How To Create Keygens

Pages: 6 (1426 words) Published: July 18, 2011
How to make key generators?
-===========================

Introduction
-----------

I take no responsibility of the usage of this information. This tutorial, is for educational knowledge ONLY.

Hi there, in this tutorial, I intend to teach you how to make a pretty simple keygen, of a program called W3Filer 32 V1.1.3. W3Filer is a pretty good web downloader... I guess some of you might know the program.

I`ll assume you know:
A. How to use debugger (in this case, SoftIce).
B. How to crack, generally (finding protection routines, patching them, etc...).
C. How to use Disassembler (This knowledge can help).
D. Assembly.
E. How to code in Turbo Pascal (tm).

Tools you`ll need:
A. SoftIce 3.00/01 or newer.
B. WD32Asm. (Not a must).
C. The program W3Filer V1.13 (if not provided in this package), can be found in www.windows95.com I believe.
D. Turbo Pascal (ANY version).

Well, enough blah blah, let's go cracking...

Run W3Filer 32. A nag screen pops, and, demands registration (Hmm, this sux ;-)). Now, We notice this program has some kind of serial number (Mine is 873977046), Let's keep the serial in mind, I bet we`ll meet it again while we're on the debugger.

Well, now, let's put your name and a dummy regcode... set a BP on GetDlgItemTextA, and, press OK. We pop inside GetDlgItemTextA, Lets find the registration routine... I`ll save you the work, the registration routine is this:

:00404DB2 8D95A8FAFFFF    lea edx, dword ptr [ebp+FFFFFAA8]
:00404DB8 52              push edx                 ---> Your user name here.
:00404DB9 E80B550000      call 0040A2C9            ---> Registration routine.
:00404DBE 83C408          add esp, 00000008        ---> Dunno exactly what is it.
:00404DC1 85C0            test eax, eax            ---> Boolean identifier, 0 if
:00404DC3 7D17            jge 00404DDC             ---> registration failed, 1 if OK.

Well, Let's enter the CALL 40A2C9, and see what's inside it: (Please read my comments in the code).

* Referenced by a CALL at Addresses:
|:00404DB9 , :00407F76
|
:0040A2C9 55              push ebp
:0040A2CA 8BEC            mov ebp, esp
:0040A2CC 81C4B0FEFFFF    add esp, FFFFFEB0
:0040A2D2 53              push ebx
:0040A2D3 56              push esi
:0040A2D4 57              push edi
:0040A2D5 8B5508          mov edx, dword ptr [ebp+08]
:0040A2D8 8DB500FFFFFF    lea esi, dword ptr [ebp+FFFFFF00]
:0040A2DE 33C0            xor eax, eax
:0040A2E0 EB16            jmp 0040A2F8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A2FB(C)
|
:0040A2E2 0FBE0A          movsx ecx, byte ptr [edx]   ----> Here Starts the interesting part.
:0040A2E5 83F920          cmp ecx, 00000020           ----> ECX is the current char in the user name, Hmm, 20h=' '...
:0040A2E8 740D            je 0040A2F7                 ----> Let's see,
:0040A2EA 8A0A            mov cl, byte ptr [edx]      ----> Generally, all this loop does, is copying
                                                            the user name from [EDX], to [ESI], WITHOUT
                                                            the spaces! (Keep this in mind! ).
:0040A2EC 880C06          mov byte ptr [esi+eax], cl
:0040A2EF 42              inc edx
:0040A2F0 40              inc eax
:0040A2F1 C6040600        mov byte ptr [esi+eax], 00
:0040A2F5 EB01            jmp 0040A2F8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A2E8(C)
|
:0040A2F7 42              inc edx

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040A2E0(U), :0040A2F5(U)
|
:0040A2F8 803A00          cmp byte ptr [edx], 00
:0040A2FB 75E5            jne 0040A2E2                ----------------> This is the loop, we got what it does,
                                                            Let's continue tracing the code...
:0040A2FD 56              push esi                    --------> The user name is pushed, in order to
                                                            Upcase it's chars.

* Reference To: USER32.CharUpperA, Ord:0000h
|
:0040A2FE E80F330000      Call User!CharUpper         ---> After this, our name is in upper case.
:0040A303 56              push esi                    -----> Our name in upper case here.

* Reference To: cw3220mt._strlen, Ord:0000h
|
:0040A304 E86F300000      Call 0040D378               ---> This is the length of our name.
:0040A309 59              pop ecx
:0040A30A 8BC8            mov ecx, eax                ---> ECX=Length.
:0040A30C 83F904          cmp ecx, 00000004           ---> Length>=4 (MUST).
:0040A30F 7D05            jge 0040A316                ---> Let's go to this address...
:0040A311 83C8FF          or eax, FFFFFFFF
:0040A314 EB67            jmp 0040A37D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A30F(C)
|
:0040A316 33D2
:0040A318...