How to Keygen DiskArchie v1.1

Written by seifer666 for HellForge

06/30/2000

   


1)Introduction

Protection : Name/serial
Level : easy (recommended for newbies)
Tools needed : *SoftICE
	       *A C/C++ compiler for the keygen
	       *Whatever else you want : music... :p

Download location : http://software.freepage.de/hjensen/diskarc.htm

 
2)The serial sniffing

             I launch the program and click on "Enter register Data", then type name : seifer666[HF] and serial : 12345. Ok, now let's put a bpx on hmemcpy to see what the shareware does with the input (hmemcpy only exists on Win9x; on NT-based Windows you would break on GetDlgItemTextA or GetWindowTextA instead). Leave the DLLs with F12 and trace with F10 until you arrive at :
 

:00448540 E81FBBFCFF              call 00414064			;we land here
:00448545 8B45F4                  mov eax, dword ptr [ebp-0C]   ;eax = pointer to the name
:00448548 E8ABB0FBFF              call 004035F8			;eax = length of the name
:0044854D 83F809                  cmp eax, 00000009		;length must be greater than 9
:00448550 0F8E64010000            jle 004486BA			;if length <= 9, you have to enter more chars
:00448556 8B45F0                  mov eax, dword ptr [ebp-10]	;eax = pointer to the serial string
:00448559 E81EDBFBFF              call 0040607C			;eax = serial converted to an integer (12345 = 3039h)
:0044855E 8945E4                  mov dword ptr [ebp-1C], eax	;saves the integer serial in [ebp-1C]
:00448561 8B45F4                  mov eax, dword ptr [ebp-0C]	;eax = pointer to the name
:00448564 E88FB0FBFF              call 004035F8			;eax = length of the name (Dh = 13)
:00448569 8945EC                  mov dword ptr [ebp-14], eax	;saves the length in [ebp-14]
:0044856C 33C0                    xor eax, eax			;eax = 0
:0044856E 8945E0                  mov dword ptr [ebp-20], eax	;[ebp-20] = 0 (accumulator for the sum)
:00448571 8B45EC                  mov eax, dword ptr [ebp-14]	;eax = length of the name again
:00448574 85C0                    test eax, eax			;is the length zero ?
:00448576 7E27                    jle 0044859F			;empty name: skip the loop (already excluded by the check above)
:00448578 8945D8                  mov dword ptr [ebp-28], eax	;[ebp-28] = loop counter = length
:0044857B C745E801000000          mov [ebp-18], 00000001	;[ebp-18] = 1 (1-based index of the current char)
             So, in this first part, the prog checks the length of the name, which has to be more than 9 chars long, converts our fake serial to an integer and keeps it in memory. After this, we arrive at the first part of the keygen :
 
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044859D(C)
|
:00448582 8B45F4                  mov eax, dword ptr [ebp-0C]	;eax = pointer to the name
:00448585 8B55E8                  mov edx, dword ptr [ebp-18]	;edx = [ebp-18] = 1 at the beginning
:00448588 8A4410FF                mov al, byte ptr [eax+edx-01]	;al = ASCII code of char number edx (1-based)
:0044858C 8845DF                  mov byte ptr [ebp-21], al	;[ebp-21] = al
:0044858F 33C0                    xor eax, eax			;eax = 0	
:00448591 8A45DF                  mov al, byte ptr [ebp-21]	;eax = [ebp-21] (zero-extended byte)
:00448594 0145E0                  add dword ptr [ebp-20], eax   ;[ebp-20] += eax
:00448597 FF45E8                  inc [ebp-18]			;[ebp-18]++ : next char
:0044859A FF4DD8                  dec [ebp-28]			;counter-- : are all chars done ?
:0044859D 75E3                    jne 00448582			;no, do the loop again
             This second part is easy to understand : the ASCII codes of all the chars of the name are added and the result is kept in [ebp-20]. This number is used to compute the serial in the last part of the keygen :
 
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00448576(C)
|
:0044859F 8B45E0                  mov eax, dword ptr [ebp-20]	;eax = sum of the ASCII codes
:004485A2 F76DEC                  imul [ebp-14]			;edx:eax = eax * length of the name (only eax is kept)
:004485A5 8945E0                  mov dword ptr [ebp-20], eax	;[ebp-20] = eax
:004485A8 8B45EC                  mov eax, dword ptr [ebp-14]	;eax = length of the name
:004485AB 0145E0                  add dword ptr [ebp-20], eax	;[ebp-20] += length of the name
:004485AE 8B45F4                  mov eax, dword ptr [ebp-0C]	;eax = pointer to the name
:004485B1 8A4001                  mov al, byte ptr [eax+01]	;al = ASCII code of the second char of the name
:004485B4 8845DF                  mov byte ptr [ebp-21], al	;[ebp-21] = al
:004485B7 33C0                    xor eax, eax			;eax = 0
:004485B9 8A45DF                  mov al, byte ptr [ebp-21]	;eax = [ebp-21]
:004485BC F76DE0                  imul [ebp-20]			;eax = [ebp-21] * [ebp-20]
:004485BF 8945E0                  mov dword ptr [ebp-20], eax	;[ebp-20] = the product
:004485C2 33C0                    xor eax, eax			;eax = 0
:004485C4 8A45DF                  mov al, byte ptr [ebp-21]	;eax = ASCII code of the second char of the name
:004485C7 0145E0                  add dword ptr [ebp-20], eax	;[ebp-20] += eax
:004485CA 33C0                    xor eax, eax			;eax = 0
:004485CC 8A45DF                  mov al, byte ptr [ebp-21]	;eax = ASCII code of the second char of the name
:004485CF F76DEC                  imul [ebp-14]			;eax = eax * length of the name
:004485D2 0145E0                  add dword ptr [ebp-20], eax	;[ebp-20] += eax
:004485D5 8B45E0                  mov eax, dword ptr [ebp-20]	;eax = registration code = [ebp-20]
:004485D8 3B45E4                  cmp eax, dword ptr [ebp-1C]	;eax is compared to our fake serial
:004485DB 7574                    jne 00448651			;if not equal --> wrong messagebox	
:004485DD C605DC66450001          mov byte ptr [004566DC], 01	;else, we are registered
             If we want to find our serial, we just have to evaluate eax at 4485D8 (? eax in SoftICE prints it in hex and decimal; d eax would dump memory at that address instead) :-). My final registration details are : name : seifer666[HF] serial : 1481165
Now, let's finish this tut with the keygen for this shareware...
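Before writing the keygen, it helps to have a model of the check routine itself, so the analysis can be confirmed against the name/serial pair above. The program below is an added example for this page, not the original keygen, and the function names are mine. It models the three parts of the listing (length check, byte sum, final arithmetic and compare) in 32-bit unsigned arithmetic, because every single-operand IMUL in the routine keeps only EAX, so the real code wraps modulo 2^32. The serial parser assumes that 0040607C is a plain decimal string-to-integer conversion, which is all the listing shows.

```c
/* Added example (not from the original tutorial): a C model of the check
 * routine at 00448540-004485DB, used to confirm the analysis against the
 * name/serial pair given in the text.  Function names are mine. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the arithmetic of the listing.  Every IMUL at 004485A2, 004485BC
 * and 004485CF keeps only EAX, so the result wraps modulo 2^32. */
uint32_t diskarchie_code(const char *name)
{
    uint32_t len = (uint32_t)strlen(name);
    if (len < 2)                       /* target never gets here: len > 9 is checked first */
        return 0;
    uint32_t acc = 0;                  /* [ebp-20] */
    for (uint32_t i = 0; i < len; i++)
        acc += (unsigned char)name[i]; /* 00448582..0044859D: zero-extended byte sum */
    acc *= len;                        /* 004485A2 */
    acc += len;                        /* 004485AB */
    uint32_t c2 = (unsigned char)name[1]; /* 004485B1: second char */
    acc *= c2;                         /* 004485BC */
    acc += c2;                         /* 004485C7 */
    acc += c2 * len;                   /* 004485CF..004485D2 */
    return acc;
}

/* Models 0040607C.  Assumption: it is a decimal string-to-integer
 * conversion; anything that is not a clean non-negative number that fits
 * in 32 bits is treated as an invalid serial. */
int parse_serial(const char *s, uint32_t *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE)
        return 0;
    if (v < 0 || v > (long long)UINT32_MAX)
        return 0;
    *out = (uint32_t)v;
    return 1;
}

/* Returns 1 when the target would set the "registered" flag at 004566DC. */
int diskarchie_check(const char *name, const char *serial)
{
    uint32_t s;
    if (strlen(name) <= 9)             /* 0044854D: cmp eax,9 / jle */
        return 0;
    if (!parse_serial(serial, &s))
        return 0;
    return diskarchie_code(name) == s; /* 004485D8: cmp eax,[ebp-1C] / jne */
}

int main(void)
{
    const char *name = "seifer666[HF]"; /* pair quoted in the tutorial */
    printf("%s -> %u\n", name, (unsigned)diskarchie_code(name));
    printf("check(%s, 1481165) = %d\n", name, diskarchie_check(name, "1481165"));
    printf("check(%s, 12345)   = %d\n", name, diskarchie_check(name, "12345"));

    /* Constructed input: a 600-char name whose intermediate product exceeds
     * 2^32, so only a 32-bit model gives the value the target compares. */
    char longname[601];
    memset(longname, 'z', 600);
    longname[600] = '\0';
    printf("600 x 'z' -> %u (wrapped modulo 2^32)\n", (unsigned)diskarchie_code(longname));
    return 0;
}
```

For seifer666[HF] this prints 1481165, the serial found in the debugger. The 600-char name shows why the operand width matters: the same formula in 64-bit arithmetic gives 5358386522 for that name, while the target only ever compares the low 32 bits (1063419226), so a keygen written with a 64-bit type would print a serial the program rejects.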
 

 
3)The keygen

             We saw that the algorithm of the keygen is :

*The length of the name has to be greater than 9 chars
*Sum the ASCII codes of all the chars of the name
*Multiply the sum by the length of the name
*Add the length of the name to it
*Multiply it by the ASCII code of the second char of the name
*Add the ASCII code of the second char of the name to it
*Finally add the ASCII code of the second char of the name multiplied by the length of the name
All of this in 32-bit arithmetic, since each imul keeps only eax. The translation of this algorithm into C can be :
 
//***********************************************************************************************
//DiskArchie Keygen by seifer666

#include <stdio.h>
#include <stdint.h>
#include <string.h>

int main(void)
{
	char name[100];
	uint32_t code = 0;  // 32-bit like the target: each imul keeps only eax
	size_t len, i;

	printf("**********************************************************\n");
	printf("		   DiskArchie Keygen                   \n");
	printf("	      Written by seifer666 for HF         \n");
	printf("**********************************************************\n");

	printf("\nEnter your name (more than 9 chars) : ");
	if (fgets(name, sizeof name, stdin) == NULL) // fgets, not gets: name[] cannot overflow
		return 1;
	name[strcspn(name, "\r\n")] = '\0'; // drop the trailing newline
	len = strlen(name);

	if (len <= 9) //name has to be more than 9 chars long (cmp eax,9 / jle)
	{
		printf("\nName should be more than 9 chars long !!\n");
		return 1; //error returned
	}

	for (i = 0; i < len; i++)
	{
		code += (unsigned char)name[i]; //sum of ascii codes, zero-extended like xor eax,eax / mov al
	}

	code *= (uint32_t)len;
	code += (uint32_t)len;
	code *= (unsigned char)name[1];
	code += (unsigned char)name[1];
	code += (unsigned char)name[1] * (uint32_t)len;

	printf("Your registration code is : %u\n", (unsigned)code);
	return 0; //all is ok
}
//***********************************************************************************************
That's all :p !
 

4)Final words

             I hope you understood everything, but if something is wrong or if you have any comments, don't hesitate to contact me. See you again very soon !

I greet my groups : DQF, digital Factory, HellForge

and my friends (no specific order) : ACiD BuRN, BoomBox, BlndAngl, Lucifer48, Volatility, Tscube, Visionz, amante4, alpine, FatBoyJoe, Warez Pup, Eternal_bliss, r!sc, [mega], Sushi, MagicRaphoun, TaMaMbolo, Kahel,V-Rom, Ep-180, morrinth, Tres`ni, Dawai, DXF, CiniMod, xor, Air2k, grAnix, LordOfLa, karlitoXZ, [ManKind], Falcon^, Dazzler.... and all I've forgotten ;-)

seifer and HellForge

You can join me at seifer666@caramail.com or #ICQ : 61545376