Yes, you can (most probably) consider this to be a fairly regular segment from this point on.
As I said before, I've always been partial to RCE, and I don't think I'll ever get sick of it. Today's installment is another tutorial that I felt shouldn't be published, because it shows how to solve an example reversing challenge for the IITAC online RCE academy, and I generally don't think it's a good move to show other people how to do this stuff when they can get certified for it. However, this is just a training example, so I think I'm safe.
The challenge consists of a few tasks:
- Removing a nag-screen
- Finding a hard-coded serial number
- Finding a valid name/serial combination
- Writing a key generator
You'll notice from the tutorial that the full source code is included, written in 32-bit ASM. Again, I would appreciate feedback on the quality from anyone who wishes to give it (that includes you, Alister) as I'm always looking to improve what I write.
You can grab it from here.
August 9, 2007
This is a really good tutorial, especially for beginners. You need a fairly good knowledge of basic asm though, in order to understand what's going on (without any, not even the - very useful - comments will help you).
Anyway, keep up the good work.
However, I think some of your code is … superfluous
In your keygen source you subclass the edit box to know when the user typed something. This is kind of redundant; besides, I don't know if this works if the user pastes his name from the clipboard.
Instead, you could easily change the source like this:
```asm
; .FINISH, .WMCLOSE, GenerateSerial, IDE_NAME and wParam are defined
; elsewhere in the keygen source; only the WM_COMMAND handler changes.
.WMCOMMAND:                 ; handle the command messages
        ; wParam packs the notification code in its high word and the
        ; control ID in its low word, so one compare checks both.
        ; Did the edit box content change?
        cmp     [wParam], EN_CHANGE shl 16 + IDE_NAME
        jne     .CHKBTNPRESSED
        call    GenerateSerial
        mov     EAX, 0          ; return FALSE
        jmp     .FINISH
.CHKBTNPRESSED:
        ; Did the user try to close the dialog?
        cmp     [wParam], BN_CLICKED shl 16 + IDCANCEL
        je      .WMCLOSE
        mov     EAX, 0          ; return FALSE
        jmp     .FINISH
```
You can remove the whole subclassing code then :>
Sorry for sounding like a wise-ass, just trying to give some feedback.
And another sorry for any grammar or spelling mistakes ;D
August 10, 2007
Many thanks for your comment! You don't have to apologise at all for anything you've said.
I appreciate feedback of all kinds, and nothing you have said is rude or derogatory!
I think that your comment is inconsistent though. Firstly you say that the source is 'superfluous' (that is, by definition: serving no useful purpose; having no excuse for being), which implies that there is code in the keygen that serves no purpose. I'm afraid I don't agree. Each bit of code serves the purpose that it was designed to serve.
I sub-class the edit control to catch keystrokes. This allows me to generate a key as the user is typing their name. The reason is so they don't have to take another step (of pressing a button) to generate the key; it's done for them automatically. Most people type their name rather than paste it. EN_CHANGE doesn't fire consistently across different versions of Windows, and hence isn't as portable as checking for WM_CHAR. Supporting copy/paste wasn't high on my priority list.
Bear in mind that there are always a million ways to skin a cat. This problem can be solved through a variety of methods. Just because one person uses another method which is perfectly viable, it doesn’t mean that their code is superfluous. Let’s not forget that there’s a chance that the coder is subclassing the edit box because he/she knows that they are going to do it anyway for another reason (such as custom drawing).
If this is the only 'bad' point that you've noticed, then I must be doing ok.
I’d also like to say that the source code for the keygen is there for those who feel like looking at it. The purpose of the tutorial was actually to focus on the reversing side more than the keygen side.
Thank you for your comment MooChonkee, I appreciate the feedback and the suggested code fix.
August 10, 2007
I didn't know EN_CHANGE works differently on different OSes. The subclassing makes sense then.
I normally use it in my key... er... programs and it always worked as expected (not really tested it on other OSes though). Subclassing is something I only do for 'ownerdrawn' edit boxes (which means responding to WM_CTLCOLOREDIT & WM_PAINT; it's not actually ownerdraw), as read-only edit boxes are handled like static controls internally -> if you change static control colors it will affect your read-only edit controls as well.
As for the word 'superfluous', I was unsure about whether to use it or not, I just looked it up in the dictionary =D
I guess redundant is more appropriate; I didn't want to use the word twice in one sentence and I thought they were more or less identical.
August 10, 2007
Yup, exactly my point. When there is further need to draw or make things behave differently to normal, that’s when subclassing is required. It’s also handy for writing control libraries, but that’s a whole different topic.
I am also aware of the behaviour of read-only text boxes, and that one of the few differences is that read-only text boxes still allow the text to be 'selected' (and hence copied).
Have you had a look at the other RCE tutorials (in particular the one on DirectX and Blowfish)? I’d appreciate some feedback there as well if you have time.
Thanks again for your comments.