About this tutorial:
Tutorial:Total Reversing of Cover Your Tracks 3.5

Target:Cover Your Tracks 3.5(http://www.ffsoftware.com)

Tools:SoftIce 3.24(this is a good software, worth buying)

Date:2nd January 2000

Descriptions&Comments:Total Reversing of Cover Your Tracks 3.5. Hmm, well, almost: we still lack a clean way to unregister this program, which we would need to reverse it totally. Hopefully, someone can send me a clean way of unregistering (I can do it, but mine is a dirty way) so that we can really reverse this program totally, and I will update this document giving full credit for the "Unregistering" section to that person. It does not matter to us now. We will ignore that, fish a serial first and code a keygen later. Thanks to a good friend of mine, ^tCM^, for the keygen's source.

Protections:Name/Serial, Nag, Keygen

Disclaimer:This file is used for educational purposes only. Any misuse of the information presented here is not my responsibility.

Copyright information:This tutorial is copyright © 1999 ManKind

Starting words:
Hello, welcome to my tutorial. I am ManKind, a newbie in cracking who wants to share my cracking skills with other newbies. Contact me at mankind001@bigfoot.com


The process:
Part 1:Easy way of locating correct registration code
Nothing special here. This is the easiest serial fishing experience that I have ever had; it can be called a "10 second crack". Load up Cover Your Tracks, a nag comes up, press the Register button, a new register window pops up, and enter some fake info (at least 7 characters are needed for each text field), filling in something like below:

Name:ManKind/ImmortalDescendants
Registration Code:23199981

Go into SoftIce and set a breakpoint on hmemcpy like below:

bpx hmemcpy

Leave SoftIce, press the Register button, SoftIce will pop up, press F5 once to let SoftIce read the data at the other text field, press F11 once to go back to the code which called the hmemcpy function, press F12 11 times to RETurn to the main call, press F10 once to step over the current code and finally the white indicator of SoftIce will land on the following code:

:00457967 POP EAX

At this moment, EDX contains the real registration code for our name(refer to the code on top of the above code). Do the following command and you will see the real registration code in the data window:

d edx

What's in the data window? A long string. I saw the following for my name:

v9hAwhuwvvgsm9kuya3yhu9hma

No, though I know the above is the correct registration code, don't register with it, because you will have trouble unregistering it and you will not be able to progress and do a keygen.


Part 2:Understanding the keygeneration routines
Well, you will ask: since we have already fished out a serial from Cover Your Tracks, why should we ever need to understand its keygeneration routines? The answers are simple: firstly, this may serve as a keygen tutorial; secondly, we do this because we want to reverse this program totally. What do I mean by totally? Totally means we know how the correct registration code is generated based on the name we enter.

This part is also easy owing to the simple keygeneration routines. Now, I will just give you a brief idea of the keygeneration routines. By debugging like in the first part, one letter at a time, I discovered this (or you can also go into Cover Your Tracks when SoftIce breaks on hmemcpy, disable the hmemcpy breakpoint, set a breakpoint on address 00457967 (refer to above), press F5 to let SoftIce run and finally you will be brought to the place where you can just type 'd edx' to view your correct registration code):

A=9, B=o, C=3, D=u, E=y, F=t, G=r, H=6, I=w, J=q, K=A, L=k, M=v, N=h, O=g, P=f, Q=d, R=s, S=a, T=m, U=8, V=b, W=eP, X=1, Y=x, Z=z, any other character including space=null

Condition: There is no difference between upper case and lower case letters; that means if A=9 then a=9 also. The name must contain at least 7 letters from A to Z or else it will be an invalid name. The code is generated from left to right, for example:

M a n K i n d
v 9 h A w h u

With this information, it will not be too hard for you to code a keygen. Well, after you understand the keygeneration routine, what should you do? You should really code a keygen. I have included below the C++ source of a simple Cover Your Tracks keygen written by tCM, a good friend of mine, and slightly edited by myself. I compiled it with my Visual C++ 6.0 but it should compile on any other C++ compiler.

#include <ctype.h>
#include <stdio.h> //I only edited the introduction part!
#include <string.h> //nothing special here, just playing a fool!

int main(void) {
    // Introduction
    printf("Cover Your Tracks 3.5 Keygen by ManKind/ImmortalDescendants \n");
    printf("===================================================\n");

    // Prompt the user
    printf("Please enter your name \n");
    fflush(stdout); // make sure the prompt is flushed from output buffer to the screen
    char UserName[100]; // fgets() below limits the input to 99 characters
    if (fgets(UserName, sizeof UserName, stdin) == NULL) return 1;
    UserName[strcspn(UserName, "\r\n")] = '\0'; // strip the trailing newline

    // Then I want to read his name and make the following substitution:
    // A=9, B=o, C=3, D=u, E=y, F=t, G=r, H=6, I=w, J=q, K=A, L=k, M=v, N=h, O=g, P=f, Q=d,
    // R=s, S=a, T=m, U=8, V=b, W=eP, X=1, Y=x, Z=z, any other character including space=null

    // define the new alphabet as a lookup table with an entry for
    // each character.

    int i, k, temp, name_lenth;
    char new_name[2 * sizeof UserName] = {0}; // W expands to two characters
    char Lookup[] = "9o3uytr6wqAkvhgfdsam8be1xz";
    char W_ONLY[] = "eP";

    // Condition: There is no difference between upper case letters and
    // lower case letters, that means if A=9 then a=9 also.
    // Eliminate invalid letters by writing the translated
    // character at a different position.
    //char *P, *Q;
    //for (P = Q = UserName; *P; ++P) {
    // unsigned Index = toupper(*P) - 'A'; // place in lookup table
    // if (Index < sizeof Lookup) *Q++ = Lookup[Index]; // translate
    //}
    //*Q = '\0'; // terminate the translated string

    name_lenth = strlen(UserName);

    for (i = 0, k = 0; i < name_lenth; i++) {
        temp = toupper((unsigned char)UserName[i]); // upper and lower case map alike
        if (temp >= 0x41 && temp <= 0x5A) { // 'A'..'Z'; every other character is dropped
            if (temp == 0x57) { // 'W' is the only letter that maps to two characters
                strcat(new_name, W_ONLY);
                k += 2;
            } else {
                new_name[k] = Lookup[temp - 0x41]; // index 0 is 'A'
                k++;
            }
        }
    }

    printf("Registration Code = %s\n", new_name);
    // I want to display the new name after substitution to the user
    // Note: this will end as soon as a null character is found
    //printf("Registration Code = %s\n", UserName);

    // wait for a keypress before exiting
    getchar();
    return 0;
}
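
From the defender's side, the scheme above fails because the valid code is a fixed, keyless substitution of the name that the program itself builds in memory before comparing. The following added example (not part of the original tutorial or of the program) sketches the usual alternative: the client holds only a public key and verifies a signature over the name, so it never computes the valid code. The toy key (two Mersenne primes, textbook RSA without padding) and the names issue_license and verify_license are constructed for illustration and are far too weak for real use; a product would use a vetted signature library.

```python
import hashlib

# Constructed toy key for illustration only: trivially factorable.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                            # public modulus, shipped in the client
E = 65537                            # public exponent, shipped in the client
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, stays with the vendor
MIN_LETTERS = 7                      # the tutorial's condition: at least 7 letters A-Z


def _digest(name):
    """Return the name hash as an integer below N, or None if the name is invalid."""
    # Same normalisation the tutorial describes: case-insensitive, non-letters ignored.
    canon = "".join(ch.upper() for ch in name if ch.isascii() and ch.isalpha())
    if len(canon) < MIN_LETTERS:
        return None
    return int.from_bytes(hashlib.sha256(canon.encode("ascii")).digest(), "big") % N


def issue_license(name):
    """Vendor side: sign the name digest with the private exponent."""
    digest = _digest(name)
    if digest is None:
        raise ValueError("name needs at least %d letters" % MIN_LETTERS)
    return format(pow(digest, D, N), "x")


def verify_license(name, code):
    """Client side: uses only (N, E) and never materialises the valid code."""
    digest = _digest(name)
    if digest is None:
        return False
    try:
        sig = int(code, 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == digest
```

With this design a breakpoint on the comparison shows only the hash of the name and the code the user typed, not a code that would be accepted.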

That's all for now. Hope to see you soon on my next tutorial. As usual, contact me if I make any mistake, give me your feedback, comments, suggestions and opinions about this tutorial and my way of presenting it.

Extra notes:
I think you have noticed that I have modified the template (format) of my essay. We are in a new millennium, so I guess I have to have a new template. I hope you like this new design. Thanks again to ^tCM^ for being kind and patient, coding the keygen and giving the source. Thanks to my readers who supported my work. In return for your support, I will continue to write more good essays. Thanks again!


Ending:
Thanks and greetz to:
+ORC, +HCU, Sandman, HarvestR, tKC, ytc_, Punisher, Kwai_Lo, TORN@DO, Crackz, cLUSTER, LaZaRuS, mrfanatic, yes123, WhizKiD, Volatility, Acid Burn, Eternal Bliss, R!SC, MisterE, Shadow, ^tCM^, WaJ, Borna Janes, Lord Soth, Lucifer48, Neural, Latigo, Alpine, flag erratum, Nitrus, frogs print, Muad`Dib, Iczelion, Warezpup, Bomber Monkey, llama and other crackers, individuals and organisations who have helped me, either directly or indirectly.

Service for ManKind
ManKind
mankind001@bigfoot.com
m is coded in VB 5, I shall code the source in Visual Basic too and here's the calculation part source(comment highlighted in green as in VB itself):
For i = 1 to Len(Text1.Text) 'i is counter, Text1.Text refers to the name's text field, loop until byte of name finish
 name1 = Asc(Mid(Text1.Text, i, 1)) 'get a byte of name
 name2 = (name1 ^ 2) * i 'main algo here(ascii of byte power by 2 and multiplied to current position of byte)
 name3 = name3 + name2 'sum up all the calculated values
Next i  'loop again 
Text2.Text = name3 'Text2.Text refers to the text field where you would show user his/her Unlock Code for the specified name, show user the final calculated value which is the correct Unlock Code

As a little note on the keygen, I would like to state that if any programming language other than Visual Basic (I tried VB5) is used to code the keygen for Visi Font Gold (probably not all, but I tried Assembly and QBasic), the result will be messed up when dealing with special characters like î, é and many more (that's why I chose to show you the calculation source in VB).

Lastly, my little opinion and comment on SmartCheck and its usage:
- could be VERY useful for cracking VB programs
- when trying to keygen, it's totally different from SoftICE and the normal approach where you get to see, feel and execute the asm instructions, while here you have to guess, think, try, figure out and so on...
- very good tool for crackers and programmers
- useful for newbies to do a quick crack (serial fishing)...
- lame (its protections and the fact that it is developed by a company called Microsoft, hehe, joking only...)
- no more at the moment...

There, my first tutorial which totally relies on SmartCheck. I would really like to do more tutorials on using SmartCheck (which are pretty rare compared to those using SoftICE), especially on harder targets with harder protections and keygen algos (thanks to webm4sta for commenting: I know the algo of this target is pretty simple, but it should be good enough for beginners to KNOW SmartCheck). That's all for now. Hope to see you soon on my next tutorial. As usual, contact me if I make any mistake, give me your feedback, comments, suggestions and opinions about this tutorial and my way of presenting it.


Ending:
Thanks and greetz to:
+ORC, +HCU, Sandman, HarvestR, tKC, ytc_, Punisher, Kwai_Lo, TORN@DO, CrackZ, cLUSTER, LaZaRuS, mISTER fANATIC, yes123, WhizKiD, Volatility, ACiD BuRN, Eternal Bliss, R!SC, Kwazy Webbit, +Mammon, MisterE, Shadow, ^tCM^, WaJ, Borna Janes, Kathras, AB4DS(Death), douby, Steinowitz, Lord Soth, Latigo, Lucifer48, NeuRaL_NoiSE, Fravia+, Latigo, Duelist, Alpine, flag eRRatum, Nitrus, +Frog's Print, Muad`Dib, Iczelion, Razzia, Warezpup, Bomber Monkey, llama and other crackers, individuals and organisations who have helped me, either directly or indirectly.

Service for Mankind
ManKind
mankind001@bigfoot.com
