
Part 1 - How to Make a Key Generator Using W32Dasm http://www.mouseindustries.com/tuts/w32dasm_tut1/part_01.htm

How to Make a Key Generator Using W32Dasm


Author: Andrew Aksel Heinlein [Mouse]
http://www.mouseindustries.com
mouse@mouseindustries.com

What you will need:


W32Dasm (even the shareware version will suffice). You can find a copy at www.programmerstools.org in the decompilers section.
Optional: A compiler that supports inline assembler (for example: Microsoft Visual C++)
Particle Fire Screen Saver version 1.1a (File size: 102,912 bytes) (found at: http://www.longbowdigitalarts.com/particlefire.html)
A window spy (Microsoft Spy++) or a resource editor (eXeScope). This is not needed, but it helps us find Dialog Item ID Numbers.
A computer, monitor and keyboard.

Step One

Once you have installed Particle Fire, open your screensaver settings in the Windows Display Properties. Select the Particle Fire screensaver. Hit the Settings... button. The Particle Fire settings dialog should appear. At the bottom of this dialog there is an edit box labeled Serial #: There should be a 0 within this box. Obviously this is where the serial number will eventually go. The first thing I would do is open Microsoft Spy++ or eXeScope and try to find the dialog item ID number. (Look up GetDlgItem() on MSDN to understand what a dialog item ID is.)

Finding the dialog item ID in Microsoft Spy++

Finding the dialog item ID with eXeScope

1 of 4 4/8/2011 2:36 PM

OK, now we know that the ID of the dialog item is 0x000003F0 (or 1008 in decimal).

Now, since we are all Windows gurus here, we know that in order to read a value or text from a window we have to use one of the following API calls:

GetWindowText()
GetDlgItemText()
GetDlgItem()
GetDlgItemInt()

I am going to assume (since there is a ZERO already in the box) that he used SetDlgItemInt(). So I will also assume that he is going to use
GetDlgItemInt() to get the value. Don't feel like assuming? No problem, I'll do it the long way to cover all the bases.

First, let's open up the Particle Fire screen saver in W32Dasm. Once it finishes disassembling, there is a menu item named Functions and a
submenu called Imports. Click it. (For us impatient ones who hate the mouse, use ALT+F+I) These are all the API functions that this program
imports from system DLLs.

Now what we are looking for are GetWindowText(), GetDlgItemText(), GetDlgItem() or GetDlgItemInt(). We should know that these functions are exported by User32.DLL (if you don't know this, just scroll down until you find the export by name). Let's try to find GetWindowText() first. Can't find it? Me neither... so this means he is not using it. Now that we know he isn't using GetWindowText(), we can scratch GetDlgItem() off our list of target functions. (GetDlgItem() only returns an HWND; you still need GetWindowText() on that HWND to get the window's text or value.) Confused? Just go to microsoft.com and search GetDlgItem() and read up on it.

Ok, so let's move on to GetDlgItemText(). Can you find it on the list of imports? Nope! Ok, that leaves one final call... GetDlgItemInt(). Find
this call in the list. It should be listed as USER32.GetDlgItemInt. See the picture below.

Once you have found it in the list, double-click on it. The first reference W32Dasm should take us to will look like this:


Author's Suggested Reading


See exactly how GetDlgItemInt() works by going to microsoft.com and looking it up or clicking here.

Author's poor attempt at a basic definition of the Stack


Assembler relies heavily on something called a "Stack." You "push" 32-bit pointers/values onto the stack to save the values in order to pass them to other functions. It's basically like a growing array or vector of values. It works on the principle of "First on, Last Off" (last in, first out). Think of it like a stack of pancakes. You lay down one (push), then "push" another one on top of the last. To get them off, you "pop" them off from the top down. (This is a very basic description of the stack... I would suggest reading up on it to get a more precise definition.) (No, really, I mean that.)

Ok, now that we know (basically) how the stack works, we can tell from the code above that it is "pushing" 4 values onto the stack before the call to GetDlgItemInt(). What are these 4 values? Let's look at how the API is defined:

Ok, great.. we see it requires 4 parameters:

hDlg - Handle to the dialog box that contains the control of interest.

nIDDlgItem - Specifies the identifier of the control whose text is to be translated.

lpTranslated - Pointer to a variable that receives a success or failure value (TRUE indicates success, FALSE indicates failure). If this
parameter is NULL, the function returns no information about success or failure.

bSigned - Specifies whether the function should examine the text for a minus sign at the beginning and return a signed integer value if it
finds one (TRUE specifies this should be done, FALSE that it should not).

Now that we know all this basic information, let's look at the above code from a different view:

See how that works? Pretty simple. It starts by pushing the last parameter first and the first parameter last. Knowing this, we know that this function call will not help us. Why? Because we are looking for the ID 0x000003F0! As you can see here, it is pushing 0x000003EA onto the stack. This isn't the ID we are looking for! But that was a good review of what to expect next, right?

Let's continue on by going back to our Import list and double clicking on the same item again. Keep double clicking until you come to this
address 0x00001948. It should look like this:

This may be a tad confusing... Basically the author of this program is calling GetDlgItemInt() twice. Let me show you in pseudo code:


He is calling it twice... for what reason? I have no idea; the author is more of an artist than a Windows programmer, I guess :)

Ok, we know that GetDlgItemInt() returns the value inside of the edit box in number form. But where is the number? In assembler, if you call
a routine that returns a value (i.e.: a function), the returned value is stored in EAX.

Take a look at code line :00402565. There we see EAX being moved to a static pointer! So now we know that the serial number is stored
at a DWORD pointer at address 00412114!
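The push-to-parameter mapping and the "where does EAX go" check described above can be done mechanically. Here is an added Python helper (not the author's code, and the listing below is constructed in W32Dasm's style rather than copied from the real Particle Fire disassembly; the addresses, opcode bytes and operands are illustrative): it assigns the pushes before each GetDlgItemInt call to hDlg, nIDDlgItem, lpTranslated and bSigned in reverse push order, and reports whether the instruction after the call saves the return value to a fixed address.

```python
import re

# GetDlgItemInt parameters in declaration order. With stdcall the caller
# pushes them in reverse, so the push nearest the call is hDlg.
PARAMS = ["hDlg", "nIDDlgItem", "lpTranslated", "bSigned"]

# Constructed W32Dasm-style listing (not the real Particle Fire disassembly).
LISTING = """
:00401900 6A00                    push 00000000
:00401902 6A00                    push 00000000
:00401904 68EA030000              push 000003EA
:00401909 56                      push esi
:0040190A FF1540914100            Call USER32.GetDlgItemInt
:00401940 6A00                    push 00000000
:00401942 6A00                    push 00000000
:00401944 68F0030000              push 000003F0
:00401949 56                      push esi
:0040194A FF1540914100            Call USER32.GetDlgItemInt
:00401950 A314214100              mov dword ptr [00412114], eax
"""

LINE_RE = re.compile(r"^:([0-9A-F]{8})\s+[0-9A-F]+\s+(.+)$", re.I)
STORE_RE = re.compile(r"^mov dword ptr \[([0-9A-F]{8})\], eax$", re.I)

def parse_listing(text):
    """Return (address, instruction) pairs from W32Dasm-style lines."""
    hits = (LINE_RE.match(ln.strip()) for ln in text.splitlines())
    return [(m.group(1), m.group(2).strip()) for m in hits if m]

def find_calls(text, api="GetDlgItemInt", params=PARAMS):
    """Map the pushes before each call to `api` onto parameter names (reverse
    push order == declaration order) and note a fixed-address store of EAX."""
    insns = parse_listing(text)
    sites = []
    for i, (addr, insn) in enumerate(insns):
        if not (insn.lower().startswith("call") and api.lower() in insn.lower()):
            continue
        window = insns[max(0, i - len(params)):i]
        pushes = [p.split(None, 1)[1] for _, p in window if p.lower().startswith("push")]
        args = dict(zip(params, reversed(pushes)))
        store = STORE_RE.match(insns[i + 1][1]) if i + 1 < len(insns) else None
        sites.append({"call": addr, "args": args, "stored_at": store.group(1) if store else None})
    return sites

def site_for_control(text, ctrl_id):
    """Return the call site whose nIDDlgItem is the immediate `ctrl_id`, else None."""
    for s in find_calls(text):
        operand = s["args"].get("nIDDlgItem", "")
        if re.fullmatch(r"[0-9A-F]+", operand, re.I) and int(operand, 16) == ctrl_id:
            return s
    return None
```

Running `site_for_control(LISTING, 0x3F0)` on the constructed listing picks the second call site and reports the EAX store to 00412114, while the first site (control 0x3EA) is skipped, mirroring the two references walked through above.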

Step One Summary


Take a deep breath, the battle is half over. What we have done up to this point is:

Find the serial number's edit box's ID number.
Track down a reference to it in W32Dasm.
Find where the value is being stored.

If you are lost at this point, just start over and re-read this step. Going on at this point without knowing what you're doing is worthless. If you are feeling confident, let's go to the next step!

Continue on to step two...
