Turning File Shredder v2.2 into its own Keygen by Flu[X]/PC98
A Second Look at the keygen-patch approach.

Items needed for this tutorial:
  Hiew     5.xx
  W32 Dasm 8.7+
  SoftICE  3.2+
  File Shredder v2.2 (http://www.execpc.com/~sbd/SHREDDER.ZIP)
  Basic asm knowlodge...

Ok, after you have all of these items your ready

If you read my first tutor you will be familiar with this method
otherwise, i suggest you download it ant read it..

Again im going to concentrate on how to make a program store
the correct registration info without user intervention.
Ok start SoftICE and load in the standard breakpoints.
(you should know these) Enter in some random information
and try to register it.

Ok, were interested in what it does with the code we have entered
so since there are 3 boxes we hit F5 twice. After a while of tracing
you will come to this:


:004014AC 55                      push ebp
:004014AD 57                      push edi
:004014AE E86D190000              call 00402E20
:004014B3 83C408                  add esp, 00000008
:004014B6 3BC3                    cmp eax, ebx <--compare the two values
                                               eax= real  ebx=your fake
:004014B8 741E                    je 004014D8  <-- if they are same goto registered
:004014BA 68CFEA0000              push 0000EACF


so how would we go about fixing this? ok now lets see...
we know eax has the real serial# (from doing a ? eax)
so thats already good... now how can we fix the value in ebx..
maybe if we change  cmp eax, ebx  TO  mov ebx, eax.
that will "overwrite" our fake serial#..now how about
that jump? well since it will go there if registered
and we have fixed it so it will always get registered we
just change it to JMP.

ok lets try it, new code should look like this:


:004014AE E86D190000              call 00402E20
:004014B3 83C408                  add esp, 00000008
:004014B6 8BD8                    mov ebx, eax <-- move real ser# to
                                                  where our fake is.
:004014B8 EB1E                    jmp 004014D8 <-- always jump to registered

ok patch the file, now try it, hey it registers...
the program will shut down..
ok start it again, hey look it works, our name is in the box
click on the register key, hey look in the box is what
the serial *should* have been.

now we have 2 "cracks" for this program, a serial# and a
program that makes its own keys.. so go ahead and generate
as many valid serial#'s as you want!

Anyways, i dont have to say this as it should be understood, if you
like thes program and continue to use it you should purchase a copy.


Flu[X] - Phrozen Crew 98

EOF