Welcome to cheekey's Cracking Tutorial #4!

This is my fourth tutorial after a long time of idling / releasing some Keygens in the
rls-scene ... I have left Germany and I'm now staying in the US, have phun !


Target: Media Ripper 32 v1.5 (http://flash.onego.ru/mr32/)
Protection: Serial
Solution: Keygen Deluxe
Toolz: Softice 4.x, Delphi 5 (for coding the Keygen)

Ok i hope you know how to use Softice (setting breakpoints, etc.), so let's start:
- set THE ;) breakpoint (bpx hmemcpy), and "push F12 until we reach 32bit code.
  You recognize 32bit code when the memory address has the following form: XXXX:XXXXXXXX.
  When we reached it, we press F10 until we reach code where there's no "ret" in the next
  5 lines. Now we have reached the part where it gets interesting." (snippet of one of
  LaZaRuS' tutz - get em all: www.learn2crack.org)
- as u hopefully recognized, it's always the same if u compare this tut to my other ones.
  But why am I writing another one? It's the new Keygen style: if u use the new one,
  u don't even have to copy ur name/serial ... try it !

so here we go, we are now inside the prog. Let's trace a little bit (F10) and, every time one
of the eXx registers changes, enter "d eXx". At :0045C4CA we get something interesting if we
enter "d eax": it's a string containing our name + company, and a few lines deeper our fake serial.


:0045C4CA 8B45F0                  mov eax, dword ptr [ebp-10] //here

In the next lines you'll see a call (it puts the length of the string into eax) followed by
"cmp eax, 00000019" (0x19 = 25). This checks whether ur name + company is at least 25 chars
long; if not, the instructions up to 0045C4F4 append "Media Ripper 32 Registr." to ur name +
company. For example the "name" string could now be
"Bill GatesMicrosoftMedia Ripper 32 Registr."



:0045C4CD E88678FAFF              call 00403D58
:0045C4D2 83F819                  cmp eax, 00000019           //here
:0045C4D5 7D1D                    jge 0045C4F4
:0045C4D7 8D55D4                  lea edx, dword ptr [ebp-2C]
:0045C4DA 8B45F0                  mov eax, dword ptr [ebp-10]
:0045C4DD E826B7FAFF              call 00407C08
:0045C4E2 8B55D4                  mov edx, dword ptr [ebp-2C]
:0045C4E5 8D45F4                  lea eax, dword ptr [ebp-0C]
:0045C4E8 B974C74500              mov ecx, 0045C774
:0045C4ED E8B278FAFF              call 00403DA4
:0045C4F2 EB0B                    jmp 0045C4FF


But if name + company already has at least 25 chars, the jge at :0045C4D5 is taken and the
program goes directly to :0045C4F4. In the next lines nothing interesting happens; at :0045C524
eax becomes the ANSI code of the first char, and the next line xors it with the counter (ebx,
which starts at 1). The call at :0045C52B converts the result into its decimal string, and the
Copy-style call at :0045C533-:0045C53D (start 1, count 2) keeps only its first 2 chars; at
:0045C542-:0045C548 they are appended to the result string. For example, if the result was
142, the string becomes its old value + "14". At :0045C54E the counter is compared with 26
(0x1A); if it's not equal, the prog jumps back to :0045C51A and does the same routine with
the next char.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045C551(C)
|
:0045C51A 8D45D4                  lea eax, dword ptr [ebp-2C]
:0045C51D 50                      push eax
:0045C51E 8D55D0                  lea edx, dword ptr [ebp-30]
:0045C521 8B45F4                  mov eax, dword ptr [ebp-0C]
:0045C524 0FB64418FF              movzx eax, byte ptr [eax+ebx-01]
:0045C529 33C3                    xor eax, ebx
:0045C52B E858B8FAFF              call 00407D88
:0045C530 8B45D0                  mov eax, dword ptr [ebp-30]
:0045C533 B902000000              mov ecx, 00000002
:0045C538 BA01000000              mov edx, 00000001
:0045C53D E81A7AFAFF              call 00403F5C
:0045C542 8B55D4                  mov edx, dword ptr [ebp-2C]
:0045C545 8D45F8                  lea eax, dword ptr [ebp-08]
:0045C548 E81378FAFF              call 00403D60
:0045C54D 43                      inc ebx
:0045C54E 83FB1A                  cmp ebx, 0000001A
:0045C551 75C7                    jne 0045C51A

Now for a long time again nothing interesting happens, until :0045C5C9 and the next lines: eax
gets the real serial and edx ur entered serial. U'll see that the real serial is always
"MR32" + the string that was calculated a few lines before. The call at :0045C5CF compares
them, and the next conditional jump decides whether u are the good or the bad boy ...



:0045C5C9 8B45EC                  mov eax, dword ptr [ebp-14]
:0045C5CC 8B55E8                  mov edx, dword ptr [ebp-18]
:0045C5CF E89478FAFF              call 00403E68
:0045C5D4 0F85AD000000            jne 0045C687


ok, now we got everything for our keygen :) and here is the basic Delphi code
(Edit1 = Name ; Edit2 = Serial ; Edit3 = Company):


//---------------------------------------------------------------------------

procedure TForm1.Edit1Change(Sender: TObject);
var
  i          : Integer;
  strblub    : String;   // decimal string of one xor result
  strSerial  : String;   // name + company, later the finished serial
  strSerial2 : String;   // the digit string built by the loop
begin
  if Edit1.Text = '' then
  begin
    Edit2.Text := 'At least 1 char for the name';
  end
  else
  begin
    strSerial  := '';
    strSerial2 := '';
    strblub    := '';
    strSerial  := Edit1.Text + Edit3.Text;
    // same as the "cmp eax, 19 / jge" at :0045C4D2: pad short input
    if Length(strSerial) < 25 then
      strSerial := strSerial + 'Media Ripper 32 Registr.';
    // the loop :0045C51A-:0045C551: 26 chars, each xored with its 1-based
    // counter, then only the first two decimal digits are kept (Copy, like
    // the call at :0045C53D; a plain strblub[2] would be out of range for
    // results below 10). With a 25-char string index 26 reads the #0
    // terminator, just like the program itself does.
    for i := 1 to 26 do
    begin
      strblub    := IntToStr(Ord(strSerial[i]) xor i);
      strSerial2 := strSerial2 + Copy(strblub, 1, 2);
    end;
    // "MR32" + the digit string, split into the parts the dialog asks for
    strSerial := 'MR32-' +
      strSerial2[1] + strSerial2[2] + strSerial2[3] + strSerial2[4] + '-' +
      strSerial2[5] + strSerial2[6] + strSerial2[7] + strSerial2[8] +
      strSerial2[10] + strSerial2[11] + strSerial2[12] + strSerial2[13] + '-' +
      strSerial2[15] + strSerial2[16] + strSerial2[17] + strSerial2[18];

    Edit2.Text := strSerial;
  end;
end;

//---------------------------------------------------------------------------

now the interesting part, and the reason why i wrote this tut. We want our Keygen to enter
the serial automatically into the program when the user types his name and company into the
edit boxes of Media Ripper 32. To do this we have to get the handles of the edit boxes; they
change every time u run the prog, but we got the API :) To get the main window handle we use
FindWindowExA ...

example :

//---------------------------------------------------------------------------
hwnd := FindWindowExA(0, 0, nil, 'MediaRipper 32 Registration');   // nil = any class
//---------------------------------------------------------------------------

now u'll try to get the handle of the next child (in this case "TGroupBox"). To find the
class name of the next child window, use a window spy, e.g. "ALDI666 WinNFO".

//---------------------------------------------------------------------------
hwnd2 := FindWindowExA(hwnd, 0, 'TGroupBox', nil);   // nil = any window title
//---------------------------------------------------------------------------

and so on ...

//---------------------------------------------------------------------------
hwndedit1 := FindWindowExA(hwnd2, 0, 'TEdit', nil);           // first TEdit in the group box
hwndedit2 := FindWindowExA(hwnd2, hwndedit1, 'TEdit', nil);   // next TEdit after hwndedit1
hwndedit3 := FindWindowExA(hwnd2, hwndedit2, 'TEdit', nil);
hwndedit4 := FindWindowExA(hwnd2, hwndedit3, 'TEdit', nil);
//---------------------------------------------------------------------------

and so on ...

now u can GET or SET the text of the edit boxes ...
to get the text u first have to make a string buffer large enough for the name (plus the
terminating #0 that WM_GETTEXT writes). Then WM_GETTEXT copies the content of the name edit
box into it (hwndedit6 = name box):

//---------------------------------------------------------------------------
slength := SendMessage(hwndedit6, WM_GETTEXTLENGTH, 0, 0);
SetLength(strgetname, slength + 1);   // room for the text and the terminating #0
// WM_GETTEXT returns the number of chars copied (without the #0)
slength := SendMessage(hwndedit6, WM_GETTEXT, slength + 1, Longint(PChar(strgetname)));
SetLength(strgetname, slength);       // cut the string back to the real text
//---------------------------------------------------------------------------

do the same with the company and make ur serial calculation ... then enter the serial
parts with WM_SETTEXT into the shareware prog:

//---------------------------------------------------------------------------
SendMessage(hwndedit4, WM_SETTEXT, 0, Longint(PChar('MR32')));   // first part is constant
SendMessage(hwndedit3, WM_SETTEXT, 0, Longint(PChar(strserialpart2)));
SendMessage(hwndedit2, WM_SETTEXT, 0, Longint(PChar(strserialpart3)));
SendMessage(hwndedit1, WM_SETTEXT, 0, Longint(PChar(strserialpart4)));
//---------------------------------------------------------------------------

that's it ... i don't wanna paste the complete code ... try it urself ! u got everything to
do it :) and don't forget to check whether the prog is really running (FindWindowExA returns
0 if the window isn't there):

//---------------------------------------------------------------------------
if hwnd <> 0 then
begin

  .
  .
  . some code ...
  .
  .

end;
//---------------------------------------------------------------------------

- I added WinNFO and the Media Ripper 32 Keygen I released as cantal at iNTENSiON.

- you registered the prog and wanna unregister it ?
  - delete HKEY_CURRENT_USER\Software\MediaRipper32


ok that's @ll folks ...

how to contact me: 

mail:cheekey99@hotmail.com
efnet: #learn2crack


have phun !
