Welcome to Cracking Tutorial #32! Ah, finally I'm back! Many thanks go to Ms_Jessca for providing me with a modem. (Jess: thank you, my sweetheart!) Today I'll do two versions (#31 and #32). *welp* Like I said earlier, nothing is gonna stop me now! :) Anyway, enjoy it! :) OK, let's rave!

You'll need the following tools. (I use these tools, and I assume you'll use them too, but that doesn't mean you need every one of them; just have them handy for the examples in this tutorial.)

   SoftICE 4.00
   W32Dasm 8.93
   Hacker's View 6.10
   SmartCheck 6.03
   TASM 5.00
   Windows Commander 4.00 (I use it because it makes multitasking easier)

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are a few good cracking sites where you can grab tools from:

   http://surf.to/HarvestR or http://harvestr.cjb.net
   http://atlantez.nl.eu.org/Iczelion
   http://protools.cjb.net

or ask any cracker to get you these tools! Are you ready?! OK! ;)

How to crack ICCD 4.x
---------------------
Cracker : SylviriusX aka WT
Target  : ICCD 4.0 (www.capway.com/iccd)
Comment : A Windows 95 CD player with cool features.
Tools   : - SoftICE 3.23 or later
          - Brain

OK, let's start.

1. Run ICCD.
2. Enter your name and any s/n into the fields. Don't press "Register" yet.
3. Press Ctrl-D (SoftICE).
4. Type "BPX GETDLGITEMTEXTA" and press F5 to return to ICCD.
   (Intermezzo: GetDlgItemTextA is the function ICCD uses to read our name and serial number out of the dialog.)
5. Now press "Register".
6. Yippee! You're back in SoftICE. Press F11 to get to the caller.
7. You'll see ICCD! in the window. (Can you see it?) Trace downward (F10) 7 times, past the "CALL GetDlgItemTextA", and you're back in a USER32! function.
   Intermezzo: you land back in USER32! because ICCD reads a field for a second time (the first call fetched our *name*, this one fetches the *s/n* we entered).
8. Press F11 to get to the caller (ICCD! again).
   Trace downward (F10) until you land on:

      LEA ECX, [EBP-0200]
      PUSH ECX            ; our s/n is passed via ECX

9. What's in ECX? Type D ECX and hmm! it's our fake s/n in the data window.
10. Trace downward (F10) until you land on:

      LEA EAX, [EBP-0400]
      PUSH EAX            ; our name is passed via EAX

11. Type D EAX. Yesss! Our name appears in the data window. (We're a little bit closer, hehe.)
12. Trace downward (F10) until you land on:

      LEA ECX, [EBP-0300]
      PUSH ECX            ; the incomplete real s/n is passed via ECX

13. Type D ECX. Hmm! You get some number in the data window. (Note: this is actually our s/n, but it isn't complete.)
14. Trace downward (F10) until you land on:

      LEA EAX, [EBP-0100]
      PUSH EAX            ; the complete real s/n is in EAX

15. Type D EAX. Voila! Our complete serial number. (Note: the complete serial number is the number you got in step 13 with an "ICCD" prefix.)
16. Type BC * to clear the breakpoints we've set.
17. Press F5 to go back to ICCD. Enter our serial number (ICCDxxxxxxxxxxxxxxx) and a *"beautiful" dialog box appears* to "congratulate" us.

   Name : SYLVIRIUSX
   S/N  : ICCD36223641295

HOW TO GET THE PASSWORD OF AN EXE FILE PROTECTED BY EXE PROTECTOR v2.01a
Tutor by RSiP

Tools to use
~~~~~~~~~~~~
SmartCheck 6.03

Where to get the program
~~~~~~~~~~~~~~~~~~~~~~~~
http://members.xoom.com/_The_wizard

Start SmartCheck (SC). Open (Ctrl-O) "protected program.exe". [This protected program shows a message box asking you for a password and displays "Protected by: EXE Protector v 2.01a".] Run the program by pressing F5. Press the Acknowledge button on all the errors until the program starts. You will have to enter a password... Enter any number/name and press OK (e.g. 12345). There is a new message: "You have supplied a wrong password" (it should be wrong). Don't press the OK button! Now go back to the "protected.exe - Program Results" window [left pane], go to the string "[+] cmdOK_Click" and expand it.
(last action) You will see:

   OnError
   txtPassword.Text
   LCase
   FreeFile returns Integer:1
   Open
   Get
   Chr      (this is the first letter/number of the password)
     .... Integer charcode = 114 0x0072    [this is displayed in the right pane]
   Chr      (this is the second letter/number, etc.)
     .... Integer charcode = 115 0x0073
   Chr
     .... Integer charcode = 105 0x0069
   Chr
     .... Integer charcode = 112 0x0070

To recover the password, just type the DEC code on the numeric keypad with the ALT key held down:

   DEC                               HEX
   Integer charcode = 114 0x0072     DEC 114 = r (= hex 72)
   Integer charcode = 115 0x0073     DEC 115 = s (= hex 73)
   Integer charcode = 105 0x0069     DEC 105 = i (= hex 69)
   Integer charcode = 112 0x0070     DEC 112 = p (= hex 70)

So the password in this example is: rsip

NB: the password is NOT case sensitive (the LCase call above lowercases what you type before the comparison), so RSiP is the same as rsip or RSIP. If there are 4 Chr calls, the password is 4 letters/numbers long. There could be more or fewer Chr calls.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RSiP would like to thank tKC for his tutorials. Keep it up.

Name of Game: Advanced Video Poker v1.00
Cracker: Kmos
Company: DarkStar is Over...
Nationality: PoRtUgUeSe
Date: 27/06/99
URL: http://aha.ru/~aasamson/
Protection: Name & Serial Number

Introduction:
-------------
Now... it's time to crack the game Advanced Video Poker v1.00! It's fantastic :) This game needs a name and a serial number! Sorry for my bad English, it isn't my mother language! If this tutorial has bugs or something like that, please send me an e-mail at Kmos@Mail.pt! If you have questions about this tutorial, send me an e-mail! OK?

IMPORTANT: This is my first tutorial and my first keygenerator... sorry for my bad words or something like that!

Tools:
------
SoftICE v2.25 (with WINICE.DAT updated)!
SmartCheck v6.03

How to Start:
-------------
You start the game, and you see the Register command in the menu, because you need to register this program! If you don't register you can't play all levels of the game! Now... it's time to crack this game!
A good piece of information: the game was made in Visual Basic 5.0! You need to edit your WINICE.DAT and add this line:

   EXP=C:\WINDOWS\SYSTEM\MSVBVM50.DLL

and after this, restart your computer so SoftICE picks up the change (the exports of MSVBVM50.DLL then become available as breakpoint symbols).

Start of Crack:
---------------
Now... restart the computer with SoftICE ready, and run the game! Click the Register menu and a registration box will appear. I put "Kmos/DS in 1999" in Name and 123456 in Serial Number, but don't click the OK button yet! Then press Ctrl+D and you're inside SoftICE; now... it's time to set a breakpoint to get a serial number! First I set a breakpoint (bpx) on GetDlgItemTextA, but it didn't work... and I tried again, this time a breakpoint (bpx) on GetWindowTextA, but it didn't work either... I'm CrAzY! :) After this, I set a breakpoint (bpx) on __vbastrcomp and it worked! I set this breakpoint because it's a VB program, and this is a function of MSVBVM50.DLL that compares two strings (or two integers); it's ideal! Click OK, and you are kicked into SoftICE. Now search for the serial number for the name "Kmos/DS in 1999": type dd esi and your serial will appear in the data window:

Data Window:
------------
   1.5.3.3.8.1.8.7.
   2.0.7.4.7.5.2...

(The dots between the digits are the zero bytes of a Unicode string; VB stores its strings as UTF-16.) It's my registration number!

   Name: Kmos/DS in 1999
   Serial Number: 153381872074752

<-2-Part-oF-Crack--(-Make-a-KeyGenerator-)---------------------------------->

Start of KeyGenerator:
----------------------
Now... I'll make a keygenerator for this game, Advanced Video Poker v1.00! Run SmartCheck, open the Avp100 game and click the |> button to run the game... then click the Registration menu and enter a name and a serial number! I used the name "Kmos/DS in 1999" and the serial 123456. Why 123456? Because... I think this program checks that your name has six letters! So you need to enter a name of length >= 6! Close the game in SmartCheck with the |-| stop button, and now... click mnuRegister_Click. Click frmFun.Show... then click cmdFunOk_Click and it shows you the calculation routine! Now... go down!
   <-|
   \|/

KeyGenerator tips:
------------------
I made this keygen with the name "Kmos/DS in 1999" and the serial 123456!

First_Char!
   K + K = 150
   75 + 75 = 150              <= total for the first char

Char_Number_Two!
   m + K = 184
   109 + 75 = 184             <= total for char number two
   Total_of_char_number_two + Total_of_First_char = 334
   184 + 150 = 334            <= total after the second calculation

Char_Number_Three!
   o + K = 186
   111 + 75 = 186             <= total for char number three
   Total_of_Char_Number_Three + Total of second calculation = 520
   186 + 334 = 520            <= total after the third calculation

Char_Number_Four!
   s + K = 190
   115 + 75 = 190             <= total for char number four
   Total_of_Char_Number_Four + Total of third calculation = 710
   190 + 520 = 710            <= total after the fourth calculation

Char_Number_Five!
   / + K = 122
   47 + 75 = 122              <= total for char number five
   Total_of_char_number_five + Total of fourth calculation = 832
   122 + 710 = 832            <= total after the fifth calculation

-----------------------------------------------------------------------------
SUMMARY: each character of the name is added to the first character of the name; in this case e.g. / = 47 (decimal) + K = 75 (decimal) = 122 (decimal). Then that sum is added to the running total, e.g. 122 + 710 (total after the fourth calculation) = 832 <= total! Do you understand? It's very simple!
-----------------------------------------------------------------------------

The second part of the keygeneration routine is very simple to code! :) The number 2232 is the decimal result of the first part of the routine for the whole name (the running total after the last character). Then 2232 * 2! The result of this operation is 4464; then this number is multiplied by 2 again, and you have to do this 36 times! OK?

   2232*2=4464      after...                        <-|
   4464*2=8928      after...                          |
   8928*2=17856     after...                          |  36 X (multiply the decimal total of the name by 2)
   17856*2=35712    after...                          |  36 multiplications by 2!
   35712*2=71424    after...                          |
   71424*2=142848   after...                        <-|
   ...........      after...
   76690936037376*2=153381872074752  <= this is the serial number for the name "Kmos/DS in 1999"!

X = number of operations!
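As an added cross-check of the walkthrough above (example code written for this page, not Kmos's own; the VB source that follows is his), here is the same routine in Python. It reproduces the intermediate total 2232 and the serial 153381872074752 for the name "Kmos/DS in 1999", prints the per-character totals in the layout of the tips above, and checks a typed-in serial against a name. The function names are mine.

```python
"""Keygen for Advanced Video Poker v1.00, following the routine traced above.

Added example, not Kmos's code.  The routine, as read from the SmartCheck trace:
    total  = 2*first + sum(c + first  for every character c after the first)
    serial = total doubled 36 times   (== total * 2**36)
"""

DOUBLINGS = 36


def name_total(name: str) -> int:
    """First stage: the running total the tutorial builds character by character."""
    if not name:
        raise ValueError("the name must not be empty")
    codes = [ord(ch) for ch in name]   # Asc() of each character
    first = codes[0]
    total = first * 2                  # "K + K = 150"
    for code in codes[1:]:             # each later char is added together with the first char
        total += code + first
    return total


def serial_for(name: str) -> int:
    """Second stage: double the total 36 times."""
    return name_total(name) << DOUBLINGS   # 36 doublings == multiply by 2**36


def check_serial(name: str, serial: str) -> bool:
    """Does a typed-in serial match the name?  Non-numeric input is simply wrong."""
    try:
        return int(serial.strip()) == serial_for(name)
    except ValueError:
        return False


def trace(name: str) -> list:
    """Per-character steps: (char, char + first, running total), like the tips above."""
    steps = []
    first = ord(name[0])
    total = first * 2
    steps.append((name[0], first + first, total))
    for ch in name[1:]:
        pair = ord(ch) + first
        total += pair
        steps.append((ch, pair, total))
    return steps


if __name__ == "__main__":
    NAME = "Kmos/DS in 1999"   # the tutorial's sample name
    for ch, pair, running in trace(NAME):
        print(f"{ch!r:6} + first = {pair:4}   running total = {running}")
    print("serial:", serial_for(NAME))
```

The first-stage total is below 2^16 for any realistic name and 2^36 times that is below 2^53, so a VB Double holds the serial exactly and this version and the VB one agree digit for digit.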
MY BIG PROBLEM: my first problem with the keygen was coding these tips in a programming language! I wrote it in Visual Basic... because this game was written in Visual Basic!

KeyGenerator Source Code:
-------------------------
Create a Standard EXE project and put this in the code window (the comment after each line says what it does):

   <-|
   \|/

   '
   ' KeyGenerator for game Advanced Video Poker v1.00
   ' bY Kmos in 1999 !
   '
   Dim value(100) As Integer
   Dim i As Integer
   Dim total As Double

   Private Sub Command1_Click()
       '-------------------------------------- anything special
       If Text1.Text = "" Then
           Text2.Text = ""
           MsgBox "Please insert a name!", vbCritical + vbOKOnly, "Error..."
           Exit Sub
       End If
       If Len(Text1.Text) > 100 Then          ' value() holds at most 100 characters
           MsgBox "Name too long!", vbCritical + vbOKOnly, "Error..."
           Exit Sub
       End If
       '--------------------------------------
       value(i) = 0                           ' value = zero
       total = 0                              ' total = zero
       '--------------------------------------
       For i = 1 To Len(Text1.Text)           ' loop i = 1 to length of the name (Text1.Text)
           value(i) = Asc(Mid(Text1.Text, i, 1))   ' value(i) = ASCII code of the i-th character
       Next                                   ' next...
       '--------------------------------------
       total = value(1) * 2                   ' total = first character of the name * 2
       '--------------------------------------
       For i = 2 To Len(Text1.Text)           ' loop i = 2 to length of the name
           total = total + value(i) + value(1)   ' total = total + i-th character + first character
       Next                                   ' next...
       '--------------------------------------
       For i = 1 To 36                        ' loop i = 1 to 36
           total = total * 2                  ' the total is multiplied by 2, 36 times
       Next                                   ' next...
       '--------------------------------------
       Text2.Text = Format$(total, "0")       ' put the total (serial number) in Text2.Text; Format$ keeps all digits
       '--------------------------------------
   End Sub

<-End-oF-KeyGenerator-Source-Code----------------------cUt------------------>

Comments & Suggestions:
-----------------------
This game is very, very simple to crack! I think that... since this game is written in Visual Basic, it's very simple to get a serial code!
If you want to be a professional cracker, you need to read good tutorials and study assembly a lot! :)

GreetZ:
-------
Roscas: from Portugal... he's not a cracker... but he's a good coder! He helped me!
Prophecy: for giving me good tutorials and good API references!
Duelist: this is my friend from Portugal and he's a CrAcKeR!
tKC: good guy! He will help me with keygenerators... I think!
ACiD_BuRN: he has a good tutorial about SmartCheck :) Good work!
-----------------------------------------------------------------------------
If you look for me on the Internet, go to EFnet at #C.i.A or #Cracking4Newbies; they are my channels! See my home page at http://kmos.8m.com/ and get my tutorials and cracks! To credit me, my e-mail is Kmos@Mail.pt!
-----------------------------------------------------------------------------

Grand Theft Auto: London (PSX UK VERSION)
Tutor by PinguTM (PinguTM@hotmail.com)

This is my 9th tutorial, whey, another one ;)
** The 1st PSX tutorial to hit tKC's tutors... well, I hope it does **

Defeating CD swap

Tools: Hiew, any hex editor

Anyone that has played this game will know you need the original Grand Theft Auto disc in order to play GTA: London, which sucks, and even if you have it you still need to insert it into the PSX for authentication, which is still a pain. So..........

1. Make an ISO image (or whatever) of the GTA: London PSX disc.
2. Once completed, fire up good ol' Hiew. Press F4 and select Hex. Do you remember any of the text on the "insert disc" prompt? Fire it up in your PSX and have a look! Good, so you are sitting in Hiew in hex mode. Press F7 and do an ASCII search for the text you saw.
3. OK, once found, you should scroll up a little till you see something like this:

      cdrom:\LONDON.EXE;1
      \SLES.....etc..

4. You will notice that there are 2 SLES files. One is for GTA: London and one is for Grand Theft Auto. I can tell you that SLES_017.14 is the file on the GTA: London disc and SLES_000.32 is the file on the Grand Theft Auto disc.
5.
   Well, what we want to do is press F3 for edit mode, then press Tab so we can type ASCII characters. Move the cursor to the second 0 of SLES_000.32 and type 17.14, then press F9 to update and F10 to quit. (The replacement has the same length as the original, so nothing else in the image shifts.)
6. Burn the ISO (or whatever) to a CD-R and insert it into your modded PSX. Boot up, and when it asks for your Grand Theft Auto disc just press X and it will read the SLES file on the GTA: London disc :) It will now ask you to insert the GTA: London disc, so just press X again.
7. Quite cool how this little patch will save you having to purchase Grand Theft Auto, and the disc swapping too. Cya next time :)

P.S. This tut could have been a little more helpful, but I wrote it well after I cracked GTA: London, so this was just coming from memory. Also, if you ruin any CD-Rs because of this tut, don't blame me. It worked for me and that's what counts :)!

-=-=-=- PinguTM -=-=-=-

How to crack ORGANIZE! Your Collection apps v5.18

Hello dudes =) Today I will teach you how to crack VB apps with 3 nag screens and a time limit! I am sure you are saying: fucking hard! Heheh! I was tracing with S-ICE when I got an idea! I will explain how I did it!

1) Tools required:
   - SmartCheck 6
   - Hex editor
   - a brain =)

2) How to crack the nags!
So, for this we will use SmartCheck! Load OYC in SC and run it, click on the nag, wait for the OK button to become enabled and then exit this shitty app... In SmartCheck double-click on frmOYCMain_Load and look down until you find the ".Show" of the form. You will see this:

   + frmStart_Load
   + frmStart.Show
   ....
   ....
   ....
   frmShareware_Load
   frmShareware.Show

So, in this case the important thing is frmStart.Show. At the right of SmartCheck you will see the offset where this is located and the file. For this nag we see that it is in OYC.exe at offset 000FDA4D. OK! I suppose you are wondering what the hell I want to show you!
Heheh, now I used my brain to kill that nag. We know that a nag can be brought up by a call, so I thought: why don't we go to this offset and look for the first call just before it? So fire up your hex editor and go to offset 000FDA4D. Now, you know that a call starts with E8 in hex and is 5 bytes long. So, in your favourite hex editor, search for E8 upward from this offset; you will find:

   E8 98 6F F0 FF   :)

Replace it with NOPs (90) and you get:

   90 90 90 90 90

Save the file (make a backup first) and run it! Like magic, the first nag is killed! Good! Hehe.

Now it is time to kill the second nag! You see in my listing above that there is another ".Show"; do the same as for the first nag, and the timer and the nag will be gone! I won't show you the value to replace, because it is exactly the same as for the first nag, and it is good for you to practice :) I want to tell you that when we killed this nag, we killed the time limit of the program too! Good feeling!

OK, now the 3rd nag, which won't be as easy as the others! So, in SmartCheck, double-click on "mnuFExit_Click" (you will find it at the end of the SmartCheck report), then double-click on "frmOYCMain_Unload" and scroll down until you see "frmEnd.Show". Look at the right and take the offset: 1001A1. OK, now you say: we will do as with the other two, and that will be good! Heheh, nope! It doesn't work! OK, I thought a little and remembered that you can look for a jump to kill a nag, and in VB apps I always see jumps like this: 0F84 or 0F85 =) So, use your hex editor and go to offset 1001A1. Search for "0F" in the upward direction, and we find:

   0F 84 9A 00 00 00

so replace it with

   0F 85 9A 00 00 00

(the JE becomes a JNE) and save the file... Now run it! No more nags, no time limit! Great, we made it!

3) Notes:
I wrote this tut to show that we can patch VB apps, and sometimes a brain is more useful than tracing with S-ICE (I said: sometimes).
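The two hex patches walked through above, as an added example (example code written for this page, not from ACiD_BuRN's tutorial): NOP out the nearest CALL before a SmartCheck offset, and flip the nearest JE rel32 to JNE. It works on a constructed byte buffer into which I placed the two byte patterns the tutorial quotes; the filler around them is invented, and the real OYC.exe is not touched. The offsets CALL_AT, SHOW_OFFSET, JE_AT and UNLOAD_OFFSET are stand-ins of my own, not the tutorial's.

```python
"""Hex-patch helpers for the two nag kills described above.

Added example, not part of ACiD_BuRN's tutorial.  SAMPLE below is a constructed
file image: CC filler with the two byte patterns quoted in the tutorial placed in it.
"""

CALL_OPCODE = b"\xE8"       # CALL rel32, 5 bytes long
JE_REL32 = b"\x0F\x84"      # JE rel32, 6 bytes long
JNE_REL32 = b"\x0F\x85"
NOP5 = b"\x90" * 5


def find_call_before(data: bytes, offset: int) -> int:
    """File offset of the last 5-byte CALL that ends at or before `offset`."""
    if not 0 <= offset <= len(data):
        raise ValueError("offset outside the file")
    pos = data.rfind(CALL_OPCODE, 0, max(offset - 4, 0))   # the whole CALL must fit before offset
    if pos < 0:
        raise ValueError("no E8 byte before the offset")
    return pos


def call_target(data: bytes, pos: int) -> int:
    """Where the CALL at `pos` goes, as a file offset: rel32 is signed and counted
    from the end of the 5-byte instruction.  A target far outside the code section
    means the E8 you found is a data byte, not a real CALL."""
    rel = int.from_bytes(data[pos + 1:pos + 5], "little", signed=True)
    return pos + 5 + rel


def nop_call_before(data: bytes, offset: int) -> tuple:
    """Replace the nearest CALL before `offset` with five NOPs (the first two nags)."""
    pos = find_call_before(data, offset)
    patched = data[:pos] + NOP5 + data[pos + 5:]
    assert len(patched) == len(data)   # same-length patch: no other offset moves
    return patched, pos


def flip_je_before(data: bytes, offset: int) -> tuple:
    """Turn the nearest JE rel32 (0F 84) before `offset` into JNE (0F 85): the third nag."""
    if not 0 <= offset <= len(data):
        raise ValueError("offset outside the file")
    pos = data.rfind(JE_REL32, 0, offset)
    if pos < 0:
        raise ValueError("no 0F 84 before the offset")
    patched = data[:pos] + JNE_REL32 + data[pos + 2:]
    return patched, pos


# --- constructed sample image (not the real OYC.exe) --------------------------
CALL_AT = 0x100        # E8 98 6F F0 FF: the bytes found above 000FDA4D
SHOW_OFFSET = 0x115    # stand-in for the frmStart.Show offset
JE_AT = 0x200          # 0F 84 9A 00 00 00: the bytes found above 1001A1
UNLOAD_OFFSET = 0x210  # stand-in for the frmEnd.Show offset

_img = bytearray(b"\xCC" * 0x300)
_img[CALL_AT:CALL_AT + 5] = b"\xE8\x98\x6F\xF0\xFF"
_img[JE_AT:JE_AT + 6] = b"\x0F\x84\x9A\x00\x00\x00"
SAMPLE = bytes(_img)


def patch_sample() -> bytes:
    """Apply both patches to SAMPLE, as the tutorial does to OYC.exe."""
    out, _ = nop_call_before(SAMPLE, SHOW_OFFSET)
    out, _ = flip_je_before(out, UNLOAD_OFFSET)
    return out


if __name__ == "__main__":
    pos = find_call_before(SAMPLE, SHOW_OFFSET)
    print(f"CALL at {pos:06X}, target {call_target(SAMPLE, pos)} (file-relative)")
    out = patch_sample()
    print(out[CALL_AT:CALL_AT + 5].hex(), out[JE_AT:JE_AT + 6].hex())
```

Both patches keep the file length unchanged, which is why the tutorial's offsets stay valid afterwards. Searching backwards for a lone E8 (or 0F 84) byte can also hit an immediate or a data byte, which is the "doesn't work all the time" case the notes mention; checking the decoded call target before writing, and keeping the backup the tutorial asks for, is the cheap way to catch that.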
So, this way of cracking VB nags doesn't work all the time, but I cracked some apps using it, so don't be mad at me :) If you see that the offset is in the MSVBVM50 or 60 DLL, just make a copy of it, place it in the app's directory and patch that copy. That way the program will use this DLL and not the one in Windows\System, and you won't have problems with other apps that use the DLL!

I hope this tutorial was not too boring, and sorry for my bad English... If you have any questions, mail me at ACiD_BuRN@nema.com or acid2600@hotmail.com. If you crack one app a day using this method, tell me please :)

Greetings to: all ReFLeXZ team, all ECLiPSE team, all PWA team, all Toxic team and all CrossOver team, because I am a member of these cool groups! Also greets to: tKC, BuLLeT, Duelist, Eternal Bliss, HarvestR, Parker, Agora, duelist, R!SC, Lucifer48, tC, Pozeidon... If I forgot to put your name here, sorry, too many people to greet! And maybe you can find me on IRC on EFnet in these channels: #c.i.a, #cracking4newbies...

ACiD BuRN

All Software by Design Products (19 Programs)
by p0SEIDON [C.i.A-Trial]
Date: 28.06.1999
tUT 1

About: how to code a keygen for all Software by Design products (19 programs) with SoftICE only (without W32Dasm).

Before starting this tut I only want to say (like everybody else): excuse my really bad English.

=Tools needed=
==============
SoftICE 3.2X (www.crackstore.com / softice.tsx.org (fosi.da.ru) / protools.cjb.net...)

Get the programs at www.execpc.com/~sbd (we'll crack all 19 shareware proggies).

OK, let's start with Font Show 3.5. Start the program and go to Help->Register. Now you see a window with three input fields:

   1. User Name / 2. Organization / 3. Registration

Just write something into the fields. I typed:

   1: p0SEIDON   (p0 <-- for all who don't know, that's a zero)
   2: [C.i.A]
   3: 305419896

Why did I type 305419896? Because 305419896 is 12345678 in hex, so you can identify your RegCode in any register very quickly.
OK, so let's go into SoftICE (Ctrl+D) and set some BPXs. Type:

   BPX GetWindowTextA
   BPX GetDlgItemTextA

OK, let's leave SoftICE with F5 or type X. Enter your information and boom! you're in SoftICE. Now let's think a little bit. Up to now, a function that gets text from an edit box has been called once; there are three fields, so let the program run two more times (press F5 F5). OK, now the last call, the one that gets the text from the last edit box, has fired, so we press F11 to go back to the calling code location. We're in the EXE now. You should see something like this (cut from W32Dasm (URLs: see above); read the comments down to your position at 004067E3):

   * Reference To: USER32.GetDlgItemTextA, Ord:00F5h
   |
   :004067BE 8B2DC8C54100   mov ebp, dword ptr [0041C5C8]   = the function we set our BPX on; its address is moved
                                                               to EBP, so it can be called as "call ebp" instead of
                                                               "call USER32.GetDlgItemTextA"
   * Possible Reference to Dialog: DialogID_0834, CONTROL_ID:0065, ""
   |
   :004067C4 6A65           push 00000065
   :004067C6 8D5E32         lea ebx, dword ptr [esi+32]
   :004067C9 57             push edi
   :004067CA FFD5           call ebp                        = USER32.GetDlgItemTextA --> gets our username
   :004067CC 6A32           push 00000032
   :004067CE 53             push ebx
   :004067CF 6A66           push 00000066
   :004067D1 57             push edi
   :004067D2 FFD5           call ebp                        = gets our company
   :004067D4 8D442410       lea eax, dword ptr [esp+10]
   :004067D8 6800010000     push 00000100
   :004067DD 50             push eax
   * Possible Ref to Menu: MenuID_03E8, Item: "Font Properties"
   |
   * Possible Reference to String Resource ID=00103: "Show information about the selected font"
   |
   :004067DE 6A67           push 00000067
   :004067E0 57             push edi
   :004067E1 FFD5           call ebp                        = gets our serial
   :004067E3 8D442410       lea eax, dword ptr [esp+10]     ===> here you are. ESP+10 is moved to EAX; press F10
                                                               and then D EAX. Ah! your serial. OK!
   :004067E7 50             push eax                        = it pushes our serial?
   :004067E8 E8735C0000     call 0040C460                   = uninteresting
   :004067ED 83C404         add esp, 00000004               = too
   :004067F0 8BE8           mov ebp, eax                    = too
   :004067F2 56             push esi                        = type D ESI; damn, our name: interesting
   :004067F3 E8E8500000     call 0040B8E0                   = looks like the generate-code routine! but only the name?
   :004067F8 83C404         add esp, 00000004
   :004067FB 3D92A71901     cmp eax, 0119A792               = EAX is compared with a number
   :00406800 7518           jne 0040681A                    = if eax <> $0119A792 then jmp... with your name it jumps
   * Possible StringData Ref from Data Obj ->"Gregory Braun"   = but let's look at what's going on here
   |
   :00406802 68BC4D4100     push 00414DBC                   = "Gregory Braun" is the name of the author
   * Reference To: KERNEL32.lstrcpyA, Ord:0296h
   |
   :00406807 8B2D7CC44100   mov ebp, dword ptr [0041C47C]
   :0040680D 56             push esi
   :0040680E FFD5           call ebp
   * Possible StringData Ref from Data Obj ->"Software Design"
   |
   :00406810 68AC4D4100     push 00414DAC                   = "Software Design" is the name of the author's company
   :00406815 53             push ebx                        = let's think a little bit about the traced code:
   :00406816 FFD5           call ebp                        = it generates a value from YOUR name and compares it with
   :00406818 EB07           jmp 00406821                    = a constant, and if they match it copies his name and his
                                                               company into the name and company buffers.

HEY! Possibly the value it compares with yours is the serial of his name and company. What the hell... what is he doing? We could stop here, because you have one serial now:

   User Name : Gregory Braun
   Company   : Software Design
   Serial    : 18458514 (the hex value your serial is compared with, in decimal)

Further, you could now generate any serial for your name (but not for the company name, because up to this point your company hasn't been pushed). But we want to write a keymaker, so let's trace into the gen procedure. Trace into the serial-gen procedure with F8 at .004067F3 and set a BP on the first instruction you see:

   :0040B8E0 53             push ebx                        <-- bpx; just double-click
   :0040B8E1 56             push esi
   :0040B8E2 8B74240C       mov esi, dword ptr [esp+0C]

OK, now press F5. Why? We want to see how often the serial-gen procedure is called.
BPX set, then press F5 --> SoftICE stops; F5 --> SoftICE stops; F5 --> nothing happens. OK, now we know how often the serial-gen procedure is called: 3 times in all:

   1. to compare with the author's serial
   2. to generate the name serial
   3. to generate the company serial

How could I see that? Very easy. The BPX on the gen procedure is set, so disable all other breakpoints (BD bpnumber). OK, let's press OK in the registration dialog again. SoftICE pops up: 1. compare with the author's serial. 2. stop; now we will examine the code surrounding the gen proc, so press F11. Now you'll see the following code:

   :0040B340 8B442404       mov eax, dword ptr [esp+04]
   :0040B344 56             push esi
   :0040B345 8B35A04A4100   mov esi, dword ptr [00414AA0]   = a constant value is moved to esi ($F950059F -> ESI)
   :0040B34B 50             push eax                        = push of our username?
   :0040B34C 81CE78030000   or esi, 00000378                = the value is ORed with 378. What the hell is Gregory doing?
   :0040B352 E889050000     call 0040B8E0                   = compare with the call above; definitely the same
   :0040B357 83C404         add esp, 00000004               =====> we're here now
   :0040B35A 03F0           add esi, eax                    = eax is the return value of the gen proc, as we saw above,
                                                               and is added to esi, which was set above
   :0040B35C 8B44240C       mov eax, dword ptr [esp+0C]
   :0040B360 50             push eax                        = push of our company?
   :0040B361 E87A050000     call 0040B8E0                   = again our gen procedure, yeah
   :0040B366 83C404         add esp, 00000004
   :0040B369 03C6           add eax, esi                    = we got him! the return value of the second gen call is
                                                               added to esi, which was built up above; aha!
   :0040B36B 5E             pop esi
   :0040B36C C3             ret

To confirm this we set a BPX on .0040B352: type BD * and double-click on the call. OK! Then leave SoftICE and press OK in the dialog. SoftICE pops up at that code location: type D EAX: your username! Trace over (with F10, not F8) until you reach .0040B361, the second call; type D EAX: your company! OK, trace until .0040B36B and type ? EAX: for me it's FB130631 in hex and 4212327985 in decimal. OK, let's test our newly generated serial. Enter the serial and IT WORKS. KEWL, EH!
OK, now we can generate a valid serial for name and company, but we haven't finished yet, because we want to code a keymaker. The things we know so far (you can get all these values with '? ESI' and so on):

   ESI := $F950059F;
   ESI := ESI OR $378;                 (ESI = $F95007FF)
   EAX := GenerateSerial(UserName);
   ESI := ESI + EAX;
   EAX := GenerateSerial(Company);
   EAX := ESI + EAX;                   (the serial)

OK, the thing we don't know is how the GenerateSerial function works, but we know where it is located, so we just have to examine the gen proc and analyse how it works. If you're starting to get lazy now, I'll tell you something: about 10 of the programs use the same gen routine, just with other constant values for ESI... what a mess.

So let's start analysing the GenerateSerial routine. This is the whole GenerateSerial routine (I named the parameter of the gen proc GenString):

   :0040B8E0 53             push ebx                        = here we had set our BPX
   :0040B8E1 56             push esi
   :0040B8E2 8B74240C       mov esi, dword ptr [esp+0C]     = move the parameter to esi (1. username / 2. company)
   :0040B8E6 57             push edi
   :0040B8E7 55             push ebp
   :0040B8E8 33FF           xor edi, edi
   :0040B8EA 56             push esi                        = esi = GenString
   * Reference To: KERNEL32.lstrlenA, Ord:029Ch
   |
   :0040B8EB FF1594C44100   Call dword ptr [0041C494]       = calls the procedure that computes the string length
   :0040B8F1 85F6           test esi, esi                   = check 1:
                                                               if the string pointer is null (no string) then exit
   :0040B8F3 7432           je 0040B927                     = jump to the end of the gen proc without adding to EDI
   :0040B8F5 85C0           test eax, eax                   = check the length of GenString
   :0040B8F7 742E           je 0040B927                     = if length = 0 then exit
   :0040B8F9 B900000000     mov ecx, 00000000               = counter set to zero
   :0040B8FE 7E27           jle 0040B927
   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0040B925(C)
   |                                                        REPEAT
   :0040B900 0FBE9C0844654100 movsx ebx, byte ptr [eax+ecx+00416544] = 1) EBX := Ascii(StringList1[length(GenString)+Count])
   :0040B908 0FBE2C0E       movsx ebp, byte ptr [esi+ecx]   = 2) EBP := Ascii(GenString[Count])
   :0040B90C 8D5101         lea edx, dword ptr [ecx+01]     = 3) EDX := ECX+1
   :0040B90F 0FAFDD         imul ebx, ebp                   = 4) EBX := EBX*EBP
   :0040B912 0FBE897C654100 movsx ecx, byte ptr [ecx+0041657C] = 5) ECX := Ascii(StringList2[Count])
   :0040B919 0FAFD9         imul ebx, ecx                   = 6) EBX := EBX*ECX
   :0040B91C 0FAFDA         imul ebx, edx                   = 7) EBX := EBX*EDX
   :0040B91F 03FB           add edi, ebx                    = 8) EDI := EDI+EBX
   :0040B921 8BCA           mov ecx, edx                    = 9) ECX := EDX
   :0040B923 3BC2           cmp eax, edx                    = 10) IF EDX >= length of GenString THEN END
   :0040B925 7FD9           jg 0040B900                     = 11) UNTIL EDX >= EAX
   * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
   |:0040B8F3(C), :0040B8F7(C), :0040B8FE(C)
   |
   :0040B927 8BC7           mov eax, edi                    = EAX := EDI
   :0040B929 5D             pop ebp
   :0040B92A 5F             pop edi
   :0040B92B 5E             pop esi
   :0040B92C 5B             pop ebx
   :0040B92D C3             ret

OK! Let's start explaining... if you are a Delphi coder you (hopefully) understood my notes, but for all others I'll try to explain. Before I start, something important: the algorithm is really small, and the only unusual thing is that the author uses a StringList/table, but don't worry, it's very easy. A StringList is a list of many letters.
To see the StringLists, type at any code location IN FontShow: "D 00416544" for StringList1 and "D 0041657C" for StringList2.

   StringList1 : ARRAY [0..55] of Byte = (
      $23,$73,$65,$72,$42,$26,$6e,$7a,
      $7c,$6d,$66,$4d,$31,$2f,$35,$28,
      $21,$73,$64,$24,$4d,$71,$2e,$7b,
      $73,$5d,$2b,$73,$46,$6a,$74,$4b,
      $70,$7a,$53,$64,$74,$7a,$6f,$58,
      $71,$6d,$62,$5e,$41,$6c,$40,$64,
      $76,$3a,$73,$3f,$78,$2f,$00,$00);

   StringList2 : ARRAY [0..55] of Byte = (
      $7c,$62,$21,$70,$7a,$2a,$6c,$73,
      $3b,$72,$6e,$7c,$6c,$66,$24,$76,
      $69,$5e,$41,$78,$70,$65,$29,$72,
      $78,$35,$61,$69,$63,$26,$39,$2f,
      $32,$6d,$35,$6c,$73,$69,$34,$40,
      $30,$64,$6d,$5a,$77,$39,$44,$63,
      $6d,$71,$70,$66,$68,$77,$00,$00);

Those are the two StringLists. The numbers are the ASCII codes in hex; they are the same numbers you see after typing D StringListX. OK, that's the gen proc for the older programs; Delphi source see below. Newer Software by Design products have a different gen proc routine, but with the same structure. All programs by Gregory Braun have this protection scheme (StringLists). But he's very lazy, because he uses the SAME string table and the same structure in every program.

OK, let's take a closer look at the main gen proc. Let's look at 1):

   :0040B900 0FBE9C0844654100 movsx ebx, byte ptr [eax+ecx+00416544]

movsx transfers a byte from a memory location, sign-extended, into its first operand, here EBX. Now let's look at what is moved into EBX. What is EAX? Look at .0040B8EB, the lstrlenA call: it puts the length of GenString into EAX. OK, but what is ECX? It's a modifier that is set to 0 before entering the main gen loop. One thing left: 00416544. What's that? That's the StringList I told you about above. OK, let's analyse the expression in brackets. The whole expression points into a string, but at what location? The StringList [.00416544] is a constant value, since it doesn't change. So the only variable values are the registers. What can EAX be? Only a value greater than 0, because if EAX is 0 the gen proc exits right after the lstrlenA call.
ECX is a modifier that is updated inside the gen loop. OK, let's summarise our information: if the registers EAX and ECX were both 0, the expression would point to the beginning of StringList1, so EAX and ECX only move the pointer within StringList1. The movsx moves the ASCII code of the letter the byte ptr expression points to into EBX.

OK, now 2):

   :0040B908 0FBE2C0E       movsx ebp, byte ptr [esi+ecx]

The same thing as above but without a StringList. ESI points to GenString (the username on the first call) and ECX is our little modifier. So EBP's value is the ASCII value of the (ECX+1)-th letter. (Why ECX+1? Because we start counting from one; position 0 of a Delphi string holds the length of the string.)

3):

   :0040B90C 8D5101         lea edx, dword ptr [ecx+01]

Very easy, eh! EDX := ECX+1

4):

   :0040B90F 0FAFDD         imul ebx, ebp

Very easy too! EBX gets the result of the multiplication: EBX := EBX*EBP

5):

   :0040B912 0FBE897C654100 movsx ecx, byte ptr [ecx+0041657C]

!StringList2! OK, now you should be able to recognise that a StringList is used (StringList2). ECX becomes the ASCII value of the (ECX+1)-th letter of StringList2. I wrote down the ASCII codes used above in my byte array.

6/7/8/9):

   :0040B919 0FAFD9         imul ebx, ecx                   = 6) EBX := EBX*ECX
   :0040B91C 0FAFDA         imul ebx, edx                   = 7) EBX := EBX*EDX
   :0040B91F 03FB           add edi, ebx                    = 8) EDI := EDI+EBX
   :0040B921 8BCA           mov ecx, edx                    = 9) ECX := EDX

Some very easy maths (I hope!). Small explanation: see above. Not very hard, eh!

10):

   :0040B923 3BC2           cmp eax, edx
   :0040B925 7FD9           jg 0040B900

The end of the main gen loop. IF EDX
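The whole scheme in Python, as an added example for this page (not p0SEIDON's code; the tutorial's own keymaker was to be in Delphi). The two tables are copied from the dump above, the GenerateSerial loop is transcribed from 0040B900..0040B925 step for step (movsx as sign extension, imul and add wrapping at 32 bits), and the caller at 0040B340 supplies the constant, the OR 378 and the two additions. For the tutorial's name and company it reproduces FB130631 hex / 4212327985 decimal. The 28-character limit is my own guard: beyond it the real routine reads past the 56-byte table, which this example refuses to emulate.

```python
"""Keygen for Software by Design's Font Show 3.5 (the scheme traced above).

Added example, not part of p0SEIDON's tutorial.  Tables are the two StringLists
dumped from 00416544 / 0041657C; the loop follows 0040B900..0040B925 step for step.
"""

STRINGLIST1 = bytes([
    0x23, 0x73, 0x65, 0x72, 0x42, 0x26, 0x6e, 0x7a,
    0x7c, 0x6d, 0x66, 0x4d, 0x31, 0x2f, 0x35, 0x28,
    0x21, 0x73, 0x64, 0x24, 0x4d, 0x71, 0x2e, 0x7b,
    0x73, 0x5d, 0x2b, 0x73, 0x46, 0x6a, 0x74, 0x4b,
    0x70, 0x7a, 0x53, 0x64, 0x74, 0x7a, 0x6f, 0x58,
    0x71, 0x6d, 0x62, 0x5e, 0x41, 0x6c, 0x40, 0x64,
    0x76, 0x3a, 0x73, 0x3f, 0x78, 0x2f, 0x00, 0x00,
])
STRINGLIST2 = bytes([
    0x7c, 0x62, 0x21, 0x70, 0x7a, 0x2a, 0x6c, 0x73,
    0x3b, 0x72, 0x6e, 0x7c, 0x6c, 0x66, 0x24, 0x76,
    0x69, 0x5e, 0x41, 0x78, 0x70, 0x65, 0x29, 0x72,
    0x78, 0x35, 0x61, 0x69, 0x63, 0x26, 0x39, 0x2f,
    0x32, 0x6d, 0x35, 0x6c, 0x73, 0x69, 0x34, 0x40,
    0x30, 0x64, 0x6d, 0x5a, 0x77, 0x39, 0x44, 0x63,
    0x6d, 0x71, 0x70, 0x66, 0x68, 0x77, 0x00, 0x00,
])

MASK32 = 0xFFFFFFFF
ESI_CONST = 0xF950059F   # mov esi, [00414AA0] in Font Show 3.5 (other SBD programs use other constants)
ESI_OR = 0x378           # or esi, 378


def _movsx(b: int) -> int:
    """movsx: the byte is sign-extended, so values >= 0x80 become negative."""
    return b - 0x100 if b & 0x80 else b


def generate_serial(gen_string: bytes) -> int:
    """GenerateSerial at 0040B8E0: returns EDI (32-bit) for one string."""
    n = len(gen_string)                        # lstrlenA -> EAX
    if n == 0:                                 # test eax, eax / je: exit with EDI = 0
        return 0
    if n + n > len(STRINGLIST1):
        # my guard: the real code would index past the 56-byte table here
        raise ValueError("string longer than the table allows (max 28)")
    edi = 0
    for ecx in range(n):                       # runs until EDX (= ecx+1) >= EAX (= n)
        ebx = _movsx(STRINGLIST1[n + ecx])     # 1) StringList1[len + count]
        ebp = _movsx(gen_string[ecx])          # 2) GenString[count]
        edx = ecx + 1                          # 3) lea edx, [ecx+1]
        ebx = (ebx * ebp) & MASK32             # 4) imul ebx, ebp
        ecx_val = _movsx(STRINGLIST2[ecx])     # 5) StringList2[count]
        ebx = (ebx * ecx_val) & MASK32         # 6) imul ebx, ecx
        ebx = (ebx * edx) & MASK32             # 7) imul ebx, edx
        edi = (edi + ebx) & MASK32             # 8) add edi, ebx
    return edi                                 # mov eax, edi


def serial(user_name: str, company: str) -> int:
    """The caller at 0040B340: constant OR 378, plus both GenerateSerial results."""
    esi = ESI_CONST | ESI_OR                   # 0xF95007FF
    esi = (esi + generate_serial(user_name.encode("latin-1"))) & MASK32
    return (esi + generate_serial(company.encode("latin-1"))) & MASK32


if __name__ == "__main__":
    s = serial("p0SEIDON", "[C.i.A]")
    print(f"{s:08X} hex = {s} dec")            # FB130631 hex = 4212327985 dec
```

The per-string part is what to reuse for the other Software by Design programs: keep generate_serial, swap in the program's own ESI constant (and, for the newer ones, its own tables), and the caller stays the same. Latin-1 encoding is used so that a character above 0x7F goes through the same sign extension movsx applies to it in the real routine.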