Sound Gadget Pro v1.2.4 - Tutorial by PcNinJa

"Well, another day, another protection and another good reverser, PcNinJa. The technique of using bytes from your files as a protection strategy is not a new one but it's pretty uncommon (modern day virus scanners would probably go berserk). The use of encryption (albeit basic XOR) might just make you think a little bit more than most of the banal algorithms that proliferate the web. For once you'll be delighted to hear that I don't actually use this program, so after working through this good essay by PcNinJa I'll let you decide for yourself whether it's worth purchasing :)" - Very slightly edited by CrackZ.

The software

Sound Gadget Pro is a wav recorder and editor. I wrote a crack when I first found it, but I thought it was time for me to make my first keygen, and here it is. The protection scheme XORs letters of the name with bytes of the serial; each result is compared to a byte found in the file SGPRO.EXE, at a location that depends on the first two chars of the serial and the first char of the name.

The protection

The protection scheme can easily be found at 0041A5D0. It's pretty big, so I'll show you only the end (crucial point) of this code. The name and serial must have at least 6 chars to reach this point. For example, we can enter:

Name: ABCDEF
Serial: 12345678

By stepping through all the code, you should note these important places in memory.

[ESP+50] -> Bytes made from each pair of hex chars of the serial.
e.g. 12h,34h,56h,78h

[ESP+1C] -> A string made from the chars at even positions in the name.
e.g. BDF

[ESP+18] -> NameLetter1 MOD 15h
e.g. 02h ('A' = 41h, 41h MOD 15h = 02h)

:0041A6F7 MOV CL, 0D
:0041A6F9 MOV AL, BYTE PTR [ESP+50]
:0041A6FD SUB AH,AH
:0041A6FF XOR ESI,ESI
:0041A701 XOR EBX,EBX
:0041A703 LEA EDI, DWORD PTR [ESP+1C]
:0041A707 DIV CL
:0041A709 XOR ECX,ECX
:0041A70B MOV CL,AH
:0041A70D SUB EAX,EAX
:0041A70F MOV DWORD PTR [ESP+14], ECX
:0041A713 MOV ECX, FFFFFFFF
:0041A718 REPNZ
:0041A719 SCASB
:0041A71A NOT ECX
:0041A71C DEC ECX
:0041A71D JZ 0041A75D
:0041A71F MOV ECX, DWORD PTR [ESP+18]
:0041A723 LEA EAX, DWORD PTR [ECX+2*ECX]
:0041A726 LEA EBP, DWORD PTR [ECX+4*EAX]

EBP = 02h*13 = 1Ah; this value is used to locate the byte that the XORs will have to match. Here we arrive at the crucial test: each byte at [ESP+51] (calculated from the serial) is XORed with the corresponding byte at [ESP+1C] (calculated from the name). The result has to match the byte at [EBP+004351D8] (on the first pass, since EBX=0).

:0041A729 MOV AL, BYTE PTR [ESP+ESI+51] <-- AL from the serial.
:0041A72D XOR AL, BYTE PTR [ESP+ESI+1C] <-- XOR with the corresponding letter.
:0041A731 CMP AL, BYTE PTR [EBP+EBX+004351D8]
:0041A738 JNZ 0041A76A
:0041A73A MOV ECX, 0000000D
:0041A73F MOV EAX, DWORD PTR [ESP+14]
:0041A743 INC ESI
:0041A744 LEA EDI, DWORD PTR [ESP+1C]
:0041A748 CDQ
:0041A749 IDIV ECX
:0041A74B ADD EBX,EDX

The ADD EBX,EDX makes things harder: the location of the expected byte moves with each test. But we can see that the first 2 chars of the serial are only used to calculate where the good result is (EDX = first serial byte MOD 0Dh). So if we choose 0Dh (for example), EBX stays 0 and the location of the good result will remain constant (since 0Dh MOD 0Dh = 0).

:0041A74D MOV ECX, FFFFFFFF
:0041A752 SUB EAX,EAX
:0041A754 REPNZ
:0041A755 SCASB
:0041A756 NOT ECX
:0041A758 DEC ECX
:0041A759 CMP ECX, ESI
:0041A75B JA 0041A729

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041A71D(C)
|
:0041A75D MOV EAX, 00000001
:0041A769 RET

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041A738(C)
|
:0041A76A XOR EAX, EAX <-- Guess what this means.
:0041A773 RET

Finally, we can calculate our code:

We choose 0Dh for the first 2 chars of the code.

Let T be the byte at 004351D8+(NameLetter1 MOD 0Dh)
(004351D8 = file offset 335D8 in SGPro.exe)

We must have (where CodeChar3CodeChar4 is the byte made from that hex pair, and so on):

(NameLetter2 XOR CodeChar3CodeChar4) = T
(NameLetter4 XOR CodeChar5CodeChar6) = T
(NameLetter6 XOR CodeChar7CodeChar8) = T

And thus we have:

Name: PcNinJa
Serial: 0D676D4E
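As an added example (not the author's keygen and not code from the tutorial), the following Python models the check loop listed above from the side of the program doing the verification. Nothing is read from SGPRO.EXE: the table the real routine indexes at 004351D8 is replaced by a constructed byte string with a single slot filled. The slot index follows the disassembly rather than the shorthand in the text (NameLetter1 MOD 15h, multiplied by 13), and the slot value 04h is simply what the page's example pair PcNinJa / 0D676D4E XORs to. All function and constant names are my own.

```python
"""Model of the Sound Gadget Pro 1.2.4 serial check at 0041A6F7..0041A75B.

Added example: a Python re-implementation of the loop described in the
tutorial. The bytes the real code reads at 004351D8 in SGPRO.EXE are
replaced by a constructed table (see build_table); the file is not used.
"""

TABLE_SIZE = 0x200       # size of the constructed stand-in table (assumption)
EXPECTED_BYTE = 0x04     # T for "PcNinJa": 'c'^67h = 'i'^6Dh = 'J'^4Eh = 04h


def table_base(name: str) -> int:
    """[ESP+18] = NameLetter1 MOD 15h, then EBP = [ESP+18] * 13
    (LEA EAX,[ECX+2*ECX]; LEA EBP,[ECX+4*EAX])."""
    return (ord(name[0]) % 0x15) * 13


def build_table(name: str, t: int) -> bytes:
    """Constructed table: FFh everywhere except the slot this name indexes
    on the first pass. This stands in for the bytes at 004351D8."""
    table = bytearray(b"\xff" * TABLE_SIZE)
    table[table_base(name)] = t
    return bytes(table)


def check_serial(name: str, serial: str, table: bytes) -> bool:
    """Return True when (name, serial) passes the modelled check."""
    # The tutorial states both fields need at least 6 chars to reach the loop.
    if len(name) < 6 or len(serial) < 6:
        return False
    try:
        sbytes = bytes.fromhex(serial)        # [ESP+50]: one byte per hex pair
    except ValueError:
        return False
    evens = name[1::2]                        # [ESP+1C]: chars at even positions
    step = sbytes[0] % 13                     # [ESP+14]: first serial byte MOD 0Dh
    base = table_base(name)                   # EBP
    ebx = 0
    for i, ch in enumerate(evens):
        if i + 1 >= len(sbytes):              # real code would read past the serial
            return False
        idx = base + ebx
        if idx >= len(table):                 # outside the constructed table
            return False
        # MOV AL,[ESP+ESI+51]; XOR AL,[ESP+ESI+1C]; CMP AL,[EBP+EBX+004351D8]
        if (sbytes[i + 1] ^ ord(ch)) != table[idx]:
            return False
        ebx += step                           # ADD EBX,EDX
    return True


if __name__ == "__main__":
    tbl = build_table("PcNinJa", EXPECTED_BYTE)
    print(check_serial("PcNinJa", "0D676D4E", tbl))   # True
    print(check_serial("PcNinJa", "12676D4E", tbl))   # False: EBX drifts off the slot
```

The model makes the design weakness visible: the comparison is between an invertible XOR of one name character and one serial byte and a fixed table byte, so the single CMP at 0041A731 is where the whole scheme stands or falls. Changing the first serial byte to anything that is not a multiple of 0Dh moves EBX on each pass and the check walks into the unfilled slots of the table.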

Note that you must run my keygen in the same directory as SGPro.exe because certain values are used from this file.

Contact: pcninja@hotmail.com




© 1999 Hosted by CrackZ. PcNinJa, 15th March 1999.