Exetools  

  #1  
Old 02-17-2005, 11:28
Maltese
[ARMADILLO] 1 serial & 1 key - need input

I have successfully unpacked TheaterTek 2.06 which was packed with Armadillo.

The activation process is as follows:

A Window pops open asking for the 1st serial#. In this box the cancel button is active.... however the OK button is ghosted out. If you enter in a valid serial# the OK button will become active. There is a check for a valid serial# within this routine as it is running waiting for input.

I am trying to reverse this to help generate a valid serial# and then generate a valid key to make a keygen. (might change my mind if I can make a simple crack).

I can bypass this window and make the program think it has a valid serial #. It tests EAX,EAX. If EAX=1 it's good. This routine is called about 6 times within the program (search all commands w/Olly). I modified the routine to output EAX=1 every time.

The program will now bypass the serial window and continue on.

You can then see that it generates a unique number based on your system (Armadillo crap).

The 2nd step of the activation is that you get a 9-character (I believe... xxxx-xxxx) code which is used to create/check against a new key you enter in. The key is in the format: xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx. The OK box is RED, meaning you have to enter in a valid code. Once you enter in a valid code, it will turn GREEN.

There are other checks inside the program. Because the program is dumped, the armaccess.dll functions are not there. There are at least 3 routines I can see.... VerifyKey, InstallKey, and UpdateEnvironment. Every time these routines are called they will exit with AL=0, whereas the program looks for AL=1. I can modify the routine but it's still not enough.

I can get the program to run and play a DVD. However there is another problem. There is no audio for DVD playback. If a valid key is installed it will play the audio. The serial is not important for this function. There is another check somewhere, or it isn't a check, just a side effect of dumping the program.

This is why I am looking into a keygen. I have a valid one for reference but don't want to add it to the code in case it gets blacklisted.

I'm looking for any input as to how I can get inside the routines (inside the windows, checking in real time whether they are valid or not). I'm stuck on PeekMessage. I found the loop.... I was hoping to set a bp so that when a key was entered it would break. But I can't find it "yet".

Please help.

-Malt
  #2  
Old 02-17-2005, 13:14
Maltese
Well, I found the solution to the 1st serial #. The serial window actually uses the same routine that checks the serial# when it comes from the registry.

The serial must be 17 chars (11h). If it is 17 chars, the check starts @ 44F70C:

0044F70C MOV DL,BYTE PTR DS:[ESI+D]
0044F70F MOV AL,BYTE PTR DS:[ESI+10]
0044F712 MOV EDI,DWORD PTR DS:[<&msvcrt.atol>] ; msvcrt.atol
0044F718 LEA ECX,DWORD PTR SS:[ESP+14]
0044F71C PUSH ECX
0044F71D MOV BYTE PTR SS:[ESP+18],DL
0044F721 MOV BYTE PTR SS:[ESP+19],AL
0044F725 MOV BYTE PTR SS:[ESP+1A],0
0044F72A CALL EDI
0044F72C MOV DL,BYTE PTR DS:[ESI+8]
0044F72F MOV CL,BYTE PTR DS:[ESI+A]
0044F732 MOV BYTE PTR SS:[ESP+18],DL
0044F736 MOV DL,BYTE PTR DS:[ESI+B]
0044F739 MOV DWORD PTR SS:[ESP+10],EAX
0044F73D MOV AL,BYTE PTR DS:[ESI+F]
0044F740 MOV BYTE PTR SS:[ESP+1B],DL
0044F744 MOV BYTE PTR SS:[ESP+19],AL
0044F748 MOV AL,BYTE PTR DS:[ESI+5]
0044F74B MOV BYTE PTR SS:[ESP+1A],CL
0044F74F MOV CL,BYTE PTR DS:[ESI+6]
0044F752 LEA EDX,DWORD PTR SS:[ESP+18]
0044F756 PUSH EDX
0044F757 MOV BYTE PTR SS:[ESP+20],AL
0044F75B MOV BYTE PTR SS:[ESP+21],CL
0044F75F MOV BYTE PTR SS:[ESP+22],0
0044F764 CALL EDI
0044F766 ADD ESP,8
0044F769 XOR ECX,ECX
0044F76B MOV EAX,ESI
0044F76D MOV EDX,0D
J1:
0044F772 MOVSX EDI,BYTE PTR DS:[EAX]
0044F775 ADD ECX,EDI
0044F777 INC EAX
0044F778 DEC EDX
0044F779 JNZ SHORT 0044F772 (J1)

0044F77B MOVSX EAX,BYTE PTR DS:[ESI+E]
0044F77F MOVSX EDX,BYTE PTR DS:[ESI+F]
0044F783 ADD EDX,EAX
0044F785 ADD EDX,ECX
0044F787 MOVSX ECX,BYTE PTR DS:[ESI+7]
0044F78B SHL EDX,3
0044F78E OR EDX,ECX
0044F790 MOVSX ECX,BYTE PTR DS:[ESI+6]
0044F794 IMUL EDX,ECX
0044F797 OR EDX,EAX
0044F799 MOVSX EAX,BYTE PTR DS:[ESI+5]
0044F79D SUB EDX,EAX
0044F79F MOV DWORD PTR SS:[ESP+10],EDX
0044F7A3 FILD DWORD PTR SS:[ESP+10]
0044F7A7 FLD QWORD PTR DS:[489620]
0044F7AD CALL <JMP.&msvcrt._CIfmod>
0044F7B2 FILD DWORD PTR SS:[ESP+C]
0044F7B6 FCOMPP
0044F7B8 FSTSW AX
0044F7BA TEST AH,40
0044F7BD JNZ SHORT 0044F7CD (J2).... TAKE THIS JUMP IF VALID SERIAL
0044F7BF POP EDI
0044F7C0 POP ESI
0044F7C1 XOR EAX,EAX
0044F7C3 POP EBP
0044F7C4 ADD ESP,108
0044F7CA RETN 4
J2:
0044F7CD POP EDI
0044F7CE POP ESI
0044F7CF MOV EAX,1 ....... must be 1 = valid serial
0044F7D4 POP EBP
0044F7D5 ADD ESP,108
0044F7DB RETN 4

Now onto the key window....

Program is actually written in VB.... go figure.

Still need some ideas.

Thanks
  #3  
Old 02-18-2005, 00:58
jsteed
The serial check looks straightforward. First the serial is rearranged and parts are changed into integers. Next a hash is made of the rearranged serial. Then a division by a magic number at 489620 is performed and the result determines if the serial is valid.

Since you have a valid serial, you can use a debugger to step through the code and see the results of each instruction. Then use a bad serial to see how the results differ.

From the two different results you should be able to see how to reverse the procedure and create a keygen.
Reply With Quote
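The listing in post #2 and jsteed's summary describe a classic checksum-style serial: a small hash over the serial bytes, reduced with fmod by a constant, compared against two decimal digits embedded in the serial itself. The added example below is not code from the thread; it is a Python port of the arithmetic between 0044F769 and 0044F7BD written to make the weakness visible, placed next to an HMAC-based check of the kind a vendor should have used instead. The constant at 489620 is not on the page, so `modulus=97.0` is a placeholder; the serial strings are constructed for illustration. Note that the second atol call (over bytes 8, F, A, B, 5, 6) leaves its result in EAX, which is overwritten by `MOV EAX,ESI` without ever being stored, so the port omits it.

```python
import hmac
import hashlib
import math

SERIAL_LEN = 0x11   # the post states the serial must be 17 chars (11h)

def _s8(b: int) -> int:
    """MOVSX: treat a byte as signed (only matters for bytes >= 0x80)."""
    return b - 0x100 if b > 0x7F else b

def _s32(v: int) -> int:
    """Wrap to a signed 32-bit value, as the EDX arithmetic does."""
    v &= 0xFFFFFFFF
    return v - 0x1_0000_0000 if v & 0x8000_0000 else v

def _atol(s: bytes) -> int:
    """Minimal msvcrt.atol: optional sign, leading decimal digits, else 0."""
    s = s.lstrip()
    sign, i = 1, 0
    if s[:1] in (b"+", b"-"):
        sign, i = (-1 if s[:1] == b"-" else 1), 1
    n = 0
    while i < len(s) and 0x30 <= s[i] <= 0x39:
        n = n * 10 + (s[i] - 0x30)
        i += 1
    return sign * n

def weak_hash(serial: bytes) -> int:
    """Port of 0044F769..0044F79D: the 'hash' jsteed refers to."""
    acc = sum(_s8(serial[i]) for i in range(0x0D))   # J1 loop: bytes 0..0xC
    e, f = _s8(serial[0x0E]), _s8(serial[0x0F])
    edx = f + e + acc                                 # ADD EDX,EAX / ADD EDX,ECX
    edx = _s32(edx << 3)                              # SHL EDX,3
    edx |= _s8(serial[0x07])                          # OR EDX,ECX
    edx = _s32(edx * _s8(serial[0x06]))               # IMUL EDX,ECX
    edx |= e                                          # OR EDX,EAX
    return _s32(edx - _s8(serial[0x05]))              # SUB EDX,EAX

def weak_check(serial: bytes, modulus: float = 97.0) -> bool:
    """Port of the decision at 0044F7A3..0044F7BD (modulus is a placeholder)."""
    if len(serial) != SERIAL_LEN:
        return False
    # First atol call: a two-char buffer built from bytes 0xD and 0x10.
    check = _atol(bytes([serial[0x0D], serial[0x10]]))
    # _CIfmod takes x in ST(1) and y in ST(0): fmod(hash, modulus).
    # FCOMPP / TEST AH,40 tests the C3 (equal) flag, so valid means equal.
    return math.fmod(float(weak_hash(serial)), modulus) == float(check)

# Hardened form: the check value is a keyed MAC over the payload, so the
# binary no longer contains everything needed to compute a valid tag.
TAG_HEX_LEN = 8  # 32-bit tag; long enough that guessing is impractical

def _tag(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()[:TAG_HEX_LEN].upper().encode()

def hardened_issue(payload: bytes, key: bytes) -> bytes:
    """Issuer side (kept off the client): append the MAC tag to the payload."""
    return payload + b"-" + _tag(payload, key)

def hardened_check(serial: bytes, key: bytes) -> bool:
    """Verifier side: recompute the tag and compare in constant time."""
    payload, sep, tag = serial.rpartition(b"-")
    if not sep:
        return False
    return hmac.compare_digest(tag, _tag(payload, key))
```

The weak scheme admits a check value of at most two decimal digits, so the verifier can only ever distinguish a hundred classes of serial, and everything needed to compute the right class sits in the binary. Moving to a MAC fixes the "compute it yourself" problem only if the key stays off the client; for an offline check the vendor should instead verify a digital signature (for example Ed25519), so that the binary ships only a public key and patching the comparison remains the sole attack, which is what server-side activation and integrity checks are meant to catch.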