[ mp3 - explorer ] v4.3.0
if not a keygen ... then what ??
by FaT[BiT] \ TNT!
Cracking For Beginners
 
Program Info
Program Name : mp3 explorer.exe
Program Type : Music Util.
Program Location : http://www.mp3-explorer.com
Program Size : 2.16 MB
 
ToolZ :
Win32dasm v8.93
SoftIce v4.05
C/C++ compiler


All these toolz can be found at http://w3.to/protools
Easy ( X ) Medium (  ) Hard (  ) Pro (  )


[ mp3 - explorer ] v4.3.0
Cracked and Written by : FaT[BiT] \ TNT!
Tutorial No. : 17


Dedication Fly to

To the best ppl i have ever known on iRC (efNET)
-- ASTAGA -- aZmO -- [XASX] -- Sir dReAm -- Iczelion -- hutch --

Introduction & Protection

iNTROdUCTION :

hi there !!! it has been a long ... long time ... since my last tutorial !! , but here i am again !! ....
You know something , it is strange how sometimes we act like we know everything !! , and at the end what we know is nothin' , for example listen to this story : before i wrote this tutorial , i installed the prog. and started cracking it, the thing is i couldn't crack it !! can u believe it !! , i just couldn't, but then for some strange reason i did , and guess what, i cracked it using a diff. approach than the first time i cracked it !! , so my point here !!! NEVER EVER think that u know everything !!

pROTEcTION :

This program is like any other !! , it needs an email address and a registration key , so our job here is to find the correct registration key for our email and then make a keygen for this program !!

The Essay

o.k let's start !! , now after u install the program, run it to take a look at it !! , you will see on the menu something like this '?', click it , then click about [ mp3 .... , now as u can see we have found where to put our info , click on the registration tab then click on enter registration info , let's enter our info , in my case i wrote :

E-mail address : FaTzBiT@tntcrackers.ws
Registration Key : 1234567890

now click on the o.k button and u will be hit by this messagebox :

Registration info are not correct ! Please try again.

now you know what to do !! , that's right let's dasm the exe file , and look for our message , now i know some of you don't like to dasm the exe file , but you like the live approach , hmm !! if that's what u want then skip ahead to where i start using softice in this tutorial , but remember if you are a newbie , then i think this is the best approach !! , anyway after we dasm the file, we look for our error message in the SDR ref . and look ... above the error message u will find our thank u message !! let's double click on it and u will see something like this code :


* Possible Reference to String Resource ID=00153: "Thanks for registering [ m p 3 - e x p l o r e r ] !" <-- good boy

:00401B0C 6899000000              push 00000099
:00401B11 8D4C2410                lea ecx, dword ptr [esp+10]

* Possible Ref to Menu: MenuID_0080, Item: ""

:00401B15 C7052C354B0001000000    mov dword ptr [004B352C], 00000001
:00401B1F E8D0430500              call 00455EF4
:00401B24 8B44240C                mov eax, dword ptr [esp+0C]
:00401B28 6A40                    push 00000040
:00401B2A 6A00                    push 00000000
:00401B2C 50                      push eax
:00401B2D EB17                    jmp 00401B46

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401AA4(C) <-- hmmm !!! let's check this out

* Possible Reference to String Resource ID=00154: "Registration info are not correct ! Please try again." <-- bad boy

:00401B2F 689A000000              push 0000009A
:00401B34 8D4C2410                lea ecx, dword ptr [esp+10]


o.k i think everything is clear right , the error message is displayed cuz of the jump at 00401AA4 , let's check it out , click on search/find and enter 00401AA4 and make sure that the direction is set to up , and we will be at this code in no time :


:00401A90 B918334B00              mov ecx, 004B3318
:00401A95 C684248C00000001        mov byte ptr [esp+0000008C], 01
:00401A9D E83E6A0100              call 004184E0 <-- our algo ...
:00401AA2 85C0                    test eax, eax <-- our test ...
:00401AA4 0F8485000000            je 00401B2F <-- our jump if zero ...
:00401AAA 8D4C2474                lea ecx, dword ptr [esp+74]


now i think we have to step into this call , to see what is in it . but we will do it with softice this time !! now run the program !! , enter ur info and before u click on the o.k button , fire softice [ctrl + d] and set a breakpoint like this one !!

Bpx Hmemcpy

then press F5 and we are back , now press the o.k button and softice will break !! , press F11 once then press F12 (7) times , now clear all the breakpoints and set a new one on address 00401A9D , then press F5 , softice will break again at the call , now press F8 and we are inside the call , with F10 trace the code until u are here :


:00418535 83FF04                  cmp edi, 00000004 <-- the length of our email in edi
:00418538 7D35                    jge 0041856F <-- compare it with 4, jump if greater or equal


o.k now continue with the trace until u r at this code :


:00418573 8B442420                mov eax, dword ptr [esp+20] <-- eax point to our email
:00418577 0FBE0C06                movsx ecx, byte ptr [esi+eax] <-- ecx has our 1st char in email
:0041857B 51                      push ecx <-- store ecx
:0041857C E871490200              call 0043CEF2 <-- convert the char. from small letter to capital
:00418581 83C404                  add esp, 00000004
:00418584 03E8                    add ebp, eax <-- add the char. to ebp
:00418586 46                      inc esi <-- add 1 to esi (counter)
:00418587 3BF7                    cmp esi, edi <-- check if the counter = email string length
:00418589 7CE8                    jl 00418573 <-- if less loop again (take next char)
:0041858B 8B4C240C                mov ecx, dword ptr [esp+0C] <-- ecx has our fake key
:0041858F BAC0D40100              mov edx, 0001D4C0 <-- put in edx 1D4C0h = 120000
:00418594 2BD5                    sub edx, ebp <-- subtract our email sum from edx
:00418596 33C0                    xor eax, eax
:00418598 3BCA                    cmp ecx, edx <-- compare it with our fake key


now i know some of u will not look at the code , so i'll explain it again .... the algo. is simple : first our string (email address) must be 4 chars or more , then it takes the first char. of our email , converts it to a capital letter if it is a small letter , and adds it to the ebp register , then it takes the 2nd char. and does the same , until it finishes our email address string , then it puts the value 120000 in edx and subtracts our char. summation from edx , and compares the result with our fake key . now at address 00418598 , write '? edx' in softice and write down the value cuz this is our real key , then clear all breakpoints and try it and there u go !! our thank u message !!
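Why this check is weak by design, shown as an added example (not part of the original tutorial or the program's code): the client computes the expected key itself from an order-insensitive, case-folded byte sum, so unrelated e-mail strings share a key. For contrast, a keyed MAC verified on a licensing server is shown beside it; `SERVER_SECRET`, `issue_key` and `server_verify` are hypothetical names, and the second e-mail is constructed sample input.

```python
import hashlib
import hmac

WEAK_CONSTANT = 0x1D4C0  # 120000, the value loaded into edx in the listing


def weak_expected_key(email: str) -> int:
    """Constant minus the sum of the e-mail bytes, a-z folded to A-Z."""
    total = sum(b - 32 if 97 <= b <= 122 else b for b in email.encode("ascii"))
    return WEAK_CONSTANT - total


def weak_check(email: str, key: int) -> bool:
    """The client-side validator: it contains the whole key derivation."""
    return len(email) >= 4 and key == weak_expected_key(email)


# Assumption: constructed secret that exists only on the vendor's server.
SERVER_SECRET = b"constructed-example-secret"


def issue_key(email: str, secret: bytes = SERVER_SECRET) -> str:
    """Vendor side: key = truncated HMAC-SHA256 over the normalised e-mail."""
    norm = email.strip().lower().encode("utf-8")
    return hmac.new(secret, norm, hashlib.sha256).hexdigest()[:32]


def server_verify(email: str, key: str, secret: bytes = SERVER_SECRET) -> bool:
    """Server side: recompute and compare in constant time."""
    expected = issue_key(email, secret).encode("ascii")
    return hmac.compare_digest(expected, key.strip().lower().encode("utf-8"))


if __name__ == "__main__":
    a = "FaTzBiT@tntcrackers.ws"   # e-mail used in the tutorial
    b = "TiBzTaF@tntcrackers.ws"   # constructed: same letters, different order
    # Additive checksum: both addresses map to one key.
    print("weak keys equal:", weak_expected_key(a) == weak_expected_key(b))
    # Keyed MAC: a key issued for one address fails for the other.
    print("mac keys equal :", issue_key(a) == issue_key(b))
    print("verify a / b   :", server_verify(a, issue_key(a)),
          server_verify(b, issue_key(a)))
```

The MAC variant only helps if verification happens where the secret lives; for offline checks the usual equivalent is a public-key signature over the e-mail, so the shipped binary holds a verification key and no derivation.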

but wait a min here , i think this algo. is too simple so let's code a keygen for it ... here is my source code, it is written in C , and compiled in Turbo C++ v3.0 , if u want to try it :


// a keygen for mp3-explorer v4.3.0 by FaT[BiT] \ TNT!

#include <stdio.h>
#include <conio.h>

int main (void)
 {
   long i, emailchsum = 0;
   long code = 120000;
   char ch;
   unsigned char email[50];

   clrscr();
   printf("------------------------------------------------------------------\n");
   printf("[ m p 3 - e p l o r e r ] v 4.3.0 - Keymaker - by FaT[BiT] \\ TNT!\n");
   printf("------------------------------------------------------------------\n\n");
   printf("E-Mail address : ");
   gets (email);
   if (strlen (email)<4) {
     printf("Err : E-Mail address is too short.");
     exit (1);
    }
   for(i=0;i<=strlen(email);i++) {
     ch = email[i];
     if ((ch >= 97 ) && (ch <= 122)) ch = ch - 32;
     emailchsum += ch ;
    }

   code -= emailchsum;
   printf("Registration key : %ld", code);
   return 0 ;
  }


o.k there u have it !!
compile this code , then run it and enter ur email , to have ur code and try it !!!, and ...

[ m p 3 - e p l o r e r ] is registered

Final Wordz

i hope u have enjoyed this tut as much as i did writing it
in the end i would like to greet the following ppl !!
FaT[BiT]_FaTz0 greetz the following :

tKC ... (for showing me the light !! )
LW2000 ... ( Thanx alot i now use my brain )
[XasX] ... (a very good founder and a very good friend also!)
AzmO ... (yes!! man we are different !! )
Sir dReAm ... (i will be seeing u soon !! )
ASTAGA ... (keep up the good work !!)
BoneZ ... (thanx alot for the support !!)
BillGameZ, VaibLitzeR, MezUz , and ShaQ ... (good luck to u all !! )

and to all TNT!CRACK!TEAM! members ... (keep up the good work !!)

any comments mail me : fattnt@linuxmail.org

See ya in another tut !!! Soon !!!

--= EOF =--

