2Likes
LinkBack URL
About LinkBacks
HOW TO: Extract a working serial out of an App
Most of us download Application releases on a regular basis, but yet some of us fail to realize some of the hard work that went into making these. (ya know, the work that went into patching it BEFORE it even hit toplevels and torrent sites.)
the reason im writing this tutorial is to provide some insight as to what happens behind the scenes before we actually get a working release.
what we will be doing here is extracting a "working" serial from an old version of an old application.
i hope that at least some of you will find this intersting as i did the very first time i learned how it worked.
TOOLS USED
-----------
OllyDbg 1.09d or 1.10
Target
------
Power Archiver 9.26
go to oldversion.com and grab version 9.26
shall we begin?
1. Install PowerArchiver.
the firt time you run it a dialog box should come up saying this is an evaluation version, please register or something along those lines.
you should have a choice of options, either clicking I agree or to use it as an evaluation version or to enter the registeration information that you recieved when you purchased it.
we are going to choose "Enter Registraion Code".
click it and enter any name you want and any serial into it.
for the purpose of illustration I will use supertorrz for the name and 12345678 for the registration code.
click OK and you should recieve an error saying "Incorrect registration information"
so write that error down. it is not neccessary to write the whole thing just "Incorrect registration information" will be fine.
2. Close powerarchiver all the way and Open up OllyDbg. Go to File-->Open and find
POWERARC.EXE and open it.
you should now be looking at a screen similar to mine. (dont worry if it doesnt look exactly the same cause it proabbly wont due to the custom colors and highlights i have setup on mine) (Example below)
ive labeled "in red" the names of the various windows for your convience.
now what your going to do is Right Click in the Code Window (See example above) and click Search For-->All Referenced Text Strings.
in the next window that pops up scroll all the way to the top and left click (highlight) the first line. now right click anywhere in that window and click "Search for text", also Uncheck the Case Sensitve box. now in the search box type "incorrect registration information" and hit enter or ok.
After you hit ok you should see the line highlighted that says [UNICODE "Incorrect registration information.\rPlease try entering the code you have recieved]....etc"
press enter again with that line highlighted and you should end up with this next screen below..
ok now scroll up a bit in the code window approx 38 lines up, not too far till you find the following..
now the addresses you see will be different than mine but the push,mov EDX, mov EAX will be the same.Code:006519BD > \55 push ebp 006519BE . 8B55 F4 mov edx,dword ptr ss:[ebp-C] 006519C1 . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
compare the picture below to the code above to get a better understanding.
ok so highlight this line
now press F2 to set a breakpoint.Code:006519C1 . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
what this did was it told the debugger to stop running and pause at the line of code you selected.
k now press F9 to run the program. (If any exceptions occur press Shift+F9 until the program pops up and runs). be aware that powerarchver may not popup in front of everything, it may be behind the olly window, just click in the start bar to make it popup cause its probably minimized.now be sure to keep OllyDbg open and go to PowerArchiver and click "Enter Registration Code" and enter any name for the username, ill be using supertorrz, just be sure to remember whatever name you type in.
enter 123456 as the registration code and click OK.
Olly should immeditly pop up, if it didnt then you did something wrong :( [most likely didnt set the break point]....
but anyhow if it popped up, congrats things are moving along smoothly.
now take a look in the Registers window in Olly and you will see that the Register EDX contains the serial we entered "123456". so what we are going to do is set a breakpoint on it so when the program goes to access it to compare it to the real serial it will break and there in plain text we will see the REAL serial to which it is being compared to.
So then all we have to do is write that number down close olly and reopen the program normally and enter the same name and then the REAL serial that we just Extracted.
k so now...
what you are going to do is higlight the EDX register by left clicking it in the REGISTERS window.
Then Right click what you just highlighted and click "Follow In Dump". Now take a look at the Hex Dump Window.
You should see you User-entered serial. in our case "12345678" or in hex "31 32 33 34 35 36 37 38". So what you need to do is highlight the first 4 bytes of our user entered serial in our hex dump window.
These bytes being "31 32 33 34" then right-click the highlighted bytes and click Breakpoint----->Hardware, On Access,------->DWORD. Now what that did was tell Olly to break when it accesses our serial again.
The next time this serial will be accessesd is then it is compared to the REAL serial generated by PowerArchiver. That being said we will see what the REAL serial for our user-entered name will be. (SEE FIGURE BELOW)
Okay.... do now you have your breakpoint set. now all you have to do is press F9 and olly should then again break. and what do we have in our register window....well we have our user-entered serial in ESI which is "12345678" and whats that right below it???....it looks like its the REAL serial that the program is checking OUR serial against. it is stored in EDI which contains "3CA0521A".... write this number down. yours will probably be different especially if you used a different name than supertorrz.
Have that written down..??? GOOD. now exit Olly and open PowerArchiver by itself..no Olly
this time. now click Enter Registration Code and enter the name that you used when u fished
out a serial. and use the serial that we fished out for the registration code. and click OK....YES!!! REGISTRATION ACCEPTED....congratulations you now successfully broke through PowerArchiver's protection scheme.
Disclaimer
This article/post is for educational purposes only. neither supertorrz nor TorrentInvites or their ISP's cannot be held responsible if you use any of the information or programs on this site for illegal reversing purposes or if using programs or techniques provided on this site cause any damage whatsoever. The usage of this information constitutes the acceptance and understanding of these terms and conditions!
Reply With Quote
Originally Posted by staffrodore
