razzia's Tutorial on Key Generators

by Razzia

(22 August 1997)

Courtesy of fravia's page of reverse engineering

Well, another great contribution of Razzia... read and enjoy!
razzia's  Tutorial on Key Generators

							      
                          Tools!

  For tools you need a minimum of debugger like SoftIce for Windows
(hence WinIce), and a C compiler with its Dos libraries.


                         Content!

  In this tutorial I will show how to make a key-gen for Ize and
Swiftsearch. The protection that these programs use is the wellknown
Enter-Name-and-Registration-Number method. After selecting 'register',
a window pops up where you can enter your name and your registration 
number. 
  The strategy here is to find out where in memory the data you
enter is stored and then to find out what is done with it. Before
you go on make sure you configure the SoftIce dat file according to
my PWD tutorial #1. 


                Part 1: Scanline Swiftsearch 2.0!

  Swiftsearch is a useful little program that you can use to search 
on the web. I will explain step by step how to crack it.

  step 1. Start the program :) 

  step 2: Choose register from the menus. You will now get a window 
where you can enter your name and your registration number.

  step 3: Enter SoftIce (ctrl-d)

  step 4: We will now set a breakpoint on functions like GetWindowText(a)
and GetDlgItemText(a) to find out where in memory the data that we
just entered is stored.  The function that is used by this program
is GetDlgItemTexta (trial and error, just try yourself :).
  So, in SoftIce type BPX GetDlgItemTexta  and then exit SoftIce 
with the g command.

  step 5: Now type a name and a registration number  (I used razzia 
and 12345) and press OK, this will put you  back in  SoftIce. Since 
you are now inside the GetDlgItemTexta function press F11 to get out
of it.  You should see the following code:

  lea eax, [ebp-2C]           :
                Case 2 Ize 2.04 from Gadgetware
	
  Ize from Gadgetware is a cute little program that will put a pair of
eyes on your screen which will follow your mousepointer. It has a 
register function where you can enter your name and a registration
number.
  The strategy in this case is still the same : Find out where in memory 
the entered information is stored and then find out what is done with 
that information.

  Step 1:   Start Ize. Chose register and enter a name and a number. I 
used 'razzia' and '12345'.

  Step 2: Enter (CTRL-D) Softice and set a breakpoint on GetDlgItemTextA.

  Step 3:  Leave SoftIce and press OK. This will put you back in Softice. 
You will be inside the GetDlgItemTextA function. To get out of it 
press F11. You should see the following code : 

  mov esi, [esp + 0C] 
  push 00000064
  push 0040C3A0      :>10
:00404489 ret


  The above code consists of a loop that goes trough all the letters of 
the name we entered. With each letter some value is calculated, all these 
values are added up together (in EBP). Then this value is stored in EAX
and the function RETurns.
  And that was what we were looking for, we wanted to know how EAX got 
its value! 

  Step 6: Now to make a key-gen we have to translate the above method
of calculating the right reg# into a c program. It could be done in the 
following way : 
(Note : I am a bad c programmer ) 

#include	<stdio.h>
#include	<string.h>
main()
{
    char Name[100];
    int NameLength,Offset;
    unsigned long Letter,DummyA;
    unsigned long Key = 0xa4cc;
    unsigned long Number = 0;

    printf("Ize 2.04 crack by razzia\n");
    printf("Enter your name: ");
    gets(Name);
    NameLength=strlen(Name);
    for (Offset=0;Offset<NameLength;Offset=Offset+1)
        { 
         Letter=Name[Offset];
           DummyA=Key;
           DummyA=DummyA*0x15a4e35;
           DummyA=DummyA+1;
           Key=DummyA;
           DummyA=DummyA & 0x7fff0000;
           DummyA=DummyA >> 0x10;
         Letter=Letter*DummyA; 
           DummyA=Key;
           DummyA=DummyA*0x15a4e35;
           DummyA=DummyA+1;
           Key=DummyA;
           DummyA=DummyA & 0x7fff0000;
           DummyA=DummyA >> 0x10;                 
         Letter=Letter*DummyA; 
         Letter=Letter*(Offset+1);
         Number=Number+Letter;
        }         	                   
    printf("\nYour registration number is : %lu\n",Number);
}


                      Final Notes
     
  For feedback and suggestions pls contact me :)


  january 1997 - razzia
(c) razzia 1997. All rights reserved
You are deep inside fravia's page of reverse engineering, choose your way out:

homepage links red anonymity +ORC students' essays academy database
tools cocktails antismut CGI-scripts search_forms mail_fravia
Is reverse engineering illegal?
raZZia