
HOW TO BECOME A SERIAL KILLER
(A Hacker's Guide to Reverse Engineering Serial Number Algorithms)
                                                          =-BOOK-WORM->

If you've ever cracked an application before, you can understand the thrill of the quest, but if you've gone as far as figuring out how serial numbers can be generated, it puts you more into the mind frame of a secret agent, code breaking for the FBI. In some cases it truly presents some of the toughest puzzles you'll ever encounter (except for perhaps, the "Rubik's Cube"). There is only one quality that is a must-have here....DETERMINATION! I can not stress that enough. If you're not willing to put some time into it, stop reading right now! So the magic word for today folks is??? - DETERMINATION!!!

My intentions for writing this article are to provide steps and examples for those who already possess the following skills (in order):

* Knowledge in using 68k assembler (Ha! And you thought you'd never use it!)
* Basic algebra
* Bitwise operations (OR, AND, XOR, etc...)
* Determination (The magic word)
* Operating a Macintosh debugger (My favorites are: TMON, Jasik's, MacsBug. As long as you have a manual, you should be OK.)
* Doodling on paper (a printer, paper, pencils, etc...)

I refer to "sn" as the serial number, registration code, etc... throughout this text.

THE FOUR QUESTIONS
==================
1. Where is it?
2. What does it do?
3. How can it be reversed?
4. Do the generated numbers work?

Each of the four questions will need to be answered in each case. Let's explore each question in detail.

1. WHERE IS IT?
===============
Finding where this routine is can often be a challenge. Luckily, the _GetIText trap will solve this question for you more often than not. In most cases, each field in the dialog box will have a separate _GetIText issued to retrieve its contents.

Technique 1
-----------
(At this point you should be in the debugger.)
* Set a trap for _GetIText
* Exit the debugger
* Get to the application's registration screen
* Enter something in all non-sn fields
* Type "1234567890" into the sn field
* Press "OK" (or equivalent)
The following can be used in all these instances:
* When the trap fires, view the contents of the area pointed to by register A1.
* If it contains "1234567890", start single stepping from this point. If it does not, continue execution until it does, then single step the entire way.
(If this doesn't get you there, read further for other techniques.)

As you become more experienced, you'll learn time saving skills by identifying specific library routines like "pascal to C string" functions which you may simply jump over.

In more challenging situations where _GetIText is not used, you may need to trap _TEKey. If pressing the return key is permitted in lieu of the mouse click to accept the input, use Technique 2. If a mouse click is needed to accept the input, use Technique 3.

Technique 2
-----------
(At this point you should be in the debugger.)
* Set a trap for _TEKey
* Exit the debugger
* Get to the application's registration screen
* Enter something in all non-sn fields
* Type "1234567890" into the sn field
* Press return
* Start single stepping

Technique 3
-----------
Same as Technique 2, except:
* Type "123456789" into the sn field
* Type the "0" (the _TEKey trap fires on this last keystroke)
* Start single stepping

Each case is different. In some cases, the developer may be generating a checksum "as you type" and therefore Techniques 2 or 3 are necessary. In most others, he checks after you press return, where Techniques 1 and 2 would suffice. Following code after a _TEKey can be tedious. I often set breakpoints on _BlockMove after I return from a _TEKey break. Next, I check the area pointed to by register A0 after each _BlockMove is encountered until I find the sn which I entered. Sometimes you get lucky and can treat a _BlockMove break like a _GetIText break from there.

Other techniques involve trapping _ModalDialog and finding where it will go when the user presses OK. I rarely use that technique anymore as there may be user functions attached to _ModalDialog which process each keystroke, and if not, _GetIText will put you into the code.

"Where is it?" can be further defined as "Where does it first reference anything I've typed into the dialog box?".
The sure-fire way to find it is to maintain the single stepping up to that point.

I'll be using Knot 3.6 as an example as its sn routine is not too extensive but still requires some thinking in its reversal. The following code is found after using Technique 1 (and many single steps later):

          MOVEA.L  8(A7),A0        ; A0 -> the sn string
          PUSH     #1              ; selector 1
          _Pack7                   ; = StringToNum
          MOVEA.L  4(A7),A0        ; A0 -> where the number goes
          MOVE.L   D0,(A0)         ; store the converted number

This is the first occurrence of a reference to the sn. Here it converts the sn string into a number for further processing. Now we're ready to proceed to question two.

2. WHAT DOES IT DO?
===================
This is the step where you need to get out your tablet of paper and pencils. The following are some favorites of developers when checking the sn:
* Is the length correct?
* Does it contain specific characters at predefined locations?
* Is it a calculation on what the user types?
* Does one part of the sn result in another part?
* Does it use a lookup table?
* Does the result depend on some other fields?

Who cares what it does? You do, if you want to get the sn out of it (mission accomplished!).

As you single step through the code, you must write down all that happens. I tend to use tree diagrams stemming from the sn which I write at the top of the page with separation between each character. Sometimes I need to draw arrows showing characters which are swapped. Sometimes I write replacement characters above them. Many times I have lines streaming down each character, or set of characters, resembling long division but involving bitwise and/or other operators. Use whatever works best for you but be sure to take down everything in a format legible at least to yourself, or you'll be sorry later.
Upon cruising through the code past the initial string-to-number routine, we find this (the caller, and proc13 which does the checking; proc12 is a signed MOD helper built on DIVUL.L with a small jump table at data11 to fix up the sign of the remainder):

          PUSH.L   vjb_2(A6)            ; -> the sn as a number
          JSR      proc13               ; check it
          POP.B    D0                   ; retrieve the return code
          EXT.L    D0
          BNE.S    ITSGOOD              ; result NOT zero ==> sn valid!
          SUBQ     #2,A7                ; room for the _Alert result
          PUSH     #$81                 ; alertID
          CLR.L    -(A7)                ; filterProc = nil
          _Alert                        ; (alertID:INTEGER; filterProc:ProcPtr):INTEGER
          POP      D0
          BRA.S    ljb_3                ; sn invalid, back to the dialog
ITSGOOD   ...                           ; registration accepted (GETPREFS, DO_CLOSE)

proc13    LINK     A6,#0
          MOVEA.L  param1(A6),A2        ; A2 -> the sn
          CLR.B    funRslt(A6)          ; assume invalid (return a zero)
          TST.L    (A2)
          BEQ.S    liy_1                ; sn is zero? invalid
          MOVE.L   (A2),D0
          ANDI.L   #$100,D0
          BNE.S    liy_1                ; bit $100 set? invalid
          CMPI.L   #$186A0,(A2)
          BLT.S    liy_1                ; below $186A0? invalid
          MOVE.L   (A2),D0
          AND.L    #31,D0
          ADDI.L   #$4531,D0
          MOVE.L   D0,D1                ; D1 = (sn & 31) + $4531
          MOVE.L   (A2),D0              ; D0 = sn
          JSR      proc12               ; D0 = D0 MOD D1
          CMPI.L   #$9D,D0
          BNE.S    liy_1                ; remainder not $9D? invalid
          MOVE.B   #1,funRslt(A6)       ; all checks passed
liy_1     UNLK     A6
          RTS

In viewing this code, we see what lurks behind "ITSGOOD": the return code of proc13 must NOT be zero, or we jump to the error alert. All of the checks are inside proc13 (continued in proc12 and data11). Now we can construct the set of rules which must be met for proper sn validation:

Rule 1 : sn must NOT be a zero
Rule 2 : (sn & $100) = 0
Rule 3 : sn >= $186A0 (100000 decimal)
Rule 4 : sn MOD ((sn & 31) + $4531) = $9D

Now we are ready to answer question three.

3. HOW CAN IT BE REVERSED?
==========================
This question rarely has the same answer. I've seen quite a few different techniques used in sn checksumming. The main thing to remember here is, good notes = success. I find it useful at this point to take a deep breath, view my notes, and ask myself "why?". Why is it flipping every 5th bit or why does it repeat a certain pattern over and over again? In answering these questions, you may find a simple way to repeat that capability in a more simplistic form. Another thing to keep in mind is that there are often multiple ways to derive the same sn. I will demonstrate this by providing two separate routines for reversing the Knot sn checksum.
In viewing the rules which were derived from question two, we find that rule 3 will allow us to disregard rule 1 (anything >= $186A0 is not zero). Rule 4 is the toughest one and will require us to dust off our old algebra books for solutions to simplification, or take the easy way out. First let's try the easy way, or better described as the "brute force" method:

FOR sn = $186A0 TO mymaxno
  IF ((sn & $100)=0) AND (sn MOD ((sn & 31) + $4531)=$9D) THEN PRINT sn
NEXT

Rule 1 : (Disregarded in lieu of rule 3)
Rule 2 : Applied in the first half of the "IF" statement
Rule 3 : Applied by the outer loop (sequentially increment every number from $186A0)
Rule 4 : Applied in the second half of the "IF" statement

Although this method will work, it's slow. Trying every number from $186A0 is never a good solution as the distance between valid numbers may be great. So let's look a little deeper now to find a better solution.

Rule 4: sn MOD ((sn & 31) + $4531) = $9D

is the same as saying:

sn = x * ((sn & 31) + $4531) + $9D

where x is the whole-number quotient of the division. (The divisor is always at least $4531, which is larger than $9D, so a remainder of $9D is always possible.) Also, by sheer knowledge, we know that (sn & 31) can have only 32 possibilities (0-31). So let's restate the formula where "p" may be any one of the 32 possibilities:

Rule 4: sn = x * (p + $4531) + $9D
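The four rules and both ways of searching for numbers that satisfy them, as an added example in Python (this is not Book-Worm's code and not Knot's own routine; the constant names and the max_sn bound are assumptions made here). is_valid mirrors the checks in proc13, brute_force walks every candidate from $186A0 upward the way the BASIC loop above does, and constructive builds candidates from sn = x * (p + $4531) + $9D for each p in 0-31 and keeps only those where p really is sn & 31. Running both over the same range and comparing the lists is exactly the check question four asks for:

```python
# Knot 3.6 sn rules re-implemented (added example; not Book-Worm's code nor
# Knot's own routine). Constant names and the max_sn bound are assumptions.

MIN_SN = 0x186A0       # rule 3: sn must be >= $186A0 (100000 decimal)
BIT_MASK = 0x100       # rule 2: this bit of sn must be clear
LOW_BITS = 31          # rule 4 works on the low five bits, sn & 31
ADDEND = 0x4531        # rule 4 divisor is (sn & 31) + $4531
TARGET_MOD = 0x9D      # rule 4 remainder must be $9D


def is_valid(sn: int) -> bool:
    """Mirror of proc13: every one of the four rules must hold."""
    if sn == 0:                                   # rule 1: sn must not be zero
        return False
    if sn & BIT_MASK:                             # rule 2: (sn & $100) = 0
        return False
    if sn < MIN_SN:                               # rule 3: sn >= $186A0
        return False
    divisor = (sn & LOW_BITS) + ADDEND            # rule 4: sn MOD ((sn & 31) + $4531) = $9D
    return sn % divisor == TARGET_MOD


def brute_force(max_sn: int) -> list[int]:
    """The slow way: try every number from $186A0 up to max_sn."""
    return [sn for sn in range(MIN_SN, max_sn + 1) if is_valid(sn)]


def constructive(max_sn: int) -> list[int]:
    """The fast way: sn = x * (p + $4531) + $9D for p in 0..31, keeping only
    candidates where p really is sn & 31 (rules 2 and 3 still apply)."""
    found = []
    x = 1
    # p = 0 gives the smallest sn for a given x; stop once even that is too big
    while x * ADDEND + TARGET_MOD <= max_sn:
        for p in range(LOW_BITS + 1):
            sn = x * (p + ADDEND) + TARGET_MOD
            if sn > max_sn:
                break
            if sn >= MIN_SN and not sn & BIT_MASK and (sn & LOW_BITS) == p:
                found.append(sn)
        x += 1
    # candidates from different x values interleave, so sort to match brute force
    return sorted(found)


if __name__ == "__main__":
    limit = 130_000
    slow = brute_force(limit)
    fast = constructive(limit)
    print("brute force: ", [hex(sn) for sn in slow])
    print("constructive:", [hex(sn) for sn in fast])
    print("same results:", slow == fast)
```

The constructive search visits at most 32 candidates per value of x instead of every integer, which is where the speed difference between the two routines comes from; the p == sn & 31 test is what keeps it honest, since a candidate built from the wrong p would not satisfy rule 4 as the program actually computes it.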

Now we can simply create an algorithm with nested loops. The outer loop will control "x" and the inner loop will control each iteration of "p" (0-31):

FOR x=1 TO mymaxno
  FOR p=0 TO 31
    sn = x * (p + $4531) + $9D
    IF sn >= $186A0 AND ((sn & $100) = 0) AND ((sn & 31) = p) THEN PRINT sn
  NEXT
NEXT

Notice the last part of the "IF" statement. This is where we verify that p does, in fact, equal (sn & 31). (The outer loop only needs to run until x * $4531 + $9D passes the highest sn you care about.) Using this second approach greatly reduces the time needed to generate numbers as we are skipping through all the possibilities by leaps and bounds. Now we are ready to answer the final question.

4. DO THE GENERATED NUMBERS WORK?
=================================
This is the easiest question to answer as you can simply type them in to check the results. I recommend trying the lowest and highest sn followed by a few in between and a series "in a row". If your notes and programming are good, they usually all work fine. If there is a bug in your programming, they are usually all wrong, or the lower and/or upper limits are wrong. In this case, after running both algorithms, we arrive at the same results. There is, of course, a noticeable difference in speed between them.

ENDING COMMENTS
===============
I've taken you on a journey through a simple situation. There are, however, many more difficult routines being used in today's sn checksums. You must keep in mind that nothing is impossible through determination. No matter how you fold a piece of paper, it's always possible to unfold it once again. Some folds may be tucked in deep and difficult to pull out. There may be times you encounter hundreds of folds. But no matter how much time is put into folding that sheet of paper, someone else can always unfold it. There's no reason why you can't be that person!

Let the puzzles begin,

                                                          =-BOOK-WORM->