Dedication

Intoduction & Protection

iNTROdUCTION :

Keygenz ...
people really like to see thier name on the about screen instead the name of the cracker, i think this is how ppl rate crackers sometimes (i.e : if he can make a keygen then he is a good cracker ) , hmm ... !! but this is not allways true , for example this prog , anyone with a little cracking exp. can keygen it ....

pROTEcTION :

This prog need a Registration name and a Registration code to register , so what are we waiting for ... let's CRACK ..

The Essay

After u have intalled the prog, run it , and a window will show asking us for our Registraion Name and Code , so let's enter a dummy code , in my case i wrote :

Registration Name : FaT[BiT] \ TNT!
Registration Code : 1234567890

Now before you click on the Register button get into softice and set a breakpoint like this :

bpx hmemcpy

then press F5 to exit now press on the register button and softice will break , so press F11 once the press F12 for 11 times, then clear all the breakpoints (bc *) , and you will be at this code :

:00456CE5 8B45FC                  mov eax, dword ptr [ebp-04] <-- eax has our name
:00456CE8 E843CEFAFF              call 00403B30 <-- get our name length
:00456CED 83F803                  cmp eax, 00000003 <-- compare the length with 3
:00456CF0 0F8EC6000000            jle 00456DBC <-- jump if less or equal to error
:00456CF6 8D55FC                  lea edx, dword ptr [ebp-04]
:00456CF9 8B83E0020000            mov eax, dword ptr [ebx+000002E0]
:00456CFF E89036FDFF              call 0042A394 <-- get our code from the text box
:00456D04 8B45FC                  mov eax, dword ptr [ebp-04] <-- eax has our dummy code
:00456D07 E824CEFAFF              call 00403B30 <-- get the length of our dummy code
:00456D0C 83F80A                  cmp eax, 0000000A <-- compare it with 0Ah= 10d
:00456D0F 0F8EA7000000            jle 00456DBC <-- jump if less or equal to error

o.k until now , we have passed the 1st check but NOT the 2nd, cause in my case the length of my dummy code in 10 chars. , so if u have entered a 10 char dummy code , set a break point on the jump at address 00456D0F by double clicking on the jump command in the code window in softice (where the white bar is) , then press F5 (twice) to exit softice and add only 1 char to ur dummy code then click on register again and u are back to address 00456D0F , and passed the 2nd check . now continue to trace with the F10 command until u are here :

:00456D35 8B45F4                  mov eax, dword ptr [ebp-0C] <-- eax has our name
:00456D38 8D55F8                  lea edx, dword ptr [ebp-08] <-- where the real code is stored
:00456D3B E8A4F8FFFF              call 004565E4 <-- calcualte the real code
:00456D40 8B55F8                  mov edx, dword ptr [ebp-08] <-- real code in edx
:00456D43 58                      pop eax <-- eax has our dummy code
:00456D44 E8F7CEFAFF              call 00403C40 <-- check if they are equal
:00456D49 7571                    jne 00456DBC <-- if not then jump to error

O.k for some people the prog is 100% cracked , but for others it is not , so if u want to fish a serial for ur name then when u are at address 00456D43 write in softice (d edx) and u will see ur real code in the data window , now if u want to continue in this tut to make a keygen then i think u should try a different name and see the reg. code for it, what do u see ? ... is there something commen between them ... o.k did u get them ... kool lets move on ...

The Keygen

o.k this is the best part of the tut ...
When you are at address 00456D3B press F8 to get into the call , then trace with the F10 button until u reach this code :

:00456624 8B75FC                  mov esi, dword ptr [ebp-04] <-- esi points to our name (*)
:00456627 0FB67416FF              movzx esi, byte ptr [esi+edx-01] <-- put in esi a char. from our name
:0045662C 03DE                    add ebx, esi <-- add it to the contents of ebx
:0045662E 42                      inc edx <-- increment edx to take next char
:0045662F 48                      dec eax <-- decrement eax (name length)
:00456630 75F2                    jne 00456624 <-- jump if not zero to (*)
:00456632 0FAFD9                  imul ebx, ecx <-- multiply the result by the name length
:00456635 69C3CA090000            imul eax, ebx, 000009CA <-- multiply ebx by 9CAh = 2506d, put result in eax

O.k i think the above couldn't be more clearer ... yes i think it is ...
At the end of the algo. above, our code is in eax, before u reach the code below the prog will convert our calculated code in the eax to string, so trace with the F10 command until u reach this code :

:0045664B 8B45F0                  mov eax, dword ptr [ebp-10] <-- eax has our real code string
:0045664E B907000000              mov ecx, 00000007 <-- note the value in ecx
:00456653 BA01000000              mov edx, 00000001
:00456658 E8D7D6FAFF              call 00403D34
.
.
.
:00456666 8B45F4                  mov eax, dword ptr [ebp-0C] <-- eax = our real code string - last digit

O.k let me explain something here ...
at 0045664B eax point to our real code string , that is the code that has been calcualted in the previous algo. but now it is a string as i said before. the prog put 7 in the ecx register , after that at address 00456666 eax point to our real code string but without the last digit , this means that the prog check if our real code string is more than 7, if it is then eliminate the digits that come after the 7th digit in my case the prog eliminate only the 8th digit , in other wordz take the first 7 char. from our real code string

now continue to trace with the F10 button until u reach this code ...

:00456669 E8C2D4FAFF              call 00403B30 <-- get length of real code str in eax
:0045666E 8BD0                    mov edx, eax <-- edx now has 7
:00456670 83EA02                  sub edx, 00000002 <-- edx is now 5
:00456673 B902000000              mov ecx, 00000002
:00456678 8B45F4                  mov eax, dword ptr [ebp-0C] <-- eax has our real code str
:0045667B E8B4D6FAFF              call 00403D34 <-- take the 5th & 6th char. from real code str

o.k it is getting pretty dirty here ...
the best way to explain the code above is that the prog take the 5th and 6th char from our real code string and store them in different memory location ... (y ?) ... until now i don't have the answer but lets continue to trace with the F10 command until u reach this code :

:00456686 8B55FC                  mov edx, dword ptr [ebp-04] <-- edx point to our name
:00456689 8A12                    mov dl, byte ptr [edx] <-- dl has our 1st char from our name
:0045668B E8C8D3FAFF              call 00403A58

o.k kool ... haha now we've got it !!
now the prog take from our name the first char. and if u want to trace inside the call at address 0045668B go ahead! , but i will tell u what is going on !!! , since dl has the first char from our name , it check if it is small, if it is change it to capital , if it is not then do nothin , then it stores the char in new memory location ...

so ... don't u think it is time to stop the trace ... (y ???)
at first when we find the reg. code for our name, the code has the following format :

S X X C X X X X X X X <-- remember !! i told u to find 2 reg. code for 2 names

where the C stands for our first char. from our name and the first 2 Xs is the same as the 5th and 6th Xs , and then add the S at the start of the code , and the last 7 Xs is the calcualted code, so we have now all the components to make a code for our name , which i have described above ... but for some ppl i will repeat the algo quickly ...

1. get the name, if it is less than or equal 3 char. then error
2. add all its char.
2. then multiply the result from 2 by the length of the name and 2506
4. convert the result from 3 to string and take the first 7 char.
5. take the 5th and 6th char. and keep them in safe place ... (Hey!!! that hurts !!)
6. take the first char from our name and convert it to captial if it was small , and also keep it in a safe place after the 5th & 6th char. (AHHH !!!)
7. put in the safe place the 'S' char at the begining
8. put the result from 4 to the end of the string, that is after the first char. from our name
9. we have our code ... let's register ...

so ... if we put this algo. in C/C++ words it will give us a keygen ...

#include <stdio.h>
#include <conio.h>
#include <stdlib.h>
#include <string.h>

int main (void)
{
    char name[40], codestr[8], ch;
    int i;
    unsigned long code = 0;

    clrscr();
    printf("======================================================\n");
    printf(" ShutIt! v1.0 - keymaker - by FaT[BiT] \\TNT!\n");
    printf("======================================================\n\n");
    printf("Registraion Name : ");
    gets(name);

    if (strlen(name) <= 3)
     {
       printf("Registraion Code : Error Short Name (at least 4 char)");
       exit(1);
      }

    for(i = 0; i < strlen(name) ; ++i)
     {
      ch = name[i];
      code += (unsigned long char) ch ;
      }

    code *= (unsigned long int) strlen(name) * 2506;
    ultoa(code, codestr, 10);
    codestr[7] = 0;
    printf("Registraion Code : S%c%c%c%s", codestr[4], codestr[5], toupper(name[0]), codestr);
    return 0 ;
   }

o.k after u compile this prog, run it and enter ur name and take the reg. code back to the prog and ...

Final WordZ