*** Keygenning Toggler v1.0 ***
*** by webmasta/ryan ***
*******************************
Jan 31st 2001

Tools: Softice v3.25 (best for me) and a Programming Language

%View This with full Screen%

The Target: Toggler v1.0 (c) Aestas Software
URL: http://members.execulink.com/~pjones/toggler/togglr10.zip
Size: 30kb VERY SMALL, TRY IT!!

After opening this bugger, you go to the About box and it says "Enter Registration Number"... awwww, how sweet =)

Let's enter a Name and any Serial.. I chose:

webmasta/PGC
676767

Next, go into Softice and bpx GetWindowTextA and GetDlgItemTextA.. it doesn't matter which, because they will both break on this program. =) I chose GetWindowTextA.. Now go back to the program and hit OK... we should have gone back to Sice. You will land in USER32 or Kernel, just hit F11 *ONCE*. You should see something like this:

Land here | :004024FC 50             push eax
            :004024FD FF15C8404000   Call dword ptr [004040C8]
            :00402503 59             pop ecx
            :00402504 89450C         mov dword ptr [ebp+0C], eax
            :00402507 8D45D8         lea eax, dword ptr [ebp-28]
            :0040250A 6A28           push 00000028
            :0040250C BE0A040000     mov esi, 0000040A
            :00402511 50             push eax
            :00402512 56             push esi
            :00402513 FF7508         push [ebp+08]
            :00402516 FFD7           call edi
            :00402518 50             push eax
            :00402519 FFD3           call ebx
            :0040251B 8D45D8         lea eax, dword ptr [ebp-28]
            :0040251E 50             push eax
            :0040251F FF750C         push [ebp+0C]
            :00402522 E899000000     call 004025C0            // GOOD STUFF!
            :00402527 59             pop ecx
            :00402528 85C0           test eax, eax
            :0040252A 59             pop ecx
            :0040252B 742D           jnz 0040255A             // RIGHT HERE!

Now, what I like to do is scroll down in the code and look for where it jumps to the msgbox, or RETs. I scrolled all the way down and I see that a message box gets called around 0040255C. So when I scroll back up I look for a jne, jnz, jmp, je, etc. that might jump there. AHH HA! at 0040252B!! It tests eax and jumps if not zero, so SOMETHING made eax change its value....
Well, the only logical thing to do would be to go inside that call at 00402522; that probably has our answer =)

*Newbie* Calls in ASM are the same thing as functions in C/C++.. it's like we are calling another part of the program.

The Good Stuff..... Let's trace into the call..

:004025C0 56         push esi
:004025C1 33F6       xor esi, esi                  // esi = 0 (this will be the running total)
:004025C3 39742408   cmp dword ptr [esp+08], esi   // compare our fake serial (already converted to a number) to 0
:004025C7 7504       jne 004025CD                  // jump if we did enter a serial
:004025C9 33C0       xor eax, eax                  // else return 0 = bad
:004025CB 5E         pop esi
:004025CC C3         ret                           // go back, no serial entered
:004025CD 8B4C240C   mov ecx, dword ptr [esp+0C]   // pointer to our name from esp+0C into ecx
:004025D1 8A01       mov al, byte ptr [ecx]        // move 1st, 2nd, 3rd etc. ascii of my name into al
:004025D3 84C0       test al, al                   // if the ascii is 0 (no more letters)
:004025D5 7408       je 004025DF                   // we are done.. goto last part
:004025D7 0FBEC0     movsx eax, al                 // sign-extend the ascii of the letter into eax
:004025DA 03F0       add esi, eax                  // esi = esi + eax (esi is the total)
:004025DC 41         inc ecx                       // point ecx at the next letter
:004025DD EBF2       jmp 004025D1                  // jump to the beginning
:004025DF 8B442408   mov eax, dword ptr [esp+08]   // put our fake serial in eax
:004025E3 B939060000 mov ecx, 00000639             // put 0x639 (1593 decimal) in ecx
:004025E8 99         cdq                           // sign-extend eax into edx:eax, which idiv needs ;) don't worry about it hehe
:004025E9 F7F9       idiv ecx                      // divide our fake serial by 0x639, quotient lands in eax
:004025EB 33C9       xor ecx, ecx                  // clear ecx
:004025ED 3BF0       cmp esi, eax                  // compare total with fake_serial/0x639
:004025EF 5E         pop esi
:004025F0 0F94C1     sete cl                       // cl = 1 if they were equal, else 0
:004025F3 8BC1       mov eax, ecx                  // return value: 1 = good, 0 = bad
:004025F5 C3         ret

WOOHOOO.. ok, time for some "reverse engineering" =)

Most of us have taken a math class before, so if you want to set it up like this, we shall:

fake_serial / 0x639 = fake_total
fake_total MUST = real_total (in esi)

The program takes your fake serial and divides it by 0x639, then compares it to the total of adding all your asciis up.
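To make clear exactly what that routine accepts, here is the check at 004025C0 reconstructed in C. This is an added illustration, not code from the tutorial or from Toggler; the function names and the sample names are my own. The division is done the way idiv does it (truncating toward zero), and the byte sum sign-extends like movsx. The interesting part from a protection point of view is that only the quotient serial/0x639 is compared with the name total, so a whole run of 0x639 consecutive serials passes for any name, any rearrangement of the same letters passes with the same serial, and even an empty name has 1592 serials that pass.

```c
#include <stdint.h>
#include <stdio.h>

/* Divisor loaded at 004025E3 (0x639 = 1593 decimal). */
#define DIVISOR 0x639

/* Loop at 004025D1..004025DD: sum the bytes of the name. movsx sign-extends,
 * so a byte >= 0x80 is added as a negative number. The name buffer is 0x28
 * bytes, so the total stays small and t * DIVISOR cannot overflow. */
static int32_t name_total(const char *name)
{
    int32_t esi = 0;
    for (; *name != '\0'; name++)
        esi += (int32_t)(int8_t)*name;      /* movsx eax, al ; add esi, eax */
    return esi;
}

/* Routine at 004025C0: 1 when the serial would be accepted, 0 otherwise.
 * C's / truncates toward zero exactly like idiv. */
int check_serial(int32_t serial, const char *name)
{
    if (serial == 0)                        /* cmp [esp+08], esi ; jne */
        return 0;
    return name_total(name) == serial / DIVISOR;   /* cmp esi, eax ; sete cl */
}

/* Because only the quotient is compared, every serial with that quotient
 * passes. first_accepted/last_accepted give the bounds of that run of
 * positive serials (0 if the name total is negative, which needs non-ASCII
 * bytes). Serial 0 itself is rejected before the division, hence the 1. */
int32_t first_accepted(const char *name)
{
    int32_t t = name_total(name);
    if (t < 0) return 0;
    return t == 0 ? 1 : t * DIVISOR;
}

int32_t last_accepted(const char *name)
{
    int32_t t = name_total(name);
    if (t < 0) return 0;
    return t * DIVISOR + (DIVISOR - 1);
}

/* Number of distinct positive serials the check accepts for this name. */
int32_t accepted_count(const char *name)
{
    int32_t lo = first_accepted(name), hi = last_accepted(name);
    return (hi > 0 && hi >= lo) ? hi - lo + 1 : 0;
}

int main(void)
{
    const char *name = "webmasta/PGC";      /* the name used in the tutorial */
    printf("%s: total %d, serials %d..%d all pass (%d of them)\n",
           name, (int)name_total(name), (int)first_accepted(name),
           (int)last_accepted(name), (int)accepted_count(name));
    /* the tutorial's guessed serial fails; an anagram of the name passes */
    printf("676767 accepted: %d\n", check_serial(676767, name));
    printf("anagram with same serial accepted: %d\n",
           check_serial(first_accepted(name), "PGC/webmasta"));
    return 0;
}
```

Seen from the protection side, this is the lesson: a check that collapses the name to an order-independent sum and then throws away the remainder of a division is accepting a large family of (name, serial) pairs, not one.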
So, if we want to reverse this, we must MULTIPLY 0x639 x real_total (esi). That will give us our serial number!! (Decimal).

Ok, since this is a newbies tutorial, I will write a keygen in VB...

*** START OF SOURCE ***
' ecx holds the entered name, esi is the running total
esi = 0
For i = 1 To Len(ecx)
    esi = esi + Asc(Mid(ecx, i, 1))
Next i
esi = esi * 1593 ' 0x639 in decimal
Serial.Text = LTrim(Str(esi))
***END OF SOURCE***

Welp, another one cracked...

Greets: WarezPup for telling me to write this tutorial =)) Nitrus, Muad`Dib, llama, C_DKnight, WarezPup, #cracking4newbies, risc, nchanta, Snacker, josephCo, Predator, FireWorx, rizza, lithium2, BNW, sheep140, insane[pgc], thesmurf, speedsta, Immortal Desendants, CrEaM, izelion, dlw, ACiD BuRN, Toth, hell, Dow, dennison, prs, TK4, glen, jess0r, metaray, nail, Black Acid, TCA wh0res, #cracking4newbies, FireWorx, Dormouse, Da_DiABLO, PGC, DC (R.I.P), RiSE and DVN

Thanks to Fravia, tKC, Maud`Dib, LaZaRuS, risc, Eternal Bliss, Tornado, Acid Burn, and others for their great Tutorials!

Contact Info: #cracking4newbies on Efnet (IRC) or webmasta@pgc-cracker.com