Aescu
1) Keygen
2) Useful breakpoints
KeyGens ...
Useful tips:
1. The best tool to analyze a key file is a hex editor. Text editors are not suitable for this task.
2. A key file is nothing more than a continuous array of bytes inside a small file. These bytes hold the personal user
information (encrypted), checksums for the key file's integrity, encrypted dates,
names, addresses, encrypted flags (for instance, a flag for a multi-user license), etc.
3. To defeat a key-file-based protection scheme, you should write a little program that produces a small bogus key file. This
generic program should be able to create files with different names and sizes. The content of this bogus file (contrary to
common belief) must be readable information. In my
case, the bogus key file generator cuts a large chapter from my favorite novel and pastes it into the bogus file, adjusting
the file size and name to my needs. Why readable information inside the bogus file? Because the target program
will read strategic offsets of the key file, and readable text there tells you precisely which location is being read at any
time. It will also mark the locations where certain checksums must be added to the final key file.
4. The key file name is, in most cases, the target program's main executable file name with the extension '*.key': a very old
stupidity flag that is still around these days. Other strategies to figure out the key file name are using a string-searching utility,
reading the user's manual (sometimes the author includes instructions on installing the key file, revealing its name), or, at
the debugging level, bpint 21 if ah==3d (DOS); when the break occurs, execute d (e)dx at the SoftICE command screen. In a Windows
environment, bpx CreateFileA, ReadFile, GetFileAttributesA, etc. perform the same task.
Once you have figured out the key file name, create the bogus file and copy it to the same path as the main target executable.
Start the program and see what happens. If you receive an 'Invalid Key File' or 'Corrupted Key File' message (another
stupidity flag), your cracking work has been greatly reduced; the next logical step is to search for the location in the code where
this message is triggered.
5. The key file has to be read. There is no alternative: the program must read the key file to test its validity. Accordingly,
set appropriate breakpoints on the file-reading interrupts (DOS) or APIs (Windows).
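Tips 2 and 4 describe what a key file validator actually does: it reads a handful of fixed offsets, recomputes an integrity value, and decides. The following is an added example (mine, not Aescu's, and not any real product's format) that makes that concrete from the program's side: a hypothetical 74-byte layout with a magic, a licensee name, an expiry date, a flags word and an HMAC-SHA256 tag, plus a validator that checks it. The demo feeds it a genuine file, a file with one byte flipped, an expired file, and the readable-text bogus file from tip 3, so you can see why a validator that authenticates the whole body rejects all but the first. The layout, the field names and the secret are all constructed for the example.

```python
import hashlib
import hmac
import struct
from datetime import date

# Hypothetical fixed-offset key file layout, constructed for this example
# (not any real product's format):
#   offset  0, 4 bytes : magic b"KEY1"
#   offset  4, 32 bytes: licensee name, NUL-padded ASCII
#   offset 36, 4 bytes : expiry date as YYYYMMDD, little-endian uint32
#   offset 40, 2 bytes : flags, little-endian uint16 (bit 0 = multi-user licence)
#   offset 42, 32 bytes: HMAC-SHA256 over bytes 0..41
MAGIC = b"KEY1"
HEADER = struct.Struct("<4s32sIH")    # 42 bytes
TAG_LEN = hashlib.sha256().digest_size
KEY_FILE_LEN = HEADER.size + TAG_LEN  # 74 bytes
FLAG_MULTI_USER = 0x0001


def build_key_file(secret: bytes, licensee: str, expiry: date, flags: int) -> bytes:
    """Issuer side: pack the fields at their fixed offsets and append the tag."""
    name = licensee.encode("ascii")[:32].ljust(32, b"\0")
    body = HEADER.pack(MAGIC, name, int(expiry.strftime("%Y%m%d")), flags)
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return body + tag


def parse_key_file(data: bytes) -> dict:
    """Read the fixed offsets. Raises ValueError on any structural problem."""
    if len(data) != KEY_FILE_LEN:
        raise ValueError("wrong key file size")
    magic, name, ymd, flags = HEADER.unpack_from(data, 0)
    if magic != MAGIC:
        raise ValueError("bad magic")
    # date() itself raises ValueError for nonsense such as month 13
    expiry = date(ymd // 10000, (ymd // 100) % 100, ymd % 100)
    return {
        "licensee": name.rstrip(b"\0").decode("ascii", "replace"),
        "expiry": expiry,
        "multi_user": bool(flags & FLAG_MULTI_USER),
    }


def verify_key_file(data: bytes, secret: bytes, today: date) -> bool:
    """Program side: a single boolean outcome, whatever the reason for rejection."""
    try:
        fields = parse_key_file(data)
    except ValueError:
        return False
    body, tag = data[:HEADER.size], data[HEADER.size:]
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    # constant-time comparison: a byte-by-byte compare would leak, via timing,
    # how many leading tag bytes a forged file got right
    if not hmac.compare_digest(expected, tag):
        return False
    return today <= fields["expiry"]


def demo() -> dict:
    """Exercise the validator against genuine, tampered, bogus and expired files."""
    secret = b"constructed-demo-secret"  # placeholder for the example, not a real key
    today = date(2025, 1, 1)
    genuine = build_key_file(secret, "Alice Example", date(2030, 1, 1), FLAG_MULTI_USER)

    # flip one byte of the licensee name: the tag no longer matches
    tampered = bytearray(genuine)
    tampered[4] ^= 0x01

    # the readable-text bogus file of tip 3: right size, but wrong magic and no valid tag
    bogus = (b"It was the best of times, it was the worst of times, " * 2)[:KEY_FILE_LEN]

    expired = build_key_file(secret, "Bob Example", date(2020, 1, 1), 0)

    return {
        "genuine": verify_key_file(genuine, secret, today),
        "tampered": verify_key_file(bytes(tampered), secret, today),
        "bogus": verify_key_file(bogus, secret, today),
        "expired": verify_key_file(expired, secret, today),
        "fields": parse_key_file(genuine),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two design points worth noticing. The validator returns one boolean for every failure instead of separate 'Invalid Key File' and 'Corrupted Key File' messages, which is exactly the distinguishing string tip 4 says to search for. And an HMAC only helps as long as the secret stays secret: a secret compiled into the executable can be lifted with the same file-reading breakpoints this page lists, so a verifier that holds only a public key (a digital signature over the body) is the stronger choice; HMAC is used here only because it is in the Python standard library.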
SoftICE Advice: Useful Breakpoints ...
One of the most important abilities a cracker must develop is knowing where, when and what kind of breakpoint to set. If a perfectly
timed and intelligent breakpoint is not set, you'll grow old and die before you get a glimpse of the protection
scheme. Remember, even the most insignificant program can contain thousands of lines of code. The most important breakpoints
you should know are:
General Purposes ...
bpx messagebox
bpx getdlgitemtext
bpx getwindowtext
bpx hmemcpy
bpx showwindow
bpx updatewindow
bmsg xxxx wm_gettext
bmsg xxxx wm_command
bmsg xxxx wm_move
Time Related ...
bpint 21 if ah==2A (DOS)
bpx getlocaltime
bpx getfiletime
bpx getsystemtime
Register Flag Related (e.g. Flag on EAX) ...
bpx cs:eip if EAX==0 (SICE 3.x)
Memory Flag Related (e.g. Flag on 0030:000045AA) ...
bpmb cs:eip rw if 0x30:0x45AA==0 (SICE 3.x)
"Hear The Echo" Technique Related ...
bpx 0x30:0x45AA do "d 0x30:0x44BB" (SICE 3.x)
bpx CS:0x66CC do "? EAX" (SICE 3.x)
CD-ROM and Disk Based Schemes ...
bpint 13 if ah==2 (DOS)
bpint 13 if ah==3 (DOS)
bpint 13 if ah==4 (DOS)
bpx GetFileAttributesA
bpx GetFileSize
bpx GetDriveType
bpx GetLastError
bpx ReadFile
bpio -h (Your CD-ROM Port Address) R
Dongle Cracking ...
bpio -h 278 R
bpio -h 378 R
Key File Related ...
bpint 21 if ah==3dh (DOS)
bpint 21 if ah==3fh (DOS)
bpx ReadFile
bpx CreateFileA
Keyboard Input Related ...
bpint 16 if ah==0 (DOS)
bpint 21 if ah==0xA (DOS)
Possibilities are endless. I copied only those breakpoints which are considered most useful and frequently used by crackers;
nevertheless, if you have a preferred breakpoint for cracking certain schemes that is not listed, please let me know and I'll publish it (if
worthy).