KeyGen Studio 2002 / Tutorials / Code Inside / Tut11.txt
Text File  |  2001-09-21  |  7.2 KB  |  144 lines

***************************************************************************************************************************************************
                Keygenning4Newbies KeygenMe #1
***************************************************************************************************************************************************

Author:        tHE ANALYST [UCF/ID]
Protection:    Name / Serial
URL:        http://www.leelouonline.com/users/bofh/k4n/k4n.zip
Tools:        SoftICE 4.05


--->    Intro...

Hi and welcome to my next Tutorial :)
This one is very easy and simple to follow, so let's begin :)


--->    Let's Begin...

Open the CrackMe and it'll ask for a Name and Serial. I've used:

Name:        CoDe_InSiDe
Serial:        1234567890

Then get into SoftICE (CTRL+D) and type "bpx hmemcpy" followed by "enter" (you can also use GetWindowTextA).
Then get out of SoftICE (CTRL+D) and press "Check the Serial"; SoftICE should pop up.
Now press F12 8 times till you see this:

---------------------------------------------------------------------------------------------------------------------------------------------------

:0040109C 6A68                    push 00000068                <--- HERE WE LAND AFTER THE BREAK !!!
:0040109E 53                      push ebx

* Reference To: USER32.GetDlgItem, Ord:0000h
                                  |
:0040109F E8FE9B0000              Call 0040ACA2
:004010A4 6A64                    push 00000064
:004010A6 8D8DE4FEFFFF            lea ecx, dword ptr [ebp+FFFFFEE4]
:004010AC 51                      push ecx
:004010AD 50                      push eax

* Reference To: USER32.GetWindowTextA, Ord:0000h
                                  |
:004010AE E8FB9B0000              Call 0040ACAE

* Possible Reference to Dialog: DialogID_0001, CONTROL_ID:0067, ""
                                  |
:004010B3 6A67                    push 00000067
:004010B5 53                      push ebx

* Reference To: USER32.GetDlgItem, Ord:0000h
                                  |
:004010B6 E8E79B0000              Call 0040ACA2
:004010BB 8BF0                    mov esi, eax                <--- Move EAX in ESI
:004010BD 8D8548FFFFFF            lea eax, dword ptr [ebp+FFFFFF48]    <--- EAX now points to our Name
:004010C3 50                      push eax                <--- Save EAX
:004010C4 E867050000              call 00401630                <--- Here it gets the length of our Name
:004010C9 59                      pop ecx
:004010CA 8945D8                  mov dword ptr [ebp-28], eax        <--- Save our length in EBP-28
:004010CD 8D95E4FEFFFF            lea edx, dword ptr [ebp+FFFFFEE4]    <--- EDX now points to our "Fake" Serial
:004010D3 52                      push edx                <--- Save EDX
:004010D4 E857050000              call 00401630                <--- Here it gets the length of our "Fake" Serial
:004010D9 59                      pop ecx
:004010DA 68EAB04000              push 0040B0EA                <--- Points to nothing :)
:004010DF E84C050000              call 00401630                <--- Here it gets the length of nothing
:004010E4 59                      pop ecx
:004010E5 680EB14000              push 0040B10E                <--- Points to nothing :)
:004010EA E841050000              call 00401630                <--- Here it gets the length of nothing
:004010EF 59                      pop ecx
:004010F0 837DD803                cmp dword ptr [ebp-28], 00000003    <--- Compare the length of our Name with 00000003 (3 Decimal)
:004010F4 7E7B                    jle 00401171                <--- If equal or lower we jump and get the Bad Guy message, else continue
:004010F6 90                      nop                    <--- No OPeration
:004010F7 90                      nop                    <--- No OPeration
:004010F8 90                      nop                    <--- No OPeration
:004010F9 90                      nop                    <--- No OPeration
:004010FA 33C9                    xor ecx, ecx                <--- XOR ECX which is now 00
:004010FC 33D2                    xor edx, edx                <--- XOR EDX which is now 00
:004010FE 33DB                    xor ebx, ebx                <--- XOR EBX which is now 00
:00401100 33C0                    xor eax, eax                <--- XOR EAX which is now 00
:00401102 837DD832                cmp dword ptr [ebp-28], 00000032    <--- Compare the length of our Name with 00000032 (50 Decimal)
:00401106 7D69                    jge 00401171                <--- If equal or greater we jump and get the Bad Guy message, else continue
:00401108 90                      nop                    <--- No OPeration
:00401109 90                      nop                    <--- No OPeration
:0040110A 90                      nop                    <--- No OPeration
:0040110B 90                      nop                    <--- No OPeration

---------------------------------------------------------------------------------------------------------------------------------------------------

Ok, this already looks like a lot, but it isn't :)
It simply reads the Name and "Fake" Serial we entered, and then it compares the length of our Name with 00000003 (3 Decimal) and 00000032 (50 Decimal).
If the length is 3 or lower, or 50 or greater, we fail and get the Bad Guy message, else we continue.
Let's see what's next:

---------------------------------------------------------------------------------------------------------------------------------------------------

:0040110C 0FBE840D48FFFFFF        movsx eax, byte ptr [ebp+ecx-000000B8]<--- Move the Char at index ECX (the first Char on the first pass) in EAX
:00401114 41                      inc ecx                <--- ECX +1
:00401115 33C1                    xor eax, ecx                <--- XOR EAX with ECX
:00401117 03D8                    add ebx, eax                <--- ADD EAX to EBX
:00401119 3B4DD8                  cmp ecx, dword ptr [ebp-28]        <--- Compare EBP-28 (Length of our Name) with ECX
:0040111C 75EE                    jne 0040110C                <--- If not equal we jump and repeat this loop, else continue
:0040111E 6BC006                  imul eax, 00000006            <--- Multiply EAX (still the last Char XOR ECX value) with 00000006
:00401121 C1E307                  shl ebx, 07                <--- Shift EBX (the sum) to the left with 07
:00401124 03C3                    add eax, ebx                <--- ADD EBX to EAX
:00401126 8945C8                  mov dword ptr [ebp-38], eax        <--- Save EAX in EBP-38
:00401129 FF75C8                  push [ebp-38]                <--- Save the New Value

---------------------------------------------------------------------------------------------------------------------------------------------------

And here we have the Algo, damn small ;)
So, it does this:

It takes the Char at index ECX of our Name (the first Char on the first pass) and puts it in EAX
Increase ECX with 01
Then XOR EAX with ECX
Then ADD EAX to EBX
Compare ECX with the length of our Name
If not equal we repeat the loop, else continue

Then it Multiplies EAX with 06 (note: EAX is only the last Char XOR ECX value from the loop, the sum of all of them is in EBX)
Shifts EBX to the left with 07
And then ADDs EBX to EAX
Final Result in EAX ---> use %lX to show the Serial in Readable Format (ASCII)

That's all :)
I don't need to show more because after this piece of Code it will use "lstrcmpyA" to Compare the "Real" Serial with the "Fake" Serial :)
I think you can KeyGen this in YOUR language now :)
And I hope you learned something from this tutorial...
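As an added example (my own code, not the tutorial's and not the crackme author's), here is the Name -> Serial arithmetic from the listing above written out in C, with each statement tied to the instruction it mirrors. The function names (k4n_*) are mine; the 4..49 length window, the XOR/ADD loop, the *6 / <<7 finish and the "%lX" formatting all come from the listing. It also makes the easy-to-miss detail explicit: after the loop EAX holds only the last (Char XOR ECX) value, while the running sum is in EBX.

```c
/*
 * Added example (not the tutorial's code): the Name -> Serial arithmetic
 * traced in the SoftICE listing, as a checkable C model.
 *
 *   loop:  eax = (int8)name[i] ^ (i+1);  ebx += eax;   for i = 0..len-1
 *   after: eax = eax * 6;  ebx <<= 7;  eax += ebx;  serial = "%lX" of eax
 *
 * Helper names (k4n_*) are my own; the length window and the arithmetic
 * are taken from the listing.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* cmp [ebp-28],3 / jle bad  and  cmp [ebp-28],0x32 / jge bad:
   only names of length 4..49 ever reach the loop. */
int k4n_length_ok(const char *name)
{
    size_t len = strlen(name);
    return len > 3 && len < 0x32;
}

/* Returns the 32-bit value left in EAX, or 0 if the length check fails. */
uint32_t k4n_hash(const char *name)
{
    uint32_t eax = 0, ebx = 0, ecx = 0;   /* xor eax,eax / ebx,ebx / ecx,ecx */
    size_t len = strlen(name);

    if (!k4n_length_ok(name))
        return 0;

    do {
        /* movsx eax, byte ptr [ebp+ecx-B8]: the char is SIGN-extended,
           so a byte >= 0x80 would become a negative 32-bit value. */
        eax = (uint32_t)(int32_t)(int8_t)name[ecx];
        ecx++;                 /* inc ecx */
        eax ^= ecx;            /* xor eax, ecx */
        ebx += eax;            /* add ebx, eax */
    } while (ecx != len);      /* cmp ecx, [ebp-28] / jne loop */

    /* EAX here is only the LAST (char ^ index) value, not the sum. */
    eax *= 6;                  /* imul eax, 6 */
    ebx <<= 7;                 /* shl ebx, 7 */
    eax += ebx;                /* add eax, ebx */
    return eax;
}

/* Formats the serial the way the crackme does with "%lX" (uppercase hex,
   no padding). Returns 0 on a rejected name, 1 otherwise. */
int k4n_serial(const char *name, char *out, size_t outlen)
{
    if (!k4n_length_ok(name)) {
        if (outlen) out[0] = '\0';
        return 0;
    }
    snprintf(out, outlen, "%lX", (unsigned long)k4n_hash(name));
    return 1;
}

/* Mirrors the final string compare of "real" vs entered serial: 1 = accepted. */
int k4n_check(const char *name, const char *entered)
{
    char real[16];             /* 8 hex digits + NUL is the maximum */
    return k4n_serial(name, real, sizeof real) && strcmp(real, entered) == 0;
}

int main(void)
{
    const char *name = "CoDe_InSiDe";   /* the Name used in the tutorial */
    char serial[16];
    if (k4n_serial(name, serial, sizeof serial))
        printf("%s -> %s\n", name, serial);
    return 0;
}
```

For the tutorial's own input, CoDe_InSiDe, the loop sums to 992 with a last value of 110, so EAX ends as 110*6 + (992<<7) = 0x1F294. What the model shows about the scheme: the serial is a pure, secret-free function of the name, and the loop collapses many names onto one value (every char XORed with its 1-based index feeds a plain sum), so "abcd" and any other name with the same per-position XOR results share a serial. A compare against a value the program can recompute from the name alone is exactly why a check like this offers no real protection.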


--->    Greetings...

Everyone from TrickSoft            (www.TrickSoft.net)
Everyone from Cracking4Newbies        (www.Cracking4Newbies.com)
Everyone from Keygenning4Newbies :P    (Keygenning4Newbies.cjb.net)
And everyone I know, and you...
Thanks for reading !

               Don't trust the Outside, trust the InSiDe !!!

                        Cya...

                      CoDe_InSiDe

Email:    code.inside@home.nl