Tray Day 4.5
BEGINNERS: the kill of a weak and badly written scheme
Back to the Snippets
30 January 1998
Courtesy of Reverser's page of reverse engineering
Advanced crackers begone: this is an easy, beginners oriented
essay, yet, for beginners, particularly intersting IMHO, because it shows
you how to 'follow' a protection scheme 'around the codecorners'. Besides we have
presented (and will present) so many 'higher cracking' essays that it is appropriate
to offer some interesting essays also to those that don't master yet the more
difficult tyechniques of our art. Beginners will learn here how a simple mathematical
verification routine works, and will be able to see 'in slow motion' the creation of a
registration nummer. Enjoy!
There is a crack, a crack in everything That's how the light
( )Intermediate ( )Advanced ( )Expert
What can I say more, it's basic
and straight forward .... No extra's or heavy coding
BEGINNERS: the kill of
a weak and badly written scheme
MaD '96 [CPT]
This is a useful hack of the beginner .... Reading through the essay we find a poorly protection
scheme which also has a mistake (you can find this when you reverse a newer util tray-text) but
more about this in the ending notes of this essay ... I'm not a talker, just a reverser!
The one and only SOFTICE 95 ver.
3.0 (or more)
Okay let's start....
Start the program and in nests in de systray...right click it and we have a menu
with a register option. Select it and key in your name and a random number. I used
MaD 96 (it's case sensitive)
12121212 (where have we seen this before ?)
Crack into soft ice (crtl-D) and search for the serial you returned.
S 30:0 lffffffff "12121212" (my example and +ORC)
It will come back with a address somewhere in 8XXXXXXX. For me it is
Set a break point on this address so we can scoop it (breakpoint it)....
Exit soft ice (F5) and hit the OK-button. We land right back into
soft ice, in the kernel at HMEMCPY....
okay now we need to reach the code-segment of tray day... I did it
by pressing the F12-key (p ret <enter>) until you reach the
code (9 times).
You will reach a part that look like this (disable the BPM):
Set a BPX at point of entry so we won't loose it...
:00401439 FF157C934000 Call dword ptr [0040937C] <<<< getdlgitemtexta
:0040143F 8945DC mov [ebp-24], eax <<<< entry point after F12 (9x)
:00401442 837DE005 cmp [ebp-20], 00000005
:00401446 0F8222000000 jb 0040146E
:0040144C 837DDC08 cmp [ebp-24], 00000008 <<<< Here
:00401450 0F8518000000 jne 0040146E
:00401456 8B45E0 mov eax, [ebp-20]
:00401459 50 push eax
:0040145A 8D45E4 lea eax, [ebp-1C]
:0040145D 50 push eax
:0040145E E8F9FDFFFF call 0040125C <<<< Here1
:00401463 83C408 add esp, 00000008
:00401466 85C0 test eax, eax <<<< Here2
:00401468 0F8520000000 jne 0040148E
Okay in this piece of code a lot is happening. At the marker "entry"
we enter the source-code of trayday and here the length of the serial you keyed
in is stored at a location.
Now (at the marker 'Here') the length of the serial is checked.
Make sure that you used a serial number of 8 digits if not... BAD boy...
Go back to the program and enter a serial of 8 digits and hit the
ok-button you will be back at your BPX (entry)
Step through the code until, at the marker 'Here2', a check is
performed with EAX ... I had a feeling (reversing is not always just the
knowledge which we can learn from reading essays... It's experience,
it's feeling... (feeling the call of the code I guess...)
but certainly no luck!)
EAX is at that point '0' let's make it a '1' changing it in memory
and let's run the program anew after having disabled all breakpoints.
R EAX 1
And see what happens! Registration succesfull! But it'is only for now...
If you exit the program and start it again, you'll notice that you have
Okay let's go in softice, enable the BPX only, go back to Win 95, start
trayday, enter a bogus serial and a bogus name and hit the okay-button...
tatatataaa! Back at the entry point...
Now trace into the call at marker 'Here 1' and see what we have there
:0040125C 55 push ebp
:0040125D 8BEC mov ebp, esp
:0040125F 83EC0C sub esp, 0000000C
:00401262 53 push ebx
:00401263 56 push esi
:00401264 57 push edi
:00401265 C745F400000000 mov [ebp-0C], 00000000
:0040126C 8B4508 mov eax, [ebp+08] <<<< Here 3
:0040126F 33C9 xor ecx, ecx
:00401271 8A4807 mov cl , [eax+07] <<<< Here 4
:00401274 83F938 cmp ecx, 00000038
:00401277 0F8407000000 je 00401284
:0040127D 33C0 xor eax, eax
:0040127F E93F010000 jmp 004013C3
At marker 'Here 3' EAX will be loaded with the location of the serial
Okay just step gently through the code... At marker 'here 4' the last
number of your entered serial is loaded in CL (remember serial could only
be 8 digits long).
Right after that, it is compared with '38' which is 8 in ascII.
So now we know that all serial numbers must have a 'hard-wired'
8 at their end in order to pass this "new" check.
Our number should therefore be xxxxxxx8. Just do a quick
R ECX 38
to fool the protection -for now- and let's go futher inside our
:00401284 C745FC00000000 mov [ebp-04], 00000000
:0040128B E903000000 jmp 00401293
:00401290 FF45FC inc [ebp-04]
:00401293 837DFC04 cmp [ebp-04], 00000004
:00401297 0F8F13000000 jg 004012B0
:0040129D 8B45FC mov eax, [ebp-04]
:004012A0 33C9 xor ecx, ecx
:004012A2 8A8858704000 mov cl , [eax+00407058]
:004012A8 014DF4 add [ebp-0C], ecx
:004012AB E9E0FFFFFF jmp 00401290
:004012B0 8B450C mov eax, [ebp+0C] <<<< Here 5
Set a temporary breakpoint on 004012B0 with F7 (here <enter>.
The jump if greater at 401297 will jump to that anyway.
This snippet of code calulates the total sum of the ascii
of your name. I did not included all the summing-code.
Just the parte where the last ASCII value is added:
:004012B3 33C9 xor ecx, ecx
:004012B5 8A8857704000 mov cl , [eax+00407057]
:004012BB 014DF4 add [ebp-0C], ecx <<< last ascii-value is added (name)
:004012BE B953000000 mov ecx, 00000053
:004012C3 8B45F4 mov eax, [ebp-0C]
:004012C6 99 cdq
:004012C7 F7F9 idiv ecx
:004012C9 8D420A lea eax, [edx+0A]
:004012CC 8945F8 mov [ebp-08], eax <<< store calc. value of the sum
:004012CF 8B4508 mov eax, [ebp+08]
:004012D2 33C9 xor ecx, ecx
:004012D4 8A08 mov cl , [eax] <<<here6
At the marker 'here 6' the first digit of your serial is fetched.
:004012D6 BB0A000000 mov ebx, 0000000A
:004012DB 8B45F8 mov eax, [ebp-08] <<< get the calc. value of the sum
:004012DE 99 cdq
:004012DF F7FB idiv ebx <<< big,heavy calculations
:004012E1 83C030 add eax, 00000030
:004012E4 3BC8 cmp ecx, eax <<< the big compare
'The big compare' , is the first 'KEYED IN' digit the same as the
calculated one. For us this was a 1 (31).... but the code wants 6 (36)
okay write this number down, he wants a six, he gets a six: our
code is now
Then fool the protection again,
R ECX EAX
And we fall through the next relative jump
:004012E6 0F851E000000 jne 0040130A <<< Bad_boy JUMP
:004012EC 8B4508 mov eax, [ebp+08]
:004012EF 33C9 xor ecx, ecx
:004012F1 8A4801 mov cl , [eax+01] <<< get second digit of your serial
:004012F4 BB0A000000 mov ebx, 0000000A
:004012F9 8B45F8 mov eax, [ebp-08]
:004012FC 99 cdq
:004012FD F7FB idiv ebx
:004012FF 8D4230 lea eax, [edx+30]
:00401302 3BC8 cmp ecx, eax <<< another big compare
'Another big compare' is performed by the code, which compares
your digit and the calcutaled digit.
We had 2 (32), but he wants a 3 (33). So our serial will
let's fool the code in the usual way before executing the CMP-opcode.
R ECX EAX
:00401304 0F8407000000 je 00401311 <<< good guy jumps...
:0040130A 33C0 xor eax, eax
:0040130C E9B2000000 jmp 004013C3 <<< bad guy goes ...
:00401311 B926000000 mov ecx, 00000026
:00401316 8B45F4 mov eax, [ebp-0C]
:00401319 99 cdq
:0040131A F7F9 idiv ecx
:0040131C 8D420A lea eax, [edx+0A]
:0040131F 8945F8 mov [ebp-08], eax
:00401322 8B4508 mov eax, [ebp+08]
:00401325 33C9 xor ecx, ecx
:00401327 8A4802 mov cl , [eax+02] <<<< get your third digit...
:0040132A BB0A000000 mov ebx, 0000000A
:0040132F 8B45F8 mov eax, [ebp-08]
:00401332 99 cdq
:00401333 F7FB idiv ebx
:00401335 83C030 add eax, 00000030
:00401338 3BC8 cmp ecx, eax <<< The compare-action
'Another big compare' is performed by the code between your
digit and the calcutaled digit
We had 1 (31) he wants a 1 (31). So our serial will now be
And by change we gambled one of the entries right... !
:0040133A 0F851E000000 jne 0040135E <<< bad guy jumps!
:00401340 8B4508 mov eax, [ebp+08]
:00401343 33C9 xor ecx, ecx
:00401345 8A4804 mov cl , [eax+04] <<< get FIFTH digit
:00401348 BB0A000000 mov ebx, 0000000A
:0040134D 8B45F8 mov eax, [ebp-08]
:00401350 99 cdq
:00401351 F7FB idiv ebx
:00401353 8D4230 lea eax, [edx+30]
:00401356 3BC8 cmp ecx, eax <<< the compare
Look here !!! The FOURTH digit is not used !!! So doing the
same action as before... The code wants now a 5 (35), we gave him
a 1 (31)... so the code now is
Fool the code as usual...
R ECX EAX
:00401358 0F8407000000 je 00401365 <<< good guy jumps ...
:0040135E 33C0 xor eax, eax
:00401360 E95E000000 jmp 004013C3
:00401365 B911000000 mov ecx, 00000011
:0040136A 8B45F4 mov eax, [ebp-0C]
:0040136D 99 cdq
:0040136E F7F9 idiv ecx
:00401370 8D420A lea eax, [edx+0A]
:00401373 8945F8 mov [ebp-08], eax
:00401376 8B4508 mov eax, [ebp+08]
:00401379 33C9 xor ecx, ecx
:0040137B 8A4805 mov cl , [eax+05] <<< get your sixth digit
:0040137E BB0A000000 mov ebx, 0000000A
:00401383 8B45F8 mov eax, [ebp-08]
:00401386 99 cdq
:00401387 F7FB idiv ebx
:00401389 83C030 add eax, 00000030
:0040138C 3BC8 cmp ecx, eax <<< the compare .... (boring)
Do the same operations as before ...
R ECX EAX
The code is now ...
:0040138E 0F851E000000 jne 004013B2 <<< bad guy jumps...
:00401394 8B4508 mov eax, [ebp+08]
:00401397 33C9 xor ecx, ecx
:00401399 8A4806 mov cl , [eax+06] <<< get seventh digit (your serial)
:0040139C BB0A000000 mov ebx, 0000000A
:004013A1 8B45F8 mov eax, [ebp-08]
:004013A4 99 cdq
:004013A5 F7FB idiv ebx
:004013A7 8D4230 lea eax, [edx+30]
:004013AA 3BC8 cmp ecx, eax <<< the compare...
:004013AC 0F8407000000 je 004013B9 <<< the good guy jumps...
You know the drill ...
R ECX EAX
The code is now ...
:004013B2 33C0 xor eax, eax <<< Bad guy flag
:004013B4 E90A000000 jmp 004013C3
:004013B9 B801000000 mov eax, 00000001 <<< Flag of the reg. one!
:004013BE E900000000 jmp 004013C3
:004013C3 5F pop edi
:004013C4 5E pop esi
:004013C5 5B pop ebx
:004013C6 C9 leave
:004013C7 C3 ret
Okay now we know the code for 'MaD 96' is '631x5218.. But what
about the fourth digit.. let's try just a number ... I picked 4 , just key in
the complete serial (disable all Breakpoints first) and see ... we are a
winner ... just pick any number you like for the fourth digit....
It's now easy to make a key-generator. OK, this is not such a
cool-tool but for me it was what I at the moment wanted...
Okay Have a lot of fun, and I hope you find what I have
written useful as study material.
Have a nice day ...... MaD'96
This essay was written on 9 January 1998, for my own site, and most
important, as a reference for later works... After using this util for a
while I cracked Traytext (It's from the same guy) because trayday already
saved me a lot of typing work and with traytext you can even paste complete
texts form the systray to your applications...
Well I reversed this target, and of course the proctection is quite
similar (subtract the values in stead of adding ) I found out that the
fourth digit was ment to be a '-'... XXX-XXXX
And that that he did not check it, was probably just a mistake of the
Happy hunting... MaD '96 [CPT]
I wont even bother explaining you that you should BUY this
target program if you intend to use it for a longer period than the allowed
one. Should you want to STEAL this software instead, you don't need to
crack its protection scheme at all: you'll find it on most Warez sites,
complete and already regged, farewell.
You are deep inside reverser's page of reverse engineering, choose
your way out:
Back to the Snippets
reverse engineering legal?