| Target: | Zip Manager 5.3 |
| Author: | Software Excellence By Design |
| Protection: | Name/Serial |
| Tools used |
- lcc - SoftICE 3.2 |
| Level |
(X) Beginner (X) Intermediate ( ) Advanced ( ) Expert |
:0045D7BD C745F800000000 MOV DWORD PTR [EBP-08],00000000 :0045D7C4 C745F400000000 MOV DWORD PTR [EBP-0C],00000000 :0045D7CB C745F000000000 MOV DWORD PTR [EBP-10],00000000 :0045D7D2 C745EC00000000 MOV DWORD PTR [EBP-14],00000000 :0045D7D9 C745E800000000 MOV DWORD PTR [EBP-18],00000000 :0045D7E0 C745E438270000 MOV DWORD PTR [EBP-1C],00002738 :0045D7E7 8B4508 MOV EAX,[EBP+08] :0045D7EA 8945FC MOV [EBP-04],EAX :0045D7ED 66C745D80000 MOV WORD PTR [EBP-28],0000 :0045D7F3 E904000000 JMP 0045D7FC :0045D7F8 66FF45D8 INC WORD PTR [EBP-28] :0045D7FC 0FBF45D8 MOVSX EAX,WORD PTR [EBP-28] :0045D800 83F82B CMP EAX,2B :0045D803 0F8D5B000000 JGE 0045D864 :0045D809 0FBF45D8 MOVSX EAX,WORD PTR [EBP-28] :0045D80D 8B4DFC MOV ECX,[EBP-04] :0045D810 0FBE0408 MOVSX EAX,BYTE PTR [ECX+EAX] :0045D814 8945E0 MOV [EBP-20],EAX :0045D817 8B45E0 MOV EAX,[EBP-20] :0045D81A 69C049870100 IMUL EAX,EAX,00018749 :0045D820 0145F8 ADD [EBP-08],EAX :0045D823 8B45E0 MOV EAX,[EBP-20] :0045D826 69C061870100 IMUL EAX,EAX,00018761 :0045D82C 0145F4 ADD [EBP-0C],EAX :0045D82F 8B45E0 MOV EAX,[EBP-20] :0045D832 69C095860100 IMUL EAX,EAX,00018695 :0045D838 0145F0 ADD [EBP-10],EAX :0045D83B 8B45E0 MOV EAX,[EBP-20] :0045D83E 69C037870100 IMUL EAX,EAX,00018737 :0045D844 0145EC ADD [EBP-14],EAX :0045D847 8B45E0 MOV EAX,[EBP-20] :0045D84A 69C057870100 IMUL EAX,EAX,00018757 :0045D850 0145E8 ADD [EBP-18],EAX :0045D853 8B45E0 MOV EAX,[EBP-20] :0045D856 69C0D9860100 IMUL EAX,EAX,000186D9 :0045D85C 0145E4 ADD [EBP-1C],EAX :0045D85F E994FFFFFF JMP 0045D7F8 :0045D864 8B45F0 MOV EAX,[EBP-10] :0045D867 0345F4 ADD EAX,[EBP-0C] :0045D86A 0345F8 ADD EAX,[EBP-08] :0045D86D 0345E4 ADD EAX,[EBP-1C] :0045D870 0345E8 ADD EAX,[EBP-18] :0045D873 0345EC ADD EAX,[EBP-14] :0045D876 B93DBB0D00 MOV ECX,000DBB3D :0045D87B 99 CDQ :0045D87C F7F9 IDIV ECX :0045D87E 8D4201 LEA EAX,[EDX+01] :0045D881 8945DC MOV [EBP-24],EAX :0045D884 8B450C MOV EAX,[EBP+0C] :0045D887 3945DC CMP [EBP-24],EAX :0045D88A 0F850F000000 JNZ 0045D89F :0045D890 B801000000 MOV EAX,00000001 :0045D895 E90C000000 JMP 0045D8A6Now you have to understand the calculation instructions ... that's mostly quite easy once you found them all. Try to work out how the serial is generated yourself and then read on ...
- multiplicated by 18749 h and added to [EBP-08] (0045D81A and 0045D823) - multiplicated by 18761 h and added to [EBP-0C] (0045D826 and 0045D82C) - multiplicated by 18695 h and added to [EBP-10] (0045D832 and 0045D838) - multiplicated by 18737 h and added to [EBP-14] (0045D83E and 0045D844) - multiplicated by 18757 h and added to [EBP-18] (0045D84A and 0045D850) - multiplicated by 186D9 h and added to [EBP-1C] (0045D856 and 0045D85C)If your name is not 2B h chars long, then the rest of the chars will be just ignored.
short int Calculate(HWND hDialog)
{
unsigned char name[50] = {0};
unsigned char serial[100] = {0};
unsigned long EAX = 0;
unsigned long TMP = 0;
unsigned long EBP_10 = 0;
unsigned long EBP_0C = 0;
unsigned long EBP_08 = 0;
unsigned long EBP_1C = 0x2738;
unsigned long EBP_18 = 0;
unsigned long EBP_14 = 0;
unsigned long i = 0;
static HWND hControl;
hControl = GetDlgItem(hDialog, EDIT_NAME);
GetWindowText(hControl, &name, 43);
for (i = 1; i <= 0x2B; i++)
{
if (i <= strlen(name))
{
EAX = name[i-1];
EBP_08 += (EAX * 0x18749);
EBP_0C += (EAX * 0x18761);
EBP_10 += (EAX * 0x18695);
EBP_14 += (EAX * 0x18737);
EBP_18 += (EAX * 0x18757);
EBP_1C += (EAX * 0x186D9);
}
}
EAX = EBP_10 + EBP_0C + EBP_08 + EBP_1C + EBP_18 + EBP_14;
TMP = EAX / 0xDBB3D;
EAX = EAX - (TMP * 0xDBB3D);
EAX += 1;
wsprintf(serial, "%lu", EAX);
hControl = GetDlgItem(hDialog, EDIT_CODE);
SetWindowText(hControl, serial);
return 0;
}
Feel free to e-mail me feedback, questions or whatever (NO crack requests!!). You can
also talk to me on IRC (EFNet) at
#ImmortalDescendants,
#PhrozenCrew or
#cracking4newbies.