                   .--------------------.
       .-----------|  Proudly Presents  |-----------.
.------+--------------------------------------------+------.
|                  A cracking tutor for:                   |
|              KeyEx v1.02 (keygen included)               |
`----------------------------------------------------------'

Someone asked me to crack and write a tut for this one. When I fired the
program I thought it would be a tough one to crack: it needs a s/n AND A CRC.
That LOOKS tough, but it isn't. I cracked this program within the minute, and
so should you. This is going to be a very short tutorial. There should be a
keygen attached to this document.

Programs I have used:

 - SoftIce v3.2
 - W32dasm v8.9
 - KeyEx v1.02 (http://members.eunet.at/tsamm/indexe.htm)

.-----------------------------------------------------------------------------------------------.
`-----------------------------------------------------------------------------------------------'

Fire KeyEx and find the registration screen. Now enter your name, etc. I used:

  name:  MisterE
  reg#:  123454
  users: 100
  CRC:   1234565

Press the OK button and the program says your CRC doesn't match the other
registration data. It DOES NOT SAY that you have the wrong reg#!!

Now fire W32dasm and search for 'crc'. You find this:

* Possible StringData Ref from Code Obj ->"CRC error in registration file!"

This isn't the error we are looking for, so continue your search. You should
end up here.
:0045386B 8BC6                    mov eax, esi
:0045386D E856FBFFFF              call 004533C8
:00453872 3B45FC                  cmp eax, dword ptr [ebp-04]                                 <= important cmp
:00453875 7420                    je 00453897                                                 <= if equal, jump ==.
:00453877 33C0                    xor eax, eax                                                |
:00453879 898328010000            mov dword ptr [ebx+00000128], eax                           |
:0045387F 6A10                    push 00000010                                               |
                                                                                              |
* Possible StringData Ref from Code Obj ->"KeyEx"                                             |
                                                                                              |
:00453881 B9D8384500              mov ecx, 004538D8                                           |
                                                                                              |
* Possible StringData Ref from Code Obj ->"CRC does not match other registration "            |
                                        ->"data!"                                             |
                                                                                              |
:00453886 BAE0384500              mov edx, 004538E0                                           |
:0045388B A128964500              mov eax, dword ptr [00459628]                               |
:00453890 E8CB1EFDFF              call 00425760                                               |
:00453895 EB16                    jmp 004538AD                                                |
                                                                                              |
* Referenced by a (U)nconditional or (C)onditional Jump at Address:                           |
|:00453875(C)                                                                                 |
                                                                                              |
:00453897 C6461001                mov [esi+10], 01 <=========================================='
:0045389B 8B1540974500            mov edx, dword ptr [00459740]
:004538A1 8BC6                    mov eax, esi
:004538A3 8B08                    mov ecx, dword ptr [eax]

Now look at the cmp. If something is equal then jump over the CRC error
message. Let's take a look at what the values of eax and esi are. To do this,
fire SoftIce and place a breakpoint at hmemcpy. Hit the OK button and press F12
a few times to get into prot32 mode. Now type 'bpx 00453872' and continue the
program. Type 'd ebx-4' to see your own serial. You might not recognize it YET.
You should see (using 1234565 as CRC) 85 D6 12. Now remember that values are
stored in reversed byte order, so 85 D6 12 should be read as 12 D6 85, and hex
12D685 is decimal 1234565. Guess what eax is. Yeah, it is the right CRC!!!
(69700)

You have done it!! That wasn't too hard, was it? Now go register some more
software.

.-----------------------------------------------------------------------------------------------.
`-----------------------------------------------------------------------------------------------'

Well, I hope you learned SOMETHING from this tutor.
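Added example, not from the original tutorial and not KeyEx's own code: a small
Python model of what the cmp at 00453872 does, next to the kind of check that
does not hand over the expected value at a breakpoint. Everything not on the
page is an assumption and is marked as such in the code: the routine at
004533C8 is not shown, so zlib's CRC-32 over the registration fields stands in
for it; the function names, the field layout and the tiny textbook-RSA demo
parameters are mine.

```python
"""Added example (not KeyEx's own code): the weak check from the tutorial,
modelled in Python, next to a signed-licence check that does not expose the
expected value at the compare."""
import hashlib
import struct
import zlib


def dword_from_dump(dump_bytes: str) -> int:
    """Turn the bytes SoftIce prints for `d ebx-4` into the integer the
    program compares. x86 stores a dword low byte first (little-endian),
    so the dump "85 D6 12 00" is the value 0x0012D685 = 1234565."""
    raw = bytes.fromhex(dump_bytes.replace(" ", ""))[:4]
    return struct.unpack("<I", raw.ljust(4, b"\x00"))[0]


def local_crc(name: str, reg_no: int, users: int) -> int:
    """Stand-in for the routine at 004533C8. The tutorial does not show its
    algorithm, so this is an ASSUMPTION: CRC-32 over the joined fields."""
    return zlib.crc32(f"{name}|{reg_no}|{users}".encode()) & 0xFFFFFFFF


def weak_check(name: str, reg_no: int, users: int, entered_crc: int) -> bool:
    """The pattern at 00453872: the program computes the expected value
    itself and compares it with what the user typed. At that `cmp` the
    expected value sits in eax, so a breakpoint there reveals it."""
    expected = local_crc(name, reg_no, users)
    return expected == entered_crc


# Textbook RSA with the well-known tiny demo parameters (p=61, q=53), used
# here only so the example runs without a crypto library. These numbers are
# NOT secure; a real product uses a proper signature scheme and key sizes.
DEMO_N, DEMO_E = 3233, 17
DEMO_D = 2753   # private exponent: stays at the vendor, never ships in the client


def licence_digest(name: str, reg_no: int, users: int) -> int:
    """Hash of the registration fields, reduced into the demo modulus."""
    h = hashlib.sha256(f"{name}|{reg_no}|{users}".encode()).digest()
    return int.from_bytes(h, "big") % DEMO_N


def vendor_sign(name: str, reg_no: int, users: int) -> int:
    """Vendor side: issue the licence by signing the digest with DEMO_D."""
    return pow(licence_digest(name, reg_no, users), DEMO_D, DEMO_N)


def verify_licence(name: str, reg_no: int, users: int, signature: int) -> bool:
    """Client side: only (DEMO_E, DEMO_N) is embedded. The compare still
    happens, but nothing visible at it lets anyone sign other data."""
    return pow(signature, DEMO_E, DEMO_N) == licence_digest(name, reg_no, users)


if __name__ == "__main__":
    # Registration data from the tutorial; the dump bytes are the ones it quotes.
    print(dword_from_dump("85 D6 12 00"))                                   # 1234565
    print(weak_check("MisterE", 123454, 100, local_crc("MisterE", 123454, 100)))  # True
    sig = vendor_sign("MisterE", 123454, 100)
    print(verify_licence("MisterE", 123454, 100, sig))                      # True
    print(verify_licence("MisterE", 123454, 100, (sig + 1) % DEMO_N))       # False
```

dword_from_dump reproduces the byte-order step: 85 D6 12 read low byte first
is 0x12D685, i.e. 1234565. The difference between the two checks is where the
secret lives. weak_check computes the expected value inside the program, so it
is present in a register at the compare and a breakpoint shows it. verify_licence
only holds the public exponent, so whatever a breakpoint shows there is of no
use for producing a signature over different registration data. It does not by
itself stop someone from patching the je; that is a code-integrity problem and
needs a separate answer.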
If you have any comments, questions, or whatever, mail me at MisterE@freemail.nl
OR look for me at EFNET => #cracking4newbies or #cracking

.-----------------------------------------------------------------------------------------------.
|                                            GREETZ                                             |
`-----------------------------------------------------------------------------------------------'

Well, I can be rather short about this:

Greetz go to: everyone on #cracking4newbies - #tno - #inside98

.-----------------------------------------------------------------------------------------------.
`-----------------------------------------------------------------------------------------------'