New 2 Cracking
~~~~~~~~~~~~~~

Tutorial Type  : Essay
Tutorial Topic : How To Turn a Program into its own keygen (Keygen Injection over Strings)
Utilities      : Debugger (whatever you like..)/W32Dasm/Hex Editor/Digi-Watcher 1.32
Music          : Silence, any Version will do (even if it's real silence ;])
Written by     : ParaBytes
Date           : Nov. 23rd, 2001
Remarks        : Digi-Watcher is available at www.Digi-Watcher.com

 Intro :
\_______/

Well, I wanted to write something about nag patching, so I took this program.
I remember that when I cracked Watcher 1.1 (I was the 1st :))
I did a patch that covered all the routines: nags, serial, limit.
So I downloaded this version and started cracking, well...
I couldn't find that stuff anymore, so I said, hey, let's keygen it or something..
but I got a better idea !
keygen injection...

Let's make clear what keygen injection is.
k.i. (it's shorter, I'll use it in the rest: k.i. = keygen injection) is making
a program the keygen of itself, so when you insert a bad reg code you get
the real code instead of a 'register code is bad' error...

Start Here (if you read the intro before...)
~~~~~~~~~~

Let's wave ;p

Well, this is the start..
Let's run the exe first...
hmmm, nag screen ?
machine ID ??
oh my !
Let's insert some code, like 'ParaBytes0wnzDigiWatcher4Life', and click register.
hmmm, error message; write it down and close the program...
(there are two errors, one for a too-short serial and one for a bad serial, we'll get to that later)
Let's load the exe into W32Dasm and look in the String References for our message.
hey, I see "Thank you!",
well, if they knew me they wouldn't thank me so much, but they don't...
Let's click on it and go to the place of that string.
wow, under this string we see a whole thanks-for-registering message, we are in the right place...

Let's go up.
hmmm, a conditional jump from a nearby offset; scroll up to that offset, hmmm, "register code is wrong" ?

ok, we are really in the right place...

So, above the conditional jump (at 004245F6) we see a
reference to strncmp, well,
Str is string,
Cmp is compare,
(the n means it only compares up to a given number of chars, so only that many chars of the serial count)
that means we are dealing with a string comparison, and right after it we get the
error message ??
hmm, (m*c^2=E ;p)
that means we found the place where the serials are probably compared.
Load this file into your favourite debugger (SoftICE/W32Dasm/OllyDbg/TRW2000/Etc...)
and set a bpx on the offset just before the call (004245E6).
Run the file, enter the serial you want (a fake one..)
and click register (now, if it broke, go on to the next step, Understanding; if not, read the detour below).

  (detour, if you got no break :)
  hmmm... Re-Enter my code ??
  no break ??
  well, it must be because we entered a serial that doesn't meet the conditions;
  it might have to be only hex digits, or only numbers, we don't know.
  Let's look for the Re-Enter string in W32Dasm, and what do we find just above this
  string ? cmp ecx,1B --> jnb checkserials
  1B hex is 27, and jnb (jump if not below, an unsigned compare) jumps when ecx >= 27,
  so the code has to be at least 27 chars, i.e. longer than 26. Let's remember this for now.
  Re-enter a 27 char code, and now it breaks !

Understanding the part of the K.I.
----------------------------------

What the program is doing is :

push serial1     <-- push the address of the 1st (usually the good) serial on the stack
push serial2     <-- push the address of the 2nd (usually our fake) serial
Call StrCmp      <-- call the compare (there are lots of StrCmp's; strncmp also gets a length pushed)
test al,al       <-- if they are equal, the return value is 0
je goodBoy       <-- if zero, good boy !

and the message is a MessageBoxA, it works like this (the args are pushed right to left) :

push buttons     <-- set the buttons (0 is just an OK box)
push caption     <-- set the messagebox caption
push text        <-- set the text inside the messagebox
push hWnd        <-- the owner window, usually 0 as well
call MessageBoxA <-- the call

So, what we should do is: in the badboy message, replace the message text with
the location of the real serial, and re-edit the caption to something like
'This is your real key :'.
Why this works: the badboy box is only shown after the compare, so by then the
buffer at serial1 already holds the real code, whether it's a fixed string or
something the program computed from the machine ID.

And so the badboy message will look like this :

push 0           <-- set the OK button
push Caption     <-- set our changed caption
push serial1     <-- push the real serial (the same address the StrCmp used)
push 0           <-- hWnd
Call MessageBoxA <-- execute the message

ok...
lets get patching...

Open the hex editor, go to the string check location and copy the bytes of

push serial1

in our code it's :

push 00490720

which is 68 20 07 49 00 (68 = push imm32, then the address as a little-endian dword, lowest byte first).
So copy those 5 bytes and go to the

push text

in our code it's :

push 00442660   (68 60 26 44 00)

Replace the push text with the push serial: the opcode stays 68, only the 4 address bytes
change, so the instruction keeps its length and nothing after it moves.
Now seek the caption ( "Registration Error" )
and change it to what you like (I did "This is your real key :")
and MAKE SURE YOU USE THE SAME NUMBER OF LETTERS. IF YOU USE LESS, FILL WITH SPACES;
IF YOU USE MORE YOU OVERWRITE THE NUL TERMINATOR AND WHATEVER DATA FOLLOWS IT, AND THE
PROGRAM WILL CRASH OR SHOW GARBAGE. Count the original string first.

Save, run, press register, and ?

ohh damn ! the check for the length. Write down this error, re-open in W32Dasm,
look for this string, right above it we see the
jnb goodLength

Let's change it to jmp. Open the hex editor and go to this code location,
you'll see 73 16: 73 is jnb (short), change it to EB 16 and it's an unconditional jmp.
The 16 is the jump distance from the next instruction; it stays the same, so the jump
still lands at goodLength.
Save, run, tada !
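As an added example (not from the original tutorial and not Digi-Watcher's own code), here is a small Python patcher that performs the three edits above (push text -> push serial1, caption rewritten at the same length, jnb -> jmp) on a constructed stand-in buffer. Only the opcodes and the two addresses quoted above (00490720 and 00442660) come from the tutorial; the buffer layout, the offsets inside it and the sample caption are made up for the example. It also covers the push/jump layout from the Understanding section: it encodes a push imm32 and computes where a 73 xx / EB xx short jump lands, which is why the xx byte is kept. The constructed caption is 18 bytes, so the example uses a caption that fits in that; with a real target, count the real caption first.

```python
"""Keygen-injection patcher: the three byte edits from the tutorial, applied
to a constructed stand-in buffer. Added example; only the opcodes and the two
addresses (00490720 / 00442660) come from the tutorial, the buffer layout and
the offsets inside it are assumed here."""
import struct

PUSH_IMM32 = 0x68    # push imm32
JNB_SHORT = 0x73     # jnb/jae rel8
JMP_SHORT = 0xEB     # jmp rel8

REAL_SERIAL_ADDR = 0x00490720   # operand of "push serial1" in the tutorial
ERROR_TEXT_ADDR = 0x00442660    # operand of "push text" in the bad-boy MessageBoxA

# Offsets inside the constructed buffer below (assumed, not real file offsets).
OFF_CMP = 0x00        # cmp ecx,1B          -> 83 F9 1B
OFF_JNB = 0x03        # jnb goodLength      -> 73 16
OFF_PUSH_TEXT = 0x20  # push 00442660       -> 68 60 26 44 00
OFF_CAPTION = 0x40    # "Registration Error\0"


def encode_push_imm32(addr: int) -> bytes:
    """68 followed by the address as a little-endian dword:
    push 00490720 -> 68 20 07 49 00."""
    return bytes([PUSH_IMM32]) + struct.pack("<I", addr)


def short_jump_target(ins_addr: int, rel8: int) -> int:
    """Where a 2-byte short jump (73 xx or EB xx) lands: address of the next
    instruction plus the signed 8-bit displacement. Keeping xx when changing
    73 to EB therefore keeps the target."""
    disp = rel8 - 0x100 if rel8 >= 0x80 else rel8
    return ins_addr + 2 + disp


def patch_push_operand(img: bytearray, off: int, new_addr: int) -> None:
    """Retarget an existing push imm32; opcode and length are untouched."""
    if img[off] != PUSH_IMM32:
        raise ValueError(f"no push imm32 at {off:#x}, found {img[off]:#04x}")
    img[off + 1:off + 5] = struct.pack("<I", new_addr)


def jcc_to_jmp(img: bytearray, off: int) -> int:
    """jnb rel8 (73 xx) -> jmp rel8 (EB xx). Returns the untouched rel8."""
    if img[off] != JNB_SHORT:
        raise ValueError(f"no jnb short at {off:#x}, found {img[off]:#04x}")
    img[off] = JMP_SHORT
    return img[off + 1]


def overwrite_cstring(img: bytearray, off: int, new_text: str) -> int:
    """Replace a NUL-terminated string in place. The new text must fit in the
    original's length; shorter text is space padded so the terminator and
    whatever follows it are never touched. Returns the available room."""
    end = img.index(b"\x00", off)
    room = end - off
    data = new_text.encode("ascii")
    if len(data) > room:
        raise ValueError(f"{len(data)} bytes do not fit in {room}, would clobber the terminator")
    img[off:end] = data.ljust(room, b" ")
    return room


def build_sample_image() -> bytearray:
    """Constructed stand-in for the bytes the hex editor shows (filler is NOPs)."""
    img = bytearray(b"\x90" * 0x60)
    img[OFF_CMP:OFF_CMP + 5] = bytes.fromhex("83F91B7316")          # cmp ecx,1B ; jnb +16h
    img[OFF_PUSH_TEXT:OFF_PUSH_TEXT + 5] = encode_push_imm32(ERROR_TEXT_ADDR)
    caption = b"Registration Error\x00"
    img[OFF_CAPTION:OFF_CAPTION + len(caption)] = caption
    return img


def apply_keygen_injection(img: bytearray, caption: str = "Your real key is:") -> dict:
    """The tutorial's three edits, in the order it does them."""
    patch_push_operand(img, OFF_PUSH_TEXT, REAL_SERIAL_ADDR)  # push text -> push serial1
    room = overwrite_cstring(img, OFF_CAPTION, caption)       # caption, same length
    rel8 = jcc_to_jmp(img, OFF_JNB)                           # jnb -> jmp: skip the length check
    return {"rel8": rel8, "caption_room": room}


if __name__ == "__main__":
    image = build_sample_image()
    print("before:", image[:0x50].hex(" "))
    print(apply_keygen_injection(image))
    print("after: ", image[:0x50].hex(" "))
```

Each patch checks the opcode it expects before writing, which is the one habit that saves you from hex-editing the wrong offset; and overwrite_cstring refuses a caption that would run past the terminator instead of silently corrupting the next string.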

 Ending :
+--------+

We learnt today that k.i. over strcmp is not hard, at least with this basic program :)
we just need to swap a push and edit a string, that's all :))

Greetingz :
~~~~~~~~~~~

tKC, your tutorial of k.i. on Delphi made me realise how easy this whole k.i. thing is
Invoker, thanks for being such a good friend.
shockz, for being an excellent student and nagging me until you understood the WinZip tut
Anvile, DarkMoon, Invoker, d4d0, ChibiHime, PhANt0m, the current and past N2C staff,
you 0wnz !
all the people who helped me, irl and virtually, ThE-SAiNT, I really appreciate your help..
thanks to all the newbies I ever met, they made me realise that you're on your 0wn, and I started
to be a teacher
iNSiGHT, Embrace, Digital Reality ppl, new sk00l and 0ld sk00l, tnx all, without you I'd never
have made it in cracking...
tnx to everyone who helps newbies, love ya all
and of course, whoever publishes this tut, reads this tut and learns from it...

love ya,
ParaBytes.

Contact me :
~~~~~~~~~~~~
E-Mail : Lewsers@Hotmail.com
IRC    : EFNet - #New2Cracking
Here ;p

ParaBytes.
