http://www.flores.nl - Webpage (trayexpl.zip - (183k)).
Well, this is my first tutorial; I hope you'll enjoy it and learn something from it. The program we are going to reverse engineer is TrayExplorer v1.0 (TrayExplorer.exe) from Flores Software. It's a program like the standard Explorer in Windows, only it's minimized to the tray (very handy). The tools I used: Softice 3.22, W32Dasm, RegMon and Tasm.
So let's start reversing the program. When you start it, it shows you a nagscreen telling you to register, and a Register button appears. Note that the program already shows your username; the only thing you have to do is fill in a registration number. Where does the program get the username? Start RegMon, set the filter to TrayExplorer and start the program. The program reads the name from the registry value RegisteredOwner under the key HKLM\Software\Microsoft\Windows\CurrentVersion.
The program then immediately derives the correct registration key from that username. Now let's fill in a bogus registration number: a messagebox "Wrong registration code entered." appears. So let's make a dead listing in W32Dasm and search for the messagebox text (it is referenced at address 004441E6). From there, trace up the code until we find this:
* Possible StringData Ref from Code Obj ->"Enter your registration code:"
:0044418C MOV EDX, 00444250
:00444191 CALL 004367FC <-- Ask for the registration code.
:00444196 TEST AL,AL <-- Did a code come back from the dialog?
:00444198 JZ 00444208 <-- AL=0: no code entered, so jump past the check to 00444208.
:0044419A MOV EAX,EBX
:0044419C CALL 00443FA8 <-- Trace this call.
So let's fire up Softice, set a breakpoint with bpx cs:0044419C, and when it pops, trace into this call with F8. Examine the following code.
:00443FA8 * Referenced by a CALL at Addresses: :00443F33, :00444018, :0044419C
:00443FCC MOV EAX, DWORD PTR [EBP-04] <-- Pointer to "TrayExplorer" with our username appended.
:00443FCF CALL 00443E9C <-- Do the calculation.
:00443FD4 MOV EBX,EAX <-- Result goes to EBX.
:00443FD6 XOR EAX,EAX <-- Clean up EAX.
Let's now trace into the call at 00443FCF with F8.
:00443EA4 MOV EAX, DWORD PTR [EBP-04] <-- Load "TrayExplorerUsername" into EAX.
:00443EA7 CALL 00403CCC
:00443EAC XOR EAX,EAX <-- EAX=0.
:00443EBA MOV EAX, DWORD PTR [EBP-04] <-- Load "TrayExplorerUsername" into EAX again.
:00443EBD CALL 00443E2C <-- The real work: sum the characters (see below).
:00443EC2 ADD EAX, 0002E75A <-- The call returns the sum in EAX; add 2E75A to it.
:00443EC7 LEA EAX, DWORD PTR [EAX+8*EAX] <-- Multiply EAX by 9.
:00443ECA SUB EAX, 000D9CBB <-- Subtract D9CBB from EAX.
:00443ECF MOV EBX,EAX <-- Save the result, our serial, in EBX.
The call at 00443EBD sums the ASCII values of every character of "TrayExplorer" followed by the username and returns the sum in EAX; after the three arithmetic steps above, EBX holds the calculated serial. For the username CrackZ the string and its byte values are:
T  r  a  y  E  x  p  l  o  r  e  r  C  r  a  c  k  Z
54 72 61 79 45 78 70 6C 6F 72 65 72 43 72 61 63 6B 5A
The sum of these 18 bytes is 72F hex. Add 2E75A, multiply by 9 and subtract D9CBB, et voila: EAX = CC616 hex (837142 decimal), the serial for this name.
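A keygen for the scheme traced above, written here as an added example (it is not code from the tutorial or from Flores Software). It mirrors the instruction sequence at 00443EBD..00443ECA register by register, so each intermediate value can be compared with what Softice shows while single-stepping. The registry lookup uses the key and value name the RegMon trace reported; it also tries the "Windows NT\CurrentVersion" key, which is where NT-based Windows keeps RegisteredOwner, and returns None when not on Windows. The tutorial does not say whether the dialog expects the number in decimal or hex, so the script prints both; the ANSI (cp1252) encoding of the name is an assumption.

```python
"""Keygen for TrayExplorer v1.0 as traced in the tutorial above.

Added example, not the tutorial's or Flores Software's code.  Constants
and operation order come from the disassembly at 00443EC2..00443ECA,
the prefix string from the comment at 00443FCC.
"""
import sys

PREFIX = "TrayExplorer"   # prepended to the username before hashing (00443FCC)
ADD_CONST = 0x2E75A       # ADD EAX, 0002E75A  (00443EC2)
SUB_CONST = 0xD9CBB       # SUB EAX, 000D9CBB  (00443ECA)
MASK32 = 0xFFFFFFFF       # EAX is a 32-bit register, so arithmetic wraps


def char_sum(data: bytes) -> int:
    """What the call at 00443EBD does: sum the byte values of the string."""
    return sum(data) & MASK32


def trace_registers(username: str) -> dict:
    """EAX after each instruction of 00443EBD..00443ECA, keyed by address,
    for comparison with a Softice trace of the same username."""
    # Assumption: a Win9x-era program hashes the ANSI bytes of the name.
    data = (PREFIX + username).encode("cp1252")
    eax = char_sum(data)
    regs = {"00443EBD": eax}
    eax = (eax + ADD_CONST) & MASK32        # ADD EAX, 0002E75A
    regs["00443EC2"] = eax
    eax = (eax + 8 * eax) & MASK32          # LEA EAX, [EAX+8*EAX] = EAX*9
    regs["00443EC7"] = eax
    eax = (eax - SUB_CONST) & MASK32        # SUB EAX, 000D9CBB
    regs["00443ECA"] = eax
    return regs


def calc_serial(username: str) -> int:
    """The value the program saves in EBX at 00443ECF for this username."""
    return trace_registers(username)["00443ECA"]


def registered_owner():
    """Read the username the program reads: the RegisteredOwner value under
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion (the key RegMon showed).
    NT-based Windows keeps the same value under 'Windows NT\\CurrentVersion',
    so both are tried.  Returns None off Windows or if the value is absent."""
    try:
        import winreg
    except ImportError:
        return None
    for subkey in (r"Software\Microsoft\Windows\CurrentVersion",
                   r"Software\Microsoft\Windows NT\CurrentVersion"):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                value, _ = winreg.QueryValueEx(key, "RegisteredOwner")
                return str(value)
        except OSError:
            continue
    return None


if __name__ == "__main__":
    # Username from the command line, else from the registry, else the
    # tutorial's sample name.
    name = sys.argv[1] if len(sys.argv) > 1 else (registered_owner() or "CrackZ")
    for addr, val in trace_registers(name).items():
        print(f"{addr}: EAX = {val:08X}")
    serial = calc_serial(name)
    # The tutorial does not say which base the dialog expects; show both.
    print(f"Serial for '{name}': {serial} (decimal) / {serial:X} (hex)")
```

Run it with the name shown on the nagscreen as the first argument, or with no argument on the machine the program runs on; the per-address lines should match the EAX values you see in Softice after stepping over each instruction, which is the quickest way to confirm the algorithm was read correctly.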