About this tutorial:
Tutorial:Total reversing of Open Sesame 3.1
Target:Open Sesame 3.1(http://www.geocities.com/SiliconValley/Vista/5610/)
Tools:SoftICE 3.34 (good software, worth buying)
Date:10th of September 1999 (last updated on 12 October 1999)
Descriptions&Comments:This is a simple program, written by a sixteen-year-old, which lets you start certain programs without going through the Start menu. It is quite easy to fish out its registration code; it took me less than 15 minutes!
Copyright information:This tutorial is copyright © 1999 ManKind

Starting words:
Hello, welcome to my tutorial. I am ManKind, a newbie in cracking who wants to share my cracking skills with other newbies. Contact me at mankind001@bigfoot.com

Part 1:Easy way of locating correct registration code
The process:
Hello and welcome to my tutorial. As tKC always says, nothing is going to stop me now, except GOD. First of all, let me tell you about myself: actually I am not good at using SoftICE, but I tried to fish out the registration code of Open Sesame and after struggling for about 15 minutes I successfully fished it out. Either I am not that bad, or this target is just too easy.

When you start it, there is a splash screen and then a window. Press the 'Register' button on that window. A smaller window will pop up and you should notice that its 'Register' button is disabled. Fill in your name and a code, for example I filled in the following:

Name:Sample Copy
Registration Code:2319998

After you have filled in the information, the 'Register' button will be enabled. Now go into SoftICE and put a breakpoint on hmemcpy. For newbies, the command looks like this:

bpx hmemcpy

Go back to the registration window and press the 'Register' button. SoftICE will pop up; press F5 once and then press F12 7 times. After that, the middle of the screen (the green line across it) should change to LAUNCHP!CODE+xxxxxxxx; if not, keep pressing F12. Clear the hmemcpy breakpoint, because we don't need it anymore, by typing bc * (or bd * to only disable it) and pressing Enter. Next, trace through the code by pressing F10 until the highlighted line is on the following instruction:

0177:004302CE        CALL 004034CE

Now, press F8 to step into the call, and continue to step through until you reached here:

0177:004034B3        CMP EAX,EDX

Type d eax and press Enter; you should see your false registration code in the data window (upper right-hand side). Type d edx and press Enter; you should see your correct, real registration code in the data window, but you have to be smart to pick the code out of the other useless data. For example, after sorting it out, my code for the name 'Sample Copy' is 'i92wbtjnwu'. Now you have reversed Open Sesame 3.1. Aren't you happy and satisfied?

Additional/Extra Part or Stuff(s):
If you want to unregister, go to the Windows directory, for example C:\Windows\, open the file sesame.INI and edit its [Register] section like this:

Name=Sample Copy

Change to:


Although this first easy way of locating the correct registration code is useful, the data window can get messy after you do it a few times with different names and fake registration codes. As an alternative to reading the code at the CMP instruction at address 004034B3, you can read it at address 004034B1 (one line above the CMP instruction) with the same command, d edx, which I think leaves the data window less messy. Note that the memory addresses given above may be a bit different, or totally different, on your computer; just follow my way and don't worry, the instructions will still be the same.

Part 2:Understanding the keygeneration routines
The process:
Well, you may ask: since we have already reversed Open Sesame, why should we ever need to understand its key generation routine? The answers are simple. Firstly, this may serve as a keygen tutorial; secondly, we do it because we want to reverse Open Sesame totally. What do I mean by totally? Totally means we know how the correct registration code is generated from the name we enter.

This part is also easy owing to the simple key generation routine. I'll just give you a brief idea of it. By debugging as in the first part, one letter at a time, I discovered the following. (You can also let SoftICE break on hmemcpy, disable the hmemcpy breakpoint, set a breakpoint on address 004034B1 or 004034B3 (refer to above), press F5 to let SoftICE run, and you will be brought to the place where you can just type d edx to view your correct registration code.)

A=9, B=x, C=j, D=4, E=t, F=5, G=p, H=y, I=c, J=3, K=v, L=b, M=2, N=e, O=n, P=w, Q=o, R=m, S=i, T=1, U=r, V=l, W=7, X=k, Y=u, Z=8, any other character (including space) produces nothing and is simply skipped
Condition:There is no difference between upper case and lower case letters, so if A=9 then a=9 also. The name must contain at least one letter from A to Z, or else it is an invalid name. The code is built from left to right, for example:

S a m p l e C o p y
i 9 2 w b t j n w u

With this information it will not be too hard for you to code a keygen. Well, after you understand the key generation routine, what should you do? You should really code a keygen. I have included below the C++ source of a simple Open Sesame 3.1 keygen, written by a friend of mine and slightly edited by myself. I compiled it with Visual C++ 6.0 but it should compile on any other C++ compiler.

#include <ctype.h>  // toupper
#include <stdio.h>  // printf, fflush, fgets, getchar
#include <string.h> // strcspn

int main(void) {
      printf("========================\n");
      printf("| Open Sesame Keygen by |\n");
      printf("|        ManKind        |\n");
      printf("========================\n");
      // I want the user to input his name
      // Prompt the user
      printf("Please enter your name: ");
      fflush(stdout); // make sure the prompt is flushed from the output buffer to the screen
      // read the name into an array of characters; fgets stops at the buffer
      // size, so a very long name is truncated instead of crashing the program
      char UserName[100];
      if (fgets(UserName, sizeof UserName, stdin) == NULL) return 1;
      UserName[strcspn(UserName, "\r\n")] = '\0'; // drop the newline that fgets keeps
      // Then I want to read his name and make the substitution shown above.
      // Define the new alphabet as a lookup table with an entry for
      // each letter: Lookup[0] is A=9, Lookup[1] is B=x, ..., Lookup[25] is Z=8.
      const char Lookup[] = "9xj4t5pyc3vb2enwomi1rl7ku8";
      // Condition: there is no difference between upper case and lower case
      // letters, that means A=9 and a=9 also.
      // Eliminate invalid characters by writing the translated character
      // at a different (never later) position in the same buffer.
      char *P, *Q;
      for (P = Q = UserName; *P; ++P) {
           unsigned Index = toupper((unsigned char)*P) - 'A'; // place in lookup table
           if (Index < 26) *Q++ = Lookup[Index]; // translate A..Z only; anything else is dropped
      }
      *Q = '\0'; // terminate the translated string
      // I want to display the registration code after substitution of the user's name.
      // A name without any letter gives an empty code, which the program treats as invalid.
      if (UserName[0] == '\0')
           printf("Invalid name: it must contain at least one letter from A to Z\n");
      else
           printf("Registration Code = %s\n", UserName);
      // wait for a keypress before exiting
      printf("Press Enter to exit");
      getchar();
      return 0;
}
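
The following is an added example, not the original tutorial's code and not Open Sesame's own source. It packages the routine reversed above as a function and adds a checker that mirrors the target's accept/reject decision, so the reversed algorithm can be confirmed against the name/code pair observed in the debugger and against edge cases (mixed case and punctuation, a name with no letters, a short output buffer). The function names, the constructed name/code pairs and the assumption that the program's comparison is exact (case of the typed code matters) are mine.

```c
#include <ctype.h>   // toupper
#include <stdio.h>   // printf
#include <string.h>  // strcmp

/* Substitution alphabet recovered in Part 2: index 0 is A=9, index 25 is Z=8. */
static const char kLookup[] = "9xj4t5pyc3vb2enwomi1rl7ku8";

/* Hypothetical helper, not the program's own code: derive the registration
 * code for `name` into `out` (capacity `outsz`). Letters are case-folded and
 * translated through kLookup; every other character is dropped. Returns the
 * number of code characters written, so 0 means the name is invalid (no A-Z). */
size_t sesame_keygen(const char *name, char *out, size_t outsz) {
    size_t n = 0;
    if (outsz == 0) return 0;
    for (; *name != '\0'; ++name) {
        unsigned idx = (unsigned)toupper((unsigned char)*name) - 'A';
        if (idx >= 26) continue;            /* not a letter: contributes nothing */
        if (n + 1 >= outsz) break;          /* keep room for the terminator */
        out[n++] = kLookup[idx];
    }
    out[n] = '\0';
    return n;
}

/* Mirror of the accept/reject decision observed at the CMP in Part 1: the typed
 * code must equal the code derived from the name. Assumption (mine, not shown
 * by the tutorial): the comparison is exact, so the case of the typed code matters.
 * Returns 1 when the pair would be accepted, 0 when rejected. */
int sesame_verify(const char *name, const char *code) {
    char expect[256];
    if (sesame_keygen(name, expect, sizeof expect) == 0) return 0; /* invalid name */
    return strcmp(expect, code) == 0;
}

int main(void) {
    /* Constructed name/code pairs; the first pair is the one observed in the tutorial. */
    const char *names[] = { "Sample Copy", "sAmPlE-cOpY!", "1234 ?!" };
    const char *codes[] = { "i92wbtjnwu", "i92wbtjnwu", "2319998" };
    for (size_t i = 0; i < 3; ++i) {
        char key[256];
        size_t n = sesame_keygen(names[i], key, sizeof key);
        printf("%-14s -> %-14s typed %-10s %s\n", names[i],
               n ? key : "(invalid name)", codes[i],
               sesame_verify(names[i], codes[i]) ? "ACCEPT" : "REJECT");
    }
    return 0;
}
```

Running it prints one line per pair: 'Sample Copy' and 'sAmPlE-cOpY!' both derive to i92wbtjnwu and are accepted, while the all-digit name has no letters and is rejected whatever code is typed.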

Thanks to:+ORC, Sandman, HarvestR, tKC, ytc_, Kwai_Lo, Punisher, TORN@DO, Crackz and other crackers and individuals who provide me with their tutorials and tools.
Greetz to:HarvestR, tKC, ytc_, Kwai_Lo, Punisher, TORN@Do, CiA, Phrozen Crew, other cracking groups and all crackers.

Service for ManKind
