Flu[X]'s cracking tutor #5 - An EXTREMELY easy keygen

Tools
-Softice 3.2+
-Uninstall Manager v2.5
-Turbo Pascal 7
-Brain

I HIGHLY RECOMMEND YOU VIEW THIS IN NOTEPAD!!!

-INTRO-

Ok, in this tut I'll teach you how to do a keygen. THIS is a VERY easy example. Simple principles, simple protection. This is probably the most simple protection I'VE EVER seen!

Ok, install and start our target. Find the register button under the menus. Enter a fake code. I used:

name: Fluxphrozen
code: 121212

Ok, get into Softice (Control-D) and set a bpx on 44FD57. Hopefully Softice should break, and you will see the heart of the protection scheme.

It is important to know that at the start of this routine EDI contains how many letters there are in our name. Also note, before the program gets to this point, it converts your name to total lowercase; you can see that from tracing. I will just concentrate on the maths part of it. Note EBX is used as an accumulator: the function below just adds up all the ASCII values into one number.

:0044FD57 mov edx, dword ptr [ebp-04]        <- get name into edx
:0044FD5A mov dl, byte ptr [edx+eax-01]      <- get character
:0044FD5E cmp dl, 20                         <- compare character to a "spacebar"
:0044FD61 je 0044FD6E                        <- if equal to "spacebar" skip the adding process
:0044FD63 mov ecx, dword ptr [ebp-04]        <- get name into ecx (useless instruction, never used)
:0044FD66 and edx, 000000FF                  <- basically does nothing to the data (another unimportant step)
:0044FD6C add ebx, edx                       <- add ASCII value of character to accumulator
:0044FD6E inc eax                            <- increase position in name to get next character
:0044FD6F dec edi                            <- decrease # of letters left to process in your name
:0044FD70 jne 0044FD57                       <- if letters are left, back to the top of this loop; else continue

Ok, that piece of code should be simple. I hope I explained it well enough. Now what happens with the number it makes? Below is the code that processes it.

:0044FD72 xor ebx, 00000089                  <- XOR result by hex $89
:0044FD78 xor ebx, 00000033                  <- XOR result of above by $33
:0044FD7B lea edx, dword ptr [ebp-08]        <-|
:0044FD7E mov eax, dword ptr [esi+0000021C]  <-| these functions get the fake
:0044FD84 call 0041F8E0                      <-| serial you put in the box
:0044FD89 mov eax, dword ptr [ebp-08]        <-| to check it
:0044FD8C call 00407408                      <-|
:0044FD91 cmp ebx, eax                       <- compare your fake one with the real generated one (ebx = real, eax = fake)

Now to make a key generator. I have included my source below. It is commented and should be easy to follow.

===Begin Source Code===
program umkeymaker;

var
  name    : string;   {declare variables to use}
  secondc : longint;  {running sum of the ASCII values; longint so a long name cannot overflow a 16-bit integer}
  total   : longint;
  pos     : integer;

begin
  writeln('Uninstall Manager v2.5 Keygen');   {write info to screen}
  writeln('Flu[X]/PC98');
  writeln('7/06/98');
  writeln(' ');
  write('Enter Name :');
  readln(name);                               {read keyboard input}
  write('Registration Key : ');

  total   := 0;                               {initialize variables}
  secondc := 0;
  pos     := 1;

  while pos <= length(name) do                {change name to all lowercase}
  begin
    if (ord(name[pos]) >= 65) and (ord(name[pos]) <= 90) then   {only A..Z are shifted by 32}
      name[pos] := char(ord(name[pos]) + 32);
    pos := pos + 1;
  end;

  pos := 1;                                   {reset counter variable}
  while pos <= length(name) do                {add ASCII values of lowercase name together}
  begin
    if ord(name[pos]) <> $20 then             {skip spaces, like the cmp dl,20 / je in the target}
      secondc := secondc + ord(name[pos]);
    pos := pos + 1;
  end;

  total   := secondc XOR $89;                 {XOR total by 89 hex}
  secondc := total;                           {copy result from above to secondc}
  total   := secondc XOR $33;                 {XOR the result by 33 hex}
  writeln(total);                             {print out total, which is your key}
end.
===END Source Code===

I hope to see you again in Flu[X] tutor #6.

As always, if you like a program buy it! This essay is for educational purposes ONLY! Software authors deserve your support!

Flu[X]/PC98
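Added example, not part of the original tutorial or of the Uninstall Manager program: a Python model of the check traced above, written to show why a sum-and-XOR serial is weak. Two details worth having in front of you: the `and edx, 000000FF` is what isolates the byte just loaded into dl (the other three bytes of edx still hold the name pointer), so the model simply uses the byte value; and `xor 89h` followed by `xor 33h` is the same as a single `xor 0BAh`, so the serial is the plain sum of the letters with a few low bits flipped. Function names, the decimal parse in `check_serial` (the two calls before the `cmp` are assumed to be a string-to-integer conversion of the typed code) and the `VENDOR_SECRET` placeholder are assumptions made here. The keyed variant at the end is a constructed contrast, not anything the target does.

```python
"""Model of the serial check at 0044FD57..0044FD91 and a keyed contrast (added example)."""
import hashlib
import hmac


def canonical(name: str) -> bytes:
    """Mimic the target's preprocessing: only A-Z are lowercased (the +32
    shift) and spaces are dropped (cmp dl,20 / je)."""
    out = bytearray()
    for ch in name.encode("latin-1", errors="replace"):  # one byte per char, like dl
        if ch == 0x20:
            continue
        if 0x41 <= ch <= 0x5A:
            ch += 0x20
        out.append(ch)
    return bytes(out)


def target_key(name: str) -> int:
    """The value left in EBX when the target reaches the cmp at 0044FD91."""
    ebx = 0
    for ch in canonical(name):
        ebx = (ebx + ch) & 0xFFFFFFFF      # add ebx, edx on a 32-bit register
    ebx ^= 0x89                            # xor ebx, 89h
    ebx ^= 0x33                            # xor ebx, 33h  (together: xor 0BAh)
    return ebx


def check_serial(name: str, serial: str) -> bool:
    """cmp ebx, eax: the typed code (assumed to be parsed as a decimal
    integer) must equal the computed value."""
    try:
        typed = int(serial, 10)
    except ValueError:
        return False
    return typed == target_key(name)


def distinct_keys(names) -> int:
    """Number of different serials a list of names maps to. The sum ignores
    order, case and spacing, so anagrams and re-cased names collide."""
    return len({target_key(n) for n in names})


# Constructed contrast: a keyed MAC over the exact name. The secret below is
# a made-up placeholder. A MAC is only as good as the secret's hiding place;
# a real product would sign the name with a private key and ship only the
# public key. The point here is just that order, case and spacing now matter.
VENDOR_SECRET = b"placeholder-vendor-secret"


def keyed_serial(name: str, secret: bytes = VENDOR_SECRET) -> str:
    digest = hmac.new(secret, name.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16].upper()


def check_keyed_serial(name: str, serial: str, secret: bytes = VENDOR_SECRET) -> bool:
    return hmac.compare_digest(keyed_serial(name, secret), serial.upper())


if __name__ == "__main__":
    demo = ["Fluxphrozen", "FLUXPHROZEN", "flux phrozen", "nezorhpxulf"]
    print("Fluxphrozen ->", target_key("Fluxphrozen"))
    print("distinct sum/XOR keys for", demo, "=", distinct_keys(demo))
    print("distinct keyed serials   =", len({keyed_serial(n) for n in demo}))
```

Running it with the tutorial's own name gives 1151 for "Fluxphrozen", and the four demo names (upper-cased, with a space inserted, and reversed) all produce that same key, while the keyed variant gives four different serials. The narrow key range is the other thing to notice: every serial is the letter sum with the low byte XORed by 0xBA, so for any realistic name the accepted value lies within a few thousand of the name's length times 100.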