If this tutorial helped you to learn something new please let me know ---> iwy@friko.onet.pl
So let's start the show. Run Mirc32.exe and choose Register... from the Help menu. We enter random data, for example:
Full Name: Iwan'98
Registration Code: 34343434
As we can notice, the standard breakpoints on GetWindowTextA or GetDlgItemTextA don't work. What can we do then? As usual there are quite a few solutions.
In my last tutorial (Teleport Pro) I suggested you try a breakpoint on HMEMCPY (who did try? ;-)). Let's do it then. We press Ctrl+D and type:
BPX HMEMCPY
We go back to Windows, press Register and... we are back in SoftIce. We get out once more (we are interested in the Registration Code, right?) and press F11 to get to the Mirc code. But we're not in the Mirc code yet! Of course we have to go further. So put your finger on F10 and press it until you get there (it may be a few dozen presses). Stop as soon as you are in the Mirc code. How do we know we are there? You should know if you have read my previous tut.
---------------------------
Newbies Note!
Notice that when using bpx on HMEMCPY you usually go through KERNEL32!_FREQASM just before it.
---------------------------
OK. We can see something like this:
:0043D1B5 PUSH 004D1E70
:0043D1BA PUSH 004D1BB4
:0043D1BF CALL 0048E608
Let's check what goes onto the stack.
D 4D1E70
Our serial.
D 4D1BB4
Our name.
It's useful to remember these addresses.
So we probably are in the right place to start our analysis :-)
We step into the call at 0043D1BF and after a few presses of F10 we see:
:0048E606 MOV ESI,[EBP+0C]
:0048E611 MOV EBX,[EBP+08]
:0048E614 PUSH EBX
:0048E615 CALL 004B39C8
Hmm, maybe we wonder what goes into ESI after 0048E606?
Let's check it.
D EBP+0C
There is nothing obviously important in the data window but... remember when we recently read from right to left? The first line in the data window starts like this:
:0087F9F8 70 1E 4D 00 ....etc.
Remember where our serial was? At 004D1E70. Let's read these numbers from the data window 'from the other side'. Kewl, we've got our serial's address!
You can analyse MOV EBX,[EBP+08] the same way.
---------------------------
Newbies Note!
To make life easier you could just type
D *(EBP+C)
to get the same thing. Cool, huh?
---------------------------
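As an added example (not code from the original tutorial), a small C program that does what the two notes above describe by hand: it parses the hex columns of a SoftIce `D` line and assembles the first four bytes little-endian, which is exactly the 'read from the other side' trick that `D *(EBP+C)` spares you. The dump lines are the ones quoted above (the [EBP-04] line padded to four bytes); the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assemble an x86 dword from four bytes in memory order. x86 is little-endian:
 * the least significant byte is stored first, so a data window showing
 * "70 1E 4D 00" holds the value 004D1E70, read "from the other side". */
uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the hex byte columns of a SoftIce "D" line such as
 * ":0087F9F8 70 1E 4D 00" into out[]; returns the number of bytes parsed.
 * The address before the first space is skipped; parsing stops at the
 * first token that is not a hex byte (e.g. "...."). */
size_t parse_dump_line(const char *line, uint8_t *out, size_t max)
{
    const char *p = strchr(line, ' ');
    size_t n = 0;
    unsigned v; int used;
    if (p == NULL)
        return 0;
    while (n < max && sscanf(p, " %2x%n", &v, &used) == 1) {
        out[n++] = (uint8_t)v;
        p += used;
    }
    return n;
}

/* What "D *(EBP+C)" saves you: take the first dword of a dump line as a
 * little-endian value/pointer. Returns 0 if fewer than four bytes are present. */
uint32_t dword_from_dump_line(const char *line)
{
    uint8_t buf[4];
    if (parse_dump_line(line, buf, sizeof buf) < 4)
        return 0;
    return read_le32(buf);
}

int main(void)
{
    /* Constructed input: the two data-window lines quoted in the tutorial. */
    printf("[EBP+0C] -> %08X (the serial's address)\n",
           dword_from_dump_line(":0087F9F8 70 1E 4D 00"));
    printf("[EBP-04] -> %08X (first part of the serial, as a number)\n",
           dword_from_dump_line(":0087F9CC 6A 0D 00 00"));
    return 0;
}
```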
OK, we F8 into CALL 004B39C8. Notice that before this call the value from EBX was pushed onto the stack (our name).
---------------------------
Newbies Note!
Usually when there is FFFFFFFF in the ECX register the procedure counts the number of characters in our serial or name.
---------------------------
We step (F10) to RET and return from the procedure. As we can see there is 7 in EAX. Correct! Iwan'98 has exactly 7 characters.
Further we see:
:0048E61B CMP EAX,05
:0048E61B JAE 0048E624
The number of characters is compared to 5, and the jump on the line below 'lets go' only when it's equal to or greater than it. We meet this demand. OK, let's get some more:
:0048E626 CALL 0048E528
Besides PUSHing our name and serial we see:
:0048E534 PUSH 2D
What is 2D? If you are not familiar with hex numbers do:
? 2D
It's a dash ('-'). There is a CALL two lines later. Inside it we find something like this:
:004B3989 MOV EDI,EDX
:004B398B MOV AL,[EBP+0C]
:004B398E REPNZ SCASB
:004B3990 JNZ 00483998
Our serial is in EDI and '-' goes to AL (so there is 2D in EAX). If the dash is not found in the serial, the jump sends us ultimately to 'Bad_Boy_Go_Away'.
Well, we know now that there MUST be a dash in our serial! For the moment we have to stop the code analysis. We go back to the register window (disable the bpx before it!: BD 0 ;-)).
We correct our fake serial from 34343434 to 3434-5656. Back in SoftIce we enable (BE 0) our breakpoint. What next? We do everything we did before till we get to :004B3990 (if you were smart enough you breakpointed this line earlier :-)).
This time the jump won't be executed so we can analyse Mirc code further.
:004B3992 LEA EAX,[EDI-01]
One part of our serial goes to EAX. We go through RET and find:
:0048E550 CALL 004B8D5C
and later
:0048E577 CALL 004B39C8
I leave a detailed analysis of these two CALLs to the persistent ones ;-) I suggest only two things:
1. The first CALL checks whether the characters in our serial are in the range <0;9>.
2. The second one counts the number of characters in our name once more :-) (???).
Starting at
0048E594 MOVZX ESI,BYTE PTR [ECX]
a real serial is calculated (actually the first part of it). You must patiently go through this piece of code.
We see:
:0048E5B0 CMP EBX,[EBP-04]
What a nice compare :-) Let's check what we can find at [EBP-04]:
D EBP-4
You already know the 'right-to-left reading'. In the data window we see:
:0087F9CC 6A 0D 00 ....
so we check:
? 0D6A
Actually if you have learned something from my tutorial you'd rather do:
D *(EBP-4)
Did you? Good boy ;-)
Kewl, it's our serial (up to the dash). What do you think it is compared to?
? EBX
Yes, it's the first part of the REAL serial :)). Write it down!
There is a jump one line below:
:0048E5B3 JZ 0048E5B9
At the moment Mirc doesn't feel like jumping to that address. Why? Well, the comparison above didn't give ZERO (because both sides weren't equal).
---------------------------
Newbies Note!
The compare instruction (CMP) subtracts one value from the other. If the values are equal the result is ZERO and the Z(ero) flag is set.
---------------------------
OK, let's get back to the code. To execute this jump we could go back to the registration window and change the part of the serial we already know. Do it if you wish! I prefer a faster solution. At:
:0048E5AE JZ 0048E5B9
we change the Z(ero) flag:
R FL Z
Now Mirc is willing to co-operate ;-) Kewl.
Right after that jump we see a piece of code that looks pretty familiar. Starting at :0048E5CD the second part of our serial is being calculated. You have to be patient once more (patience is an important feature of a good reverser!) till:
:0048E5F0 CMP EBX,[EBP-08]
I guess you know what it means. Just check:
D *(EBP-8)
It's time to end our game.
? EBX
Yep, that's the 2nd part of the REAL serial!
Now the Mirc protection mechanism is as clear as Moskovskaia vodka ;-) If something was not understandable, or this tutorial helped you to improve your knowledge of reverse engineering, please let me know.