Dedication

Intoduction & Protection

iNTROdUCTION :

Keygenz ... once again
Welcome to part 2 of these tutorials on how to make keygenz ... i have selected rather little bit harder keygen for this time, but its hardness not in the complexity of the algo. it is in the length of it !!!

pROTEcTION :

o.k this prog needs a name and a code to register , like allways we will find the code first then see how the algo works and code a keygen ... so let's start ...

The Essay

o.k after u have installed the prog. run it , u will see a nag screen reminding u that this is a trail version , and there is a button labled Enter Code ... , so click on it and there u go , it needs a name and a code to register , so enter ur info, in my case i wrote :

Name : FaT[BiT] \ TNT!
Code : 1234567890

o.k before u click on the o.k button , get into softice and set a breakpoint like this one :

bpx GetDlgItemTextA

now press F5 to exit softice, then press the o.k button , softice will break , press F11 to get the caller , then clear all breakpoints (bc *) , then trace with the F10 command until u reach this code :

:0040B724 50                      push eax <-- eax has our dummy code
:0040B725 51                      push ecx <-- ecx has our name
:0040B726 E855080000              call 0040BF80 <-- check call, put result in eax
:0040B72B 83C408                  add esp, 00000008
:0040B72E 85C0                    test eax, eax
:0040B730 7447                    je 0040B779 <-- if not valid code , jump to error

o.k when u r at address 0040B726 press F8 to get into the call , then trace with the F10 command until u reach this code :

:0040BFAC AA                      stosb
:0040BFAD E8AE000000              call 0040C060 <-- the call that calcualtes the real code
:0040BFB2 8B8C2414010000          mov ecx, dword ptr [esp+00000114]

o.k now after the prog execute the call at address 0040BFAD write in softice (d eax) and u will see ur real code in the data window ... now write the code that u got and exit softice (press F5) and let's try it, kool it worked now lets unregister it first then try to find the algo.

u can unregister it using regedit by going to this path :

[HKEY_CURRENT_USER\Software\SuperCleaner\Registration]

and delete all the keys that u find there, then press F5 to refresh the registry and let's begin ...

The Keygen

o.k now let's get back to the call at address 0040BFAD , when u r at this address, press F8 to get in it, then trace with the F10 command until u reach this code :

:0040C09B 8B1504BD4100            mov edx, dword ptr [0041BD04] <-- edx has 26h = 38d
:0040C0A1 0FBE1C38                movsx ebx, byte ptr [eax+edi] <-- ebx has a char from our name (*)
:0040C0A5 03DA                    add ebx, edx <-- add the content of edx to ebx
:0040C0A7 03CB                    add ecx, ebx <-- add the content of ebx to ecx
:0040C0A9 40                      inc eax <-- add 1 to the counter
:0040C0AA 3BC6                    cmp eax, esi <-- check if counter reached our name length
:0040C0AC 7CF3                    jl 0040C0A1 <-- if less jump to (*)

o.k after this loop finishes ecx will have the result, but trace with the F10 command until u reach this code :

:0040C0B5 51                      push ecx <-- ecx has the result from the above algo.
:0040C0B6 6834BD4100              push 0041BD34 <-- holds the format specifier "%ld-"
:0040C0BB 53                      push ebx <-- ebx will hold the converted result after
:0040C0BC FF15C0924100            Call [USER32!wsprintfA] <-- calling wsprintfA

o.k after the call at address 0040C0BC is executed take a look at the ebx register (d ebx) and the first part of our code will apear in the data window, now let's continue to trace with the F10 command until we reach to this code :

:0040C0CD 8B1508BD4100            mov edx, dword ptr [0041BD08] <-- edx has 34h = 52d
:0040C0D3 0FBE2C38                movsx ebp, byte ptr [eax+edi] <-- ebp has a char from our name (*)
:0040C0D7 0FAFEA                  imul ebp, edx <-- multiply the content of edx by ebp
:0040C0DA 03CD                    add ecx, ebp <-- add the content of ebp to ecx
:0040C0DC 40                      inc eax <-- add 1 to the counter
:0040C0DD 3BC6                    cmp eax, esi <-- check if counter reached our name length
:0040C0DF 7CF2                    jl 0040C0D3 <-- if less jump to (*)

in case u didn't notice this last piece of code is like the first one but only with 2 diffrences , edx holds the value 34h instead of 26h, and the prog multiply it by our name chars. instead of adding ... and the only thing common between these 2 codes is that ecx will hold the final result, now continue to trace with the F10 command until u reach this code ...

:0040C0F9 52                      push edx <-- edx holds the 2nd part of our code
:0040C0FA 53                      push ebx <-- ebx holds the 1st part of our code
:0040C0FB FF15D0904100            Call [KERNEL32!lstrcatA] <-- concatinate the 1st part & 2nd part

o.k again after the prog execute the call at 0040C0FB take a look at the ebx register (d ebx) and u will get the 1st and 2nd part concatinated togther ... but this is not the final result as u can see our code in the data window ends with (-) so the code is not finished, again we continue to trace ...

calculate the 3rd part

:0040C109 8B150CBD4100            mov edx, dword ptr [0041BD0C] <-- edx has 0Ch = 12d
:0040C10F 0FBE2C38                movsx ebp, byte ptr [eax+edi] <-- ebp has a char from our name (*)
:0040C113 03EA                    add ebp, edx <-- add the content of edx to ebp
:0040C115 03CD                    add ecx, ebp <-- add the content of ebp to ecx
:0040C117 40                      inc eax <-- add 1 to the counter
:0040C118 3BC6                    cmp eax, esi <-- check if counter reached our name length
:0040C11A 7CF3                    jl 0040C10F <-- if less jump to (*)

... concatenate the 3rd part with 1st and 2nd part of the code

calculate the 4th part

:0040C144 8B1510BD4100            mov edx, dword ptr [0041BD10] <-- edx has 0Eh = 14d
:0040C14A 0FBE2C38                movsx ebp, byte ptr [eax+edi] <-- ebp has a char from our name (*)
:0040C14E 0FAFEA                  imul ebp, edx <-- multiply the content of edx by ebp
:0040C151 03CD                    add ecx, ebp <-- add the content of ebp to ecx
:0040C153 40                      inc eax <-- add 1 to the counter
:0040C154 3BC6                    cmp eax, esi <-- check if counter reached our name length
:0040C156 7CF2                    jl 0040C14A <-- if less jump to (*)

Finally ... concatenate the 4th part with 1st, 2nd, and 3rd part

:0040C170 50                      push eax <-- eax holds the 4th part of our code
:0040C171 53                      push ebx <-- ebx holds the 1st 3 parts of our code
:0040C172 FF15D0904100            Call [KERNEL32!lstrcatA] <-- concatinate the final reg. code

Wow ... Thank god !!!
now after the prog execute the call at 0040C172, take alook at the ebx register and offcourse it will holds the final real reg code ...

So what now !!! let's review all this code :
1. we have 4 constants 38, 52, 12 and 14, we also have a counter = 0.

2. for (counter = 0 to counter = namelength) do,
take a char from name, add 38 to it , add the result to 1st part of code, take next char

3. printf (1st part of code + the (-) char)

4. for (counter = 0 to counter = namelength) do,
take a char from name, multiply it by 52, add the result to 2nd part of code, take next char

5. printf (2nd part of code + the (-) char)

6. for (counter = 0 to counter = namelength) do,
take a char from name, add 12 to it , add the result to 3rd part of code, take next char

7. printf (3rd part of code + the (-) char)

8. for (counter = 0 to counter = namelength) do,
take a char from name, multiply it by 14, add the result to 4th part of code, take next char

9. printf (4th part of code)

now let's code our keygen using Borland's C++ compiler ...

#include <stdio.h>
#include <conio.h>
#include <string.h>

int main (void)
{
        char name[80], ch;
        unsigned int count;
        int code = 0 ;

        clrscr();
        printf("======================================================\n");
        printf(" SuperCleaner v2.2 - keymaker - by FaT[BiT] \\TNT!\n");
        printf("======================================================\n\n");

        printf("Name : ");
        gets(name);

        for( count = 0 ; count < strlen(name); ++count) // generate 1st part
          {
            ch = name[count];
            code += ch + 38;
           }
        printf("Code : %d-", code);

        code = 0 ;
        for( count = 0 ; count < strlen(name); ++count) // generate 2nd part
          {
            ch = name[count];
            code += ch * 52;
           }
        printf("%d-", code);

        code = 0 ;
        for( count = 0 ; count < strlen(name); ++count) // generate 3rd part
          {
            ch = name[count];
            code += ch + 12;
           }
        printf("%d-", code);

        code = 0 ;
        for( count = 0 ; count < strlen(name); ++count) // generate 4th part
          {
            ch = name[count];
            code += ch * 14;
           }
        printf("%d", code);

        return 0 ;
      }

o.k after u compile this code, run it, enter ur name, take the reg. code back to the prog and ...

Final WordZ