  1. #1 (Junior Member, joined May 2016, 2 posts)

    Basic Reverse-Engineering Explained

    Disclaimer

    I do not condone the illegal modification of proprietary software in order to circumvent mechanisms put in place to preserve the integrity of copyrighted materials; nor do I wish to breach the DMCA. With that said, information should still flow freely and knowledge, regardless of how taboo, should be shared among a community of intellectual peers. I am not liable for anything the user-base of this community may do with the supplied knowledge.

    Reverse engineering is an art; not a mere means to an end, but the first step to achieving digital awareness in a world of secrets. A man who finds an unlocked door may see the truth for a moment, but a man who can craft his own keys will see the truth for eternity.

    EDIT: This post has been modified as of Tuesday, May 18th, 2010. Almost all technical information remains the same. Reviewing this post after several years, I decided it was time to fix some glaring grammar and punctuation mistakes. I like to think I replaced them with much less noticeable mistakes.

    I have added information, and fixed many mistakes. I will continue to fix mistakes as I feel like it.

    The original method I explained is also highly inefficient, but this was written back in 2004. Just keep your eyes peeled for updates and minor fixes if anyone still follows this post.

    Tracing The Algorithm

    We will be reviewing a security mechanism known as offline serial authentication. This method, while commonplace, falls victim to a few key elements:

    A) It assumes that the person with a unique serial number is a paying customer and should have full access to the software.

    B) It also assumes the serial number has been issued to that individual by the developers of said software.

    C) It verifies information in an environment that is under the end-user's control.

    If you would like to use a serial authentication system in your application, you should look into verifying each serial number against an online database. You can check them against a whitelist or blacklist, depending on the amount of work one would like to put in.

    Whitelist Filtering: This will allow you to allow or disallow access to your application based on what serial numbers you know are valid. I personally like this method, because it only requires me to keep track of data I am already sending to my customers, and I can also attach each serial number to a unique account, Internet Protocol address, and other identifying bits of data to minimize the risk of this serial number being shared across the Internet.

  2. #2 (Junior Member, joined May 2016)

    As you can see in the string references above, we can go to different vital parts of this application, such as: when the application accepts a serial, when it rejects a serial, and the variable used to store information.

    We will take a look at the variable (%X) string, and as expected nothing much is in that function except for a few pushes; however, if we scroll up just a little bit we see the following:

    Code:
    * Reference To: USER32.SendMessageA, Ord:01C0h
    |
    :004010DC E8DE000000 Call 004011BF
    :004010E1 83F803 cmp eax, 00000003
    :004010E4 0F8C93000000 jl 0040117D
    :004010EA 8BD0 mov edx, eax
    :004010EC 33C9 xor ecx, ecx
    :004010EE 33DB xor ebx, ebx


    We take note of this function because of the reference to the SendMessage API. In this specific application it is used to grab the information that we entered into the program. Here is a description of the following function(s):

    Code:
    :004010E1 83F803 cmp eax, 00000003
    :004010E4 0F8C93000000 jl 0040117D


    The section of code above will take the information we entered into the name field of the program and check its length. If the length is less than the decimal value three (3), the program will simply start from the beginning until we enter a name that has a length greater than the decimal value of three (3).

    Code:
    :004010EA 8BD0 mov edx, eax
    :004010EC 33C9 xor ecx, ecx
    :004010EE 33DB xor ebx, ebx


    The section of code above will move eax into edx, and then xor ecx and ebx against themselves to reset the registers to the value of zero (0). Now scroll down just a bit, and you will see the following:

  3. #3


    We take eax (which has the hex value of the character), xor it by the hex value 00031337, add what we have in eax by the value DEADBEEF, multiply the value of eax by the value of 00000666, subtract the value of eax by the hex value 1BADBAB3, shift three places to the left, and last we xor the current value of eax by D34DD00D. Then we store the answer to all of the calculations into ebx so at the end of the loop ebx will hold a valid serial number.


    The Loop

    Code:
    :00401116 41 inc ecx
    :00401117 3BD1 cmp edx, ecx
    :00401119 75D5 jne 004010F0


    Ecx is incremented by one (1) and then compared against edx (which holds the length of the name that we entered; for example, if we entered "CAT" this value would be three (3)). If ecx is not equal to edx, we continue to cycle the loop.

    That basically means ecx gains one (1) each loop, and when ecx is equal to the number of characters in the name it will stop the loop, because the serial number has been created.




    Keygen Description

    Now we have successfully figured out how the program generates the serial and the mathematics behind it. So now we can create a keygen for it.

    If you are proficient in assembly, you can basically just take all of the mathematical operations in that code and slightly modify them to get a fully working keygen, but if you use another language to write the keygen you will simply have to apply the mathematics. Here is a description of how the keygen should operate in plain English.


    * Take the input for a username

    * Take each character of that name, get its ASCII value, and then convert that into hex. (By each character I simply mean one character at a time; for example, "Troopa" would be taken apart each loop like "T" - "R" - "O" - "O" - "P" - "A".) Then simply apply the mathematics to the current string.

    * Xor the current string in the loop by the hex value 00031337, add that value by DEADBEEF, multiply that value by 00000666, subtract that value by the hex value 1BADBAB3, shift three places to the left of the string, and last we xor the current value of the string by D34DD00D. Then we store the answer to all of the calculations into a new variable each loop so at the end of our loop that variable holds a valid serial number.

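    Here is the keygen described above, written out in Python. This is an added example, not code from the original post or from Troopa, and the page does not show the loop body between 004010F0 and 00401116, so three things are assumptions: every step wraps at 32 bits (eax is a 32-bit register, and the post never mentions truncation), the name is ASCII and walked one byte at a time, and ebx is simply overwritten with each character's result, exactly as the post words it, rather than accumulated. The check_serial function is the offline check from point (C) of the first post: the same math runs on the user's machine, which is why reading it is enough to regenerate serials.

```python
"""Keygen for the serial scheme described in the thread (added example).

Assumptions, none of which are confirmed by the page:
  * every operation wraps at 32 bits, as eax does on x86
  * names are ASCII and the loop walks one byte at a time
  * ebx is overwritten each iteration (the loop body is not shown),
    so the final serial is the transform of the last character
"""

MASK32 = 0xFFFFFFFF

# Constants quoted in the post, in the order the post applies them.
XOR_IN = 0x00031337
ADD_K = 0xDEADBEEF
MUL_K = 0x00000666
SUB_K = 0x1BADBAB3
SHL_N = 3
XOR_OUT = 0xD34DD00D

MIN_NAME_LEN = 3  # cmp eax, 3 / jl 0040117D: shorter names never reach the loop


def transform(value: int) -> int:
    """One pass of the post's arithmetic over a single character value."""
    v = value & MASK32
    v ^= XOR_IN                    # xor eax, 00031337
    v = (v + ADD_K) & MASK32       # add eax, DEADBEEF
    v = (v * MUL_K) & MASK32       # imul by 00000666, low 32 bits kept
    v = (v - SUB_K) & MASK32       # sub eax, 1BADBAB3
    v = (v << SHL_N) & MASK32      # shl eax, 3
    v ^= XOR_OUT                   # xor eax, D34DD00D
    return v


def keygen(name: str) -> int:
    """Emulate the loop: ecx counts characters, edx holds the length."""
    data = name.encode("ascii")
    if len(data) < MIN_NAME_LEN:
        raise ValueError(f"name must be at least {MIN_NAME_LEN} characters")
    ebx = 0
    for ch in data:
        ebx = transform(ch)  # assumption: overwritten, not accumulated
    return ebx


def check_serial(name: str, serial: int) -> bool:
    """The offline check the target performs: same math, compared locally."""
    try:
        return keygen(name) == (serial & MASK32)
    except (ValueError, UnicodeEncodeError):
        return False


if __name__ == "__main__":
    import sys

    user = sys.argv[1] if len(sys.argv) > 1 else "Troopa"
    print(f"{user}: {keygen(user):08X}")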

  4. #4


    Well, actually, this is pertinent to security because of the way things are supposedly secure in the protection routine; by people studying and reversing things like this, software companies will have to make more secure, harder, etc. algorithms. Second of all, cracking is nothing bad... it has nothing to do with using Sub7 like you might be used to using... Reverse-engineering is an art, as some professional reversers would say... 0mega, as Troopa said, this has nothing to do with hacking or warez... can't you read? It's not that hard to understand, really. That's all...

  5. #5


    Speaking as a software developer...


    Troopa is indeed walking a VERY fine line here, as no matter what the rationale we ARE talking about circumventing software protection systems. In the U.S. it could be construed as a violation of the DMCA just to discuss this subject.

    That said...

    Troopa's information would be invaluable to a developer seeking to harden his or her work against casual cracking. Of course there's really no such thing as truly uncrackable, but if you have an idea HOW cracks are made you can take steps to make it harder TO make one for a given application.


    Developers are not taking nearly as many steps to protect their goods against being cracked as they should, and as a result end up having to raise their license prices to compensate for the loss. Learning how to break your own apps from a cracker is the best thing you can possibly do as a developer.

    I've sat at the virtual feet of many a cracker in my day - before starting a software company of my own I was an op in several major warez channels on IRC, so I had access to EVERYTHING I could ever want - and it's helped me tremendously ever since with my own coding projects. Of my last three software releases, one took ten months to crack and the other two remain uncracked since 2001, all because I had learned a cracker's mentality when it came to security and approached protection with the mindset of "how would I best attack this." If more developers were to do so we'd provide a challenge worthy of the genuine code poets in the cracking universe AND keep our products from being so heavily bootlegged by the myriads of amateurs.


    So, FWIW, if Troopa is willing to disclose the methods behind the madness I for one am grateful. There's a lot to learn from your own weaknesses.

