About this tutorial:
Tutorial:Total Reversing of Cover Your Tracks 3.5

Target:Cover Your Tracks 3.5(http://www.ffsoftware.com)

Tools:SoftIce 3.24(this is a good software, worth buying)

Date:2nd January 2000

Descriptions&Comments:Total Reversing of Cover Your Tracks 3.5. Well, almost: we still lack a clean way to unregister this program, which we would need in order to reverse it totally. Hopefully someone can send me a clean way of unregistering (I can do it, but mine is a dirty way) so that we can really reverse this program totally; I will then update this document and give full credit for the "Unregistering" section to that person. That does not matter to us now. We will ignore it, fish a serial first and code a keygen later. Thanks to a good friend of mine, ^tCM^, for the keygen's source.

Protections:Name/Serial, Nag, Keygen

Disclaimer:This file is used for educational purposes only. Any misuse of the information presented here is not my responsibility.

Copyright information:This tutorial is copyright © 1999 ManKind

Starting words:
Hello, welcome to my tutorial. I am ManKind, a newbie in cracking who wants to share my cracking skills with other newbies. Contact me at mankind001@bigfoot.com


The process:
Part 1:Easy way of locating correct registration code
Nothing special here. This is the easiest serial-fishing experience that I have ever had; it could be called a "10 second crack". Load up Cover Your Tracks, a nag comes up, press the Register button, a new register window pops up, and enter some fake info (you need at least 7 characters in each text field), something like below:

Name:ManKind/ImmortalDescendants
Registration Code:23199981

Go into SoftIce and set a breakpoint on hmemcpy like below:

bpx hmemcpy

Leave SoftIce, press the Register button, SoftIce will pop up, press F5 once to let SoftIce read the data at the other text field, press F11 once to go back to the code which called the hmemcpy function, press F12 11 times to RETurn to the main call, press F10 once to step over the current code and finally the white indicator of SoftIce will land on the following code:

:00457967 POP EAX

At this moment, EDX contains the real registration code for our name(refer to the code on top of the above code). Do the following command and you will see the real registration code in the data window:

d edx

What's in the data window? A long string. I saw the following for my name:

v9hAwhuwvvgsm9kuya3yhu9hma

No, although I know the above is the correct registration code, don't register with it, because you will have trouble unregistering it and you will not be able to go on and do a keygen.


Part 2:Understanding the keygeneration routines
Well, you will ask: since we have already fished out a serial from Cover Your Tracks, why should we ever need to understand its keygeneration routines? The answers are simple: firstly, this may serve as a keygen tutorial; secondly, we do this because we want to reverse this program totally. What do I mean by totally? Totally means we know how the correct registration code is generated from the name we enter.

This part is also easy owing to the simple keygeneration routines. Now, I will just give you a brief idea of the keygeneration routines. By debugging as in the first part, one letter at a time, I discovered this (or you can also go into Cover Your Tracks when SoftIce breaks on hmemcpy, disable the hmemcpy breakpoint, set a breakpoint on address 00457967 (refer to above), press F5 to let SoftIce run, and finally you will be brought to the place where you can just type 'd edx' to view your correct registration code):

A=9, B=o, C=3, D=u, E=y, F=t, G=r, H=6, I=w, J=q, K=A, L=k, M=v, N=h, O=g, P=f, Q=d, R=s, S=a, T=m, U=8, V=b, W=eP, X=1, Y=x, Z=z, any other character including space=null

Condition:There is no difference between upper-case and lower-case letters, which means that if A=9 then a=9 also. The name must contain at least 7 letters from A to Z or else it will be an invalid name. The code is built from left to right, for example:

M a n K i n d
v 9 h A w h u

With this information, it will not be too hard for you to code a keygen. Well, after you understand the keygeneration routine, what should you do? You should really code a keygen. I have included below the C++ source of a simple Cover Your Tracks keygen, written by tCM, a good friend of mine, and slightly edited by myself. I compiled it with Visual C++ 6.0, but it should compile with any other C++ compiler.

#include <ctype.h>
#include <stdio.h> //I only edited the introduction part!
#include <conio.h> //nothing special here, just playing a fool!
#include <string.h>

void main() {
    // Introduction
    printf("Cover Your Tracks 3.5 Keygen by ManKind/ImmortalDescendants \n");
    printf("===================================================\n");

    // Prompt the user
    printf("Please enter your name \n");
    fflush(stdout); // make sure the prompt is flushed from output buffer to the screen
    char UserName[100]; // Note: this may crash if you enter more than 100 characters
    gets(UserName);

    // Then I want to read his name and make the following substitution:
    // A=9, B=o, C=3, D=u, E=y, F=t, G=r, H=6, I=w, J=q, K=A, L=k, M=v, N=h, O=g, P=f, Q=d,
    // R=s, S=a, T=m, U=8, V=b, W=eP, X=1, Y=x, Z=z, any other character including space=null

    // define the new alphabet as a lookup table with an entry for
    // each caharcter.

        int i,k,temp,name_lenth;
    char name[100]={0},new_name[100]={0};
        char Lookup[] = "9o3uytr6wqAkvhgfdsam8be1xz";
        char W_ONLY[]= "eP";

        // Condition:There are no difference between upper case alphabets with
    // lower case alphabets, that mean A=9 then a=9 also.
    // Eliminate invalid letters by writing the translated
    // character at a different position.
    //char *P, *Q;
    //for (P = Q = UserName; *P; ++P) {
    // unsigned Index = toupper(*P) - 'A'; // place in lookup table
    // if (Index < sizeof Lookup) *Q++ = Lookup[Index]; // translate
    //}
    //*Q = '\0'; // terminate the translated string

       strcpy(name,UserName);
       strupr(name);
       name_lenth=strlen(name);

       for(i=0,k=0;i temp=name[i];
       if(temp>=0x41 && temp<=0x5A){
       if(temp==0x57){
       strcat(new_name,W_ONLY);
       k+=2;
       }
       else if(temp!=0x57){
       new_name[k]=Lookup[temp-0x41]; // if it dosent work use
       new_name[k]=Lookup[0x41-temp];
       k++;
       }
       }
       }

       printf("Registration Code = %s\n", new_name);
    // I want to display the new name after substitution to the user
    // Note: this will end as soon as a null character is found
    //printf("Registration Code = %s\n", UserName);

    // wait for a keypress before exiting
    getche();
}
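
Seen from the developer's side, the scheme falls because the program rebuilds the complete valid code from the name alone, with no secret, and holds it in memory for the comparison. The Python sketch below is an added example, not code from this tutorial or from the product: it contrasts that compare-against-derived-code check with a signature check where the client holds only a public key. The demo key (two Mersenne primes), the unpadded toy RSA and all function names are assumptions for illustration.

```python
import hashlib

# Constructed demo key (assumption): two Mersenne primes, far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public half: the only key material shipped
D = pow(E, -1, (P - 1) * (Q - 1))      # private half: kept by the vendor, never shipped

def weak_expected(name: str) -> str:
    # Keyless transform of the name (constructed stand-in, not the product's table).
    return hashlib.sha1(name.lower().encode("utf-8")).hexdigest()[:16]

def weak_check(name: str, code: str) -> bool:
    # Weak design: the client derives the full valid code, then compares.
    # Whoever can observe or re-run weak_expected() holds a valid code.
    return code == weak_expected(name)

def _digest(name: str) -> int:
    # Normalise the licensee name and hash it to an integer below N.
    h = hashlib.sha256(name.strip().lower().encode("utf-8")).digest()
    return int.from_bytes(h, "big") % N

def vendor_issue(name: str) -> str:
    """Vendor side only: sign the name digest with the private exponent D."""
    return format(pow(_digest(name), D, N), "x")

def client_verify(name: str, code: str) -> bool:
    """Client side: uses only (N, E) and never computes a valid code itself."""
    try:
        sig = int(code, 16)
    except ValueError:
        return False                   # not hexadecimal at all
    if not 0 < sig < N:
        return False                   # out of range for this modulus
    return pow(sig, E, N) == _digest(name)

if __name__ == "__main__":
    code = vendor_issue("Alice Example")             # constructed sample name
    print(client_verify("Alice Example", code))      # accepted
    print(client_verify("Mallory Example", code))    # rejected: wrong name
```

A shipping product would use Ed25519 or RSA-PSS from a vetted library with a full-size key; the point here is only that the client verifies a code and never computes one.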

That's all for now. Hope to see you soon in my next tutorial. As usual, contact me if I have made any mistakes, and give me your feedback, comments, suggestions and opinions about this tutorial and my way of presenting it.

Extra notes:
I think you have noticed that I have modified the template (format) of my essay. We are in a new millennium, so I guess I have to have a new template. I hope you like this new design. Thanks again to ^tCM^ for being kind and patient, for coding the keygen and for giving the source. Thanks to my readers who supported my work. In return for your support, I will continue to write more good essays. Thanks again!


Ending:
Thanks and greetz to:
+ORC, +HCU, Sandman, HarvestR, tKC, ytc_, Punisher, Kwai_Lo, TORN@DO, Crackz, cLUSTER, LaZaRuS, mrfanatic, yes123, WhizKiD, Volatility, Acid Burn, Eternal Bliss, R!SC, MisterE, Shadow, ^tCM^, WaJ, Borna Janes, Lord Soth, Lucifer48, Neural, Latigo, Alpine, flag erratum, Nitrus, frogs print, Muad`Dib, Iczelion, Warezpup, Bomber Monkey, llama and other crackers, individuals and organisations who have helped me, either directly or indirectly.

Service for ManKind
ManKind
mankind001@bigfoot.com