iNTROdUCTION :
Keygenz ... once again
Welcome to part 2 of these tutorials on how to make keygenz ... I have selected a slightly harder keygen this time,
but its hardness is not in the complexity of the algo, it is in the length of it !!!
pROTEcTION :
o.k this prog needs a name and a code to register. Like always we will find the valid code first, then see how the algo works and code a keygen ... so let's start ...
o.k after you have installed the prog, run it. You will see a nag screen reminding you that this is a trial version, with a button labeled Enter Code ... click on it and there you go, it needs a name and a code to register, so enter your info. In my case I wrote :
Name : FaT[BiT] \ TNT!
Code : 1234567890
o.k before you click on the O.K button, get into softice and set a breakpoint like this one :
bpx GetDlgItemTextA
now press F5 to exit softice, then press the O.K button. softice will break; press F11 to return to the caller, then clear all breakpoints (bc *), then trace with F10 until you reach this code :
:0040B724 50 push eax <-- eax has our dummy code
:0040B725 51 push ecx <-- ecx has our name
:0040B726 E855080000 call 0040BF80 <-- check call, put result in eax
:0040B72B 83C408 add esp, 00000008
:0040B72E 85C0 test eax, eax
:0040B730 7447 je 0040B779 <-- if not valid code , jump to error
o.k when you are at address 0040B726 press F8 to step into the call, then trace with F10 until you reach this code :
:0040BFAC AA stosb
:0040BFAD E8AE000000 call 0040C060 <-- the call that calculates the real code
:0040BFB2 8B8C2414010000 mov ecx, dword ptr [esp+00000114]
o.k now after the prog executes the call at address 0040BFAD, type (d eax) in softice and you will see your real code in the data window ... write down the code you got, exit softice (press F5) and let's try it. kool, it worked! now let's unregister it first, then try to find the algo.
you can unregister it with regedit by going to this path :
[HKEY_CURRENT_USER\Software\SuperCleaner\Registration]
and deleting everything you find there, then press F5 to refresh the registry and let's begin ...
o.k now let's get back to the call at address 0040BFAD. when you are at this address press F8 to step into it, then trace with F10 until you reach this code :
:0040C09B 8B1504BD4100 mov edx, dword ptr [0041BD04] <-- edx has 26h = 38d
:0040C0A1 0FBE1C38 movsx ebx, byte ptr [eax+edi] <-- ebx has a char from our name (*)
:0040C0A5 03DA add ebx, edx <-- add the content of edx to ebx
:0040C0A7 03CB add ecx, ebx <-- add the content of ebx to ecx
:0040C0A9 40 inc eax <-- add 1 to the counter
:0040C0AA 3BC6 cmp eax, esi <-- check if counter reached our name length
:0040C0AC 7CF3 jl 0040C0A1 <-- if less jump to (*)
o.k after this loop finishes ecx will hold the result, but keep tracing with F10 until you reach this code :
:0040C0B5 51 push ecx <-- ecx has the result from the above algo.
:0040C0B6 6834BD4100 push 0041BD34 <-- holds the format specifier "%ld-"
:0040C0BB 53 push ebx <-- ebx will hold the converted result after
:0040C0BC FF15C0924100 Call [USER32!wsprintfA] <-- calling wsprintfA
o.k after the call at address 0040C0BC is executed take a look at the ebx register (d ebx) and the first part of our code will appear in the data window. now let's continue to trace with F10 until we reach this code :
:0040C0CD 8B1508BD4100 mov edx, dword ptr [0041BD08] <-- edx has 34h = 52d
:0040C0D3 0FBE2C38 movsx ebp, byte ptr [eax+edi] <-- ebp has a char from our name (*)
:0040C0D7 0FAFEA imul ebp, edx <-- multiply the content of edx by ebp
:0040C0DA 03CD add ecx, ebp <-- add the content of ebp to ecx
:0040C0DC 40 inc eax <-- add 1 to the counter
:0040C0DD 3BC6 cmp eax, esi <-- check if counter reached our name length
:0040C0DF 7CF2 jl 0040C0D3 <-- if less jump to (*)
in case you didn't notice, this last piece of code is like the first one with only 2 differences: edx holds the value 34h instead of 26h, and the prog multiplies it by our name chars instead of adding ... the only thing common between these 2 loops is that ecx will hold the final result. now continue to trace with F10 until you reach this code ...
:0040C0F9 52 push edx <-- edx holds the 2nd part of our code
:0040C0FA 53 push ebx <-- ebx holds the 1st part of our code
:0040C0FB FF15D0904100 Call [KERNEL32!lstrcatA] <-- concatenate the 1st part & 2nd part
o.k again after the prog executes the call at 0040C0FB take a look at the ebx register (d ebx) and you will get the 1st and 2nd part concatenated together ... but this is not the final result: as you can see, our code in the data window ends with (-), so the code is not finished. again we continue to trace ...
calculate the 3rd part
:0040C109 8B150CBD4100 mov edx, dword ptr [0041BD0C] <-- edx has 0Ch = 12d
:0040C10F 0FBE2C38 movsx ebp, byte ptr [eax+edi] <-- ebp has a char from our name (*)
:0040C113 03EA add ebp, edx <-- add the content of edx to ebp
:0040C115 03CD add ecx, ebp <-- add the content of ebp to ecx
:0040C117 40 inc eax <-- add 1 to the counter
:0040C118 3BC6 cmp eax, esi <-- check if counter reached our name length
:0040C11A 7CF3 jl 0040C10F <-- if less jump to (*)
... concatenate the 3rd part with 1st and 2nd part of the code
calculate the 4th part
:0040C144 8B1510BD4100 mov edx, dword ptr [0041BD10] <-- edx has 0Eh = 14d
:0040C14A 0FBE2C38 movsx ebp, byte ptr [eax+edi] <-- ebp has a char from our name (*)
:0040C14E 0FAFEA imul ebp, edx <-- multiply the content of edx by ebp
:0040C151 03CD add ecx, ebp <-- add the content of ebp to ecx
:0040C153 40 inc eax <-- add 1 to the counter
:0040C154 3BC6 cmp eax, esi <-- check if counter reached our name length
:0040C156 7CF2 jl 0040C14A <-- if less jump to (*)
Finally ... concatenate the 4th part with 1st, 2nd, and 3rd part
:0040C170 50 push eax <-- eax holds the 4th part of our code
:0040C171 53 push ebx <-- ebx holds the 1st 3 parts of our code
:0040C172 FF15D0904100 Call [KERNEL32!lstrcatA] <-- concatenate the final reg. code
Wow ... Thank god !!!
now after the prog executes the call at 0040C172, take a look at the ebx register and of course it will hold the final real
reg code ...
So what now !!! let's review all this code :
1. we have 4 constants 38, 52, 12 and 14, we also have a counter = 0, and each part of the code starts at 0.
2. for (counter = 0; while counter < namelength) do,
take a char from name (movsx reads it as a signed byte), add 38 to it, add the result to 1st part of code, take next char
3. printf (1st part of code + the (-) char)
4. for (counter = 0; while counter < namelength) do,
take a char from name, multiply it by 52, add the result to 2nd part of code, take next char
5. printf (2nd part of code + the (-) char)
6. for (counter = 0; while counter < namelength) do,
take a char from name, add 12 to it, add the result to 3rd part of code, take next char
7. printf (3rd part of code + the (-) char)
8. for (counter = 0; while counter < namelength) do,
take a char from name, multiply it by 14, add the result to 4th part of code, take next char
9. printf (4th part of code)
now let's code our keygen using Borland's C++ compiler ...
#include <stdio.h>
#include <conio.h>     /* clrscr() - Borland specific */
#include <string.h>

int main (void)
{
    char name[80], ch;
    unsigned int count;
    long code = 0 ;    /* 32-bit accumulator, like ecx and the "%ld-" format in the prog */

    clrscr();
    printf("======================================================\n");
    printf(" SuperCleaner v2.2 - keymaker - by FaT[BiT] \\TNT!\n");
    printf("======================================================\n\n");
    printf("Name : ");
    fgets(name, sizeof name, stdin);       /* bounded read, gets() would overflow name[] */
    name[strcspn(name, "\r\n")] = '\0';     /* drop the trailing newline */

    for( count = 0 ; count < strlen(name); ++count) // generate 1st part
    {
        ch = name[count];
        code += ch + 38;
    }
    printf("Code : %ld-", code);

    code = 0 ;
    for( count = 0 ; count < strlen(name); ++count) // generate 2nd part
    {
        ch = name[count];
        code += ch * 52;
    }
    printf("%ld-", code);

    code = 0 ;
    for( count = 0 ; count < strlen(name); ++count) // generate 3rd part
    {
        ch = name[count];
        code += ch + 12;
    }
    printf("%ld-", code);

    code = 0 ;
    for( count = 0 ; count < strlen(name); ++count) // generate 4th part
    {
        ch = name[count];
        code += ch * 14;
    }
    printf("%ld", code);

    return 0 ;
}
o.k after you compile this code, run it, enter your name, take the reg. code back to the prog and ...
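Added example (mine, not the tutorial's Borland keygen and not SuperCleaner's own code): the same four-part algorithm written as one table-driven function, plus a check that mirrors what the check call at 0040BF80 has to do. Two details are assumptions inferred from the disassembly rather than stated in the text: movsx sign-extends each name byte, so bytes >= 0x80 count as negative chars, and the accumulator is the 32-bit ecx printed with "%ld", so it is wrapped to a signed 32-bit value. That the dialog text arrives as cp1252 bytes (GetDlgItemTextA is the ANSI entry point) and that the prog does a plain string compare are also assumptions. The name "TNT" and the stray 0xE9 byte used below are constructed inputs.

```python
import operator
import sys

# (operation, constant) per part, in the order the prog concatenates them.
# The constants are the values read from 0041BD04..0041BD10 in the trace.
PARTS = [
    (operator.add, 38),   # 1st part: sum(ch + 38)
    (operator.mul, 52),   # 2nd part: sum(ch * 52)
    (operator.add, 12),   # 3rd part: sum(ch + 12)
    (operator.mul, 14),   # 4th part: sum(ch * 14)
]


def to_int32(value):
    """Wrap to a signed 32-bit integer (assumption: ecx is 32-bit and printed with "%ld")."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def signed_bytes(name):
    """Yield each byte as a signed char: movsx sign-extends bytes >= 0x80 (assumption)."""
    for b in name:
        yield b - 256 if b >= 0x80 else b


def part_value(name, op, const):
    """One of the four loops: accumulate op(ch, const) over the name, starting from 0."""
    acc = 0
    for ch in signed_bytes(name):
        acc = to_int32(acc + op(ch, const))
    return acc


def make_code(name):
    """Registration code for a name. str input is encoded as cp1252 (assumed ANSI code page)."""
    if isinstance(name, str):
        name = name.encode("cp1252")
    return "-".join(str(part_value(name, op, c)) for op, c in PARTS)


def check_code(name, code):
    """Assumed behaviour of the check call: the entered code must equal the computed one."""
    return code == make_code(name)


if __name__ == "__main__":
    entered = sys.argv[1] if len(sys.argv) > 1 else "TNT"
    print("Name :", entered)
    print("Code :", make_code(entered))
```

Run it as `python keygen.py "FaT[BiT] \ TNT!"` (file name is mine). For the constructed name "TNT" the four loops give 360, 12792, 282 and 3444, so the code is 360-12792-282-3444. A name containing a high byte such as 0xE9 yields negative parts, and because the prog joins parts with "-" the string then contains doubled dashes; a keygen that reads chars as unsigned would produce a different (rejected) code for such names, which is the reason the signed-byte handling is modelled explicitly.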
tKC ... (for showing me the light !! )
LW2000 ... ( Thanx alot i now use my brain )
[XasX] ... (best founder ever)
AzmO ... (yes!! man we are different !! )
Sir dReAm ... (one of the best crackers )
ASTAGA ... (the best cracking tutorials writer)
BoneZ , VaibLitzeR , and ShaQ ... (good luck to u all !! )
and to all TNT!CRACK!TEAM! members ... (keep up the good work !!)
any comments mail me : fatzbit@gmx.net
See ya in another tut !!! Soon !!!
--= EOF =--