Another C4N Tutorial

Flu[X] Tutor #10
Author: Flu[X]
Date: Sometime in 2000

Materials Required:
  Brain
  SoftIce 3.2+
  Tasm 5 (for the keygen)
  CyberClean v1.01 (http://www.thelimitsoft.com/cyberclean.html)

Overview:

In this tutorial I will show you how to make another keygen. This time I provide an ASM keygen to show you how!

NOTE: Since this tutorial was written the author has released version 1.5. The serials are the same, so the protection is the same; only the addresses differ.

Cracking:

Load up SoftIce and the app. When it starts it asks whether you want to register. Accept, and fill in any info. Break into SI (Ctrl-D) and set a breakpoint on hmemcpy (bpx hmemcpy). Leave SI and hit the button on the window. When SI pops, press F12 until you are back in the main program code (past a bunch of RETs: hmemcpy lives in the 16-bit KERNEL, so you return through several thunks before you reach the application's own 32-bit code). Then trace (F10) until you land here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040675B(C)
|
:00406713 66C745CC0800  mov [ebp-34], 0008
:00406719 33C0          xor eax, eax
:0040671B 8945FC        mov dword ptr [ebp-04], eax
:0040671E 8D55FC        lea edx, dword ptr [ebp-04]       <- [ebp-04] will receive the name you entered
:00406721 FF45D8        inc [ebp-28]
:00406724 8B86C8010000  mov eax, dword ptr [esi+000001C8]
:0040672A E831B60000    call 00411D60                     <- fetches the edit box text into [ebp-04]
:0040672F 8B55FC        mov edx, dword ptr [ebp-04]       <- edx = pointer to the name string
:00406732 8D45FC        lea eax, dword ptr [ebp-04]       <- set up for the call at 00406748, not part of the sum
:00406735 03D3          add edx, ebx                      <- advance to position ebx
:00406737 4A            dec edx                           <- back one byte: position ebx-1
:00406738 0FBE0A        movsx ecx, byte ptr [edx]         <- ecx = sign-extended character at ebx-1
:0040673B 83E17F        and ecx, 0000007F                 <- keep the low 7 bits (no effect on plain ASCII)
:0040673E BA02000000    mov edx, 00000002                 <- second argument for the call at 00406748, not part of the sum
:00406743 03F9          add edi, ecx                      <- edi = edi + character value
:00406745 FF4DD8        dec [ebp-28]
:00406748 E89B110100    call 004178E8
:0040674D 43            inc ebx                           <- next position

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406711(U)
|
:0040674E 8B86C8010000  mov eax, dword ptr [esi+000001C8]
:00406754 E8B7B50000    call 00411D10                     <- evidently returns the length of the name in eax
:00406759 3BD8          cmp ebx, eax
:0040675B 7CB6          jl 00406713                       <- loop while ebx < length
:0040675D 69D76B280400  imul edx, edi, 0004286B           <- edx = edi * 4286Bh
:00406763 89D7          mov edi, edx                      <- edi = the real serial
:00406765 83FF01        cmp edi, 00000001                 <- is the serial >= 1 ? (signed compare)
:00406768 7D05          jge 0040676F                      <- if so, jump; a product that wrapped negative takes a path not traced here

Explanation of code:

All the program does is add up the ASCII values of your name EXCEPT for the last letter, then multiply by a constant. The loop reads the byte at [name + ebx - 1] and runs while ebx is below the name length, so the last character is never added (the listing does not show where ebx starts; the keygen below assumes 1, and the serial check confirms it). Two details matter for a keygen:

  - `and ecx,7Fh` strips the high bit of each character. For plain ASCII names it changes nothing, but a name containing characters >= 80h is summed with those bits cleared, so a keygen must do the same.
  - `imul edx,edi,4286Bh` is a 32-bit multiply and the `cmp edi,1 / jge` after it is a signed compare. For names of normal length the product stays well under 80000000h (a 32-character name of all 'z' sums to 3782 and gives 1030560962), so the sign never matters in practice.

The serial check below confirms the algorithm:

:0040679B 53            push ebx
:0040679C E8DF4F0300    call 0043B780                     <- evidently converts the serial you typed into a number (returned in eax)
:004067A1 59            pop ecx
:004067A2 8BD8          mov ebx, eax                      <- ebx = your serial
:004067A4 FF4DD8        dec [ebp-28]
:004067A7 8D45F8        lea eax, dword ptr [ebp-08]
:004067AA BA02000000    mov edx, 00000002
:004067AF E834110100    call 004178E8
:004067B4 66C745CC1400  mov [ebp-34], 0014
:004067BA 8BCF          mov ecx, edi                      <- edi still holds the real serial
:004067BC 8BC1          mov eax, ecx
:004067BE 99            cdq                               <- sign-extend eax into edx:eax
:004067BF 33C2          xor eax, edx                      <- cdq / xor / sub is the branch-free abs(): eax = |eax|
:004067C1 2BC2          sub eax, edx
:004067C3 3BD8          cmp ebx, eax                      <- compare your serial with the real one

So the algorithm is simple:

    Serial = (sum of the ASCII codes of the name, except the last character) * 4286Bh

4286Bh is 272491 decimal. Below is the keygen I wrote to show you how. It guards against names shorter than two characters (with one character nothing would be summed and the `loop` counter would wrap), masks each character with 7Fh and takes the absolute value of the product exactly as the program does, so it agrees with the check even for long names that push the product past 7FFFFFFFh. The banner is drawn with CP437 box characters (C9h, CDh, CBh, BBh, BAh, CCh, CAh, B9h, C8h, BCh); save the source as CP437, not UTF-8, or those strings assemble into multi-byte garbage.

;---------BEGIN KEYGEN SOURCE-------------
; compile with
;   tasm kg.asm
;   tlink /t kg.obj
; NOTE: the banner uses CP437 box characters; save this file in CP437.
Code Segment
Assume CS:CODE,DS:CODE
org 100h                         ;com
.386
start:
;YOUR CODE GOES BELOW HERE
        mov ah,9
        lea dx,welcomescreen
        int 21h
        call getname
        lea si,namez
        cmp byte ptr [si+1],2    ;need at least 2 chars: one summed plus the ignored last one
        jge sumstring
        mov ah,9
        lea dx,warnmessage
        int 21h
        int 20h
sumstring:
        mov ah,9
        lea dx,serialis
        int 21h
        xor eax,eax              ;eax = running sum
        xor ebx,ebx
        xor cx,cx
        mov cl,byte ptr [si+1]   ;cx = number of characters typed
        add si,2                 ;si -> first character
        dec cl                   ;skip the last character, as the program does
sumstring1:
        mov bl,byte ptr [si]
        and bl,7Fh               ;same as the program's and ecx,7Fh
        add eax,ebx
        inc si
        loop sumstring1
        imul eax,eax,4286bh      ;eax = sum * 4286Bh (32-bit, wraps like the program)
        cdq                      ;eax = abs(eax): the same three instructions as the check
        xor eax,edx
        sub eax,edx
        call printdec
;END YOUR CODE
        int 20h                  ;exit

;==========GET NAME PROCEDURE===========
;parameters = none
getname:
        mov ah,9
        lea dx,askname
        int 21h
        mov ah,0ah               ;buffered keyboard input with clear
        lea dx,namez
        int 21h
        call nextline            ;carriage return
        RET

;==========CARRIAGE RETURN PROCEDURE===========
;parameters = none
nextline:
        mov ah,9
        lea dx,carriagereturn
        int 21h
        RET

;========Print Decimal# to screen====================
;Parameters = eax: number to print to screen
;Returns nothing
Printdec:
        lea di,tempbuffer
        mov ebx,10
        xor ecx,ecx              ;ecx = digit count
decloop:
        xor edx,edx
        div ebx                  ;eax = eax/10, edx = remainder (next digit, least significant first)
        push edx
        inc ecx
        cmp eax,0
        jne decloop
restoreb:
        pop edx                  ;pop the digits back in most-significant-first order
        add dl,'0'
        mov al,dl
        stosb
        dec ecx
        jnz restoreb
        mov ah,9                 ;print
        lea dx,tempbuffer
        int 21h
        lea si,tempbuffer        ;refill the buffer with '$' for the next call
        mov cx,16
rest1:
        mov byte ptr [si],'$'
        inc si
        loop rest1
        ret

;=====data area=====
namez           db 32,0,32 dup(0)
serial          db 32,0,32 dup(0)
company         db 20,0,20 dup(0)
email           db 32,0,32 dup(0)
warnmessage     db 'Name must be at least 2 characters long','$'
carriagereturn  db 13,10,'$'
askname         db 'Enter Name: ','$'
askcompany      db 'Enter company: ','$'
askemail        db 'Enter E-Mail Address: ','$'
serialis        db 'Your Registration code is: ','$'
tt              dd ?
tot             dd ?
tempbuffer      db 17 dup('$')
welcomescreen   db '╔══════╦═══════════════════════╦═════╗',13,10
                db '║Flu[X]║        KEYGEN         ║ 2000║',13,10
                db '╠══════╩═══════════════════════╩═════╣',13,10
                db '║ This Keygen is intended for those  ║',13,10
                db '║ users who have lost their original ║',13,10
                db '║ Key. If you do not legally own the ║',13,10
                db '║ software, do NOT use the Keygen.   ║',13,10
                db '║                                    ║',13,10
                db '║ Support software vendors!          ║',13,10
                db '╠════════════════════════════════════╣',13,10
                db '║ CyberClean v1.01+                  ║',13,10
                db '╚════════════════════════════════════╝',13,10,'$'
code ends
END START
;------------------END KEYGEN SOURCE--------------------

I hope to see you again in Flu[X] tutor #11.

As always, if you like a program, buy it! This essay is for educational purposes ONLY! Software authors deserve your support!

Flu[X]/C4N 2000
http://tuts2000.cjb.net
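Added example (not part of the original tutorial, not its TASM keygen and not the vendor's code): the serial scheme recovered above, reimplemented in Python register by register. It goes slightly beyond the 16-bit keygen by reproducing the two details the disassembly shows but a quick keygen tends to skip: the `and ecx,7Fh` mask on every character and the cdq/xor/sub absolute value taken on the 32-bit product before `cmp ebx,eax`. It also reports whether the `cmp edi,1 / jge` at 00406768 would leave the traced path. Function names, the assumption that ebx starts at 1, the latin-1 byte encoding of the name and the sample names are mine.

```python
# Python reimplementation of the CyberClean 1.01 serial check as recovered in
# the tutorial.  Added example; helper names and sample inputs are constructed.

MULT = 0x4286B          # constant in `imul edx, edi, 0004286B` (272491 decimal)
M32 = 0xFFFFFFFF        # registers are 32 bits wide


def to_signed32(x: int) -> int:
    """Interpret a dword the way `cmp edi,1 / jge` does (signed)."""
    x &= M32
    return x - (1 << 32) if x & 0x80000000 else x


def name_sum(name: bytes) -> int:
    """Loop 00406713..0040675B.

    ebx is assumed to start at 1 (the listing does not show its initial value;
    the tutorial's keygen makes the same assumption).  Each pass reads the byte
    at name[ebx-1], so the last character is never added.  movsx followed by
    `and ecx,7Fh` leaves only the low seven bits of each byte.
    """
    edi = 0
    for ebx in range(1, len(name)):           # jl: loop while ebx < length
        ecx = name[ebx - 1] & 0x7F            # movsx ecx,[edx] ; and ecx,7Fh
        edi = (edi + ecx) & M32               # add edi,ecx
    return edi


def real_serial(name: bytes) -> tuple:
    """Return (edi after the imul, eax the check compares against).

    The product is truncated to 32 bits; the three instructions at 004067BE
    (cdq / xor eax,edx / sub eax,edx) are the classic branch-free abs().
    """
    edi = (name_sum(name) * MULT) & M32       # imul edx,edi,4286Bh ; mov edi,edx
    eax = edi
    edx = M32 if eax & 0x80000000 else 0      # cdq
    eax = (eax ^ edx) & M32                   # xor eax,edx
    eax = (eax - edx) & M32                   # sub eax,edx
    return edi, eax


def product_passes_jge(name: bytes) -> bool:
    """`cmp edi,1 / jge 0040676F`: does the product stay on the traced path?

    A product that wrapped negative (or is zero) goes to code the tutorial does
    not show, so a serial for such a name is only a guess.
    """
    edi, _ = real_serial(name)
    return to_signed32(edi) >= 1


def keygen(name: str) -> int:
    """Serial to type for `name`: the decimal value the check expects."""
    raw = name.encode("latin-1")              # assumption: the edit box delivers single bytes
    if len(raw) < 2:
        raise ValueError("name must be at least 2 characters; nothing is summed otherwise")
    _, serial = real_serial(raw)
    return serial


def passes_check(name: str, typed: str) -> bool:
    """Mirror of 0043B780 (string to number, assumed plain signed decimal) and `cmp ebx,eax`."""
    try:
        ebx = int(typed.strip()) & M32
    except ValueError:
        return False
    _, eax = real_serial(name.encode("latin-1"))
    return ebx == eax


if __name__ == "__main__":
    for sample in ("Flu[X]", "ab", "z" * 70):     # constructed sample names
        raw = sample.encode("latin-1")
        edi, serial = real_serial(raw)
        print(f"{sample[:12]!r:16} sum={name_sum(raw):6d} edi={edi:#010x} "
              f"serial={serial} jge_taken={product_passes_jge(raw)}")
```

The 70-character name is a constructed stress input: its sum (8418) pushes the product past 7FFFFFFFh, so a keygen that prints the raw 32-bit product unsigned would output 2293829238 while the check at 004067C3 wants the absolute value, 2001138058; for that name `product_passes_jge` is also false, meaning the program would run code the tutorial never traced. Whether the real edit box even accepts a name that long is not established on the page.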