ARJShell 1.3 - Tutorial (by flag eRRatum)

Target : ARJShell 1.3
Download : Shareware-Version available from several Forums of CompuServe Inc. i.e. GO WINSHARE.
Size : Less than 500k.

Description

ARJShell is a program which makes it easy to archive files with the MS-DOS Compression-Utility ARJ. Instead of typing in the command and options of ARJ at the DOS-Prompt, you can activate an ARJ-option by marking a checkbox or selecting a radio-button (very useful). This software is useful for those who love ARJ, but its expensive at 20$. I think more and more programmers nowadays are getting greedy.

First thing to do, run ARJShell, Click on Preferences, click on Register, then fill it with bogus details, i.e. UserName : CRACKZ , User-ID : 123454323 , put a bpx on hmemcpy, click on OK, kick to SoftICE, press F5 once, to let the program read your User-ID, and F12 until you reach this code.

:00438044 MOV EAX,[EBP-08] <-- UserName.
:00438047 POP EDX <-- Fake User-ID.
:00438048 CALL 0043C6DC <-- Check User-ID.
:0043804D MOV EDX,[0043EAF8]
:00438053 MOV [EDX],AL
:00438055 MOV EAX,[0043EAF8]
:0043805A CMP BYTE PTR [EAX],00 <-- Check if OK.
:0043805D JZ 004380E5 <-- Yes, then jump good, else.....
:00438063 LEA EDX,[EBP-04]
:004380A4 CALL 0043354C
:004380A9 MOV EAX,[0043EBB8]
:004380AE MOV EDX,00438194 <-- Invalid Code.
:004380B3 CALL 00406E4C
:004380B8 PUSH 40
:004380BA CALL USER32!MessageBeep <-- Show mean dialog.

Let's trace into the call.

:0043C70C XOR EBX,EBX <-- Clear EBX.
:0043C70E LEA ECX,[EBP-0C]
:0043C711 MOV EDX,[EBP-04] <-- UserName.
:0043C714 MOV EAX,221D1758 <-- Magic value (used later).
:0043C719 CALL 004338B4 <-- Create Real User-ID from UserName.
:0043C71E MOV EDX,[EBP-0C] <-- REAL User-ID.
:0043C721 MOV EAX,[EBP-08] <-- Fake User-ID.
:0043C724 CALL 00403B84 <-- Compare.
:0043C729 JNZ 0043C72D <-- Jump bad.
:0043C72B MOV BL,01 <-- Move good flag.
:0043C72D XOR EAX,EAX
:0043C747 RET

Well, until now you could already fetch the REAL User-ID, but it's no fun for such a greedy programmer like him :) , Let's destroy the whole story ! Trace into the call (F8) :

:004338DB XOR ESI,ESI <-- Clear ESI.
:004338DD MOV EAX,[EBP-08] <-- UserName.
:004338E0 CALL 00403A74 <-- Get Length (Length()).
:004338E5 MOV EBX,EAX <-- Store in EBX.
:004338E7 TEST EBX,EBX <-- Was length = 0 ?.
:004338E9 JLE 00433901 <-- Beggar off if yes.
:004338EB MOV EAX,00000001 <-- Counter.
:004338F0 MOV EDX,[EBP-08] <-- UserName.
:004338F3 MOVZX EDX,BYTE PTR [EAX+EDX-01] <-- Get byte from UserName.
:004338F8 IMUL EDX,EAX <-- Multiply it with counter.
:004338FB ADD ESI,EDX <-- Collect in ESI.
:004338FD INC EAX <-- Increase counter.
:004338FE DEC EBX <-- Decrease length.
:004338FF JNZ 00338F0 <-- Name done yet ?.
:00433901 IMUL EAX,ESI,01BAAFFE <-- EAX=ESI * 01BAAFFE.
:00433907 CDQ <-- EDX = -1 if EAX is negative, otherwise 0.
:00433908 XOR EAX,EDX <-- XOR it With EDX.
:0043390A SUB EAX,EDX
:0043390C MOV ESI,EAX

From 433907 until 43390C the function of the code is to return the absolute integer value, this means if you have -5, it will become 5, this is similar to the abs() function in Pascal and C.

:0043390E CMP ESI,77359400
:00433914 JL 0043391C
:00433916 SUB ESI,77359400
:0043391C CMP ESI,3B9ACA00
:00433922 JL 0043392A
:00433924 SUB ESI,3B9ACA00
:0043392A XOR ESI,[EBP-04] <-- EBP-4 = pointer to our magic number.
:0043392D CMP ESI,77359400
:00433933 JL 0043393B
:00433935 SUB ESI,77359400
:0043393B CMP ESI,3B9ACA00
:00433941 JL 00433949
:00433943 SUB ESI,3B9ACA00

The above code is just another stupid routine in the User-ID generating function.

:0043394B MOV EAX,ESI <-- Store result in EAX.
:0043394D CALL 00406960 <-- Integer to String Conversion.
:00433952 MOV EAX,[EDI] <-- Result in EAX.
:00433954 CALL 00403A74 <-- Length of "not finished yet" UserID.
:00433959 MOV EBX,EAX <-- in EBX.
:0043395B SUB EBX,08 <-- Subtract 8.
:0043395E JG 00433972 <-- Jump if greater than 0.
:00433960 DEC EBX
:00433961 MOV ECX,[EDI]
:00433963 MOV EAX,EDI
:00433965 MOV EDX,004339A0 <-- String "0".
:0043396A CALL 00403AC0 <-- Add 0 in front of the UserID.
:0043396F INC EBX
:00433970 JNZ 0433961

So, the code from 433952-433970 is checking whether the length of your UserID has reached 8 yet, if not it keeps adding 0 in front of it. Well it should be easy to understand now, or at least a newbie could learn something new from it.


Key Generators Return to Main Index


© 1998, 1999, 2000 Hosted by CrackZ. flag eRRatum 23rd March 1999.