Cracking "FileSync v 2.12"

Date         : August 1, 1999
Author       : +ViPeR+ [E]bola [V]irus [C]rew
Program Name : FileSync v 2.12
Location     : http://www.fileware.com
Method       : HEX COMPARE

-------------------------------------------------------------------------------

In this tutorial, I list only the information you need to track down the real
registration number.

Breakpoint to set in Soft-Ice: getwindowtexta

After filling in the information and setting the breakpoint in Soft-Ice, click
the 'ok' button. In Soft-Ice, 'X enter' one time. 'F11' one time to get back to
the FileSync process. 'F10' thousands of times until you reach 0041C87F.

(During this long 'F10', you will go into the kernel process again. In this
case, just 'F12' until you are out of it. Also, as far as I can recall, during
this long 'F10' action, the program compares your fake code with something and
makes you think you are in the checking routine. Well, it is not. The real
checking routine is shown below. Read on.)

:
:
:0041C87F 52                push edx
:0041C880 50                push eax

EDX contains the fake number we entered in hex form (EDX=03404C2E).
EAX points to the name we entered (evc_viper).

:0041C881 C68424E000000002  mov byte ptr [esp+000000E0], 02
:0041C889 E8BE4BFEFF        call 0040144C        ; <-- call we need to trace in
:0041C88E 83C408            add esp, 00000008
:0041C891 85C0              test eax, eax
:0041C893 0F8489000000      je 0041C922

We need to trace into the 'call 0040144C'. So, 'F8' on that line.

:0040144C E9EF200200        jmp 00423540

This block of code is short. Basically, at 00423545, the call generates the
real code and puts it in EAX (in hex format). Then, it compares the fake code
with the real one.

:00423540 8B442404          mov eax, dword ptr [esp+04]
:00423544 50                push eax
:00423545 E830DEFDFF        call 0040137A        ; <-- code generating routine
:0042354A 8B4C240C          mov ecx, dword ptr [esp+0C]
:0042354E 83C404            add esp, 00000004
:00423551 85C9              test ecx, ecx
:00423553 760A              jbe 0042355F
:00423555 33D2              xor edx, edx
:00423557 3BC1              cmp eax, ecx         ; EAX contains real code
                                                 ; ECX contains fake code

Hence, to see the decimal format of the correct code, type '? eax'. In my
case, it shows me '31061196'.

:00423559 0F94C2            sete dl
:0042355C 8BC2              mov eax, edx
:0042355E C3                ret

Therefore, in order to register this program, enter the following info.

Name  : evc_viper
Number: 31061196

No "Thanks for registering" screen pops up. But if you click the "about..."
menu item again, you will see that it says "Registered to evc_viper". Done.

I list the code that generates the real code below, in case you are
interested in writing a key generator for this program.

>>>>> Call 0040137A >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

:0040137A E971230200        jmp 004236F0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040137A(U)
|
:004236F0 51                push ecx
:004236F1 8B442408          mov eax, dword ptr [esp+08]
:004236F5 53                push ebx
:004236F6 56                push esi
:004236F7 57                push edi
:004236F8 8B18              mov ebx, dword ptr [eax]
:004236FA 33FF              xor edi, edi
:004236FC 897C240C          mov dword ptr [esp+0C], edi
:00423700 8B73F8            mov esi, dword ptr [ebx-08]
:00423703 83FE04            cmp esi, 00000004
:00423706 7E33              jle 0042373B
:00423708 3BF7              cmp esi, edi
:0042370A 7E2F              jle 0042373B
:0042370C 55                push ebp
:0042370D 8D14B6            lea edx, dword ptr [esi+4*esi]  <--------
:00423710 33C9              xor ecx, ecx                            |
:00423712 8D1492            lea edx, dword ptr [edx+4*edx]          |
:00423715 C1E202            shl edx, 02                             |
:00423718 0FBE2C19          movsx ebp, byte ptr [ecx+ebx]   <---    |
:0042371C 8BC2              mov eax, edx                       |    |
:0042371E 2BC1              sub eax, ecx                       |    |
:00423720 0FAFC5            imul eax, ebp                      |    |
:00423723 0FAFC7            imul eax, edi                      |    |
:00423726 8B6C2410          mov ebp, dword ptr [esp+10]        |    |
:0042372A 03E8              add ebp, eax                       |    |
:0042372C 41                inc ecx                            |    |
:0042372D 3BCE              cmp ecx, esi                       |    |
:0042372F 896C2410          mov dword ptr [esp+10], ebp        |    |
:00423733 7CE3              jl 00423718                     <---    |
:00423735 47                inc edi                                 |
:00423736 3BFE              cmp edi, esi                            |
:00423738 7CD3              jl 0042370D                     <--------
:0042373A 5D                pop ebp
:0042373B 8B44240C          mov eax, dword ptr [esp+0C]
:0042373F 5F                pop edi
:00423740 5E                pop esi
:00423741 5B                pop ebx
:00423742 59                pop ecx
:00423743 C3                ret

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Final Note: none.

Ob Duh

Do I really have to remind you all that buying and NOT stealing the software
you use will ensure that these software houses will continue to produce even
*better* software for us to use and, more importantly, continue offering even
more challenges to breaking their often weak protection systems.

+ViPeR+ [E]bola [V]irus [C]rew
August 1, 1999
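
The number is recoverable at 00423557 because the program derives the valid code itself and then compares it with the input. The following is an added example, not part of the original tutorial and not FileSync's code: it contrasts that derive-then-compare pattern with a verify-only check that ships just a public key. The toy key, all function names and stand_in_derive are constructed for illustration.

```python
import hashlib

# Constructed toy key: two Mersenne primes. Far too small for real use;
# a product would use a vetted library and a standard signature scheme.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public half, shipped in the client
_D = pow(E, -1, (P - 1) * (Q - 1))     # private half, stays with the vendor


def digest(name: str) -> int:
    """Hash the registration name to an integer below N."""
    h = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(h, "big") % N


def vendor_issue(name: str) -> int:
    """Vendor side only: sign the name with the private exponent."""
    return pow(digest(name), _D, N)


def stand_in_derive(name: str) -> int:
    """Hypothetical derivation, NOT FileSync's: any name -> code function."""
    return sum(name.encode("utf-8")) * 1000003 % 10**8


def weak_operands(name: str, entered: int) -> tuple:
    """Derive-then-compare: one operand is the valid code itself."""
    return stand_in_derive(name), entered


def signed_operands(name: str, entered: int) -> tuple:
    """Verify-only: both operands are computed from what the user typed."""
    return pow(entered % N, E, N), digest(name)


def weak_check(name: str, entered: int) -> bool:
    expected, got = weak_operands(name, entered)
    return expected == got


def signed_check(name: str, entered: int) -> bool:
    recovered, wanted = signed_operands(name, entered)
    return 0 < entered < N and recovered == wanted
```

With the verify-only form, a wrong guess never causes the valid license value to appear as a comparison operand; the final branch itself is still something integrity checks have to protect.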