About this tutorial

Tutorial : Keygenning with SmartCheck
Target : Visi Font Gold 2.0 (http://www.dcmsoftware.bizland.com/)

Tools : SoftICE 3.24, SmartCheck 6.xx (these are good software, worth buying)
Date : 6th April 2000 (Last updated on 8th April 2000)

Descriptions & Comments : In this tutorial, I will show you the power of SmartCheck as we will be making a keygen with SmartCheck as the only tool. This is a Microsoft Visual Basic 5 program. Please do register this program (and also other good programs by the author) because he seems to be a kind fellow who charges only $5.00 for each of his softwares. He is not greedy at all, and I think the $5.00 charge will only at most support his life. A little note to the author, if you happen to be reading this document, please do contact me and I would be more than willing to help you implement a better protections on your software.

Protection : Name/Serial, VB5

Disclaimer : This file is used for educational purposes only. Any misuse of the information presented here is not my responsibility. This tutorial is copyright © ManKind. Contact me at mankind001@bigfoot.com

The process - Serial fishing

Start Visi Font Gold. Choose Option -> Register and you will be presented with a small register window, enter your Name and Unlock Code in the text fields :-

Name : ManKind
Unlock Code : 23199981

We know that this a VB5 program. We will try to break in SoftICE when the program is comparing the fake Unlock Code to the real one to get the real Unlock Code and the most commonly used function to compare two or more strings in VB5 is __vbaStrCmp (note that there are two (2) underscores there). So let's go into SoftICE and set a breakpoint on that function so that we could proceed with our plan of fishing a real Unlock Code for our name like below :-

bpx __vbaStrCmp

Leave SoftICE, press the Unlock button, SoftICE will pop up due to the breakpoint we set on the __vbaStrCmp function. Press F11 once to return to the caller of the function and you will be thrown to the following code :-

:0042CAF6 CALL [MSVBVM50!__vbaStrCmp]
:0042CAFC MOV ESI,EAX <-- you land here

Let's see whether the strings that were compared is left in one of the registers, dump the content of the EDX register by doing the following command :-

d edx

What do you see in the data window of SoftICE? That looks like the real Unlock Code for our name in wide-char format (just ignore the dots). I didn't show the Unlock Code of my name here because I think that the author of this program is kind enough to offer his software at $5.00, so, everyone who wishes to use it MUST register it especially those lamers and the main purpose of this essay is not to destroy the author or his income.

Keygenning with SmartCheck

Unregister the program if you have registered it (use regedit, its in "My Computer\HKCU\Software\VB and VBA Program Settings\Visi Font Gold 2.0\Font Viewer\"). We can leave SoftICE alone now and proceed to use SmartCheck as our main tool because tracing with SoftICE inside VB programs is always an unpleasant experience. I use SmartCheck 6.01 but I think any version starting from 6.xx should work. Make sure you have configured SmartCheck correctly for cracking purposes before following this part, you should visit Eternal Bliss's site and get his tutorials if you haven't configured it (well, not only for configuration purpose actually, there are other priceless stuffs there by Eternal Bliss).

Let's start now. Start SmartCheck, open (load) the visigold.exe into SmartCheck (a window will pop up) and go to the menu Program -> Start (another window will pop up displaying events of the program, maximise it, we will work with this window). After some events, the main window of Visi Font Gold will pop up, so, go choose Options -> Register like the first part, enter ManKind as Name and 23199981 as Unlock Code into the text fields and finally press the Unlock button. The bad_cracker_message will pop up, just press Ok, switch back to SmartCheck and go to the menu Program -> End and the program will be terminated. Look at the Events and find the registration event (usually after a button is pressed, in this example, Unlock is that button, but SmartCheck will not refer it as the caption of the button but its internal name instead, like Command1). You should come to this (what you see in SmartCheck is highlighted in green while the black text is comment) :-

+  Command1_Click

Expand it by double-clicking on the plus (+) sign and more events will be shown :-

-  Command1_Click
  Text1.Text <-- input field of Name
  LTrim$ <-- get the Name
  Len returns LONG:7 <-- get the length of name
  Mid$ <-- get the first byte of name
  Asc returns Integer:77 <-- ascii of first byte
  Double (5929) --> Long (5929) <-- 77 * 77 = 5929
  Mid$ <-- get second byte of name
  Asc returns Integer:97 <-- ascii of second byte
  Double (24747) --> Long (24747) <-- (97 * 97 * 2) + 5929 = 24747
  Mid$ <-- get the third byte of name
  Asc returns Integer:110 <-- ascii of third byte
  Double (61047) --> Long (61047) <-- (110 * 110 * 3) + 24747 = 61047
  Mid$ <-- get the fourth byte
  Asc returns Integer:75 <-- ascii of fourth byte
  Double (83547) --> Long   (83547) <-- (75 * 75 * 4) + 61047 = 83547
  Mid$ <-- get the fifth byte of name
  Asc returns Integer:105 <-- ascii of fifth byte
  Double (138672) --> Long (138672) <-- (105 * 105 * 5) + 83547 = 138672
  Mid$ <-- get the sixth byte
  Asc returns Integer:110 <-- ascii of sixth byte
  Double (211272) --> Long (211272) <-- (110 * 110 * 6) + 138672 = 211272
  Mid$ <-- get the seventh byte of name
  Asc returns Integer:100 <-- ascii of seventh byte
  Double (281272) --> Long (281272) <-- (100 * 100 * 7) + 211272 = 281272
  MsgBox returns Integer:1 <-- bad_cracker_message

I think you've got the idea now but I will explain a little more. Here's the algorithm details, each ASCII must be squared and multiplied by its position and added to the previously calculated value to generate correct Unlock Code

Here a quick pointer :-

- if you do Show All Events in SmartCheck you will see that __vbaPowerR8 function is called after the "Asc returns Integer:77" line, thus the calculation for this is 77 * 77 * 1 = 5929.

The same thing happens to the other values. I think it is really clear to you now and I need not explain anymore. As usual, for my keygenning tutorial, I would include a keygen source but this time I would only show you the calculation part source. Since the program is coded in VB 5, I shall code the source in Visual Basic too and here's the calculation part :-

For i = 1 to Len(Text1.Text) 'i is counter, Text1.Text refers to the name's text field, loop until byte of name finish
 name1 = Asc(Mid(Text1.Text, i, 1)) 'get a byte of name name2 = (name1 ^ 2) * i 'the main algo here(ascii of byte 'power by two multiple by current position of byte)
 name2 = (name1 ^ 2) * i 'main algo here(ascii of byte power by 2 and multiplied to current position of byte)
 name3 = name3 + name2 'sum up all the calculated values
Next i  'loop again 
Text2.Text = name3 'Text2.Text refers to the text field where you would show user his/her Unlock Code for the specified name, show user the final calculated value which is the correct Unlock Code

As a little note for the keygen, I would like to state that IF any other programming languages (probably not all, but I tried Assembly and QBasic) are used to code the keygen for Visi Font Gold other than Visual Basic(I tried VB5), it would be messed up when dealing with special characters like î, é and many more (that's why I choose to show you the calculation source in VB).

Lastly, my little opinion and comment on SmartCheck and its usage :-
- could be VERY useful for cracking VB programs
- when trying to keygen, its totally different from SoftICE
- very good tool for crackers and programmers
- useful for newbies to do quick cracks (serial fishing)

That's all for now. Contact me if I've made any mistakes.


Thanks and greetz to :-

+ORC, +HCU, Sandman, HarvestR, tKC, ytc_, Punisher, Kwai_Lo, TORN@DO, CrackZ, cLUSTER, LaZaRuS, mISTER fANATIC, yes123, WhizKiD, Volatility, ACiD BuRN, Eternal Bliss, R!SC, Kwazy Webbit, +Mammon, MisterE, Shadow, ^tCM^, WaJ, Borna Janes, Kathras, AB4DS(Death), douby, Steinowitz, Lord Soth, Latigo, Lucifer48, NeuRaL_NoiSE, Fravia+, Latigo, Duelist, Alpine, flag eRRatum, Nitrus, +Frog's Print, Muad`Dib, Iczelion, Razzia, Warezpup, Bomber Monkey, llama and other crackers, individuals and organisations who have helped me, either directly or indirectly.

Service for Mankind