home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Reverse Code Engineering RCE CD +sandman 2000
/
ReverseCodeEngineeringRceCdsandman2000.iso
/
RCE
/
Mendoza
/
flux5.txt
< prev
next >
Wrap
Text File
|
2000-05-25
|
5KB
|
135 lines
Flu[X]'s cracking tutor #5 - A EXTREMELY easy keygen
Tools
-Softice 3.2+
-Uninstall manager v2.5
-Turbo Pascal 7
-Brain
I HIGHLY RECOMEND YOU VIEW THIS IN NOTEPAD!!!
-INTRO-
Ok, in this tut ill teach you how to do a keygen.. THIS
is a VERY easy example. Simple principals.. simple protection.
This is probably the most simple protection IVE EVER seen!
Ok, install and start out target. Find under the menus the
register button. Enter a fake code.. i used:
name: Fluxphrozen
code: 121212
ok get into softice (Control-D) set a bpx on 44FD57
hopefully softice should break.. you will see the heart of
the protection scheme..
Ok it is inportant to know at the start of this routine
EDI contains ho many letters there are in out name.
Also note, before the program gets to this point, it converts
your name to total lowercase.. you can see that from tracing.
I will just concentrate on the maths part of it.
Note EBX is used as an accumulator.. the below function
just adds up all the ascii values into one number.
:0044FD57 mov edx, dword ptr [ebp-04] <-get name into edx
:0044FD5A mov dl, byte ptr [edx+eax-01] <-get character
:0044FD5E cmp dl, 20 <-compare character to a "spacebar"
:0044FD61 je 0044FD6E <-if equal to "spacebar" skip the adding process
:0044FD63 mov ecx, dword ptr [ebp-04] <-get name into ecx (usless instruction.. never used)
:0044FD66 and edx, 000000FF <-basically does nothing to data (another unimportant step)
:0044FD6C add ebx, edx <-add ascii value of character to accumulator
:0044FD6E inc eax <-increase position in name to get next character
:0044FD6F dec edi <-decrease # of letters left to process in your name
:0044FD70 jne 0044FD57 <-if no more letters left continue
or else bak to top of this process
Ok that piece of code should be simple. i hope i explained it well
enough.. ok now what happens with the number it makes? below is the
code that processes it.
:0044FD72 xor ebx, 00000089 <-XOR result by hex $89
:0044FD78 xor ebx, 00000033 <-Xor Result of above by $33
:0044FD7B lea edx, dword ptr [ebp-08] <-|
:0044FD7E mov eax, dword ptr [esi+0000021C] <-| these functions get your fake
:0044FD84 call 0041F8E0 <-| serial you put in the box
:0044FD89 mov eax, dword ptr [ebp-08] <-| to check it
:0044FD8C call 00407408 <-|
:0044FD91 cmp ebx, eax <-Compare your fake one with real generated
ebx= real eax= fake
Now to make a keygenerator. I have included my source below. It
is commented and should be easy to follow.
===Begin Source Code===
program umkeymaker;
var
name:string; {declare variables to use}
secondc:integer;
total:integer;
pos,z:integer;
begin
writeln('Uninstall Manager v2.5 Keygen'); {write info to screen}
writeln('Flu[X]/PC98');
writeln('7/06/98');
writeln(' ');
write('Enter Name :');
readln(name); {read keyboard input}
Write('Registration Key : ');
total:=0; {initalize variables}
secondc:=0;
pos:=1;
while pos <= length(name) do {change name to all lowercase}
begin
z:= ord(name[pos]);
secondc:=ord(name[pos]);
if ord(name[pos]) <= 90 then
begin
if ord(name[pos]) >= 65 then
begin
name[pos]:= char(ord(name[pos]) + 32);
end;
end;
pos:=pos+1;
end;
secondc:=0;
pos:=1; {reset counter variable}
while pos <= length(name) do {add ascii values of lowercasr name together}
begin
if ord(name[pos]) <> $20 then {test to see if name has a space}
begin
secondc := secondc + ord(name[pos]);
end;
pos := pos +1;
end;
total := secondc XOR $89; {XOR total by 89 hex}
secondc:= total; {copy resul;t from above to secondc}
total := secondc XOR $33; {XOR the result by 33 hex}
writeln(total); {print out total, which is your key}
end.
===END Source Code===
I hope to see you again in Flu[X] tutor #6
As always if you like a program buy it! Thi essay is for
educational purposes ONLY! Software authors deserve your support!
Flu[X]/PC98
