Cases in a KeyGEN
A simple introduction



Target: CyberClean 1.02
Author: The Limit Software
Protection: Name/Serial
Tools used: lcc, SoftICE 3.2
Level: (X) Beginner  (X) Intermediate  ( ) Advanced  ( ) Expert

Disclaimer

Do I really have to remind you all that BUYING and NOT stealing the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems? BTW, it's illegal to use cracked software!

If you're looking for cracks or serial numbers on these pages, then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks, etc.



Well, I'm bored today, so I decided to use the time I have for something useful - teaching people how to crack. The only target I had on my HDD was CyberClean (hey, you publishers of computer magazines, work harder so you NEVER publish magazines 2 weeks too late), which is worth the price it's sold at. Enough talking, let's start with the real work now :)

First of all you need to do what you always have to do (enter your registration details and set the necessary breakpoint). After that the fun starts - tracing through the program's code to find the location we're looking for, which is quite easy in this target - nothing is really 'hidden' ... just a return from HMEMCPY and a few P RETs (F12) ...

   :00406713  66C745CC0800        MOV       WORD PTR [EBP-34],0008
   :00406719  33C0                XOR       EAX,EAX
   :0040671B  8945FC              MOV       [EBP-04],EAX
   :0040671E  8D55FC              LEA       EDX,[EBP-04]
   :00406721  FF45D8              INC       DWORD PTR [EBP-28]
   :00406724  8B86C8010000        MOV       EAX,[ESI+000001C8]
   :0040672A  E831B60000          CALL      00411D60
   :0040672F  8B55FC              MOV       EDX,[EBP-04]
   :00406732  8D45FC              LEA       EAX,[EBP-04]
   :00406735  03D3                ADD       EDX,EBX
   :00406737  4A                  DEC       EDX
   :00406738  0FBE0A              MOVSX     ECX,BYTE PTR [EDX]
   :0040673B  83E17F              AND       ECX,7F
   :0040673E  BA02000000          MOV       EDX,00000002
   :00406743  03F9                ADD       EDI,ECX
   :00406745  FF4DD8              DEC       DWORD PTR [EBP-28]
   :00406748  E89B110100          CALL      004178E8
   :0040674D  43                  INC       EBX
   :0040674E  8B86C8010000        MOV       EAX,[ESI+000001C8]
   :00406754  E8B7B50000          CALL      00411D10
   :00406759  3BD8                CMP       EBX,EAX
   :0040675B  7CB6                JL        00406713
   :0040675D  69D76B280400        IMUL      EDX,EDI,0004286B
   :00406763  89D7                MOV       EDI,EDX
   :00406765  83FF01              CMP       EDI,01
   :00406768  7D05                JGE       0040676F
   :0040676A  BFE4440000          MOV       EDI,000044E4
   :0040676F  66C745CC2000        MOV       WORD PTR [EBP-34],0020
   :00406775  33C0                XOR       EAX,EAX
   :00406777  8945F8              MOV       [EBP-08],EAX
   :0040677A  8D55F8              LEA       EDX,[EBP-08]
   :0040677D  FF45D8              INC       DWORD PTR [EBP-28]
   :00406780  8B86D4010000        MOV       EAX,[ESI+000001D4]
   :00406786  E8D5B50000          CALL      00411D60
   :0040678B  837DF800            CMP       DWORD PTR [EBP-08],00
   :0040678F  7405                JZ        00406796
   :00406791  8B5DF8              MOV       EBX,[EBP-08]
   :00406794  EB05                JMP       0040679B
   :00406796  BBB4514400          MOV       EBX,004451B4
   :0040679B  53                  PUSH      EBX
   :0040679C  E8DF4F0300          CALL      0043B780
   :004067A1  59                  POP       ECX
   :004067A2  8BD8                MOV       EBX,EAX
   :004067A4  FF4DD8              DEC       DWORD PTR [EBP-28]
   :004067A7  8D45F8              LEA       EAX,[EBP-08]
   :004067AA  BA02000000          MOV       EDX,00000002
   :004067AF  E834110100          CALL      004178E8
   :004067B4  66C745CC1400        MOV       WORD PTR [EBP-34],0014
   :004067BA  8BCF                MOV       ECX,EDI
   :004067BC  8BC1                MOV       EAX,ECX
   :004067BE  99                  CDQ
   :004067BF  33C2                XOR       EAX,EDX
   :004067C1  2BC2                SUB       EAX,EDX
   :004067C3  3BD8                CMP       EBX,EAX
   :004067C5  0F8537010000        JNZ       00406902
Well, the serial is calculated from all the chars of your name except the last one. So if your name is for instance BORED, then the sum of the ASCII values of 'BORE' multiplied by 4286Bh is the real serial. If your name is however 1 char long (or less), then no char can be used for the calculation of your Reg No, so your Reg No would be 0 (something multiplied by 0 is ALWAYS 0 - as you OF COURSE should know). This is the reason why the coder of this program has included the following three lines:

   :00406765  83FF01              CMP       EDI,01
   :00406768  7D05                JGE       0040676F
   :0040676A  BFE4440000          MOV       EDI,000044E4
These lines just handle the CASE that your name is 1 char long or less (BTW, I don't know any name which could be 1 char long). So there's something you have to take care of:


   CASE 01 (name > 1 char):
      - Sum up all chars of the name except the last one (0040672F up to 0040675B)
      - Multiply that sum by 4286Bh (0040675D)

   CASE 02 (name <= 1 char):
      - Reg No is 44E4h (0040676A)

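To see how both cases fall out of the listing, here is the check itself written as C, following the disassembly line by line rather than the keygen below. This is an added example, not code from the tutorial or from CyberClean; it assumes that CALL 0043B780 converts the typed serial to a decimal integer (as the author's "%lu" keygen implies), and it keeps the two details the listing has that the prose skips: the AND ECX,7F mask on every char and the signed compare at 00406765.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sum of every char of the name except the last one, each masked to 7 bits
   (MOVSX ECX,BYTE PTR [EDX] / AND ECX,7F / ADD EDI,ECX; 0040672F-0040675B). */
static int32_t name_sum(const char *name)
{
    size_t len = strlen(name);
    int32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i++)          /* stops before the last char */
        sum += (unsigned char)name[i] & 0x7F;
    return sum;                            /* 0 for a name of 1 char or less */
}

/* The value the program expects in the serial box for this name. */
int32_t expected_serial(const char *name)
{
    /* IMUL EDX,EDI,0004286B: 32-bit signed multiply, wraps like the CPU does */
    int32_t v = (int32_t)((uint32_t)name_sum(name) * 0x4286Bu);
    /* CMP EDI,01 / JGE: signed test, so anything below 1 becomes 44E4h (CASE 02);
       a sum of 0 (CASE 02 in the text) is the usual way to get here */
    if (v < 1)
        v = 0x44E4;
    /* CDQ / XOR EAX,EDX / SUB EAX,EDX is an absolute value; redundant after the
       JGE above, but kept so the function mirrors 004067BC-004067C1 */
    return v < 0 ? -v : v;
}

/* 1 if the typed serial passes the CMP EBX,EAX at 004067C3, else 0.
   Assumption: 0043B780 parses the text as a decimal number. */
int serial_matches(const char *name, const char *serial)
{
    long typed = strtol(serial, NULL, 10);
    return (int32_t)typed == expected_serial(name);
}

int main(void)
{
    const char *name = "BORED";            /* constructed sample name */
    printf("%s -> %ld\n", name, (long)expected_serial(name));
    return 0;
}
```

Because the sum ignores character order, names that differ only in the order of their first characters (BORED and ROBED, say) get the same serial; that is the kind of weakness a scheme like this has.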

Distinguishing these cases is quite easy, since there were only two ... however, you'll come across targets where you have to distinguish a lot of cases; there I suggest you print out the whole source of the calculation routine and use a marker. I really wish I'd find a target (again) where I have to do so; if you know of one whose size is less than 2 MB, please contact me and I'll consider writing a tutorial for it.

As always, following is the source code of the calculation routine ...

   #include <windows.h>
   #include <string.h>

   /* EDIT_NAME and EDIT_CODE are the control IDs of the keygen's own dialog */

   short int Calculate(HWND hDialog)
   {
    char name[1024]    = {0};
    char serial[1024]  = {0};
    unsigned long ECX = 0;
    unsigned long EDX = 0;
    unsigned long EDI = 0;
    unsigned long i;

    static HWND hControl;

    hControl = GetDlgItem(hDialog, EDIT_NAME);
    GetWindowText(hControl, name, 1024);

    if (strlen(name) <= 1)

         EDI = 0x44E4;                     /* CASE 02: MOV EDI,000044E4 */

    else

      {
         /* CASE 01: sum up all chars except the last one, 7 bits each */
         for (i = 1; i <= (strlen(name) - 1); i++)
          {
           ECX  = (unsigned char)name[i-1] & 0x7F;   /* AND ECX,7F */
           EDI += ECX;
          }

         EDX = EDI * 0x4286B;              /* IMUL EDX,EDI,0004286B */
         EDI = EDX;                        /* MOV EDI,EDX */
      }

    wsprintf(serial, "%lu", EDI);          /* EDI holds the Reg No in both cases */

    hControl = GetDlgItem(hDialog, EDIT_CODE);
    SetWindowText(hControl, serial);

    return 0;
   }
Feel free to e-mail me feedback, questions or whatever (NO crack requests!!). You can also talk to me on IRC (EFNet) at #ImmortalDescendants, #PhrozenCrew or #cracking4newbies.



Another lesson has just finished. Hopefully you have learned something useful from it! Feel free to contact me anytime ... till next time, I highly recommend you visit (or better, download completely) +Fravia's excellent site, which has unfortunately been frozen!


Greetings (no specific order):

+Aesculapius, +Fravia, +MaLaTTiA, +ORC, +wAj, ^TheDevil, /Miz, ACiD BuRN, adenozin, alpine, AntiMaterie, AppBusta, Artex, Black Check, BJanes, ByteBurn, cALiGo, CoRN2, Carpathia, CrackZ, Crashtest, Cruehead, Da GRiM ReaPeR, DEATH, DEZM, DnNuke, douby, duelist, Eternal Bliss, FireWorx, G-RoM, HarvestR, Icecream, Iczelion, Jeff, josephCo, Kaparo, knotty, Kwai_Lo, LagPRO, LaZaRuS, Lord Soth, Lucifer48, MisterE, MiZ, McCodEMaN, Mr. NOP, Mr. WhiTe (WKT), NeuRaL NoiSE, nIabI, NiKai, Nitrus, Noos, Northpole, pain, Pedro, PeeGee, PeeWee, ^PlAyEr^, Predator NLS, Prof. X, Quantico, r4lph, R!SC, Rhytm, rudeboy, Santa Clawz, Scribe, SiONiDE, Steinowitz, TaG^, TaMaMBoLo, The +Sandman, The AntiXryst, The OWL, Thesmurf, Tin, tKC, viny, VisionZ, Vladimir, Volatility, yAtEs, yosh, ytc, WarezPup, WhizKiD, widYa@cL 2011.

Copyright © 1999 by TORN@DO [ID/PC]. All Rights Reversed.