ARTeam ezine 4th


For the other check routines, you can see the asm source of my keygen; it’s quite well commented! ;)

5.6 ADDENDUM – EXERCISE

Don’t worry, it’s just a little proposal of mine. If you traced the program as I described here, you have surely noticed many duplicated calls inside the Time’s Flag checks (see Figure 14), and you can also see other address constants that seem to work like Time’s Flags themselves… why? Once the game is registered, where is the License Code saved? Exactly: in the Windows registry, more precisely in HKEY_LOCAL_MACHINE\SOFTWARE\WildSnake Software\Dwice\1.0. Here, both License Name and License Code are stored as REG_SZ. So, when we launch the game, the program tests for the presence of these keys and, if they exist, it performs the same checks; as an exercise, you can trace these checks and discover new Time’s Flags (Registry Time’s Flags! ;-D).

It’s important to underline that the License Code is saved to the registry in an encrypted form; I discovered this by tracing case BB8 of CALL dwice.0040E7A4h (do you remember the “final good judgment”?). Inside it, we can find:

    PUSH Offset of License Code
    PUSH Buffer of Cryptic License Code
    CALL dwice.00424AA0

The CALL underlined in red simply encrypts the License Code, passed by address as the 1st parameter, and stores the result in the Cryptic License Code buffer (the 2nd parameter, also passed by address).

Reversing the Protection’s scheme of Alexey Pajitnov’s game Dwice by Gyver75
