Cracking "Code Keeper v 1.0"

Date         : July 5, 1999
Author       : +ViPeR+ [E]bola [V]irus [C]rew
Program Name : Code Keeper v1.0
Location     : http://www.icynorth.com/
Method       : ECHO + Char COMPARE <>
-------------------------------------------------------------------------------

As usual, locate the place to enter the registration code. Then, I entered

    Name : evc_viper
    Code : 54545454

Fire up Soft-Ice and set a breakpoint by typing 'bpx getwindowtexta'. Press 'x Enter' to exit Soft-Ice. Now, click the 'OK' button and you are back into Soft-Ice. Press 'x enter' one time and you are back to Soft-Ice again. Press F11 to get back to the caller. Press 'F10' until you get to location 0040837C. (You will probably need to press F10 hundreds of times.)

:0040837C 50               push eax

'd eax' and you will see the position that holds your registration code.

:0040837D E801E50100       call 00426883
:00408382 8BCF             mov ecx, edi
:00408384 E88799FFFF       call 00401D10
:00408389 85C0             test eax, eax
:0040838B 0F84AC000000     je 0040843D

The above call at 00408384 checks the length of the registration code. If it is not equal to D (hex) = 13 (decimal), you are a bad cracker. The following code shows what is in 00401D10.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
:00401D10 6AFF             push FFFFFFFF
:00401D12 68A87F4400       push 00447FA8
:00401D17 64A100000000     mov eax, dword ptr fs:[00000000]
:00401D1D 50               push eax
:00401D1E 64892500000000   mov dword ptr fs:[00000000], esp
:00401D25 51               push ecx
:00401D26 8B442414         mov eax, dword ptr [esp+14]
:00401D2A C744240C00000000 mov [esp+0C], 00000000
:00401D32 8378F80D         cmp dword ptr [eax-08], 0000000D ; [eax-8] holds the length of the
                                                            ; registration code you entered.
:00401D36 7424             je 00401D5C                      ; if length equals D, jump to
                                                            ; 00401D5C
:00401D38 8D4C2414         lea ecx, dword ptr [esp+14]
:
:
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Ok. Let's get out of Soft-Ice and re-type the code as: 5454545454545, and repeat the above process until you are at the call 00408384. Press F8 to get inside the call. Since the length of the code is now D, we will jump to 00401D5C.

:00401D5C 53               push ebx
:00401D5D 8D4C2404         lea ecx, dword ptr [esp+04]
:00401D61 6A04             push 00000004                    ; a number
:00401D63 51               push ecx
:00401D64 8D4C2420         lea ecx, dword ptr [esp+20]
:00401D68 E8D1200200       call 00423E3E
:00401D6D 8B00             mov eax, dword ptr [eax]

Now, eax holds the first 4 characters of your fake registration code.

:00401D6F 6874D14500       push 0045D174

Type 'd 45D174' and you will see 'CKIN' in your data window.

:00401D74 50               push eax
:00401D75 E8B2DC0000       call 0040FA2C

The above call compares the first 4 characters with 'CKIN'. If they are the same, eax=00000000; otherwise, eax=FFFFFFFF (-1).

:00401D7A 83C408           add esp, 00000008
:00401D7D 8D4C2404         lea ecx, dword ptr [esp+04]
:00401D81 85C0             test eax, eax
:00401D83 0F95C3           setne bl
:00401D86 E8834D0200       call 00426B0E
:00401D8B 84DB             test bl, bl
:00401D8D 5B               pop ebx
:00401D8E 7424             je 00401DB4

If the first 4 characters equal 'CKIN', jump to 00401DB4.

:00401DB4 8B542414         mov edx, dword ptr [esp+14]
:00401DB8 8A420C           mov al, byte ptr [edx+0C]

Move the last character into AL and compare it with 1 (=31 hex), 3 (=33), 7 (=37) or 9 (=39).

:00401DBB 3C31             cmp al, 31
:00401DBD 7430             je 00401DEF
:00401DBF 3C33             cmp al, 33
:00401DC1 742C             je 00401DEF
:00401DC3 3C37             cmp al, 37
:00401DC5 7428             je 00401DEF
:00401DC7 3C39             cmp al, 39
:00401DC9 7424             je 00401DEF
:00401DCB 8D4C2414         lea ecx, dword ptr [esp+14]
:00401DCF C744240CFFFFFFFF mov [esp+0C], FFFFFFFF
:00401DD7 E8324D0200       call 00426B0E
:00401DDC 33C0             xor eax, eax
:00401DDE 8B4C2404         mov ecx, dword ptr [esp+04]
:00401DE2 64890D00000000   mov dword ptr fs:[00000000], ecx
:00401DE9 83C410           add esp, 00000010
:00401DEC C20400           ret 0004

Notice that if the last character of your fake registration code is either 1, 3, 7 or 9, you will jump to 00401DEF and eventually you are registered.

So, get out of Soft-Ice and enter

    Name : evc_viper
    Code : CKIN545454541 (or CKIN545454543 or CKIN545454547 or CKIN545454549)

and you will see the "Thank you for registering" messagebox. Job done.

Final Note: Part of the registration code is NOT generated based on your name. It is hard-coded inside the program. Also, the checking routine verifies the last character of your fake registration code to see if it is either 1, 3, 7 or 9.

Ob Duh
Do I really have to remind you all that by buying and NOT stealing the software you use, you will ensure that these software houses will continue to produce even *better* software for us to use and, more importantly, to continue offering even more challenges in breaking their often weak protection systems.

+ViPeR+ [E]bola [V]irus [C]rew
July 5, 1999