Nov 2nd 1999
SheeP140 [PGC] Keygen
Algorithm (Tutorial 2)
Win '95 PROGRAM
Win Code Reversing
by SHeeP140 [PGC]
Code Reversing For Beginners
Program Name: ToDo V1.51
Program Type: Handy Reminder Tool
Program Location: http://www.dache.com
Program Size: 109,568 bytes (tiny)
W32Dasm and Softice
( X ) Medium ( X ) Hard ( ) Pro (
have a very interesting life.
"A crack is a crack is a
crack, unless it's a keygen. :o)"
ToDo is a simple utility designed to help you keep track of things you
need to get done. It provides a neat and handy little interface that is
much tidier than hand-scribbled sticky notes, and sundry items scratched
on the back of envelopes. I made this utility for myself, and decided it
was handy enough to share, so here it is.
About this protection system
A nag screen pops up after 30 days. The program is not disabled in any
way, it's just annoying.
Even though this section is usually last, I feel that it should not be,
therefore I am putting it at the beginning.
Idea for this essay -----> WEBM4STA, a fine friend and a gentleman, not many left these days.
Page Layout -------------> KIK, I used KIK's TUTORial as a template (I hope you don't mind) :o).
There are so many tutorials out there that seem to go over the same old
stuff. While this is all well and good, it doesn't give any new insight into
new CRACKING techniques. In this TUTORial I will try to teach you something
that has indeed been documented before, but I feel not enough: the use of
LOOK UP TABLES in keygen routines. There have to be thousands of (NEWBIE)
tutorials, which is one of the reasons I decided to write this one. Even
though this is not (ROCKET SCIENCE), it is very slightly more advanced than
the usual (NEWBIE) tutorial.
Okay, here goes.
I will try to convey to you every stage of the crack as I have done it.
This way you can judge my methods for yourself and hopefully comment
where I am going wrong. :o)
The first step on our journey is to try and gather as many details on the
program as possible. This consists of reading ALL documentation and the
about box to try and glean relevant information on the (CRACK), i.e.
i) Time limits
ii) Registration details etc.
It's also nice to see who has written the software, whether it is a multi-million
dollar company or just JOE SHMO in his bedroom.
The whole of STAGE 1 just gives you an idea of what you are dealing with.
Once all the relevant info had been collected from STAGE 1 I proceeded
inside the little fella with my fave programming scalpel SOFTICE.
1. Load the little fella (ToDo V1.51) :o)
2. Go to the 'HELP' menu and click 'REGISTER'
3. You will be presented with a standard REGISTRATION NAME/CODE box
As I only want to show you a certain aspect of this crack, i.e. the (SERIAL
NUMBER ALGORITHM), I will send you directly to it. The other code involved
has been explained hundreds of times in other TUTORials.
4. Type BPX GETWINDOWTEXTA
5. Type in your name and code (I used - Name: SHEEP140 CODE:1212121212),
then click 'OK'
6. Press (F5), (F11), then press (F12) 28 times or until you come to the
code point below.
:00409B49 mov dword ptr [ebp-10], eax        ; You should land here
:00409B4C cmp dword ptr [ebp-10], 00000001
:00409B50 jne 00409C03
:00409B56 push ecx
:00409B57 mov ecx, esp
:00409B59 mov dword ptr [ebp-7C], esp
:00409B5C lea eax, dword ptr [ebp-18]
:00409B5F push eax
:00409B60 Call 0040E2D8
:00409B65 mov dword ptr [ebp+FFFFFF78], eax
:00409B6B mov ecx, dword ptr [ebp+FFFFFF7C]
:00409B71 mov ecx, dword ptr [ecx+00000684]
:00409B77 call 0040B670
:00409B7C push ecx
:00409B7D mov ecx, esp
:00409B7F mov dword ptr [ebp-80], esp
:00409B82 lea edx, dword ptr [ebp-14]
:00409B85 push edx
:00409B86 Call 0040E2D8
:00409B8B mov dword ptr [ebp+FFFFFF74], eax
:00409B91 mov eax, dword ptr [ebp+FFFFFF7C]
:00409B97 mov ecx, dword ptr [eax+00000684]
:00409B9D call 0040B610
:00409BA2 mov ecx, dword ptr [ebp+FFFFFF7C]
:00409BA8 mov ecx, dword ptr [ecx+00000684]
:00409BAE call 00402692                      ; Press (F10) until you reach here
7. When you reach the above point, press F8 to enter the CALL 402692
As I said before, I only want to show you the algorithm, so I will explain
what the code before the algorithm does very briefly. All it does is:
1) Setup the 2 LOOK UP TABLES these are:
LOOK UP TABLE 1 'todo1todo1todo1t'
LOOK UP TABLE 2 '012345thefiveboxing-wizardsjumpedquickly6789'
2) Alters your username so that it equals 16 characters
sheep140 <------------> sheep140sheep140
s <-------------------> ssssssssssssssss
bob <-----------------> bobbobbobbobbobb
and so on, it does this so that the REAL code is 16 digits long.
And so now we carry on.
8. Press F10 until you come across the following code..
KEY FOR ALGORITHM COMMENTS
(username)---->The name you entered.
(LUT1)-------->Look up Table 1.
(LUT2)-------->Look up Table 2, if you hadn't guessed. :o)
(cycle)------->number of times the routine has run.
(-)----------->the sentence continues to the next line.
<-- THIS IS THE ALGORITHM -->
When you have found the algorithm it's a good idea to do a screen print
and then write comments on the printout. This gives you a hard copy. You
can also dump it into a file, but that's not much use when you're
popping in and out of SOFTICE.
:0040279B mov ecx, dword ptr [ebp-10]        ; Move (cycle) count into ECX
:0040279E add ecx, 00000001                  ; Add 1 to the (cycle) count
:004027A1 mov dword ptr [ebp-10], ecx        ; Save (cycle) count to [ebp-10]
:004027A4 cmp dword ptr [ebp-10], 00000010   ; Have we finished the code generation? - you will land here for the first
:004027A8 jge 004027F7                       ; jump if yes (code = 16 digits)
:004027AA mov edx, dword ptr [ebp-50]        ; Move offset of (username) into EDX
:004027AD add edx, dword ptr [ebp-10]        ; Add number of (cycles) to (username) offset
:004027B0 mov al, byte ptr [edx]             ; Move digit of (username) into al
:004027B2 mov byte ptr [ebp-6C], al          ; Save digit of (username) into [ebp-6c]
:004027B5 movsx ecx, byte ptr [ebp-6C]       ; Move digit of (username) into ECX
:004027B9 mov dword ptr [ebp-18], ecx        ; Save digit of (username) again into [ebp-18]
:004027BC mov edx, dword ptr [ebp-4C]        ; Move offset of (LUT1) into EDX
:004027BF add edx, dword ptr [ebp-10]        ; Add number of (cycles) to (LUT1) offset
:004027C2 mov al, byte ptr [edx]             ; Move digit of (LUT1) into al
:004027C4 mov byte ptr [ebp-70], al          ; Save digit of (LUT1) into [ebp-70]
:004027C7 movsx ecx, byte ptr [ebp-70]       ; Move digit of (LUT1) into ECX
:004027CB mov edx, dword ptr [ebp-18]        ; Move digit of (username) into EDX
:004027CE add edx, ecx                       ; Add digit of (username) to digit of (LUT1) -
:004027D0 mov dword ptr [ebp-18], edx        ; Save the result in [ebp-18]
:004027D3 mov eax, dword ptr [ebp-18]        ; Move result into EAX
:004027D6 cmp eax, dword ptr [ebp-14]        ; Compare result with 2B (+) -
:004027D9 jle 004027E5                       ; if less or equal, skip the division (jump to 004027E5)
:004027DB mov eax, dword ptr [ebp-18]        ; Move result back into EAX
:004027DE cdq                                ; Sign-extend EAX into EDX:EAX ready for the signed divide
:004027DF idiv [ebp-14]                      ; Divides result in EAX by 2B(+), remainder is put into EDX
:004027E2 mov dword ptr [ebp-18], edx        ; Save remainder into [ebp-18]
:004027E5 mov ecx, dword ptr [ebp-18]        ; Move remainder into ECX
:004027E8 mov dl, byte ptr [ecx+ebp-48]      ; Move digit from (LUT2) into dl, this is the REAL code
:004027EC push edx                           ; Push digit of REAL code onto the stack
:004027ED lea ecx, dword ptr [ebp-54]        ; Offset to place REAL code digit
:004027F0 Call 0040E326                      ; Put REAL code digit into offset
:004027F5 jmp 0040279B                       ; Start all over again
THE SECTION BELOW IS AFTER THE REAL CODE HAS BEEN GENERATED
:004027F7 lea ecx, dword ptr [ebp-54]-----------; Load REAL code offset
:004027FA Call 0040E320-------------------------; Turn code around
Well, that's the algorithm.
Even though it seems a lot, the above algorithm boils down to the
following simple sum.
TEMP1 = name[cycle]
TEMP2 = lut1[cycle]
SUM1 = TEMP1+TEMP2
SUM2 = SUM1/2B the remainder is then saved in REMAINDER
CODE = LUT2[REMAINDER]
DON'T FORGET, the code is generated backwards, so you will have to change
it around when you display it.
I've given you all the info you need to write a keygen: you have the algorithm
and also the 2 LOOK UP TABLES.
Like I stressed earlier, this is not (ROCKET SCIENCE), but at least it doesn't
go over the same old stuff.
I hope that you could follow my TUTORial or at least gain some new knowledge
that you can apply to other cracks.
I would like to thank you for taking the time to read my work, and if you
feel I have gone wrong somewhere along the way please don't hesitate to
email me. Any other comments would be welcome also.
EMAIL - SHEEP140@OPERAMAIL.COM
Do I really have to remind you all that buying and NOT stealing the
software you use will ensure that these software houses continue to
produce even *better* software for us to use and, more importantly,
continue offering even more challenges to breaking their often weak
protection systems?
If you're looking for cracks or serial numbers from these pages then
you're wasting your time; try searching elsewhere on the Web under
Warze, Cracks etc.
Essay by: SHeeP140
Page Created: 2nd