razzia's Tutorial on Key Generators
(second part, for the first part see here)
by Razzia
(22 August 1997)
Courtesy of fravia's page
of reverse engineering
Well, another great contribution of
master Razzia... read and enjoy!
Tools!
At minimum you need a debugger such as SoftIce for Windows (hence
WinIce) and a C compiler with its DOS libraries.
Content!
In this tutorial I will show how to make a key-gen for Ize and
Swiftsearch. The protection these programs use is the well-known
Enter-Name-and-Registration-Number method: after selecting 'register',
a window pops up where you can enter your name and your registration
number.
The strategy here is to find out where in memory the data you enter is
stored, and then to find out what is done with it. Before you go on,
make sure you configure the SoftIce dat file according to my PWD
tutorial #1.
Part 1: Scanline Swiftsearch 2.0!
Swiftsearch is a useful little program that you can use to search
on the web. I will explain step by step how to crack it.
Step 1: Start the program :)
Step 2: Choose Register from the menu. You will now get a window
where you can enter your name and your registration number.
Step 3: Enter SoftIce (ctrl-d).
Step 4: We will now set a breakpoint on functions like GetWindowText(A)
and GetDlgItemText(A) to find out where in memory the data we just
entered is stored. The function this program uses is GetDlgItemTextA
(trial and error, just try yourself :).
So, in SoftIce type BPX GetDlgItemTextA and then leave SoftIce
with the g command.
Step 5: Now type a name and a registration number (I used razzia
and 12345) and press OK; this will put you back in SoftIce. Since
you are now inside the GetDlgItemTextA function, press F11 to get out
of it. You should see the following code:
lea eax, [ebp-2C] :
Part 2: Ize 2.04 from Gadgetware!
Ize from Gadgetware is a cute little program that will put a pair of
eyes on your screen which will follow your mousepointer. It has a
register function where you can enter your name and a registration
number.
The strategy in this case is still the same : Find out where in memory
the entered information is stored and then find out what is done with
that information.
Step 1: Start Ize. Choose Register and enter a name and a number. I
used 'razzia' and '12345'.
Step 2: Enter SoftIce (CTRL-D) and set a breakpoint on GetDlgItemTextA.
Step 3: Leave SoftIce and press OK. This will put you back in SoftIce.
You will be inside the GetDlgItemTextA function. To get out of it
press F11. You should see the following code:
mov esi, [esp + 0C]
push 00000064
push 0040C3A0 :>10
:00404489 ret
The above code consists of a loop that goes through all the letters of
the name we entered. For each letter a value is calculated, and all these
values are added together (in EBP). That total is then stored in EAX
and the function RETurns.
And that was what we were looking for: we wanted to know how EAX got
its value!
Step 6: Now, to make a key-gen, we have to translate the above method
of calculating the right reg# into a C program. It could be done in the
following way:
(Note: I am a bad C programmer.)
#include <stdio.h>
#include <string.h>
#include <stdint.h>

int main(void)
{
    char Name[100];
    int NameLength, Offset;
    /* 32-bit values, like the EAX/EBP registers the routine uses.
       'unsigned long' was 32 bits on the DOS compilers of the time but is
       64 bits on most modern Unix compilers, which would break the
       wrap-around the calculation relies on. */
    uint32_t Letter, DummyA;
    uint32_t Key = 0xa4cc;    /* starting value of the seed in the program */
    uint32_t Number = 0;      /* running total, EBP in the disassembly */

    printf("Ize 2.04 crack by razzia\n");
    printf("Enter your name: ");
    if (fgets(Name, sizeof Name, stdin) == NULL)   /* gets() is unsafe */
        return 1;
    Name[strcspn(Name, "\r\n")] = '\0';            /* drop the newline */
    NameLength = strlen(Name);
    for (Offset = 0; Offset < NameLength; Offset = Offset + 1)
    {
        Letter = (unsigned char)Name[Offset];
        /* first value: Key = Key*0x15a4e35+1, keep bits 16..30 */
        DummyA = Key;
        DummyA = DummyA * 0x15a4e35;
        DummyA = DummyA + 1;
        Key = DummyA;
        DummyA = DummyA & 0x7fff0000;
        DummyA = DummyA >> 0x10;
        Letter = Letter * DummyA;
        /* second value, same step again on the updated Key */
        DummyA = Key;
        DummyA = DummyA * 0x15a4e35;
        DummyA = DummyA + 1;
        Key = DummyA;
        DummyA = DummyA & 0x7fff0000;
        DummyA = DummyA >> 0x10;
        Letter = Letter * DummyA;
        Letter = Letter * (Offset + 1);   /* weight by position in the name */
        Number = Number + Letter;         /* add up, wrapping mod 2^32 */
    }
    printf("\nYour registration number is : %lu\n", (unsigned long)Number);
    return 0;
}
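The same routine again, as an added example that is not the tutorial's own code: the generator step is pulled out into a function so that the structure is visible, and a check function shows what the target's comparison amounts to. The step Key = Key*0x015A4E35 + 1, keeping bits 16..30, is the rand() of the Borland/Turbo C runtime (editor's observation, not something the tutorial states), so the scheme is in effect srand(0xa4cc) followed by two rand() calls per character. The comparison in ize_check is assumed; the dump above stops before the compare. The names lcg_next, ize_serial and ize_check are mine, and the sample name "razzia" is taken from the walkthrough.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the tutorial. All arithmetic is deliberately
 * 32-bit (uint32_t) so it wraps exactly like the x86 registers in the
 * disassembly; 'unsigned long' would be 64 bits on most modern compilers. */

#define IZE_SEED 0xa4ccu        /* initial Key seen in the program */
#define LCG_MULT 0x015A4E35u    /* multiplier; matches Borland's rand() (editor's observation) */

/* One generator step: advances *state, returns the 15-bit value bits 16..30. */
static uint32_t lcg_next(uint32_t *state)
{
    *state = *state * LCG_MULT + 1u;     /* wraps mod 2^32 like the CPU */
    return (*state >> 16) & 0x7FFFu;
}

/* Registration number for a name, computed the way the loop above does it. */
uint32_t ize_serial(const char *name)
{
    uint32_t key = IZE_SEED;
    uint32_t sum = 0;                    /* EBP in the disassembly */
    size_t i, len = strlen(name);

    for (i = 0; i < len; i++) {
        uint32_t v = (unsigned char)name[i];
        v *= lcg_next(&key);             /* first pseudo-random factor */
        v *= lcg_next(&key);             /* second pseudo-random factor */
        v *= (uint32_t)(i + 1);          /* position weight */
        sum += v;                        /* running total, mod 2^32 */
    }
    return sum;
}

/* What the program's check amounts to: the entered number must equal the
 * computed one (assumed comparison; the compare is not in the dump above). */
int ize_check(const char *name, uint32_t entered)
{
    return ize_serial(name) == entered;
}

int main(int argc, char **argv)
{
    /* "razzia" is the sample name from the walkthrough */
    const char *name = argc > 1 ? argv[1] : "razzia";
    uint32_t serial = ize_serial(name);

    printf("%s -> %lu (check: %s)\n", name, (unsigned long)serial,
           ize_check(name, serial) ? "ok" : "rejected");
    return 0;
}
```

Run it with a name as the first argument; with no argument it uses "razzia". Seeding the state with 0xa4cc and calling lcg_next once gives 28176 and leaves the state at 0xEE10463D, which you can confirm by single-stepping the first iteration in SoftIce and reading the registers.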
Final Notes
For feedback and suggestions please contact me :)
January 1997 - razzia
(c) razzia 1997. All rights reserved