QuikFrame v5.00

amois

Program Url: w*w.gtscad.com
Program type: Engineering

Tools:

SoftIce

Easy ( )  Medium (x)  Hard (x)  Pro ( )

Introduction

"The man who says money does everything is the man who does everything for money."

Write-up

NE file type, written in Turbo Pascal. Protected with an old version of Softlock. For a given serial number (mine is #21253) you have to enter a 4-digit code. “1907” -> [bpx hmemcpy] -> [F12] ->

From this point on we trace carefully. After returning a few times with [F12], this is where we end up ->

...
356F:0758 PUSH WORD PTR [BP-06]
356F:075B CALL 346F:0D65
356F:0760 PUSH AX
356F:0761 LES DI,[BP+06]
356F:0764 ADD DI,080E
356F:0768 PUSH ES
356F:0769 PUSH DI
356F:076A CALL 02AA                     <- ax became 5436
356F:076D POP DX                        <- dx = 1907 (the code we typed in)
356F:076E CMP AX,DX                     <- are they equal?
356F:0770 JNZ 0784                      <- bad boy

We found the valid code very easily. But what about a keygen? [bpx 076A] ->

...
346F:0D80 PUSH DI
346F:0D81 CALL 07BB
346F:0D84 MOV AX,[BP-06]                <- ax = 5305h = 21253 (the serial)
346F:0D87 MOV [BP+FDA6],AX
346F:0D8B PUSH A791                     <- constant
346F:0D8E LEA DI,[BP+FDA6]              <- 5305
346F:0D92 PUSH SS
346F:0D93 PUSH DI
346F:0D94 CALL 056E                     <- ax became 49F4
346F:0D97 MOV AX,[BP+FDA4]
346F:0D9B SHL AX,0B
346F:0D9E OR AX,[BP+FDA4]
346F:0DA2 MOV [BP+FDA4],AX
346F:0DA6 PUSH WORD PTR [BP+FDA6]       <- 49F4
346F:0DAA LEA DI,[BP+FDA4]              <- 0801 <- constant
346F:0DAE PUSH SS
346F:0DAF PUSH DI
346F:0DB0 CALL 056E                     <- ax became 1DC2
346F:0DB3 MOV AX,[BP+FDA6]              <- ax = 49F4
346F:0DB7 XOR AX,[BP+FDA4]              <- 49F4 XOR 1DC2 = 5436
346F:0DBB MOV [BP-02],AX
346F:0DBE MOV AX,[BP-02]
346F:0DC1 LEAVE
346F:0DC2 RETF 0002

To write a keygen we need to find out how the numbers 49F4 and 1DC2 are computed. Both come out of the CALL 056E; the only difference between the two calls is the values pushed beforehand.

346F:056E PUSH BP
346F:056F MOV BP,SP
346F:0571 MOV AX,0002
346F:0574 CALL 33CF:03CB
346F:0579 SUB SP,02
346F:057C MOV AX,[BP+08]                <- ax = A791 <- constant
346F:057F XOR DX,DX                     <- dx = 0
346F:0581 MOV [4F90],AX
346F:0584 MOV [4F92],DX
346F:0588 PUSH FF
346F:058A CALL 33CF:1ADC                <- ax became 1AF1
346F:058F MOV [BP-02],AX
346F:0592 LES DI,[BP+04]
346F:0595 MOV AX,ES:[DI]                <- ax = 5305
346F:0598 XOR AX,[BP-02]                <- 5305 XOR 1AF1 = 49F4
346F:059B MOV ES:[DI],AX
346F:059E LEAVE
346F:059F RET 0006

How was 1AF1 computed? [bpx 058A] ->

33CF:1ADC CALL 1B39                     <- ax = 09D6, dx = 1AF2 afterwards
33CF:1ADF MOV BX,SP
33CF:1AE1 MOV CX,DX                     <- cx = 1AF2
33CF:1AE3 MUL WORD PTR SS:[BX+04]       <- 09D6 * FFFF = 09D5F62A
33CF:1AE7 MOV AX,CX                     <- ax = 1AF2
33CF:1AE9 MOV CX,DX                     <- cx = 09D5
33CF:1AEB MUL WORD PTR SS:[BX+04]       <- 1AF2 * FFFF = 1AF1E50E
33CF:1AEF ADD AX,CX                     <- E50E + 09D5 = EEE3
33CF:1AF1 ADC DX,00                     <- 1AF1
33CF:1AF4 MOV AX,DX                     <- ax = 1AF1
33CF:1AF6 RETF 0002

Only the CALL 1B39 is left to examine.

33CF:1B39 MOV AX,[4F90]                 <- ax = A791
33CF:1B3C MOV BX,[4F92]                 <- bx = 0000
33CF:1B40 MOV CX,AX                     <- cx = A791
33CF:1B42 MUL WORD PTR CS:[1B6F]        <- A791 * 8405 = 566A09D5
33CF:1B47 SHL CX,1                      <- 4F22
33CF:1B49 SHL CX,1                      <- 9E44
33CF:1B4B SHL CX,1                      <- 3C88
33CF:1B4D ADD CH,CL                     <- C488
33CF:1B4F ADD DX,CX                     <- 566A + C488 = 1AF2
33CF:1B51 ADD DX,BX
33CF:1B53 SHL BX,1
33CF:1B55 SHL BX,1
33CF:1B57 ADD DX,BX
33CF:1B59 ADD DH,BL
33CF:1B5B MOV CL,05
33CF:1B5D SHL BX,CL
33CF:1B5F ADD DH,BL
33CF:1B61 ADD AX,0001
33CF:1B64 ADC DX,00
33CF:1B67 MOV [4F90],AX
33CF:1B6A MOV [4F92],DX
33CF:1B6E RET

The routines above are called once more at 0DB0. We can write our keygen right away.

.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc     ; MASM32 SDK includes
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data

serial    dw 21253
sabit_1   dw 08405h                ; multiplier read from CS:[1B6F]
deg_1     dw 0h                    ; seed (the value pushed before CALL 056E)
deg_2     dw 0h                    ; the word ES:[DI] points to (gets XORed)
deg_3     dw 0h

.code

start:

xor eax, eax                     ; zero the registers
xor ebx, ebx
xor ecx, ecx
xor edx, edx

mov ax, serial                  ; 21253

mov deg_1, 0A791h               ; the constant pushed at 0D8B
mov deg_2, ax                   ; 21253
call @056E                      ; ax came back as 49F4

mov deg_3, ax                   ; save it

mov deg_1, ax                   ; 49F4
mov deg_2, 0801h                ; the constant at 0DAA
call @056E                      ; ax came back as 1DC2

xor ax, deg_3                   ; 1DC2 XOR 49F4 = 5436, the valid code

@cikis:
invoke ExitProcess, 0           ; result is left in ax, read it in the debugger

@056E:
call @1ADC                      ; ax = 1AF1 on the first call, 15C3 on the second
xor ax, deg_2                   ; 5305 XOR 1AF1 = 49F4, 15C3 XOR 0801 = 1DC2
ret


@1ADC:
call @1B39                      ; dx:ax = new seed
mov bx, 0ffffh                  ; the FFFF multiplier seen at 1AE3
mov cx, dx
mul bx
mov ax, cx
mov cx, dx
mul bx
add ax, cx
adc dx, 00
mov ax, dx                      ; 1AF1, 15C3
ret

@1B39:
mov ax, deg_1                   ; A791, 49F4
mov bx, 0                       ; high word of the seed ([4F92]) is always 0 here
mov cx, ax
mul sabit_1                     ; 8405 <- sabit_1
shl cx, 1
shl cx, 1
shl cx, 1
add ch, cl
add dx, cx
add dx, bx
shl bx, 1
shl bx, 1
add dx, bx
add dh, bl
mov cl, 5
shl bx, cl
add dh, bl
add ax, 01
adc dx, 00
ret

end start

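The two routines traced above are the Borland Pascal run-time's RandSeed update and Random(N), and as an added check (not part of the original write-up) here is the same computation in Python: the seed constant 0x08088405 is assumed from that run-time, and the trace values above are the reference points.

```python
# Added check of the SoftIce trace above; not part of the original write-up.
# Assumption (taken from Borland Pascal's RTL): 33CF:1B39 is the RandSeed
# update seed = seed * 0x08088405 + 1 and 33CF:1ADC is Random(N), which
# returns the high dword of seed * N.

MASK16 = 0xFFFF
MASK32 = 0xFFFFFFFF


def rand_seed_step(seed: int) -> int:
    """33CF:1B39. MUL by 0x8405 gives the low product; the SHL / ADD CH,CL
    work on CX and BX supplies the 0x0808 high-word part of 0x08088405."""
    return (seed * 0x08088405 + 1) & MASK32


def random_n(seed: int, n: int) -> tuple[int, int]:
    """33CF:1ADC. Two 16-bit MULs plus ADD/ADC compute (seed * n) >> 32.
    Returns (random value, advanced seed)."""
    seed = rand_seed_step(seed)
    return ((seed * n) >> 32) & MASK16, seed


def routine_056e(pushed: int, pointed: int) -> int:
    """346F:056E. [4F90]:[4F92] = pushed (seed reset to a 16-bit value),
    then the word ES:[DI] points to is XORed with Random(0xFFFF)."""
    r, _ = random_n(pushed & MASK16, 0xFFFF)
    return (pointed ^ r) & MASK16


def expected_code(serial: int) -> int:
    """346F:0D84..0DB7: the value compared with the typed code at 356F:076E."""
    a = routine_056e(0xA791, serial)          # 49F4 for serial 21253
    b = routine_056e(a, (1 << 11) | 1)        # SHL 0B / OR gives 0801 -> 1DC2
    return a ^ b                              # 49F4 XOR 1DC2 = 5436


if __name__ == "__main__":
    print(f"seed after 1B39: {rand_seed_step(0xA791):08X}")        # 1AF209D6
    print(f"Random(FFFF):    {random_n(0xA791, 0xFFFF)[0]:04X}")   # 1AF1
    print(f"code for 21253:  {expected_code(21253):04X}")          # 5436
```

This also shows why the check is so easy to reproduce: the expected code is a pure function of the serial and two constants stored in the binary, run through a non-cryptographic PRNG, so anyone holding the binary can recompute it, whereas a check that verifies a signature over the serial against an embedded public key could not be rebuilt from a trace like this.
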
Final notes

If you make money using a program, buy the program.