
REVERSE CODING
------------------------------------------------------------
# Released by Cybnet Security Group
# legalz: modify and use at will. If you make any changes, improvements, updates or use the code in another project, please send us what you did and give credit. If you have any questions, post them at forum.hackerthreads.net. Be sure to check out hackerthreads.org for updates and new tutorials/downloads.
Copyrights reserved to k33t, 2002, from CYBNET Security Group
------------------------------------------------------------

Index:
------
1. Introduction
2. Disclaimer
3. Hexadecimal
4. RAM and ROM
5. ASM
6. Needed programs
7. Cracking
8. Conclusion

------------------------------------------------------------
Introduction
------------------------------------------------------------

Welcome to my Reverse Coding tutorial! In this paper, you will learn how to crack and modify your own software. I'll try to get into as much detail as possible, yet also dumb it down a bit. =)

------------------------------------------------------------
Disclaimer
------------------------------------------------------------

All information is purely for educational purposes only! The author cannot be held responsible for any (ab)use of this information. USE AT YOUR OWN RISK!!!

------------------------------------------------------------
Hexadecimal
------------------------------------------------------------

To begin, I'm going to teach you about hexadecimal, so if you already know it, then move on. Even if you do already know it, I suggest sticking around for a refreshment of your memory. =)

Hexadecimal, or hex as it's more commonly known, is a base 16 numbering system. Base 16 means that it consists of 16 numbers: 0-9 and A-F. Each of these numbers (A-F=10-16) has a value of 4 bits and is also called a nibble. In representing a hexadecimal number, one would write a "0x" before the actual bit set. 0x is simply a tag put before a hex number to let programmers know that it is in fact hex. When writing hex, you will not need to use this prefix. If you haven't already noticed, the 0x prefix looks similar to that of exponential notation. Actually this is where 0x has been derived from, seeing as how hex is simply a number that has been raised to a power of 16. This means 10 in hexadecimal represents the value 16+0, or 16. So check out this example:

0xB3 (hex) = 2*16(squared) + 11*16(to the 1st power) + 3*16(to the power of 0) = 2*256 + 11*16 + 3 = 691 (decimal)

Yeah, you could do all of that, or you could be lazy and use an automated program that does it all for you.

Why do you need to know hex? Because it's used by every piece of software and hardware. How? Memory based address allocation. Here's an example: when you clicked on your browser's icon to launch it, the click triggered a "call" (an asm function that will be discussed more in depth in later chapters) which went back to the program's memory with the "click in its hand." It finds the address where the code is that makes the program launch and executes it. The address is written in, you guessed it, hex. An example of an address would be something like this: 101c5018: 5018 would be the actual specific address and 101c would be the sector of RAM where the address is located.

Those are the basics of hexadecimal. You should probably read this chapter again because getting a firm grasp on hex is essential to cracking and modding programs.

------------------------------------------------------------
RAM and ROM
------------------------------------------------------------

In this section we are gonna learn about RAM and ROM. Many people know about the hardware part of RAM and ROM and that's gonna be very useful to you...... just not in this tutorial. =) We are about to learn about the "software" side. I use the term software loosely in that software tends to have a GUI (Graphical User Interface) and this does not. BUT, there are ways to access and modify the behavior of it that I will talk about in this chapter, as well as in the next.

To start off, I'll answer some common questions:

What is RAM? RAM (Random Access Memory) is basically memory and the process of accessing it. The term "Random Access Memory" was appropriately given to this memory unit because when executing a command, the CPU doesn't have to scroll through all the memory on your PC until it finds the right address. It "randomly" whips out the addy from its back pocket and serves it up. This process is both quick and efficient. Learning this process will help you understand the ASM functions in the next chapter.

How does RAM work? When a command is issued and the memory is pulled from file, it must first go through what is called a "vector". A vector is a "gateway" or a "sector" of RAM where the address of the function is stored with others of its own kind. An example of a vector would be something like this: 8c0000b4-8c00ffff. This means that all "addressii" (hehe) that are between those values are stored in that sector of RAM. A vector acts as a gateway in that you first pass through a vector to get to the address. Your average program probably has about 30 to 40 main vectors, sectioning off from boot until exit. Knowing the vector of an addy or a function will greatly reduce your headache when you start searching for it.

ROM is a part of memory that doesn't change. (Although we can change it. =) ) Boot ROM, for instance, follows the same plan of action whenever it is called upon. ROM also has vectors, just like RAM. ROM is not that important when it comes to cracking, so we will leave it alone for now.

Back to RAM. Believe it or not, addressii (there I go again, I'm such a g33k) actually follow certain formats or syntaxes for certain functions. Take hot keys for example: in the underground, we call them "Joker commands". By pressing a certain combination of keys, a program will run, close, be stupid, whatever. The syntax for a Joker command is as follows:

0d0aaaaaf 000zvvvv

Let's examine this format a little closer.

0d    = The proclamation of a specified format
aaaaa = The address of the function
f     = The float or remainder; "Floating point number"; decimal
000   = "NOP", no operation
z     = The "Boolean", as we C++ programmers call it. A boolean is an "IF, THEN" statement: "IF this is true, THEN do this." Value 0 = equal; 1 = different; 2 = less than; 3 = greater than.
vvvv  = The combination of hex values (the values of the keys pressed) used to execute the "CALL". Say the "A" key had a value of fffb and the "B" key has a value of fffd. You would then add both values using a hex calculator and get fff9 as the sum. The output on your calculator would show 1fff8. Add the first value and the last value to find the fourth byte segment.

So say we've found the address of the Joker function (usually in the boot ROM sector), commonly called the "Maple address", and we are ready to program in some hex code. Our code may look like this:

0d7ae671 0000fff9

This means that IF the value of fff9 (A and B) is equal (0) to the address (aaaaf) of the function, THEN execute it. See? Easy isn't it? You'll need to know things like this when modding programs as a way of executing your arbitrary code in certain parts of your program at a certain time. Joker commands are also reversible in that you enter the same code except with a 1, 2, or 3 in the z slot and change the button combination. Reversible meaning terminating the function or other functions that were started. A good use for this is for firewalls and babysitting programs. Are you on a college machine and can't download stuff because of that pesky firewall? Crack it open and program in some Joker commands so you can turn it on and off at will WITHOUT the administrator's password!

------------------------------------------------------------
ASM
------------------------------------------------------------

To start off with our small and to the point ASM section, I'll warn you in advance: after reading this, you'll need to go take a shower cause this is disgusting! Here we go! To begin, I'm gonna define for you some functions that you'll be seeing a lot of, and be using. Here they are:

.:Hex:.    .:ASM:.   .:MEANING:.
75,0f85    jne       jump if not equal
74,0f84    je        jump if equal
eb         jmp       jump directly to
90         nop       no operation
77,0f87    ja        jump if above
0f86       jna       jump if not above
0f83       jae       jump if above or equal to
0f82       jnae      jump if not above or equal
0f82       jb        jump if below
0f83       jnb       jump if not below
0f86       jbe       jump if below or equal
0f87       jnbe      jump if not below or equal
0f8f       jg        jump if greater
0f8e       jng       jump if not greater
0f8d       jge       jump if greater or equal
0f8c       jnge      jump if not greater or equal
0f8c       jl        jump if less
0f8d       jnl       jump if not less
0f8e       jle       jump if less or equal
0f8f       jnle      jump if not less or equal

The easy thing about most of the functions in ASM is that they sound like what they mean. Jump means, of course, to jump from one thing to another. Example: "jmp 00401744" would mean to jump directly to the address 00401744 once the code hits the function.

Let's look at "CALL". Call is a function that is used to "call" a certain task, string, address, whatever. Take a look at this example: "Call 0040ccc2" would, of course, call the address 0040ccc2 and use it. Those are the functions you'll be using. The reason why I'm not going into loads of detail in this chapter is because when cracking software, not an extensive amount of knowledge of ASM is needed. If you want to know more or need help with something, e-mail me at the address provided at the end of this tutorial. This chapter wasn't so nasty, was it? Nah, it was easy. =)

------------------------------------------------------------
Needed Programs
------------------------------------------------------------

The programs you will need are as follows:

WDasm 8.9 or higher
Hiew 6.1
SoftICE for win9x v3.24
SubmitWolf (demo) v4.01 (http://www.trellian.com/swolf)
Programming language (C, C++, Pascal, ASM, whatever you would like). Preferably C for this tutorial!
And a brain (no seriously)

------------------------------------------------------------
Cracking
------------------------------------------------------------

Ok, here we go! The first thing you need to do is to open up SoftICE and then swolf32.exe, which is the name given to our target program. Go to the help menu and select register. Here's where your brain will come in: start to look for how the protection is running by entering some random crap into the blank space. Don't press the OK button yet though. Instead, press CTRL-D to bring up SoftICE. What we are gonna try to do is define a breakpoint, using BPX hmemcpy. Hit CTRL-D again and it will bring you back to the program. Click OK on the box and SoftICE will again pop up. Now press F12 and it will bring you to the target program code. Scroll down a few lines and find:

:004167D9 8D4C2410       lea ecx, dword ptr [esp+10]       ;ecx=the random crap you typed in
:004167DD 8D942490000000 lea edx, dword ptr [esp+00000090] ;edx=name
:004167E4 51             push ecx
:004167E5 52             push edx
:004167E6 E8B5450100     call 0042ADA0                     ;this is the call which calculates the serial
:004167EB 83C410         add esp, 00000010
:004167EE 85C0           test eax, eax                     ;and returns eax=1 if true (boolean =) )
:004167F0 0F8596000000   jne 0041688C                      ;jump to registered
:004167F6 8D442408       lea eax, dword ptr [esp+08]
:004167FA 8D8C2488000000 lea ecx, dword ptr [esp+00000088]
:00416801 50             push eax
:00416802 51             push ecx
:00416803 E868470100     call 0042AF70                     ;this call tests our serial
:00416808 83C408         add esp, 00000008                 ;for v3.XX one
:0041680B 85C0           test eax, eax
:0041680D 7433           je 00416842                       ;jump if equal
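The decoder below is an added example; it is not code from this tutorial or from k33t/CYBNET. It takes the encodings from the ASM table (short conditional jumps 70-7f, their 0f-prefixed near forms, eb, 90 and e8) and recomputes each branch target the way a disassembler does, as the address of the next instruction plus the signed displacement, which is the check to run on a hand-transcribed listing before trusting its targets. The listing lines embedded in it are transcribed from the two W32Dasm listings on this page; hex_terms carries the Hexadecimal chapter's positional expansion (2*256 + 11*16 + 3 = 691 is the expansion of the digits 2, B, 3, i.e. 0x2B3). It assumes 32-bit x86 code and that the address column is the instruction's own address.

```python
"""Added example: decode the jump/call/nop encodings from the ASM table and
recompute the branch targets printed in the W32Dasm listings.
Assumes 32-bit x86; the LISTING lines below are transcribed from this page."""
from typing import List, Optional, Tuple

# Short conditional jumps are 70..7F followed by a signed 8-bit displacement.
# The near form is 0F 80..8F with a signed 32-bit displacement; the low
# nibble names the same condition, e.g. 74 and 0F84 are both je.
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def hex_terms(text: str) -> List[Tuple[int, int]]:
    """Positional expansion of a hex string, with or without the 0x tag:
    '2B3' -> [(2, 256), (11, 16), (3, 1)], i.e. 2*16^2 + 11*16^1 + 3*16^0."""
    digits = text.lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    values = [int(ch, 16) for ch in digits]
    powers = range(len(values) - 1, -1, -1)
    return [(value, 16 ** power) for value, power in zip(values, powers)]


def hex_to_int(text: str) -> int:
    """Sum of the expansion: hex_to_int('0x2B3') == 691."""
    return sum(value * weight for value, weight in hex_terms(text))


def decode(addr: int, hexbytes: str) -> Tuple[str, Optional[int], int]:
    """Decode one jump/call/nop located at addr.

    Returns (mnemonic, target, length). The target is the address of the
    *next* instruction plus the signed displacement, wrapped to 32 bits.
    """
    b = bytes.fromhex(hexbytes)
    op = b[0]
    if op == 0x90:
        return ("nop", None, 1)
    if op == 0xEB:                                  # jmp short rel8
        rel = int.from_bytes(b[1:2], "little", signed=True)
        return ("jmp", (addr + 2 + rel) & 0xFFFFFFFF, 2)
    if 0x70 <= op <= 0x7F:                          # jcc short rel8
        rel = int.from_bytes(b[1:2], "little", signed=True)
        return (JCC[op - 0x70], (addr + 2 + rel) & 0xFFFFFFFF, 2)
    if op == 0xE8:                                  # call rel32
        rel = int.from_bytes(b[1:5], "little", signed=True)
        return ("call", (addr + 5 + rel) & 0xFFFFFFFF, 5)
    if op == 0x0F and 0x80 <= b[1] <= 0x8F:         # jcc near rel32
        rel = int.from_bytes(b[2:6], "little", signed=True)
        return (JCC[b[1] - 0x80], (addr + 6 + rel) & 0xFFFFFFFF, 6)
    raise ValueError(f"not a jump/call/nop at {addr:08X}: {hexbytes}")


# (address, opcode bytes, target as printed by W32Dasm), transcribed from
# the two listings on this page.
LISTING = [
    (0x004167E6, "E8B5450100",   0x0042ADA0),
    (0x004167F0, "0F8596000000", 0x0041688C),
    (0x00416803, "E868470100",   0x0042AF70),
    (0x0041680D, "7433",         0x00416842),
    (0x0042ADAC, "0F84A7010000", 0x0042AF59),
    (0x0042ADB8, "0F849B010000", 0x0042AF59),
    (0x0042ADC2, "0F8587010000", 0x0042AF4F),
    (0x0042ADCC, "750C",         0x0042ADDA),
    (0x0042ADD8, "EB1C",         0x0042ADF6),
]


def verify_listing(listing=LISTING) -> List[Tuple[int, int, int]]:
    """Recompute every target from its bytes and return the lines whose
    printed target disagrees, as (address, computed, printed).
    An empty list means the transcription is self-consistent."""
    bad = []
    for addr, hexbytes, printed in listing:
        _, target, _ = decode(addr, hexbytes)
        if target != printed:
            bad.append((addr, target, printed))
    return bad


if __name__ == "__main__":
    for addr, hexbytes, printed in LISTING:
        mnem, target, length = decode(addr, hexbytes)
        print(f":{addr:08X} {hexbytes:<14} {mnem} {target:08X}"
              f" (len {length}, printed {printed:08X})")
    print("mismatches:", verify_listing())
```

Note that the displacement is relative to the end of the instruction, not its start: the 6-byte jne at 004167F0 adds 0x96 to 004167F6, and the 2-byte je at 0041680D adds 0x33 to 0041680F, which is why the listing's own targets come out of the bytes exactly.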

The call that we want to focus on is at 004167E6. This call tests whether our serial is for the correct version or not. Let's trace the call 0042ADA0:

* Referenced by a CALL at address: :0042ABF9

:0042ADA0 83EC30               sub esp, 00000030
:0042ADA3 55                   push ebp
:0042ADA4 56                   push esi
:0042ADA5 57                   push edi
:0042ADA6 8B7C2444             mov edi, dword ptr [esp+44]         ;edi=our fake serial
:0042ADAA 85FF                 test edi, edi
:0042ADAC 0F84A7010000         je 0042AF59                         ;die if empty
:0042ADB2 8B6C2440             mov ebp, dword ptr [esp+40]         ;ebp=our name
:0042ADB6 85ED                 test ebp, ebp
:0042ADB8 0F849B010000         je 0042AF59                         ;die if empty
:0042ADBE 8A07                 mov al, byte ptr [edi]              ;compare 1st byte of serial with 'P', die
:0042ADC0 3C50                 cmp al, 50
:0042ADC2 0F8587010000         jne 0042AF4F                        ;if not equal
:0042ADC8 807F0134             cmp byte ptr [edi+01], 34           ;compare 2nd byte of serial with '4'
:0042ADCC 750C                 jne 0042ADDA
:0042ADCE C70500C8430000000000 mov dword ptr [0043C800], 00000000
:0042ADD8 EB1C                 jmp 0042ADF6

As we can see by the above, the code tells us that the first value of our serial will be 'P' and then a cycle of a four byte algorithm. I could go on and on about all of the internals of all this stuff but that would be going beyond the scope of this tutorial. The idea was to show how to crack this prog, and that's what I'm going to do. Based on the information I've given you, and the information that you can deduce from reading the code, I've written a small key generator in C. If you know C, then you'll be able to tell where I got the algorithms to write it. So here it is:

#include<stdio.h>
#include<conio.h>
int main(void)
{
long code=555583,count1,count2;
char name[25],cod[5],type='0';
clrscr();
textcolor(14);
printf("This is a simple key-generator written by k33t of CYBNET Security Group");
printf("=================================================");
textcolor(10);
printf("SubmitWolf(demo)ver4.1 cracked by k33t");
textcolor(14);
printf("%c%c%c",0x10,0x10,0x10);
textcolor(12);
printf("Yup");
printf("-November 2002");
printf("\n\nSelect Edition PRO(0) or Enterprise(1) (0/1)=");
scanf("%c",&type);
if(type=='1')code=557283;            /* Enterprise edition uses a different seed */
getchar();
printf("Enter Registration Name=");
scanf("%[^\n]",name);
for(count1=0;count1<=3;count1++)     /* step 2: take the first four characters of the name */
 cod[count1]=name[count1];
for(count1=1;count1<=3;count1++){    /* and multiply them with the seed, two digits at a time */
 for(count2=0;count2<=3;count2++)
  cod[count2]=cod[count2]*(code%100);
 code=code/100;
}
for(count1=0;name[count1]>0;count1++);   /* walk to the end of the name */
for(count2=0;count2<=3;count2++)     /* step 3: XOR the four bytes */
 cod[count2]=cod[count2]^(name[count1]+3);
for(count1=3;count1>=0;count1--){    /* pack the four bytes into one number */
 code=code+(cod[count1]&0xFF);
 if(count1>0) code=code*0x100;
}
if(code<0)code=-code;                /* step 4 */
for(;code<10000;) code=code*10;      /* step 5 */
for(;code>999999;) code=code/10;
printf("Your Serial Number=P%c40%ld",(type=='1')? 'E':'4',code);   /* step 1 */
return 0;
}

Ok! So! An overall conclusion of this code is:
1. First two characters of the serial must be either 'PE' or 'P4'.
2. Multiply each of the first four characters of our name with every byte of our serial before '0'.
3. XOR every four bytes with every byte of our name.
4. Convert to a positive number if < 0.
5. Convert to a number between 10000 and 1000000.

Forgive me if this code is buggy as I wrote it very quickly in the little spare time I had.

------------------------------------------------------------
Conclusion
------------------------------------------------------------

Well, how was your first cracking experience? Not bad, eh? Ok, well if you have any questions, problems, comments, .....criticisms....... you can e-mail them to me at:

k33t@hushmail.com
------------------------------
