
Thread: Copying keymaker ASM from Win32Dasm

  1. #16
    There is an IDA to OllyDbg converter, but I've never seen anything that'll do the other way around. At least the IDA converter prevents you from accidentally tracing into routines like strcpy etc.

  2. #17
    Naides is Nobody (Join Date: Jan 2002, Location: Planet Earth, Posts: 1,647)
    Originally posted by Fahr
    OK, since this has been called out to be one of the keygenning threads, I guess I'll dump all my questions here (if nobody objects, of course).

    As suggested I fired up IDA Pro and I'm getting the hang of it, except for 2 things;

    1) I can't seem to rename a var that's like this: [ebp+var_4]
    I can rename var_4, I can also rename ebp, but I can't seem to rename the combination of the 2...



    2) Is it just me, or is it impossible to actually DEBUG with IDA Pro? If it is, it's a function I'm missing dearly. It would be so nice to just be able to name the registers while running through them and seeing their vars. This way I have to rebreak in SoftICE every time I want to know a new var. (or maybe I can break out of SoftICE without letting the debugged program resume, if so, please enlighten me)
    IDA 4.5, released this year, includes a live debugger. Previous versions are only disassemblers, so yes, if you need to see the actual contents of variables in real time, you need to have Sice running in the background. I have not seen IDA 4.5 debugger in action, so I cannot comment on its use and quality.




    And last, I am trying to get the hang of that piece of code of QMacro. I am getting through most of it, but I think my ASM knowledge is still too small.
    Could someone please explain to me what this snippet of code does?

    CODE:00403FA4 sub_403FA4 proc near ; CODE XREF: sub_41D144+16 p
    CODE:00403FA4 ; sub_422934+11 p ...

    Notice that the address 00403FA4 does not advance, so what you are seeing are comments added by IDA. This is a subroutine called from 41D144 and 422934, below.

    CODE:00403FA4 test eax, eax ; Eax=0?

    Notice that eax is used as a pointer in 403FA8, so in this step it is checking if the pointer is NULL. If so, we simply return by performing the conditional jump to EndSub at instruction 403FA6.

    CODE:00403FA6 jz short EndSub ; If so, go to end sub
    CODE:00403FA8 mov edx, [eax-8]

    The dword pointed by eax-8 is loaded into edx

    CODE:00403FAB inc edx

    Then incremented


    CODE:00403FAC jle short EndSub

    If the contents of edx was FFFFFFFF and gets incremented, it turns into 00000000, which sets the Zero flag and the carry flag. In such case, the conditional jump at 403FAC happens, meaning we do nothing else and jump to the end of the subroutine.



    CODE:00403FAE lock inc dword ptr [eax-8]

    Now, the increment we did at 403FAB happened to A COPY of the variable pointed to by eax-8, which was temporarily stored in edx. Once we make sure the increment will not wrap around and make it zero, we perform the increment operation on the actual variable.


    CODE:00403FB2
    CODE:00403FB2 EndSub: ; CODE XREF: sub_403FA4+2 j
    CODE:00403FB2 ; sub_403FA4+8 j
    CODE:00403FB2 retn ; Return
    CODE:00403FB2 sub_403FA4 endp

    And we are out of here.

    In this case, EAX contains the username (or offset to, whichever). First it checks if eax = 0 (maybe length?)
    EAX is a pointer.

    , if it's NOT, it does some rather twisted stuff. Starting from the line under 'jz short EndSub', I'm lost...

    It is working on a variable 8 bytes below the position pointed by EAX.

    Review the significance of brackets, which is the assembly way to work with pointers and references



    It goes back 8 chars? And then increases it again? I don't get it

    If I'm being too annoying, please tell me and I'll seek my answers elsewhere.

    Thanks,
    - Fahr

  3. #18
    Fahr (Guest)
    Ok! Thanks for the explanation

    So what it basically does is increase a dword that [eax-8] is the pointer to?

    Or to put it in C:

    DWORD* MyDWORD = NULL;
    *MyDWORD++;

    or am I wrong?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #19
    Fahr (Guest)
    Originally posted by naides
    IDA 4.5, released this year, includes a live debugger. Previous versions are only disassemblers, so yes, if you need to see the actual contents of variables in real time, you need to have Sice running in the background. I have not seen IDA 4.5 debugger in action, so I cannot comment on its use and quality.
    I got IDA 4.5 now, according to help it contains a debugger, but the actual debugger menu is not present

    so much for that idea...

    - Fahr

  5. #20
    That's because, if you've been reading about the copy you found, it is a modified "demo version" and never contained the "debugger" portion of the code.

    Regards.
    JMI

  6. #21
    Naides is Nobody
    Originally posted by Fahr
    Ok! Thanks for the explanation

    So what it basically does is increase a dword that [eax-8] is the pointer to?

    Or to put it in C:

    DWORD* MyDWORD = NULL;
    *MyDWORD++;

    or am I wrong?
    Not exactly. It only increases the variable pointed to by MyDWORD if MyDWORD is not NULL.

  7. #22
    Fahr (Guest)
    Originally posted by naides
    Not exactly. It only increases the variable pointed to by MyDWORD if MyDWORD is not NULL.
    And what does that mean if the DWORD points to a string? That it goes 1 char further?

    Also, I think this code is bogus, because it writes in EAX and then modifies it, but after it's done to Name, Email and Serial, it does a xor eax, eax...
    Whatever it is, I think it was generated by the compiler for some weird reason, but it doesn't seem to have any actual meaning...

    - Fahr

  8. #23
    Naides is Nobody
    Originally posted by Fahr
    And what does that mean if the DWORD points to a string? That it goes 1 char further?

    Also, I think this code is bogus, because it writes in EAX and then modifies it, but after it's done to Name, Email and Serial, it does a xor eax, eax...
    Whatever it is, I think it was generated by the compiler for some weird reason, but it doesn't seem to have any actual meaning...

    - Fahr

    I actually downloaded the app we are talking about and traced with softIce around the code you are interested in.

    Number One, as far as I can tell this code does not get called during serial validation, but I may be wrong, because I did not dig too much into the serial validation key generation routines.

    At start up this subroutine gets called repeatedly from position sub_422934+11.

    eax points to a structure that contains, at eax, a null-terminated string which corresponds to the name of a Windows API, like 'CreateMutexA' etc. Before it, at position [eax-04], there is a dword containing the length of the string pointed to by eax.
    At [eax-08] there is a dword flag which at live tracing almost invariably contained 'FFFFFFFF' or -1, which is a rather common flag. Every time your little subroutine got called, the 'FFFFFFFF' at [eax-08] was moved to edx, edx was incremented and it wrapped around to zero, so the actual flag at [eax-08] was not incremented and left with the value 'FFFFFFFF'.

    You can see all this action if you type in SoftIce: dd eax-08, while you are tracing through the code. In the data window you will see the structure I am talking about.


    Second point, this code appears to me to have to do with import symbols, IAT decoding etc., general housekeeping of a Win32 PE app, and not so much with the specifics of key validation; but I may be wrong, because I never saw this subroutine called from the other location at sub_41D144+16.

    Third Point:

    Your questions are naive, but they are smart. That is why I take some time digging for some answers, but you need to read 'The Art of Assembly' as you trace through code, so you learn to get a feel for what is going on. By definition, computer code may be cryptic, but it is NOT ambiguous. If a CPU can figure out what is going on, you certainly can.


    Fourth, The code in Qmacro does not seem to me as heavily guarded and full of traps to a cracker, if they at some point echoed the right key in memory.
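As an added illustration (not code from the thread, and not QMacro's), here is the routine from #17 and the memory layout from #23 rendered in Python: a buffer laid out as [refcount][length][chars], with the index of the first character standing in for the value of eax. The refcount and length offsets, and the -1 sentinel on constant strings, are what naides reports from the live data window; the "jle" reading (taken whenever the signed 32-bit result of the increment is zero or negative) is the documented x86 semantics of that jump. The sample buffers are constructed here.

```python
import struct

# Header field offsets relative to the character pointer (the value in eax),
# as observed in the thread via "dd eax-08" in SoftIce.
REFCOUNT_OFF = -8   # dword: reference count, -1 on the constant strings observed
LENGTH_OFF = -4     # dword: length of the string at eax
HEADER = 8          # bytes of header in front of the characters


def make_string(text: bytes, refcount: int) -> bytearray:
    """Build a constructed sample buffer: [refcount][length][chars][NUL].
    The characters start at index HEADER, which plays the role of eax."""
    buf = bytearray(struct.pack("<ii", refcount, len(text)))
    buf += text + b"\0"
    return buf


def to_signed32(value: int) -> int:
    """Reduce to a signed 32-bit result, the way a register would wrap."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def refcount(buf: bytearray, eax: int) -> int:
    """Read the dword at [eax-8]."""
    return struct.unpack_from("<i", buf, eax + REFCOUNT_OFF)[0]


def length(buf: bytearray, eax: int) -> int:
    """Read the dword at [eax-4]."""
    return struct.unpack_from("<i", buf, eax + LENGTH_OFF)[0]


def addref(buf: bytearray, eax: int):
    """Python rendering of sub_403FA4 (hypothetical name kept from the IDA listing).
    Returns None when eax is 0, "skipped" when the guard fires, otherwise the
    new reference count written back to memory."""
    if eax == 0:                                   # test eax, eax / jz short EndSub
        return None
    edx = refcount(buf, eax)                       # mov edx, [eax-8]
    edx = to_signed32(edx + 1)                     # inc edx (32-bit wraparound)
    if edx <= 0:                                   # jle short EndSub: taken when the
        return "skipped"                           # signed result is zero or negative
    struct.pack_into("<i", buf, eax + REFCOUNT_OFF, edx)   # lock inc dword ptr [eax-8]
    return edx


if __name__ == "__main__":
    heap = make_string(b"CreateMutexA", 1)         # constructed: an ordinary counted string
    const = make_string(b"CreateMutexA", -1)       # constructed: the -1 flag naides saw
    print(addref(heap, HEADER), refcount(heap, HEADER))     # 2 2
    print(addref(const, HEADER), refcount(const, HEADER))   # skipped -1
    print(addref(const, 0))                                 # None
```

Running it shows the three paths naides walks through: a NULL pointer returns immediately, a string flagged -1 is left untouched because the incremented copy in edx wraps to zero, and only an ordinary positive count reaches the locked increment. The same guard also refuses to bump a count of 0x7FFFFFFF, since the signed result would wrap negative.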

  9. #24
    Fahr (Guest)
    Thanks for the info, I'll be sure to look into it.

    So far I have been able to create a keymaker for it in Delphi, knowing what I know. Tracing through the code, I was able to grab a serial from memory. Retracing it I found some interesting things;

    First it pastes together your Name, Email and some key he hardcoded into it (QM-26092001-1637-MarkvanRenswoude), that's the date, time and name of the author (pretty stupid to hardcode it).
    This new 'key' it then generates gets put through some kind of intricate process and produces an output of 32 characters HEX. With my knowledge of PHP, I was able to define it as an actual MD5 hash of the exact string it created. Comparing this MD5 hash to the actual code, it became clear that he creates the actual serial as follows:

    QM- + HASH chars 5 - 15 + - + HASH chars 1 - 3

    in Delphi:
    Code:
    GenerationKey := Name + Email + 'QM-26092001-1637-MarkvanRenswoude';
    
    // MD5
    GenerationKey := MD5Print(MD5String(GenerationKey));
    
    // Generate FinalKey
    EdtSerial.Text := 'QM-' + Copy(GenerationKey, 5, 10) + '-' + Copy(GenerationKey, 1, 3);
    Even though this works like a charm, I am still not satisfied. This program uses a very well-known hash that I was accidentally able to recognize, but other programs don't. So my quest for dumping this keymaker to ASM still continues.

    What is this 'The Art of Assembly' you speak of? Sounds good.
    I am also digging through the assembly tuts at Krobar. I hope they're good.

    Thanks,
    - Fahr
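The scheme Fahr reconstructs above is worth looking at from the program's side, because it shows why it fell so quickly. The following is an added example (not the thread's Delphi code and not QMacro's own check) that writes the check the program can at best perform: recompute the serial from the same inputs and compare. The constant is the one Fahr quotes; the slice positions follow his Delphi Copy calls (Copy is 1-based, so Copy(s, 5, 10) is s[4:14] and Copy(s, 1, 3) is s[0:3]); lowercase hex output from MD5Print is an assumption.

```python
import hashlib
import hmac

# The constant Fahr reports finding embedded in the program (quoted from the thread).
EMBEDDED_CONSTANT = "QM-26092001-1637-MarkvanRenswoude"


def md5_hex(data: str) -> str:
    """Lowercase hex MD5; assumed to match what the Delphi MD5Print call produced."""
    return hashlib.md5(data.encode("latin-1")).hexdigest()


def derive_serial(name: str, email: str) -> str:
    """Serial layout from Fahr's Delphi snippet:
    'QM-' + Copy(hash, 5, 10) + '-' + Copy(hash, 1, 3)."""
    digest = md5_hex(name + email + EMBEDDED_CONSTANT)
    return "QM-" + digest[4:14] + "-" + digest[0:3]


def verify_serial(name: str, email: str, serial: str) -> bool:
    """The only check such a design can make: recompute and compare.
    Every input to derive_serial (the hash function, the concatenation order and
    the constant) sits inside the shipped binary, so whoever can run the verifier
    can also produce serials. That is exactly what the thread did."""
    return hmac.compare_digest(serial.encode("latin-1"), derive_serial(name, email).encode("latin-1"))


if __name__ == "__main__":
    # Constructed sample inputs.
    serial = derive_serial("Alice", "alice@example.invalid")
    print(serial, verify_serial("Alice", "alice@example.invalid", serial))
    print(verify_serial("Bob", "alice@example.invalid", serial))   # False
```

The structural lesson for anyone designing such a check: a hash of the inputs plus a constant is an unkeyed function, and hiding the constant in the executable is not a key. A design where the vendor signs the name and e-mail with a private key and the program ships only the public key lets the client verify a serial without being able to mint one; the standard library used here has no signature primitive, so that variant is described rather than shown.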

  10. #25
    Naides is Nobody
    The Art of Assembly is one of several online, free assembly reference e-books, which you may easily find by typing 'the art of assembly' in Google. One version is at http://www.arl.wustl.edu/~lockwood/class/cs306/books/artofasm/toc.html

    Nothing to it, it is just a handy reference for obscure and not so obscure asm opcodes, variable formats, and so on. You may also find it as a .pdf file for local printing and off-line browsing.

  11. #26
    Fahr (Guest)
    heh, I am never offline, so I'll stick with this one

    Looks like a nice book, I'll read it through, thanks

    - Fahr
