Jasakom Community
It started when I was reading a magazine I bought along with a new computer. In it I found a passage roughly as follows: "How is it possible that the code and algorithms, which are supposed to be highly confidential to the maker of an application, can be worked out by keygen writers (crackers)?" (PCMedia edition 06/2006). Some people might be puzzled looking for the answer; there are three likely reasons why we get confused answering the question above:
1. The algorithms created by the software makers are confidential, and it is not as if the maker visits the cracker at home to tell him about the new algorithm he created.
2. The application made by the maker is very valuable, so surely the maker will protect the application so that it is not easily pirated.
3. The asker has never looked at the underworld (underground community) like this Jasakom :-P
Let me answer this question through this article.
What is a Key Generator (keygen)?
Actually, this question doesn't need answering, because I'm sure that 98% of computer users in Indonesia, which ranks in the Top 5 for software piracy in Asia or maybe even the world, have at some point seen, used, or felt the thing called a keygen!
All right, rather than ramble on, let's begin our cracking tutorial.
Cracking Start
Before we start I must apologise to Khaled Mardam-Bey, because I will use his application for our experiment this time. For this example I will simply make the mIRC application the victim.
The tools we will use for our cracking are:
1. W32Dasm (Wind*ws 32 Disassembler).
2. The Wind*ws Calculator.
3. Cheat Engine (I use version 4.4). I don't use SoftICE because I could not get it patched for XP. To download Cheat Engine: http://www.heijnen1.demon.nl/
4. The target application: the latest mIRC version right now is 6.16. <- Khaled, I'm sorry for this.
5. UltraEdit (if necessary).
6. Chocolate wafers (I love chocolate) :-)
Actually Cheat Engine is an application for cheating in games, made by dark_byte, but I misuse it for cracking... he.he. The application itself has a remarkable advantage not shared by other debugger programs, namely stealth for getting around anti-debug protection systems. Even cooler, this tool can bypass the password on some security applications (the author has broken into a few computers in the apartment that use a password lock using this tool :-P).
Okay, let's start.
Install mIRC v6.16, W32Dasm and Cheat Engine (everything except the calculator). After the installation is complete, run mIRC; you will see a nag window (nag screen) indicating that the application is still a 30-day trial version and that you are expected to buy it. Click "Continue". In the "mIRC Options" window click "Cancel". Click "Help > Register". Now you see a window containing two text boxes, one for the user name and one for the serial number. Enter the name "4NVIe" in "Full Name" and enter "12345" in "Registration Code". Click OK or press Enter. What happens?
"The registration name and number you have entered are not valid. Please make sure you are entering… blah.. blah.. blah.."
This message appears, accompanied by a red X symbol. Hiks. Relax, don't worry. Now run Cheat Engine. A window like this will appear:
Click the computer image in the top-left corner; after the process list window appears, look for a process called "mirc.exe".
After Cheat Engine has attached to the 'mirc.exe' process, our next step is to debug it by clicking "Memory view" in Cheat Engine. Behold, the following window:
Click the menu View > Enumerate DLL's and symbols; some symbols from the Wind*ws-owned "Dynamic Link Libraries" (DLLs) appear. Click on "USER32" and search for the function "GetWindowTextA"; he.. he.., this is a bit hard because the list is not in alphabetical order (a shortcoming of Cheat Engine). After you find it, double-click the function and click "Close". Memory Viewer now shows the address of that function. Press F5 to set a breakpoint, then click OK on mIRC's registration window: failed! We try again with another function, "GetDlgItemTextA": first remove the breakpoint on the first function by pressing F5, search again (ugh), and after setting the breakpoint on the second function, fill in the name and serial number and press the OK button in mIRC again. Failed again! Damn! Because we have failed so many times, we run W32Dasm, click the Disassembler menu > Open File to Disassemble… and locate the mirc.exe file in the directory where you installed mIRC. After the loading process completes, click "Search > Find Text"; in the Find window fill in the text Register… without quotation marks (I found this string in the body of the exe when I looked at it with UltraEdit). Click "Find Next" 3 times, then press "Page Up" 8 times, so that this appears:
:004C764C 8D94240C010000   lea edx, dword ptr [esp+0000010C]
:004C7653 8D4C2408         lea ecx, dword ptr [esp+08]
:004C7657 E8A4FDFFFF       call 004C7400
:004C765C 85C0             test eax, eax
:004C765E 740E             je 004C766E
lea edx, dword ptr [esp+0000010C]: this loads the address of the serial number we entered into the EDX register.
lea ecx, dword ptr [esp+08]: this one loads the address of our name into the ECX register.
call 004C7400: aha! This call computes over the name and number we entered and leaves the result as the return value in the EAX register: if the name/serial number is valid, EAX will be 1; if it is not valid, EAX will be 0 (zero).
test eax, eax: checks whether EAX is 0 or 1.
je 004C766E: if EAX = 0 then jump. We could get past this jump by NOPing it, but doing that changes the CRC of the executable (a crude crack), which is not good, especially if the application we crack is equipped with a CRC protection system, in which case the program will not run if the CRC changes; or perhaps we could not update later because we don't have a serial number. So we take the gentle route and just make a keygen.
Continue! Look at the address 004C7657. Now that we know where the name and serial check is, we move back to Cheat Engine; in the "Memory Viewer" window right-click the first column,
In the popup menu click "Go to address". In the "Go to address" window enter the address we obtained, "004C7657" (without the quotes), and click "OK"; it will look like this:
Now set a breakpoint at address 004C7657 by pressing F5. Switch to mIRC, enter the name and serial number, click "OK". The process stops. Return to Cheat Engine, trace into the call 004c7400 procedure by pressing F7, and once inside trace over by pressing F8 until you see:
lea esi, [eax+10]   ; load the effective address of the serial number we entered into ESI
mov dl, [eax]       ; load one character of the serial number into DL
inc eax             ; eax = eax + 1
test dl, dl         ; have we run out of characters?
jne 004c7518        ; if not, jump to 004c7518 (loop)
sub eax, esi        ; eax = eax - esi; the result is the number of characters in the serial number we entered, the same as VB's Len(ESI)
cmp eax, ecx        ; is the number of characters
jae 004c7532        ; above or equal to 4? if yes, jump to 004c7532
Once we have traced over to here, go to address 004c7532 by pressing F7. After entering it we will see the following code:
mov ebx, [esp+10]   ; load the effective address of the serial number into EBX. If you don't believe it, trace so that this instruction executes first, then right-click the lower pane, choose "Goto address" from the popup menu, type ebx (no quotes) and press Enter; it will show the serial number we entered earlier.
push 2d             ; push 2D onto the stack (hex 2D = decimal 45 = the character "-")
push ebx            ; push the value of EBX onto the stack
call 00570260       ; routine that checks whether there is a "-" character in our serial number

Oops! Apparently there must be a "-" in the serial number. Might the serial format be something like "12345-12345"? Okay, since there has to be a "-" in the serial number, we have to redo the serial number input in that format. Set a breakpoint at address 004C7539 so I don't have to trace all over again (press F5), press F9 twice until the rejection dialog box appears, fill in "Full Name" with 4Nvie (no quotes) and "Registration Code" with 12345-12345 (no quotes), press Enter; the process stops; back in Cheat Engine, press F9.

mov esi, eax
add esp, 08
test esi, esi
je 004c7525

Once this code has executed, the ESI register contains the address of the "-" character in the serial number we entered earlier.

push ebx                 ; push the value of EBX onto the stack
mov byte ptr [esi], 00   ; replace the "-" character with a null byte
call 00570543            ; this routine takes care of our first serial part
add esp, 04
mov byte ptr [esi], 2d   ; put the "-" character back
inc esi                  ; esi = esi + 1
mov ebp, eax
cmp byte ptr [esi], 00   ; is ESI pointing at the end of the serial?
je 004c7525              ; if yes, jump to 004c7525
push esi                 ; push the value of ESI onto the stack
call 00570543            ; not important
mov ecx, edi             ; EDI contains our name
add esp, 04
mov [esp+10], eax
lea edx, [ecx+01]
mov al, [ecx]            ; load one character of our name into AL
inc ecx                  ; ecx = ecx + 1
test al, al              ; is al = 0?
jne 004c7570             ; if not, loop!
sub ecx, edx             ; ecx = ecx - edx; ECX now holds the number of characters in our name
mov esi, 00000003        ; esi = 3
xor edx, edx             ; clear EDX
xor ebx, ebx             ; clear EBX
cmp ecx, esi             ; is the number of characters in our name
jle 004c75a8             ; less than or equal to 3 (Len(name) <= 3)? if yes, jump!

Because our name has more than 3 characters, this jump is not taken. Keep tracing (don't forget: F7 or F8); at jmp 004c7590 we take a short jump. After the jump we land on the following code:

movzx eax, byte ptr [esi+edi]     ; load one character into EAX
imul eax, [esp+edx*4+14]          ; multiply EAX by .... (maybe an array?)

Let's look at that address on the stack: is there a magic value there? I right-click the lower right-hand pane, select "Goto address", type esp+edx*4+14 (no quotes) and press Enter. Jreng!
He.. he.. he.., it turns out I was right; look at the picture above, it is an array! It contains the magic numbers. Well, now we need Bill's calculator to convert the hexadecimal values to decimal values (Bill, lend me your calculator!). In the calculator click the "View > Scientific" menu, select the "Hex" radio button, enter the magic value and switch the radio button to "Dec"; then we know the decimal value. The hex to dec conversion of the array above is:
Index       :  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20
Hexadecimal : 06 11 0C 0B 0C 0E 05 0C 10 0B 0A 0B 06 0E 0E 04 06 0E 0E 04
Decimal     : 11  6 17 12 12  5 12 16 10 14 11 14  4 11  6 14  6 14 14  4

Index       : 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39
Hexadecimal : 0C 09 0B 0A 0B 0A 0A 08 10 08 04 06 0A 0A 0C 10 08 04 10
Decimal     : 11  9 12 11  8 10 10 16 10  4  8  6 10 12 16 08 10  4 16
It turns out there are 39 magic numbers in the array summarised in the table. So the instruction imul eax, [esp+edx*4+14] corresponds to this VB expression:
    Asc(Mid$(ESI, X, 1)) * NomorAjaib(EDX)
He.. he.. he.. The algorithm is simple, isn't it? Okay, eat some chocolate first... ah. Up to here I have seen a bright spot. Continue!

add ebx, eax        ; add the multiplication result in EAX to EBX
inc edx             ; EDX is the counter
cmp edx, 26         ; has it gone round 38 times? (really 38, not 39? yes, because the array is read starting from 0)
jle 004c75a3        ; if less than or equal to 38, jump!
xor edx, edx        ; but if it is already past 38, set EDX back to 0 (back to the first magic number)
inc esi             ; add 1 to ESI (next character)
cmp esi, ecx        ; have we run out of characters?
jnge 004c7590       ; if not, go back again (loop until the characters are exhausted)

Well, by now we surely understand the purpose of the code above, so an illustration goes roughly like this:
Name -> split the serial into two parts in the 00000-00000 format -> compute the first part -> compute the second part -> compare the serial number we entered with the result of the computation in EBX -> conclusion (valid/invalid code).
Well, now we make the key generator. What shall we make it with? Relax, don't panic, I'm not going to make it in Assembly; we'll just make it in VB, which is easy. Yup! Let's start.
Prepare one TextBox and one CommandButton, then type the following source code:
CUT HERE -------------------[ ]--------------------------------------------------
Option Explicit

Private Sub Command1_Click()
    Dim NomorAjaib(38) As Long
    Dim EDX As Long, EAX As Long
    Dim Bagian1 As Long, Bagian2 As Long
    Dim X As Long

    ' fill the magic numbers into the array
    NomorAjaib(0) = 11: NomorAjaib(1) = 6: NomorAjaib(2) = 17: NomorAjaib(3) = 12
    NomorAjaib(4) = 12: NomorAjaib(5) = 14: NomorAjaib(6) = 5: NomorAjaib(7) = 12
    NomorAjaib(8) = 16: NomorAjaib(9) = 10: NomorAjaib(10) = 11: NomorAjaib(11) = 6
    NomorAjaib(12) = 14: NomorAjaib(13) = 14: NomorAjaib(14) = 4: NomorAjaib(15) = 11
    NomorAjaib(16) = 6: NomorAjaib(17) = 14: NomorAjaib(18) = 14: NomorAjaib(19) = 4
    NomorAjaib(20) = 11: NomorAjaib(21) = 9: NomorAjaib(22) = 12: NomorAjaib(23) = 11
    NomorAjaib(24) = 10: NomorAjaib(25) = 8: NomorAjaib(26) = 10: NomorAjaib(27) = 10
    NomorAjaib(28) = 16: NomorAjaib(29) = 8: NomorAjaib(30) = 4: NomorAjaib(31) = 6
    NomorAjaib(32) = 10: NomorAjaib(33) = 12: NomorAjaib(34) = 16: NomorAjaib(35) = 8
    NomorAjaib(36) = 10: NomorAjaib(37) = 4: NomorAjaib(38) = 16

    ' the name must be at least 4 characters
    If Len(Text1.Text) < 4 Then
        MsgBox "Name at least 4 characters!"
        Text1.SetFocus
        Exit Sub
    End If

    EDX = 0 ' xor edx, edx
    ' create the first part of the serial number first
    For X = 4 To Len(Text1.Text)
        EAX = Asc(Mid$(Text1.Text, X, 1)) * NomorAjaib(EDX)
        Bagian1 = Bagian1 + EAX
        EDX = EDX + 1
        If EDX > 38 Then EDX = 0
    Next X

    EDX = 0
    EAX = 0
    ' for the second part of the serial number
    For X = 4 To Len(Text1.Text)
        EAX = Asc(Mid$(Text1.Text, X - 1, 1)) * Asc(Mid$(Text1.Text, X, 1))
        Bagian2 = Bagian2 + EAX * NomorAjaib(EDX)
        EDX = EDX + 1
        If EDX > 38 Then EDX = 0
    Next X

    ' show the result of the calculation in a MsgBox
    MsgBox "Number serial loe: " & Trim$(Str$(Bagian1)) & "-" & Trim$(Str$(Bagian2)), , "mIRC 6.16 KEYGEN"
End Sub
EOF -------------------[ ]-------------------------------------------------------
After compiling, try running it and enter a name; then enter your name and the serial number in mIRC's "Registration" window, click "OK" and ...
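The illustration above (name split into two parts, each part a weighted sum compared against what the user typed) and the VB keygen that follows from it make one security point for developers, the point the last words of this article ask for: a check that carries its own weight table inside the binary is also a generator, because nothing in it is secret. The Python below is an added example, not the article's code and not mIRC's own code; `WEIGHTS` is a short constructed stand-in for the table (it only mirrors the shape of the scheme, not mIRC's values), and the RSA primes in the hardened half are constructed, demo-sized numbers chosen so the block runs with the standard library alone (not a secure key size). `serial_from_name`, `weak_check`, `issue_license` and `verify_license` are names chosen here.

```python
"""Added example: a self-contained serial check is its own keygen; the
signed-license pattern removes the generator from the shipped program.
All values are constructed; this is neither the article's VB nor mIRC code."""
import hashlib

# Constructed stand-in for the weight table the article reads out of the binary.
# Whatever table ships inside the verifier is readable by anyone holding it.
WEIGHTS = [11, 6, 17, 12, 12]
MIN_NAME_LEN = 4


def _parts(name):
    """Compute both halves of the serial exactly the way the verifier would.

    Same shape as the scheme described in the article: characters from the
    4th onward, each weighted by a table entry that wraps around, plus a
    second sum over products of adjacent characters.  Table is constructed.
    """
    if len(name) < MIN_NAME_LEN:
        raise ValueError("name must be at least 4 characters")
    part1 = part2 = 0
    for i in range(3, len(name)):
        w = WEIGHTS[(i - 3) % len(WEIGHTS)]
        part1 += ord(name[i]) * w
        part2 += ord(name[i - 1]) * ord(name[i]) * w
    return part1, part2


def weak_check(name, serial):
    """The verifier as a program would contain it: split on '-' and compare."""
    if "-" not in serial:
        return False
    left, _, right = serial.partition("-")
    if not (left.isdigit() and right.isdigit()):
        return False
    try:
        return (int(left), int(right)) == _parts(name)
    except ValueError:
        return False


def serial_from_name(name):
    """The 'keygen': nothing new is needed, the check already computes the answer."""
    part1, part2 = _parts(name)
    return "%d-%d" % (part1, part2)


# --- Hardened pattern: the license code is a signature over the name and the
# program holds only the public key.  Textbook RSA with constructed demo-sized
# primes so this runs with the standard library; a real product uses a proper
# library and key size (e.g. Ed25519), but the separation of roles is the same.
_P, _Q = 1000000007, 998244353            # constructed demo primes, NOT secure
PUBLIC_N = _P * _Q
PUBLIC_E = 65537
_PRIVATE_D = pow(PUBLIC_E, -1, (_P - 1) * (_Q - 1))   # vendor side only


def _digest(name):
    """Hash the name into the RSA group; both sides compute this the same way."""
    return int.from_bytes(hashlib.sha256(name.encode("utf-8")).digest(), "big") % PUBLIC_N


def issue_license(name):
    """Vendor side: needs _PRIVATE_D, which never ships in the product."""
    return format(pow(_digest(name), _PRIVATE_D, PUBLIC_N), "x")


def verify_license(name, code):
    """Product side: only PUBLIC_N and PUBLIC_E are needed.  Reading this
    function out of the binary yields nothing that can issue new codes."""
    try:
        sig = int(code, 16)
    except ValueError:
        return False
    if not 0 < sig < PUBLIC_N:
        return False
    return pow(sig, PUBLIC_E, PUBLIC_N) == _digest(name)


if __name__ == "__main__":
    name = "4NVIe"
    s = serial_from_name(name)
    print(name, "weak serial:", s, "->", weak_check(name, s))
    code = issue_license(name)
    print(name, "signed code:", code, "->", verify_license(name, code),
          "| wrong name ->", verify_license("4NVIf", code))
```

The contrast to take away is where the secret lives: in the weak scheme the table is the secret and it sits in the program, so disassembling the check (as the article does) is equivalent to obtaining the generator; in the signed scheme the secret is `_PRIVATE_D`, and the check in the program can be read, traced and copied without giving anyone the ability to issue a code for a new name. A patched jump (the "NOP" route the article rejects) still defeats a signature check locally, which is why signatures are paired with integrity checks rather than relied on alone.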
Huaaahm… The clock shows 3:30; finally this article is done. By the way, this is how I find the protection algorithm of an application or piece of software without needing to peek at or request the source code from the developers!
Last words
This is for educational purposes only; therefore the author is not responsible if this knowledge is misused for harmful things. Hopefully, with this article, software developers will be more careful and pay more attention to the security of their applications.