ARTEAM EZINE ISSUE IV
Now we are ready to analyze the check routines of the License Code.
5.4.3 GENERAL CHECK'S SCHEME

Figure 87 shows the first part of a more complex subroutine that identifies the General Check scheme used in this target:

00410640  SUB ESP,444
00410646  PUSH 11
00410648  CALL dwice.00427220
0041064D  ADD ESP,4
00410650  CMP EAX,0F
00410653  JMP NEAR DWORD PTR DS:[EAX*4+address of indexes table]
…
A Heap object is randomly selected to be copied in the stack area;
…
0041073F  OR ECX,-1
00410742  XOR EAX,EAX
00410744  PUSH EDI
00410745  LEA EDI, stack's offset of License Code
0041074C  REPNE SCAS BYTE PTR ES:[EDI]        ; scan for the terminating NUL of the License Code
0041074E  NOT ECX
00410750  DEC ECX
00410751  CMP ECX,1E                          ; ECX = length of the Serial; must be 0x1E (30)
00410754  JE Next
…
Next:
00410765  PUSH Parameter passed by address
00410766  CALL Hashing Block procedure
0041076B  MOV ECX, index of License Code Buffer
…
00410786  MOV CL,BYTE PTR SS:[Base offset of License Code + ECX]
0041078D  MOV EDX,EAX                         ; EAX is the return value of the Hashing Block procedure
0041078F  AND EDX,1F                          ; EDX (low 5 bits of EAX) is the index into the Hash String Buffer
00410792  CMP CL,BYTE PTR SS:[Base offset of Hash String + EDX*2]   ; Hash String entries are 2 bytes apart
00410796  JE Next Check
00410798  POP EDI
00410799  XOR EAX,EAX                         ; if EAX == 0, we made a mistake!
0041079B  ADD ESP,444
004107A1  RETN
…
Next Check:
004107A2  MOV ECX, another index of License Code
…
004107BA  MOV CL,BYTE PTR SS:[Base offset of License Code + ECX]
004107C1  MOV EDX,EAX
004107C3  SHR EDX,5
004107C6  AND EDX,1F                          ; EDX (next 5 bits of EAX) is another index into the Hash String Buffer
004107C9  CMP CL,BYTE PTR SS:[Base offset of Hash String + EDX*2]
004107CD  JE Next next Check
004107CF  POP EDI
004107D0  XOR EAX,EAX                         ; if EAX == 0, we made a mistake!
004107D2  ADD ESP,444
004107D8  RETN
…
Next next Check:
…
Reversing the Protection’s scheme of Alexey Pajitnov’s game Dwice by Gyver75
134