Welcome to Cracking Tutorial #41!

Hiya peepz,

Here's another tutor for you... heheh.. nothing's gonna stop us now! :) OK, let's go!

You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

SoftICE 4.01
W32Dasm 8.93
Hacker's View 6.20
SmartCheck 6.03
TASM 5.00
Windows Commander 4.01 (I use it coz it's easier to multitask)

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here is a good site where you can grab tools from: http://mercury.spaceports.com/~quel/protools/ or ask any crackers to get you these tools!

Are you ready?! OK! ;)


-= How to get your personal serial in all Software by Design apps =-
by ChosenFew
for newbies, by a newbie

Tools used: Softice 4.01

Where to get the programs: http://www.execpc.com/~sbd and get the file TheWorks.zip (2,92 Mb) which contains all software by SBD

The following 23 programs are included:

AppPaths for Windows 95/NT
Audition for Windows 95/NT
BattleStar for Windows 95/NT
CardBase for Windows 95/NT
Crypto for Windows 95/NT
Disk CleanUp for Windows 95/NT
DLL Show for Windows 95
File Shredder for Windows 95/NT
FontShow for Windows 95/NT
FxEdit for Windows 95/NT
Icon Extractor for Windows 95/NT
Kart Data for Windows 95/NT
NoteBook for Windows 95/NT
Password Keeper for Windows 95/NT
Programmer's IDE for Windows 95/NT
Reminders for Windows 95/NT
RGB Editor for Windows 95/NT
Screen Loupe for Windows 95/NT
Submit It for Windows 95/NT
ToolBar for Windows 95/NT
Touch for Windows
TxEdit for Windows 95/NT
WebTime for Windows 95/NT

Program description:
In this package are some nice apps, like DLLShow and Icon Extractor -- some of the apps are freeware, but you can always delete them.
In this tutorial we will find out that the author of these programs hasn't put much effort into protecting his software: the serial routine is the same in every program, and he was nice enough to bundle them all in 1 large package!

Getting your serials!

OK.. As example program i'll use Icon Extractor v 3.3 but it doesn't really matter because the protection is the same in all the other apps. When we start IconEx, we'll see the "30-day ShareWare Evaluation Copy" and in the About-box it tells us we are UNREGISTERED. Well.. Let's register it then! Let's go to Help / Register and the register-dialog pops up. We see 3 fields in which we have to put our information: User Name, Organisation and Registration. So i filled these with the following:

UserName    : ChosenFew
Organisation: [XTC]
Registration: 911

When we click the OK button now, Icon Extractor tells us we have entered an invalid registration number -- so, we acknowledge that and we're back in the registration box, and our info is still there. Now, we'll CTRL-D into SoftIce and set a few BPX's to see on which one it will break.

: bpx getwindowtexta
: bpx getdlgitemtexta

Now press F5 once to get back in our register-dialog. Press OK again, and SoftIce will break on GetDlgItemTextA..! Press F11 to get to the caller and look at the EAX register in the register-window from Softice: it says EAX=00000009 (if you are UNABLE to see the register-window in Softice, type WR on the commandline in Softice). Hey! My name is 9 characters also! That's good... but we don't need to check our name, so we'll have to let the program run a bit further until it will break again, so we have to press F5 again.

*BREAK*

Good, another break! Press F11 again and look at the EAX: it has changed to EAX=00000005! Well, [XTC] is 5 characters, so when we press F5 again i'll bet EAX=00000003 then! Let's do just that: F5, F11 and look at EAX: yes!
(remember -- when you enter your personal info in IconExtractor these values will be different of course :P )

So finally, here we are! We see a lot of code here, but keep in mind what we are looking for here: our REAL serial. If nothing happens, IconExtractor would just tell us that our serial sucks and we are still UNREGISTERED. So obviously, it compares our fake serial with a real serial that it will generate based on our UserName and Organisation. So it is safe to say (and our luck that these programs are so easy to "serial" and practise on) that it will call a checking routine, then compare our serialnumber to the real, generated serial and jump to either the "registered" section of the program, or the "unregistered" section. In asm that would be:

CALL (codelocation)       -> where it generates the real serial based on username/company
CMP EAX,EBP               -> here it compares our entered (fake) serial in EAX to the REAL one in EBX
JZ (registered location)  -> ..and it jumps to the "Thank you for registering" section of the program when the serials match each other, else it will tell us that we have entered the wrong serial and we can start over again :)

So, we have a general idea of what we should be looking for! Let's go a bit through the code now.. It is also interesting to check out what is in all those registers in the register-window:

Press F10 once, and we are on the line

xxxx:00407D27 PUSH EAX         -> if we do a "d eax" here we'll see our fake serial, and if we do a "d esi" we'll see our UserName and Organisation.. Good!

Now let's trace a bit down through the code (use F10 to do so) until we find something that matches our idea -- a CMP line. We find the first CMP at:

xxxx:00407D3B CMP EAX, 0199A792  -> well, if we do a "? eax" here it gives a value but it's not our serialnumber...
so let's F10 some more to find another CMP with a CALL in front of it

Next one:

xxxx:00407D5A CMP EAX, 0D5FCE3C  -> nothing again, so let's keep tracing with F10

Next one:

xxxx:00407D6F CALL 0040DB00      -> Our serial-routine! If you want to check it out, press F8 here to go into this call and see what it does exactly
xxxx:00407D74 ADD ESP,08         --> Not important for us (hehe i don't know what it does)
xxxx:00407D77 CMP EAX, EBP       -> But i know what this does! Let's do a "? ebp" here... Wow! It compares our fake serial with SOMETHING in EAX...... let's see what's in EAX: "? eax" EAX= 4013244178 well, that looks like our REAL serial!
xxxx:00407D79 JZ 00407D99        -> Here it jumps, but we don't need this part anymore

Now, let's try our real serial from EAX in IconExtractor! First type BC* to clear all breakpoints, we don't need to break again since we have found our serial we hope.. We enter the correct serial in the Registration-box, press OK and... Thank you for Registering! Cool! And the best part is: this method will work flawlessly on all the other apps in TheWorks.zip, so go register them as well and try to understand what the code actually does.

Greets/Thanks

This was my first tutorial -- hope you enjoyed it and that you could understand my English hehe
Thanks go out to tKC and all those guys who filled his tutorials -- i read every one of them
Also Intern for giving me the basics -- get his tutorials also!
Greets to all who read and enjoy these fine tutorials -- If you need me, catch me in #cracks, #zor or #x-t-c on EFNET

ChosenFew
13-09-1999


How to Crack STRiNGZ's VB Crack-Me
By SiONiDE-CiA

Toolz Needed:
SmartCheck 6.01 (Because it's a VB app)
The Crack-Me (duh)

Step 1:
Okay, run the Crack-Me and let's see what protection it has. Well we see that there is a NAME/SERIAL section, and that looks about it. Ok, Enter SmartCheck, and make sure it is configured correctly.
Click "Program, Settings" and make sure every box is ticked in "Error detection", and everything except "Report Mouse...." is ticked in "Reporting". Right, now that's done, we can start to Crack. Open the Crack-Me in SmartCheck and press "F5" to run the prog. Enter any name and serial into the boxes. I entered "Name: SiONiDE-CiA, Serial: 123123123". Hit "Check", and wait... Nothing happens. Exit the Crack-Me and you should be back in SmartCheck.

Step 2:
In the box "Program Results" scroll down until you see "check_Click". Expand it (double click) and you should see around 32 other branches depending on the length of your name. Every three lines you should see an "Asc returns Integer:XX" with an ASCII value after it. Put together all the values and you will see your name.

Asc returns Integer:83     S
Asc returns Integer:105    i
Asc returns Integer:79     O
Asc returns Integer:78     N
Asc returns Integer:105    i
Asc returns Integer:68     D
Asc returns Integer:69     E
Asc returns Integer:45     -
Asc returns Integer:67     C
Asc returns Integer:105    i
Asc returns Integer:65     A

Okay, we now know that our serial will be after all the Values which make up the Name entered.

Step 3:
Under the last value, click on the Branch that says "Left". On the right hand side you should see something like this:

-string (variant)
`
`--double .dblVal = 1039188316104   <=-This looks like our REAL serial.
`-Long length = 9 0x00000009        <=-The length the serial must be.

Ok, now we have our serial and the length it should be, we cut "1039188316104" down to "9" digits, and that would make our REAL, WORKiNG serial: "103918831".

Run the Crack-Me
Enter:
NAME: SiONiDE-CiA
SERiAL: 103918831

What do we get??? A nice little MSG box saying "CORRECT SERiAL. WELL DONE!"

Walla, Cracked :P

I hope you enjoyed this short tut.
I would like to Thank tKC for all past tuts which encouraged me, and all my friends on iRC for sticking by me :P


Basics of Cracking :)
By SiONiDE-CiA

Hiya again, I've had several E-Mails requesting that I write a tut on "General Cracking". As you will probably know, this isn't exactly a small section, so put some coffee on :)

Toolz Needed:
W32Dasm 8.9
hIEW
SoftIce 3x or 4 (I use 4)
SmartCheck 6.01
A few lame targets :)

Section 1: W32Dasm.

Ok, we might as well start with the original, W32Dasm. W32Dasm is a Windows Disassembler. It will allow you to view programs in ASM. The most common way to use it is to load up your file, wait ages, and then click on String Data References (SDR).

Step 1:
Patching an easy prog to enter any Name/Serial. Ok, find an easy target, make sure it has a Name/Serial protection (duh). Ok... run the prog and enter the registration screen, enter any name, and a random serial. Click "OK", and you should get an error message, write this down, or remember it :)

Step 2:
Load up your prog's executable file with W32Dasm, and wait for it to disassemble. When done, click on "SDR", a window will pop up with a list in it. Scroll down until you see your error message, when found, double click on it, then exit "SDR". Now you should see something like this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:********(C)   <=- This is what we want.

* Possible StringData Ref from Code Obj -> "Your Error Message Here"

Note: In a real prog, this will be different :) *'s will be replaced with the address.

Ok, from the menu, select "Goto Code Location" and enter the address which will replace the *'s. Ok, you should now end up at something that looks like this:

:******** 41            inc ecx
:******** E8B1CFF7FF    call ********   <=- A call.
:******** 0F8532010000  jne ********    <=- If the call fails, jump to the error message from before.

"jne" = Jump if not equal. So what would happen if we changed it to "je", Jump if equal.
This would mean, when a fake serial is entered, no more error box, so it must jump to the registered box, and reg the prog. Ok, make sure the Green Bar is highlighted over the part with "jne". Write down the offset at the bottom of W32Dasm.

Step 3:
Load up your target in hIEW (Hacker View) and press ENTER twice to enter "decode mode". Press "F5" and enter the earlier offset. You should see what you saw in W32Dasm, but now it can be edited :) Press "F3" to edit, and change 0F85 --> 0F84 (je). Press "F9" to update the file and exit hIEW. Run your target, enter any name/serial, and walla, reged!

The above process will work for time limits as well. In SDR, search for a message like "Sorry, this version of blah has expired", and do the above actions, change "jne" to "je". No more timelimit :)

Section 2: SoftIce.

Softice is a Debugger (a damn good one). It is very useful for fishing the REAL serials out of programs. No patching involved. It will allow you to do many more things, but this is the main one.

Step 1:
I trust your winice.dat is configured well, so let's start. Pick a program with a Name/Serial Protection. Enter the prog's registration screen and enter any name, and any serial. Before pressing ENTER, let's set a few Break Points. Break Points will break when the prog does a certain thing. Eg. BPX MessageBoxA will break on a message box :) Here are the most common:

BPX GetDlgItemTextA
BPX GetWindowTextA
BPX MessageBoxA
BPX Hmemcpy   <=- Breaks on everything :P

The "A" at the end means 32-Bit, if your target is 16-Bit, leave out the "A".

Ok, Press "Ctrl+D" to enter softice, and set some of the above Break Points. Press "Ctrl+D" again to return to windows. At the reg screen, press "OK", and BOOM, you should be back in Softice. Since this is a Name/Serial Protection, we must press "F5" once to get to the right part. Once done, press "F11". Ok, this kinda looks like W32Dasm, so press "F10" to trace through the target, until you come to an interesting call.
Like the one you saw in the W32Dasm section of this tut. Here is a basic example:

:******** **** CMP EAX, EDX
:******** **** je ********

Ok, type D EDX, and in the data screen, you should see your fake serial. Hmmm.... So what does it compare with ?!? Type D EAX and hopefully you should see your valid serial up in the data screen. Write this down, type "BC *" to clear all Break Points, and "Ctrl+D" to return back to the prog. Enter the name you entered before, and the serial you just found. Walla, cracked :))

Section 3: SmartCheck.

Programmers use SmartCheck all the time to test their VB apps. But it can also be used to crack their VB apps. Let me show you how :P

Step 1:
Configure SmartCheck. In "Program, Settings" make sure every box is ticked in the "Error detection" tab, and everything except "Report Mouse...." is ticked in the "Reporting" tab. Now that's done, let's start. Load up your target exe in SmartCheck by pressing "F5". The program should load, do what you would do when cracking, enter the registration screen. Enter your name, and a random serial. Click "OK", and exit the prog. What SmartCheck has done is it's recorded everything that has happened just then. This means that somewhere, our serial is hiding. Ok, as you clicked "OK" in the prog, you should have noticed which Button was recorded, this will make the serial easier to find :P EG. "Command1_Click". Double click on it to expand, and you should see a lot more branches of your tree. I will give an example from a Crack-Me I did (also wrote a tut) to save me writing it all out again.

Step 2:
In some way, it will calculate your name.
From the crack-me, it was done like this:

-------------------- Paste From Tut --------------------
Asc returns Integer:83     S
Asc returns Integer:105    i
Asc returns Integer:79     O
Asc returns Integer:78     N
Asc returns Integer:105    i
Asc returns Integer:68     D
Asc returns Integer:69     E
Asc returns Integer:45     -
Asc returns Integer:67     C
Asc returns Integer:105    i
Asc returns Integer:65     A
-------------------- Paste From Tut --------------------

As you can see, the values spell out my Name. Hmmm... We know that the serial comes after the name, so let's scroll down some more. Sometimes there is only one branch left, so let's click on that. In the box on the right of SmartCheck, we should see something like this:

-------------------- Paste From Tut --------------------
-string (variant)
`
`--double .dblVal = *************
`-Long length = * 0x000000**
-------------------- Paste From Tut --------------------

Ok... Where it says "double .dblVal = ", this should be our serial in a longer form. Under it, "Long length = ", this is the length of the serial. Whatever the length is, just take that many off the "longer formed serial". Let me give you an example:

-string (variant)
`
`--double .dblVal = 87132165476872
`-Long length = 5 0x00000005

This means we just take "5" off of "87132165476872" which would make our serial "87132".

I'm afraid that's all in this tut, but I will be back. I hope you enjoyed it :))

I would like to Thank tKC for all past tuts which encouraged me, and all my friends on iRC for sticking by me :P

Cya next time,
SiONiDE (SiONiDE@mail.com)


VB cracking: How to keygen Snowman32 v2.42
by ACiD BuRN [ECLiPSE / CiA]

hello all! this is my 25th tutor, and i got some thanks for my previous tutors! thx all ppls who read my tuts and like them! well, let's start now!

Level        : easy
protection   : name / serial
where to get : http://www.abc-ware.de/
tools needed : Smart check 6 and VB to code the keygen

I)KEYGENING IT!

Ok, fire up your smart check and run the app with it!
go in the register menu, and enter:

name  : ACiD BuRN
City  : heheh
serial: 112233

the programme tells us: incorrect serial, blablabla! in smart check, you must see:

Mid$(String:"ACiD BuRN",Long1,VARIANT:Integer:1)
Asc(String:"A") returns Integer:65
Mid$(String:"ACiD BuRN",Long2,VARIANT:Integer:1)
Asc(String:"C") returns Integer:67
Mid$(String:"ACiD BuRN",Long3,VARIANT:Integer:1)
Asc(String:"i") returns Integer:105
......

this continues with all chars, but what the heck is he doing ?? In smart check, click on show all events, now u must see:

interesting! lemme explain you what he is doing!

Asc(String:"A") returns Integer:65                <== take the ascii value in decimal
__vbavaradd(VARIANT:empty,VARIANT:Integer:65)     <== this adds the ascii value to the last one
__vbavarsub(VARIANT:65,VARIANT:Integer:1)         <== this subtracts 1 from the result of the addition
__vbavarmov(VARIANT:64,VARIANT:Empty)             <== mov the result for using it later..

so, we see what it is doing! it takes the ascii value of the current place of the loop, and adds it to the last ascii result (here it is 0 "empty"), then it subtracts one value (here it is 1) and then moves the result somewhere to use it later!

let's look at the next char: C, we see:

Asc(String:"C") returns Integer:67                <== take the ascii value in decimal
__vbavaradd(VARIANT:64,VARIANT:Integer:67)        <== this adds the ascii value to the last final value (64 here)
__vbavarsub(VARIANT:131,VARIANT:Integer:2)        <== this subtracts 2 from the result of the addition (2 = the current place of the char)
__vbavarmov(VARIANT:129,VARIANT:64)               <== overwrite the last value with the new one..
.........
well, the prog does this for all chars of the name. for ACiD BuRN we found: 635

this value is found near the last letter of the name: "N" for ACiD BuRN:

Asc(String:"N") returns Integer:78                <== take the ascii value in decimal
__vbavaradd(VARIANT:566,VARIANT:Integer:78)       <== this adds the ascii value to the last one
__vbavarsub(VARIANT:644,VARIANT:Integer:9)        <== Subtract the current position in the name from the value (N = 9th place of my name)
__vbavarmov(VARIANT:635,VARIANT:566)              <== mov the result for using it later..

ok, now u see what i mean! now, scroll down in smart check and u see what the program is doing with the City entered:

i entered "heheh" as serial:

Asc(String:"h") returns Integer:104               <== take the ascii value in decimal
__vbavaradd(VARIANT:empty,VARIANT:Integer:104)    <== this adds the ascii value to the last one
__vbavarsub(VARIANT:104,VARIANT:Integer:1)        <== this subtracts 1 from the result of the addition
__vbavarmov(VARIANT:103,VARIANT:Empty)            <== mov the result for using it later..

ehe, this looks familiar! let's look at the next char who must be: "e"

we see:

Asc(String:"h") returns Integer:104               <== take the ascii value in decimal
__vbavaradd(VARIANT:103,VARIANT:Integer:104)      <== this adds the ascii value to the last one
__vbavarsub(VARIANT:207,VARIANT:Integer:3)        <== subtract the current position in the City from the value (here "h" of heheh ==> 3rd place)
__vbavarmov(VARIANT:204,VARIANT:103)              <== mov the result for using it later..

ok, look at the pic i added with this tut: you see that the programme does the same loop with the City as with the name, except it doesn't use all chars!

example: it takes one char, then skips the next char, takes one char, then skips the next one ...

for heheh: it takes the first "h", then skips the next char "e", then takes the next char "h", then skips the next char "e", and takes the next char "h". hope u understand now!

another example for: ACiD_BuRN it takes: Ai_uN

now, i am sure u understand!
the final value coming from the City is : 303
the final value coming from the name is : 635 (u remember! i hope)

Now you see this in smart check:

__vbavarMul(VARIANT:635,VARIANT:Integer:303)      <== multiply the value from the name with the value from the City
__vbavarAdd(VARIANT:192405,VARIANT:Long:45)       <== add "45" to the result

but what is this value ? where does it come from ?? lemme look something! A brain is useful, hehe

length of the name entered : 9 (length of ACiD BuRN = 9)
length of the city entered : 5 (length of heheh = 5)

9*5=45! wow we did it! so it adds to the result the multiplication of the length of the name with the length of the city!

so: 192405 + 45 = 192450

long(192450)-->Double(192450)

hehe, good =) scroll down and u see this:

Hex$(VARIANT:byRef Double:1.0069e+007)

if you click on this u see: 10068993 at the right of the smart check window

then u will see something looking like this:

__vbaVarTstNe(VARIANT:String:"112233",VARIANT:"99A401")....

heh, this looks like a comparison! i am sure if we enter 99A401 as serial, it will be registered! but we want to code a keygen!

we had 192450, and just under this we find: 10068993

Damn, where does this shit come from ?? Again, a little brain is useful =)

10068993 - 192450 = 9876543

hehe, looks like it adds 9876543 to our result! and then converts it to hexadecimal!

10068993 = 99A401 in hexa!

BINGO! we succeeded! Lemme explain you quickly the algo!

************************************************ALGO********************************************
1st : do the loop with all chars of the name
2nd : do the loop with some chars of the City
3rd : multiply their results to obtain one value
4th : add to it the result of the multiplication between the length of the name and the length of the City..
5th : add this to 9876543
6th : convert the result to hexadecimal
7th : nothing much, the result in hexadecimal is the correct serial!
********************************************END OF THE ALGO*************************************

2)KEYGEN SOURCE IN VB5:

like in all my tuts, i give u a working source of a keygen! i code it in VB coz it is easy to translate to another language! i limited the length of the City to 26, coz i coded it quickly, and i didn't know how to make it work using another way! sorry, but it works fine!

------------------------------KEYGEN SOURCE IN VB5-----------------------------------------------
For i = 1 To Len(Text1.Text)
    bignum = bignum + Asc(Mid$(Text1.Text, i, 1))
    bignum = bignum - i
Next i
val1 = bignum

For x = 1 To Len(Text2.Text)
    If x = 2 Then GoTo nah
    If x = 4 Then GoTo nah
    If x = 6 Then GoTo nah
    If x = 8 Then GoTo nah
    If x = 10 Then GoTo nah
    If x = 12 Then GoTo nah
    If x = 14 Then GoTo nah
    If x = 16 Then GoTo nah
    If x = 18 Then GoTo nah
    If x = 20 Then GoTo nah
    If x = 22 Then GoTo nah
    If x = 24 Then GoTo nah
    If x = 26 Then GoTo nah
    bignum2 = bignum2 + Asc(Mid$(Text2.Text, x, 1))
    bignum2 = bignum2 - x
nah:
Next x
val2 = bignum2

temp2 = val1 * val2
temp3 = Len(Text1.Text) * Len(Text2.Text)
temp3 = temp3 + temp2
temp3 = temp3 + 9876543
Text3.Text = Hex(temp3)
------------------------------END OF KEYGEN SOURCE IN VB5----------------------------------------

heh, i think the 26 max length for a City is enough!

so, just do a new project in vb, put 3 text boxes:

1 for the name
1 for the city (set the max limit to 26)
1 for the serial

create a Button, double click on it, and copy paste this source! run the keygen, and have Fun!

3)Ending....

Well, this tut is finished, hope u understand all this piece of shit, but if you have a comment or one question, mail me. you can find all my tuts at:

MAIL: ACiD_BuRN@nema.com
Web page URL: http://acidburn2000.cjb.net/

Enjoy!

Greetings to my groups : ECLiPSE / CiA / ODT

Also greetingz to: (no specific order)
R!SC, ^Inferno^, AB4DS, Cyber Blade, Klefz, Volatility, TORN@DO, T4D, Jeff, [Virus], JaNe, Appbusta, Duelist, tKC, BuLLeT, Lucifer48, MiZ, DnNuke, Bjanes, Skymarshall, afkayas, elmopio, SiFLyiNG, Fire Worx, Crackz, neural_en, WarezPup, _y, SiONIDE, SKORPIEN, Lazarus, Eternal_Bliss, Magic Raphoun, DEZM, Bisoux, Carpathia, K17, theMc, noos, Xmen, TeeJi, JB007, Arobas, T0AD, ytc, Kwai_lo, Killer_3K....

if your name is not here sorry! too much ppls to greets!

ACiD BuRN [ECL/CiA]


How to Keygen Ellipse HTML Sidekick 2000
by ACiD BuRN [ECLiPSE / CiA]

hi there again! i am back for another tut, on a visual basic programme =) and, as usual, teaching you how to keygen it!

-------------------------------------------------------------------------------------------------
description : VB
Level       : easy
tools needed: Smart check 6, delphi for the keygen
url         : http://surf.to/ellipsoft
-------------------------------------------------------------------------------------------------

I)Ready.. Go!

Fire up your smart check (i assume it is configured correctly) and open sidekick.exe. Run it with smart check... now, the app is loaded, go in the help menu, and then: REGISTER =)) i love this menu! eheh

well, now enter your name and serial (btw: this is not like usual shareware, it is an input box which asks u to enter your name and after that your serial)

i entered:

Name  : ACiD
Serial: 1122

this bitch tells us: Invalid Registration code blablablabla! anyway, close this programme now...

In smart check, u must see something like this:

sRegister_Click (this is the name of the register button u pushed to register)

so, click on it, you see: inputbox shit ...
and a few lines below, u see:

Mid$(String:"ACiD",long:1,VARIANT:Integer:1)   -> take the 1st char
asc(String:"A") returns Integer:65             -> take this ascii value
Str$(VARIANT:Integer:65)
string("65")-->Double(65)                      -> ascii value of the char
Double("147")-->Double(147)                    -> fucking value

shit, what the heck is this "147" ?? where does it come from ?? again, a brain is useful! what about subtracting these 2 values ?

147 - 65 = 82

ok, it is 82, now let's see the other char!

Mid$(String:"ACiD",long:2,VARIANT:Integer:1)   -> take the 1st char
asc(String:"C") returns Integer:67             -> take this ascii value
Str$(VARIANT:Integer:67)
string("67")-->Double(67)                      -> ascii value of the char
Double("149")-->Double(149)                    -> fucking value

hehe, lemme something :) 149 - 67 = 82!

wow, i think i know how this fucking value is calculated! i looked at the other chars, and i am right! look at this picture

you see it is the same for all chars! scroll down a bit, and just under the last calculation on the char (D for ACiD) u see something looking like this:

Mid$(String:"78231",long:1,VARIANT:Integer:1)
asc(String:"7") returns Integer:55
Str$(VARIANT:Integer:55)
string("55")-->Double(55)
Double("137")-->Double(137)

heh, this looks similar for us! let's look if the added value is the same:

137 - 55 = 82

good, it is the same, it takes the ascii value, and adds 82 to it (values are in hexadecimal)

look at the pic for the rest:

well, now we don't see anything about the value calculated above! so, click where u see the msgbox thing:

Msgbox(VARIANT:String:"Invalid Registration code....",Integer:0 ...

so, click on this, and click on: Show all events

lemme comment what u must see now:

__vbastrcat(String:"147149187150,String:"137138132133131")

this function adds strings.
example:

__vbastrcat(String:"ABC", String:"000")

this will add the string "ABC" to the string "000" so the result is: 000ABC

so, for our programme:

__vbastrcat(String:"147149187150,String:"137138132133131")

this adds 147149187150 to 137138132133131 and the result is: 137138132133131147149187150

don't forget these values are strings! so here "add" is not "+"

well, 147149187150137138132133131 looks like a serial number! run the app again, enter name: ACiD, and 137138132133131147149187150 as serial... Good, the msgbox "Thank you for registering" appears!

heh, well if you look a little at the values we get, you see for 147149187150

147 149 187 150

remember this ?? this comes from the name: ACiD

ascii value of A = 65     add ascii with 82: 65 + 82 = 147
ascii value of C = 67     add ascii with 82: 67 + 82 = 149
ascii value of i = 105    add ascii with 82: 105 + 82 = 187
ascii value of D = 68     add ascii with 82: 68 + 82 = 150

so, it takes ascii values in decimal, adds 82 to them, and adds each result as string:

147 + 149 + 187 + 150 = 147149187150

now, for the other value: 78231 we obtain: 137138132133131

ascii value of 7 = 55     add ascii with 82: 55 + 82 = 137
ascii value of 8 = 56     add ascii with 82: 56 + 82 = 138
ascii value of 2 = 50     add ascii with 82: 50 + 82 = 132
ascii value of 3 = 51     add ascii with 82: 51 + 82 = 133
ascii value of 1 = 49     add ascii with 82: 49 + 82 = 131

so, it takes ascii values in decimal from this code, adds 82 to them, and adds each result as string:

137 + 138 + 132 + 133 + 131 = 137138132133131

and then it adds as string the value from the name to the value for the code:

137138132133131 + 147149187150 = 137138132133131147149187150

well, u know how to make a keygen now! but i will tell u something about the "code": 78321

if you look at the readme txt file you see:

"To register, send a *Post Office Money order*, made out to Tim Boling.
On a separate piece of paper, please include your First/Last name, Product Name, ProductID code, which is 78231, and the name you would like this product registered to. *All envelopes MUST include a return address!* You must also include a valid email address. This is where your Registration Key will be sent to."

hmm: "ProductID code, which is 78231" nice! so now this number is just the product ID! btw, u must see it in the about menu too! i looked at other apps by ellipse software, and the algo is similar, the product ID changes... if you want to train, try to keygen them ;p

2)Source in delphi!

like in all my keygening tuts, i always show code of a working keygen. this time, i coded it in delphi (nice to change a little)...

********************************source in delphi*************************************************
procedure TForm1.Button1Click(Sender: TObject);
var
  i: integer;
  ascii,ascii2 : string;
begin
  for i:=1 to length(edit1.text) do
  begin
    ascii:=ascii + inttostr((ord(edit1.text[i])+82));
  end;
  begin
    for i:=1 to length(edit3.text) do
    begin
      ascii2:=ascii2 + inttostr((ord(edit3.text[i])+82));
    end;
    edit2.text:=ascii2+ascii;
  end;
end;
*******************************************end of source*****************************************

to make this work:

- 1st create a new project
- 2nd put 3 text boxes (1 for name (edit1.text there), 1 for product ID (edit3.text there), and 1 for the serial (edit2.text there)...
- 3rd put one button

double click on the button and paste this code! have fun, and enjoy it ...

3)Ending....

Well, this tut is finished, hope u understand all this piece of shit, but if you have a comment or one question, mail me. you can find all my tuts at:

MAIL: ACiD_BuRN@nema.com
Web page URL: http://acidburn2000.cjb.net/

Enjoy!

Greetings to my groups : ECLiPSE / CiA / ODT

Also greetingz to: (no specific order)
R!SC, ^Inferno^, AB4DS, Cyber Blade, Klefz, Volatility, TORN@DO, T4D, Jeff, [Virus], JaNe, Appbusta, Duelist, tKC, BuLLeT, Lucifer48, MiZ, DnNuke, Bjanes, Skymarshall, afkayas, elmopio, SiFLyiNG, Fire Worx, Crackz, neural_en, WarezPup, _y, SiONIDE, SKORPIEN, Lazarus, Eternal_Bliss, Magic Raphoun, DEZM, Bisoux, Carpathia, K17, theMc, noos, Xmen, TeeJi, JB007, Arobas, T0AD, ytc, Kwai_lo, Killer_3K, TaMaMBoLo...

if your name is not here sorry! too much ppls to greets!

ACiD BuRN [ECL/CiA]


We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #42 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:

Socko for Splash Logo.
ChosenFew for providing a tut in this version.
SiONiDE for providing 2 tuts in this version.
ACiD BuRN for providing 2 tuts in this version.
tKC/CiA (hey it's me!) for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials .. see below for my email address!

And all the tutors can be found at www.msjessca.da.ru!

Greetz goto all my friends!

You can find me on IRC or email me at tkc@reaper.org

Oh btw, please don't expect me to reply to your mails, since I get 50+/- mails everyday.. be sure that I really appreciate your mails! :)

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99
Compiled on 15 September 1999

Cracking Tutorial #41 is dedicated to Ms_Jessca, my liefie only. Who else?
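
Added example (not part of the original tutorials): the "Basics of Cracking" section changes a single opcode byte, 0F85 (jne) to 0F84 (je), and a defender can spot exactly that kind of in-place edit by comparing a suspect copy against a known-good build. The sketch below generalises from that one pair to any inverted x86 conditional jump; the sample bytes reuse the inc/call/jne listing from that section, and everything else (names, the trailing short jne and ret) is constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# x86 condition-code mnemonics, indexed by the low nibble of a Jcc opcode.
CC = ["o", "no", "b", "ae", "e", "ne", "be", "a",
      "s", "ns", "p", "np", "l", "ge", "le", "g"]


@dataclass(frozen=True)
class Finding:
    offset: int   # file offset of the changed byte
    before: str   # byte(s) and mnemonic in the reference build
    after: str    # byte(s) and mnemonic in the suspect copy
    kind: str     # "near-jcc-inverted", "short-jcc-inverted" or "other"


def classify(ref: bytes, sus: bytes, off: int) -> Finding:
    """Classify one differing byte at file offset `off`."""
    a, b = ref[off], sus[off]
    # Opposite conditions (je/jne, jl/jge, ...) differ only in bit 0.
    inverted = (a ^ b) == 1

    # Near Jcc is 0F 80..8F rel32: the changed byte is the second opcode byte,
    # and the 0F prefix must be untouched in both files.
    if (inverted and 0x80 <= a <= 0x8F and off > 0
            and ref[off - 1] == 0x0F and sus[off - 1] == 0x0F):
        return Finding(off, f"0F {a:02X} j{CC[a & 15]}",
                       f"0F {b:02X} j{CC[b & 15]}", "near-jcc-inverted")

    # Short Jcc is 70..7F rel8. Without a disassembler this byte could also be
    # an operand or data, so treat the hit as a lead to confirm, not as proof.
    if inverted and 0x70 <= a <= 0x7F:
        return Finding(off, f"{a:02X} j{CC[a & 15]}",
                       f"{b:02X} j{CC[b & 15]}", "short-jcc-inverted")

    return Finding(off, f"{a:02X}", f"{b:02X}", "other")


def diff_images(ref: bytes, sus: bytes) -> list:
    """Return one Finding per differing byte of two same-sized images."""
    if len(ref) != len(sus):
        raise ValueError("size differs: not an in-place patch, compare by hash")
    return [classify(ref, sus, i) for i in range(len(ref)) if ref[i] != sus[i]]


def audit(ref: bytes, sus: bytes) -> dict:
    """Hash check first; only diff byte-by-byte when the digests disagree."""
    ref_hash = hashlib.sha256(ref).hexdigest()
    sus_hash = hashlib.sha256(sus).hexdigest()
    match = ref_hash == sus_hash
    findings = [] if match else diff_images(ref, sus)
    return {"match": match, "sha256": sus_hash, "findings": findings}


# Constructed sample. First three instructions are the listing from the
# tutorial (inc ecx / call / jne); the short jne and ret are made up.
REFERENCE = bytes.fromhex("41" "E8B1CFF7FF" "0F8532010000" "7510" "C3")

# Suspect copy with the one-byte edit the tutorial describes (0F85 -> 0F84).
_patched = bytearray(REFERENCE)
_patched[7] = 0x84
SUSPECT = bytes(_patched)

if __name__ == "__main__":
    report = audit(REFERENCE, SUSPECT)
    print("match:", report["match"])
    for f in report["findings"]:
        print(f"offset 0x{f.offset:X}: {f.before} -> {f.after} [{f.kind}]")
```

In practice the reference digest would come from a signed release manifest rather than a second file on the same disk, since a copy stored next to the binary can be edited along with it.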