²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²
²² ____ __ __ ²²ßÛ
²² / _/_ _ __ _ ___ ____/ /____ _/ / ²² ÛßÛ
²² _/ // ' \/ ' \/ _ \/ __/ __/ _ `/ / ²² Û Û
²² /___/_/_/_/_/_/_/\___/_/ \__/\_,_/_/ ²² Û Û
²² ____ __ __ ²² Û Û
²² / __ \___ ___ _______ ___ ___/ /__ ____ / /____²² Û Û
²² / /_/ / -_|_-</ __/ -_) _ \/ _ / _ `/ _ \/ __(_-<²² Û Û
²²/_____/\__/___/\__/\__/_//_/\_,_/\_,_/_//_/\__/___/²² Û Û
²² ²² Û Û
²² Web: http://www.ImmortalDescendants.org ²² Û Û
²² Author: ACiD BuRN ²² Û Û
²² Date: 24/05/2000 ²² Û Û
²² Topic: Keygening MP3 Explorer 3.2 ²² Û Û
²² Level: beginners ²² Û Û
²² ²² Û Û
²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²² Û Û
ÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛ Û
ÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛ
tools used:
- Soft ice 3.23 (best version for me :)
- a C++ compiler
- a brain
- Some good music :)
Note: I assume you know how to use this tools , else you gotta find some easy
tutorials that teach you how to use them and come back once your ready :)
Oh yeah , another tutor from your lil ACiD BuRN :) the frog is back from hell heh!
Ok, looks like i am finally back in cracking and reversing stuff hehe ;)
After a goddamn long time without doing anything coz of my illness ( which isn't fixed thought)
i am ready to make others tutorials :)
Enough blabla! let's Rock :)
oh by the way , i keygened CORE trial CrackMe :p
I'm gonna teach you a good way to keygen many shits !
using BPR can help you a lot in keygening, you will see :)
1)Let's Rock
Run mp3 explorer and go in the '?' menu and look in about:)
Here is a place to enter name/serial hehe!
enter name: ACiD BuRN
enter code: 12321
in fact, the bpr technic will put us directly in the generation part of the algo!
without tracing like a fool :)
look that:
Put a bpx on GetWindowtextA and press on the OK button!
Soft ice pop up! Break due to BPX USER32!GETWINDOWTEXTA ..
btw don't press anything ! (i.e: F11 or F12)
we're gonna look the stack parameter.for a best lisibility , we will look dword (command = dd)
so , in soft ice: dd esp
Why that ?! huh
"dd" means: display dword and "esp" is the stack pointer!
After pressing "dd esp", the Soft-ice's window change and we can see the parameters :
xxxx:yyyyyyyy A B C D ................
xxxx:yyyyyyyy E F G H ................
Where A,B,C,D,E... look like: XXXXXXXX (Of course XXXXXXXX are some numbers hehe)
You should see something like that:
xxxx:yyyyyyyy 0044423B 00000464 015DB338 0000000A ...........
We will only use this :)
(As you noticed, here A=0044423B , B=00000464, C= 015DB338...)
We can see here the adress where our name ends (015DB338).
type D "adress where the name ends"
For example here is is: D 015DB338
Now , you can press F11 and you should see the name at the address we looked
(where the name ended...)
Good, we are on the good way eheh!
We're gonna put a BPR (break on memory range).
this kind of BP works like this:
bpr "start adress" "end address" RW
RW means: Read and write.
So, it's gonna stop when something is reading or writting in this adress !
So, under Soft-ice, type this:
bpr 015DB338 015DB338 + (length of the name - 1) RW
ACiD BuRN (length: 9 -> 9 - 1 = 8)
In our target, for ACiD BuRN , we type this :
bpr 15DB338 015DB338+8 RW
Now , you can disable our bpx on getwindowtextA! ( bd 0 )
You just have to press F5 and we will land in directly in the algo :)
well , on this app , not directly , we land in the dll so keep pressing F5 till you are
in DLLs :)
'Coz, we don't give a flying fuck of them :p
Once you are in the App, we are in the good place ! and algo starts there :
look my winice.log
----------------------SNiP----- SNiP----- SNiP----------------------------
:bpx getwindowtexta
Break due to BPX USER32!GetWindowTextA (ET=1.17 seconds)
:dd esp
:d 15f5a18
Break due to G (ET=268.99 microseconds)
:bpr 15f5a18 15f5a18+8 RW
:bd 0
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
:u eip l 50
comment: here comes the first loop:
025F:0040A173 8B442420 MOV EAX,[ESP+20] ; EAX contains the adress of my name
025F:0040A177 0FBE0C06 MOVSX ECX,BYTE PTR [EAX+ESI] ; ECX = hex value of 1st char
025F:0040A17B 51 PUSH ECX
025F:0040A17C E8E9BB0100 CALL 00425D6A ; intresting !!!!
025F:0040A181 83C404 ADD ESP,04
025F:0040A184 03E8 ADD EBP,EAX ; add ascii value in hex to EBP
025F:0040A186 46 INC ESI ; next char!
025F:0040A187 3BF7 CMP ESI,EDI ; All chars done ?!
025F:0040A189 7CE8 JL 0040A173 ; no, jmp start !
025F:0040A18B 8B4C240C MOV ECX,[ESP+0C] /
025F:0040A18F BAC0D40100 MOV EDX,0001D4C0 /
025F:0040A194 2BD5 SUB EDX,EBP / we will look that
025F:0040A196 33C0 XOR EAX,EAX / after !
025F:0040A198 3BCA CMP ECX,EDX /
025F:0040A19A 8D4C2420 LEA ECX,[ESP+20] /
025F:0040A19E 0F94C0 SETZ AL /
So, we see that it takes ascii value of each chars and add them in EBP.
But there is a Call which looks intresting ! let's have a closer look in it :
:u eip l 50
025F:00425D6A 53 PUSH EBX
025F:00425D6B 33DB XOR EBX,EBX ; EBX=0
025F:00425D6D 391D74344800 CMP [00483474],EBX
025F:00425D73 7513 JNZ 00425D88
025F:00425D75 8B442408 MOV EAX,[ESP+08] ;move ascii value in EAX
025F:00425D79 83F861 CMP EAX,61 ;compare it to 61h
025F:00425D7C 7C59 JL 00425DD7 ;less than 61? jump to 425DD7
025F:00425D7E 83F87A CMP EAX,7A ;compare it to 7A
025F:00425D81 7F54 JG 00425DD7 ;greater than 7A? jump to 425DD7
025F:00425D83 83E820 SUB EAX,20 ;less than 7A but greater than 61 (eax-20)
025F:00425D86 5B POP EBX
025F:00425D87 C3 RET ;ret! come out of the call!
025F:00425D88 56 PUSH ESI
025F:00425D89 BE88484800 MOV ESI,00484888
025F:00425D8E 57 PUSH EDI
025F:00425D8F 56 PUSH ESI
Ok , so what's goin' on ?!
Well it compares the char to 61 , 7A!
61h = a and 7Ah = z if it is less than 7A but greater than 61 it substract 20 to it
Well , this is just making all the chars in uppercase !
So the serial for ACiD BuRN will be the same than for Acid Burn , acid burn, ACID burn...
So what does the main loop ?
Convert in uppercase and then add ascii value to EBP...
Do all Chars and then we land here:
025F:0040A18B 8B4C240C MOV ECX,[ESP+0C] ; ECX = our fake entered serial
025F:0040A18F BAC0D40100 MOV EDX,0001D4C0 ; EDX = 1D4C0h = 12000
025F:0040A194 2BD5 SUB EDX,EBP ; EDX = EDX - EBP
025F:0040A196 33C0 XOR EAX,EAX ; EAX = 0
025F:0040A198 3BCA CMP ECX,EDX ; Compare fake serial to good one
025F:0040A19A 8D4C2420 LEA ECX,[ESP+20]
025F:0040A19E 0F94C0 SETZ AL
it is clear enough !
So the algo is:
- convert all chars to uppercase
- add all ascii value
- Substract the result of ascii added to 12000
Now ,you can easily code a keygen for MP3 Explorer !
As usual , i am gonna give you the source of a working Keygen coded by me :)
No more Visual basic ( i was lazy hehehe!) here it is C++ + inline asm :)
-------------------------start of my source---------------------------------
#include <stdio.h>
#include <string.h>
#include <conio.h>
int main(){
int i,len;
unsigned char name[100];
unsigned long check=128;
printf("\Mp3 Explorer Keygen By : ACiD BuRN [Immortal descendants] \n ");
printf("\__________________________________________________________");
printf("\nEnter name: ");
gets(name);
len=strlen(name);
asm
{
xor ecx, ecx
xor edi, edi
mov edx, [len]
start1:
movsx eax, [name+ecx]
cmp eax, 97
jl temp1
cmp eax, 122
jg temp1
sub eax, 32
temp1:
add edi, eax
inc ecx
cmp ecx, edx
jne start1
mov eax, 120000
sub eax, edi
mov [check], eax
}
printf("=: %lu" ,check); /* %lu = decimal, check = serial */
printf("\nEnjoy!");
getch();
return 0;
}
----------------------------end of my source---------------------------------
Info:
if you compil this keygen it will works but if you enter a name with
accents ie: frédéric or Cédric ... the given serial won't work..
Why that ? i dunno ... looks like the compiler fuck up a bit the code hehe
Because if you compil this algo in a 32 bits GUI Keygen it will works for evername !
But hell ! i ain't gonna give you my C++ template :p hehe :)
This tutorial is over and i hope you learnt something from it...
btw , as i don't have internet anymore, don't mail me your question coz i don't
know when i would read them!
But Go on #Cracking4newbies and go nag an OP there ;-Þ
This tutorial is dedicated to my girly!
Celine , you own me !:)
Greets fly out to:
no specific order
CyberBlade,R!SC , ^INFeRNo^ , AB4DS , Klefz , Volatility ,
TORN@DO , T4D , Jeff , [Virus] , JaNe , Appbusta , Duelist , tKC , BuLLeT ,
Lucifer48 , MiZ , DnNuke , Bjanes , Skymarshall , afkayas , elmopio ,
SiFLyiNG , Fire Worx , CrackZ , neural_en , WarezPup , _y , SiONIDE ,
SKORPIEN , Lazarus , Eternal_Bliss , Magic Raphoun , DEZM , Bisoux ,
Carpathia , K17 , theMc , noos , Xmen , TeeJi , JB007 , Arobas , T0AD , ytc ,
Kwai_lo , Killer_3K , TaMaMBoLo , gizmo , Gota , ExtaBrain , Alpine ,
WarezPup , zoltan , [yAtes] , TarGon , Icecream , Punkguy2 , Sortof ,
TRDdonjuan , Lord Soth , Judged , G-Rom , Quantico , Christal , psike , Leo0n ,
Albator , +Spath , +Frog's Print , toutim , Pulsar , Night , psike , Uno , F|SH ,
Lixus , LosT , RD-116 , Ben0 , Whizkid , [MandKind] , alpine , Alsindor ,
Stone , Elraizer , Fravia+ , Iczelion , nody , Asphalt , Rhythm ,
rudeboy , X-Calibre , Cirus , shaoni...
...
"Put your name here! :P" ...
Take Care,
ACiD BuRN [Immortal Descendants / ECLiPSE ]