#1
[ARMADILLO] 1 serial & 1 key - need input
I have successfully unpacked TheaterTek 2.06 which was packed with Armadillo.
The activation process is as follows: a window pops open asking for the 1st serial#. In this box the Cancel button is active.... however the OK button is ghosted out. If you enter a valid serial# the OK button will become active. There is a check for a valid serial# within this routine as it is running waiting for input. I am trying to reverse this to help generate a valid serial# and then generate a valid key to make a keygen (might change my mind if I can make a simple crack).

I can bypass this window and make the program think it has a valid serial#. It tests EAX,EAX. If EAX=1 it's good. This routine is called about 6 times within the program (search all commands w/Olly). I modified the routine to output EAX=1 every time. The program will now bypass the serial window and continue on. You can then see that it generates a unique number based on your system (Armadillo crap).

The 2nd step of the activation is that you get a 9 (I believe... xxxx-xxxx) code which is used to create/check against a new key you enter. The key is in the format: xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx. The OK box is RED, meaning you have to enter a valid code. Once you enter a valid code, it will turn GREEN.

There are other checks inside the program. Because the program is dumped, the armaccess.dll functions are not there. There are at least 3 routines I can see.... VerifyKey, InstallKey, and UpdateEnvironment. Every time these routines are called they will exit with AL=0, while the program looks for AL=1. I can modify the routine but it's still not enough. I can get the program to run and play a DVD. However there is another problem. There is no audio for DVD playback. If a valid key is installed it will play the audio. The serial is not important for this function. There is another check somewhere, or it isn't a check, just a side effect of dumping the program. This is why I am looking into a keygen.

I have a valid one for reference but don't want to add it in the code so that it is blacklisted. If anyone has any input as to how I can get inside the routines (inside the windows checking in real time if they are valid or not). I'm stuck on PeekMessage. I found the loop.... I was hoping to set a bp so that when a key was entered it would break. But can't find it "yet". Please help. -Malt
#2
Well I found the solution to the 1st serial #. The Serial window actually uses the same routine that checks the serial# if it is from the registry.
Serial must be 17 chars (11h). If it is 17 chars then start check @ 44F70C:

0044F70C MOV DL,BYTE PTR DS:[ESI+D]
0044F70F MOV AL,BYTE PTR DS:[ESI+10]
0044F712 MOV EDI,DWORD PTR DS:[<&msvcrt.atol>] ; msvcrt.atol
0044F718 LEA ECX,DWORD PTR SS:[ESP+14]
0044F71C PUSH ECX
0044F71D MOV BYTE PTR SS:[ESP+18],DL
0044F721 MOV BYTE PTR SS:[ESP+19],AL
0044F725 MOV BYTE PTR SS:[ESP+1A],0
0044F72A CALL EDI
0044F72C MOV DL,BYTE PTR DS:[ESI+8]
0044F72F MOV CL,BYTE PTR DS:[ESI+A]
0044F732 MOV BYTE PTR SS:[ESP+18],DL
0044F736 MOV DL,BYTE PTR DS:[ESI+B]
0044F739 MOV DWORD PTR SS:[ESP+10],EAX
0044F73D MOV AL,BYTE PTR DS:[ESI+F]
0044F740 MOV BYTE PTR SS:[ESP+1B],DL
0044F744 MOV BYTE PTR SS:[ESP+19],AL
0044F748 MOV AL,BYTE PTR DS:[ESI+5]
0044F74B MOV BYTE PTR SS:[ESP+1A],CL
0044F74F MOV CL,BYTE PTR DS:[ESI+6]
0044F752 LEA EDX,DWORD PTR SS:[ESP+18]
0044F756 PUSH EDX
0044F757 MOV BYTE PTR SS:[ESP+20],AL
0044F75B MOV BYTE PTR SS:[ESP+21],CL
0044F75F MOV BYTE PTR SS:[ESP+22],0
0044F764 CALL EDI
0044F766 ADD ESP,8
0044F769 XOR ECX,ECX
0044F76B MOV EAX,ESI
0044F76D MOV EDX,0D
J1:
0044F772 MOVSX EDI,BYTE PTR DS:[EAX]
0044F775 ADD ECX,EDI
0044F777 INC EAX
0044F778 DEC EDX
0044F779 JNZ SHORT 0044F772 (J1)
0044F77B MOVSX EAX,BYTE PTR DS:[ESI+E]
0044F77F MOVSX EDX,BYTE PTR DS:[ESI+F]
0044F783 ADD EDX,EAX
0044F785 ADD EDX,ECX
0044F787 MOVSX ECX,BYTE PTR DS:[ESI+7]
0044F78B SHL EDX,3
0044F78E OR EDX,ECX
0044F790 MOVSX ECX,BYTE PTR DS:[ESI+6]
0044F794 IMUL EDX,ECX
0044F797 OR EDX,EAX
0044F799 MOVSX EAX,BYTE PTR DS:[ESI+5]
0044F79D SUB EDX,EAX
0044F79F MOV DWORD PTR SS:[ESP+10],EDX
0044F7A3 FILD DWORD PTR SS:[ESP+10]
0044F7A7 FLD QWORD PTR DS:[489620]
0044F7AD CALL <JMP.&msvcrt._CIfmod>
0044F7B2 FILD DWORD PTR SS:[ESP+C]
0044F7B6 FCOMPP
0044F7B8 FSTSW AX
0044F7BA TEST AH,40
0044F7BD JNZ SHORT 0044F7CD (J2) .... TAKE THIS JUMP IF VALID SERIAL
0044F7BF POP EDI
0044F7C0 POP ESI
0044F7C1 XOR EAX,EAX
0044F7C3 POP EBP
0044F7C4 ADD ESP,108
0044F7CA RETN 4
J2:
0044F7CD POP EDI
0044F7CE POP ESI
0044F7CF MOV EAX,1 ....... must be 1 = valid serial
0044F7D4 POP EBP
0044F7D5 ADD ESP,108
0044F7DB RETN 4

Now onto the key window.... Program is actually written in VB.... go figure. Still need some ideas. Thanks
#3
The serial check looks straightforward. First the serial is rearranged and parts are changed into integers. Next a hash is made of the rearranged serial. Then a division with a magic number at 489620 is performed and the result determines if the serial is valid.
Since you have a valid serial, you can use a debugger to step through the code and see the results of each instruction. Then use a bad serial to see how the results differ. From the two different results you should be able to see how to reverse the procedure and create a keygen.