razzia's Tutorial on Key Generators
(second part, for the first part see here)

by Razzia

(22 August 1997)


Courtesy of fravia's page of reverse engineering

Well, another great contribution of master Razzia... read and enjoy!

razzia's Tutorial on Key Generators (second part)
Tools!

For tools you need a minimum of a debugger like SoftIce for Windows (hence WinIce), and a C compiler with its DOS libraries.

Content!

In this tutorial I will show how to make a key-gen for Ize and Swiftsearch. The protection that these programs use is the well-known Enter-Name-and-Registration-Number method. After selecting 'register', a window pops up where you can enter your name and your registration number. The strategy here is to find out where in memory the data you enter is stored and then to find out what is done with it. Before you go on make sure you configure the SoftIce dat file according to my PWD tutorial #1.

Part 1: Scanline Swiftsearch 2.0!

Swiftsearch is a useful little program that you can use to search on the web. I will explain step by step how to crack it.

Step 1: Start the program :)

Step 2: Choose register from the menus. You will now get a window where you can enter your name and your registration number.

Step 3: Enter SoftIce (ctrl-d).

Step 4: We will now set a breakpoint on functions like GetWindowText(A) and GetDlgItemText(A) to find out where in memory the data that we just entered is stored. The function that is used by this program is GetDlgItemTextA (trial and error, just try yourself :). So, in SoftIce type BPX GetDlgItemTextA and then exit SoftIce with the g command.

Step 5: Now type a name and a registration number (I used razzia and 12345) and press OK; this will put you back in SoftIce. Since you are now inside the GetDlgItemTextA function, press F11 to get out of it. You should see the following code:

lea eax, [ebp-2C]

Case 2: Ize 2.04 from Gadgetware

Ize from Gadgetware is a cute little program that will put a pair of eyes on your screen which will follow your mouse pointer. It has a register function where you can enter your name and a registration number. The strategy in this case is still the same: find out where in memory the entered information is stored and then find out what is done with that information.
Step 1: Start Ize. Choose register and enter a name and a number. I used 'razzia' and '12345'.

Step 2: Enter SoftIce (CTRL-D) and set a breakpoint on GetDlgItemTextA.

Step 3: Leave SoftIce and press OK. This will put you back in SoftIce. You will be inside the GetDlgItemTextA function. To get out of it press F11. You should see the following code:

mov esi, [esp + 0C]
push 00000064
push 0040C3A0
:>10
:00404489 ret

The above code consists of a loop that goes through all the letters of the name we entered. With each letter some value is calculated, and all these values are added up together (in EBP). Then this value is stored in EAX and the function RETurns. And that was what we were looking for: we wanted to know how EAX got its value!

Step 6: Now to make a key-gen we have to translate the above method of calculating the right reg# into a C program. It could be done in the following way (note: I am a bad C programmer; the listing below uses 32-bit unsigned integers and fgets so that it compiles and behaves the same on current compilers, where unsigned long is often 64 bits and gets no longer exists):

#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>

int main(void)
{
    char Name[100];
    int NameLength, Offset;
    /* 32-bit values so the arithmetic wraps exactly like the x86
       registers traced in SoftIce */
    uint32_t Letter, DummyA;
    uint32_t Key = 0xa4cc;      /* initial seed used by the program */
    uint32_t Number = 0;        /* running sum that becomes the reg# */

    printf("Ize 2.04 crack by razzia\n");
    printf("Enter your name: ");
    if (fgets(Name, sizeof Name, stdin) == NULL)
        return 1;
    Name[strcspn(Name, "\r\n")] = '\0';   /* drop the trailing newline */
    NameLength = strlen(Name);

    for (Offset = 0; Offset < NameLength; Offset = Offset + 1)
    {
        Letter = (unsigned char)Name[Offset];

        /* first generator step: Key = Key*0x15a4e35 + 1, then keep
           bits 16..30 of the new Key and multiply the letter by them */
        DummyA = Key;
        DummyA = DummyA * 0x15a4e35;
        DummyA = DummyA + 1;
        Key = DummyA;
        DummyA = DummyA & 0x7fff0000;
        DummyA = DummyA >> 0x10;
        Letter = Letter * DummyA;

        /* second generator step, same calculation again */
        DummyA = Key;
        DummyA = DummyA * 0x15a4e35;
        DummyA = DummyA + 1;
        Key = DummyA;
        DummyA = DummyA & 0x7fff0000;
        DummyA = DummyA >> 0x10;
        Letter = Letter * DummyA;

        /* weight by the 1-based position of the letter in the name */
        Letter = Letter * (Offset + 1);
        Number = Number + Letter;
    }

    printf("\nYour registration number is : %" PRIu32 "\n", Number);
    return 0;
}
Final Notes

For feedback and suggestions please contact me :)

january 1997 - razzia
(c) razzia 1997. All rights reserved