RKS Softwares
I just wana CRACK YOU !!
PART (1)
Best view 1024 X 768
by FaT[BiT] \ TNT!
Cracking For Beginners
 
Program Info
Program Name : Depends on what you D/L
Program Type : Depends on what you D/L
Program Location : http://www.rkssoftware.com
Program Size : Depends on what you D/L
 
ToolZ :
SoftIce v4.05
Pen & Paper
Easy ( X ) Medium (  ) Hard (  ) Pro (  )


RKS SoftWares (The Making of a KeyMaker for Any Product)
Cracked , Written and Keygened by : FaT[BiT] \ TNT!
Tutorial No. : 12


Dedication Fly To :

To MY BEST Friend ever on efNET
-- Sir dReAm --
and also goes to
-- Iczelion -- -- hutch -- -- jorge -- -- Mazm -- -- XasX --

Introduction & Protection

HI THERE !!
PLEASE EXCUSE MY POOR ENGLISH !!!
THIS IS _ONLY_ FOR NEWBIES

Hola dudes !! ... back again with another tutorial, and I hope you like this one, especially if you like keymakers, because in this tutorial I will show you how to make one ........ The keymaker is for a single product by rkssoftware, but if you want to make a keymaker for another of their products you can use the same method that is shown here and it will work just fine ...

I have chosen Tray Calendar v2.8d for this tutorial. If you wish to do the same, that is all right, and if you wish to choose another of their products, that is also all right, so let's begin !!

pROTEcTION

The protection is the usual one: a Name and a Serial Number. After you enter the serial number correctly it is saved in an *.ini file in the install directory, so I think you get the picture. Let's make a keymaker, but first we have to find the algorithm ... o.k, whatever we're going to do .... let's begin !!

The Essay

O.k, there are two methods to crack this program, but before I tell you what they are, I will give you a TIP. When you want to crack any software, always ... do you hear me ... ALWAYS enter your info with a dummy code and take a good look at the error message, because it is sometimes useful. Say the error message is a message box: then you know which API the program uses to display it (a message box comes from the MessageBox API), and that is something you can set a breakpoint on ....

The Easy Way

Now ... I have installed Tray Calendar and run it; you should do the same, of course (DUH !!!). You will be greeted by a screen that has NO title bar but has 3 buttons, one of which is Enter Serial Number. HELL, let's click it! O.k, enter your name and any dummy serial you want; in my case I entered:

Name : FaT[BiT] \ TNT!
Serial Number : 2462000

Then click the o.k button ... and there you go, our error message is here ... WOW !! it is a very large message, let's read what it says ... hmm !! blah blah !!! STOP ... did you just see what I saw ..... look !! at these lines ....

make sure the serial number start's with "RKS-"
make sure there is a dash (-) between "RKS" and the number

This is probably the stupidest error message I have ever seen in my whole life ... do you know what this means? I think you get the picture: it means we only have to search memory for the string "RKS-", and once we find it we write it down, try it and *B00M* we're registered !!! (could this be true !!) Hell, let's try it !!

O.k, again enter your name and a number, but this time WITHOUT the "RKS-" prefix, so that the search below does not also match the serial you typed yourself, and before you click the o.k button press [Ctrl]+D and set a bpx (breakpoint) like this one:

bpx hmemcpy

And here is another tip: since we have 2 edit boxes, one for the name and one for the serial number, the first break made by SoftIce (the read of the name) can be ignored ... we only have to focus on the 2nd one. Now press the o.k button, SoftIce will break; press F5, SoftIce breaks again; now press F11, then press F12 about 7 times; now trace with F10 until you have finished all the RET commands; when the RETs are done, press F10 about 5 more times and then do a search for the serial like this:

S 0 L FFFFFFFF "RKS-"

Ahh .. mind the spaces ... O.k, at first it will find something like 'RKS-' but without a serial next to it ... now type only S to make SoftIce find the next match ... do this about 4 times tops and yes !!! you will find a serial ... try it, and the thank-you message says "Thanx, yeah, whatever, blah blah !!!!"

hehehehehe ..... I'm really surprised .... when I cracked it the first time I thought, come on man, this is way too easy, so hmmm ... let's get down into the code to learn how the program calculates our serial !!! But before that, as I always say: if you are reading just to find your serial number, you have done a good job reading this far ... so thanks, but if you want to know how the program calculates the serial, you might want to stick around !!!

let's Get DOWN TO IT !!!!

In the easy method above I didn't list any code, so there is nothing to repeat here, but now I will list some code, so don't wet your .........

O.k, I can't tell you exactly how to reach the code I'm going to list, because I spent about 15 minutes or so tracing in SoftIce until I got to the algorithm that calculates the serial number. What I can give you is a tip on how to find where the algorithm starts:

Run the program, enter your name with a dummy serial, and before you press the o.k button get into SoftIce and set a bpx on hmemcpy (just like in the easy method !!), then press F5 to leave SoftIce. Now press the o.k button ... SoftIce will break ... press F5 one more time, because the first break is for reading our name and the second is for reading our serial, after which the program calculates the real serial from our name and compares it with the one we entered ... so the 2nd break is our starting point (I hope you get the picture !!). At the 2nd break press F11 to get to the caller, then press F12 about 7 times, then keep pressing F10 until you have finished all the RET commands. From here you are on your own: use F10 and F8 to step over or into every call and trace every instruction until you finally reach code like this ..

But before I list the code, I will tell you something you will see while tracing: EAX will hold the value "TC" and it is compared with other values like "IP", "SS", "VBC" ... you might wonder what these values are; in fact it is easy. The program I'm cracking is Tray Calendar, in other words TC, hehehe, easy huh !! (But what about the others !!) Well, this is a simple question with a simple answer: take a look at the rkssoftware site, look at all the products and take the first letters, and there you have it (e.g. VBC = Visual Business Card). (But why does the program do this !!!) Heheh, you will see in a moment why !!! Let's get back to the tutorial ... as I said, you are now on your own, and by the way, here is another tip: while tracing you will see your name being turned into capital letters ... Well, I think I have given a lot of tips, so let's list the algorithm and explain it, and get the hell outta here !!!


:0043A8AC 8B45F4          mov eax, dword ptr [ebp-0C] <-- EAX = pointer to our name (already in capitals)
:0043A8AF 8A4408FF        mov al, byte ptr [eax+ecx-01] <-- AL = the ECX-th char of our name (ECX counts from 1)
:0043A8B3 3C20            cmp al, 20 <-- compare it with 20h = space
:0043A8B5 740C            je 0043A8C3 <-- if it is a space, skip to the counter update (i.e. don't calculate it !!)
:0043A8B7 25FF000000      and eax, 000000FF <-- else keep only the low byte of EAX, i.e. the char (explained later)
:0043A8BC 0FAF45F0        imul eax, dword ptr [ebp-10] <-- multiply it by the value in [ebp-10]
:0043A8C0 48              dec eax <-- subtract one from the result
:0043A8C1 03F0            add esi, eax <-- add the result to ESI (i.e. ESI holds our serial at the end)
:0043A8C3 41              inc ecx <-- next char (ECX is the char index)
:0043A8C4 4A              dec edx <-- subtract one from the counter (EDX = chars left)
:0043A8C5 75E5            jne 0043A8AC <-- loop again if the counter is not zero


Well, right now I'm too fuckin' sleepy !!! I will go to sleep and finish it later !!! cya ZZzzzZZZzzzZZZzzzZZZzzzZZZzzzZZZ

O.k, I'm back !!! Let's continue !!
O.k, to save some questions I will explain each line to DEATH, so you will end up with NO QUESTIONS AT ALL.

What is happening at address 0043A8AC ?

O.k ... we are standing on this line but have not yet pressed F10 to execute it, so what the hell are you waiting for, Christmas? .... k00l, you have pressed F10. Now let's see what EAX points to by typing d eax ... hmmm, it is our name, but not as we entered it: it is all in capital letters ... so now we know what this line does: it loads the pointer to our (capitalised) name .... good !!

What is happening at address 0043A8AF ?

O.k, we are now standing at this address; press F10 and let's see what the program puts in AL. You can do that by typing ? al, and look, it holds the first char of our name, in my case "F" ... kool, so this command moves the current char of our name (the one indexed by ECX) into AL .... good !!

What is happening at addresses 0043A8B3 and 0043A8B5 ?

O.k, now we are at this address; let's press F10 to execute it, but I don't think it is hard to know what it does ... o.k o.k, I'll tell you: these two lines check whether the char in AL is a space; if it is, it jumps to 0043A8C3, which just advances to the next char and decrements the counter, so that spaces are not included in the calculation of the serial number ... easy, right ... good !!

What is happening at address 0043A8B7 ?

Now ... if we didn't take the jump, the char is not a space, right !! Before you press F10 to execute this command, take a look at the value of EAX; you don't have to type anything, just look at it in the register window at the top of SoftIce. In my case it was FFFFFF46, and after I pressed F10 it became 00000046. The mov al above only loaded the low byte, so the upper three bytes of EAX still held whatever was there before; the AND with 000000FF clears them and leaves EAX = 46h, which is 'F'. In your case it will be different depending on the name you entered ... so now we have 46h in EAX .... please pay attention here ... because this is important ....

What is happening at addresses 0043A8BC , 0043A8C0 & 0043A8C1 ?

Now we are at this address ... press F10 ... the IMUL here multiplies EAX, which is 46h = 70 in decimal, by the number stored at [ebp-10], and the result goes into EAX ... then at 0043A8C0 one is subtracted from EAX ... and if you type ? eax after the instruction at 0043A8C0 has executed, you will see the result produced by the first char of your name alone .... I know you feel kind of lost here, but I will explain it more and also find out what EAX was multiplied by ..

O.k ... again ... EAX holds the first char of our name, in my case 70 (i.e. 46h = 70d = 'F') ... then EAX is multiplied by the content of [ebp-10] and one is subtracted from the result .... woof !!! I don't know how to say it in a simpler way ....

But what is the number EAX was multiplied by ... hmmm ... we are now at address 0043A8C1, right ... well, if you are not there, press F10 to get there; the whole result is now in EAX. Type ? eax and look at the output: you will see two values, the left-most one in hex and the one next to it in decimal; in my case it is 629369. But how did F turn into this ... hmmm, let's do a little bit of math.

We have the value 629369, and the instruction at 0043A8C0 subtracted one from it, right, so we add that one back: 629369 + 1 = 629370. This value we got by multiplying 70 by the number we are trying to find, so:

70 * X = 629370 ... so ... X = 629370 / 70 ... and we find that X = 8991 ... YES !!! THERE IS A GOD !!!!

Wow .. so our char is multiplied by 8991 and then one is subtracted from the result ....

But this is not over yet ... we are now standing at address 0043A8C1 ... this command adds the content of EAX to ESI .... let's move on by pressing F10; the next command adds one to ECX (the char index), the one after it subtracts one from EDX (the counter, which started at the length of our name), and the jump checks whether the counter is zero ... if not, it loops again to take the next char of our name, multiply it by 8991 and subtract one from the result ...

Then it adds the content of EAX to ESI, and ESI already holds the value for our first char, so now the value for the 2nd char is added to it, then the third and so on ..... so after the loop finishes, if we do ? esi we find our serial number, and as the error message said, the serial number must start with 'RKS-', so in my case it was RKS-8964014 ...

O.k o.k .... I know you may have a headache now, but I will write it again in steps; maybe you will find this way easier:

1. get the length of our name.
2. make our name all capital letters.
3. start a loop from 1 to the length of our name (spaces are included in the length).
4. get the current char of the name.
5. check if it is a space; if yes, skip to step 7 (it is not calculated).
6. else multiply its ASCII code by 8991, subtract 1 from the result and add that to the running total (ESI).
7. get the next char.
8. check if the counter is zero; if not, go to step 4.

And since I really want you to learn something from this tutorial, I wrote the algorithm in Turbo Pascal v7.0, so here you go .... (Serial_no and ascii must be longint, because a 16-bit integer overflows on the first multiplication; the 97..122 check converts lowercase letters to capitals, which is what the program does to the name before the loop.)


program RKSKeygen;
var
  your_name : string;
  counter   : integer;
  ch        : char;
  ascii, Serial_no : longint;  { longint: a 16-bit integer overflows here }
begin
  write('Name: '); readln(your_name);
  Serial_no := 0;
  for counter := 1 to length(your_name) do
    begin
      ch := your_name[counter];
      if (ch <> ' ') then            { spaces are skipped, like cmp al,20h / je }
        begin
          ascii := ord(ch);
          { lowercase a..z (97..122) is turned into capitals by subtracting 32 }
          if ((ascii >= 97) and (ascii <= 122)) then
            Serial_no := Serial_no + (((ascii - 32) * 8991) - 1)
          else
            Serial_no := Serial_no + ((ascii * 8991) - 1);
        end;
    end;
  writeln('RKS-', Serial_no);      { the dialog wants the RKS- prefix }
end.


I really hope you got it, because I don't know any easier way to explain this algorithm. It is easy, and please, if you didn't understand it, read it again !! I'm sure you will get it in the end, and don't blame me .......

Tray Calendar is KEYGENED

WHAT ABOUT THE OTHERS ...

Well, the others are totally the same; the only difference is the value a single char is multiplied by (which is presumably what the product-code comparison with TC, IP, VBC ... that we saw while tracing is for). There is of course an easier way to find the algorithm now that you know how it calculates a serial, but I will give you a small hint for finding the multiplier of the other products ...

As you have seen, our name is always changed to capital letters inside the algorithm, right !!! So try to find the serial numbers for the names (a), (A) and (B) ... I think you will find the algorithm right away once you have the serials for (A) and (B): the serial for (A) is 65 * multiplier - 1 and the serial for (B) is 66 * multiplier - 1, so their difference IS the multiplier, and (a) giving the same serial as (A) confirms the capitalisation .....
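Here is the whole thing in Python, as an added example that is not part of the original tutorial and not code from RKS Software: a keygen that mirrors the loop at 0043A8AC..0043A8C5 for any multiplier (the steps listed above), plus a routine that recovers the multiplier of another RKS product from two known name/serial pairs, which is the (A)/(B) hint worked out in general. The only values taken from the tutorial are the Tray Calendar multiplier 8991 and my own name/serial pair used as a sanity check; the function names and the 1234 "other product" multiplier in the demo are made up for illustration.

```python
# Added example (not the tutorial's code, nor anything from RKS Software):
# a keygen mirroring the loop at 0043A8AC..0043A8C5 for any multiplier, and
# recovery of another product's multiplier from two name/serial pairs.
# 8991 and the author's name/serial come from the tutorial; the function
# names and the 1234 demo multiplier are assumptions made for this example.

TRAY_CALENDAR_MULT = 8991   # found in the tutorial: 629370 / 70 = 8991


def _char_sum(name):
    """Sum and count of the capitalised, non-space character codes of name.
    Capitalisation happens before the loop; spaces are skipped by the
    cmp al,20h / je at 0043A8B3."""
    codes = [ord(ch) & 0xFF for ch in name.upper() if ch != " "]
    return sum(codes), len(codes)


def rks_serial(name, mult=TRAY_CALENDAR_MULT):
    """Serial for name: for each kept char add (code * mult) - 1 to ESI,
    kept to 32 bits like the real register, then prefix 'RKS-'."""
    total = 0
    for ch in name.upper():                # the name is capitalised first
        if ch == " ":                      # je 0043A8C3: spaces are skipped
            continue
        code = ord(ch) & 0xFF              # and eax, 0FFh: low byte only
        total = (total + code * mult - 1) & 0xFFFFFFFF   # imul / dec / add esi
    return "RKS-%d" % total


def check_serial(name, serial, mult=TRAY_CALENDAR_MULT):
    """What the registration dialog insists on: the 'RKS-' prefix with its
    dash (both given away by the error message), then the right number."""
    return serial.startswith("RKS-") and serial == rks_serial(name, mult)


def recover_multiplier(name_a, serial_a, name_b, serial_b):
    """Solve for the multiplier m of a product that uses the same loop.
    Each serial is m*S - N (S = sum of kept char codes, N = their count), so
        m = ((serial_a + N_a) - (serial_b + N_b)) / (S_a - S_b).
    The tutorial's hint (names 'A' and 'B') is the special case
    N_a = N_b = 1, S_b - S_a = 1, i.e. m = serial_b - serial_a."""
    num_a = int(serial_a[len("RKS-"):])
    num_b = int(serial_b[len("RKS-"):])
    s_a, n_a = _char_sum(name_a)
    s_b, n_b = _char_sum(name_b)
    if s_a == s_b:
        raise ValueError("names have the same char sum; pick different names")
    numer = (num_a + n_a) - (num_b + n_b)
    denom = s_a - s_b
    if numer % denom:
        raise ValueError("serials do not fit the RKS loop (different product?)")
    return numer // denom


if __name__ == "__main__":
    author = "FaT[BiT] \\ TNT!"
    print(author, "->", rks_serial(author))          # RKS-8964014 as in the text
    # A made-up second product with multiplier 1234: register 'A' and 'B',
    # subtract, and the multiplier falls out, exactly as the hint says.
    other = 1234
    sa, sb = rks_serial("A", other), rks_serial("B", other)
    print("A:", sa, " B:", sb, " multiplier:", recover_multiplier("A", sa, "B", sb))
```

Because the serial is just m * (sum of char codes) - (number of chars), any two names with different char sums are enough to recover m; the single-letter names only make the subtraction trivial. Note that the result is masked to 32 bits to match ESI, which only matters for absurdly long names.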

Final Words

O.k, there you have it. I hope you have enjoyed this tutorial as much as I enjoyed writing it !!, and see you in another tutorial !!!
FaT[BiT]_FaTsO GreetZ :

tKC ( you really showed us the LIGHT !!! thanx a lot )
LW2000 ( Thanx !!! i now use my brain !!)
Xasx ( what do u think !! ... is it good !!! )
Sir_dReAm ( here is mine ... where is yours ..... hehehehehehehe)
Bonez (Thanx for the support !! )

and to all TNT!CRACK!TEAM! members

Any comments mail to :
FaT_BiT@ididitmyway.com
cya
__ FaT[BiT] \ TNT! __

