08], eax	; ebp-08=ebp-08+eax ( the result from this loop is save in ebp-08)
004D16B8	6683C202	add dx, 02	; dx=dx+2
004D16BC	663BCA	cmp cx, dx	; are we done ?
004D16BF	7DE9	jge 004D16AA	; no ? loop again
004D16C1	8BC3	mov eax, ebx	; eax=ebx
004D16C3	F7E8	imul eax	*; eax=eaxeax**
004D16C5	6955F813270200	imul edx, [ebp-08], 00022713	*; edx=ebp-0822713**
004D16CC	8D940236E7CD00	lea edx, [eax+edx+00CDE736]	; edx=eax+edx+cde736
004D16D3	8BF2	mov esi, edx	; esi=edx
004D16D5	C1E603	shl esi, 03	*; esi=esi2^3**
004D16D8	2BF2	sub esi, edx	; esi=esi-edx ... step this code (F10) ... we'll see ESI=22238000
			; ? ESI ... 572751872 ... gotcha !

That's it ... take a few minutes to understand this block of codes and draw a flowchart in your mind ... then write it out .. heh damn easy ! ... here i have written one in C++. On succesful registration the program will store our license data in system registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers\Overlays
Ijn="00802322" ; our reg code in little endian ... DWORD 22238000h = 572751872

heh .. nice try don't u think ?! ... hope next time the author will hide it in deeper place !!! ...

WARNINGS ! :
this will be a garbage in your system registry when you uninstall the program and too many garbage will decrease your system performance ! ... do u like when someone put garbage in your home ? I HATE IT !

I REALLY DON'T GIVE A F%CKIN' CARE WHERE THE SETTINGS/FILES WAS STORED BY ALL AUTHOR'S SOFTWAREZ AS LONG AS THE UNINSTALL WILL REMOVE IT ALL CLEANLY !!! ... ANYWAY NO ONE CAN HIDE ANYTHING IN MY SYSTEM !!! ...

... it should put in here :

HKEY_LOCAL_MACHINE\Software\Magellass\WinBoost98
RegisteredOwner="Pirate Copy"

Keygenerator Source

// Written in Borland C++ 5.2
// Compile with bcc filename.cpp (smaller but slower) or bcc32 filename.cpp (faster but larger)
// huh how do make it faster and smaller !
#include <iostream.h>
#include <stdio.h>
#include <conio.h>
#include <stdlib.h>

void main(void)
{
   char  name[255];
   int   oddeven=0,sw=0,pos=0,x=0,cx,reg[2];
   long  edx,esi;

   clrscr();
   cout << " Keygenerator for Winboost 1.24 bY widYa@cL 2011\n";
   cout << " Copyright (C) wOrLd cRaCkinG linK '99\n\n";
   cout << " User Name         : ";gets(name);cx=strlen(name);

   if (cx == 0) exit(0);
   if (cx > 0x10) cx = 0x10;

   while (pos < cx || sw < 2)
   {
      if (pos >= cx)
      {
         reg[x]=oddeven;
     	  x+=1;sw+=1;oddeven=0;pos=1;
      }
      else
      {
         oddeven=oddeven+name[pos];
   	  pos+=2;
      }
   }

   reg[0]= reg[0]*reg[0];
   edx   = reg[1]*0x22713;
   edx   = reg[0]+edx+0xCDE736;
   esi   = edx;
   esi   = esi << 3;
   esi   = esi-edx;

   cout << " Registration Code : " << esi << endl;
   getch();
}

Final Notes

+Thanks+ 2 aLL my friends ouTThere for the responds though it always follow with 'softwarez links' ... hopefully i'll make another tuts (untill 99 tuts .. hurraah !)

... it was not only about breaking the protection ...
let me know if you have any comments /suggestions/critics

Special Thanks

Magellass Corp for giving me a challenge ... it forced me to improve my skills a little bit ...

GOD IS THE MOST GREAT

Written / Design bY	: widYa-cL 2011
Page CreaTed	: 25 March 1999