Part 1 - How To Make A Key Generator Using W32Dasm
Step One
Once you have installed Particle Fire, open your screensaver settings in the Windows Display Properties dialog. Select the Particle Fire screensaver and hit
the Settings... button. The Particle Fire settings dialog should appear. At the bottom of this dialog there is an edit box labeled Serial #: with a 0
in it. Obviously this is where the serial number will eventually go. The first thing I would do is open Microsoft Spy++ or eXeScope and find the
dialog item ID number of that edit box. (Look up GetDlgItem() on MSDN to understand what a dialog item ID is.)
1 of 4 4/8/2011 2:36 PM
Part 1 - How to Make a Key Generator Using W32Dasm http://www.mouseindustries.com/tuts/w32dasm_tut1/part_01.htm
OK, now we know that the ID of the dialog item is 0x000003F0 (or 1008 in decimal).
Now since we are all Windows gurus here, we know that in order to read a value or text from a dialog control we have to use one of the following
Win32 API calls:
GetWindowText()
GetDlgItemText()
GetDlgItem()
GetDlgItemInt()
I am going to assume (since there is a ZERO already in the box) that he used SetDlgItemInt(). So I will also assume that he is going to use
GetDlgItemInt() to get the value. Don't feel like assuming? No problem, I'll do it the long way to cover all the bases.
First, let's open up the Particle Fire screen saver in W32Dasm. Once it finishes disassembling, there is a menu item named Functions and a
submenu called Imports. Click it. (For us impatient ones who hate the mouse, use ALT+F+I) These are all the API functions that this program
imports from system DLLs.
Now what we are looking for are GetWindowText(), GetDlgItemText(), GetDlgItem() or GetDlgItemInt(). All four are exported by USER32.DLL (if you
don't know this, just scroll down the import list until you find the USER32 exports by name). Let's try to find GetWindowText() first. Can't find it?
Me either... so this means he is not using it. Knowing he isn't using GetWindowText(), we can also scratch GetDlgItem() off our list of target
functions: GetDlgItem() only returns the control's HWND, and the author would still need GetWindowText() on that handle to read the text or value.
(Strictly speaking, a program can also read a control by sending it WM_GETTEXT with SendMessage(), so in general a missing GetWindowText() import
does not rule GetDlgItem() out by itself; it just makes it unlikely here, and the remaining imports settle the question.) Confused? Just go to
microsoft.com and search GetDlgItem() and read up on it.
Ok, so let's move on to GetDlgItemText(). Can you find it on the list of imports? Nope! Ok, that leaves one final call... GetDlgItemInt(). Find
this call in the list. It should be listed as USER32.GetDlgItemInt. See the picture below.
Once you have found it in the list, double-click on it. The first reference W32Dasm should take us to will look like this:
Ok, with a basic understanding of how the stack works, we can tell from the code above that it is "pushing" 4 values onto the stack before the call to
GetDlgItemInt(). What are these 4 values? Let's look at how the API is defined, UINT GetDlgItemInt(HWND hDlg, int nIDDlgItem, BOOL *lpTranslated,
BOOL bSigned):
hDlg - Handle to the dialog box that contains the control of interest.
nIDDlgItem - Identifier of the control whose text is to be translated (this is the dialog item ID we found with Spy++).
lpTranslated - Pointer to a variable that receives a success or failure value (TRUE indicates success, FALSE indicates failure). If this
parameter is NULL, the function returns no information about success or failure.
bSigned - Specifies whether the function should examine the text for a minus sign at the beginning and return a signed integer value if it
finds one (TRUE specifies this should be done, FALSE that it should not).
Now, with knowing all this basic information, let's look at the above code from a different view:
See how that works? Pretty simple. Win32 API functions use the stdcall convention, so the arguments are pushed right to left: the last parameter
(bSigned) goes on first and the first parameter (hDlg) goes on last. With this in mind, we know that this particular call will not help us. Why?
Because we are looking for the control ID 0x000003F0, and as you can see here, it is pushing 0x000003EA (1002 in decimal) as the nIDDlgItem
argument. This isn't the ID we are looking for! But that was a good review on what to expect next, right?
Let's continue on by going back to our Import list and double clicking on the same item again. Keep double clicking until you come to this
address 0x00001948. It should look like this:
This may be a tad confusing... Basically the author of this program is calling GetDlgItemInt() twice. Let me show you in pseudo code:
He is calling it twice... for what reason? I have no idea; the author is more of an artist than a Windows programmer, I guess :)
Ok, we know that GetDlgItemInt() returns the value inside of the edit box as a number. But where does that number go? Under the Win32 calling
conventions, a routine that returns a value (i.e. a function) leaves that value in EAX when it returns. (One caveat worth remembering: GetDlgItemInt()
also returns 0 when the text could not be translated, which is the whole reason lpTranslated exists.)
Take a look at code line :00402565. There we see EAX being moved into a global (static) memory location! So now we know that the serial number
is stored as a DWORD at address 0x00412114!
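The call-site analysis above, turned into a script. This is an added example, not code from the tutorial and not bytes from Particle Fire: it decodes a constructed x86-32 sequence that imitates the two GetDlgItemInt() call sites walked through above (the 0x3EA one and the 0x3F0 one), recovers each call's arguments in declared order by reversing the right-to-left push order, picks out the call whose nIDDlgItem is 0x3F0, and records the mov [addr], eax that follows it, i.e. where the serial lands. The image base, the IAT slot address 0x0040B0C0 and the code bytes are constructed for the example; the parameter names come from the API definition and the store address 0x00412114 from the text.

```python
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# GetDlgItemInt(HWND hDlg, int nIDDlgItem, BOOL *lpTranslated, BOOL bSigned),
# left to right as declared on MSDN.
GETDLGITEMINT_PARAMS = ["hDlg", "nIDDlgItem", "lpTranslated", "bSigned"]

# Constructed IAT: slot address -> imported name. In a real target this comes
# from the PE import table (what W32Dasm lists under Functions > Imports).
SAMPLE_IAT = {0x0040B0C0: "USER32.GetDlgItemInt"}
SAMPLE_BASE = 0x00401000  # constructed load address of the snippet

# Constructed machine code imitating the two call sites in the tutorial.
SAMPLE_CODE = bytes.fromhex(
    "6A00"          # push 0                      ; bSigned = FALSE
    "6A00"          # push 0                      ; lpTranslated = NULL
    "68EA030000"    # push 0x3EA                  ; nIDDlgItem = 1002 (not our box)
    "56"            # push esi                    ; hDlg (held in a register)
    "FF15C0B04000"  # call dword ptr [0x0040B0C0] ; IAT slot of GetDlgItemInt
    "A310214100"    # mov [0x00412110], eax
    "6A00"          # push 0                      ; bSigned = FALSE
    "6A00"          # push 0                      ; lpTranslated = NULL
    "68F0030000"    # push 0x3F0                  ; nIDDlgItem = 1008, the Serial # box
    "56"            # push esi                    ; hDlg
    "FF15C0B04000"  # call dword ptr [0x0040B0C0]
    "A314214100"    # mov [0x00412114], eax       ; serial parked in a global DWORD
)


def decode_calls(code, base, iat):
    """Walk a flat x86-32 blob and recover the arguments of each call
    made through the IAT.  Only the encodings seen at typical Win32 call
    sites are handled (push imm8, push imm32, push r32, call [imm32] and
    mov [moffs32], eax); anything else raises so nobody trusts a guess."""
    calls = []
    pushes = []        # operands in push order: int for immediates, str for registers
    last_call = None   # call whose return value the very next instruction may store
    i = 0
    while i < len(code):
        va = base + i
        op = code[i]
        prev_call, last_call = last_call, None
        if op == 0x6A:                                  # push imm8 (sign-extended)
            pushes.append(struct.unpack_from("<b", code, i + 1)[0] & 0xFFFFFFFF)
            i += 2
        elif op == 0x68:                                # push imm32
            pushes.append(struct.unpack_from("<I", code, i + 1)[0])
            i += 5
        elif 0x50 <= op <= 0x57:                        # push r32
            pushes.append(REG32[op - 0x50])
            i += 1
        elif op == 0xFF and code[i + 1] == 0x15:        # call dword ptr [imm32]
            slot = struct.unpack_from("<I", code, i + 2)[0]
            # stdcall pushes right to left, so reversing the push order
            # yields the parameters in their declared order.
            last_call = {"va": va, "target": iat.get(slot, f"[{slot:#010x}]"),
                         "args": list(reversed(pushes)), "result_stored_at": None}
            calls.append(last_call)
            pushes = []
            i += 6
        elif op == 0xA3:                                # mov [moffs32], eax
            addr = struct.unpack_from("<I", code, i + 1)[0]
            if prev_call is not None:                   # EAX still holds the return value
                prev_call["result_stored_at"] = addr
            i += 5
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at {va:#010x}")
    return calls


def find_call_for_control(calls, func_name, control_id):
    """Return (call, named_args) for the call to func_name whose
    nIDDlgItem equals control_id, or (None, None)."""
    for call in calls:
        if call["target"] != func_name:
            continue
        named = dict(zip(GETDLGITEMINT_PARAMS, call["args"]))
        if named.get("nIDDlgItem") == control_id:
            return call, named
    return None, None


if __name__ == "__main__":
    found = decode_calls(SAMPLE_CODE, SAMPLE_BASE, SAMPLE_IAT)
    for c in found:
        print(f"{c['va']:#010x} call {c['target']} {dict(zip(GETDLGITEMINT_PARAMS, c['args']))}")
    hit, args = find_call_for_control(found, "USER32.GetDlgItemInt", 0x3F0)
    print(f"serial read at {hit['va']:#010x}, result stored to {hit['result_stored_at']:#010x}")
```

A real binary still needs a real disassembler (W32Dasm here; the same reasoning transfers to any tool's listing). The decoder deliberately refuses opcodes it does not know rather than skipping them, because a push through a memory operand that it silently mis-parsed would shift every recovered argument by one and point you at the wrong control.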