iNTROdUCTION :
Boo !!! hi there !! and welcome to another tutorial !! ...
but that will not stop us , it will make us stronger and yes as some cracking group said (sorry i don't remember the name ) "We Will Never STOP living this way", and they can say what they want to say , and do what they want to do , cuz as my fav. person once said:
pROTEcTION :
this proggy is like always , it needz a Name and a Code to register, or let me say to UNLOCK !!, so let's start feeling GUILTY and crack this proggy !!
o.k like always , run the prog to take a look at it , ohh kool !! notice the "UNREGISTERED SHAREWARE" in the caption, now let's examine this prog , click on "Edit Theme" and look u can't edit any theme until u UNLOCK this program , so let's enter a name and code to unlock it !! in my case i wrote :
Name : FaTzBiT
Code : 1234567890
and there u go !! our error message !! "You have entered an invalid ..."
o.k so let's try to find the real code then , press the o.k button to close the error message !! and then fire up softice [Ctrl + d] and set a breakpoint like this :
Bpx GetDlgItemTextA
now press F5 to exit softice . then click on the o.k button , softice will break !! , press F5 then press F11 and u should be at this code :
:0040D058 681C044300 push 0043041C
:0040D05D 8D8DD0FBFFFF lea ecx, dword ptr [ebp+FFFFFBD0]
:0040D063 E80D68FFFF call 00403875
:0040D068 385DB4 cmp byte ptr [ebp-4C], bl
:0040D06B 7414 je 0040D081
o.k now all this code is no good for us , becuz all it does is put our name and our code into the registry , so we continue to trace until we reach this code :
:0040D09A FF750C push [ebp+0C]
:0040D09D E8D084FFFF call 00405572 <-- we step into this call
:0040D0A2 85C0 test eax, eax
:0040D0A4 59 pop ecx
:0040D0A5 0F8484010000 je 0040D22F
o.k now when u are at address 0040D09D press the F8 button to go into the call , and u should see code like this :
:00405572 55 push ebp <-- the start code of call at 0040D09D
:00405573 8BEC mov ebp, esp
:00405575 81EC74020000 sub esp, 00000274
:0040557B 8B4508 mov eax, dword ptr [ebp+08]
:0040557E 8365FC00 and dword ptr [ebp-04], 00000000
...
o.k so we are inside the call now !! , do u see "..." ? this means that the code is too long ( why ? ) becuz it will compare our name with a list of blacklisted names, so trace with F10 until u reach this code ( it is a long trace !!) :
:0040588B 0FBE5405D4 movsx edx, byte ptr [ebp+eax-2C] <-- edx has a char. from our name ( eax is the index into the name )
:00405890 8BF8 mov edi, eax <-- set the value
:00405892 83E701 and edi, 00000001 <-- of counter 1 and
:00405895 47 inc edi <-- counter 2 -- (*)
:00405896 0FAFD7 imul edx, edi <-- multiply our char. by counter 1
:00405899 03D0 add edx, eax <-- add the value of counter 2 to the result of the multiplication
:0040589B 0155FC add dword ptr [ebp-04], edx <-- add the value of edx to where the real serial is
:0040589E 40 inc eax <-- add one to eax
:0040589F 3BC1 cmp eax, ecx <-- compare eax with the length of our name
:004058A1 72E8 jb 0040588B <-- if below take the next char. and do the algo. again
:004058A3 8175FC04446482 xor dword ptr [ebp-04], 82644404 <-- xor our result with 82644404h = 2187609092d
:004058AA 7D08 jge 004058B4 <-- skip the neg below if the xor result is not negative
:004058AC 8B45FC mov eax, dword ptr [ebp-04] <-- put the result in eax
:004058AF F7D8 neg eax <-- neg = 2's complement of eax
:004058B1 8945FC mov dword ptr [ebp-04], eax <-- store it back in ebp-04
Then trace until this code :
:004058CD 8D4590 lea eax, dword ptr [ebp-70] <-- eax points to our fake code
:004058D0 50 push eax <-- push it on the stack
:004058D1 E8BF8E0100 call 0041E795 <-- convert our fake code string to an integer value and store it in eax
:004058D6 3945FC cmp dword ptr [ebp-04], eax <-- compare our real code with the fake code
:004058D9 59 pop ecx
:004058DA 0F85D4000000 jne 004059B4 <-- jump if not equal to the error message
o.k like always ... here is the algo. in ENGLISH :) ( sorry [XasX] i don't speak spanish !! )
first we take a char from our name, let's say it is the first char, then we set the 2 counters (*) , one of them is set to 1 and the other is set to zero ( edi = 1, eax = 0 ) , then we multiply our char. with counter 1 which is equal to 1 ( edi ) , then we add to the result of the multiplication the value of counter 2 which is equal to 0 ( eax = 0 ) , then at last we add the result to the location of the real code ( ebp-04 ) , and we add one to counter 2 and see if counter 2 is equal to the length of our name , if it is not we take the next char. and do the same algo. again , but there is something u should know : counter 1 is not incremented by 1 each time , it is recomputed on every loop as ( counter 2 AND 1 ) + 1 , so it alternates between 1 and 2 .
after we finish our name, we xor the result with 82644404h = 2187609092d , then we put it in eax , then we negate eax ( the jge only skips the neg when the xor result is not negative , and since 82644404h has the sign bit set the result is negative for any realistic name ) , which means we take the 2's complement of eax , now if you were at this line in softice after the neg instruction has been executed write ? eax and see your real code ...
now if you continue to trace with the F10 button, until u reach address 004058CD and write ? eax , u will see ur fake code/serial in the data window, continue to trace but don't step into the call at address 004058D1 just bypass it, and see ur fake code/serial converted to an integer value and stored in eax, now the next command will compare our fake code/serial with the calculated one, and if they are equal it will NOT display the error message, it will display the thank u message ....
hehehe o.k o.k ... i know that u have a lot of questions to ask, here are some of what u may have in mind :
Q1 : how did u find the algo. ?
A1 : the first thing u have to know is that i'm a cracker, and all crackers know assembly and plus we know how to use softice to trace commands, now all u have to do when u are working with softice is to pay attention to what is going on , now as u can see in this tutorial i first tried to break on GetDlgItemTextA and it worked , but if it didn't work i would use another api to break on , 2nd thing since the first breakpoint worked for reading my name then u have to know that it will use the same breakpoint to get the code/serial that u have entered, if u happen to find a prog that does the same thing then make sure that if u press the F5 button in softice it will exit and the error message will be displayed, and this is what happened with this program, now the other thing, i have traced after the program has read my fake code/serial to see what it is doing with my fake code/serial .... ( i hope that answers ur question !! )
Q2 : are u sure that this is the right algo. ?
A2 : in this case yes, and the reason is that 1st it calculates a serial from my name and 2nd it takes my fake code/serial and compares it with the calculated one. and the 3rd reason is that if the equal check fails then the error message is displayed , or let's say the program takes the error action becuz my code/serial is not valid ...
Q3 : if i want to patch where shall i patch ?
A3 : although in this case i don't agree with patching, and i also don't agree with finding a single code/serial , but if u want to know where to patch , it is at address 004058DA where the prog jumps to the error message, cuz at this address if ur code is invalid then it'll jump to display the error message, but we don't want that . so the best patch is to nop the code at address 004058DA so whatever serial/code u have entered it will always be valid ...
now if u have other questions feel free to email me ....
now let's code a keygen for this program ...
here is the source code for a keygen , it is written in C ,and i've used Turbo C++ v3.0 to compile it ...
// a keygen for Desktop Themes v1.89 by FaT[BiT] \ TNT!
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>   /* strlen(), strcspn() */
#ifdef __TURBOC__
#include <conio.h>    /* clrscr() only exists in Turbo C */
#endif

int main (void)
{
long i, count1 = 1;           /* count1 = edi in the trace, count2 = eax */
long count2 = 0;
unsigned long code = 0;       /* the running sum kept in [ebp-04] */
char ch;
char name[50];
#ifdef __TURBOC__
clrscr();
#endif
printf("------------------------------------------------------------------\n");
printf(" Desktop Themes v1.89 - Keymaker - by FaT[BiT] \\ TNT!\n");
printf("------------------------------------------------------------------\n\n");
printf(" Name : ");
if (fgets (name, sizeof name, stdin) == NULL)
name[0] = '\0';
name[strcspn (name, "\r\n")] = '\0';    /* drop the newline fgets keeps */
if (strlen (name)==0) {
printf(" Err : No name entered.");
exit (1);
}
for(i=0; i < (long) strlen (name); i++) {
ch = name[i];                          /* movsx edx, byte ptr [ebp+eax-2C] */
code += ((ch * count1) + count2++);    /* imul edx,edi / add edx,eax / add [ebp-04],edx */
count1 = count2;                       /* mov edi,eax */
count1 &= 1;                           /* and edi,1 */
count1++;                              /* inc edi : count1 alternates 1,2,1,2,... */
}
code = ~(code ^ 0x82644404) + 1;        /* xor [ebp-04],82644404 then neg eax */
code &= 0xFFFFFFFFUL;                   /* keep the 32-bit value the prog computes (long is 64-bit on many systems today) */
printf(" Code : %lu", code);
return 0 ;
}
o.k now let's enter our name in the keygen and copy ur code and paste it in the prog and ...
tKC ... (for showing me the light !! )
LW2000 ... ( Thanx alot i now use my brain )
[XasX] ... (a very good founder and a very good friend also!)
AzmO ... (yes!! man we are different !! )
Sir dReAm ... (i will be seeing u soon !! )
ASTAGA ... (i know that u hate keygenz !!! sorry !!)
BoneZ ... (thanx alot for the support !!)
BillGameZ, VaibLitzeR, MezUz , and ShaQ ... (good luck to u all !! )
and to all TNT!CRACK!TEAM! members ... (keep up the good work !!)
any comments mail me : fatzbit@linuxmail.org
See ya in another tut !!! Soon !!!
--= EOF =--