Cracking Tutorial #87:
Family Key Logger v2.30
SpyArsenal.com - KMiNT21 Software
[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 01/2003
[difficulty:] medium
[where:] http://www.spyarsenal.com
[tOOLz:] w32dasm 8.93, Hiew 6.0, Softice 4.05, Visual Basic 6
KANAL23 Tutorial
http://www.kanal23.net
|
Rating
|
Easy { }
Medium {X}
Hard { }
Pro { }
|
Woohoo, found my laptop (I was able to ping it
but i didn't know where it was) and now we can play with Softice some more!
Today is one of the most fun apps to crack because they try various tricks but
they are all old tricks and very blatant as to what they are up to, very easy to
follow so this will be an example program and we will patch it many different
ways to crack it as well as explaining the code in depth and also keygenning the
program.
Family keylogger is a kinda kool program although easy to make on your own, it
is just a keylogger but a nicely setup one at that and it runs in the systray
and can also be hidden from all kinds of viewing, very stealth like.
This tutorial is fairly long so get a pop and a smoke if
you plan on reading it all.
Well first lets attack this the easy way, patch
jobby. Disassemble the code in w32dasm and make sure you have your backups as we
will need them later so we can patch different ways and also follow the code in
softice. Open the String Refs and we can see this:
"\Family Key Logger""
<-registry key not used with
serial
"\Family Key Logger\Family Key "
<-registry key not used with
serial
"2305-1959-0603-4944-0407-0202"
<-is it a hardcoded key? NO
"About"
"Are you sure?"
"Arial"
"cisvc.dll"
"cisvc.txt"
"CKMiNT21FAMILYKEYLOGGER"
"Clear log"
"Error!"
"Error. I can create main window!"
"Error. I can register window class"
"Exit"
"Family Key Logger v2.30"
"FamilyKeyLogger"
"fkl.chm"
<-help file
"Help"
"Hide icon"
"Home page"
"http://fkl.netfirms.com/?2305-1959-0603-4944-0"
<-bad key that looked
hardcoded (above)
"http://fkl.netfirms.com/?TSRh-keygen"
<-bad keycode from a
blacklisted keygen
"http://fkl.netfirms.com/?TSRh-serial"
<-bad keycode from a
blacklisted serial
"http://www.spyarsenal.com/cgi-bin/feedback.pl?"
<-feedback, send comments
"http://www.spyarsenal.com/familykeylogger/inde"
<-homepage
"http://www.spyarsenal.com/familykeylogger/regi"
<-when you click "goto the
register page now"
"http://www.spyarsenal.com/index.html?familykey"
<-homepage
"I can't find the functions in "
"I can't load dll"
"I can't set Keyboard Hook! "
"InstallKeyboardHook"
"Invalid key!" <-after
you put in a bad key and visit the badkey webpage
"Kernel32.dll"
"mailto:subscribe@spyarsenal.com?subject=family"
<-subscribe to news
"open"
"Options"
"Options..."
"RegisterServiceProcess"
"Registration"
"Send comments"
"Serial.key" <-hmmmm
"SetOptions"
"Software"
"Software\KMiNT21\FamilyKeyLogger"
<-registry key not used with serial
"Software\Microsoft\Windows\CurrentVersion\Run"
<-registry key not used with serial
"Software\Microsoft\Windows\CurrentVersion\Unin"
<-registry key not used with serial
"Sorry"
"Stealth mode"
"Subscribe to news"
"test"
"Thank you for registration!"
<-no, thank you
"To unhide press hot key (by default "
"Transparent"
"UnInstallKeyboardHook"
"View log"
"Warning! Please read HELP if you "
"You have not registered. Go to "
<-eck
"You must log-in to your computer "
"You must register to use this "
<-try and put a check in
startup hidden in the options.
First let's check out our error when we try to register the program:
Invalid Key! Well we can either trace that back or go after the "Thank you for
registration!" Let's check the latter:
![]()
:004030E6 FF1570104000 Call
dword ptr [00401070]
:004030EC E82BECFFFF call 00401D1C
:004030F1 85C0 test eax, eax
:004030F3 7427 je 0040311C
<-jump to "Invalid Key!"
:004030F5 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"FamilyKeyLogger"
|
:004030F7 A1F0504000 mov eax, dword ptr [004050F0]
:004030FC 50 push eax
* Possible StringData Ref from Data Obj ->"Thank you for registration!"
|
:004030FD 8B0D34514000 mov ecx, dword ptr [00405134]
:00403103 51 push ecx
:00403104 8B5508 mov edx, dword ptr [ebp+08]
:00403107 52 push edx
![]()
So let's just change this:
:004030F3 7427 je 0040311C (offset 24F3)
To this:
:004030F3 4840 dec eax, inc
eax
This allows any code to register, although
registration will not stay.
![]()
Next we have the annoying nag: "You have not registered. Go to registration
page?"
I think this pops up after the eval time but maybe before, who cares, we double
click on it in the String Refs and see this area of code.
![]()
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00401AEF(C), :00401AF8(C)
|
:00401B04 E813020000 call 00401D1C
:00401B09 85C0 test eax, eax
:00401B0B 7558 jne 00401B65
<-another obvious one
:00401B0D E872050000 call 00402084
:00401B12 8945C8 mov dword ptr [ebp-38], eax
:00401B15 B915000000 mov ecx, 00000015
:00401B1A 2B4DC8 sub ecx, dword ptr [ebp-38]
:00401B1D 83F90A cmp ecx, 0000000A
:00401B20 7D43 jge 00401B65
:00401B22 6A24 push 00000024
* Possible StringData Ref from Data Obj ->"FamilyKeyLogger"
|
:00401B24 8B15F0504000 mov edx, dword ptr [004050F0]
:00401B2A 52 push edx
* Possible StringData Ref from Data Obj ->"You have not registered. Go to "
->"registration page?"
|
:00401B2B A130514000 mov eax, dword ptr [00405130]
:00401B30 50 push eax
:00401B31 B930594000 mov ecx, 00405930
:00401B36 E83EFAFFFF call 00401579
:00401B3B 50 push eax
![]()
So let's change this:
:00401B0B 7558 jne 00401B65
(Offset F0B)
To this:
:00401B0B EB58 jmp 00401B65
No more nag, the code will jump it everytime!
![]()
Now the last part is an option that can only be used when you are registered.
Once again look in the String Ref's and trace it that way.
You must register to use this option: Start in hidden mode. Register now?
* Possible StringData Ref from
Data Obj ->"FamilyKeyLogger"
|
:00402F10 8B15F0504000 mov edx, dword ptr [004050F0]
:00402F16 52 push edx
:00402F17 B930594000 mov ecx, 00405930
:00402F1C E869E6FFFF call 0040158A
:00402F21 E8F6EDFFFF call 00401D1C
:00402F26 85C0 test eax, eax
:00402F28 7552 jne 00402F7C
<-we can make this one jump
past it
:00402F2A 833DD45D400000 cmp dword ptr [00405DD4], 00000000
:00402F31 743F je 00402F72
<-or we can make this one jump
past it
:00402F33 6A04 push 00000004
* Possible StringData Ref from Data Obj ->"Sorry"
|
:00402F35 68B8584000 push 004058B8
* Possible StringData Ref from Data Obj ->"You must register to use this "
->"option: "Start in hidden mode". "
->"Register now?"
![]()
So just change this:
:00402F28 7552 jne 00402F7C (offset 2328)
To this:
:00402F28 EB52 jmp 00402F7C
![]()
ok well run the program and it's cracked, so lets attack it another way! Copy
over the uncracked backup and notice in the same DIR is a file called "Serial.key",
it's also in the String Refs. Let's
go after Serial.key (note below the code on the right is what we want, jmp means
make it jmp.
* Referenced by a CALL
at Addresses:
|:00401783 , :00401B04 , :00402F21 , :004030EC
|
:00401D1C 55 push ebp
:00401D1D 8BEC mov ebp, esp
:00401D1F 81EC0C020000 sub esp, 0000020C
:00401D25 6804010000 push 00000104
:00401D2A 8D85FCFEFFFF lea eax, dword ptr [ebp+FFFFFEFC]
:00401D30 50 push eax
:00401D31 B930594000 mov ecx, 00405930
:00401D36 E8C5F4FFFF call 00401200
* Possible StringData Ref from Data Obj ->"Serial.key"
<-serial is stored here
|
:00401D3B 8B0D00514000 mov ecx, dword ptr [00405100]
:00401D41 51 push ecx
:00401D42 8D95FCFEFFFF lea edx, dword ptr [ebp+FFFFFEFC]
:00401D48 52 push edx
* Reference To: KERNEL32.lstrcatA, Ord:02F9h
|
:00401D49 FF157C104000 Call dword ptr [0040107C]
:00401D4F 6A00 push 00000000
:00401D51 6880000000 push 00000080
:00401D56 6A03 push 00000003
:00401D58 6A00 push 00000000
:00401D5A 6A03 push 00000003
:00401D5C 6800000080 push 80000000
:00401D61 8D85FCFEFFFF lea eax, dword ptr [ebp+FFFFFEFC]
:00401D67 50 push eax
* Reference To: KERNEL32.CreateFileA, Ord:0034h
|
:00401D68 FF1580104000 Call dword ptr [00401080]
:00401D6E 8985F4FDFFFF mov dword ptr [ebp+FFFFFDF4], eax
:00401D74 83BDF4FDFFFFFF cmp dword ptr [ebp+FFFFFDF4], FFFFFFFF
:00401D7B 7507 jne 00401D84
:00401D7D 33C0 xor eax, eax
:00401D7F E9FC020000 jmp 00402080
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401D7B(C)
|
:00401D84 6A00 push 00000000
:00401D86 8D8DF8FEFFFF lea ecx, dword ptr [ebp+FFFFFEF8]
:00401D8C 51 push ecx
:00401D8D 68FE000000 push 000000FE
:00401D92 8D95F8FDFFFF lea edx, dword ptr [ebp+FFFFFDF8]
:00401D98 52 push edx
:00401D99 8B85F4FDFFFF mov eax, dword ptr [ebp+FFFFFDF4]
:00401D9F 50 push eax
* Reference To: KERNEL32.ReadFile, Ord:0218h <-read
serial from file, great SI BPX
|
:00401DA0 FF156C104000 Call dword ptr [0040106C]
:00401DA6 8B8DF8FEFFFF mov ecx, dword ptr [ebp+FFFFFEF8]
:00401DAC C6840DF8FDFFFF00 mov byte ptr [ebp+ecx-00000208], 00
:00401DB4 8B95F4FDFFFF mov edx, dword ptr [ebp+FFFFFDF4]
:00401DBA 52 push edx
* Reference To: KERNEL32.CloseHandle, Ord:001Bh
|
:00401DBB FF1584104000 Call dword ptr [00401084]
:00401DC1 83BDF8FEFFFF0A cmp dword ptr [ebp+FFFFFEF8], 0000000A
:00401DC8 7307 jnb 00401DD1 <-take this jump, make
sure serial is more that 10 chars
:00401DCA 33C0 xor eax, eax
:00401DCC E9AF020000 jmp 00402080 <-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401DC8(C)
|
:00401DD1 0FBE85F8FDFFFF movsx eax, byte ptr [ebp+FFFFFDF8]
:00401DD8 0FBE8DF9FDFFFF movsx ecx, byte ptr [ebp+FFFFFDF9]
:00401DDF 03C1 add eax, ecx
:00401DE1 0FBE95FAFDFFFF movsx edx, byte ptr [ebp+FFFFFDFA]
:00401DE8 03C2 add eax, edx
:00401DEA 0FBE8DFBFDFFFF movsx ecx, byte ptr [ebp+FFFFFDFB]
:00401DF1 03C1 add eax, ecx
:00401DF3 85C0 test eax, eax
:00401DF5 7507 jne 00401DFE <-make me jump
:00401DF7 33C0 xor eax, eax
:00401DF9 E982020000 jmp 00402080 <-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401DF5(C)
|
:00401DFE 8D95F8FDFFFF lea edx, dword ptr [ebp+FFFFFDF8]
:00401E04 52 push edx
* Reference To: KERNEL32.lstrlenA, Ord:0308h
|
:00401E05 FF1590104000 Call dword ptr [00401090]
:00401E0B 83F81D cmp eax, 0000001D
:00401E0E 7407 je 00401E17 <-make me jump
:00401E10 33C0 xor eax, eax
:00401E12 E969020000 jmp 00402080 <-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401E0E(C)
|
:00401E17 0FBE85FCFDFFFF movsx eax, byte ptr [ebp+FFFFFDFC]
:00401E1E 83C00A add eax, 0000000A
:00401E21 83F837 cmp eax, 00000037
:00401E24 7E07 jle 00401E2D <-make me jump
:00401E26 33C0 xor eax, eax
:00401E28 E953020000 jmp 00402080 <-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401E24(C)
|
:00401E2D 0FBE8D01FEFFFF movsx ecx, byte ptr [ebp+FFFFFE01]
:00401E34 83C101 add ecx, 00000001
:00401E37 83F92E cmp ecx, 0000002E
:00401E3A 7E07 jle 00401E43 <-make me jump
:00401E3C 33C0 xor eax, eax
:00401E3E E93D020000 jmp 00402080 <-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401E3A(C)
|
:00401E43 0FBE9506FEFFFF movsx edx, byte ptr [ebp+FFFFFE06]
:00401E4A 83C214 add edx, 00000014
:00401E4D 83FA41 cmp edx, 00000041
:00401E50 7E07 jle 00401E59 <-make me jump
:00401E52 33C0 xor eax, eax
:00401E54 E927020000 jmp 00402080 <-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401E50(C)
|
:00401E59 0FBE850BFEFFFF movsx eax, byte ptr [ebp+FFFFFE0B]
:00401E60 83C014 add eax, 00000014
:00401E63 83F841 cmp eax, 00000041
:00401E66 7E07 jle 00401E6F <-make me jump
:00401E68 33C0 xor eax, eax
:00401E6A E911020000 jmp 00402080 <-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401E66(C)
|
:00401E6F 0FBE8D10FEFFFF movsx ecx, byte ptr [ebp+FFFFFE10]
:00401E76 83C150 add ecx, 00000050
:00401E79 83F97D cmp ecx, 0000007D
:00401E7C 7E07 jle 00401E85 <-make me jump
:00401E7E 33C0 xor eax, eax
:00401E80 E9FB010000 jmp 00402080 <-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401E7C(C)
|
:00401E85 0FBE95FCFDFFFF movsx edx, byte ptr [ebp+FFFFFDFC]
:00401E8C 0FBE8501FEFFFF movsx eax, byte ptr [ebp+FFFFFE01]
:00401E93 3BD0 cmp edx, eax
:00401E95 755A jne 00401EF1 <-make me jump, avoid
bad keygen serial
:00401E97 0FBE8DFCFDFFFF movsx ecx, byte ptr [ebp+FFFFFDFC]
:00401E9E 0FBE9506FEFFFF movsx edx, byte ptr [ebp+FFFFFE06]
:00401EA5 3BCA cmp ecx, edx
:00401EA7 7548 jne 00401EF1
:00401EA9 0FBE85FCFDFFFF movsx eax, byte ptr [ebp+FFFFFDFC]
:00401EB0 0FBE8D10FEFFFF movsx ecx, byte ptr [ebp+FFFFFE10]
:00401EB7 3BC1 cmp eax, ecx
:00401EB9 7536 jne 00401EF1
:00401EBB 0FBE95FCFDFFFF movsx edx, byte ptr [ebp+FFFFFDFC]
:00401EC2 83FA2D cmp edx, 0000002D
:00401EC5 742A je 00401EF1
:00401EC7 6A03 push 00000003
:00401EC9 6A00 push 00000000
:00401ECB 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"http://fkl.netfirms.com/?TSRh-keygen"
|
:00401ECD 685C554000 push 0040555C
* Possible StringData Ref from Data Obj ->"open"
|
:00401ED2 6884554000 push 00405584
:00401ED7 6A00 push 00000000
* Reference To: SHELL32.ShellExecuteA, Ord:0072h
|
:00401ED9 FF15BC104000 Call dword ptr [004010BC]
:00401EDF 6810270000 push 00002710
* Reference To: KERNEL32.Sleep, Ord:0296h
|
:00401EE4 FF1570104000 Call dword ptr [00401070]
:00401EEA 33C0 xor eax, eax
:00401EEC E98F010000 jmp 00402080 <-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401E95(C), :00401EA7(C), :00401EB9(C), :00401EC5(C)
|
:00401EF1 0FBE85FDFDFFFF movsx eax, byte ptr [ebp+FFFFFDFD]
:00401EF8 83F854 cmp eax, 00000054
:00401EFB 7424 je 00401F21 <-nop
:00401EFD 0FBE8D02FEFFFF movsx ecx,
byte ptr [ebp+FFFFFE02]
:00401F04 83F954 cmp ecx, 00000054
:00401F07 7418 je 00401F21 <-nop
:00401F09 0FBE9507FEFFFF movsx edx, byte ptr [ebp+FFFFFE07]
:00401F10 83FA54 cmp edx, 00000054
:00401F13 740C je 00401F21 <-nop
:00401F15 0FBE850CFEFFFF movsx eax, byte ptr [ebp+FFFFFE0C]
:00401F1C 83F854 cmp eax, 00000054
:00401F1F 752A jne 00401F4B <-make me jump, avoid
bad serial
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401EFB(C), :00401F07(C), :00401F13(C)
|
:00401F21 6A03 push 00000003
:00401F23 6A00 push 00000000
:00401F25 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"http://fkl.netfirms.com/?TSRh-serial"
|
:00401F27 688C554000 push 0040558C
* Possible StringData Ref from Data Obj ->"open"
|
:00401F2C 68B4554000 push 004055B4
:00401F31 6A00 push 00000000
* Reference To: SHELL32.ShellExecuteA, Ord:0072h
|
:00401F33 FF15BC104000 Call dword ptr [004010BC]
:00401F39 6810270000 push 00002710
* Reference To: KERNEL32.Sleep, Ord:0296h
|
:00401F3E FF1570104000 Call dword ptr [00401070]
:00401F44 33C0 xor eax, eax
:00401F46 E935010000 jmp 00402080 <-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401F1F(C)
|
* Possible StringData Ref from Data Obj ->"2305-1959-0603-4944-0407-0202"
|
:00401F4B 68BC554000 push 004055BC
:00401F50 8D8DF8FDFFFF lea ecx, dword ptr [ebp+FFFFFDF8]
:00401F56 51 push ecx
* Reference To: KERNEL32.lstrcmpA, Ord:02FCh
|
:00401F57 FF1574104000 Call dword ptr [00401074]
:00401F5D 85C0 test eax, eax
:00401F5F 752A jne 00401F8B <-make me jump, avoid
hardcoded blacklisted
:00401F61 6A03 push 00000003
:00401F63 6A00 push 00000000
:00401F65 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"http://fkl.netfirms.com/?2305-1959-0603-4944-0"
->"407-0202"
|
:00401F67 68DC554000 push 004055DC
* Possible StringData Ref from Data Obj ->"open"
|
:00401F6C 6814564000 push 00405614
:00401F71 6A00 push 00000000
* Reference To: SHELL32.ShellExecuteA, Ord:0072h
|
:00401F73 FF15BC104000 Call dword ptr [004010BC]
:00401F79 6810270000 push 00002710
* Reference To: KERNEL32.Sleep, Ord:0296h
|
:00401F7E FF1570104000 Call dword ptr [00401070]
:00401F84 33C0 xor eax, eax
:00401F86 E9F5000000 jmp 00402080 <-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401F5F(C)
|
:00401F8B 0FBE95F8FDFFFF movsx edx, byte ptr [ebp+FFFFFDF8]
:00401F92 0FBE85F9FDFFFF movsx eax, byte ptr [ebp+FFFFFDF9]
:00401F99 03D0 add edx, eax
:00401F9B 0FBE8DFAFDFFFF movsx ecx, byte ptr [ebp+FFFFFDFA]
:00401FA2 0FBE85FBFDFFFF movsx eax, byte ptr [ebp+FFFFFDFB]
:00401FA9 03C8 add ecx, eax
:00401FAB 3BD1 cmp edx, ecx
:00401FAD 7407 je 00401FB6 <-make me jump
:00401FAF 33C0 xor eax, eax
:00401FB1 E9CA000000 jmp 00402080 <-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401FAD(C)
|
:00401FB6 0FBE8D11FEFFFF movsx ecx, byte ptr [ebp+FFFFFE11]
:00401FBD 0FBE9514FEFFFF movsx edx, byte ptr [ebp+FFFFFE14]
:00401FC4 03CA add ecx, edx
:00401FC6 0FBE8512FEFFFF movsx eax, byte ptr [ebp+FFFFFE12]
:00401FCD 0FBE9513FEFFFF movsx edx, byte ptr [ebp+FFFFFE13]
:00401FD4 03C2 add eax, edx
:00401FD6 3BC8 cmp ecx, eax
:00401FD8 7407 je 00401FE1 <-make me jump
:00401FDA 33C0 xor eax, eax
:00401FDC E99F000000 jmp 00402080 <-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401FD8(C)
|
:00401FE1 0FBE85FDFDFFFF movsx eax, byte ptr [ebp+FFFFFDFD]
:00401FE8 83F807 cmp eax, 00000007
:00401FEB 7D07 jge 00401FF4 <-make me jump
:00401FED 33C0 xor eax, eax
:00401FEF E98C000000 jmp 00402080 <-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401FEB(C)
|
:00401FF4 0FBE8DFFFDFFFF movsx ecx, byte ptr [ebp+FFFFFDFF]
:00401FFB 83F907 cmp ecx, 00000007
:00401FFE 7D04 jge 00402004 <-make me jump
:00402000 33C0 xor eax, eax
:00402002 EB7C jmp 00402080 <-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401FFE(C)
|
:00402004 0FBE95FEFDFFFF movsx edx, byte ptr [ebp+FFFFFDFE]
:0040200B 0FBE85FFFDFFFF movsx eax, byte ptr [ebp+FFFFFDFF]
:00402012 3BD0 cmp edx, eax
:00402014 7D04 jge 0040201A <-make me jump
:00402016 33C0 xor eax, eax
:00402018 EB66 jmp 00402080 <-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402014(C)
|
:0040201A 0FBE8D07FEFFFF movsx ecx, byte ptr [ebp+FFFFFE07]
:00402021 0FBE9508FEFFFF movsx edx, byte ptr [ebp+FFFFFE08]
:00402028 3BCA cmp ecx, edx
:0040202A 7504 jne 00402030 <-make me jump
:0040202C 33C0 xor eax, eax
:0040202E EB50 jmp 00402080 <-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040202A(C)
|
:00402030 0FBE8508FEFFFF movsx eax, byte ptr [ebp+FFFFFE08]
:00402037 0FBE8D0AFEFFFF movsx ecx, byte ptr [ebp+FFFFFE0A]
:0040203E 03C1 add eax, ecx
:00402040 83F80C cmp eax, 0000000C
:00402043 7D04 jge 00402049 <-make me jump
:00402045 33C0 xor eax, eax
:00402047 EB37 jmp 00402080 <-jump to fail
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00402043(C)
|
:00402049 0FBE950CFEFFFF movsx edx, byte ptr [ebp+FFFFFE0C]
:00402050 0FBE850DFEFFFF movsx eax, byte ptr [ebp+FFFFFE0D]
:00402057 03D0 add edx, eax
:00402059 83FA06 cmp edx, 00000006
:0040205C 7D04 jge 00402062
:0040205E 33C0 xor eax, eax
:00402060 EB1E jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040205C(C)
|
:00402062 0FBE8D0EFEFFFF movsx ecx, byte ptr [ebp+FFFFFE0E]
:00402069 0FBE950FFEFFFF movsx edx, byte ptr [ebp+FFFFFE0F]
:00402070 83C201 add edx, 00000001
:00402073 3BCA cmp ecx, edx
:00402075 7404 je 0040207B
<-make me jump
:00402077 33C0 xor eax, eax
:00402079 EB05 jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402075(C)
|
:0040207B B801000000 mov eax, 00000001
<-load 1 in eax, registered
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401D7F(U), :00401DCC(U), :00401DF9(U), :00401E12(U), :00401E28(U)
|:00401E3E(U), :00401E54(U), :00401E6A(U), :00401E80(U), :00401EEC(U)
|:00401F46(U), :00401F86(U), :00401FB1(U), :00401FDC(U), :00401FEF(U)
|:00402002(U), :00402018(U), :0040202E(U), :00402047(U), :00402060(U)
|:00402079(U)
|
:00402080 8BE5 mov esp, ebp
:00402082 5D pop ebp
:00402083 C3 ret
<-return from routine
![]()
Ok..3 years later we are finally done. We just need to make the following
changes, note the value on the right is the new value we want and the number in
() is the offset in HIEW:
:00401D7B 7507 jne 00401D84
<-jmp -unless otherwise noted, all jumps return
:00401DC8 7307 jnb 00401DD1
<-jmp (11c8) -with eax having something other
:00401DF5 7507 jne 00401DFE
<-jmp (11F5) -than one.
:00401E0E 7407 je 00401E17
<-jmp (120E)
:00401E24 7E07 jle 00401E2D
<-jmp (1224)
:00401E3A 7E07 jle 00401E43
<-jmp (123A)
:00401E3A 7E07 jle 00401E43
<-jmp (1250)
:00401E66 7E07 jle 00401E6F
<-jmp (1226)
:00401E7C 7E07 jle 00401E85
<-jmp (127C)
:00401E95 755A jne 00401EF1
<-jmp (1295) - avoids bad keygen code
:00401EFB 7424 je 00401F21
<-nop (12FB)----|
:00401F07 7418 je 00401F21
<-nop (1307) |---avoids bad serial
:00401F13 740C je 00401F21
<-nop (1313) |
:00401F1F 752A jne 00401F4B
<-jmp (131F)---|
:00401F5F 752A jne 00401F8B
<-jmp (135F) - checks blacklisted serial that was
hardcoded -> 2305-1959-0603-4944-0407-0202
:00401FAD 7407 je 00401FB6
<-jmp (13AD)
:00401FD8 7407 je 00401FE1
<-jmp (13D8)
:00401FEB 7D07 jge 00401FF4
<-jmp (13EB)
:00401FFE 7D04 jge 00402004
<-jmp (13FE)
:00402014 7D04 jge 0040201A
<-jmp (1414)
:0040202A 7504 jne 00402030
<- jmp (142A)
:00402043 7D04 jge 00402049
<-jmp (1443)
:0040205C 7D04 jge 00402062
<-jmp (145C)
:00402075 7404 je 0040207B <-jmp (1475)
after all that crap we finally land here and what is at the end of this long
boring road?
:0040207B B801000000 mov eax, 00000001
<-put 1 in EAX, and we are regged...
So instead of nopping and jumping all this crap (which will let us be regged
also) lets just start at the beginning of the call and put a 1 in eax and return
it.
Called from 4 places...
* Referenced by a CALL at Addresses:
|:00401783 , :00401B04 , :00402F21 , :004030EC
|
:00401D1C 55 push ebp
:00401D1D 8BEC mov ebp, esp
So lets change it to this:
* Referenced by a CALL at Addresses:
|:00401783 , :00401B04 , :00402F21 , :004030EC
|
:00401D1C B801000000 mov eax, 00000001
:00401D21 C3 ret
cracked cracked cracked
thats 3 different ways....whats next! We could probably also change the first
bad jump and make it land at location 40207B. Plenty of different ways.
![]()
Ok, let's break this code down so we can understand what is going on, then we
can keygen it!
![]()
* Referenced by a CALL at Addresses:
|:00401783 , :00401B04 , :00402F21 , :004030EC
|
:00401D1C 55 push ebp
:00401D1D 8BEC mov ebp, esp
:00401D1F 81EC0C020000 sub esp, 0000020C
:00401D25 6804010000 push 00000104
:00401D2A 8D85FCFEFFFF lea eax, dword ptr [ebp+FFFFFEFC]
:00401D30 50 push eax
:00401D31 B930594000 mov ecx, 00405930
:00401D36 E8C5F4FFFF call 00401200
* Possible StringData Ref from Data Obj ->"Serial.key"
<-our keyfile
|
:00401D3B 8B0D00514000 mov ecx, dword ptr [00405100]
:00401D41 51 push ecx
:00401D42 8D95FCFEFFFF lea edx, dword ptr [ebp+FFFFFEFC]
:00401D48 52 push edx
* Reference To: KERNEL32.lstrcatA, Ord:02F9h
|
:00401D49 FF157C104000 Call dword ptr [0040107C]
:00401D4F 6A00 push 00000000
:00401D51 6880000000 push 00000080
:00401D56 6A03 push 00000003
:00401D58 6A00 push 00000000
:00401D5A 6A03 push 00000003
:00401D5C 6800000080 push 80000000
:00401D61 8D85FCFEFFFF lea eax, dword ptr [ebp+FFFFFEFC]
:00401D67 50 push eax
* Reference To: KERNEL32.CreateFileA, Ord:0034h
<-createfileA api creates
serial.key
|
:00401D68 FF1580104000 Call dword ptr [00401080]
:00401D6E 8985F4FDFFFF mov dword ptr [ebp+FFFFFDF4], eax
:00401D74 83BDF4FDFFFFFF cmp dword ptr [ebp+FFFFFDF4], FFFFFFFF
:00401D7B 7507 jne 00401D84
<-jump if serial.key can be created or is there
:00401D7D 33C0 xor eax, eax
:00401D7F E9FC020000 jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401D7B(C)
|
:00401D84 6A00 push 00000000
:00401D86 8D8DF8FEFFFF lea ecx, dword ptr [ebp+FFFFFEF8]
:00401D8C 51 push ecx
:00401D8D 68FE000000 push 000000FE
:00401D92 8D95F8FDFFFF lea edx, dword ptr [ebp+FFFFFDF8]
:00401D98 52 push edx
:00401D99 8B85F4FDFFFF mov eax, dword ptr [ebp+FFFFFDF4]
:00401D9F 50 push eax
* Reference To: KERNEL32.ReadFile, Ord:0218h
<-readfile api checks
serial.key for serial number
|
:00401DA0 FF156C104000 Call dword ptr [0040106C]
:00401DA6 8B8DF8FEFFFF mov ecx, dword ptr [ebp+FFFFFEF8]
:00401DAC C6840DF8FDFFFF00 mov byte ptr [ebp+ecx-00000208], 00
:00401DB4 8B95F4FDFFFF mov edx, dword ptr [ebp+FFFFFDF4]
:00401DBA 52 push edx
* Reference To: KERNEL32.CloseHandle, Ord:001Bh
|
:00401DBB FF1584104000 Call dword ptr [00401084]
:00401DC1 83BDF8FEFFFF0A cmp dword ptr [ebp+FFFFFEF8], 0000000A
<-Ah = 10d
:00401DC8 7307 jnb 00401DD1
<-serial must be 10 chars or more, jmp here
:00401DCA 33C0 xor eax, eax
:00401DCC E9AF020000 jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401DC8(C)
|
:00401DD1 0FBE85F8FDFFFF movsx eax, byte ptr [ebp+FFFFFDF8]
<-put char 1 in EAX
:00401DD8 0FBE8DF9FDFFFF movsx ecx, byte ptr [ebp+FFFFFDF9]
<-put char 2 in ECX
:00401DDF 03C1 add eax, ecx
<-add char 1 & 2, store in EAX
:00401DE1 0FBE95FAFDFFFF movsx edx, byte ptr [ebp+FFFFFDFA]
<-put char 3 in EDX
:00401DE8 03C2 add eax, edx
<-add EAX and char 3, store in EAX
:00401DEA 0FBE8DFBFDFFFF movsx ecx, byte ptr [ebp+FFFFFDFB]
<-put char 4 in ECX
:00401DF1 03C1 add eax, ecx
<-add EAX & char 4, store in EAX
:00401DF3 85C0 test eax, eax <-test eax, 0 fail, any other pass (this just
checks to see if anything is entered in the registration box/serial.key file)
:00401DF5 7507 jne 00401DFE
<-eax must not be 0, jmp here if serial is entered
:00401DF7 33C0 xor eax, eax
:00401DF9 E982020000 jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401DF5(C)
|
:00401DFE 8D95F8FDFFFF lea edx, dword ptr [ebp+FFFFFDF8]
:00401E04 52 push edx
* Reference To: KERNEL32.lstrlenA, Ord:0308h
|
:00401E05 FF1590104000 Call dword ptr [00401090]
:00401E0B 83F81D cmp eax, 0000001D
<-compare length of serial (eax) with
1Dh(29d)
:00401E0E 7407 je 00401E17
<-jump if you have entered 29 chars
:00401E10 33C0 xor eax, eax
:00401E12 E969020000 jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401E0E(C)
|
:00401E17 0FBE85FCFDFFFF movsx eax, byte ptr [ebp+FFFFFDFC]
<-put serial char 5
in eax, so char 5 must be a "-" or it wil fail, 45d = "-", then add 10 and compare
with 55d, right on.
:00401E1E 83C00A add eax, 0000000A
<-add 10d (Ah) to eax
:00401E21 83F837 cmp eax, 00000037
<-compare with 55d (37h)
:00401E24 7E07 jle 00401E2D
<-jump if eax is less or equal to 55d
:00401E26 33C0 xor eax, eax
:00401E28 E953020000 jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401E24(C)
|
:00401E2D 0FBE8D01FEFFFF movsx ecx, byte ptr [ebp+FFFFFE01]
<-put serial char 10
in ecx, so char 10 must be a "-" or it wil fail, 45d = "-", add 1 then compare with
46, ok.
:00401E34 83C101 add ecx, 00000001
<-add 1d (1h) to ecx
:00401E37 83F92E cmp ecx, 0000002E
<-compare with 46d (2Eh)
:00401E3A 7E07 jle 00401E43
<-jump if less then or equal tp 46d
:00401E3C 33C0 xor eax, eax
:00401E3E E93D020000 jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401E3A(C)
|
:00401E43 0FBE9506FEFFFF movsx edx, byte ptr [ebp+FFFFFE06]
<-put serial char 15
in edx, so char 15 must be a "-" or it wil fail, 45d = "-", add 20 then compare with
65, ok.
:00401E4A 83C214 add edx, 00000014
<-add 20d (14h) to edx
:00401E4D 83FA41 cmp edx, 00000041
<-compare with 65d (41h)
:00401E50 7E07 jle 00401E59
<-jump if less then or equal to 65d
:00401E52 33C0 xor eax, eax
:00401E54 E927020000 jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401E50(C)
|
:00401E59 0FBE850BFEFFFF movsx eax, byte ptr [ebp+FFFFFE0B]
<-put serial char 20
in eax, so char 20 must be a "-" or it wil fail, 45d = "-", add 20 then compare with
65, ok.
:00401E60 83C014 add eax, 00000014
<-add 20d (14h) to eax
:00401E63 83F841 cmp eax, 00000041
<-compare with 65d (41h)
:00401E66 7E07 jle 00401E6F
<-jump if less then or equal to 65d
:00401E68 33C0 xor eax, eax
:00401E6A E911020000 jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401E66(C)
|
:00401E6F 0FBE8D10FEFFFF movsx ecx, byte ptr [ebp+FFFFFE10] <-put serial char 25
in ecx, so char 25 must be a "-" or it wil fail, 45d = "-", add 80 then compare with
125, ok.
:00401E76 83C150 add ecx, 00000050
<-add 80d (50h) to ecx
:00401E79 83F97D cmp ecx, 0000007D
<-compare with 125d (7Dh)
:00401E7C 7E07 jle 00401E85
<-jump if less then or equal to 125d
:00401E7E 33C0 xor eax, eax
:00401E80 E9FB010000 jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401E7C(C) <-(this part of the code double checks to make sure a "-" is
entered in the correct places)
|
:00401E85 0FBE95FCFDFFFF movsx edx, byte ptr [ebp+FFFFFDFC]
:00401E8C 0FBE8501FEFFFF movsx eax, byte ptr [ebp+FFFFFE01]
:00401E93 3BD0 cmp edx, eax
<-compare char 5 and 10 (edx is char 5)
:00401E95 755A jne 00401EF1
<-equal then no jump
:00401E97 0FBE8DFCFDFFFF movsx ecx, byte ptr [ebp+FFFFFDFC]
:00401E9E 0FBE9506FEFFFF movsx edx, byte ptr [ebp+FFFFFE06]
:00401EA5 3BCA cmp ecx, edx
<-compare char 15 and 5 (edx is char 5)
:00401EA7 7548 jne 00401EF1
<-equal then no jump
:00401EA9 0FBE85FCFDFFFF movsx eax, byte ptr [ebp+FFFFFDFC]
:00401EB0 0FBE8D10FEFFFF movsx ecx, byte ptr [ebp+FFFFFE10]
:00401EB7 3BC1 cmp eax, ecx
<-compare char 15(ecx) and 10(eax)
:00401EB9 7536 jne 00401EF1
<-equal then no jump
:00401EBB 0FBE95FCFDFFFF movsx edx, byte ptr [ebp+FFFFFDFC]
:00401EC2 83FA2D cmp edx, 0000002D
<-compare edx with "-" (2Dh)
:00401EC5 742A je 00401EF1
<-take this jump if char 5 of serial is "-"
:00401EC7 6A03 push 00000003
:00401EC9 6A00 push 00000000
:00401ECB 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"http://fkl.netfirms.com/?TSRh-keygen"
<-fail due to blacklisted serial from an old keygen, then trickle down to failed
jump
|
:00401ECD 685C554000 push 0040555C
* Possible StringData Ref from Data Obj ->"open"
<-open webpage above telling
you how bad you are
|
:00401ED2 6884554000 push 00405584
:00401ED7 6A00 push 00000000
* Reference To: SHELL32.ShellExecuteA, Ord:0072h
|
:00401ED9 FF15BC104000 Call dword ptr [004010BC]
:00401EDF 6810270000 push 00002710
* Reference To: KERNEL32.Sleep, Ord:0296h
|
:00401EE4 FF1570104000 Call dword ptr [00401070]
<-kernel32.sleep....i hate the
wait
:00401EEA 33C0 xor eax, eax
:00401EEC E98F010000 jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401E95(C), :00401EA7(C), :00401EB9(C), :00401EC5(C)
|
:00401EF1 0FBE85FDFDFFFF movsx eax, byte ptr [ebp+FFFFFDFD]
<-land here from
401EC5
:00401EF8 83F854 cmp eax, 00000054
<-compare char 6 (eax) with 54h (84d or T)
:00401EFB 7424 je 00401F21
<-jump to fail if 6th char is a "T", blacklisted
serial number
:00401EFD 0FBE8D02FEFFFF movsx ecx, byte ptr [ebp+FFFFFE02]
:00401F04 83F954 cmp ecx, 00000054
<-compare char 11 (ecx) with 54h (84d or T)
:00401F07 7418 je 00401F21
<-jump to fail if char 11 (ecx) is a "T", blacklisted
serial number
:00401F09 0FBE9507FEFFFF movsx edx, byte ptr [ebp+FFFFFE07]
:00401F10 83FA54 cmp edx, 00000054
<-compare char 16 (edx) with 54h (84d or T)
:00401F13 740C je 00401F21
<-jump to fail if char 16 (edx) is a "T", blacklisted
serial number
:00401F15 0FBE850CFEFFFF movsx eax, byte ptr [ebp+FFFFFE0C]
:00401F1C 83F854 cmp eax, 00000054
<-compare char 21 (eax) with 54h (84d or T)
:00401F1F 752A jne 00401F4B
<-jump if not "T", else move on to blacklisted
serial
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401EFB(C), :00401F07(C), :00401F13(C)
|
:00401F21 6A03 push 00000003
:00401F23 6A00 push 00000000
:00401F25 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"http://fkl.netfirms.com/?TSRh-serial"
<-bad webpage
|
:00401F27 688C554000 push 0040558C
* Possible StringData Ref from Data Obj ->"open"
<-open above webpage because
you were bad and used a blacklisted serial
|
:00401F2C 68B4554000 push 004055B4
:00401F31 6A00 push 00000000
* Reference To: SHELL32.ShellExecuteA, Ord:0072h
<-shell execute opens the webpage with your default web browser
|
:00401F33 FF15BC104000 Call dword ptr [004010BC]
:00401F39 6810270000 push 00002710
* Reference To: KERNEL32.Sleep, Ord:0296h
<-ugg..
|
:00401F3E FF1570104000 Call dword ptr [00401070]
:00401F44 33C0 xor eax, eax
:00401F46 E935010000 jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401F1F(C)
|
* Possible StringData Ref from Data Obj ->"2305-1959-0603-4944-0407-0202"
<-another blacklisted number ours is compared with.
|
:00401F4B 68BC554000 push 004055BC
<-land here from 401F1F (D 4055BC in SI to
see)
:00401F50 8D8DF8FDFFFF lea ecx, dword ptr [ebp+FFFFFDF8]
:00401F56 51 push ecx <-D ECX in SI to see your entered serial
* Reference To: KERNEL32.lstrcmpA, Ord:02FCh
|
:00401F57 FF1574104000 Call dword ptr [00401074]
<-lstrcmpA, compare your serial
with the blacklisted "2305-1959-0603-4944-0407-0202", we come back with 0 or 1
:00401F5D 85C0 test eax, eax
:00401F5F 752A jne 00401F8B
<-jump if not zero, otherwise fail with blacklisted
serial...we want to jump here.
:00401F61 6A03 push 00000003
:00401F63 6A00 push 00000000
:00401F65 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"http://fkl.netfirms.com/?2305-1959-0603-4944-0"
->"407-0202"
<-blacklisted serial webpage
|
:00401F67 68DC554000 push 004055DC
* Possible StringData Ref from Data Obj ->"open"
<-open above page
|
:00401F6C 6814564000 push 00405614
:00401F71 6A00 push 00000000
* Reference To: SHELL32.ShellExecuteA, Ord:0072h
<-shell execute the default
browser...
|
:00401F73 FF15BC104000 Call dword ptr [004010BC]
:00401F79 6810270000 push 00002710
* Reference To: KERNEL32.Sleep, Ord:0296h
<-blah ZZzzzZZzzZzzz..
|
:00401F7E FF1570104000 Call dword ptr [00401070]
:00401F84 33C0 xor eax, eax
:00401F86 E9F5000000 jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401F5F(C) <-land from 401F5F
|
:00401F8B 0FBE95F8FDFFFF movsx edx, byte ptr [ebp+FFFFFDF8]
<-get char 1 into EDX
:00401F92 0FBE85F9FDFFFF movsx eax, byte ptr [ebp+FFFFFDF9]
<-get char 2 into EAX
:00401F99 03D0 add edx, eax <-add char 1 & 2, store in EDX
:00401F9B 0FBE8DFAFDFFFF movsx ecx, byte ptr [ebp+FFFFFDFA]
<-get char 3 into ECX
:00401FA2 0FBE85FBFDFFFF movsx eax, byte ptr [ebp+FFFFFDFB]
<-get char 4 into EAX
:00401FA9 03C8 add ecx, eax
<-add char 3 & 4, store in ECX
:00401FAB 3BD1 cmp edx, ecx
<-compare the results of the above
:00401FAD 7407 je 00401FB6
<-jump if they are equal, else fail
:00401FAF 33C0 xor eax, eax
:00401FB1 E9CA000000 jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401FAD(C) <-land from 401FAD
|
:00401FB6 0FBE8D11FEFFFF movsx ecx, byte ptr [ebp+FFFFFE11]
<-get char 26 into ECX
:00401FBD 0FBE9514FEFFFF movsx edx, byte ptr [ebp+FFFFFE14]
<-get char 29 into EDX
:00401FC4 03CA add ecx, edx <-add char 26 & 29, store in ECX
:00401FC6 0FBE8512FEFFFF movsx eax, byte ptr [ebp+FFFFFE12]
<-get char 28 into EAX
:00401FCD 0FBE9513FEFFFF movsx edx, byte ptr [ebp+FFFFFE13]
<-get char 27 into EDX
:00401FD4 03C2 add eax, edx
<-add char 28 & 27, store in EAX
:00401FD6 3BC8 cmp ecx, eax
<-compare the results of the above
:00401FD8 7407 je 00401FE1
<-jump if they are equal, else fail
:00401FDA 33C0 xor eax, eax
:00401FDC E99F000000 jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401FD8(C)
|
:00401FE1 0FBE85FDFDFFFF movsx eax, byte ptr [ebp+FFFFFDFD]
:00401FE8 83F807 cmp eax, 00000007
<-put char 1 in EAX (char 1 = 31d)
:00401FEB 7D07 jge 00401FF4
<-jump if eax is greater than or equal to 7h
:00401FED 33C0 xor eax, eax
:00401FEF E98C000000 jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401FEB(C)
|
:00401FF4 0FBE8DFFFDFFFF movsx ecx, byte ptr [ebp+FFFFFDFF]
:00401FFB 83F907 cmp ecx, 00000007
<-put char 2 in ECX (char 2 = 32d)
:00401FFE 7D04 jge 00402004
<-jump if ECX is greater than or equal to 7h
:00402000 33C0 xor eax, eax
:00402002 EB7C jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401FFE(C)
|
:00402004 0FBE95FEFDFFFF movsx edx, byte ptr [ebp+FFFFFDFE]
<-put char 7 in EDX
:0040200B 0FBE85FFFDFFFF movsx eax, byte ptr [ebp+FFFFFDFF]
<-put char 8 in EAX
:00402012 3BD0 cmp edx, eax
<-compare char 7 & 8
:00402014 7D04 jge 0040201A
<-if char 7 is greater than char 8 then ok
:00402016 33C0 xor eax, eax
:00402018 EB66 jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402014(C)
|
:0040201A 0FBE8D07FEFFFF movsx ecx, byte ptr [ebp+FFFFFE07]
<-put char 16 in ECX
:00402021 0FBE9508FEFFFF movsx edx, byte ptr [ebp+FFFFFE08]
<-put char 17 in EDX
:00402028 3BCA cmp ecx, edx
<-compare char 16 & 17
:0040202A 7504 jne 00402030
<-jump if ECX and EDX dont equal (our jump)
:0040202C 33C0 xor eax, eax
:0040202E EB50 jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040202A(C)
|
:00402030 0FBE8508FEFFFF movsx eax, byte ptr [ebp+FFFFFE08]
<-put char 17 in EAX
:00402037 0FBE8D0AFEFFFF movsx ecx, byte ptr [ebp+FFFFFE0A]
<-put char 19 in ECX
:0040203E 03C1 add eax, ecx
<-add char 17 & 19
:00402040 83F80C cmp eax, 0000000C
<-compare results with 0Ch (12d)
:00402043 7D04 jge 00402049
<-jump if greater than or equal to 12d
:00402045 33C0 xor eax, eax
:00402047 EB37 jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402043(C)
|
:00402049 0FBE950CFEFFFF movsx edx, byte ptr [ebp+FFFFFE0C]
<-put char 21 in EDX
:00402050 0FBE850DFEFFFF movsx eax, byte ptr [ebp+FFFFFE0D]
<-put char 22 in EAX
:00402057 03D0 add edx, eax
<-add char 21 & 22
:00402059 83FA06 cmp edx, 00000006
<-compare the results with 6h (6d)
:0040205C 7D04 jge 00402062
<-jump if greater than or equal to 6
:0040205E 33C0 xor eax, eax
:00402060 EB1E jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040205C(C)
|
:00402062 0FBE8D0EFEFFFF movsx ecx, byte ptr [ebp+FFFFFE0E]
<-put char 23 in ECX
:00402069 0FBE950FFEFFFF movsx edx, byte ptr [ebp+FFFFFE0F]
<-put char 24 in EDX
:00402070 83C201 add edx, 00000001
<-add 1d (1h) to EDX
:00402073 3BCA cmp ecx, edx
<-compare char 23 to char 24+1
:00402075 7404 je 0040207B
<-jump if equal to registered! (Finally)
:00402077 33C0 xor eax, eax
:00402079 EB05 jmp 00402080
<-jump to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402075(C)
|
:0040207B B801000000 mov eax, 00000001
<-our "set registered" flag
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401D7F(U), :00401DCC(U), :00401DF9(U), :00401E12(U), :00401E28(U)
<-all these
|:00401E3E(U), :00401E54(U), :00401E6A(U), :00401E80(U), :00401EEC(U)
<-from above
|:00401F46(U), :00401F86(U), :00401FB1(U), :00401FDC(U), :00401FEF(U)
<-skip the
|:00402002(U), :00402018(U), :0040202E(U), :00402047(U), :00402060(U)
<-regged flag
|:00402079(U)
<-at 40207B.
|
:00402080 8BE5 mov esp, ebp
:00402082 5D pop ebp
:00402083 C3 ret
<-return form routine
So following all that should get you a valid code, there are tons, here's the
first one code i was able to generate:
AAAA-1324-5678-90AB-CDFE-AAAA
FamilyKeyLogger
Thank you for registration!
[OK]
So to generate a valid code we need to make an equation that follows these
rules:
1. The sum of the first 2 chars must equal the sum of the second 2 chars. (AAAA)
2. Chars 5, 10, 15, 20, & 25 must all be a "-"
3. The serial length must be 29 chars, no more, no less
4. Chars 6, 11, 16, & 21 must not be the letter "T"
5. This serial is invalid: 2305-1959-0603-4944-0407-0202
6. The sum of chars 26 & 29 must be equal to the sum of chars 28 & 27 (AAAA)
7. Char 6's decimal value must be equal to or greater than 7d (1 is 31d, so any
number)
8. Char 8's decimal value must be equal to or greater than 7d (2 is 32d, so any
number)
9. Char 7 must be equal to or greater than char 8
10. Char 16 & 17 must not equal (Text4.Text = "8" & "9")
11. The sum of chars 17 & 19 must be greater than 12d (any number)
12. The sum of chars 21 & 22 must be greater than 6d (any number)
13. Char 23 must equal the value of char 24 + 1d (Text5.Text = 10 + Str$(Value)
& "4" & "3" & "-") <-the 4 and the 3 as you can see.
Now we have all we need to make a keygen!
Today let's code it in VB6, this language sucks but is very easy to learn.
So anyway I just made a form with 7 text boxes and a 2 command buttons and yes
the code is
sloppy i only wasted about 20mins on it.
Here's the code:
Private Sub Command1_Click()
Text1.Text = "AAAA-"
Randomize
Value = Int(8 * Rnd)
Text2.Text = "1" & 1 + Str$(Value) & "1" & 1 + Str$(Value) & "-"
Randomize
Value = Int(1000 * Rnd)
Text3.Text = 1000 + Str$(Value) & "-"
Randomize
Value = Int(89 * Rnd)
Text4.Text = "8" & "9" & 10 + Str$(Value) & "-"
Randomize
Value = Int(10 * Rnd)
Text5.Text = 10 + Str$(Value) & "4" & "3" & "-"
Text6.Text = "AAAA"
Text7.Text = Text1.Text & Text2.Text & Text3.Text & Text4.Text & Text5.Text &
Text6.Text
End Sub
Private Sub Command2_Click()
MsgBox "This VB6 keygen coded bY: sLeEpY¿ [KaNaL23 RCE]", vbInformation, "Yo!"
End Sub
Some of the stuff was hardcoded cause i am lazy, the AAAA can be also BBBB or
CCCC ect, or FEFE or EDED whatever you like as long as you follow the guidelines
of the code.
![]()
OK, the longest tutorial, 58
seconds to load on a 28.8 modem...hopefully you aren't using that.
"FACTS AND EVENTS AND IDEAS ARE TERMS OF MEASUREMENT RATHER THAN REALITIES OF
NATURE."
--Zen Proverb
Groups:
FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN,
GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read
from everyone who writes them.
CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy &
http://www.bright.net/~testsubject001
Mail sleepy@linuxwaves.com
This Document is copyrighted by kanal23 and it's members. Please mail the
author of this document for complaints and those things.
Kanal23
is signing out for now.
="Courier New" size="2" color="#00FFFF">