| Description | Multiactive ecBuilder Pro v4.0 is a tool to create and manage a professional e-commerce website. Naturally if the powers that be get their way we'll be swamped with these types of programs and these types of sites (no thanks). |
| Protection Type | Serial Number validated using various criteria. |
| Target Name | Multiactive ecBuilder Pro v4.0 (a snip at only £295). |
| Webpage | http://www.ecbuilder.com or December 1999's PC Direct CD-ROM. |

The trend towards e-commerce is of course a relentless one. Every day in the main bourses of the world new "internet" companies start up and have their share prices ramped up beyond all proportion. In fact most of these businesses are loss-making (some don't even make or sell a physical product), yet the mindless capitalist losers continue to throw their ill-gotten millions into these ventures (let us hope the bubble will burst horridly for them - I fear it may be later rather than sooner though).
ecBuilder Pro is an attempt to join the bandwagon. Its protection is a single serial number with validation criteria; don't try to break it from the Wise Installation, it's just not worth the effort :-). You are asked to insert a single * Product Serial Number which will be validated. A quick search through the disassembly listing will find you this very obvious code :-
    :0042DCBC CALL 0040C7FB   <-- Call great protection scheme.
    :0042DCC1 TEST EAX, EAX   <-- Result in EAX.
    :0042DCC3 JZ 0042DCDB     <-- Good serial number jump.
    :0042DCC9 PUSH 52D1       <-- Resource ID of bad message box text.
Too simple by far, take your HEX editor and patch it as you see fit. Yet we are, I suppose, compelled to look at how the program determines validity, and here the program doesn't do a bad job. Using SoftICE you'll probably need to bpr and bpm copies of your fake serial before finding the real action, or you could try a little assumption :-): see how that input box looks as if it should take 14 decimal numbers (search for 0000000E in the disassembly). The insight you'll need here is that the first 5 digits of any valid serial number must be 01951, so fix that before setting a bpx for 40CC32.
    :0040CC32 XOR EDI, EDI                 <-- Character pointer..
    :0040CC6C MOV AL, BYTE PTR [EAX+EDI]   <-- Pointer to serial number.
    :0040CC6E CMP AL, 30h                  <-- Is it below '0'.
    :0040CC71 JL 0040CC7C                  <-- Ignore.
    :0040CC73 CMP AL, 39h                  <-- Is it above '9'.
    :0040CC75 JG 0040CC7C                  <-- Ignore.
    :0040CC83 SUB AL, 30h                  <-- Sub away 30h.
This is quite an interesting little loop here :-
1st stage :- End digit of serial number set to 30h ('0'), so 01951123456789 becomes 01951123456780.
2nd stage :- Serial number is reversed to become 08765432115910.
3rd stage :- Ignore letters or in the case of numbers write back -30h i.e. 00 08 07 06 05 04 03 02 01 01 05 09 01 00.
I first thought the loop above just threw out letters; it seems, however, that the program settles for ignoring them, whereas numbers will be stripped of 30h and copied back to memory. The loop from 40CCA0 to 40CCB3 sums up the odd positions in the serial number and stores the result in ESI (using the example above this result is 16h). The next loop from 40CCB3 to 40CCD1 takes each digit in the even positions, adds 6, multiplies by 2 and adds 2, then subtracts 6h from that result until it is less than or equal to 6 in value; this is then added to the running total in ESI (30h).
ESI is divided by 0Ah, with the remainder then being subtracted from 0Ah; in this instance the result is 2h. This is divided again by 0Ah, again taking the remainder, which is added to 30h to give 32h. That value is checked against the last digit of the serial number, which was set to '0' at the very start of this scheme. All you need to do therefore is fix the last digit checksum to '2' and our serial number will be valid, so '01951123456782' is accepted.
I was intending to convert this into a key generator; you probably could quite easily (there isn't that much point): just prompt the user for his favourite 8 digit key, prefix with 01951 (reverse it) and then calculate the good checksum. I said earlier that I thought letters would be rejected by the scheme and I have just proved this is so, although the code above appears only to ignore them.