How to Crack mIRC 5.x


Well, I will write my first little tutorial in English !!! Please understand
if my English is the worst (at least my teacher said that) ;)

Ok, of course you know mIRC, right ? It's a great tool for all of you
IRC demons ;)

The previous version of this software (5.4) was cracked successfully
by our cracker, h3n ... But I wanted to take a deeper look into the
program, so I decided to write a simple keygen, in Pascal.

First, I attacked this version (5.5) via MessageBoxA. Scroll up a little
bit until you see SendMessageA: two parameters get pushed (dump them, they
are your username and your bogus serial), then a call and a simple
conditional jump. To my eyes that looked absolutely like a serial routine ;)

F8 into the call. After reading a couple of bytes of code, first mIRC
checks whether your serial contains 2Dh, which is a "-" if you didn't know.
Then it converts the first part of the serial (before the "-") into an
integer and keeps it at EBP-4, then the second part (after the "-") into an
integer, kept at EBP-8 ! Easy, eh ? ;)

Then trace a little bit further and you land in this username-to-real-serial
routine ;) :

:004921ED 8945F4           MOV [EBP-0C],EAX
:004921F0 33C0             XOR EAX,EAX
:004921F2 33DB             XOR EBX,EBX
:004921F4 BA03000000       MOV EDX,00000003
:004921F9 8B4D08           MOV ECX,[EBP+08]          -->> ECX points to our username (1st char)
:004921FC 83C103           ADD ECX,03                -->> ECX points to our username (4th char) !
:004921FF 3B55F4           CMP EDX,[EBP-0C]          -->> EDX = 3, EBP-0C = username length, it should be bigger than 4 (I think) ;)
:00492202 7D1C             JGE 00492220              -->> if it's less, bye bye dumbo !
:00492204 0FB631           MOVZX ESI,BYTE PTR [ECX]  -->> 4th, 5th, 6th, ... char of username
:00492207 0FAF348560014D00 IMUL ESI,[EAX*4+004D0160] -->> EAX = 0, 4D0160 is a table, it should point to some value !
:0049220F 03DE             ADD EBX,ESI               -->> keep it in EBX
:00492211 40               INC EAX
:00492212 83F826           CMP EAX,26                -->> EAX more than 26h ?
:00492215 7E02             JLE 00492219
:00492217 33C0             XOR EAX,EAX               -->> then zero it !
:00492219 42               INC EDX
:0049221A 41               INC ECX
:0049221B 3B55F4           CMP EDX,[EBP-0C]
:0049221E 7CE4             JL 00492204
:00492220 3B5DFC           CMP EBX,[EBP-04]          -->> remember EBX ? It's compared with bogus serial part 1 !
:00492223 7404             JZ 00492229
:00492225 33C0             XOR EAX,EAX
:00492227 EB45             JMP 0049226E
:00492229 33C0             XOR EAX,EAX
:0049222B 33DB             XOR EBX,EBX
:0049222D BA03000000       MOV EDX,00000003
:00492232 8B4D08           MOV ECX,[EBP+08]
:00492235 83C103           ADD ECX,03
:00492238 3B55F4           CMP EDX,[EBP-0C]
:0049223B 7D23             JGE 00492260
:0049223D 0FB631           MOVZX ESI,BYTE PTR [ECX]
:00492240 0FB679FF         MOVZX EDI,BYTE PTR [ECX-01]
:00492244 0FAFF7           IMUL ESI,EDI
:00492247 0FAF348560014D00 IMUL ESI,[EAX*4+004D0160]
:0049224F 03DE             ADD EBX,ESI
:00492251 40               INC EAX
:00492252 83F826           CMP EAX,26
:00492255 7E02             JLE 00492259
:00492257 33C0             XOR EAX,EAX
:00492259 42               INC EDX
:0049225A 41               INC ECX
:0049225B 3B55F4           CMP EDX,[EBP-0C]
:0049225E 7CDD             JL 0049223D
:00492260 3B5DF8           CMP EBX,[EBP-08]          -->> EBX compared with bogus serial part 2 !
:00492263 7404             JZ 00492269
:00492265 33C0             XOR EAX,EAX
:00492267 EB05             JMP 0049226E
:00492269 B801000000       MOV EAX,00000001
:0049226E 5F               POP EDI
:0049226F 5E               POP ESI
:00492270 5B               POP EBX
:00492271 8BE5             MOV ESP,EBP
:00492273 5D               POP EBP
:00492274 C20800           RET 0008

Well, I'm not in the mood to explain the second part of the serial, because
it's almost the same, with one little variation (the extra MOVZX/IMUL on
[ECX-01], the previous char).

Before I forget, here is the table at 4D0160 :

:d 4d0160 l 200
0167:004D0160 0B 00 00 00 06 00 00 00-11 00 00 00 0C 00 00 00 ................
0167:004D0170 0C 00 00 00 0E 00 00 00-05 00 00 00 0C 00 00 00 ................
0167:004D0180 10 00 00 00 0A 00 00 00-0B 00 00 00 06 00 00 00 ................
0167:004D0190 0E 00 00 00 0E 00 00 00-04 00 00 00 0B 00 00 00 ................
0167:004D01A0 06 00 00 00 0E 00 00 00-0E 00 00 00 04 00 00 00 ................
0167:004D01B0 0B 00 00 00 09 00 00 00-0C 00 00 00 0B 00 00 00 ................
0167:004D01C0 0A 00 00 00 08 00 00 00-0A 00 00 00 0A 00 00 00 ................
0167:004D01D0 10 00 00 00 08 00 00 00-04 00 00 00 06 00 00 00 ................
0167:004D01E0 0A 00 00 00 0C 00 00 00-10 00 00 00 08 00 00 00 ................
0167:004D01F0 0A 00 00 00 04 00 00 00-10 00 00 00 00 00 00 00 ................
0167:004D0200 00 00 00 00 53 6F 66 74-77 61 72 65 5C 6D 49 52 ....Software\mIR
0167:004D0210 43 00 00 6D 49 52 43 00-00 6E 61 6D 65 00 00 63 C..mIRC..name..c

After understanding the lame routine (but good for a tutorial, a nice
"beginner" table algorithm) I created a keygen in Pascal :

Program mIRC32 ;
uses crt ;

{ the 40 dwords dumped at 4D0160, one entry per dword (the routine only
  ever reaches index 26h) }
const magictable : array[0..39] of longint = (
  $0B, $06, $11, $0C, $0C, $0E, $05, $0C, $10, $0A,
  $0B, $06, $0E, $0E, $04, $0B, $06, $0E, $0E, $04,
  $0B, $09, $0C, $0B, $0A, $08, $0A, $0A, $10, $08,
  $04, $06, $0A, $0C, $10, $08, $0A, $04, $10, $00) ;

var Username : string ;
    i, j : integer ;
    serial, k : longint ;

begin
  clrscr ;
  writeln('mIRC 5.x Key-Generator by flag eRRatum') ;
  writeln('Please enter username (more than 4 char !) : ') ;
  readln(username) ;

  if length(username) <= 4 then
  begin
    Textcolor(LightRed) ; writeln('Enter more than 4 char, Dumbo !') ;
    halt ;
  end ;

  { part 1: from the 4th char on, sum char * magictable[j]; j wraps after 26h }
  serial := 0 ; j := 0 ;
  for i := 4 to length(username) do
  begin
    serial := serial + ord(username[i]) * magictable[j] ;
    inc(j) ; if j > $26 then j := 0 ;
  end ;

  write('Your Serial is : ', serial, '-') ;

  { part 2: same walk, but each char is first multiplied by the previous one
    (longint cast so the product can't overflow a 16-bit integer) }
  serial := 0 ; j := 0 ;
  for i := 4 to length(username) do
  begin
    k := longint(ord(username[i])) * ord(username[i-1]) ;
    serial := serial + k * magictable[j] ;
    inc(j) ; if j > $26 then j := 0 ;
  end ;

  writeln(serial) ;
end.
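As an added example (my own code, not the tutorial's keygen and not mIRC's), here is a Python model of the check routine listed above, read from the verification side: it splits the serial on the "-", converts both halves and recomputes the two loops with the 32-bit register wraparound and the 26h index wrap the disassembly shows. The sample username is constructed; mIRC 5.x is assumed to be an ANSI build (one byte per character).

```python
# Added model (not mIRC's code) of the check routine at 004921ED, built from the listing.
MASK32 = 0xFFFFFFFF  # the routine works in 32-bit registers

# The 40 dwords dumped at 004D0160; only indices 0..26h are ever reached.
MAGIC_TABLE = [
    0x0B, 0x06, 0x11, 0x0C, 0x0C, 0x0E, 0x05, 0x0C, 0x10, 0x0A,
    0x0B, 0x06, 0x0E, 0x0E, 0x04, 0x0B, 0x06, 0x0E, 0x0E, 0x04,
    0x0B, 0x09, 0x0C, 0x0B, 0x0A, 0x08, 0x0A, 0x0A, 0x10, 0x08,
    0x04, 0x06, 0x0A, 0x0C, 0x10, 0x08, 0x0A, 0x04, 0x10, 0x00,
]

def _next_index(eax: int) -> int:
    # INC EAX / CMP EAX,26 / JLE / XOR EAX,EAX: the table index wraps after 26h
    eax += 1
    return 0 if eax > 0x26 else eax

def part1(username: bytes) -> int:
    # First loop (004921F0..0049221E): EBX += char[EDX] * table[EAX], EDX = 3 .. len-1
    ebx, eax = 0, 0
    for edx in range(3, len(username)):
        ebx = (ebx + username[edx] * MAGIC_TABLE[eax]) & MASK32
        eax = _next_index(eax)
    return ebx

def part2(username: bytes) -> int:
    # Second loop (00492229..0049225E): same walk, but each char is first
    # multiplied by the char before it ([ECX-01]), the "little variation"
    ebx, eax = 0, 0
    for edx in range(3, len(username)):
        esi = (username[edx] * username[edx - 1]) & MASK32
        ebx = (ebx + esi * MAGIC_TABLE[eax]) & MASK32
        eax = _next_index(eax)
    return ebx

def check_serial(username: str, serial: str) -> bool:
    # Whole check: look for '-' (2Dh), convert both halves to integers
    # (EBP-4 / EBP-8) and compare each with its sum; part 1 is tested first.
    first, dash, second = serial.partition("-")
    if not dash or not first.isdecimal() or not second.isdecimal():
        return False  # no dash, or nothing the ASCII-to-integer step can parse
    name = username.encode("latin-1")  # assumption: ANSI build, one byte per char
    if int(first) & MASK32 != part1(name):
        return False
    return int(second) & MASK32 == part2(name)

if __name__ == "__main__":
    name = "abcd"  # constructed sample username
    print(name, "->", f"{part1(name.encode())}-{part2(name.encode())}")
```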

Very easy, eh ? Any comments/questions ? ;)