Difference between revisions of "Example 2b"

From SkullSecurity

Revision as of 17:52, 17 November 2008

This page is under construction. USE AT YOUR OWN RISK!

This is the third (and, basically, final) part of the Starcraft CDKey Decode. I'm going to present the code and the final answer, but not the interim steps. This may cover things we haven't talked about (like a function call and local variables, for example).

As usual, esi is a pointer to the cdkey.

    mov     ebp, 13AC9741h
    mov     ebx, 0Bh

top:
    movsx   eax, byte ptr [ebx+esi]
    push    eax             ; Parameter to toupper()
    call    _toupper        ; Call toupper()
    add     esp, 4          ; Fix the stack (don't worry about this)
    cmp     al, 37h
    mov     byte ptr [ebx+esi], al
    jg      short body1
    mov     ecx, ebp
    mov     dl, cl
    and     dl, 7
    xor     dl, al
    shr     ecx, 3
    mov     byte ptr [ebx+esi], dl
    mov     ebp, ecx
    jmp     short body2

body1:
    cmp     al, 41h
    jge     short body2
    mov     cl, bl
    and     cl, 1
    xor     cl, al
    mov     byte ptr [ebx+esi], cl

body2:
    dec     ebx
    jns     short top


Finished Code

Here is the resulting code, in Java:

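    /** Gets the final CDKey values. */
    protected void getFinalValue()
    {
        int hashKey = 0x13AC9741;               // mov ebp, 13AC9741h

        byte[] key = cdkey.getBytes();

        // Start at index 0Bh (length - 2); the last character is never touched.
        for (int i = (cdkey.length() - 2); i >= 0; i--)
        {
            if (key[i] <= '7')
            {
                // XOR with the low three bits of the hash, then shift them out.
                key[i] ^= (byte) (hashKey & 7);
                hashKey = hashKey >>> 3;
            }
            else if (key[i] < 'A')
            {
                // '8', '9' and anything else below 'A': XOR with the low bit of the index.
                key[i] ^= (byte) (i & 1);
            }
        }

        // Write the result back (assumes cdkey is a non-final String field);
        // without this the transformed bytes are discarded.
        cdkey = new String(key);
    }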

This will produce a new numeric string, sub-strings of which are sent to Battle.net as integers (the first two characters are the product, the next 7 are "Val1", and the next three are "Val2").

I'm afraid I don't have any sample values for this one.
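
The same loop in C, including the toupper() call from the assembly and the split into product, "Val1" and "Val2" described above. This is an added example, not code from the original page: `KEY_LEN`, `key_fields`, `final_pass`, `field` and `split_fields` are hypothetical names, and the input is a constructed digit string, not a real key. It also shows that on all-digit input the pass is its own inverse, because the XOR never moves a digit across the `'7'` boundary.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 13  /* assumption: 13 characters, since the loop starts at index 0Bh */

struct key_fields { long product, val1, val2; };  /* hypothetical container */

/* Mirrors the assembly: indices 0Bh down to 0, last character untouched. */
static void final_pass(char *key)
{
    unsigned int hash = 0x13AC9741u;
    for (int i = KEY_LEN - 2; i >= 0; i--) {
        unsigned char c = (unsigned char)toupper((unsigned char)key[i]);
        if (c <= '7') {                    /* cmp al, 37h / jg body1 */
            c ^= (unsigned char)(hash & 7);
            hash >>= 3;                    /* consume three bits of the constant */
        } else if (c < 'A') {              /* cmp al, 41h / jge body2 */
            c ^= (unsigned char)(i & 1);
        }
        key[i] = (char)c;                  /* the uppercased byte is always stored */
    }
}

/* Parse len decimal characters starting at offset off. */
static long field(const char *s, size_t off, size_t len)
{
    char buf[16];
    memcpy(buf, s + off, len);
    buf[len] = '\0';
    return strtol(buf, NULL, 10);
}

/* First two characters: product; next 7: Val1; next three: Val2. */
static struct key_fields split_fields(const char *key)
{
    struct key_fields f = { field(key, 0, 2), field(key, 2, 7), field(key, 9, 3) };
    return f;
}

int main(void)
{
    char key[KEY_LEN + 1] = "1234567890123";  /* constructed input */
    final_pass(key);
    struct key_fields f = split_fields(key);
    printf("%s product=%ld val1=%ld val2=%ld\n", key, f.product, f.val1, f.val2);
    final_pass(key);                          /* second pass restores the input */
    printf("%s\n", key);
    return 0;
}
```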