File Split v1.4 Cracking Tutorial
Difficulty : Easy

For this tut, you need:
1) File Split v1.4;
2) SoftIce;
3) A working BRAIN.

Hi folks, I'm back! This is my third tut, and I'm gonna show you how to make a KeyGen for FILE SPLIT v1.4.

OK, first start FSPLIT.EXE and click on REGISTER. Fill in the two boxes, enter SoftIce with CTRL-D, type BPX GETDLGITEMTEXTA, press ENTER and then F5 to exit. Click on OK and SoftIce will pop up. Now type BD * and press ENTER, then press F11 once, F10 nine times and F8 once. You will see this piece of code:

:0040481E 55              push ebp
:0040481F 8BEC            mov ebp, esp
:00404821 83EC0C          sub esp, 0000000C
:00404824 53              push ebx
:00404825 56              push esi
:00404826 57              push edi
:00404827 8B7D08          mov edi, dword ptr [ebp+08]      <---- EDI = pointer to our name
:0040482A 8D4DFC          lea ecx, dword ptr [ebp-04]
:0040482D 51              push ecx                         <---- address where the 3rd part of the code will be stored
:0040482E 8D4DF8          lea ecx, dword ptr [ebp-08]
:00404831 51              push ecx                         <---- address for the 2nd part
:00404832 8D4DF4          lea ecx, dword ptr [ebp-0C]
:00404835 51              push ecx                         <---- address for the 1st part
* Possible StringData Ref from Data Obj ->"%4d-%2d-%5d"
|
:00404836 687DAB4000      push 0040AB7D                    <------ LOOK AT THIS...

OK, let's see what this instruction means: type D 40AB7D and you will see something like this: %4d-%2d-%5d. This is a scanf-style format string, and the three addresses pushed just before it are where the three parsed numbers end up. It means that your code must be three decimal numbers separated by dashes: the first part at most 4 digits, the second at most 2 digits and the third at most 5 digits. After the call, [ebp-0C] holds the first part, [ebp-08] the second and [ebp-04] the third.

So, exit SoftIce with F5, type a fake code like this: 1234-56-78901, enter SoftIce again with CTRL-D, type BPX GETDLGITEMTEXTA, press F5 to exit and then press OK. SoftIce will pop up.
Now type BD * and press ENTER, then press F11 once, F10 nine times and F8 once, and keep stepping with F10 until you reach this point:

:0040483B FF750C          push [ebp+0C]                    <---- pointer to the code we typed
:0040483E E829150000      call 00405D6C                    <---- the scanf-style parser: splits the code into its three parts
:00404843 668B5DF4        mov bx, word ptr [ebp-0C]        <---- First important instruction
:00404847 035D10          add ebx, dword ptr [ebp+10]      <---- Second important instruction
:0040484A 83C414          add esp, 00000014
:0040484D 57              push edi
:0040484E E825140000      call 00405C78                    <---- Returns the length of the NAME (strlen-like)
:00404853 83C404          add esp, 00000004
:00404856 85C0            test eax, eax                    <---- Checks if the NAME BOX is empty.
:00404858 7515            jne 0040486F                     <---- If it is NOT empty, jump to the calculation loop at 40486F; an empty name skips the loop.

Now, what does the program do??? Simple: type ? BX and you'll see that the first four digits of our fake serial (the first part, read as a number) are moved into BX. (BX is the low 16 bits of EBX, so changing BX changes EBX as well. The same holds for CX and ECX.) The next instruction adds the value at [ebp+10], the function's third argument, which is 4012 decimal (0FACh), to EBX. So, if the first part of your fake serial was 1234, EBX will contain 1234 + 4012 = 5246 (147Eh). Note that mov bx only writes the low 16 bits; the upper half of EBX is whatever it was before, which here is zero, otherwise the final ? EBX would not be a usable 5-digit number.

..................
..................
..................

:0040486F 8BF7            mov esi, edi                     <---- ESI now points at our name; the routine loops until the whole name is processed.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004048A5(C)
|
:00404871 8BCB            mov ecx, ebx                     <---- Copies EBX into ECX
:00404873 6681E10040      and cx, 4000                     <---- Keeps only bit 14 (4000h) of CX
:00404878 6681F90040      cmp cx, 4000                     <---- Was bit 14 of BX set?
:0040487D 750B            jne 0040488A                     <---- If bit 14 was clear, jump to the plain shift at 40488A.
:0040487F 80E73F          and bh, 3F                       <---- Clears bits 14 and 15 of BX (i.e. removes the 4000h bit we just tested)
:00404882 66D1E3          shl bx, 1                        <---- Shifts BX left by one BIT (not a byte); the old top bit is lost
:00404885 80CB01          or bl, 01                        <---- Sets bit 0 of BX (the bit we removed comes back in at the bottom)
:00404888 EB03            jmp 0040488D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040487D(C)
|
:0040488A 66D1E3          shl bx, 1                        <---- Bit 14 was clear: just shift BX left by one bit

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404888(U)
|
:0040488D 0FBE0E          movsx ecx, byte ptr [esi]        <---- Loads one name char into ECX (sign-extended)
:00404890 33CB            xor ecx, ebx                     <---- ECX is XORed with EBX
:00404892 334DF8          xor ecx, dword ptr [ebp-08]      <---- ECX is XORed with the 2nd part of our fake serial
:00404895 89CB            mov ebx, ecx                     <---- Moves the result back into EBX
:00404897 46              inc esi                          <----| Next name char
:00404898 57              push edi                         <----|
:00404899 E8DA130000      call 00405C78                    <----| Recomputes the length of the name
:0040489E 83C404          add esp, 00000004                <----|
:004048A1 03C7            add eax, edi                     <----| EAX = address of the end of the name
:004048A3 3BC6            cmp eax, esi                     <----|
:004048A5 77CA            ja 00404871                      <---- Loop while ESI is still inside the name
:004048A7 EBB1            jmp 0040485A                     <---- Exits the calculation routine

This was the code calculation routine. Put together, each round does a 15-bit rotate-left of BX (the two branches only differ in whether the bit that falls off the top is fed back in at the bottom; bit 15 is always discarded) and then XORs the result with one name char and with the second part of the serial. It uses our name and the first two parts of the serial we typed to calculate the third part of the code, which is the real serial number. So, when the whole name is done, place the cursor at 404897 and type ? EBX: the decimal value you see is the third part of your code.

For example, here is my key:

Name : ShadowMan
Code : 1234-56-9385

That's all. I hope you'll learn something from this tut.

Si Vis Pacem, Para Bellum.

Seeya in the next tut.

----====( ShadowMan )====----
- 27 January 2001 -
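The whole routine above (the initialisation at 404843/404847 and the loop at 404871-4048A5) rewritten as a Python keygen. This is an added example, not code from the tutorial or from File Split itself; it follows the disassembly instruction by instruction, and assumes that the constant added at 404847 is 4012 as the tutorial reports, that the upper 16 bits of EBX are zero when the loop starts, and that the third part is accepted when it equals EBX as a decimal number. Under those assumptions it reproduces the key given at the end of the tutorial (ShadowMan, 1234-56-9385). The serial-format check in check_key is a plain regex approximation of "%4d-%2d-%5d", not the program's own parser.

```python
import re

MASK16 = 0xFFFF
MASK32 = 0xFFFFFFFF
ADD_CONSTANT = 4012            # value read from [ebp+10] in the tutorial (assumed fixed)

# Approximation of the "%4d-%2d-%5d" format the tutorial found at 40AB7D.
SERIAL_RE = re.compile(r"^(\d{1,4})-(\d{1,2})-(\d{1,5})$")


def shift_step(ebx):
    """One pass of 0040487F..0040488A: operates on BX (the low 16 bits) only.

    If bit 14 is set:  and bh,3F ; shl bx,1 ; or bl,01
    otherwise:         shl bx,1
    Either way bit 15 of the result is 0, so this is a 15-bit rotate-left
    of BX & 7FFFh (the old bit 15 is simply discarded).
    """
    bx = ebx & MASK16
    if bx & 0x4000:
        bx &= 0x3FFF                       # and bh,3F  -> clears bits 14 and 15
        bx = ((bx << 1) & MASK16) | 1      # shl bx,1 ; or bl,01
    else:
        bx = (bx << 1) & MASK16            # shl bx,1   (old bit 15 falls off)
    return (ebx & ~MASK16 & MASK32) | bx   # upper half of EBX is untouched


def third_part(name, part1, part2):
    """Return the value of EBX at 404897 after the last name character.

    name  : the string in the NAME box (ASCII; non-ASCII bytes are
            sign-extended exactly as movsx does)
    part1 : first serial field  (%4d, 0..9999)
    part2 : second serial field (%2d, 0..99)
    """
    if not name:
        # test eax,eax / jne 0040486F: an empty name never enters the loop
        raise ValueError("name must not be empty")
    if not (0 <= part1 <= 9999 and 0 <= part2 <= 99):
        raise ValueError("part1 must fit %4d and part2 must fit %2d")

    # mov bx, word ptr [ebp-0C] ; add ebx, dword ptr [ebp+10]
    # (upper 16 bits of EBX assumed zero before the mov)
    ebx = ((part1 & MASK16) + ADD_CONSTANT) & MASK32

    for b in name.encode("latin-1"):
        ebx = shift_step(ebx)
        c = b - 0x100 if b >= 0x80 else b         # movsx ecx, byte ptr [esi]
        ebx = (c ^ ebx ^ part2) & MASK32          # xor ecx,ebx ; xor ecx,[ebp-08] ; mov ebx,ecx
    return ebx


def make_key(name, part1=1234, part2=56):
    """Build a full serial for `name`; the first two parts can be anything valid."""
    return f"{part1}-{part2}-{third_part(name, part1, part2)}"


def check_key(name, serial):
    """Re-implement the check: parse the serial and compare the third part."""
    m = SERIAL_RE.match(serial)
    if not m or not name:
        return False
    p1, p2, p3 = (int(x) for x in m.groups())
    return third_part(name, p1, p2) == p3


if __name__ == "__main__":
    print(make_key("ShadowMan"))            # the tutorial's own example key
    print(make_key("Alice", 42, 7))
```

Because the rotate only ever touches the low 15 bits and the XOR operands (an ASCII char and a two-digit number) are both below 8000h, the third part is always below 32768 and therefore always fits the %5d field; any choice of first and second part yields a valid key, which is why the tutorial can pick 1234-56 arbitrarily.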