- Webpage (swolf306.exe - (867k)).
Greetings dear readers. Once again I'm back with another tutorial for this particularly useful program (especially if you run a website like I do). You should know the drill by now: start up SubmitWolf Pro (you'll probably need to create a new project before you can select Help/Register), enter some details in the dialog boxes and trace using SoftICE to the following code. I recommend >bpx Hmemcpy and 8-9 F12's.
:004071A8 LEA EAX,[EBP-100] <-- Name.
:004071AE PUSH EAX <-- Serial and name now pushed for next function.
:004071AF CALL 0040FF0A <-- Check code.
:004071B5 TEST EAX,EAX <-- Test EAX=0.
:004071B8 JNZ 004071A3 <-- Jump_good_code.
Prior to reaching this you probably traced twice over CALL 00401222, which acts as an elementary length checker. Merely reversing the obvious JNZ will not permanently register the program, so you'll need to trace the function CALL 0040FF0A; here are some of the key code highlights before we construct a key generator.
:0040FF29 CMP [EAX],50 <-- Compare first character of code with P.
:0040FF2C JNZ 0040FF40 <-- Jump_away_bad_code.
:0040FF2E CMP [EAX+01],57 <-- Compare 2nd character with W.
:0040FF32 JNZ 0040FF40 <-- Jump_away_bad_code.
:0040FF6C CALL 00413050 <-- Check 4th character was a '-'.
I'll stop here for just a few seconds. The program first checks that the first 2 characters of the code are PW; interestingly, if the first letter is an S then the program decides that the code is for a previous version. CALL 00413050 is very interesting and potentially confusing, but the satisfactory return is for the 4th character to be a '-'. The 3rd character is not checked per se, so a number will suffice; however, it does have a critical bearing on the last 6 digits, which are computed.
Rather than list more code, continue stepping and prepare for a series of loops, all using ESI as a counter. When you perform an analysis such as this I recommend that you trace carefully and make notes (my example user name is CrackZ). I'll give you my rough notes here as an example, or maybe you should devise your own technique.
Part 1 - Inserted password (PW0-; the first 4 characters are known).
P + 3 = 53h loaded in DL.
1st 4 letters of name "Crac" multiplied with 53h (results - B9h, F6h, 73h, 19h).
then, W + 3 = 5Ah loaded in DL, multiplied with results from above (results - 0Ah, 7Ch, 6Eh, CAh).
0 + 3 = 33h loaded in DL and multiplied again (results - FEh, B4h, EAh, 3Eh).
Part 2 - Result now XOR'ed with the complete name.
Each name letter + 3 is then XOR'ed with the results. The first letter uses the results from part 1 to start the loop. After looping over the entire name CrackZ the result is FCh, B6h, E8h, 3Ch.
Transfer into register EAX - 3CE8B6FCh; check whether it is smaller than 9999 dec. If not, load ECX with F423Fh (999999 dec) and IDIV by 10 dec until it is smaller; the decimal value of the result (18F2Ch) is the last 6 digits.
The result is then checked beneath function CALL 00414000. If the code is good, EAX is returned as 0 and the subsequent INC EAX instruction ensures EAX is 1 (the SBB having no effect). The function returns, allowing our good code to proceed because EAX is non-zero, as required. Patching SubmitWolf would probably be a pain because the entire protection routine would need serious re-writing.