Exetools

Exetools forum (https://forum.exetools.com/index.php), General Discussion: "Kanal how does signature analysis work?" (https://forum.exetools.com/showthread.php?t=2448)

alephz 08-04-2003 20:33

1 Attachment(s)
Quote:

Originally posted by 5Alive
I was hoping that it uses a standard library such as DCPCrypt; it uses something called TCipherStreamFactoryRC5 to handle the decryption.
1. Try CC from 'Help Me - CRC Check and FileSize Check' topic
h**p://w*w.exetools.com/forum/showthread.php?threadid=2385

2. RC5/6 is implemented in a lot of libraries on the net.

3. See the attachment as an example of RC6 at work (it's the source for the Oscar 17 (Summer Edition) Serials Database decipher).

alephz 08-04-2003 20:53

1 Attachment(s)
Quote:

Originally posted by alephz
3. See the attachment as an example of RC6 at work (it's the source for the Oscar 17 (Summer Edition) Serials Database decipher).
Sorry, I forgot about RC6 Src

bolo2002 08-04-2003 23:01

do you still have a page alephz?

remember great tools posted on it.

thanks

alephz 08-04-2003 23:17

Quote:

Originally posted by bolo2002
do you still have a page alephz?
It was killed immediately after I put on some stuff about
F-Group Software junk progs. (h**p://w*w.fgroupsoft.com)

Unfortunately, for now I haven't had time to recover it and, more
sadly, haven't had time to enjoy the new junk from F-Group Software.

Well, I keep it in my TODO list :-\

5Alive 08-05-2003 01:09

Quote:

Originally posted by alephz
Sorry, I forgot about RC6 Src
No problem, I was a little confused by the previous file contents, had that "something's missing" feeling.

Thank you. I'll give this a look over.

5Alive

bolo2002 08-06-2003 02:22

Quote:

Originally posted by alephz
It was killed immediately after I put on some stuff about
F-Group Software junk progs. (h**p://w*w.fgroupsoft.com)

Unfortunately, for now I haven't had time to recover it and, more
sadly, haven't had time to enjoy the new junk from F-Group Software.

Well, I keep it in my TODO list :-\


Well, thanks for the answer!

ByTESCRK 08-06-2003 23:26

Oops. I forgot I'm not supposed to post Requests in this Forum and JMI edited my post to this stupid message. :cool:

Actually if I'd taken the time to use the "search" button and "kanal" on the left side, I would have found the answer to my question is here:

http://www.exetools.com/forum/showthread.php?s=&threadid=2348&highlight=kanal

P.S. LOL, JMI, 10x friend. :D

5Alive 08-07-2003 18:14

Quote:

Originally posted by alephz
1. Try CC from 'Help Me - CRC Check and FileSize Check' topic
h**p://w*w.exetools.com/forum/showthread.php?threadid=2385

2. RC5/6 was implemented in a lot libraries on the net.

Just a quick update: the CC tool confirmed that the exe had RC5; knowing these offsets, I was able to locate the subroutine.
Thanks alephz!


I have since found a string ref to RC4 too! I think the serial number is an RC4 key, and the content decryption is handled by RC6.

The app produces a unique system id number using API calls to GetSystemInfo, GetComputerNameA and GetVolumeInformationA.
This is to restrict a valid password to a single PC.

If your system ID changes, you are sent a new serial to unlock the content. Therefore, the system ID is equivalent to a user name and the serial is the password.

So I think I am looking at some sort of RC4 keygen. Yikes!
I've got some more questions I'll try to answer myself before posting.

I'm new to reverse engineering, where do the hours go?

5Alive.
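The constant matching that Kanal and the CC tool rely on to flag RC5 in an executable, as an added example that is not part of the thread or of either tool: it scans a buffer for the key-schedule and initial-state words that RC5/RC6, MD5/SHA-1 and CRC-32 compile into code, in both byte orders, and reports candidate families rather than one verdict, since RC5 and RC6 share P32/Q32 and Q32 is also TEA's delta. The constant table comes from the published algorithm specifications; the SAMPLE bytes are constructed here and are not a real binary.

```python
import struct
from collections import defaultdict

# Magic words that get compiled into code using these algorithms.  Each entry
# names every algorithm known to use the word, so a hit narrows the
# candidates rather than identifying one cipher outright.
SIGNATURES = {
    0xB7E15163: ("RC5/RC6", "key-schedule constant P32, from e-2"),
    0x9E3779B9: ("RC5/RC6 or TEA/XTEA", "key-schedule Q32, also TEA's delta"),
    0x67452301: ("MD5/SHA-1", "initial state word A / h0"),
    0xEFCDAB89: ("MD5/SHA-1", "initial state word B / h1"),
    0x98BADCFE: ("MD5/SHA-1", "initial state word C / h2"),
    0x10325476: ("MD5/SHA-1", "initial state word D / h3"),
    0xC3D2E1F0: ("SHA-1", "initial state word h4"),
    0xEDB88320: ("CRC-32", "reflected polynomial"),
}

def scan_constants(data: bytes):
    """Return sorted (offset, endianness, family, detail) for every hit.

    Both byte orders are searched: an x86 immediate is little-endian, but a
    table emitted by a big-endian-minded implementation may not be.
    """
    hits = []
    for value, (family, detail) in SIGNATURES.items():
        for endian, fmt in (("LE", "<I"), ("BE", ">I")):
            pattern = struct.pack(fmt, value)
            pos = data.find(pattern)
            while pos != -1:
                hits.append((pos, endian, family, detail))
                pos = data.find(pattern, pos + 1)
    return sorted(hits)

def summarize(hits):
    """Group hits by algorithm family -> list of offsets, for a quick verdict."""
    families = defaultdict(list)
    for offset, _endian, family, _detail in hits:
        families[family].append(offset)
    return dict(families)

# Constructed sample, not a real binary: a push ebp / mov ebp,esp prologue,
# `mov eax, P32` and `add eax, Q32` as little-endian x86 immediates, a ret,
# padding, then an MD5 initial-state word stored big-endian.
SAMPLE = (
    b"\x55\x8b\xec"
    + b"\xb8" + struct.pack("<I", 0xB7E15163)
    + b"\x05" + struct.pack("<I", 0x9E3779B9)
    + b"\xc3" + b"\x00" * 8
    + struct.pack(">I", 0x67452301)
)

if __name__ == "__main__":
    for offset, endian, family, detail in scan_constants(SAMPLE):
        print(f"0x{offset:04x} {endian} {family}: {detail}")
```

A hit gives the offset of the constant, not of the cipher routine itself; the subroutine that loads it is what still has to be located, as the post above describes.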

ArC 08-07-2003 20:02

RC4 isn't that hard ;)

5Alive 08-07-2003 20:20

Is the best solution to rip the RC4 code and insert it into your own app? I'm using DeDe and IDA.

Once I isolated the code, is MASM the best tool for keygen creation?

I notice that Dede doesn't recognise win32 API calls and IDA doesn't recognise some custom Delphi library calls.

Can this be fixed, or do I need to work between the two to build a clearer picture of what the functions are doing?

I've compiled/created DCU/DSF file from source code to help me identify calls in DeDe.

As far as I'm aware FLIRT only supports Delphi 1.0 TPUs which is of no use to me. Anyone know any different and like to share their knowledge?

Thanks 5Alive.

ArC 08-07-2003 20:29

Quote:

Is the best solution to rip the RC4 code and insert it into your own app?
You can try to rip the RC4 code.....
But pay attention to the S-box and to the field K!
Don't forget to rip the init routine!

Quote:

Once I isolated the code, is MASM the best tool for keygen creation?
When I code a keygen in ASM, I use MASM(32 v8).

Quote:

I notice that Dede doesn't recognise win32 API calls and IDA doesn't recognise some custom Delphi library calls
That's why I usually use Olly and/or DeDe with IDA.
As sKAMER said: Olly and IDA --> deadly combo :D

5Alive 08-07-2003 20:36

Thanks, I'll keep your comments in mind when attempting this.

5Alive.

5Alive 08-07-2003 20:40

Quote:

Originally posted by ArC
You can try to rip the RC4 code.....
But pay attention to the S-box and to the field K!
Don't forget to rip the init routine!

To find the values of the S-box and K field I would need to single step with a debugger to extract these values. Is this correct?

5Alive.

ArC 08-07-2003 20:47

Usually there should be an init routine
which inits the S-Box and the K field.
If you want to rip, you will have to rip the init routine as well.
However, you should trace (with a debugger) the init routine
as well since it usually contains the key.

5Alive 08-07-2003 20:53

Thanks, I'll look into trying this. I have source for RC4 just now so I'll probably create my own little program to encrypt/decrypt to familiarise myself with its workings.

5Alive.

