Welcome to cheekey's Cracking Tutorial #2! This is the second tutorial ... rth asks me at #learn2crack for help with this proggie. It's the 23rd of December (midnight) and I'm finished with the 2nd tutorial for today, merry x-mas and a happy new year!

Target:     SNCalc v2.0 (http://sn.amur.ru)
Protection: Serial
Solution:   KeyGen
Toolz:      SoftICE 4.x, BCB 4 (for coding the Keygen)

Ok, I hope you know how to use SoftICE (setting breakpoints, etc.), so let's start: set THE ;) breakpoint (bpx hmemcpy), and "push F12 until we reach 32bit code. You recognize 32bit code when the memory address has the following form: XXXX:XXXXXXXX. When we reached it, we press F10 until you reach code where there's no "ret" in the next 5 lines. Now we have reached the part where it gets interesting." (snippet of one of LaZaRuS' tutz - get em all: www.learn2crack.org)

:0047EF9D 8B45FC        mov eax, dword ptr [ebp-04]
:0047EFA0 E8334DF8FF    call 00403CD8
:0047EFA5 83F804        cmp eax, 00000004             // compare name length with 4
:0047EFA8 7C0D          jl 0047EFB7                   // if name length < 4 jump to (1)
:0047EFAA 8B45F8        mov eax, dword ptr [ebp-08]
:0047EFAD E8264DF8FF    call 00403CD8
:0047EFB2 83F804        cmp eax, 00000004             // compare serial length with 4
:0047EFB5 7D0C          jge 0047EFC3                  // if >= 4 jump to the routine (2)
:0047EFB7 8BC3          mov eax, ebx                  // (1)
:0047EFB9 E892ACFCFF    call 00449C50
:0047EFBE E9BB000000    jmp 0047F07E                  // jump to bad cracker
:0047EFC3 8B45FC        mov eax, dword ptr [ebp-04]   // (2) eax = name
:0047EFC6 0FB64001      movzx eax, byte ptr [eax+01]  // eax = 2nd char of name
:0047EFCA 8B55F8        mov edx, dword ptr [ebp-08]   // edx = serial
:0047EFCD 0FB65202      movzx edx, byte ptr [edx+02]  // edx = 3rd char of serial
:0047EFD1 33C2          xor eax, edx                  // xor these two values
:0047EFD3 B90A000000    mov ecx, 0000000A             -+
:0047EFD8 99            cdq                            | divide by 10 and save the last (decimal) digit of the result in edx
:0047EFD9 F7F9          idiv ecx                      -+
:0047EFDB 83FA03        cmp edx, 00000003             // compare it with 3
:0047EFDE 0F859A000000  jne 0047F07E                  // if not equal jump to bad cracker
:0047EFE4 68E9030000    push 000003E9
* Reference To: kernel32.Sleep, Ord:0000h             // hehe ;) Sleep, that is what the programmer does ;)
|
:0047EFE9 E88676F8FF    Call 00406674
:0047EFEE 8B45FC        mov eax, dword ptr [ebp-04]   // again getting the name
:0047EFF1 0FB64002      movzx eax, byte ptr [eax+02]  // now the 3rd char of name
:0047EFF5 8B55F8        mov edx, dword ptr [ebp-08]   // getting the serial
:0047EFF8 0FB65201      movzx edx, byte ptr [edx+01]  // and the 2nd char of the serial
:0047EFFC 33C2          xor eax, edx                  // xor them again
:0047EFFE B90A000000    mov ecx, 0000000A             -+
:0047F003 99            cdq                            | divide by 10 and save the last (decimal) digit of the result in edx
:0047F004 F7F9          idiv ecx                      -+
:0047F006 83FA05        cmp edx, 00000005             // and compare the result with 5
:0047F009 7573          jne 0047F07E                  // if not equal jump to bad cracker, if equal: "Thx for registering"
:0047F00B 68E7030000    push 000003E7

The first time you see it, it looks quite simple ... but it isn't just a few lines of compare code; there is a lot more to take into account when keygenning it.

Ok, the basic thing is that the name and the serial have to be at least 4 chars long! If you enter something like "xyxy" (no numbers) as the serial, a message box pops up saying that no valid float was entered ... so for the serial we can only use values with the ASCII codes 48 to 57 (0 to 9).

Then it gets the 2nd char of the name and XORs it with the 3rd char of the entered serial; if the last digit of the result = 3, then go on. Same shit with the 3rd char of the name and the 2nd char of the serial ...

Example:
  name:        cheekey [l2c]
  fake serial: 123456

  xor 104 (h), 51 (3) = 91
  edx = 1
  cmp edx, 00000003
  -> jump to bad cracker

So we have to find a value whose last digit is 3 when it is XORed with 104 (h) ... hmm, which value is near 91 and ends with 3? 93! Yep, right. So let's xor 104, 93: the result is 53 ... the ASCII code of 5. So now we've got the first part of our serial: xx5xxx (I dunno why I use a 6 chars long one ... xx5x would work as well!)
Ok, now the second part:

  xor 101 (e), 50 (2) = 87
  edx = 7
  cmp edx, 00000005
  -> jump to bad cracker

So we have to find a value whose last digit is 5 when it is XORed with 101 (e) ... hmm, which value is near 87 and ends with 5? 85! So let's xor 101, 85: the result is 48 ... the ASCII code of 0. So now we've got the second part of our serial: x05xxx (or: x05x, for example). Now enter the values you want for x and you always get a valid serial for "cheekey [l2c]" (Example: 205234).

And here is the Win32 C++ (I use BCB 4) code snippet for a keygen (create two text boxes; for other shit read the notes) ...

//---------------------------------------------------------------------------
void __fastcall TForm1::Edit1Change(TObject *Sender)
{
    AnsiString strSerial = Edit1->Text;       // entered name (AnsiString is 1-based)
    AnsiString strTemp;
    int  iFertig1 = 0;
    int  iFertig2 = 0;
    int  iFinal   = 0;
    int  iTemp    = 0;
    bool bFound   = false;                    // did a digit satisfy the current test?

    if (strSerial.Length() > 3)               // at least 4 chars ?
    {
        for (int i = 48; i <= 57; i++)        // for 0 to 9 (ASCII codes)
        {
            iFertig1 = static_cast<int>(strSerial[2]) ^ i;   // 2nd char of name xor i
            strTemp  = IntToStr(iFertig1);
            iTemp    = strTemp.Length();      // length of the result
            if (strTemp[iTemp] == '3')        // if last char = 3 ...
            {
                iFertig2 = i - 48;            // ... save it for later use (x)
                bFound   = true;
            }
        }
        iFinal = iFertig2 * 1000 + 100000;    // serial = 10x000

        for (int i = 48; i <= 57; i++)
        {
            iFertig1 = static_cast<int>(strSerial[3]) ^ i;   // the second part ... 3rd char of name xor i
            strTemp  = IntToStr(iFertig1);
            iTemp    = strTemp.Length();      // length of result
            if (strTemp[iTemp] == '5')        // if last char = 5 ...
            {
                iFertig2 = i - 48;            // save it for later use (y)
                bFound   = bFound && true;
            }
            else if (i == 57 && !bFound)
                ;                             // nothing found for this test either
        }
        iFinal = iFinal + (10 + iFertig2) * 10000 + 234;     // serial = 2yx234

        if (bFound)
            Edit2->Text = iFinal;             // serial output ...
        else
            Edit2->Text = "No digit passes the check for this name";  // x or y has no solution
    }
    else
    {
        Edit2->Text = "You have to enter at least 4 chars";
    }
}
//---------------------------------------------------------------------------

You registered the prog and wanna unregister it? Change the values "RegCode2_0" and "RegName2_0" under HKEY_LOCAL_MACHINE\Software\SN\SNCalc.

Ok, that's @ll folks ...
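To make the check concrete from the other side of the fence, here is a small C++ model of the routine from the disassembly above, applied to the manual walkthrough for "cheekey [l2c]". This is an added example written for this page; it is not SNCalc's own source and not part of the keygen above, and the function names, the "aXcd" test name and the four-digit sweep are my own constructions. The model shows how little the scheme actually binds: only the 2nd and 3rd serial characters depend on the name, each through nothing but the last decimal digit of an XOR, so for the example name exactly 100 of the 10000 four-digit serials are accepted, and for some names (the constructed "aXcd") no digit satisfies the first test at all, which is the case a keygen has to detect instead of printing a wrong serial. The float check mentioned in the text (non-numeric serials are rejected before this code) is not modelled, which is why the sweep only uses numeric serials; and because movzx leaves both operands below 256, the cdq/idiv pair never sees a negative dividend, so C++ `% 10` gives the same remainder as edx.

```cpp
#include <cstdio>
#include <string>

// Model of the check at 0047EFA5..0047F009 (added example, not SNCalc's code).
// Returns true when the "Thx for registering" path would be taken.
bool SerialCheckAccepts(const std::string& name, const std::string& serial) {
    // 0047EFA5 / 0047EFB2: both strings must be at least 4 characters long
    if (name.size() < 4 || serial.size() < 4) return false;

    // 0047EFC3..0047EFDE: (2nd char of name XOR 3rd char of serial) mod 10 == 3
    int r1 = (static_cast<unsigned char>(name[1]) ^
              static_cast<unsigned char>(serial[2])) % 10;
    if (r1 != 3) return false;

    // 0047EFEE..0047F009: (3rd char of name XOR 2nd char of serial) mod 10 == 5
    int r2 = (static_cast<unsigned char>(name[2]) ^
              static_cast<unsigned char>(serial[1])) % 10;
    return r2 == 5;
}

// How many of the four-digit serials "0000".."9999" does the check accept
// for a given name? Only positions 1 and 2 matter, so the answer is
// 100 * (number of digits that pass test 1) * (number that pass test 2).
int CountAcceptedFourDigitSerials(const std::string& name) {
    int accepted = 0;
    for (int s = 0; s < 10000; ++s) {
        char buf[5];
        std::snprintf(buf, sizeof buf, "%04d", s);  // constructed candidate serial
        if (SerialCheckAccepts(name, buf)) ++accepted;
    }
    return accepted;
}

int main() {
    // The walkthrough's values: 123456 fails (91 % 10 == 1), 205234 passes.
    std::printf("123456 -> %d\n", SerialCheckAccepts("cheekey [l2c]", "123456"));
    std::printf("205234 -> %d\n", SerialCheckAccepts("cheekey [l2c]", "205234"));
    std::printf("accepted 4-digit serials for cheekey [l2c]: %d\n",
                CountAcceptedFourDigitSerials("cheekey [l2c]"));
    // 'X' XOR any digit '0'..'9' never ends in 3, so this name has no valid serial.
    std::printf("accepted 4-digit serials for aXcd: %d\n",
                CountAcceptedFourDigitSerials("aXcd"));
    return 0;
}
```

The 100-of-10000 figure is the whole story of this protection: a 1% acceptance rate for blind four-digit guesses, and a check that ignores every character of the name except the 2nd and 3rd. A scheme worth the name would derive the serial from all of the name (a keyed hash or a signature over it) and compare the full result, so that no single byte of the check can be satisfied independently of the rest.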
How to contact me: mail: cheekey99@hotmail.com, EFnet: #learn2crack