File Split v1.4 Cracking Tutorial 

Difficulty : Easy

For this tut , you need :

1) File Split v1.4;
2) SoftIce
3) A working BRAIN .

Hi folks , I'm back ! This is my third tut , and I'm gonna show you how to make a KeyGen for
FILE SPLIT v1.4 .
OK , first start file FSPLIT.EXE and click on REGISTER. Fill in the two boxes , enter in 
SoftIce with CTRL-D , type BPX GETDLGITEMTEXTA , press ENTER and then F5 to exit.
Click on OK and SoftIce will pop up. Now, type BD* and press ENTER , then press F11 once,F10 for nine times and F8 once.
You will see this piece of code :

:0040481E 55                      push ebp
:0040481F 8BEC                    mov ebp, esp
:00404821 83EC0C                  sub esp, 0000000C
:00404824 53                      push ebx
:00404825 56                      push esi
:00404826 57                      push edi
:00404827 8B7D08                  mov edi, dword ptr [ebp+08]
:0040482A 8D4DFC                  lea ecx, dword ptr [ebp-04]
:0040482D 51                      push ecx
:0040482E 8D4DF8                  lea ecx, dword ptr [ebp-08]
:00404831 51                      push ecx
:00404832 8D4DF4                  lea ecx, dword ptr [ebp-0C]
:00404835 51                      push ecx

* Possible StringData Ref from Data Obj ->"%4d-%2d-%5d"
                                  |
:00404836 687DAB4000              push 0040AB7D   <------ LOOK AT THIS...

OK, let's see what this instruction means: type D 40AB7D and you will see something like this:
 %4d-%2d-%5d . It means that your code must be divided in three parts , each one separated by a dash.
The first part must be MAX 4 chars , the second one MAX 2 chars and the third one MAX 5 chars.
So, exit SoftIce with F5 , thype a fake code like this : 1234-56-78901 , enter SoftIce again with CTRL-D , type BPX GETDLGITEMTEXTA press F5 to exit and then press OK . SoftIce will pop up. Now, type BD* and press ENTER , then press F11 once,F10 for nine times and F8 once , and keep stepping with F10 until you reach this point :


:0040483B FF750C                  push [ebp+0C]
:0040483E E829150000              call 00405D6C
:00404843 668B5DF4                mov bx, word ptr [ebp-0C]    <---- First important instruction :00404847 035D10                  add ebx, dword ptr [ebp+10]  <---- Second important instruction
:0040484A 83C414                  add esp, 00000014
:0040484D 57                      push edi
:0040484E E825140000              call 00405C78
:00404853 83C404                  add esp, 00000004
:00404856 85C0                    test eax, eax <---- Checks if the NAME BOX is empty.
:00404858 7515                    jne 0040486F  <---- If it is , jump to BAD CRACKER.

Now, what does the program do ??? Simple:type ? BX and you'll see that the first four numbers of our fake serial are moved into BX (BX changes as well as EBX. The same for CX and ECX.). The next instruction adds 4012 decimal to the number contained in EBX (the same as BX): so , if the first four numbers of your fake serial were 1234 , EBX will contain: 1234+4012 = 5246 . 


..................
..................
..................

:0040486F 8BF7                    mov esi, edi   <---- ESI contains our name , and the code                                                             routine loops until the whole name is                                                            processed.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004048A5(C)
|
:00404871 8BCB                    mov ecx, ebx   <---- Moves the value of EBX into ECX
:00404873 6681E10040              and cx, 4000   <---- ANDS ECX by 4000 HEX
:00404878 6681F90040              cmp cx, 4000   <---- Checks ECX
:0040487D 750B                    jne 0040488A   <---- If ECX isn't equal to 4000 HEX, then Jump.
:0040487F 80E73F                  and bh, 3F     <---- Subtracts 4000 HEX to EBX
:00404882 66D1E3                  shl bx, 1      <---- Shifts to the left EBX of 1 byte
:00404885 80CB01                  or bl, 01      <---- Adds 1 to EBX
:00404888 EB03                    jmp 0040488D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040487D(C)
|
:0040488A 66D1E3                  shl bx, 1      <---- Shifts to the left EBX of 1 byte

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404888(U)
|
:0040488D 0FBE0E                  movsx ecx, byte ptr [esi]   <---- Moves one name char into ECX 
:00404890 33CB                    xor ecx, ebx                <---- ECX is XORed with EBX
:00404892 334DF8                  xor ecx, dword ptr [ebp-08] <---- ECX is XORed with the 2nd
                                                                    part of our fake serial

:00404895 89CB                    mov ebx, ecx   <--- Moves the result into EBX
:00404897 46                      inc esi             <----| 
:00404898 57                      push edi            <----| 
:00404899 E8DA130000              call 00405C78       <----| Increments the counter
:0040489E 83C404                  add esp, 00000004   <----|
:004048A1 03C7                    add eax, edi        <----|
:004048A3 3BC6                    cmp eax, esi        <----|
:004048A5 77CA                    ja 00404871    <---- Loop until the whole name is done      
:004048A7 EBB1                    jmp 0040485A   <---- Exits the calculation routine

This was the code calculation routine. It uses our name and the first two parts of the serial we typed to calculate the third part of the code , wich is the real serial number.
So , when the whole name is done , place the cursor at 404897 and type ? EBX : you will see the third part of your code.
For example , here is my key :

Name : ShadowMan
Code : 1234-56-9385

That's all. I hope you'll learn something from this tut.

Si Vis Pacem , Para Bellum .

Seeya in the next tut .

 ----====( ShadowMan )====----

      - 27 January 2001 -