About this tutorial

Tutorial : Keygenning with SmartCheck
Target : Visi Font Gold 2.0 (http://www.dcmsoftware.bizland.com/)

Tools : SoftICE 3.24, SmartCheck 6.xx (these are good software, worth buying)
Date : 6th April 2000 (Last updated on 8th April 2000)

Descriptions & Comments : In this tutorial, I will show you the power of SmartCheck, as we will be making a keygen with SmartCheck as the only tool. This is a Microsoft Visual Basic 5 program. Please do register this program (and also the other good programs by the author) because he seems to be a kind fellow who charges only $5.00 for each of his programs. He is not greedy at all, and I think the $5.00 charge will at most support his living. A little note to the author: if you happen to be reading this document, please do contact me and I would be more than willing to help you implement better protection on your software.

Protection : Name/Serial, VB5

Disclaimer : This file is used for educational purposes only. Any misuse of the information presented here is not my responsibility. This tutorial is copyright © ManKind. Contact me at mankind001@bigfoot.com


The process - Serial fishing

Start Visi Font Gold. Choose Option -> Register and you will be presented with a small register window, enter your Name and Unlock Code in the text fields :-

Name : ManKind
Unlock Code : 23199981

We know that this is a VB5 program. We will try to break into SoftICE when the program is comparing the fake Unlock Code to the real one, so that we can read the real Unlock Code. The most commonly used function for comparing two or more strings in VB5 is __vbaStrCmp (note that there are two (2) underscores there). So let's go into SoftICE and set a breakpoint on that function so that we can proceed with our plan of fishing a real Unlock Code for our name, like below :-

bpx __vbaStrCmp

Leave SoftICE, press the Unlock button, SoftICE will pop up due to the breakpoint we set on the __vbaStrCmp function. Press F11 once to return to the caller of the function and you will be thrown to the following code :-

:0042CAF6 CALL [MSVBVM50!__vbaStrCmp]
:0042CAFC MOV ESI,EAX <-- you land here

Let's see whether the strings that were compared are still held in one of the registers; dump the content of the EDX register with the following command :-

d edx

What do you see in the data window of SoftICE? That looks like the real Unlock Code for our name in wide-char format (just ignore the dots between the characters). I didn't show the Unlock Code for my name here because I think that the author of this program is kind enough to offer his software at $5.00, so everyone who wishes to use it MUST register it, especially those lamers, and the main purpose of this essay is not to destroy the author or his income.

Keygenning with SmartCheck

Unregister the program if you have registered it (use regedit; the settings are in "My Computer\HKCU\Software\VB and VBA Program Settings\Visi Font Gold 2.0\Font Viewer\"). We can leave SoftICE alone now and proceed to use SmartCheck as our main tool, because tracing with SoftICE inside VB programs is always an unpleasant experience. I use SmartCheck 6.01 but I think any version from 6.xx onwards should work. Make sure you have configured SmartCheck correctly for cracking purposes before following this part; if you haven't, visit Eternal Bliss's site and get his tutorials (not only for configuration purposes, actually: there is other priceless stuff there by Eternal Bliss).

Let's start now. Start SmartCheck, open (load) visigold.exe into SmartCheck (a window will pop up) and go to the menu Program -> Start (another window will pop up displaying the events of the program; maximise it, as we will work with this window). After some events, the main window of Visi Font Gold will pop up, so go and choose Options -> Register as in the first part, enter ManKind as Name and 23199981 as Unlock Code into the text fields and finally press the Unlock button. The bad_cracker_message will pop up; just press Ok, switch back to SmartCheck and go to the menu Program -> End, and the program will be terminated. Look at the Events and find the registration event (usually after a button is pressed; in this example Unlock is that button, but SmartCheck will not refer to it by the caption of the button but by its internal name instead, like Command1). You should come to this (what you see in SmartCheck is highlighted in green while the black text is my comment) :-

+  Command1_Click

Expand it by double-clicking on the plus (+) sign and more events will be shown :-

-  Command1_Click
  Text1.Text <-- input field of Name
  LTrim$ <-- get the Name
  Len returns LONG:7 <-- get the length of name
  Mid$ <-- get the first byte of name
  Asc returns Integer:77 <-- ascii of first byte
  Double (5929) --> Long (5929) <-- 77 * 77 = 5929
  Mid$ <-- get second byte of name
  Asc returns Integer:97 <-- ascii of second byte
  Double (24747) --> Long (24747) <-- (97 * 97 * 2) + 5929 = 24747
  Mid$ <-- get the third byte of name
  Asc returns Integer:110 <-- ascii of third byte
  Double (61047) --> Long (61047) <-- (110 * 110 * 3) + 24747 = 61047
  Mid$ <-- get the fourth byte
  Asc returns Integer:75 <-- ascii of fourth byte
  Double (83547) --> Long (83547) <-- (75 * 75 * 4) + 61047 = 83547
  Mid$ <-- get the fifth byte of name
  Asc returns Integer:105 <-- ascii of fifth byte
  Double (138672) --> Long (138672) <-- (105 * 105 * 5) + 83547 = 138672
  Mid$ <-- get the sixth byte
  Asc returns Integer:110 <-- ascii of sixth byte
  Double (211272) --> Long (211272) <-- (110 * 110 * 6) + 138672 = 211272
  Mid$ <-- get the seventh byte of name
  Asc returns Integer:100 <-- ascii of seventh byte
  Double (281272) --> Long (281272) <-- (100 * 100 * 7) + 211272 = 281272
  Text3.Text
  LTrim$
  LTrim$
  MsgBox returns Integer:1 <-- bad_cracker_message
   Command1_Click

I think you've got the idea now, but I will explain a little more. Here are the algorithm details: the ASCII code of each byte of the name is squared, multiplied by its position in the name (starting at 1) and added to the previously calculated value; the final sum is the correct Unlock Code.

Here's a quick pointer :-

- if you do Show All Events in SmartCheck you will see that __vbaPowerR8 function is called after the "Asc returns Integer:77" line, thus the calculation for this is 77 * 77 * 1 = 5929.

The same thing happens for the other values. I think it is really clear to you now and I need not explain any more. As usual for my keygenning tutorials, I would include keygen source, but this time I will only show you the calculation part. Since the program is coded in VB 5, I shall code the source in Visual Basic too, and here's the calculation part :-

Dim i As Long, name1 As Long, name2 As Long, name3 As Long 'name3 is the running total and starts at 0
For i = 1 To Len(Text1.Text) 'i is the position counter, Text1.Text is the name's text field; loop until every byte of the name is done
 name1 = Asc(Mid(Text1.Text, i, 1)) 'get one byte of the name
 name2 = (name1 ^ 2) * i 'the main algo here: ASCII of the byte raised to the power of two, multiplied by the current position of the byte
 name3 = name3 + name2 'sum up all the calculated values
Next i 'loop again
Text2.Text = name3 'Text2.Text is the text field where you show the user his/her Unlock Code for the given name: the final sum is the correct Unlock Code
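As an added check (my own example, not code from the tutorial or from Visi Font Gold), here is the same calculation in Python, replaying the running total that the SmartCheck trace above records after every character so you can confirm the reconstructed algorithm against the recorded values before trusting it. It assumes VB5's Asc returns the Windows-1252 byte value of each character, which is why the name is encoded as cp1252 first.

```python
# Added example: replay the per-character running total shown in the
# SmartCheck trace ("Double (...) --> Long (...)" lines) for a given name.
# Assumption: VB5 Asc() yields the Windows-1252 (ANSI) code of each
# character, so we take bytes of the cp1252 encoding rather than ord().

def running_totals(name: str) -> list[int]:
    """Running total after each character, in trace order."""
    data = name.encode("cp1252")      # mirrors VB Asc on an ANSI string
    totals = []
    total = 0
    for pos, byte in enumerate(data, start=1):
        total += byte * byte * pos    # Asc(c) ^ 2 * position, accumulated
        totals.append(total)
    return totals


def unlock_code(name: str) -> int:
    """Final running total, i.e. the value the program compares against
    (0 for an empty name)."""
    totals = running_totals(name)
    return totals[-1] if totals else 0


# Constructed check data: the seven values copied from the trace above.
TRACE_FOR_MANKIND = [5929, 24747, 61047, 83547, 138672, 211272, 281272]


def trace_matches(name: str, trace: list[int]) -> bool:
    """True when the reconstructed algorithm reproduces every trace value;
    a single mismatch means the hypothesis about the scheme is wrong."""
    return running_totals(name) == trace


if __name__ == "__main__":
    print(trace_matches("ManKind", TRACE_FOR_MANKIND))  # True
```

A scheme like this is a fixed function of the name alone with a small integer output, which is the reason a name-only checksum gives a developer essentially no protection once the call sequence has been observed.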

As a little note for the keygen, I would like to state that IF any other programming language (probably not all, but I tried Assembly and QBasic) is used to code the keygen for Visi Font Gold other than Visual Basic (I tried VB5), it would be messed up when dealing with special characters like î, é and many more (that's why I chose to show you the calculation source in VB).

Lastly, my little opinion and comment on SmartCheck and its usage :-
- could be VERY useful for cracking VB programs
- when trying to keygen, it's totally different from SoftICE
- very good tool for crackers and programmers
- useful for newbies to do quick cracks (serial fishing)

That's all for now. Contact me if I've made any mistakes.


Ending

Thanks and greetz to :-

+ORC, +HCU, Sandman, HarvestR, tKC, ytc_, Punisher, Kwai_Lo, TORN@DO, CrackZ, cLUSTER, LaZaRuS, mISTER fANATIC, yes123, WhizKiD, Volatility, ACiD BuRN, Eternal Bliss, R!SC, Kwazy Webbit, +Mammon, MisterE, Shadow, ^tCM^, WaJ, Borna Janes, Kathras, AB4DS(Death), douby, Steinowitz, Lord Soth, Latigo, Lucifer48, NeuRaL_NoiSE, Fravia+, Latigo, Duelist, Alpine, flag eRRatum, Nitrus, +Frog's Print, Muad`Dib, Iczelion, Razzia, Warezpup, Bomber Monkey, llama and other crackers, individuals and organisations who have helped me, either directly or indirectly.

Service for Mankind
ManKind
mankind001@bigfoot.com