²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²
    ²²                                                   ²²ßÛ
    ²²   /   /                    / /      / /           ²² ÛßÛ
    ²²   / //  ' \/  ' \/   \/   /   /   `/ /            ²² Û Û
    ²² /   / / / / / / /\   / /  \  /\ , / /             ²² Û Û
    ²²                                                   ²² Û Û
    ²²  /    \                        / /         / /    ²² Û Û
    ²² / / / / - | -</   / - )   \/    /   `/   \/   ( -<²² Û Û
    ²²/     /\  /   /\  /\  / // /\ , /\ , / // /\  /   /²² Û Û
    ²²                                                   ²² Û Û
    ²²      Web: http://www.ImmortalDescendants.org      ²² Û Û
    ²²                Author: ACiD BuRN                  ²² Û Û
    ²²                Date: 24/05/2000                   ²² Û Û
    ²²        Topic: Keygenning MP3 Explorer 3.2         ²² Û Û
    ²²                Level: beginner                    ²² Û Û
    ²²                                                   ²² Û Û
    ²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²² Û Û
      ÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛ Û
        ÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛ

=========================================================================
Introduction
=========================================================================
Oh yeah , another tutor from your lil ACiD BuRN :) the frog is back from 
hell heh! Ok, looks like i am finally back in cracking and reversing stuff 
hehe ;) After a goddamn long time without doing anything coz of my illness 
(which isn't fixed thought) i am ready to make others tutorials :) Enough 
blabla! let's Rock :) Oh by the way, I keygenned CORE trial CrackMe :p

I'm gonna teach you a good way to keygen lots of shit!
Using BPR can help you a lot in keygenning, you will see :)

=========================================================================
Tools Used
=========================================================================
- Soft ice 3.23 (best version for me :)
- a C++ compiler
- a brain
- Some good music :)

Note: I assume you know how to use these tools, otherwise you gotta find 
some easy tutorials that teach you how to use them and come back once 
you're ready :)

=========================================================================
Let's Rock
=========================================================================

Run mp3 explorer and go in the '?' menu and look in about :) Here is a 
place to enter name/serial hehe!
enter name: ACiD BuRN
enter code: 12321

In fact, the bpr technique will put us directly in the generation part of 
the algo! without tracing like a fool :)

Put a bpx on GetWindowtextA and press on the OK button! Soft ice pops up! 
Break due to BPX USER32!GETWINDOWTEXTA... btw don't press anything! 
(i.e: F11 or F12) we're gonna look the stack parameter. For best 
visibility, we will look dword (command = dd) so, in soft ice: dd esp
Why's that?! huh

"dd" means: display dword and "esp" is the stack pointer!
After pressing "dd esp", the Soft-ice's window change and we can see the 
parameters:

xxxx:yyyyyyyy  A     B     C     D  ................
xxxx:yyyyyyyy  E     F     G     H  ................


Where A,B,C,D,E... look like:  XXXXXXXX (Of course XXXXXXXX are some 
numbers hehe)

You should see something like this:

xxxx:yyyyyyyy   0044423B  00000464  015DB338  0000000A  ...........

We will only use this :)

(As you noticed, here A=0044423B , B=00000464, C= 015DB338...)
We can see here the adress where our name ends (015DB338).

type D "adress where the name ends" For example here is is: D 015DB338

Now, you can press F11 and you should see the name at the address we 
looked (where the name ended...) Good, we are on the right way eheh!

We're gonna put a BPR (break on memory range). This kind of BP works 
like this:

bpr "start adress" "end address" RW

RW means:  Read and write.  So, it's gonna stop when something is 
reading or writing to this address.

So, under Soft-ice, type this:
bpr 015DB338 015DB338 + (length of the name - 1) RW

ACiD BuRN (length: 9 -> 9 - 1 = 8)
In our target, for ACiD BuRN, we type this :

bpr 15DB338 015DB338+8 RW

Now, you can disable our bpx on getwindowtextA! ( bd 0 ) You just have 
to press F5 and we will land in directly in the algo :) Well, on this 
app, not directly, we land in the dll so keep pressing F5 till you are 
in DLLs :)

'Coz, we don't give a flying fuck of them :p

Once you are in the App, we are in the good place! and algo starts 
there: look at my winice.log

----------------------SNiP----- SNiP----- SNiP----------------------------

:bpx getwindowtexta
Break due to BPX USER32!GetWindowTextA  (ET=1.17 seconds)
:dd esp
:d 15f5a18
Break due to G (ET=268.99 microseconds)
:bpr 15f5a18 15f5a18+8 RW
:bd 0
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
:u eip l 50

comment: here comes the first loop:

025F:0040A173  8B442420            MOV     EAX,[ESP+20]  ; EAX contains the adress of my name
025F:0040A177  0FBE0C06            MOVSX   ECX,BYTE PTR [EAX+ESI] ; ECX = hex value of 1st char
025F:0040A17B  51                  PUSH    ECX
025F:0040A17C  E8E9BB0100          CALL    00425D6A      ; intresting !!!!
025F:0040A181  83C404              ADD     ESP,04
025F:0040A184  03E8                ADD     EBP,EAX      ; add ascii value in hex to EBP
025F:0040A186  46                  INC     ESI          ; next char!
025F:0040A187  3BF7                CMP     ESI,EDI      ; All chars done ?!
025F:0040A189  7CE8                JL      0040A173     ; no, jmp start !


025F:0040A18B  8B4C240C            MOV     ECX,[ESP+0C]         /
025F:0040A18F  BAC0D40100          MOV     EDX,0001D4C0        /
025F:0040A194  2BD5                SUB     EDX,EBP            /   we will look that
025F:0040A196  33C0                XOR     EAX,EAX           /    after !
025F:0040A198  3BCA                CMP     ECX,EDX          /
025F:0040A19A  8D4C2420            LEA     ECX,[ESP+20]    /
025F:0040A19E  0F94C0              SETZ    AL             /


So, we see that it takes ascii value of each chars and adds them in EBP.
But there is a Call which looks intresting ! let's have a closer look in it :

:u eip l 50

025F:00425D6A  53                  PUSH    EBX
025F:00425D6B  33DB                XOR     EBX,EBX         ; EBX=0
025F:00425D6D  391D74344800        CMP     [00483474],EBX  
025F:00425D73  7513                JNZ     00425D88
025F:00425D75  8B442408            MOV     EAX,[ESP+08]  ;move ascii value in EAX
025F:00425D79  83F861              CMP     EAX,61        ;compare it to 61h     
025F:00425D7C  7C59                JL      00425DD7      ;less than 61? jump to 425DD7
025F:00425D7E  83F87A              CMP     EAX,7A        ;compare it to 7A
025F:00425D81  7F54                JG      00425DD7      ;greater than 7A? jump to 425DD7
025F:00425D83  83E820              SUB     EAX,20        ;less than 7A but greater than 61 (eax-20)  
025F:00425D86  5B                  POP     EBX
025F:00425D87  C3                  RET                   ;ret! come out of the call!
025F:00425D88  56                  PUSH    ESI
025F:00425D89  BE88484800          MOV     ESI,00484888
025F:00425D8E  57                  PUSH    EDI
025F:00425D8F  56                  PUSH    ESI



Ok, so what's goin' on?! Well it compares the char to 61 , 7A! 
61h = a and 7Ah = z  if it is less than 7A but greater than 61 it 
subtracts 20 from it.  Well , this is just making all the chars 
uppercase! So the serial for ACiD BuRN will be the same than for 
Acid Burn, acid burn, ACID burn... So what does the main loop do? 
Convert to uppercase and then add  ascii value to EBP...  Do all 
Chars and then we land here:

025F:0040A18B  8B4C240C            MOV     ECX,[ESP+0C]   ; ECX = our fake entered serial
025F:0040A18F  BAC0D40100          MOV     EDX,0001D4C0   ; EDX = 1D4C0h = 12000  
025F:0040A194  2BD5                SUB     EDX,EBP        ; EDX = EDX - EBP
025F:0040A196  33C0                XOR     EAX,EAX        ; EAX = 0
025F:0040A198  3BCA                CMP     ECX,EDX        ; Compare fake serial to good one
025F:0040A19A  8D4C2420            LEA     ECX,[ESP+20]  
025F:0040A19E  0F94C0              SETZ    AL            

it is clear enough !
So the algo is:

- convert all chars to uppercase
- add all ascii values 
- Subtract the result of ascii added to 12000

Now ,you can easily code a keygen for MP3 Explorer !
As usual, i am gonna give you the source of a working Keygen coded by me :)
No more Visual basic (i was lazy hehehe!) here it is C++ + inline asm :)


-------------------------start of my source---------------------------------

#include <stdio.h>
#include <string.h>
#include <conio.h>

int main(){
    int i,len;

    unsigned char name[100];

    unsigned long check=128;

    printf("\Mp3 Explorer Keygen By : ACiD BuRN [Immortal descendants] \n ");
    printf("\                                                          ");
    printf("\nEnter name: ");
    gets(name);
    len=strlen(name);

asm
{
       xor ecx, ecx
       xor edi, edi	
       mov edx, [len]

start1:
       movsx eax, [name+ecx]
       cmp eax, 97
       jl temp1
       cmp eax, 122
       jg temp1
       sub eax, 32

temp1:
       add edi, eax
       inc ecx
       cmp ecx, edx
       jne start1

       mov eax, 120000
       sub eax, edi
       mov [check], eax

}
    
    printf("=: %lu" ,check); /* %lu = decimal, check = serial */
    printf("\nEnjoy!");
getch();
return 0;

}

----------------------------end of my source---------------------------------

Info:

if you compile this keygen it will work, but if you enter a name with 
accents ie: frédéric or Cédric ... the given serial won't work.. Why's 
that? I dunno ... looks like the compiler fucks up a bit of the code hehe
Because if you compile this algo in a 32 bits GUI Keygen it will works for 
every name! But hell, i ain't gonna give you my C++ template :p hehe :)


This tutorial is over and i hope you learned something from it... btw , as 
i don't have internet anymore, don't mail me your question coz i don't 
know when i would read them! But Go to #Cracking4newbies and go nag an OP 
there ;-Þ

=========================================================================
Final Words
=========================================================================
This tutorial is dedicated to my girly! 
Celine, you own me !:)

Greets fly out to (no specific order):

CyberBlade, R!SC, ^INFeRNo^, AB4DS, Klefz, Volatility, TORN@DO, T4D, Jeff, 
[Virus], JaNe, Appbusta, Duelist, tKC, BuLLeT, Lucifer48, MiZ, DnNuke, 
Bjanes, Skymarshall, afkayas, elmopio, SiFLyiNG, Fire Worx, CrackZ, 
neural en, WarezPup, y, SiONIDE, SKORPIEN, Lazarus, Eternal Bliss, 
Magic Raphoun, DEZM, Bisoux, Carpathia, K17, theMc, noos, Xmen, TeeJi, 
JB007, Arobas, T0AD, ytc, Kwai lo, Killer 3K, TaMaMBoLo, gizmo, Gota, 
ExtaBrain, Alpine, WarezPup, zoltan, [yAtes], TarGon, Icecream, Punkguy2, 
Sortof, TRDdonjuan, Lord Soth, Judged, G-Rom, Quantico, Christal, psike, 
Leo0n, Albator, +Spath, +Frog's Print, toutim, Pulsar, Night, psike, Uno, 
F|SH, Lixus, LosT, RD-116, Ben0, Whizkid, [MandKind], alpine, Alsindor,
Stone, Elraizer, Fravia+, Iczelion, nody, Asphalt, Rhythm, rudeboy, 
X-Calibre, Cirus, shaoni...
...
"Put your name here! :P" ...

Take Care,

			ACiD BuRN [Immortal Descendants / ECLiPSE ]