|
|

He today we keygen Hang2000 ist a Win32 based Game, in my opinion ah ugly one.
But we dont like to game it couse we like to crack it.

Complete the Registration Dialog and before you hit the Register Button, set a Breakpoint on getdlgitemtexta

After you hit Register Softice Pops up again and went to code by F5, F12
HANG2000!.text+5A2F

:00406A31 8D44240C                lea eax, dword ptr [esp+0C]

:00406A35 8D8C248C000000          lea ecx, dword ptr [esp+0000008C]

:00406A3C 50                      push eax

:00406A3D 51                      push ecx

:00406A3E E88D020000              call 00406CD0
Step into the Call by F8,

:00406CD0 8B4C2404                mov ecx, dword ptr [esp+04]

:00406CD4 81EC80000000            sub esp, 00000080

:00406CDA 8D442400                lea eax, dword ptr [esp]

:00406CDE 50                      push eax

:00406CDF 51                      push ecx

:00406CE0 E8CBFEFFFF              call 00406BB0

Again into the Call

Some steps further you`ll be here:




:00406C3B 8A01                    mov al, byte ptr [ecx] // get first Char of Name and Convert to ANSI

:00406C3D 3C41                    cmp al, 41  // Compare the ANSI Value with 41, = ANSI Value 65 = A

:00406C3F 7C15                    jl 00406C56 // If first Char = A then Jump

:00406C41 3C5A                    cmp al, 5A // Campare the ANSI Value with 5A, = ANSI Value 90 = Z

:00406C43 7F11                    jg 00406C56 // If first Char = Z then Jump

:00406C45 0FBEF0                  movsx esi, al // Move ANSI of first Char from AL to ESI

:00406C48 03EE                    add ebp, esi // EBP = 0 add to ESI 

:00406C4A 3C45                    cmp al, 45 // Compare first Char of Name with 45 = ANSI Value  69 = E

:00406C4C 7505                    jne 00406C53 // If E then Jump to  add ebp, 00000005  else add ebp, 00000003

:00406C4E 83C505                  add ebp, 00000005  // Here it add 5 to ANSI Value of CHAR but only if the Char = E

:00406C51 EB03                    jmp 00406C56

:00406C53 83C503                  add ebp, 00000003 // Here it add 3 to ANSI Value of CHAR if the Char not E

:00406C56 41                      inc ecx // Test Len of Name 

:00406C57 4A                      dec edx // 

:00406C58 75E1                    jne 00406C3B // Loop 00406C3B




After the calculation be finishd so some lines later the Value of Calculation add to 13131
and add LJBEPC- in front, LJBEPC-[Value of 13131 + Calculation] = Finishd Serial

EAX = 0  
N = 78 // 78 + EAX + 3 = 81 // write 81 to EAX
U = 85 // EAX + 85 + 3 = 169 // write 169 to EAX
K = 75 // EAX + 75 + 3 = 247 // write 247 to EAX
E = 69 // EAX + 69 + 5 = 321 // write 321 to EAX
M = 77 // EAX + 77 + 3 = 401 // write 401 to EAX

EAX + 13131 = 13532 // write to EDX
ESI & EDX  // ESI = LJBEPC- // EDX = 13532 = "LJBEPC-13532" 

But only if a E into the Name we type in then the calculation add a 5 as a 3.

N = 78 // 78 + EAX + 3 = 81 // write 81 to EAX
U = 85 // EAX + 85 + 3 = 169 // write 169 to EAX
K = 75 // EAX + 75 + 3 = 247 // write 247 to EAX
K = 75 // EAX + 69 + 3 = 319 // write 319 to EAX
M = 77 // EAX + 77 + 3 = 401 // write 499 to EAX
So i hope you understand the Routine :-)

Cya NUKEM

Greets to:

ploppy, Manycracker, DYCUS, FuzzyCat, draXXter, Mr.White[WKT], fREaKaZoiD, rAidri, gloryx, Kylock, Kelly, cELTICa, figugegl, notice!, Milhouse, WAHNS, Hamst,
Cassandra, +fravia, PlAyEr, Satanic_Brain, ManKind, Savatage, |NEO|, uzZi, SiNa, |-SHI-|, Shockwave, s@nDOk@n, ScareByte, VandalJax, pHAT_tEQ, dazm, viruz666,
KeNkAnIfF, draXXter.