Nov 2nd 1999 
SheeP140 [PGC] Keygen Algorithm (Tutorial 2)
Win '95 PROGRAM 
Win Code Reversing 
by SHeeP140 [PGC]
Code Reversing For Beginners 
Program Details
Program Name: ToDo V1.51
Program Type: Handy Reminder Tool 
Program Location:
Program Size: 109,568 bytes (tiny)

Tools Used:
W32Dasm and Softice


Easy ( X )  Medium ( X )  Hard (    )  Pro (    ) 
Potatoes have a very interesting life.

"A crack is a crack is a crack, unless its a keygen. :o)"


ToDo is a simple utility designed to help you keep track of things you need to get done. It provides a neat and handy little interface that is much tidier than hand-scribbled sticky notes, and sundry items scratched on the back of envelopes. I made this utility for myself, and decided it was handy enough to share, so here it is.
About this protection system

A nag screen pops up after 30 days; the program is not disabled in any way, it is just annoying.
The Essay

Even though this section is usually last, I feel that it should not be, therefore I am putting it at the beginning.

Idea for this essay -----> WEBM4STA, a fine friend and a gentleman, not many left these days.
Page Layout -------------> KIK, I used KIK's TUTORial as a template (I hope you don't mind) :o).

There are so many tutorials out there that seem to go over the same old stuff; while this is all well and good, it doesn't give any new insight into new CRACKING techniques. In this TUTORial I will try and teach you something that has indeed been documented before, but I feel not enough: the use of LOOK UP TABLES in keygen routines. There must be thousands of (NEWBIE) tutorials, which is one of the reasons I decided to write this one; even though this is not (ROCKET SCIENCE), it is very slightly more advanced than the usual (NEWBIE) tutorial.

Okay, here goes. 

I will try and convey to you every stage of the crack as I have done it; this way you can judge for yourself my methods and hopefully comment where I am going wrong. :o)


The first step on our journey is to try and gather as many details on the program as possible. This consists of... 

Reading ALL documentation and the about box to try and glean relevant information on the (CRACK), i.e.

i) Time limits
ii) Registration details etc.

It's also nice to see who has written the software, whether it is a multi-million dollar company or just JOE SHMO in his bedroom.

The whole of STAGE 1 just gives you an idea of what you are dealing with.


Once all the relevant info had been collected from STAGE 1, I proceeded inside the little fella with my fave programming scalpel, SOFTICE.

1. Load the little fella (ToDo V1.51) :o)
2. Goto the 'HELP' menu and click 'REGISTER' 
3. You will be presented with a standard REGISTRATION NAME/CODE box

As I only want to show you a certain aspect of this crack, i.e. the (SERIAL NUMBER ALGORITHM), I will send you directly to it; the other code involved has been explained hundreds of times in other TUTORials.

5. Type in your name and code, I used - Name: SHEEP140 CODE: 1212121212, then click 'OK'
6. Press (F5), then (F11), then press (F12) 28 times or until you come to the code point below.

:00409B49 mov dword ptr [ebp-10], eax--------------; You should land here
:00409B4C cmp dword ptr [ebp-10], 00000001
:00409B50 jne 00409C03
:00409B56 push ecx
:00409B57 mov ecx, esp
:00409B59 mov dword ptr [ebp-7C], esp
:00409B5C lea eax, dword ptr [ebp-18]
:00409B5F push eax
:00409B60 Call 0040E2D8
:00409B65 mov dword ptr [ebp+FFFFFF78], eax
:00409B6B mov ecx, dword ptr [ebp+FFFFFF7C]
:00409B71 mov ecx, dword ptr [ecx+00000684]
:00409B77 call 0040B670
:00409B7C push ecx
:00409B7D mov ecx, esp
:00409B7F mov dword ptr [ebp-80], esp
:00409B82 lea edx, dword ptr [ebp-14]
:00409B85 push edx
:00409B86 Call 0040E2D8
:00409B8B mov dword ptr [ebp+FFFFFF74], eax
:00409B91 mov eax, dword ptr [ebp+FFFFFF7C]
:00409B97 mov ecx, dword ptr [eax+00000684]
:00409B9D call 0040B610
:00409BA2 mov ecx, dword ptr [ebp+FFFFFF7C]
:00409BA8 mov ecx, dword ptr [ecx+00000684]
:00409BAE call 00402692---------------------------;Press (F10) until you reach here

7. When you reach the above point press F8 to enter the CALL 402692

As I said before, I only want to show you the algorithm, so I will explain very briefly what the code before the algorithm does. All it does is..

1) Sets up the 2 LOOK UP TABLES, these are:

LOOK UP TABLE 1 'todo1todo1todo1t'
LOOK UP TABLE 2 '012345thefiveboxing-wizardsjumpedquickly6789'

2) Extends your username so that it is exactly 16 characters long, by repeating it:


sheep140 <------------> sheep140sheep140
s <-------------------> ssssssssssssssss
bob <-----------------> bobbobbobbobbobb

and so on; it does this so that the REAL code is 16 digits long.

And so now we carry on.

8. Press F10 until you come across the following code..

(username)---->The name you entered.
(LUT1)-------->Look up Table 1.
(LUT2)-------->Look up Table 2, if you hadn't guessed. :o)
(cycle)------->number of times the routine has run.
(-)----------->the sentence continues to the next line.


When you have found the algorithm it's a good idea to do a screen print and then write comments on the printout; this gives you a hard copy. You can also dump it into a file, but that's not much use when you're popping in and out of SOFTICE.

:0040279B mov ecx, dword ptr [ebp-10]------; Move (cycle) count into ECX
:0040279E add ecx, 00000001----------------; Add 1 to the (cycle) count
:004027A1 mov dword ptr [ebp-10], ecx------; Save (cycle) count to [ebp-10]
:004027A4 cmp dword ptr [ebp-10], 00000010-; Have we finished the code generation? - you will land here for the first letter

:004027A8 jge 004027F7---------------------; jump if yes (code = 16 digits)
:004027AA mov edx, dword ptr [ebp-50]------; Move offset of (username) into EDX
:004027AD add edx, dword ptr [ebp-10]------; Add number of (cycles) to (username) offset
:004027B0 mov al, byte ptr [edx]-----------; Move digit of (username) into al
:004027B2 mov byte ptr [ebp-6C], al--------; Save digit of (username) into [ebp-6c]
:004027B5 movsx ecx, byte ptr [ebp-6C]-----; Move digit of (username) into ECX
:004027B9 mov dword ptr [ebp-18], ecx------; Save digit of (username) again into [ebp-18]
:004027BC mov edx, dword ptr [ebp-4C]------; Move offset of (LUT1) into EDX
:004027BF add edx, dword ptr [ebp-10]------; Add number of (cycles) to (LUT1) offset
:004027C2 mov al, byte ptr [edx]-----------; Move digit of (LUT1) into al
:004027C4 mov byte ptr [ebp-70], al--------; Save digit of (LUT1) into [ebp-70]
:004027C7 movsx ecx, byte ptr [ebp-70]-----; Move digit of (LUT1) into ECX
:004027CB mov edx, dword ptr [ebp-18]------; Move digit of (username) into EDX
:004027CE add edx, ecx---------------------; Add digit of (username) to digit of (LUT1) -
:004027D0 mov dword ptr [ebp-18], edx------; Save the result in [ebp-18]
:004027D3 mov eax, dword ptr [ebp-18]------; Move result into EAX
:004027D6 cmp eax, dword ptr [ebp-14]------; Compare result with 2B (+) -
:004027D9 jle 004027E5---------------------; if less or equal skip the divide and go straight to the (LUT2) lookup
:004027DB mov eax, dword ptr [ebp-18]------; Move result back into EAX
:004027DE cdq------------------------------; Sign extend EAX into EDX:EAX, needed before the IDIV below
:004027DF idiv [ebp-14]--------------------; Divides result in EAX with 2B(+) remainder is put into EDX 
:004027E2 mov dword ptr [ebp-18], edx------; Save remainder into [ebp-18]
:004027E5 mov ecx, dword ptr [ebp-18]------; Move remainder into ECX
:004027E8 mov dl, byte ptr [ecx+ebp-48]----; Move digit from (LUT2) into dl, this is the REAL code
:004027EC push edx-------------------------; Push digit of REAL code onto the stack
:004027ED lea ecx, dword ptr [ebp-54]------; Offset to place REAL code digit
:004027F0 Call 0040E326--------------------; Put REAL code digit into offset
:004027F5 jmp 0040279B---------------------; Start all over again


:004027F7 lea ecx, dword ptr [ebp-54]-----------; Load REAL code offset into ECX
:004027FA Call 0040E320-------------------------; Reverse the code (it was built backwards)

Well, that's the algorithm......


Well, even though it seems a lot, the above algorithm boils down to the following simple sum, run once for each of the 16 cycles.

TEMP1 = name[cycle]
TEMP2 = lut1[cycle]
SUM1 = TEMP1 + TEMP2
SUM2 = SUM1/2B (only if SUM1 is greater than 2B) and the remainder is then saved in REMAINDER, otherwise REMAINDER = SUM1
code[cycle] = lut2[REMAINDER]
DON'T FORGET, the code is generated backwards so you will have to turn it around when you display it.
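To check the analysis, here is the recovered routine written out in Python. This is an added example, not code from the tutorial or from ToDo itself; it assumes the name is used exactly as typed and that a name longer than 16 characters is cut to 16, neither of which the tutorial covers. Read from the other side it also shows why the scheme is weak: nothing in it is secret, both tables and the constant 2B sit in plain sight inside the binary.

```python
LUT1 = "todo1todo1todo1t"
LUT2 = "012345thefiveboxing-wizardsjumpedquickly6789"   # 44 symbols, indexes 0..0x2B
MODULUS = 0x2B                                           # the constant kept in [ebp-14]


def expand_name(name: str) -> str:
    """Repeat the name cyclically until it is 16 characters long
    (sheep140 -> sheep140sheep140, bob -> bobbobbobbobbobb).
    Assumption: a name longer than 16 characters is cut to 16;
    the tutorial only shows short names."""
    if not name:
        raise ValueError("name must not be empty")
    return (name * (16 // len(name) + 1))[:16]


def reduce_sum(total: int) -> int:
    """The cmp/jle/cdq/idiv block at 4027D6..4027E2: only sums above 0x2B are
    reduced modulo 0x2B, so a sum of exactly 0x2B indexes LUT2[43] directly.
    For printable names that branch is dead: every name byte is >= 0x20 and
    every LUT1 byte is >= '1', so the sum is always well above 0x2B."""
    return total % MODULUS if total > MODULUS else total


def generate_code(name: str) -> str:
    """Run the 16-cycle loop at 40279B..4027F5, then reverse the result as
    Call 0040E320 does."""
    padded = expand_name(name)
    digits = []
    for cycle in range(16):
        total = ord(padded[cycle]) + ord(LUT1[cycle])  # name digit + LUT1 digit
        digits.append(LUT2[reduce_sum(total)])         # remainder picks the REAL digit
    return "".join(reversed(digits))


def is_valid(name: str, code: str) -> bool:
    """What the registration dialog ends up doing: compare the typed code
    against the one the routine builds from the name."""
    return generate_code(name) == code


if __name__ == "__main__":
    for n in ("sheep140", "s", "bob"):
        print(f"{n:>10} -> {expand_name(n)} -> {generate_code(n)}")
```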

I've given you all the info you need to write a keygen: you have the algorithm and also the 2 LOOK UP TABLES.

Like I stressed earlier, this is not (ROCKET SCIENCE), but at least it doesn't go over the same old stuff.

I hope that you could follow my TUTORial or at least gain some new knowledge that you can apply to other cracks.

I would like to thank you for taking the time to read my work, and if you feel I have gone wrong somewhere along the way please don't hesitate to email me; for that matter, any other comments would be welcome also.


Ob Duh

Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges to breaking their often weak protection systems.

If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.


Essay by: SHeeP140
Page Created:  2nd Nov 1999