MemoryAnalyst v1.01 / TimeWizard 2.0 - Tutorial - Webpage (165k & 2.14Mb).

Another day and another tutorial. I found this small application at the same site as TimeWizard 95 and thought I'd analyse its serial # mechanism to see whether the authors were lazy. In fact, there are remarkable similarities between the 2 algorithms, although this one is a little weaker in calculation but stronger in its location. Let's take a look: try the register option, insert some details into the dialog boxes and set some SoftICE breakpoints (>bpx GetWindowTextA does it for me), then step a little to this code:

:00401BD9 PUSH 0043B298 <-- Pushes MA to stack.
:00401BDE LEA ECX,[EBP-08]
:00401BE1 CALL 0041AAC3 <-- Junk.
:00401BE6 XOR ECX,ECX <-- Clean up ECX.
:00401BE8 MOV EAX,[ESI+5C] <-- Name entered.
:00401BEB MOV BYTE PTR [EBP-04],01
:00401BEF MOV EDX,[EAX-08] <-- Length of name in EDX.
:00401BF2 CMP ECX,EDX <-- Compare counter (ECX) with length of name.
:00401BF4 JGE 00401BFF <-- Exit loop. Jump when ECX = the name length.
:00401BF6 MOVSX EBX,BYTE PTR [ECX+EAX] <-- Load current letter of name in EBX.
:00401BFA ADD EDI,EBX <-- Add it to the running sum in EDI.
:00401BFC INC ECX <-- Increment ECX to next letter.
:00401BFD JMP 00401BF2 <-- Repeat_loop.

So the first part of this code adds together all of the name's ASCII characters and places the result in EDI. CrackZ = 574. Then we proceed to multiply that value by 3 and that forms the numeric part of the code.

:00401BFF LEA EDI,[EDI*2+EDI] <-- EDI = 3 x 574 = 1722.
:00401C38 CALL 0041AD2B <-- Add MA prefix and create good serial #.
:00401C3D MOV EAX,[EBP-14] <-- Serial # entered in EAX.
:00401C40 MOV ECX,[EBP-18] <-- Good serial # in ECX.
:00401C43 PUSH EAX
:00401C44 PUSH ECX <-- Save them to the stack.
:00401C45 CALL 00407920 <-- Compare them.
:00401C4A ADD ESP,08 <-- Stack tidy.
:00401C4D TEST EAX,EAX <-- Test EAX=0.
:00401C4F JZ 00401C9F <-- Jump_nice_buyer.

So, all this program actually does is add together the ASCII values of the name, multiply by 3 and then prefix that value with MA (Memory Analyst maybe). Creating a key generator for this application should be pretty simple.

TimeWizard is the other program at this site; again, the serial # key generation routine is not an overly complex affair :-).

So, a quick look at the disassembler: you should see that bad numbers finish at 004059B2. So let's launch the program. In the Help Menu, select Register Now and input some details in the boxes; here I use CrackZ & 12121212. You should find that GetWindowTextA serves well as a breakpoint.

In SoftICE you shouldn't have to trace very far until you hit this code.

:0040593B MOV ECX,[ESI+5C] <-- Place name in ECX.
:0040593E XOR EAX,EAX <-- EAX=0.
:00405940 MOV [EBP-04],EBX
:00405943 MOV EDX,[ECX-08] <-- Move length of name into EDX.
:00405946 CMP EDX,EAX <-- Compare name length with counter (EAX, 0 at the start).
:00405948 JLE 00405953 <-- Jump only if we've reached the end of the name.
:0040594A MOVSX EDI, BYTE PTR [ECX+EAX] <-- Load value of the current name character into EDI.
:0040594E ADD EBX,EDI <-- Add it to EBX (which was 0 at the start).
:00405950 INC EAX <-- Move to next letter.
:00405951 JMP 00405946 <-- Loop till end of name reached i.e. JLE 00405953 jumps.

So here's what happens with my example name, CrackZ: we get each of the letters' ASCII values and sum them into EBX before the JLE jumps.

CrackZ = 43h + 72h + 61h + 63h + 6Bh + 5Ah = 574 (decimal).

The next significant lines of code are as follows:

:00405953 LEA EDI,[EBX*8+00000000] <-- EDI holds 574 * 8 = 4592.
:0040595D SUB EDI,EBX <-- 4592 - 574 = 4018.
:00405964 ADD EDI,05 <-- Add 5 decimal = 4023 (numeric part of code).

Several functions are then called, and if you trace them you can find that one of them is responsible for adding the prefix TW2 to the value calculated above, then we reach this:

:0040599A MOV EAX,[ESI+60] <-- Serial # entered in EAX.
:0040599D MOV ECX,[EBP-14] <-- Good code.
:004059A0 PUSH EAX
:004059A1 PUSH ECX <-- Push EAX/ECX to stack.
:004059A2 CALL 004039B0 <-- Compare good code with entered code.
:004059A7 ADD ESP,08 <-- Tidy stack.
:004059AA TEST EAX,EAX <-- Test EAX=0.
:004059AC JZ 004059F3 <-- Jump_good_buyer.

So all this protection actually does is sum up the values of the name, multiply that value by 8, then subtract the original value and add 5 decimal (equivalent to multiplying by 7 and adding 5). You'll find that the good code is written out to the registry (HKEY_USERS\.Default\Software\EPSOFT\TimeWizard\USER). I have taken the decision to remove the registration information that was here after a request by the program author, if you use his software don't be a lamer, pay him the modest registration fee.
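Both checks above build the good code inside the program and compare it with the one entered, so the expected value is sitting in a register at the compare. As an added example (not from the original page or from either program), here is the verify-only alternative, where the client holds just a public key and checks a vendor signature over the name. The key is a constructed toy built from two Mersenne primes and every function name is hypothetical; a real product would use a vetted signature library with full-size keys.

```python
import hashlib

# Constructed toy key (assumption): two known Mersenne primes. The size only
# keeps the demo readable; it is far too small for a real product.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                # public half: the only key data in the client
D = pow(E, -1, (P - 1) * (Q - 1))  # private half: stays on the vendor's machine


def _digest(name: str) -> int:
    """Hash the name to an integer below N (order-sensitive, unlike a byte sum)."""
    h = hashlib.sha256(b"license-v1|" + name.encode("utf-8")).digest()
    return int.from_bytes(h, "big") % N


def vendor_issue(name: str) -> str:
    """Vendor side only: sign the name digest with the private exponent."""
    return format(pow(_digest(name), D, N), "x")


def client_verify(name: str, code: str) -> bool:
    """Client side: check the entered code using public values only."""
    try:
        sig = int(code, 16)
    except ValueError:
        return False               # not a hex string at all
    if not 0 < sig < N:
        return False               # outside the valid signature range
    # The client never derives the good code; it can only test a candidate.
    return pow(sig, E, N) == _digest(name)


if __name__ == "__main__":
    code = vendor_issue("CrackZ")
    print(client_verify("CrackZ", code))   # code issued for this name
    print(client_verify("ZkcarC", code))   # same letters, different order
```

Tracing client_verify in a debugger shows only the digest and the public exponent, so there is no good code in memory to read off at the compare.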


© 1998, 1999, 2000 CrackZ. 12th May 1998.