NetZip65025.txt (Reverse Code Engineering RCE CD, +Sandman 2000), 2000-05-25
Hi,
I have NetZip Deluxe 6.5. The URL is
ftp://ftp.download.com/pub/win95/utilities/NetZIP.exe
The author of this software plays a funny trick. I will try to explain this trick. This essay is quite long. Please forgive me
for my poor English.
You know that your serial number should be 8 chars long. Here is the check (in
Evalware.dll):
(I have removed some stupid comments made by W32Dasm)
:100017B0 8B542404 mov edx, dword ptr [esp+04]
:100017B4 53 push ebx
:100017B5 8BD9 mov ebx, ecx
:100017B7 57 push edi
:100017B8 8BFA mov edi, edx
:100017BA 83C9FF or ecx, FFFFFFFF
:100017BD 33C0 xor eax, eax
:100017BF F2 repnz
:100017C0 AE scasb
:100017C1 F7D1 not ecx
:100017C3 49 dec ecx
:100017C4 83F908 cmp ecx, 00000008;Check the length
:100017C7 7405 je 100017CE
:100017C9 5F pop edi
:100017CA 5B pop ebx
:100017CB C20400 ret 0004
:100017CE 8BFA mov edi, edx
:100017D0 83C9FF or ecx, FFFFFFFF
:100017D3 33C0 xor eax, eax
:100017D5 56 push esi
:100017D6 F2 repnz
:100017D7 AE scasb
:100017D8 F7D1 not ecx
:100017DA 2BF9 sub edi, ecx
:100017DC 8BC1 mov eax, ecx
:100017DE 8BF7 mov esi, edi
:100017E0 8BFB mov edi, ebx
:100017E2 C1E902 shr ecx, 02
:100017E5 F3 repz
:100017E6 A5 movsd
:100017E7 8BC8 mov ecx, eax
:100017E9 83E103 and ecx, 00000003
:100017EC F3 repz
:100017ED A4 movsb
:100017EE 8BCB mov ecx, ebx
:100017F0 E83B010000 call 10001930 ; SubroutineA
After checking the length of your serial, it calls a subroutine at 10001930 to
process your serial (let's call this subroutine SubroutineA). I use "19740907"
as my fake serial number. The output of SubroutineA is an 8-byte array.
For me this array is:
char OutputArray[8]={ 0x39,0x31,0x3F,0x3C,0x38,0x31,0x38,0x07};
Then it checks OutputArray[2] (the array starts at offset 9 of the object, so [ebx+0B] is OutputArray[2]):
:100017F5 8A4B0B mov cl, byte ptr [ebx+0B]
:100017F8 33C0 xor eax, eax
:100017FA 80E10F and cl, 0F
:100017FD 5E pop esi
:100017FE 80F90A cmp cl, 0A
:10001801 5F pop edi
:10001802 0F94C0 sete al ;Good guy if cl==0A
:10001805 5B pop ebx
:10001806 C20400 ret 0004
In order to make it return 1, I have to change my serial from "19740907" to
"19T40908". This time the array is { 0x36,0x3E,0x2A,0x33,0x37,0x3E,0x37,0x08}.
The body of SubroutineA is here (easy to understand):
:10001930 51 push ecx
:10001931 53 push ebx
:10001932 8A5C2407 mov bl, byte ptr [esp+07];
:10001936 BA07000000 mov edx, 00000007 ;index of array
:1000193B 8A040A mov al, byte ptr [edx+ecx];get a char
:1000193E 3C60 cmp al, 60
:10001940 7604 jbe 10001946
:10001942 04C3 add al, C3
:10001944 EB26 jmp 1000196C
:10001946 3C40 cmp al, 40
:10001948 7608 jbe 10001952
:1000194A 3C5B cmp al, 5B
:1000194C 7304 jnb 10001952
:1000194E 04C9 add al, C9
:10001950 EB1A jmp 1000196C
:10001952 3C2F cmp al, 2F
:10001954 7608 jbe 1000195E
:10001956 3C3A cmp al, 3A
:10001958 7304 jnb 1000195E
:1000195A 04D0 add al, D0
:1000195C EB0E jmp 1000196C
:1000195E 3C2B cmp al, 2B
:10001960 7504 jne 10001966
:10001962 B03E mov al, 3E
:10001964 EB06 jmp 1000196C
:10001966 3C2D cmp al, 2D
:10001968 7524 jne 1000198E
:1000196A B03F mov al, 3F
:1000196C 83FA07 cmp edx, 00000007 ;The last char ?
:1000196F 7509 jne 1000197A
:10001971 8AD8 mov bl, al
:10001973 F6D3 not bl
:10001975 80E33F and bl, 3F
:10001978 EB02 jmp 1000197C
:1000197A 32C3 xor al, bl
:1000197C 88440A09 mov byte ptr [edx+ecx+09], al ;Save the result
:10001980 4A dec edx
:10001981 83FAFF cmp edx, FFFFFFFF
:10001984 7FB5 jg 1000193B ;continue the loop
:10001986 B801000000 mov eax, 00000001
:1000198B 5B pop ebx
:1000198C 59 pop ecx
:1000198D C3 ret
:1000198E 33C0 xor eax, eax
:10001990 5B pop ebx
:10001991 59 pop ecx
:10001992 C3 ret
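To check the reading of SubroutineA, here is an added C transcription of it (written for this note, not code from the essay or from NetZip). It reproduces the two OutputArray values quoted above for "19740907" and "19T40908" and the two tests the essay describes on that array; the names subroutine_a, output_matches, serial_passes_check and serial_registry_slot are chosen here.

```c
#include <stdint.h>
#include <string.h>

/* Lifted from SubroutineA (10001930): one serial char -> 6-bit value, or -1
 * for a char the routine rejects (the xor eax,eax / ret path at 1000198E). */
static int map_char(unsigned char c)
{
    if (c > 0x60)             return (uint8_t)(c + 0xC3); /* 'a'.. (no upper bound) */
    if (c > 0x40 && c < 0x5B) return (uint8_t)(c + 0xC9); /* 'A'-'Z' -> 0x0A.. */
    if (c > 0x2F && c < 0x3A) return (uint8_t)(c + 0xD0); /* '0'-'9' -> 0x00.. */
    if (c == '+')             return 0x3E;
    if (c == '-')             return 0x3F;
    return -1;
}

/* The edx loop, index 7 down to 0: the last char seeds bl = ~value & 0x3F and
 * every earlier char is xored with it. Returns 1 or 0 like eax in the original. */
int subroutine_a(const char serial[8], uint8_t out[8])
{
    uint8_t key = 0;
    for (int i = 7; i >= 0; i--) {
        int v = map_char((unsigned char)serial[i]);
        if (v < 0) return 0;
        if (i == 7) key = (uint8_t)(~v) & 0x3F;
        else        v ^= key;
        out[i] = (uint8_t)v;
    }
    return 1;
}

/* Compares the transcription's output with an array observed in the debugger. */
int output_matches(const char serial[8], const uint8_t expect[8])
{
    uint8_t out[8];
    return subroutine_a(serial, out) && memcmp(out, expect, 8) == 0;
}

/* The "good guy" test at 100017FE: OutputArray[2] & 0x0F must equal 0x0A. */
int serial_passes_check(const char serial[8])
{
    uint8_t out[8];
    return subroutine_a(serial, out) && (out[2] & 0x0F) == 0x0A;
}

/* The registry slot at 10001B65: OutputArray[0] & 0x3F, the %d in "%ddata". */
int serial_registry_slot(const char serial[8])
{
    uint8_t out[8];
    return subroutine_a(serial, out) ? (out[0] & 0x3F) : -1;
}
```

Because the last char only seeds a 6-bit xor key and every other char is mapped independently, each output byte depends on just two serial chars, which is why the author could adjust one position at a time.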
Then it saves your fake serial to the Windows registry. But the names of the keys
in the registry are determined by OutputArray[0]. This is very important!
Here is the code:
:10001B5E 8A4609 mov al, byte ptr [esi+09] ;get OutputArray[0]
:10001B61 8D4C2410 lea ecx, dword ptr [esp+10]
:10001B65 83E03F and eax, 0000003F ; OutputArray[0] & 0x3F
:10001B68 C644242001 mov [esp+20], 01
:10001B6D 50 push eax
* Possible StringData Ref from Data Obj ->"%ddata" ;generate key name
|
:10001B6E 68ACF00110 push 1001F0AC
:10001B73 51 push ecx
:10001B74 E82FB70000 call 1000D2A8
:10001B79 8A5609 mov dl, byte ptr [esi+09] ;OutputArray[0]
:10001B7C 83C40C add esp, 0000000C
:10001B7F 83E23F and edx, 0000003F ;OutputArray[0] & 0x3F
:10001B82 8D44240C lea eax, dword ptr [esp+0C]
:10001B86 52 push edx
* Possible StringData Ref from Data Obj ->"%durl" ;generate key name
|
:10001B87 68A4F00110 push 1001F0A4
:10001B8C 50 push eax
:10001B8D E816B70000 call 1000D2A8
:10001B92 83C40C add esp, 0000000C
:10001B95 8BCE mov ecx, esi
:10001B97 E834FDFFFF call 100018D0
:10001B9C 8D4C2414 lea ecx, dword ptr [esp+14]
:10001BA0 8D542408 lea edx, dword ptr [esp+08]
:10001BA4 51 push ecx
:10001BA5 52 push edx
:10001BA6 6A00 push 00000000
:10001BA8 683F000F00 push 000F003F
:10001BAD 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"Application Global Data"
|
:10001BAF 68B4F00110 push 1001F0B4
:10001BB4 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"sbi"
|
:10001BB6 68A0F00110 push 1001F0A0
:10001BBB 6800000080 push 80000000
* Reference To: ADVAPI32.RegCreateKeyExA, Ord:011Bh
|
:10001BC0 FF1534750210 Call dword ptr [10027534]
:10001BC6 8B442410 mov eax, dword ptr [esp+10]
:10001BCA 8B4C2408 mov ecx, dword ptr [esp+08]
* Reference To: ADVAPI32.RegSetValueExA, Ord:0141h
|
:10001BCE 8B3D38750210 mov edi, dword ptr [10027538]
:10001BD4 6A08 push 00000008
:10001BD6 56 push esi
:10001BD7 6A01 push 00000001
:10001BD9 6A00 push 00000000
:10001BDB 50 push eax
:10001BDC 51 push ecx
:10001BDD FFD7 call edi
:10001BDF 8B7614 mov esi, dword ptr [esi+14]
:10001BE2 8B44240C mov eax, dword ptr [esp+0C]
:10001BE6 8B4C2408 mov ecx, dword ptr [esp+08]
:10001BEA 8B56F8 mov edx, dword ptr [esi-08]
:10001BED 52 push edx
:10001BEE 56 push esi
:10001BEF 6A01 push 00000001
:10001BF1 6A00 push 00000000
:10001BF3 50 push eax
:10001BF4 51 push ecx
:10001BF5 FFD7 call edi
:10001BF7 8B542408 mov edx, dword ptr [esp+08]
:10001BFB 52 push edx
* Reference To: ADVAPI32.RegCloseKey, Ord:0117h
|
:10001BFC FF1530750210 Call dword ptr [10027530]
For my fake serial, OutputArray[0] is 0x36.
0x36 & 0x3F = 0x36 (54 in decimal)
So the keys in the Windows registry are:
\HKEY_CLASSES_ROOT\sbi\54data (my fake serial)
\HKEY_CLASSES_ROOT\sbi\54url (empty)
This puzzled me. How does it read my serial when it starts? It doesn't know
the registry key name, because the registry key name is determined by my fake
serial!
I used Regmon to see which registry keys it reads when it starts. I found that
it always uses
\HKEY_CLASSES_ROOT\sbi\11data and
\HKEY_CLASSES_ROOT\sbi\11url.
That means 54 should be 11! This is the trick!!!
In other words, the following requirement should be met:
OutputArray[0] & 0x3F = 11
I have used
bpx RegQueryValueExA if *(esp->8)=='11da' do "db esp+14"
as a breakpoint and traced my fake serial, but found nothing new (if you find
something useful, please let me know. My mail is happynetguy@163.net).
Now we can figure out the correct serial.
I have found another subroutine which produces the serial, provided
that its input is OutputArray[ ]. Let's call it SubroutineB.
serial number ----> SubroutineA -----> OutputArray[ ]
OutputArray[ ] ----> SubroutineB -----> serial number
OK, with SubroutineB we can write a key maker now.
Here is the body of SubroutineB:
:100018D0 56 push esi
:100018D1 8BF1 mov esi, ecx
:100018D3 BA07000000 mov edx, 00000007
:100018D8 8A4E10 mov cl, byte ptr [esi+10]
:100018DB F6D1 not cl
:100018DD 80E13F and cl, 3F
:100018E0 8A443209 mov al, byte ptr [edx+esi+09]
:100018E4 83FA07 cmp edx, 00000007
:100018E7 7402 je 100018EB
:100018E9 32C1 xor al, cl
:100018EB 3C0A cmp al, 0A
:100018ED 7304 jnb 100018F3
:100018EF 0430 add al, 30
:100018F1 EB26 jmp 10001919
:100018F3 3C09 cmp al, 09
:100018F5 7608 jbe 100018FF
:100018F7 3C24 cmp al, 24
:100018F9 7304 jnb 100018FF
:100018FB 0437 add al, 37
:100018FD EB1A jmp 10001919
:100018FF 3C23 cmp al, 23
:10001901 7608 jbe 1000190B
:10001903 3C3E cmp al, 3E
:10001905 7306 jnb 1000190D
:10001907 043D add al, 3D
:10001909 EB0E jmp 10001919
:1000190B 3C3E cmp al, 3E
:1000190D 7504 jne 10001913
:1000190F B02B mov al, 2B
:10001911 EB06 jmp 10001919
:10001913 3C3F cmp al, 3F
:10001915 7502 jne 10001919
:10001917 B02D mov al, 2D
:10001919 880432 mov byte ptr [edx+esi], al
:1000191C 4A dec edx
:1000191D 83FAFF cmp edx, FFFFFFFF
:10001920 7FBE jg 100018E0
:10001922 5E pop esi
:10001923 C3 ret
That's all. Thank you.