Results 1 to 30 of 30
  1. #1
    Valac's Avatar
    Valac is offline Member
    Join Date
    Mar 2007
    Location
    AUSTRALIA FTW!
    Posts
    604

    Cool how to make a keygen

    hey guys, thought id help some u out with gettin prgms for nothin if this isnt allowed on this forum just close it.
    heres the tut:

    How to make a Key Generator.

    Long and detailed tutorial :



    Tools!
    For tools you need a minimum of debugger like SoftIce for Windows (hence WinIce), and a C compiler with Dos libraries.


    Content!
    In this tutorial I will show how to make a key-gen for Ize and Swiftsearch. The protection that these programs use is the well known Enter-Name-and-Registration-Number method. After selecting 'register', a window pops up where you can enter your name and your registration number. The strategy here is to find out where in memory the data you enter is stored and then to find out what is done with it. Before you go on make sure you configure the SoftIce dat file according to the PWD tutorial #1.


    Part 1: Scanline Swiftsearch 2.0!

    Swiftsearch is a useful little program that you can use to search on the web. I will explain step by step how to crack it.

    step 1. Start the program

    step 2: Choose register from the menus. You will now get a window where you can enter your name and your registration number.

    step 3: Enter SoftIce (ctrl-d)

    step 4: We will now set a breakpoint on functions like GetWindowText(a) and GetDlgItemText(a) to find out where in memory the data that we just entered is stored. The function that is used by this program is GetDlgItemTexta (trial and error, just try yourself so, in SoftIce type BPX GetDlgItemTexta and exit SoftIce with the g command.

    step 5: Now type a name and a registration number (I used razzia and 12345) and press OK, this will put you back in SoftIce. Since you are now inside the GetDlgItemTexta function press F11 to get out of it. You should see the following code:

    lea eax, [ebp-2C] :<--- we are looking for this location
    push eax
    push 00000404
    push [ebp+08]
    call [USER32!GetDlgItemTextA]
    mov edi, eax :<--- eax has the length of the string
    and is stored in edi for later usage.

    We see that EAX is loaded with a memory address and then pushed to the stack as a parameter for the function GetDlgItemTextA. Since the function GetDlgItemTextA is already been run we can look at EBP-2c (with ED EDP-2c) and see that the name we entered is there. Now we know where the name is stored in memory, normally it would be wise to write that address down, but we will see that in this case it wont be necessary.

    So, what next? Now we have to allow the program to read the registration number we entered. Just type g and return and when back in SoftIce press F11. You should see the following code:

    push 0000000B
    lea ecx, [ebp-18] : <--So, ebp-18 is where the reg. number
    push ecx : is stored.
    push 0000042A
    push [ebp+08]
    call [USER32!GetDlgItemTextA]
    mov ebx, eax : <--save the lenght of string in EBX
    test edi, edi : <--remember EDI had the lenght of the
    jne 00402FBF : name we entered?

    We see that the registration number is stored at location EBP-18 , check it with ED EBP-18. Again, normally it would be wise to note that address down. Also we see that it is checked if the length of the name we gave was not zero. If it is not zero the program will continue.

    Step 6: Ok, now we know where the data we entered is stored in memory. What next?
    Now we have to find out what is DONE with it. Usually it would we wise to put breakpoints on those memory locations and find out where in the program they are read. But in this case the answer is just a few F10's away. Press F10 until you see the following code :

    cmp ebx, 0000000A :<--remember EPX had the length of the
    je 00402FDE : registration code we entered?

    These two lines are important. They check if the length of the registration code we entered is equal to 10. If not the registration number will be considered wrong already. The program wont even bother to check it. Modify EBX or the FLAG register in the register window to allow the jump. Continue Pressing F10 until you get to the following code (note that the adresses you will see could be different) :

    :00402FDE xor esi, esi :<-- Clear ESI
    :00402FE0 xor eax, eax :<-- Clear EAX
    :00402FE2 test edi, edi
    :00402FE4 jle 00402FF2
    :00402FE6 movsx byte ptr ecx, [ebp + eax - 2C] :<-- ECX is loaded with a letter of the name we entered.
    :00402FEB add esi, ecx :<-- Add the letter to ESI
    :00402FED inc eax :<-- Increment EAX to get next letter
    :00402FEE cmp eax, edi :<-- Did we reach the end of the string?
    :00402FF0 jl 00402FE6 :<-- If not, go get the next letter.

    Well, we see that the program adds together all the letters of the name we entered. Knowing that ESI contains the sum of the letters, lets continue and find out what the program does with that value :

    :00402FF2 push 0000000A
    :00402FF4 lea eax, [ebp-18] :<-- Load EAX with the address of the reg. number we entered
    :00402FF7 push 00000000
    :00402FF9 push eax :<-- Push EAX (as a parameter for the following function)
    :00402FFA call 00403870 :<-- Well, what do you think this function does?
    :00402FFF add esp, 0000000C
    :00403002 cmp eax, esi :<-- Hey!
    :00403004 je 00403020

    We see that a function is called and when RETurned ESI is compared with EAX. Hmm, lets look at what's in EAX. A '? EAX' reveals :

    00003039 0000012345 "09"

    Bingo. That's what we entered as the registration number. It should have been what's inside ESI. And we know what's inside ESI, the sum of the letters of the name we entered!

    Step 7: Now we know how the program computes the registration code we can make a key-gen.
    But we should not forget that the program checks also that the registration number has 10
    digits.
    A simple C code that will compute the registration number for this program could look like this:


    #include <stdio.h>
    #include <string.h>
    main()
    {
    char Name[100];
    int NameLength,Offset;
    long int Reg = 0, Dummy2 = 10;
    int Dummy = 0;
    int LengtDummy = 1;
    int Lengt , Teller;
    printf("Scanline SwiftSearch 2.0 crack by raZZia.\n");
    printf("Enter your name: ");
    gets(Name);
    NameLength=strlen(Name);

    /* the for lus calculates the sum of the letters in Name */
    /* and places that value in Reg */
    for (Offset=0;Offset<NameLength;Offset=Offset+1)
    {
    Reg=Reg+Name[Offset];
    }
    /* the while lus calculates the lenght of the figure in */
    /* Reg and places it in Lengt */
    while (Dummy != 1)
    {
    if ( Reg < Dummy2 )
    { Lengt = LengtDummy ; Dummy =1;
    }
    else
    { LengtDummy=LengtDummy + 1; Dummy2=Dummy2*10;
    }
    };
    printf("\nYour registration number is : " );
    /* First print 10-Lengt times a 0 */
    Lengt=10-Lengt;
    for (Teller=1;Teller<=Lengt;Teller=Teller+1) printf("0");
    /* Then print the registration number */
    printf("%lu\n",Reg);
    }




    Case 2 Ize 2.04 from Gadgetware

    Ize from Gadgetware is a cute little program that will put a pair of eyes on your screen which will
    follow your mousepointer. It has a register function where you can enter your name and a registration
    number. The strategy in this case is still the same : Find out where in memory the entered information
    is stored and then find out what is done with that information.

    Step 1: Start Ize. Chose register and enter a name and a number. I used 'razzia' and '12345'.

    Sterp 2: Enter (CTRL-D) Softice and set a breakpoint on GetDlgItemTextA.

    Step 3: Leave SoftIce and press OK. This will put you back in Softice. You will be inside the GetDlgItemTextA
    function. To get out of it press F11. You should see the following code :

    mov esi, [esp + 0C]
    push 00000064
    push 0040C3A0 :<--On this memory location the NAME we entered will be stored.
    mov edi, [USER32!GetDlgItemTextA] :<--Load edi with adress of GetDlgItemTextA
    push 00004EE9
    push esi
    call edi :<-- Call GetDlgItemTextA
    push 00000064 :<-- (you should be here now)
    push 0040C210 :<--On this memory location the NUMBER we entered will be stored
    push 00004EEA
    push esi
    call edi :<-- Call GetDlgItemTextA

    We see that the function GetDlgItemTextA is called twice in this code fragment. The first call has
    already happened. With ED 40C3A0 we can check that the name we entered is stored on that location.
    To allow the program to read in the number we entered we type G and enter. Now we are inside the Get-
    DlgItemTextA function again and we press f11 to get out of it. We check memory location 40C210 and
    we see the number we entered is stored there.
    Now we know the locations were the name and the number are stored,we note those down!

    Step 4: Ok, what next? We now know where in memory the name and the number are stored. We need to find out
    what the program does with those values. In order to do that we could set breakpoints on those memory
    locations to see where they are read. But in this case it wont be necessary. The answer is right after the
    above code :

    push 0040C210 :<--save the location of the number we entered (as a parameter for the next call)
    call 00404490 :<-- call this unknown function
    add esp, 00000004
    mov edi, eax :<-- save EAX (hmmmm)

    We see a function being called with the number-location as a parameter. We could trace into the function and see what it does, but that is not needed. With your experience of the Swiftsearch
    example you should be able to guess what this function does. It calculates the numerical value of the registration number and puts it in EAX. To be sure we step further using F10 untill we are past the call and check the contents of EAX (with ? EAX). In my case it showed : 00003039 0000012345 "09".

    Knowing that EDI contains our registration number we proceed:

    push 0040C3A0 :<-- save the location of the name we entered (as a parameter for the next call)
    push 00409080 :<-- save an unknown memory-location (as a parameter for the next call)
    call 004043B0 :<--call to an unknown function
    add esp, 00000008
    cmp edi, eax :<--compare EDI (reg # we entered) with EAX (unknown, since the previous call changed it)
    jne 004018A1 :<--jump if not equal

    We see that a function is called with two parameters. One of the parameters is the location of the name
    we entered. The other we dont know, but we can find out with ED 409080. We see the text 'Ize'.
    This function calculates the right registration number using those two parameters. If you just want to
    crack this program, you can place a breakpoint right after the call and check the contents of EAX. It will
    contain the right registration number. But since we want to know HOW the reg. # is calculated we will trace inside the function (using T). We will then try to find out HOW the contents of EAX got in there.

    Step 5: Once inside the interesting function you will see that we are dealing with a rather long function. It wont be necessary for me to include the complete listing of this function, because we wont need all of it to make our key-gen.
    But in order find out which part of the code is essential for the computation of the right registration number, you have to trace STEP by STEP and figure out what EXACTLY is going on!

    Afther doing this i found out that the first part of the function computes some kind of "key". Then this
    "key" is stored in memory and in that way passed on to the second part of the function.
    The second part of the function then computes the right registration number, based on this "key" AND
    the name we entered.

    The code that is essential and that we need for our key-gen is the following:

    ( Note that before the following code starts, the registers that are used will have the following values:
    EBX will point to the first letter of the name we entered,
    EDX will be zero,
    EBP will be zero,
    The "key" that we talked about earlier is stored in memory location 0040B828 and will
    have 0xA4CC as its initial value. )


    :00404425 movsx byte ptr edi, [ebx + edx] :<-- Put first letter of the name in EDI
    :00404429 lea esi, [edx+01] :<-- ESI gets the "letter-number"
    :0040442C call 00404470 :<-- Call function
    :00404431 imul edi, eax :<-- EDI=EDI*EAX (eax is the return value of the the previous call)
    :00404434 call 00404470 :<-- Call function
    :00404439 mov edx, esi
    :0040443B mov ecx, FFFFFFFF
    :00404440 imul edi, eax :<-- EDI=EDI*EAX (eax is the return value of the previous call)
    :00404443 imul edi, esi :<-- EDI=EDI*ESI ( esi is the number of the letter position)
    :00404446 add ebp, edi :<-- EBP=EBP+EDI (beware that EBP will finally contain the right reg#)
    :00404448 mov edi, ebx :<--these lines compute the lenght of the name we entered
    :0040444A sub eax, eax :<--these lines compute the lenght of the name we entered
    :0040444C repnz :<--these lines compute the lenght of the name we entered
    :0040444D scasb :<--these lines compute the lenght of the name we entered
    :0040444E not ecx :<--these lines compute the lenght of the name we entered
    :00404450 dec ecx :<-- ECX now contains the lenght of the name
    :00404451 cmp ecx, esi
    :00404453 ja 00404425 :<-- If its not the end of the name , go do the same with the next letter
    :00404455 mov eax, ebp :<-- SAVE EBP TO EAX !!!!
    :00404457 pop ebp
    :00404458 pop edi
    :00404459 pop esi
    :0040445A pop ebx
    :0040445B ret
    _____

    :00404470 mov eax, [0040B828] :<-- Put "key" in EAX
    :00404475 mul eax, eax, 015A4E35 :<-- EAX=EAX * 15A4E35
    :0040447B inc eax :<-- EAX=EAX + 1
    :0040447C mov [0040B828], eax :<-- Replace the "key" with the new value of EAX
    :00404481 and eax, 7FFF0000 :<-- EAX=EAX && 7FFF0000
    :00404486 shr eax, 10 :<-- EAX=EAX >>10
    :00404489 ret


    The above code consists of a loop that goes trough all the letters of the name we entered. With each
    letter some value is calculated, all these values are added up together (in EBP). Then this value is stored
    in EAX and the function RETurns. And that was what we were looking for, we wanted to know how EAX got its value!

    Step 6: Now to make a key-gen we have to translate the above method of calculating the right reg# into a
    c program. It could be done in the following way :
    (Note : I am a bad c programmer

    #include <stdio.h>
    #include <string.h>
    main()
    {
    char Name[100];
    int NameLength,Offset;
    unsigned long Letter,DummyA;
    unsigned long Key = 0xa4cc;
    unsigned long Number = 0;
    printf("Ize 2.04 crack by razzia\n");
    printf("Enter your name: ");
    gets(Name);
    NameLength=strlen(Name);
    for (Offset=0;Offset<NameLength;Offset=Offset+1)
    {
    Letter=Name[Offset];
    DummyA=Key;
    DummyA=DummyA*0x15a4e35;
    DummyA=DummyA+1;
    Key=DummyA;
    DummyA=DummyA & 0x7fff0000;
    DummyA=DummyA >> 0x10;
    Letter=Letter*DummyA;
    DummyA=Key;
    DummyA=DummyA*0x15a4e35;
    DummyA=DummyA+1;
    Key=DummyA;
    DummyA=DummyA & 0x7fff0000;
    DummyA=DummyA >> 0x10;
    Letter=Letter*DummyA;
    Letter=Letter*(Offset+1);
    Number=Number+Letter;
    }
    printf("\nYour registration number is : %lu\n",Number);
    }


    well thats it, lol goodluck

  2. #2
    ebjack's Avatar
    ebjack is offline Senior Member
    Join Date
    Jun 2006
    Location
    In Jessica Alba's bagina
    Posts
    1,905
    looks real simple

  3. #3
    Bryan2's Avatar
    Bryan2 is offline Supplement Guru
    Join Date
    Jun 2004
    Posts
    3,592
    Quote Originally Posted by ebjack
    looks real simple



  4. #4
    zimmy's Avatar
    zimmy is offline Anabolic Member
    Join Date
    Jan 2006
    Location
    Houston
    Posts
    4,225
    it doens't work for all. There are other variables involved for certain programs that expect certain formats to be a valid key. Things like symantec antivirus. But it's a nice lil how to for some of the basic sh*t that is borderline freeware :P

  5. #5
    Coop77's Avatar
    Coop77 is offline Senior Member
    Join Date
    Jul 2006
    Location
    Venice CA
    Posts
    1,375
    this is pretty technical for this board

  6. #6
    HORSE~'s Avatar
    HORSE~ is offline yeah
    Join Date
    Feb 2006
    Location
    ZIMBOBWAY!!!!
    Posts
    6,329
    Blah....Blah....Blah.Blah.Blah....

    In simple english WTF does this mean /Do????

  7. #7
    spywizard's Avatar
    spywizard is offline AR-Elite Hall of Famer~
    Join Date
    Dec 2003
    Location
    In the Gym, if i could
    Posts
    15,929
    that's cool.. thanks man..
    The answer to your every question

    Rules

    A bigot is a person obstinately or intolerantly devoted
    to his or her own opinions and prejudices, especially
    one exhibiting intolerance, and animosity toward those of differing beliefs.


    If you get scammed by an UGL listed on this board or by another member here, it's all part of the game and learning experience for you,
    we do not approve nor support any sources that may be listed on this site.
    I will not do source checks for you, the peer review from other members should be enough to help you make a decision on your quest. Buyer beware.
    Don't Let the Police kick your ass

  8. #8
    Valac's Avatar
    Valac is offline Member
    Join Date
    Mar 2007
    Location
    AUSTRALIA FTW!
    Posts
    604
    np i hope it helps even atleast 1 person. HORSE: it means u dont have to pay for certain prgms like zimmy said it doesnt work for all prgms but u can get a few helpful prgms by doin this.

  9. #9
    shrpskn is offline Anabolic Member
    Join Date
    Aug 2005
    Location
    Den sitta på huk ställ
    Posts
    3,476
    Forget it.....
    Last edited by shrpskn; 04-06-2007 at 06:24 AM.

  10. #10
    finny is offline Associate Member
    Join Date
    Dec 2006
    Location
    Ontario, Canada
    Posts
    277
    Quote Originally Posted by shrpskn
    More!...More!!...More!!!....I want keygen's for bigger and better things!
    What did you have in mind?

  11. #11
    Valac's Avatar
    Valac is offline Member
    Join Date
    Mar 2007
    Location
    AUSTRALIA FTW!
    Posts
    604
    there's usually always away to avoid having to pay for a prgm, either u just have to extract the key or simply find a key on the net lol. theres a few good sites that have a lot of keys that are valid

  12. #12
    finny is offline Associate Member
    Join Date
    Dec 2006
    Location
    Ontario, Canada
    Posts
    277
    Quote Originally Posted by Valac
    there's usually always away to avoid having to pay for a prgm, either u just have to extract the key or simply find a key on the net lol. theres a few good sites that have a lot of keys that are valid
    Yeah, I know. That's what I meant. I thought ShrpSkn was looking for something specific. I usually can get most things.

  13. #13
    Valac's Avatar
    Valac is offline Member
    Join Date
    Mar 2007
    Location
    AUSTRALIA FTW!
    Posts
    604
    sticky?

  14. #14
    Gear's Avatar
    Gear is offline HGH/IGF/Insulin Forum ~ AR-Hall of Famer
    Join Date
    Jul 2003
    Posts
    7,795
    Quote Originally Posted by Valac
    sticky?
    Stickies are usually board rules related, or forum related. What you posted is great info, however what you posted has nothing to do with board rules nor does it have anything to do with "computer security" (which is what this forum is mostly about).

    -Gear

  15. #15
    Valac's Avatar
    Valac is offline Member
    Join Date
    Mar 2007
    Location
    AUSTRALIA FTW!
    Posts
    604
    lol it was worth a shot. ill be sure to post some more good info soon.

  16. #16
    Gear's Avatar
    Gear is offline HGH/IGF/Insulin Forum ~ AR-Hall of Famer
    Join Date
    Jul 2003
    Posts
    7,795
    Quote Originally Posted by Valac
    lol it was worth a shot. ill be sure to post some more good info soon.
    Thanx for the info man, still trying to understand more than 1/2 of it. Good to see an active Aussie here.

    -Gear

  17. #17
    Valac's Avatar
    Valac is offline Member
    Join Date
    Mar 2007
    Location
    AUSTRALIA FTW!
    Posts
    604
    before i got addict to this forum i was heavily into hackin/crackin/programming/script writing etc. i love being able to get games playin em selfs while i go work on gettin huge. :P

  18. #18
    Lexed's Avatar
    Lexed is offline Anabolic Member
    Join Date
    Apr 2007
    Location
    source check [email protected]
    Posts
    8,774
    Blog Entries
    1
    tried alot of key generators never work

  19. #19
    S.P.G's Avatar
    S.P.G is offline AR Workout Scientist
    Join Date
    Mar 2005
    Location
    uk/ south east
    Posts
    4,535
    nice thanks!! thats my Privacy Eraser Pro cracked.

  20. #20
    SVTMuscle* is offline Banned
    Join Date
    Dec 2005
    Location
    Massachusetts
    Posts
    7,379
    how about a porn password generator

  21. #21
    HSFootball's Avatar
    HSFootball is offline Associate Member
    Join Date
    Feb 2007
    Posts
    235
    Lol... simpler way. www.torrentz.com Type in anything you want. Programs, Music, Movies that are still in theatres or already out ANYTHING. It's FREE!!!!! Your welcome.

  22. #22
    Valac's Avatar
    Valac is offline Member
    Join Date
    Mar 2007
    Location
    AUSTRALIA FTW!
    Posts
    604
    HS: That's no fun but, thats the easy way out. there's heaps of sites out there u can just download pre-cracked versions of just about everything.

  23. #23
    HSFootball's Avatar
    HSFootball is offline Associate Member
    Join Date
    Feb 2007
    Posts
    235
    Boo! Computers make me lazy.

  24. #24
    collar's Avatar
    collar is offline Anabolic Member
    Join Date
    Jun 2005
    Posts
    6,150
    Quote Originally Posted by ebjack
    looks real simple

  25. #25
    ducis is offline New Member
    Join Date
    Apr 2007
    Posts
    1
    I have a software for heraldic design, but it requires an access code when I start the program. What could I do? Thank you.

  26. #26
    mojo_fit is offline New Member
    Join Date
    Aug 2007
    Posts
    21

    gj

    Very nice, gj

  27. #27
    SwiftMove83 is offline Associate Member
    Join Date
    Jul 2006
    Location
    US, Wisconsin
    Posts
    195
    Cool, looks interesting. Not anyone will be able to branch off and change the assemble language code, but good for getting a look at how it all works together.

  28. #28
    DSM4Life's Avatar
    DSM4Life is offline Snook~ AR Lounge Monitor
    Join Date
    Jan 2005
    Location
    PA
    Posts
    30,963
    Blog Entries
    1
    You don't even need skills anymore for free programs. All you need are Bittorrents

  29. #29
    batlin's Avatar
    batlin is offline Associate Member
    Join Date
    Oct 2006
    Location
    one of the 50 states....
    Posts
    389
    Cool man thanks, I always love playing with this sort of sh*t

  30. #30
    SwiftMove83 is offline Associate Member
    Join Date
    Jul 2006
    Location
    US, Wisconsin
    Posts
    195
    Quote Originally Posted by DSM4Life
    You don't even need skills anymore for free programs. All you need are Bittorrents
    Well..ok, but you need some searching skills to find those torrents

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •