Sender: pepper_32@hotmail.com
Received: from galaxy.chez.com ([194.98.133.161] (may be forged))
    by arl-img-5.compuserve.com (8.8.6/8.8.6/2.9) with ESMTP id NAA19596
    for <100114.453@compuserve.com>; Sun, 16 Nov 1997 13:33:07 -0500 (EST)
Received: from hotmail.com (F78.hotmail.com [207.82.250.184])
    by galaxy.chez.com (8.8.5/8.8.5) with SMTP id TAA08730
    for ; Sun, 16 Nov 1997 19:31:47 +0100 (CET)
Received: (qmail 4274 invoked by uid 0); 16 Nov 1997 18:32:11 -0000
Message-ID: <19971116183211.4273.qmail@hotmail.com>
Received: from 194.231.124.37 by www.hotmail.com with HTTP;
    Sun, 16 Nov 1997 10:32:10 PST
X-Originating-IP: [194.231.124.37]
From: "pepper"
To: msre@chez.com
Subject: script 1 of 2
Content-Type: text/plain
Date: Sun, 16 Nov 1997 10:32:10 PST

Hi whoever is there:

reverser is the greatest page I ever found on the WEB. Helped me a lot
and guess it's time to say not only thank you but also to send some
small "note". Have followed your instructions HOW and WHAT to send.
Hope it will be interesting for more than only me.

Pepper [PC] - "Script follows after next line"
==============================================================

O'Basic - a real joke if used for Shareware Registration!

I found a nice tool from a German author: SysSave 3.2, which protects
against crashes of the Win 95 Registry. Really fine. But more
fascinating was the protection, which I had never seen before. As usual,
asking for a name and a RegCode looked simple. Let's run WinIce and have
a look using a typical BPX like GetWindowTextA.

The code we find looks crazy, like a Visual Basic program. But it is
not VB. It is a kind of script language called O'BASIC. And indeed we
find OBENGINE.DLL, which obviously does something similar to the
well-known DLLs for VB. Do we need a decompiler, and where would we get
one? No, because O'BASIC works a bit differently from VB.

To shorten the story: set your BPX to break somewhere in the code and
then make a dump of the memory.
Scroll up and down over a wide range and very soon you will see
something in the Memory Window (NOT in the Code Window) which looks
like clear Basic source code. Obviously the source code is saved as
tokens, like in VB, because the EXE file does not show readable
instructions. But during runtime the source is extracted before being
executed by OBENGINE.DLL. So I call it a "Script Language".

In the above-mentioned sample we find in the memory dump:

    L# = Len(UserIn$)
    For I# =1 to L#
      Name#[I#]=Asc(Mid(UserIn$,I#,1))
    EndFor
    Reg# = 0
    For I# = 1 to L#
      Reg# = Reg# + (Name#[I#]*I#)
    End For
    Reg# = Reg# + (SqRoot(Reg#)*SqRoot(Reg#))
    Reg$ = Oct(Reg#)

As simple as any Basic. UserIn$ seems to be the name entered and Reg$
to be the RegCode. Let's try "Pepper" as the name and calculate the
RegCode: 10636 - Bingo! A KeyGen now takes a few minutes.

So what we learn is: if we have some unknown language using a DLL, it's
worth making a memory dump during runtime...

BTW: looking for the KeyGen? It's out there as PC_SS32.ZIP

by Pepper [PC] November 97