COOL HACKS
Cracking :
This is very difficult to read long tutorials like this but You have to read in order to know some thing
All the best for your patience.....
What is a keygen? A keygen, or key generator, it’s a program written for a specific program so the user can enter any name and then have the registration code for that name. That simple.
Why make a keygen when just a serial can be used? Well part of the fun of cracking is making your own creations. Also it is kinda lame to produce only one serial for a particular proggie ie: Myname [MY GROUP '97] SERIAL:1234-5678, when the user would like to have his/her name as the registered owner. It takes a bit more skill to write one, and as a cracker, if you code it in asm, you will find it is a little easier to crack. Besides it seems kind of “elite” to make a keygen
How do i make a keygen? Ahhh, good question…. This is asked quite a lot. Basically you need to know HOW the program verifies whether the serial number you entered is correct. To verify it, the proggie has to actually encrypt the users input data (whether it is serial number, name, or combination of both) and then compare that answer to the info you entered. If it is incorrect, then we get a messagebox that tells us so.
To start off, we need to know whether there is only one serial number that will work, or whether it depends on what information we enter. Only one serial number allowed doesn’t qualify for a keygen. If the program uses the information we enter to determine what the serial number is going to be, then that is where we need to start.
I always use basic numbers, or letters so i know what they are when i see them ie: 08642 or qazwsx. That way i don’t get them mixed up with some data that might be in memory at the time.. also when you use numbers, programs can take those numbers and convert them to hexidecimal and then store them in a register or memory location. When u enter your data, remember that the number could be converted to hexidecimal ie: 123 would be 7Bh. You may see that in a register, so watch out for it!!! Sometimes programs need a serial like: 1234-5678-9024. You should see an echo of it in memory, as with any other info you enter. The program may convert that to hexidecimal ( minus the dashes) and store it somewhere, or it might take each number and do its math on it… meaning that it might take the 1 (31h) and multiply it by a certain value, then loop untill all the numbers have gone through the cycle, or something similar. PLEASE REMEMBER that not every proggie uses the same tricks. Some will convert the 1234 to hex, while others might use ascii to hex (asm term) or ascii to integer (C term) to make eax=1234 instead of the hexidecimal value of 1234… just be wary when ur looking around.
Now for the stratagy: When we enter our info, we want to see what is done with it. The best way to do that is set a break point range (bpr) on the intended info. I usually type my info in, then bpx hmemcpy in sice, then hit enter, hit f5 untill all the data is read, but b/4 we get to the messagebox. Hit f12 untill your back to 32 bit code, or 16bit (depending on what the proggie is written in). Then i disable my bpx hmemcpy, and set a break point on a certain line (so i don’t have to go through the whole process of hmemcpy again), but if the program uses hmemcpy to move the serial some more, the bpr on the info usually picks it up. After i bpx a certain line, i s 0 l ffffffff ‘my info’ and when i find it, BPR rw (w/o the < > ) and the rw stands for read/write ie: bpr 013f:123 013f:129 rw. I set the range because some programs take only part of the serial and do something with it, whether that is read only part of it, or move it to another spot in memory. Now search for it again, by typing just S and then hit enter (this continues the last search done from the current position) and if you find it in the Cxxxxxxxx range, don’t bpr on it. Likewise if you find it in the 8xxxxxxx range, don’t set a bpr on it. This part of memory is windows video buffer i think (anyway windows uses it).
Some proggies take the users name and capitalize it, you should notice this, also notice whether certain characters are allowed ie: numbers, brackets, dashes, all the other characters… When the program capitalizes the name it may skip over certain characters and do nothing with them, or if you put a space in the name, it may convert the space to an underscore or some other character…TAKE NOTE OF WHAT GOES ON !!!!!!!!!!!
If the program doesn’t worry about the users name, it might concentrate on the serial number provided. This we also have to watch. Earlier i mentioned that proggies may convert the numbers to hex, or ascii to hex, or just read them from memory, YOU HAVE TO NOTICE WHAT IT DOES when it reads/modified the number. Sometimes this isn’t easy to see, or you might have caught part of the algo, and missed the first very important part. If so, you need to back track and find out what you missed… The key to understanding keygens it UNDERSTANDING HOW WHAT THE ALGORITHM DOES.. thus the name- keygens.
What is left out? Are there dashes in the serial still? Are certain characters no longer there? Do spaces equal spaces, or are they taken out, or replaced with underlines, or zero’s? This is the most important part. Pay close attention.. at this point the serial number might be in hex form, or ascii character to hex representation, also known as ascii/integer representation. Meaning.. in memory instead of seeing 31h 32h 33h 34h 2Dh 35h 36h 37h 38h you will see 01h 02h 03h 04h 2Dh 05h 06h 07h 08h (the dash may not be there). These are all questions that we should be asking ourselves. There are a million different things to do to the serial number, but remember we need to duplicate it.
All of this so far is done b/4 the algorithm is reached. When we finally ge to it, we want to write down (on paper) what it does. Do this line by line… but at the top have the serial number, or name it uses so you can easily look and see where it gets the info. Start out by explaining all the variables, like….. eax now holds our serial in hex form, ecx holds the total number of digits entered, or [esi+bx] is the buffer where our name is stored (after it is capitalized). make sure you know what all the variables are b/4 u start writing lines. If eax=100h b/4 it starts, make a note of it. Sometimes there are already numbers in the registers that are part of the algo. This is essential.
Now write every line down on our paper. I write them exactly as shown in sice. The only difference is i comment every line that causes a register to change. I put in perenthesis what the registers hold after the instruction i s executed, that way when i finish mine and need to debug it, i know what numbers should be where. This will tell me where i went wrong. Some algos use the Zero flag for special jumps.. when this happens i write that down too. When i see something like mov ecx,[eax+4] i write down what that memory location would be, whether its my serial or just the hex value of my serial. If it is the buffer where my name is stored, i write that down too. At the end of the algorithm, the correct serial number is either in memory or in a register. Make a special point to wite down how it is stored. The registration number could be in eax. If eax= 12c4328a, the registration could be the decimal value of eax, or it could actually be 12c4328a. Make sure you know what u have to do to be able to print it to the screen. When i have the full algorithm on paper, i sit down and sort out what i don’t need. If the program pushes something to the stack that isn’t important to me, I leave it out. (today i just found an algo that uses 57 lines of code, and i cut it down to 24)
By this time, you should have a basic understanding of how the program generates the serial. Now we duplicate it.
#1. get input
#2. make name all caps
#3. change all Q’s and Z’s to R’s
#4. get all letters of the name and do the math
#5. eax=hex value of our serial
#6. convert to decimal
#7. print to screen
#8. done!!!
OR:
#1. get input
#2. convert serial number to hex, and move into eax
#3. do math with serial number
#4. edx=23abc3e5…. and 23abc3e5 is our registration code…
#5. put edx into memory in ascii form
#6. print to screen
#7. done!!!
Whatever u do, make sure u have your outline. That way when you start writing it, you will know what is needed.
—————————————————————————-
NOW is the time for OUR keygen… i’ve provided some code you can track down and break on.
For this example i am going to use the Name: stickless (no caps) and the registration number 987654.
First of all, enter your name, and serial number in the spaces provided. Don’t hit enter.
1. In sice set bpx hmemcpy, and exit again
2. Hit enter, and hit f5 1 time
3. Now hit f12 untill you are back into the w32filer code
4. Search for 33 d2 33 c0 3b c8 7e 17 0f be and set a break point on that location.
5. Search for 0f be 0a 83 f9 20 74 0d 8a 0a and also set a break point on that address. ( s 0 l ffffffff 0a 83 f9 20 74 0d 8a 0a ) is how
6. Now on the first line after you enter w3filer code, set a bpx on it.
Also bd the bpx hmemcpy. (I do that so i don’t have to go back through hmemcpy if i mess up.)
7. If all goes well you can hit f5 and it will break on the line that starts moving your serial to another place, then capitalizes it.
(if not, then exit select ok and follow the first call after writeprivatprofilestringa, and you will find it.) Single step through this part of the program so you can see what happens.
8. REMEMBER to write down on a piece of paper exactly what we see the program doing. We will need this for our keygen.
8a. You should see each character being loaded, then compared to see if it is a captial letter already, if not, then it is checked to see if it is a space. If it is, then it skips over it to the next letter.
9. after this is done, there is another call. This one calculates the total number of letters that are in the name. It is then compared to 4, to see if there were enough characters entered.
10. You may be able to see the next break point we searched for. If not, set a temporary break point on a line where you are at, then hit f5. If we found the correct bytes and set a bpx on them, then we should stop at the actual algorithm. If not, then we’ll have to hit ok and go through this process again.
11. When we break on the algorithm we will see these lines:
xor edx,edx -clears edx for a new start
xor eax,eax -new start
cmp ecx,eax -ecx holds the total number of digits we entered
jle xxxxxxxx -xxxxxxxx is some line number that continues the algo
loop: movsx ebx,byte ptr [eax+esi] -gets the first letter, then next
shl ebx,03 -shifts the value of the letter left 3 times
movsx edi,byte ptr [esi+esi] -gets same letter in edi
imul edi,eax -eax holds the spot in our name. first letter = 0
add ebx,edi -add the hex value of the letter to ebx
add edx,ebx -now add that number to edx
inc eax -increase our counter (for our name)
cmp ecx,eax -does the counter equal the total number of digits?
jg loop -if it is greater than our total digits, then go on
-the program loops untill all letters of our name -have been read and converted
mov eax,[00416720] -this is the hexidecimal representaion of the
-serial number provided. If you ? eax, you
-will see the serial number
sar eax,03 -shift arithmatic right
add edx,eax -at this point edx now holds our serial number..
-however, there is a little twist to the story
-edx=6856d39.. if you ? edx you get 0109407545..
-however if you enter that number, it won’t work
-the reg code IS 6856d39
*********** REALLY BIG NOTE HERE!! DON’T IGNORE THIS*******************
WRITE ALL OF THIS DOWN ON PAPER WHILE YOUR DOING IT.
I write it exactly as i see it, and put comments on every line.
You can never have too many comments, unless they don’t make sense.
In the place of [eax+esi] i write “points to my name” behind it.
Remember, to make your keygen, you need to know what to put in it,
and what order. Currently i have this written down on paper:
1. Enter name
2. Move it and take out the spaces
3. Capitalize it
4. Get the number of characters entered
5. Cmp that number to 4
6. Enter algorithm
7. I have the algo on paper and have it commented
8. After algo is over with, edx hold the hexidecimal represention of my serial number
WRITE EVERYTHING DOWN AND COMMENT IT!!!!!!
*******************************ok ur done***********************************
If you trace a little while longer, then you will see that number being compared to the number you entered. There is a return and eax=0 if all is well. If not, then we go to the messagebox.
I am done with my tutorial. All that is left is the source for my keygen.
Study it, and duplicate it, steal any code u need, or modify it all you want. I don’t care, as long as you learn how things work.
Encluded should be the program, and another copy of the source. I suggest you compile it with the int3’s included and set a bpint 3 in sice, and single step through all of it. You will learn a lot more by doing that than just reading the code. I know i have rambled on for a long time now so i’ll stop.
I hope this brought a few of you closer to understanding keygens and how to make them. I have plans for another tutorial on them, but ran out of time to put it in here. This next one will use a different type of algorithm, and i’ll show u some more asm code. Using the two tutes, you should be able to write your own for most programs. have fun and stay happy
*
*
*
This is the basic format for making a keygen for wfiler32.. the following is an example of how to do it.
————-cut and paste the rest so you don’t have to type it————
;keygen for wfiler32
;made by #cracking4newbies for newbies
.model small
.stack 100h
.386
.data
hello db ‘Please enter your name here : $’
ask_serial db 0dh,0ah,0dh,0ah, ‘Enter The serial number (in the registration box) : $’
uprint db 0dh,0ah,0dh,0ah,’Your registration code is : $’
infa db 0dh,0ah,0dh,0ah,’#cracking4newbies keygen for wfiler32 $’
;the next 3 lines are for getting input and the params it has to meet
;maxkey db 20 ;maximum characters-set to 20
;charinp db ? ;not surehow many characters we are going to type
serinum db 20
serinp db ?
buffer db 20 dup(0) ;characters r stored-there are 20 max
note db 0dh,0ah,0dh,0ah,’Please enter more than 8 characters for your name.$’
key db 11 dup(0)
bufferb db 20 dup(0)
nametotal db 20
namehow db ?
bufferc db 20 dup(0)
key2 db 11 dup(0)
.code ;my code begins here
start:
main proc ;sets up procedure/is also the starting point
mov ax, @data ;canпt modify ds directly
mov ds, ax ;move it into another reg first
mov ah,7 ;attrib to scroll window, 7 scroll down
mov al,0 ;do the entire window
mov ch,0 ;this points to the upper left row
mov cl,0 ;this points to the upper left column
mov dh,24 ;this points to the lower right row
mov dl,79 ;this points to the lower right column
mov bh,7 ;normal attrib for blank lines
int 10h ;call bios
xor ax,ax ;make sure that ax(ah+al) are clear
;this next section is to set the cursor upwards in the screen
mov ah,2 ;ah=2/int10h set the cursor position
mov bh,0 ;select video page 0
mov dx,0501h ;cursor 5 rows down in the first column
int 10h ;call bios
mov ah,09h ;ah=9/int21=dos function print to screen
mov dx,offset infoa ;points to where data infoa is stored
int 21h ;call dos int 21
mov ah,09h ;ah=9/int21 dos function print to screen
mov dx,offset hello ;points to where data hello is stored
int 21h ;dx points to it or it wonпt print
mov ah, 0ah ;ah=0ah/int21 dos procedure for asking
mov dx, offset nametotal ;dx has to point to the first of the
int 21h ;paramaters-starts with max keys allowed
;int 3h ;take the semi-colon out to debug the source
call checknum ;check to see if enough letters were entered
mov ah,09h ;as for the serial number
mov dx,offset ask_serial ;dx points to the location in memory of the txt
int 21H ;call dos interupt
mov ah, 0aH ;ah=0ah/int21 gets buffered input
mov dx, offset serinum ;store the input in a buffer named serinum
int 21h ;execute ah=0ah
;int 3h ;remove semicolon and recompile to debug it
call caps ;call the capitalize procedure
call str2num ;this converts a string of numbers to hexidecimal value
call calc ;this is the actual algo for w32filer
mov ax,4c00h ;termination string
int 21h ;go bye bye
main endp
;this section checks to see how many characters were entered
;if less than 4 then no good
checknum proc
mov si, offset namehow ;total number of characters entered
mov cl,byte ptr [si] ;mov 1 byte (cl only holds 1 byte)
cmp cl,04h ;cmp the total number to 4
jle nogood ;if less than 4 then let user know
ret ;if it is more than 4, then return from call
nogood: mov dx,offset note ;there are too few letters in the name
mov ah,09h ;so we have to let the user know
int 21h
mov ax,4c00h ;lets kill the program
int 21h ;ax=4c00h/int21h end the program
checknum endp
;this section checks the name for caps and if already capital, then it leaves
;it alone, otherwise it converts it…also i checked for a space… didn’t ;want
;that to get captialized too
caps proc
push ecx ;save data
push edx ;save data
push esi ;save data
xor edx,edx ;we clear all to get a fresh start
xor ecx,ecx ;we clear all to get a fresh start
mov si, offset bufferc ;point to name
mov cl,[si] ;lets load it up and do some checking
all: cmp cl,61h ;is the letter less than “a” (if less than, it is a capital letter)
jl g02 ;yes then lets just print it and not make it ;uppercase
cmp cl,7ah ;is it greater than “z”
jg g02 ;yes then lets just print it
sub cl,20h
mov [si],cl ;[si] is where we got the letter from, now ;lets replace it with a capital one
g02: mov cl,[si+1] ;get next character
inc si ;point to next character
cmp cl,0dh ;is this the code for the return?
jnz all ;no, then lets do this stuff again
alldon: pop esi ;restore data
pop edx ;restore data
pop ecx ;restore data
ret
caps endp
This is very difficult to read long tutorials like this but You have to read in order to know some thing
All the best for your patience.....
What is a keygen? A keygen, or key generator, it’s a program written for a specific program so the user can enter any name and then have the registration code for that name. That simple.
Why make a keygen when just a serial can be used? Well part of the fun of cracking is making your own creations. Also it is kinda lame to produce only one serial for a particular proggie ie: Myname [MY GROUP '97] SERIAL:1234-5678, when the user would like to have his/her name as the registered owner. It takes a bit more skill to write one, and as a cracker, if you code it in asm, you will find it is a little easier to crack. Besides it seems kind of “elite” to make a keygen
How do i make a keygen? Ahhh, good question…. This is asked quite a lot. Basically you need to know HOW the program verifies whether the serial number you entered is correct. To verify it, the proggie has to actually encrypt the users input data (whether it is serial number, name, or combination of both) and then compare that answer to the info you entered. If it is incorrect, then we get a messagebox that tells us so.
To start off, we need to know whether there is only one serial number that will work, or whether it depends on what information we enter. Only one serial number allowed doesn’t qualify for a keygen. If the program uses the information we enter to determine what the serial number is going to be, then that is where we need to start.
I always use basic numbers, or letters so i know what they are when i see them ie: 08642 or qazwsx. That way i don’t get them mixed up with some data that might be in memory at the time.. also when you use numbers, programs can take those numbers and convert them to hexidecimal and then store them in a register or memory location. When u enter your data, remember that the number could be converted to hexidecimal ie: 123 would be 7Bh. You may see that in a register, so watch out for it!!! Sometimes programs need a serial like: 1234-5678-9024. You should see an echo of it in memory, as with any other info you enter. The program may convert that to hexidecimal ( minus the dashes) and store it somewhere, or it might take each number and do its math on it… meaning that it might take the 1 (31h) and multiply it by a certain value, then loop untill all the numbers have gone through the cycle, or something similar. PLEASE REMEMBER that not every proggie uses the same tricks. Some will convert the 1234 to hex, while others might use ascii to hex (asm term) or ascii to integer (C term) to make eax=1234 instead of the hexidecimal value of 1234… just be wary when ur looking around.
Now for the stratagy: When we enter our info, we want to see what is done with it. The best way to do that is set a break point range (bpr) on the intended info. I usually type my info in, then bpx hmemcpy in sice, then hit enter, hit f5 untill all the data is read, but b/4 we get to the messagebox. Hit f12 untill your back to 32 bit code, or 16bit (depending on what the proggie is written in). Then i disable my bpx hmemcpy, and set a break point on a certain line (so i don’t have to go through the whole process of hmemcpy again), but if the program uses hmemcpy to move the serial some more, the bpr on the info usually picks it up. After i bpx a certain line, i s 0 l ffffffff ‘my info’ and when i find it, BPR rw (w/o the < > ) and the rw stands for read/write ie: bpr 013f:123 013f:129 rw. I set the range because some programs take only part of the serial and do something with it, whether that is read only part of it, or move it to another spot in memory. Now search for it again, by typing just S and then hit enter (this continues the last search done from the current position) and if you find it in the Cxxxxxxxx range, don’t bpr on it. Likewise if you find it in the 8xxxxxxx range, don’t set a bpr on it. This part of memory is windows video buffer i think (anyway windows uses it).
Some proggies take the users name and capitalize it, you should notice this, also notice whether certain characters are allowed ie: numbers, brackets, dashes, all the other characters… When the program capitalizes the name it may skip over certain characters and do nothing with them, or if you put a space in the name, it may convert the space to an underscore or some other character…TAKE NOTE OF WHAT GOES ON !!!!!!!!!!!
If the program doesn’t worry about the users name, it might concentrate on the serial number provided. This we also have to watch. Earlier i mentioned that proggies may convert the numbers to hex, or ascii to hex, or just read them from memory, YOU HAVE TO NOTICE WHAT IT DOES when it reads/modified the number. Sometimes this isn’t easy to see, or you might have caught part of the algo, and missed the first very important part. If so, you need to back track and find out what you missed… The key to understanding keygens it UNDERSTANDING HOW WHAT THE ALGORITHM DOES.. thus the name- keygens.
What is left out? Are there dashes in the serial still? Are certain characters no longer there? Do spaces equal spaces, or are they taken out, or replaced with underlines, or zero’s? This is the most important part. Pay close attention.. at this point the serial number might be in hex form, or ascii character to hex representation, also known as ascii/integer representation. Meaning.. in memory instead of seeing 31h 32h 33h 34h 2Dh 35h 36h 37h 38h you will see 01h 02h 03h 04h 2Dh 05h 06h 07h 08h (the dash may not be there). These are all questions that we should be asking ourselves. There are a million different things to do to the serial number, but remember we need to duplicate it.
All of this so far is done b/4 the algorithm is reached. When we finally ge to it, we want to write down (on paper) what it does. Do this line by line… but at the top have the serial number, or name it uses so you can easily look and see where it gets the info. Start out by explaining all the variables, like….. eax now holds our serial in hex form, ecx holds the total number of digits entered, or [esi+bx] is the buffer where our name is stored (after it is capitalized). make sure you know what all the variables are b/4 u start writing lines. If eax=100h b/4 it starts, make a note of it. Sometimes there are already numbers in the registers that are part of the algo. This is essential.
Now write every line down on our paper. I write them exactly as shown in sice. The only difference is i comment every line that causes a register to change. I put in perenthesis what the registers hold after the instruction i s executed, that way when i finish mine and need to debug it, i know what numbers should be where. This will tell me where i went wrong. Some algos use the Zero flag for special jumps.. when this happens i write that down too. When i see something like mov ecx,[eax+4] i write down what that memory location would be, whether its my serial or just the hex value of my serial. If it is the buffer where my name is stored, i write that down too. At the end of the algorithm, the correct serial number is either in memory or in a register. Make a special point to wite down how it is stored. The registration number could be in eax. If eax= 12c4328a, the registration could be the decimal value of eax, or it could actually be 12c4328a. Make sure you know what u have to do to be able to print it to the screen. When i have the full algorithm on paper, i sit down and sort out what i don’t need. If the program pushes something to the stack that isn’t important to me, I leave it out. (today i just found an algo that uses 57 lines of code, and i cut it down to 24)
By this time, you should have a basic understanding of how the program generates the serial. Now we duplicate it.
#1. get input
#2. make name all caps
#3. change all Q’s and Z’s to R’s
#4. get all letters of the name and do the math
#5. eax=hex value of our serial
#6. convert to decimal
#7. print to screen
#8. done!!!
OR:
#1. get input
#2. convert serial number to hex, and move into eax
#3. do math with serial number
#4. edx=23abc3e5…. and 23abc3e5 is our registration code…
#5. put edx into memory in ascii form
#6. print to screen
#7. done!!!
Whatever u do, make sure u have your outline. That way when you start writing it, you will know what is needed.
—————————————————————————-
NOW is the time for OUR keygen… i’ve provided some code you can track down and break on.
For this example i am going to use the Name: stickless (no caps) and the registration number 987654.
First of all, enter your name, and serial number in the spaces provided. Don’t hit enter.
1. In sice set bpx hmemcpy, and exit again
2. Hit enter, and hit f5 1 time
3. Now hit f12 untill you are back into the w32filer code
4. Search for 33 d2 33 c0 3b c8 7e 17 0f be and set a break point on that location.
5. Search for 0f be 0a 83 f9 20 74 0d 8a 0a and also set a break point on that address. ( s 0 l ffffffff 0a 83 f9 20 74 0d 8a 0a ) is how
6. Now on the first line after you enter w3filer code, set a bpx on it.
Also bd the bpx hmemcpy. (I do that so i don’t have to go back through hmemcpy if i mess up.)
7. If all goes well you can hit f5 and it will break on the line that starts moving your serial to another place, then capitalizes it.
(if not, then exit select ok and follow the first call after writeprivatprofilestringa, and you will find it.) Single step through this part of the program so you can see what happens.
8. REMEMBER to write down on a piece of paper exactly what we see the program doing. We will need this for our keygen.
8a. You should see each character being loaded, then compared to see if it is a captial letter already, if not, then it is checked to see if it is a space. If it is, then it skips over it to the next letter.
9. after this is done, there is another call. This one calculates the total number of letters that are in the name. It is then compared to 4, to see if there were enough characters entered.
10. You may be able to see the next break point we searched for. If not, set a temporary break point on a line where you are at, then hit f5. If we found the correct bytes and set a bpx on them, then we should stop at the actual algorithm. If not, then we’ll have to hit ok and go through this process again.
11. When we break on the algorithm we will see these lines:
xor edx,edx -clears edx for a new start
xor eax,eax -new start
cmp ecx,eax -ecx holds the total number of digits we entered
jle xxxxxxxx -xxxxxxxx is some line number that continues the algo
loop: movsx ebx,byte ptr [eax+esi] -gets the first letter, then next
shl ebx,03 -shifts the value of the letter left 3 times
movsx edi,byte ptr [esi+esi] -gets same letter in edi
imul edi,eax -eax holds the spot in our name. first letter = 0
add ebx,edi -add the hex value of the letter to ebx
add edx,ebx -now add that number to edx
inc eax -increase our counter (for our name)
cmp ecx,eax -does the counter equal the total number of digits?
jg loop -if it is greater than our total digits, then go on
-the program loops untill all letters of our name -have been read and converted
mov eax,[00416720] -this is the hexidecimal representaion of the
-serial number provided. If you ? eax, you
-will see the serial number
sar eax,03 -shift arithmatic right
add edx,eax -at this point edx now holds our serial number..
-however, there is a little twist to the story
-edx=6856d39.. if you ? edx you get 0109407545..
-however if you enter that number, it won’t work
-the reg code IS 6856d39
*********** REALLY BIG NOTE HERE!! DON’T IGNORE THIS*******************
WRITE ALL OF THIS DOWN ON PAPER WHILE YOUR DOING IT.
I write it exactly as i see it, and put comments on every line.
You can never have too many comments, unless they don’t make sense.
In the place of [eax+esi] i write “points to my name” behind it.
Remember, to make your keygen, you need to know what to put in it,
and what order. Currently i have this written down on paper:
1. Enter name
2. Move it and take out the spaces
3. Capitalize it
4. Get the number of characters entered
5. Cmp that number to 4
6. Enter algorithm
7. I have the algo on paper and have it commented
8. After algo is over with, edx hold the hexidecimal represention of my serial number
WRITE EVERYTHING DOWN AND COMMENT IT!!!!!!
*******************************ok ur done***********************************
If you trace a little while longer, then you will see that number being compared to the number you entered. There is a return and eax=0 if all is well. If not, then we go to the messagebox.
I am done with my tutorial. All that is left is the source for my keygen.
Study it, and duplicate it, steal any code u need, or modify it all you want. I don’t care, as long as you learn how things work.
Encluded should be the program, and another copy of the source. I suggest you compile it with the int3’s included and set a bpint 3 in sice, and single step through all of it. You will learn a lot more by doing that than just reading the code. I know i have rambled on for a long time now so i’ll stop.
I hope this brought a few of you closer to understanding keygens and how to make them. I have plans for another tutorial on them, but ran out of time to put it in here. This next one will use a different type of algorithm, and i’ll show u some more asm code. Using the two tutes, you should be able to write your own for most programs. have fun and stay happy
*
*
*
This is the basic format for making a keygen for wfiler32.. the following is an example of how to do it.
————-cut and paste the rest so you don’t have to type it————
;keygen for wfiler32
;made by #cracking4newbies for newbies
.model small
.stack 100h
.386
.data
hello db ‘Please enter your name here : $’
ask_serial db 0dh,0ah,0dh,0ah, ‘Enter The serial number (in the registration box) : $’
uprint db 0dh,0ah,0dh,0ah,’Your registration code is : $’
infa db 0dh,0ah,0dh,0ah,’#cracking4newbies keygen for wfiler32 $’
;the next 3 lines are for getting input and the params it has to meet
;maxkey db 20 ;maximum characters-set to 20
;charinp db ? ;not surehow many characters we are going to type
serinum db 20
serinp db ?
buffer db 20 dup(0) ;characters r stored-there are 20 max
note db 0dh,0ah,0dh,0ah,’Please enter more than 8 characters for your name.$’
key db 11 dup(0)
bufferb db 20 dup(0)
nametotal db 20
namehow db ?
bufferc db 20 dup(0)
key2 db 11 dup(0)
.code ;my code begins here
start:
main proc ;sets up procedure/is also the starting point
mov ax, @data ;canпt modify ds directly
mov ds, ax ;move it into another reg first
mov ah,7 ;attrib to scroll window, 7 scroll down
mov al,0 ;do the entire window
mov ch,0 ;this points to the upper left row
mov cl,0 ;this points to the upper left column
mov dh,24 ;this points to the lower right row
mov dl,79 ;this points to the lower right column
mov bh,7 ;normal attrib for blank lines
int 10h ;call bios
xor ax,ax ;make sure that ax(ah+al) are clear
;this next section is to set the cursor upwards in the screen
mov ah,2 ;ah=2/int10h set the cursor position
mov bh,0 ;select video page 0
mov dx,0501h ;cursor 5 rows down in the first column
int 10h ;call bios
mov ah,09h ;ah=9/int21=dos function print to screen
mov dx,offset infoa ;points to where data infoa is stored
int 21h ;call dos int 21
mov ah,09h ;ah=9/int21 dos function print to screen
mov dx,offset hello ;points to where data hello is stored
int 21h ;dx points to it or it wonпt print
mov ah, 0ah ;ah=0ah/int21 dos procedure for asking
mov dx, offset nametotal ;dx has to point to the first of the
int 21h ;paramaters-starts with max keys allowed
;int 3h ;take the semi-colon out to debug the source
call checknum ;check to see if enough letters were entered
mov ah,09h ;as for the serial number
mov dx,offset ask_serial ;dx points to the location in memory of the txt
int 21H ;call dos interupt
mov ah, 0aH ;ah=0ah/int21 gets buffered input
mov dx, offset serinum ;store the input in a buffer named serinum
int 21h ;execute ah=0ah
;int 3h ;remove semicolon and recompile to debug it
call caps ;call the capitalize procedure
call str2num ;this converts a string of numbers to hexidecimal value
call calc ;this is the actual algo for w32filer
mov ax,4c00h ;termination string
int 21h ;go bye bye
main endp
;this section checks to see how many characters were entered
;if less than 4 then no good
checknum proc
mov si, offset namehow ;total number of characters entered
mov cl,byte ptr [si] ;mov 1 byte (cl only holds 1 byte)
cmp cl,04h ;cmp the total number to 4
jle nogood ;if less than 4 then let user know
ret ;if it is more than 4, then return from call
nogood: mov dx,offset note ;there are too few letters in the name
mov ah,09h ;so we have to let the user know
int 21h
mov ax,4c00h ;lets kill the program
int 21h ;ax=4c00h/int21h end the program
checknum endp
;this section checks the name for caps and if already capital, then it leaves
;it alone, otherwise it converts it…also i checked for a space… didn’t ;want
;that to get captialized too
caps proc
push ecx ;save data
push edx ;save data
push esi ;save data
xor edx,edx ;we clear all to get a fresh start
xor ecx,ecx ;we clear all to get a fresh start
mov si, offset bufferc ;point to name
mov cl,[si] ;lets load it up and do some checking
all: cmp cl,61h ;is the letter less than “a” (if less than, it is a capital letter)
jl g02 ;yes then lets just print it and not make it ;uppercase
cmp cl,7ah ;is it greater than “z”
jg g02 ;yes then lets just print it
sub cl,20h
mov [si],cl ;[si] is where we got the letter from, now ;lets replace it with a capital one
g02: mov cl,[si+1] ;get next character
inc si ;point to next character
cmp cl,0dh ;is this the code for the return?
jnz all ;no, then lets do this stuff again
alldon: pop esi ;restore data
pop edx ;restore data
pop ecx ;restore data
ret
caps endp
