Dedication Fly to

Intoduction & Protection

iNTROdUCTION :

hi there and wellcome to another tutorial ...
Maybe the worst thing that crackers ever made is tutorials, and you may ask why i'm saying this , will if crackers DIDN't wrote any tutorials no one will be able to figure out how the crack has been made and they will not be able to defeat it in the next version , but anyway the crackers are poeple who love knowledge and want to share it with the world if then can !! unlike other people ( you know whom i'm talking about !! ) ...

pROTEcTION :

This program or shall i say these programz have the same protection , they all need a name and a REgistration code and today we will lean how to find our registration code and also how to write a keygen for it ....

The Essay

o.k like allways install the prog and run it , you will be hit with a nag screen with the button register on it !! so click it and and enter you info , in may case i wrote like this :

Name : FaT[BiT] \ TNT!
Registration Number : 1234567890

i will make things short here , there is no need to see our error message , so fire up softice and set a breakpoint like this one

Bpx Hmemcpy

now press F5 , then click the o.k button and softice will break , press F11, then press F12 for 11 times , clear all the break points , and you will be at this code :

:xxxxxxxx          mov eax,[ebp-04] <-- eax has our name
:xxxxxxxx          call xxxxxxxx <-- get the length of our name
:xxxxxxxx          test eax,eax check if it is empty
:xxxxxxxx          jle xxxxxxxx <-- if yes then jump

now trace with the F10 button until you reach to this code :

:xxxxxxxx          mov eax,[ebp-10] <-- eax has our name
:xxxxxxxx          call xxxxxxxx <-- get the length of our name in eax
:xxxxxxxx          imul eax,eax,00893FB4 <-- multiply eax with 00893FB4h = 8994740

now after you have executed the imul command see the value of eax by typing '? eax' and write it down , hols on this is part of our real serial but trace until this command by the F10 button

:xxxxxxxx          call xxxxxxxx
:xxxxxxxx          mov edx, [ebp-08] <-- our real code in edx
:xxxxxxxx          pop eax <-- eax has our fake code
:xxxxxxxx          call xxxxxxxx <-- call to check if they are equal
:xxxxxxxx          jnz xxxxxxxx <-- if not jump to error message

now when we are at the last call before the jump , check the content of edx by writting 'd edx', and you will see our real code and also check the content of eax , and you will se our fake code , but wait a min , look at our real code and take a good look at it , it has the value of the multiply right !! ... here let me explain (in my case)

The Result from the Multiply :         134921100
The Content of edx :                  2806134921100791

i don't have anything to add or to explain i think everything is clear !! but i will list the code for a keygen...

// a keygen for CoolStrip Designer v1.2.4 by FaT[BiT] \ TNT!

#include <stdio.h>
#include <conio.h>

main ()
  {
        unsigned char name[40] ;
        unsigned long code = 0;
        clrscr();
        printf("------------------------------------------------------------------\n");
        printf(" CoolStrip Designer v1.2.4 - Keymaker - by FaT[BiT] \\ TNT!\n");
        printf("------------------------------------------------------------------\n\n");
        printf("Enter Your Name : ");
        gets(name);
        if ((code = strlen(name)) != 0) printf("Registration Code : 2806%ld791", code * 8994740);
                else printf("Err : No Name Entered.");
        return 0;
  }

now write this code and save it as xxxxxxxx.c then compile and link it ,run it enter your name and ...

NOTE : now you can try on any other product by Cfi, all you have to do is to change the begining of the registration code and also the end plus to know in what to multiply our name string length with ... that's all

Final WordZ