codereversing.com Report


  • Ranking Alexa Global: # 3,528,989

    Server:Apache...

    Main IP address: 208.113.153.68. Server location: United States, San Francisco. ISP: New Dream Network LLC. TLD: com. Country code: US.

    The description :the end of the world home audience index about analyzing product key authentication (2/2) january 6th, 2018 admin no comments tweet this post picks up where the other previous one concluded and wraps...

    This report was updated on 01-Sep-2018

Created Date:2011-01-06
Changed Date:2018-12-05

Technical data of the codereversing.com


GeoIP provides information such as latitude, longitude and ISP (Internet Service Provider). Our GeoIP service located the host of codereversing.com. It is currently hosted in the United States and its service provider is New Dream Network LLC.

Latitude: 37.774929046631
Longitude: -122.41941833496
Country: United States (US)
City: San Francisco
Region: California
ISP: New Dream Network LLC

HTTP Header Analysis


HTTP header information is the part of the HTTP protocol that a user's browser sends to the web server (here, Apache), containing the details of what the browser wants and will accept back from the web server.

Content-Encoding:gzip
Transfer-Encoding:chunked
Vary:Accept-Encoding,Cookie
Keep-Alive:timeout=2, max=99
Server:Apache
Connection:Keep-Alive
Cache-Control:max-age=3, must-revalidate
Date:Fri, 31 Aug 2018 22:27:16 GMT
Content-Type:text/html; charset=UTF-8

DNS

soa:ns1.dreamhost.com. hostmaster.dreamhost.com. 2017061600 18500 1800 1814400 14400
ns:ns3.dreamhost.com.
ns2.dreamhost.com.
ns1.dreamhost.com.
ipv4:IP:208.113.153.68
ASN:26347
OWNER:DREAMHOST-AS - New Dream Network, LLC, US
Country:US
mx:MX preference = 0, mail exchanger = mx2.sub5.homie.mail.dreamhost.com.
MX preference = 0, mail exchanger = mx1.sub5.homie.mail.dreamhost.com.

HtmlToText

Analyzing Product Key Authentication (2/2)
January 6th, 2018, admin

This post picks up where the previous one concluded and wraps up the bypass in the product authentication algorithm in Age of Mythology. The previous post left off with the code showing the “invalid product key” popup at the call to 0x0040f880.

    0040d258 | e8 23 26 00 00    | call ebu4df6.40f880
    0040d25d | 83 c4 0c          | add esp,c
    0040d260 | 89 5c 24 10       | mov dword ptr ss:[esp+10],ebx
    0040d264 | 56                | push esi
    0040d265 | ff 15 e8 62 46 00 | call dword ptr ds:[<&freelibrary>]
    0040d26b | 8b 44 24 10       | mov eax,dword ptr ss:[esp+10]
    0040d26f | 5f                | pop edi
    0040d270 | 5e                | pop esi
    0040d271 | 5d                | pop ebp
    0040d272 | 5b                | pop ebx
    0040d273 | 81 c4 58 03 00 00 | add esp, 358
    0040d279 | c3                | ret

The function at 0x0040f880 just passes in the string along with a few other parameters and calls another function to invoke the popup to appear.

    0040f880 | 8b 4c 24 0c    | mov ecx,dword ptr ss:[esp+c]  |
    0040f884 | 8b 54 24 08    | mov edx,dword ptr ss:[esp+8]  | [esp+8]:"invalid product key"
    0040f888 | 8d 44 24 10    | lea eax,dword ptr ss:[esp+10] |
    0040f88c | 50             | push eax                      |
    0040f88d | 8b 44 24 08    | mov eax,dword ptr ss:[esp+8]  | [esp+8]:"invalid product key"
    0040f891 | 51             | push ecx                      | ecx:"invalid product key"
    0040f892 | 52             | push edx                      |
    0040f893 | 50             | push eax                      |
    0040f894 | e8 07 00 00 00 | call ebu4df6.40f8a0           |
    0040f899 | 83 c4 10       | add esp,10                    |
    0040f89c | c3             | ret                           |

Stepping back to the original function, the return value, contained in eax, is set to [esp + 0x10]. Prior to this instruction executing, eax is 1. On the failure case, [esp + 0x8] contains 0, which subsequently gets assigned to eax and returned to the caller. Attaching a debugger and dynamically changing eax to 1 shows that the value is accepted and the installation process continues.

To make it permanent, there are two simple options: nop out the instruction altogether, since the correct value is in eax prior to execution, or change the instruction to mov eax, 1 to force the correct value into the register. During my test session, I just decided to nop out the instruction. Replacing the 4-byte instruction at 0x0040d26b

    0040d26b | 8b 44 24 10 | mov eax,dword ptr ss:[esp+10]

with nops

    0040d26b | 90 | nop
    0040d26c | 90 | nop
    0040d26d | 90 | nop
    0040d26e | 90 | nop

allows for the product authentication process to continue and the game to be installed. Fortunately it turned out to be pretty simple: this authentication function simply returns a boolean value that the caller accepts without any other considerations. Forcing a return of true was good enough to continue along in the process.

Thanks for reading and follow on Twitter for more updates.

Categories: game hacking, general x86, programming, reverse engineering

Analyzing Product Key Authentication (1/2)
July 21st, 2017, admin

This post will cover the topic of product authentication in applications and how it can be bypassed. It aims to serve as a detailed walkthrough of how to locate these functions in a target application and methods in which an application can be modified to allow it to accept invalid product keys. The post will focus on a concrete application and will involve reverse engineering the code which is responsible for performing authentication. At this time, only the calling code will be investigated; this will not be a post about reverse engineering the actual algorithm itself, although that may come at a later date.

Tools

Not much is needed here outside of the standard tools.
Below is what was used when creating this post:

  • Cheat Engine for memory scanning
  • x64dbg for dynamic analysis
  • Installer executable (setup.exe) that comes with the Age of Mythology CD (SHA1 hash: ac9241f632ffb0d845e404fc06c3a204d2ee1b99)

The target

The target for this post will be Age of Mythology. It is a game that has had support dropped for modern operating systems and has also had its multiplayer servers shut down, which makes the game a nice target to practice on. The game requires a valid product key as part of the installation process. The verification is done entirely within the executable itself; there is no online activation required, which would greatly complicate the process.

The installation process requires the input of a valid 25-character product key that is located on the physical CD case. Failure to provide this product key results in an error dialog saying that the product key is invalid and prevents the user from continuing the installation process.

The goal then is to bypass this process and be able to install the game without having a valid product key. This will involve finding the code responsible for calling the authentication function(s), reverse engineering it to understand how it works, and then finding a way to modify it so that it is possible to proceed in the installation process without having a valid key.

Finding the function

As mentioned above, the natural starting point is to find where the product key is being verified. This can be accomplished in multiple ways, each one having its own benefits and drawbacks. For this example, the approach I took involved finding the key in memory and seeing where it was accessed. This was done by inputting a key into the box and then searching for the string in the process memory using Cheat Engine. Doing this resulted in one address.
Finding out what writes to this address provided additional information to investigate.

At this point it is time to attach a debugger and begin stepping through some of this code. Starting at the top of the list of addresses, the ones in the 0x757621… range looked interesting. Given the high address, it can be concluded that these likely reside in a Windows core DLL. Navigating to the first address in the debugger reveals that it is part of the lstrcpyA function in kernel32.dll.

    757621b0 | 6a 08                | push 8
    757621b2 | 68 b8 f5 7c 75       | push kernel32.757cf5b8
    757621b7 | e8 e0 85 00 00       | call kernel32.7576a79c
    757621bc | 83 65 fc 00          | and dword ptr ss:[ebp-4], 0
    757621c0 | 8b 55 0c             | mov edx, dword ptr ss:[ebp+c]
    757621c3 | 8b 45 08             | mov eax, dword ptr ss:[ebp+8]
    757621c6 | 8b f0                | mov esi, eax
    757621c8 | 2b f2                | sub esi, edx
    757621ca | 8a 0a                | mov cl, byte ptr ds:[edx]
    757621cc | 88 0c 16             | mov byte ptr ds:[esi+edx], cl
    757621cf | 42                   | inc edx
    757621d0 | 84 c9                | test cl, cl
    757621d2 | 75 f6                | jne kernel32.757621ca
    757621d4 | c7 45 fc fe ff ff ff | mov dword ptr ss:[ebp-4], fffffffe
    757621db | e8 01 86 00 00       | call kernel32.7576a7e1
    757621e0 | c2 08 00             | ret 8

There’s nothing surprising here: the two arguments are passed in [ebp+0x8] and [ebp+0xc]. The contents of the source argument are copied, one byte at a time, into the destination argument in a loop which terminates when a null terminator is found in the source parameter. Setting a breakpoint on this function shows that it is being hit multiple times. It is initially hit five times for the five different parts of the key. Afterwards it is hit with the entire key.
For the first five parts, the call stack shows the call coming from the following:

    0040cd06 | 50                | push eax                      |
    0040cd07 | 68 d0 d8 47 00    | push ebud71f.47d8d0           | 47d8d0:"11111"
    0040cd0c | ff d6             | call esi                      | esi:lstrcpya
    0040cd0e | 8b 0d a0 cc 47 00 | mov ecx,dword ptr ds:[47cca0] |
    0040cd14 | 8b 11             | mov edx,dword ptr ds:[ecx]    |
    0040cd16 | ff 92 90 00 00 00 | call dword ptr ds:[edx+90]    |
    0040cd1c | 50                | push eax                      |
    0040cd1d | 68 d4 d9 47 00    | push ebud71f.47d9d4           | 47d9d4:"22222"
    0040cd22 | ff d6             | call esi                      | esi:lstrcpya
    0040cd24 | 8b 0d a4 cc 47 00 | mov ecx,dword ptr ds:[47cca4] |
    0040cd2a | 8b 01             | mov eax,dword ptr ds:[ecx]    |
    0040cd2c | ff 90 90 00 00 00 | call dword ptr ds:[eax+90]    |
    0040cd32 | 50                | push eax                      |
    0040cd33 | 68 d8 da 47 00    | push ebud71f.47dad8           | 47dad8:"33333"
    0040cd38 | ff d6             | call esi                      | esi:lstrcpya
    0040cd3a | 8b 0d a8 cc 47 00 | mov ecx,dword ptr ds:[47cca8] |
    0040cd40 |

URL analysis for codereversing.com



Whois Information


Whois is a protocol that provides access to registration information. With it you can find out when the website was registered, when it will expire, and the contact details for the site. In a nutshell, it includes the following information:

Domain Name: CODEREVERSING.COM
Registry Domain ID: 1633647338_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.dreamhost.com
Registrar URL: http://www.DreamHost.com
Updated Date: 2018-12-05T08:13:21Z
Creation Date: 2011-01-06T04:38:00Z
Registry Expiry Date: 2020-01-06T04:38:00Z
Registrar: DreamHost, LLC
Registrar IANA ID: 431
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.DREAMHOST.COM
Name Server: NS2.DREAMHOST.COM
Name Server: NS3.DREAMHOST.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2019-08-11T09:27:21Z <<<


  REGISTRAR DreamHost, LLC

SERVERS

  SERVER com.whois-servers.net

  ARGS domain =codereversing.com

  PORT 43

  TYPE domain

DOMAIN

  NAME codereversing.com

  CHANGED 2018-12-05

  CREATED 2011-01-06

STATUS
ok https://icann.org/epp#ok

NSERVER

  NS1.DREAMHOST.COM 64.90.62.230

  NS2.DREAMHOST.COM 208.97.182.10

  NS3.DREAMHOST.COM 66.33.205.230

  REGISTERED yes


Mistakes


The following list shows possible spelling mistakes by internet users for the website searched.
