... how 2 think like a programmer ...
Reversing Engineering Lab
... from newbie to another ...

Photoline 5.06

Name : Photoline.exe - Type : Image application - Size : 2,412,544 bytes
Tools Used : Softice V3.24 - W32dasm 8.93 - Hiew 6.01
Author : Bad Gögging Computerinsel GmbH.
E-mail : support@pl32.com
Homepage : http://www.pl32.com

Intro

Hi guys ... you are now reading my fourth tutorial ... sorry if there are any grammatical errors .. hope you'll understand this piece ... thiz time we're dealing with programs written in Visual C++ ... let's rock !! ...

Overview

PhotoLine 32 is a powerful image editing application. Besides its image editing capabilities PhotoLine 32 also has all the functions of a pixel and vector painting software. Due to numerous import and export drivers and its batch capabilities it fulfills the requirements of an image file format converter. The combination of batch conversion and a powerful macro action recorder results in an extremely powerful automation tool. PhotoLine 32 has especially been developed for Windows 95/98 and Windows NT and therefore supports OLE2 as well.

Protection system

Registration is by selecting Options - Register. We're asked to enter :

Registration : [ ] [ ]

The registration code is based on what you type in the first entry. Deep within your System Registry it uses the following branch to store its license data :

HKEY_CURRENT_USER\Software\Computerinsel\PhotoLine\Settings

The essay

... Click on Options - Register ... fill out the boxes with the following entry as example :

Registration : [ 7171717 ] [ 01010 ] ... [OK] ... #bOOm# .. " Error : You entered a false serial number " ... what now ?! ...

let's see what we can get from 'dead listings' ... fire up W32Dasm and disassemble photoline.exe ... wait... ^%$& wait.... !!@#$% .... waiittt ..... done !! , click REFS - STRING DATA REFERENCE, look down for the message .... NONE !!? ... hmm ... i think Bad Gögging has read CrackZ's protection tips no.3 ??! ... that's alright guys .... this would be fun ... let's check for another 'unique' text ... snip ... snip ,,, aha ! ... "SerialNumber500" ... double click on the text ... heeii there's 3 of them :

1. * Possible StringData Ref from Data Obj ->"SerialNumber500"

... for me this looks like a value name in the registry .. run regedit .. 'n goto HKCU\Software\Computerinsel\PhotoLine\Settings ... you'll see value "SerialNumber500"="7171717 1010" ... we can attack this program by setting a breakpoint on the RegQueryValueExA function just before we run it.... but i'd like to try an easier way ....

now enter reg again .. fill out the entry with our example key .. DO NOT push [OK] yet ... CTRL+D (to get in Sice)... BPX HMEMCPY [ENTER] ... X [ENTER] ... [OK] ... #bOOm# ... F12 11 times (to get in photoline code) ... set BPX at 3 address above : BC* [ENTER] ... #bOOm# ... we're back to photoline ... move your mouse a little bit ... #bOOm# ... Break due to BPX # ... :50F012 ... heii we break in our 3'rd breakpoint .... i don't like thiz ... leave Sice (X [ENTER]) ... click on ? - About Photoline ... #bOOm# ... Break due to BPX # ... :4DA804 ... aaah .. now let's analyze the code ... keep tracing ... until we get the following code:
... we're here now ...
... we jump to 4DA97A ....
... hmm ... those 3 check routines above look very interesting to me ! ... thiz time i'd like to give you an alternative solution ( READ : Re-Coding ) for this prot scheme 'n i think thiz would be more fair (at least for me) rather than examine the keygen routine ... clear all breakpoints 'n set BPX at 004DA985 ... enter reg again with "512000" in 1'st entry 'n enter any number in 2'nd entry ... Registration : [ 512000 ] [7171717] .. [OK] ... #bOOm# .. we land here :
... Interesting ?! .... NO ???? .... 7D000h - 7DFFFh = 512000 - 516095 ... enter reg again : Registration : [ 516095 ] [7171717] .. [OK] ... #bOOm# .. we land here :
... Got it ?! ... YEAH I can see it now !! ... as long as we enter a value from 512000 to 516095 in the first entry then EAX register at 4DA985 will have a value :0007DXXX ... now let's continue executing the next code ...
... heii ... it was registered ...
... Load up photoline.exe into your favorite Hex-Editor. ... enter reg screen with any value from 512000 to 516095 in 1'st entry... you can type any number in 2'nd entry or leave it blank.

Final notes

... that's all for now ... any comment/suggestions/critics ?! ... just let me know ! ... int 21h ,,,

Greetz :

SandMan,CrackZ,tKC/All PC members, tHATDUDE, UCF, Torn@do, The Immortal Descendants, +ORC, MiB , Iczelion, GCG, ED!SON, Razzia, +Xoanon, iCECREAM, FraVia, Lord Caligo, Buckaroo Banzai, +gthorne , Mexelite , Corn2, Vizion, Manson69, nIabI, Cyborg, ^pain^, intruder, Yaan, Laxity, JoGy, nIabI [C4N/ME], MR NICK, NaTzGUL [REVOLT], Qapla', The _RudeBoy_ , BigMoM, Aphex Twin [Vandals], v√lt√_δ, eXact, YOSHi, Volatility, ZeroDay, Aescu, _CbD_, Gavin Estey, DR. Encryption, Joshua Auerbach, Klee8084, masta_, Chuck Nelson, _HaK_, Nemrod and ReN, R. DeYoung, Hugo Perez, lownoise, Hayras, YOU .....

Special Thanks:

Bad Gögging ... for giving me a challenge ... you forced me to improve my skills a little bit.

Written / Design bY : widYa-cL 2011
Page Created : 01 March 1999