Do it yourself !
by +TsehP

This is a harder essay, not really intended for newbies, but if someone of you thinks he's ready to do something more this is a good starting point. This is about a keygen (my favourite subject, as you know ;)) and has both a well commented code and a source that will help you to bettern learn keygen programming.

This essay will help to get inside the core of the algorythm to generate a
serial for realplus g2. Don't expect me to explain everything to you in this
essay 'cause it's designed to be read by intermediate crackers. I will only
guide you to make you understand how it works and if you know how to program
in C or another language, you'll build your own keygenenerator. A source of
my own program is appended at this essay.


Well thanks to Hellraiser and spirit for their previous essay on realplus 4.0;
I just wanted this essay to make a deeper approach, the purpose is to write a
keygen and not use the original routines taken from the prog.

Why is this, because if the program evolves, you will be able easily to change
your own soft !

                                Tools required 

Tools used:

    Softice 3.22
    Windasm 8.9
    Microsoft visual c++ compiler (or any other)
    Aspirin brain++ (Viagra tablets doesn't work here ;-) )

                               Target's URL/FTP

Realplayer plus G2,downloadable if you make a ftpsearch with r32ppg2(xxx)
(read +fravia's tips for search)
I will not give the link I used 'cause it will surely not be available at the
time you will practice my essay, learn to search with fravia's essays:

                               Program History 

Realplayers are king of old, previous versions were 1.0 2.0 and so until 5.0
Now G2 with improved sound and video, the world's most important player on


To start :
fire Sice, bpx getwindowtexta and follow the code you entered with various
bpm xxxx.

Watch out it is copied in memory several times, to remove the '-' for

If you make a good work, you will land here in sete3260.dll if you are in
installation process.

You can do it by enter serial option when realplus is installed in demo mode
but the adresses will not be correct.

You can bpx on 10009e9e to shorten all the easy part...

You land here :

:10009E9E FFD5          call ebp ;ascii to bin code conversion
:10009EA0 833822        cmp dword ptr [eax], 00000022 ;beggar of if your code > 0x19999999
:10009EA3 7457          je 10009EFC
:10009EA5 53            push ebx ;push offset to hex code
:10009EA6 E865020000    call 1000A110 ;encrypt + check routine
:10009EAB 8B742418      mov esi, dword ptr [esp+18]
:10009EAF 83C404        add esp, 00000004
:10009EB2 85C0          test eax, eax ;if eax=0 beggar off !
:10009EB4 8906          mov dword ptr [esi], eax
:10009EB6 7436          je 10009EEE
:10009EB8 3DBFEA2101    cmp eax, 0121EABF ;first limit of crypted result
:10009EBD 772F          ja 10009EEE ;must be lower (not the right limit)
:10009EBF 8B17          mov edx, dword ptr [edi]
:10009EC1 52            push edx
:10009EC2 50            push eax
:10009EC3 E8E8000000    call 10009FB0 ;second check with tables
:10009EC8 83C408        add esp, 00000008
:10009ECB 85C0          test eax, eax ;eax=1 good guy!
:10009ECD 7411          je 10009EE0

the first place to go is call 1000a110, this is the most interesting part.
This routine use the hex conversion of your entered code to generate a number
that will be checked at the second call with lookup tables. Well lets go to
this part that was kind of complicated to me.

I will not explain to you all the details of this check 'cause this is left
as an exercise to the reader, you will have the complete source of my keygen
at the end of my project but I'll leave you some spots to help you build your
own keygenerator or/and to improve mine (that is an great example of poor C
programming !).

* Referenced by a CALL at Addresses:
|:10009EA6 , :10009F28 
:1000A110 83EC14        sub esp, 00000014
:1000A113 53            push ebx
:1000A114 55            push ebp
:1000A115 56            push esi
:1000A116 8B742424      mov esi, dword ptr [esp+24]
:1000A11A 81FEE8CD9A3B  cmp esi, 3B9ACDE8 ;fake dummy hex code
                                    ;this was present in versions 4.0 and 5.0
                                    ;this returns eax=1 but it's a fake check
                                    ;to loose newbies ! 
:1000A120 57            push edi
:1000A121 750D          jne 1000A130 ;we go there !

* Possible Reference to String Resource ID=00001: "Configuration file
RNSETUP.CFG is missing or corrupted. Setu"
:1000A123 B801000000    mov eax, 00000001
:1000A128 5F            pop edi
:1000A129 5E            pop esi
:1000A12A 5D            pop ebp
:1000A12B 5B            pop ebx
:1000A12C 83C414        add esp, 00000014
:1000A12F C3            ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:1000A130 33C9          xor ecx, ecx
:1000A132 3BF1          cmp esi, ecx
:1000A134 750A          jne 1000A140 ;we go there !
:1000A136 33C0          xor eax, eax
:1000A138 5F            pop edi
:1000A139 5E            pop esi
:1000A13A 5D            pop ebp
:1000A13B 5B            pop ebx
:1000A13C 83C414        add esp, 00000014
:1000A13F C3            ret

ATTENTION ! This is the real part.Study this place very carefully because
there's a lot of fake checks a a few good ones.

To explain how it works, roughly, here's an example of code :1000666000
each digit is analysed from right to left (follow it with softice)
and you've got a number generated with their hex value and two counters (one
that is the sum of them, progressive and another thats like a=a*8+a.

You'll have to discover the mathematical process and write it to make your
keygen !

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:1000A140 83C8FF        or eax, FFFFFFFF
:1000A143 894C2418      mov dword ptr [esp+18], ecx
:1000A147 894C2414      mov dword ptr [esp+14], ecx

* Possible Reference to String Resource ID=00001: "Configuration file
RNSETUP.CFG is missing or corrupted. Setu"
:1000A14B BB01000000    mov ebx, 00000001
:1000A150 894C2410      mov dword ptr [esp+10], ecx ;various inits of vars
:1000A154 894C2428      mov dword ptr [esp+28], ecx ;used to generate the
:1000A158 8944241C      mov dword ptr [esp+1C], eax ;magic number...
:1000A15C 89442420      mov dword ptr [esp+20], eax
:1000A160 8D7C241C      lea edi, dword ptr [esp+1C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:1000A164 8BC6          mov eax, esi
:1000A166 33D2          xor edx, edx

* Possible Reference to String Resource ID=00010: "Configuring system..."
:1000A168 BD0A000000    mov ebp, 0000000A
:1000A16D F7F5          div ebp
:1000A16F 80FA06        cmp dl, 06 ;check if code digit <>6
:1000A172 751E          jne 1000A192
:1000A174 837C242802    cmp dword ptr [esp+28], 00000002 ;is there more than
                                                        ;2 6 in your code ?
:1000A179 0F8D84000000  jnl 1000A203 ;if yes beggar off !
:1000A17F 8B542428      mov edx, dword ptr [esp+28]
:1000A183 0FBEC1        movsx eax, cl
:1000A186 42            inc edx
:1000A187 8907          mov dword ptr [edi], eax
:1000A189 89542428      mov dword ptr [esp+28], edx ;it's a count of occurences of 6.
:1000A18D 83C704        add edi, 00000004
:1000A190 EB27          jmp 1000A1B9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:1000A192 8B6C2410      mov ebp, dword ptr [esp+10]
:1000A196 0FBEC2        movsx eax, dl
:1000A199 03E8          add ebp, eax
:1000A19B 80FA06        cmp dl, 06 ;check for 6 again !
:1000A19E 896C2410      mov dword ptr [esp+10], ebp
:1000A1A2 7E02          jle 1000A1A6
:1000A1A4 FECA          dec dl ;hex code -1 if above
                                ;used to generate the number
                                ;with a multiplication later.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:1000A1A6 0FBED2        movsx edx, dl
:1000A1A9 0FAFD3        imul edx, ebx
:1000A1AC 8B442414      mov eax, dword ptr [esp+14]
:1000A1B0 8D1CDB        lea ebx, dword ptr [ebx+8*ebx] ;a=a*8+a var used in the algo...
:1000A1B3 03C2          add eax, edx
:1000A1B5 89442414      mov dword ptr [esp+14], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:1000A1B9 B8CDCCCCCC     mov eax, CCCCCCCD ;this is no encryption
:1000A1BE F7E6           mul esi ;provided to check your code
:1000A1C0 C1EA03         shr edx, 03 ;digit by digit, stored in edx (see with sice)
:1000A1C3 FEC1           inc cl
:1000A1C5 8BF2           mov esi, edx
:1000A1C7 80F90A         cmp cl, 0A ;0x0a stands for lenght of your code
:1000A1CA 7C98           jl 1000A164
:1000A1CC 8B4C2410       mov ecx, dword ptr [esp+10]
:1000A1D0 8B048D30410110 mov eax, dword ptr [4*ecx+10014130] ;very important, look in
:1000A1D7 8B0C8D50420110 mov ecx, dword ptr [4*ecx+10014250] ;2 tables with an index
                    ; to help ecx stores the sum of all the digits 1+1+0+6 etcc...
:1000A1DE 3BC1           cmp eax, ecx
:1000A1E0 8BD0           mov edx, eax
:1000A1E2 7C02           jl 1000A1E6
:1000A1E4 8BD1           mov edx, ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:1000A1E6 3BC1          cmp eax, ecx
:1000A1E8 7F02          jg 1000A1EC
:1000A1EA 8BC1          mov eax, ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:1000A1EC 3954241C      cmp dword ptr [esp+1C], edx ;esp+1c contains the index of
                                                ;first '6' encountered in your code...
:1000A1F0 7511          jne 1000A203 ;must be egal to table value,otherwise beggar off!
:1000A1F2 39442420      cmp dword ptr [esp+20], eax ;idem for the second 6.
:1000A1F6 750B          jne 1000A203
:1000A1F8 8B442414      mov eax, dword ptr [esp+14]
:1000A1FC 3DBFEA2101    cmp eax, 0121EABF ;not the final check but made to confuse you !
:1000A201 7604          jbe 1000A207 ;if greater, beggar off,first purpose of algorythm.

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1000A179(C), :1000A1F0(C), :1000A1F6(C)
:1000A203 8B442418      mov eax, dword ptr [esp+18];sets eax to 0 and beggar off.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:1000A207 5F            pop edi ;good if you land here !
:1000A208 5E            pop esi ;but that's not finished yet.
:1000A209 5D            pop ebp
:1000A20A 5B            pop ebx
:1000A20B 83C414        add esp, 00000014
:1000A20E C3            ret

Ok we're almost finished.Now you've got in eax the value generated by the
algo that will be tested in the second call that we have there:

* Referenced by a CALL at Addresses:
|:10009DB4 , :10009EC3 , :10009F46 
:10009FB0 8B442408 mov eax, dword ptr [esp+08]
:10009FB4 50 push eax

* Possible Indirect StringData Ref from Data Obj ->"PlayerPlus"
:10009FB5 68E0400110    push 100140E0 ;this is used as an index for the final check.
:10009FBA E821000000    call 10009FE0 ;not very important...
:10009FBF 83C408        add esp, 00000008
:10009FC2 85C0          test eax, eax
:10009FC4 7416          je 10009FDC
:10009FC6 8B4C2404      mov ecx, dword ptr [esp+04]
:10009FCA 8B5008        mov edx, dword ptr [eax+08]
:10009FCD 3BCA          cmp ecx, edx
:10009FCF 720B          jb 10009FDC
:10009FD1 3B480C        cmp ecx, dword ptr [eax+0C] ;this is the final check
                                            ;it looks if the generated number
                                            ;is greater than 9999999, this is
                                            ;a fixed value.
:10009FD4 7706 ja 10009FDC ;beggar off !

* Possible Reference to String Resource ID=00001: "Configuration file
RNSETUP.CFG is missing or corrupted. Setu"
|                                           ;an example of windasm trash, if ida
|                                           ;was more window based...sic...
:10009FD6 B801000000    mov eax, 00000001 ;if you're here so everything is OK and
                                            ;your code is fine
:10009FDB C3 ret

Why do you have to write a Keygen ?

Because If you patch this code,it will install realplus ok but when the
program will load it will see that the code you typed is wrong and will stay
in demo mode. So you could check to patch this crap again but believe me, it
will not work when you will automatically upgrade without asking you anything!
I know this is difficult work so I provide you my keygen in C so you will
study it and maybe improve it.

Courtesy of +TsehP from Paris 24/08/1998


int tab1[200] =

int tab2[200] =

// a "satanic" way to make lamerz' life less easy... try to compile THIS! >:-)


srand( (unsigned)time( NULL ) );
unsigned long val=0,a=1,sum=0,c;
char key[20],trav[20],*e,buf[2],rep[2];
int i,k=0,d=0,r=0,g,pos1,pos2,nb6=0,al,ok=0,res6;

cout << "Realplayer plus g2 keygenerator" << endl;
cout << " By +TsehP " << endl;
cout << "To find it, try ftpsearch with " << endl;
cout << "R32PPG2xxx as a file... " << endl;
cout << "or download on " << endl;
cout << " Finished the 24/08/1998 " << endl;
cout << endl;
cout << "Press Return to generate a serial." << endl;

gets (key);
do {
for (i=1;i<11;i++)
do {
al = rand() % 10;
} while (al!=0 & al!=1) ;
_itoa (al,buf,10);
strncpy (key+i-1,buf,1);
for (i=1;i<3;i++)
do {al = rand() %10;} while (al==0 & al==10 & al==res6);
_itoa (6,buf,10);
strncpy (key+al,buf,1);
for (i=1;i<11;i++)
strcpy (trav,key);
val = atoi (e);
if (c==6 & nb6==0) {pos1=i;nb6++;}
else if (c==6 & nb6==1) {pos2=i;nb6++;};
if (c!=6)
if (c>6) c-=1;
if (r<<9999999) 
printf ("Et voila !!!\n");
strcpy (trav,key);
if ((d+1)!=pos1){strncpy
strcpy (key,trav);
if ((g+1)!=pos2){strncpy
printf ("Enter this serial : ");
puts (trav);
cout << "Do you want another one ? (Y/N)" << endl;
gets (rep);
if (*rep=='n') ok=1;
else {r=0;};
while (!ok);
return 0;

>                                 Final Notes 

Legal stuff : This is made for educationnal purpose, I'm not responsible if
this is used to avoid paying for this program, I'm not either responsible of
what I write, of me and Monica Lewinsky loss of virginity . 

Courtesy of +TsehP from Paris 24/08/1998

(c) +TsehP 1998.
WARNING: this tutorial is published for EDUCATIONAL PURPOSES only! Nobody except you is responsible for what you do with the things you read here. Also, if you intend to use shareware programs for a period longer than the allowed one remember that you have to BUY them!