Original URL: http://krobar.yates2k.net/other/key11.htm
Title : 12Ghosts Universal Keygen With C Source
Author : Kwai_Lo
Date Written : 12-13-98
Level : Intermediate (Not For Newbies)
Url : http://www.12ghosts.com
Tools needed : - SoftICE 2.0 And Above
- W32Dasm 8.9 (any version will do)
*****************************************************************************
12 Ghosts Universal Keygen By Kwai_Lo
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ello, This Is My First Tut I Have Written. Mind Me For My Bad English And
Grammatical Errors. Why I Called It Universal Keygen: Itz Because It Calc's A
Valid Serial That Registers All Of The 12ghosts.com Software At 1 Go. So
Let's Start With Our Keygen. We Get The Program From 12ghosts.com And We
Install It. I Got Pact ShutDown 1.99b. Ok Now Run The Program. U Will See A
Screen With A Licence Agreement. Now We Click On Enter Registration Code. We
Now See A Place To Put The Name And Serial. I Will Use Kwai_Lo For Name And
9999999999 For Serial.
Now We Do Sum Tracing In S-ice. Put A Bpx On GetDlgItemTextA. Now Press F5.
We R Now Back In Windows. Click OK And We Will Be Kicked Back Into S-ice.
Hit F11 To Return To Where It Was Called From, Then Trace Until 4037D5. Here's A
Snippet Of The Code
* Reference To: USER32.GetDlgItemInt, Ord:00F4h <------ U Land Here
|
:0040378E FF156CF44000 Call dword ptr [0040F46C]
:00403794 894510 mov dword ptr [ebp+10], eax
:00403797 8D8504FDFFFF lea eax, dword ptr [ebp+FFFFFD04]
* Possible StringData Ref from Data Obj ->"RegName"
|
:0040379D BF70AB4000 mov edi, 0040AB70
:004037A2 50 push eax
:004037A3 BE01000080 mov esi, 80000001
:004037A8 57 push edi
:004037A9 56 push esi
:004037AA E8AEF1FFFF call 0040295D <-- Checks Sumptin
:004037AF 83C40C add esp, 0000000C
:004037B2 395D10 cmp dword ptr [ebp+10], ebx
:004037B5 7611 jbe 004037C8
:004037B7 FF7510 push [ebp+10]
* Possible StringData Ref from Data Obj ->"RegNumber"
|
:004037BA 6864AB4000 push 0040AB64
:004037BF 56 push esi
:004037C0 E8B5F2FFFF call 00402A7A <-- Checks Sumptin Else
:004037C5 83C40C add esp, 0000000C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004037B5(C)
|
:004037C8 53 push ebx
:004037C9 891D10DA4000 mov dword ptr [0040DA10], ebx
:004037CF 891D00DA4000 mov dword ptr [0040DA00], ebx
:004037D5 E8B4F3FFFF call 00402B8E <-- Ok We Step Into Here
:004037DA 85C0 test eax, eax
:004037DC 59 pop ecx
:004037DD 0F840C010000 je 004038EF
:004037E3 391D10DA4000 cmp dword ptr [0040DA10], ebx
:004037E9 0F84B0000000 je 0040389F
:004037EF 8D45FC lea eax, dword ptr [ebp-04]
:004037F2 C745FC04010000 mov [ebp-04], 00000104
..................
..................
This Is Just The Beginning. Once We Step Into The Call, We Gotta Trace A Ton.
Here's The Continuation
Referenced by a CALL at Addresses:
|:004037D5 , :00403CB2
|
:00402B8E 55 push ebp <-- We Land Here, Keep Tracing, F10
..............
..............
..............
:00402BB8 744D je 00402C07
* Reference To: KERNEL32.lstrlenA, Ord:02A1h
|
................
................
* Reference To: KERNEL32.IsBadWritePtr, Ord:0186h
|
..................
..................
* Reference To: KERNEL32.lstrcpyA, Ord:029Bh
|
:00402BF2 FF1538F34000 Call dword ptr [0040F338]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402BD4(C), :00402BEC(C)
|
.................
.................
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402BB8(C)
|
:00402C07 6A64 push 00000064
* Reference To: KERNEL32.Sleep, Ord:023Fh
|
:00402C09 FF1528F34000 Call dword ptr [0040F328]
:00402C0F 8D85F0FEFFFF lea eax, dword ptr [ebp+FFFFFEF0]
* Possible StringData Ref from Data Obj ->"RegName"
|
...................
...................
:00402C38 E887FCFFFF call 004028C4 <-- Call ,Not Important
:00402C3D 83C40C add esp, 0000000C
:00402C40 85C0 test eax, eax
:00402C42 0F84D2000000 je 00402D1A
* Possible StringData Ref from Data Obj ->"RegNumber"
|
:00402C48 6864AB4000 push 0040AB64
:00402C4D 56 push esi
:00402C4E E8B0FDFFFF call 00402A03
:00402C53 59 pop ecx
:00402C54 83F8FF cmp eax, FFFFFFFF
:00402C57 59 pop ecx
:00402C58 8945FC mov dword ptr [ebp-04], eax
:00402C5B 0F84B9000000 je 00402D1A
:00402C61 8D85F0FEFFFF lea eax, dword ptr [ebp+FFFFFEF0]
:00402C67 C70504DA4000D469C4FC mov dword ptr [0040DA04], FCC469D4
:00402C71 50 push eax
:00402C72 C70508DA400059B34BFC mov dword ptr [0040DA08], FC4BB359
:00402C7C C7050CDA400013D88B73 mov dword ptr [0040DA0C], 738BD813
:00402C86 E89E010000 call 00402E29 <-- Ok This Gens A Serial For Each Prog, We R Going For A Uni Keygen, So Trace On
:00402C8B 3BC3 cmp eax, ebx
:00402C8D 59 pop ecx
:00402C8E 0F8486000000 je 00402D1A
:00402C94 3B45FC cmp eax, dword ptr [ebp-04]
:00402C97 7549 jne 00402CE2
:00402C99 395D08 cmp dword ptr [ebp+08], ebx
* Reference To: KERNEL32.lstrcpyA, Ord:029Bh
|
...............
...............
* Reference To: KERNEL32.lstrlenA, Ord:02A1h
|
..............
..............
* Reference To: KERNEL32.IsBadWritePtr, Ord:0186h
|
..............
..............
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402CA2(C), :00402CBE(C)
|
............
............
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402C02(U)
|
.................
.................
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402C97(C)
|
:00402CE2 8D85F0FEFFFF lea eax, dword ptr [ebp+FFFFFEF0]
:00402CE8 C70504DA4000D63332CC mov dword ptr [0040DA04], CC3233D6 <-- Special Buffer
:00402CF2 50 push eax
:00402CF3 C70508DA4000F98EE9D1 mov dword ptr [0040DA08], D1E98EF9 <-- Special Buffer 2
:00402CFD C7050CDA400083E9FB4E mov dword ptr [0040DA0C], 4EFBE983 <-- Special Buffer 3
:00402D07 E81D010000 call 00402E29 <-- This Is Where It Calc The Uni Key Worth $200+, Ya Can Serial Fish The Serial Here Or Step Into Call 00402E29
:00402D0C 3BC3 cmp eax, ebx
:00402D0E 59 pop ecx
:00402D0F 7409 je 00402D1A
:00402D11 3B45FC cmp eax, dword ptr [ebp-04]
:00402D14 0F84B0000000 je 00402DCA
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402C42(C), :00402C5B(C), :00402C8E(C), :00402D0F(C)
|
..............
..............
..............
..............
Ok Now Here's The Snippet Of Call 00402E29 Where It Calc's The Uni Key.
It Is Kinda Long, Tracing Will Take Sum Time.
* Referenced by a CALL at Addresses:
|:00402C86 , :00402D07 , :00402DBB
|
.............
.............
* Reference To: KERNEL32.Sleep, Ord:023Fh
|
...........
...........
* Reference To: KERNEL32.IsBadReadPtr, Ord:0183h
|
...........
...........
* Reference To: KERNEL32.lstrlenA, Ord:02A1h
|
...........
...........
* Reference To: KERNEL32.lstrcmpA, Ord:0295h
|
:00402E6D 8B35F0F24000 mov esi, dword ptr [0040F2F0]
* Possible StringData Ref from Data Obj ->"John Covington"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402E7D(C)
|
* Possible StringData Ref from Data Obj ->"Clara Post"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402E8C(C)
|
* Possible StringData Ref from Data Obj ->"Team PGC" <-- PGC Got Blacklisted hehehehehe
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402E9B(C)
|
* Possible StringData Ref from Data Obj ->"Carol Swafford"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EAA(C)
|
* Possible StringData Ref from Data Obj ->"TRPS ROCKS" <-- TRPS SUX Big Time
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EB9(C)
|
* Possible StringData Ref from Data Obj ->"mr.f0x"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EC8(C)
|
* Possible StringData Ref from Data Obj ->"Riz la+" <-- hmmmmmmmmm
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402ED7(C)
|
* Possible StringData Ref from Data Obj ->"SiLicon Surfer [PC]"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EE6(C)
|
* Possible StringData Ref from Data Obj ->"JUANDA"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EF5(C)
|
* Possible StringData Ref from Data Obj ->"PC98" <-- The Famous Group
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F04(C)
|
* Possible StringData Ref from Data Obj ->"Tom Jones"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F13(C)
|
* Possible StringData Ref from Data Obj ->"Linda Georgie"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F22(C)
|
* Possible StringData Ref from Data Obj ->"Chen Borchang"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F31(C)
|
* Possible StringData Ref from Data Obj ->"Registered Uzer"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F40(C)
|
* Possible StringData Ref from Data Obj ->"teraphy"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F4F(C)
|
* Possible StringData Ref from Data Obj ->"STaRDoGG [PC]"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F5E(C)
|
* Possible StringData Ref from Data Obj ->"CleverMaxx"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F6D(C)
|
* Possible StringData Ref from Data Obj ->"BaMa/DSK"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F7C(C)
|
* Possible StringData Ref from Data Obj ->"[ FACTOR ]"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F8B(C)
|
* Possible StringData Ref from Data Obj ->"The_Gimp!"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F9A(C)
|
* Possible StringData Ref from Data Obj ->"Phrozen Crew"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402FA9(C)
|
* Possible StringData Ref from Data Obj ->"CORE/JES" <-- 1st Pc Now Core
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402FB8(C)
|
* Possible StringData Ref from Data Obj ->"Dennis Ellis"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402FC7(C)
|
* Possible StringData Ref from Data Obj ->"Anne Judson"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402FD6(C)
|
* Possible StringData Ref from Data Obj ->"M A LEES"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402FE5(C)
|
* Possible StringData Ref from Data Obj ->"Robert Jennison"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402FF4(C)
|
* Possible StringData Ref from Data Obj ->"Destine Manifest"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403003(C)
|
* Possible StringData Ref from Data Obj ->"Mohamed Dawoud"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403012(C)
|
* Possible StringData Ref from Data Obj ->"mark henery"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403021(C)
|
* Possible StringData Ref from Data Obj ->"terry GEORGI"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403030(C)
|
* Possible StringData Ref from Data Obj ->"xxxxxxxxxxx"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040303F(C)
|
:00403044 33D2 xor edx, edx
:00403046 3955FC cmp dword ptr [ebp-04], edx
:00403049 7409 je 00403054
:0040304B E846000000 call 00403096 <-- Dunt Think Itz Important
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402E41(C), :00402E52(C), :00402E67(C)
|
:00403050 33C0 xor eax, eax
:00403052 EB3D jmp 00403091
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403049(C)
|
:00403054 6A28 push 00000028
:00403056 58 pop eax
:00403057 394508 cmp dword ptr [ebp+08], eax
:0040305A 7603 jbe 0040305F
:0040305C 894508 mov dword ptr [ebp+08], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040305A(C)
|
:0040305F A104DA4000 mov eax, dword ptr [0040DA04] <-Moves Special Buffer Into Eax
:00403064 33C9 xor ecx, ecx
:00403066 395508 cmp dword ptr [ebp+08], edx
:00403069 7619 jbe 00403084
:0040306B 8B3508DA4000 mov esi, dword ptr [0040DA08] <-Moves Special Buffer 2 Into Esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403082(C)
|
:00403071 0FBE1C39 movsx ebx, byte ptr [ecx+edi] }-+
:00403075 0FAFD8 imul ebx, eax } |
:00403078 03DA add ebx, edx } |
:0040307A 41 inc ecx } The
:0040307B 03D6 add edx, esi } Algo
:0040307D 3B4D08 cmp ecx, dword ptr [ebp+08] } |
:00403080 8BC3 mov eax, ebx } |
:00403082 72ED jb 00403071 }-+
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403069(C)
|
:00403084 3D00CA9A3B cmp eax, 3B9ACA00 <-- Cmps
:00403089 7306 jnb 00403091
:0040308B 03050CDA4000 add eax, dword ptr [0040DA0C] <-- Adds Special Buffer 3 If Terms Meet
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00403052(U), :00403089(C)
|
:00403091 5F pop edi
:00403092 5E pop esi
:00403093 5B pop ebx
:00403094 C9 leave
:00403095 C3 ret
Ok Now I'll Rip The Algo And Show U What Itz Doing. Itz Pretty Simple Once U
Get The Hang Of It
:0040305F A104DA4000 mov eax, dword ptr [0040DA04] <-- Moves Special Buffer Into Eax (IMPORTANT)
:00403064 33C9 xor ecx, ecx
:00403066 395508 cmp dword ptr [ebp+08], edx
:00403069 7619 jbe 00403084
:0040306B 8B3508DA4000 mov esi, dword ptr [0040DA08] <-- Moves Special Buffer 2 Into Esi
.........
.........
:00403071 0FBE1C39 movsx ebx, byte ptr [ecx+edi] <-- Moves A Char Of Name Into Ebx
:00403075 0FAFD8 imul ebx, eax <-- Mul With Eax=CC3233D6
:00403078 03DA add ebx, edx <-- Add It With Edx That Is 0 At Start
:0040307A 41 inc ecx <-- Inc Counter
:0040307B 03D6 add edx, esi <-- Add Esi=D1E98EF9 To Edx
:0040307D 3B4D08 cmp ecx, dword ptr [ebp+08] <-- Cmp With Name Length
:00403080 8BC3 mov eax, ebx <-- Overrides Special Buffer
:00403082 72ED jb 00403071 <-- Loops
:00403084 3D00CA9A3B cmp eax, 3B9ACA00 <-- Cmp eax with 1000000000
:00403089 7306 jnb 00403091
:0040308B 03050CDA4000 add eax, dword ptr [0040DA0C] <-- If Less Then Add 1325132163
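Added example (not part of the original tutorial or the vendor's code): the check at 00402E29 can be reproduced from the listing because the program itself computes the expected serial from the name and constants stored in the binary. The Python below shows the usual mitigation, a product-bound license verified with a public key only; the function names, product strings and the toy RSA key built from two Mersenne primes are assumptions for illustration, and real code would use Ed25519 or RSA of 2048 bits or more from a vetted library.

```python
# Added example (not from the original page): product-bound license keys
# verified with a public key. Names and key material are constructed.
import hashlib

E = 65537  # public exponent


def vendor_keypair():
    """Vendor side only. Toy modulus from two Mersenne primes, for illustration;
    real deployments use Ed25519 or RSA >= 2048 bits from a vetted library."""
    p, q = 2**127 - 1, 2**107 - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent, never shipped
    return n, d


def _digest(product: str, name: str, n: int) -> int:
    """Hash the canonical (product, name) pair to an integer below n."""
    data = product.encode() + b"\x00" + name.strip().casefold().encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def vendor_issue(product: str, name: str, n: int, d: int) -> int:
    """Runs on the vendor's server: signing needs the private exponent d."""
    return pow(_digest(product, name, n), d, n)


def client_verify(product: str, name: str, key: int, n: int,
                  revoked: frozenset = frozenset()) -> bool:
    """Runs in the shipped program: only n and E are present, so the routine
    checks a key without containing the value needed to create one."""
    if not 0 < key < n:
        return False
    expected = _digest(product, name, n)
    if expected in revoked:  # revocation by digest, not by plain-text name
        return False
    return pow(key, E, n) == expected


if __name__ == "__main__":
    n, d = vendor_keypair()
    key = vendor_issue("product-a", "Constructed User", n, d)
    print(client_verify("product-a", "Constructed User", key, n))
    print(client_verify("product-b", "Constructed User", key, n))
```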
Ok Now We Know How It Gens A Valid Serial. For My Name Kwai_Lo The Serial Is
2149378377. Now We Code A Universal Keygen. I Coded Mine In C.
/* ************************************************** */
/* Compile With Bcc 5.0 And Above */
/* ************************************************** */
#include <stdio.h>
#include <string.h>
#include <conio.h>
int main()
{
unsigned char name[500]={0};
int nlen,i;
unsigned long int d1,mb1,mb2,sp1={0};
for(;;){
clrscr();
printf("UNIVERSAL KEYGEN FOR 12GHOSTS v99.1b SOFTWARE\n");
printf("CODED BY KWAI_LO'98\n");
printf("\nPLEASE ENTER A REGISTRATION NAME : ");
gets(name);
nlen=strlen(name);
if(nlen<1)
return 0;
else if(nlen>40) /*The Prog Only Takes 40 Chars*/
return 0;
else break;
}
mb1=0xCC3233D6; /*Hard Coded Look At Line 0040305F*/
mb2=0xD1E98EF9; /*Hard Coded Look At Line 0040306B*/
for(i=0 ; i