Welcome to cheekey's Cracking Tutorial #2! Today there are two new tutorials, both are keygen tutz, and if you understood my first tut, this one will be easy for ya.

Target: Waveflow 3.0 (http://www.waveflow.com)
Protection: Serial
Solution: KeyGen
Toolz: Softice 4.x, BCB 4 (for coding the keygen)

Ok, I hope you know how to use SoftICE (setting breakpoints, etc.), so let's start: set THE ;) breakpoint (bpx hmemcpy), and "push F12 until we reach 32bit code. You recognize 32bit code when the memory address has the following form: XXXX:XXXXXXXX. When we have reached it, we press F10 until we reach code where there's no "ret" in the next 5 lines. Now we have reached the part where it gets interesting." (snippet of one of LaZaRuS' tutz - get em all: www.learn2crack.org)

:004561D8 8B45F4       mov eax, dword ptr [ebp-0C]
:004561DB 8D55FC       lea edx, dword ptr [ebp-04]
:004561DE E871050000   call 00456754                 // (1)
:004561E3 8B55FC       mov edx, dword ptr [ebp-04]
:004561E6 58           pop eax
:004561E7 E824DBFAFF   call 00403D10
:004561EC 0F855E010000 jne 00456350
. . . .
If you just trace through here you'll see nothing special, nothing that looks like a serial routine (those are mostly movzx and arithmetic), so let's go into the first call (1):

:00456754 55           push ebp
:00456755 8BEC         mov ebp, esp
:00456757 83C4F8       add esp, FFFFFFF8
:0045675A 53           push ebx
:0045675B 56           push esi
:0045675C 8BF2         mov esi, edx
:0045675E 8945FC       mov dword ptr [ebp-04], eax
:00456761 8B45FC       mov eax, dword ptr [ebp-04]
:00456764 E84BD6FAFF   call 00403DB4
:00456769 33C0         xor eax, eax
:0045676B 55           push ebp
:0045676C 68E1674500   push 004567E1
:00456771 64FF30       push dword ptr fs:[eax]
:00456774 648920       mov dword ptr fs:[eax], esp
:00456777 8BC6         mov eax, esi
:00456779 E806D2FAFF   call 00403984
:0045677E 33DB         xor ebx, ebx                       // ebx = 0, this will be the sum
:00456780 8B45FC       mov eax, dword ptr [ebp-04]
:00456783 E878D4FAFF   call 00403C00                      // length of the name in eax
:00456788 85C0         test eax, eax
:0045678A 7E13         jle 0045679F                       // empty name -> skip the loop
:0045678C BA01000000   mov edx, 00000001                  // edx = index, starts at 1
:00456791 8B4DFC       mov ecx, dword ptr [ebp-04]       -+
:00456794 0FB64C11FF   movzx ecx, byte ptr [ecx+edx-01]   |
:00456799 03D9         add ebx, ecx                       | haha looks good, doesn't it? ;)
:0045679B 42           inc edx                            |
:0045679C 48           dec eax                            |
:0045679D 75F2         jne 00456791                      -+

Ok, we see a routine which looks like the normal routine that almost every shareware prog uses. And I tell you, it is the one! It adds all the ASCII codes of the chars of your name together (movzx loads each char as an unsigned byte, add puts it into ebx). Ok, let's keep that in mind:

1. serial = ASCII codes added together

When all values are added it goes on with this code:

:0045679F 895DF8       mov dword ptr [ebp-08], ebx        // save for later use
:004567A2 DB45F8       fild dword ptr [ebp-08]            // load the sum as an integer onto the FPU stack
:004567A5 DB2DF0674500 fld tbyte ptr [004567F0]           // load an 80-bit float constant (we'll see it's 0.8)
:004567AB DEC9         fmulp st(1), st(0)                 // multiply the two and pop
:004567AD E806C2FAFF   call 004029B8

Hmm, we know ebx contains our value... then at :0045679F it is saved for later use... and then three commands which you don't see so often, but you see "fmulp st(1), st(0)". "st" here is the x87 FPU register stack, st(0) is the top and st(1) the one below it (not the normal stack that esp points to). So let's enable the FPU stack window, enter "wf" in SoftICE (thx to Azzy for the hint ;) and watch what these commands do...
You'll see it happen in the window: after the fild our value is on the FPU stack, after the fld the constant ".8" is there next to it, and after the fmulp there's a new value, our old one times 0.8. The call at 004029B8 rounds that to an integer, and after it eax holds the rounded result (look what the next instruction does with eax). So the new value is calculated from our old one and the 0.8, and yes, it is:

1. serial = ASCII codes added together
2. serial = serial * 0.8 (rounded)

Ok, let's go on:

:004567B2 F7E8         imul eax                           // serial = serial*serial
:004567B4 8BD8         mov ebx, eax                       // saved in ebx
:004567B6 8B45FC       mov eax, dword ptr [ebp-04]
:004567B9 E842D4FAFF   call 00403C00                      // length of the name again
:004567BE 03C0         add eax, eax                       // eax = length of name + length of name
:004567C0 03D8         add ebx, eax                       // added to ebx
:004567C2 8BC3         mov eax, ebx
:004567C4 8BD6         mov edx, esi
:004567C6 E8190BFBFF   call 004072E4
:004567CB 33C0         xor eax, eax

A few calls later you'll see:

:00403D17 39D0         cmp eax, edx                       // compare real serial (d eax) with fake (d edx)
:00403D19 0F848F000000 je 00403DAE

So we got everything for the serial calculation:

sum    = all ASCII codes of the name added together
serial = round(sum * 0.8) * round(sum * 0.8) + namelength + namelength

Note that the rounding happens before the squaring, so you can't just square 965.6.

Example: name: cheekey [l2c]   (sum = 1207, length = 13)
serial = round(1207 * 0.8) * round(1207 * 0.8) + 13 + 13 = 966 * 966 + 26 = 933182

And here is the Win32 C++ (I use BCB 4) code snippet for a keygen (create two textboxes, Edit1 for the name and Edit2 for the serial; for the rest read the comments):

//---------------------------------------------------------------------------
void __fastcall TForm1::Edit1Change(TObject *Sender)
{
    AnsiString strSerial = Edit1->Text;   // the name typed into the first textbox
    int iFertig = 0;
    double bla = 0;                        // double, not float: the prog multiplies in 80-bit on the FPU

    if (strSerial.Length() > 0)
    {
        // the ascii-codes adding routine starts (AnsiString is 1-based, so i runs from 1)
        for (int i = 1; i <= strSerial.Length(); i++)
        {
            iFertig += static_cast<unsigned char>(strSerial[i]);  // iFertig = iFertig + new ascii-value (unsigned, like movzx)
        }
        bla = iFertig * 0.8;   // result * 0.8
        bla += 0.5;            // this is the place where I wanna say thx to _dracon_ ! isn't it a good
        iFertig = (int)bla;    // idea to add 0.5 to the float and then put it into an integer to round !?
        iFertig = iFertig * iFertig + strSerial.Length() + strSerial.Length();  // yeah and the rest of the routine
        Edit2->Text = iFertig;
    }
    else
    {
        Edit2->Text = "You have to enter at least 1 char";
    }
}
//---------------------------------------------------------------------------

You registered the prog and wanna unregister it? Edit the "wavedit.ini" in your Waveflow dir!

Ok, that's @ll folks... how to contact me:
mail: cheekey99@hotmail.com
efnet: #learn2crack
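Added example, not part of cheekey's tutorial or the BCB keygen above: the same algorithm as a plain C command-line keygen, so it compiles without BCB and can be checked against the tut's example name. It follows the disassembly step by step (the movzx/add loop over unsigned bytes, the fild/fld/fmulp with 0.8, the rounding, imul, plus 2*length) and also shows why the rounding mode of the prog's round call doesn't matter here: 0.8 is 4/5, so sum*0.8 always has a fractional part of .0, .2, .4, .6 or .8 and there's never a .5 tie between half-up and the x87 default round-to-nearest-even. The function names are mine, and serial_matches() assumes (my reading of the mov edx, esi / call 004072E4 before the compare routine) that the prog turns its number into a string before comparing it with what you typed.

```c
#include <stdio.h>
#include <string.h>

/* Step 1 (loop at 00456791..0045679D): add the byte value of every char of
 * the name. movzx loads an unsigned byte, so use unsigned char here too. */
long name_sum(const char *name)
{
    long sum = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        sum += *p;
    return sum;
}

/* Step 2 (fild / fld tbyte 0.8 / fmulp / call 004029B8): sum * 0.8, rounded
 * to the nearest integer. sum*0.8 = 4*sum/5 has a fractional part that is a
 * multiple of 0.2, never exactly .5, so "add 0.5 and truncate" (sum is never
 * negative) gives the same result as the FPU's round-to-nearest-even. */
long scaled_sum(long sum)
{
    double x = sum * 0.8;
    return (long)(x + 0.5);
}

/* Steps 3-4 (imul eax; add length twice): the final serial. An empty name
 * skips the sum loop in the prog (jle 0045679F) and gives 0 + 0 = 0. */
long waveflow_serial(const char *name)
{
    long r = scaled_sum(name_sum(name));
    return r * r + 2 * (long)strlen(name);
}

/* Assumed check (see lead-in): the prog compares the serial as a string, so
 * "0933182" or " 933182" would not match even though the number is right. */
int serial_matches(const char *name, const char *typed)
{
    char buf[32];
    snprintf(buf, sizeof buf, "%ld", waveflow_serial(name));
    return strcmp(buf, typed) == 0;
}

int main(int argc, char **argv)
{
    /* default is the tut's own example name */
    const char *name = argc > 1 ? argv[1] : "cheekey [l2c]";
    printf("name:   %s\n", name);
    printf("sum:    %ld\n", name_sum(name));
    printf("serial: %ld\n", waveflow_serial(name));
    return 0;
}
```

Compile with `cc -o wfkeygen wfkeygen.c` and run it with the name as the first argument (quote it if it has spaces); with no argument it prints the tut's example, which should come out as sum 1207 and serial 933182.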