BEGINNERS: KeyGenerator for AddItem:
- Turning a *NAG* in to a keygen!

Not Assigned

12 February 1998

by Jon

Courtesy of Fravia's page of reverse engineering


Well, as anyone knows we are not so much favourable to the publishing of key generators, why the hell should we allow all lamers of the planet to use stolen software? Yet in this case it's the protection scheme itself that is 'reversed' (changing a SINGLE byte) and used as a keygenerator... a nice essay for beginners, by Jon. Very useful for those among you that DO NOT KNOW how to work with Softice in order to fish simple echos. A useful lesson for shareware programmers as well, clearly the idea of pushing a "not valid registered number" location that can be turned into a "valid registered number" location changing a single byte is ludicrous to say the least.
This is an essay for beginners (almost for NEWBYES) yet it may be enjoyed by any reverser


+prog cor

There is a crack, a crack in everything That's how the light gets in



(x)Beginner ( )Intermediate ( )Advanced ( )Expert

Useful for beginners, who haven't discovered the ease of "fishing" serials with SoftIce yet. I'll also show how to crack "creative": Turning a *NAG* in to a key-gen!

KeyGenerator for AddItem:
- Turning a *NAG* in to a keygen!

Written by Jon


Greetings, all!

Today, I'll crack several nice little programs, all made by the shareware 
programmer Firas El-Hasan. His programs are all nice Window$-utilities,
that are pretty useful. But unfortunately they all have a *NAG* at launch,
which is really annoying, considering that the programs are probably all
made within a couple of hours...
The programs are:

SysDate - A program which shows you the day of the month in the system tray.
StartClean - Cleans shortcuts, that points to nonexisting files.
SysLaunch - A "lite" version of the start menu, for fast access of your
favorite apps.
QuickDesk - Minimizes all the windows with ALT+TAB, or by a click on the
tray icon.
HotCorners - Starts your screensaver, when you leave the mouse-pointer in
one of the desktop corners (nice!).
DirectNet - Automatically dials your ISP, and launches an Internet-app. of
your choice (useful?).
AddLink - Allows you to right-click on a program, and add it to the
Also: DOS-Explore and DialMSN (MSN??? Yucchh!!!), but they are freeware,
so no cracking is needed :-)

I'll use two different approaches to cracking the protection-schemes:
1. Using SoftIce to "Hear the echo".
2. Using SoftIce/HIEW to turn the program in to a key-gen.

As a template, I'll use AddLink, which is one of the most useful of them.
Actually, StartClean is the most useful, but a dude named Qapla has already
made a tutorial for that program (good work, BTW). 
I'll describe the crack in a way, that'll make it easy apply the same 
approach on the other programs. And I'll also describe, if there's 
something that you should take note of, when using the same approach on the
other programs...

Tools required

SoftIce 3.22 for Win95/NT (any version is useful, though).
HIEW 5.66 (or whatever hex-editor you prefer).

Target's URL/FTP

You can fetch the apps. at the authors homepage:

Program History

None that I know of (I stumbled over the apps. by coincidence)... Check out the authors homepage, for more info.


So let's begin!

Start by installing AddLink (or one of the apps., that you wish to crack).
Start AddLink by right-clicking on any file, select Send To -->  Start Menu.
A nasty *NAG* will show, and remind you to "pay" for the program. Go in to 
SoftIce (CTRL+D) and
BPX Lstrcmp
Press F5 to get out of SoftIce...
Select Register...
Enter your name (in my case): -=[JON!]=-
And a fake serial: 1212121212 (Copyright  +ORC)
Hit ENTER...
Now, SoftIce BREAKS at Lstrcmp!
BC *
To clear the breakpoint.
Press F11 to go back, where it was CALLed from, scroll up a little, and you
see this:

CALL   00401BB0           ;Calculate valid code.
LEA    EAX,[ESP+18]       ;Copy your code to EAX.
ADD    ESP,08
PUSH   EAX                ;PUSH your code.
PUSH   004051C8           ;PUSH valid code.
CALL   [Kernel32!lstrcmp] ;Compare strings.
TEST   EAX,EAX            ;Are you registered?
JNZ    00401BA5           ;If not, JMP to *NAG*!

Now, to retrieve the valid code, you'll need to set a breakpoint on the line
where your code is PUSHed. To do this, simply double-click on that line. 
(If you have mouse disabled, do a BPX XXXX:YYYYYYYY, where XXXX:YYYYYYYY is
the memory location). Now, go out of SoftIce and enter the name and a bogus
code again. Press OK, and SoftIce breaks again. Type:
BD *
to temporarily disable the breakpoint (it will be used later).
D 004051C8
And you discover that the valid code for the name -=[JON!]=- is:
But why stop here? Why not make a key-gen? To do so, UNREGISTER the program,
by deleting its registry-entries (HKEY_CURRENT_USER\SOFTWARE\ADDLINK).
Now that it's unregistered, start the program, go in to SoftIce and enable
your breakpoint once again:
BE *
Enter something fake and press OK. SoftIce breaks once again, where the
valid code is PUSHed. 
Clear your breakpoint:
BC *
Now, write down the HEX-numbers for the PUSH function: 68C8514000

68C8514000 PUSH 004051C8 ;PUSH valid code.
Keep pressing F10, until you see these lines of code: PUSH 00 PUSH 00 PUSH 004051B4 ;PUSH the text "Incorrect code!" PUSH ESI CALL [USER32!MessageBoxA] ;CALL the *NAG* dialog. MOV EAX,00000001 ;Set EAX=1 (unregistered). Now, type: E XXXX:YYYYYYYY Where XXXX:YYYYYYYY is the memory-location of PUSH 004051B4 Enter the hex-digits you've written down (68C851400). Press F5 to get out of SoftIce, and what shows before your eyes?! A *NAG* with the valid code for your name!!! Cool, huh? To make the crack permanent: HIEW ADDLINK.EXE Search, F7: 6A006A0068B451400056 ^^ Replace : 6A006A0068C851400056 Save (F9) and exit (F10), and you've got yourself a working key-generator!
6A006A0068B451400056 ;push incorrect code has been changed into 6A006A0068C851400056 ;push correct code
This can be applied to all the other apps. (some minor differences, of course), with the exception of QuickDesk and SysLaunch. This is because, the memory location in which the valid serial is stored is overwritten before the *NAG* is shown :-( But you can, of course still "fish" a serial, using the same method described above.

Final Notes

What have we learned?
1.If Lstrcmp is used the compare the codes, it's easy to locate the right 
one, since it has already been calculated!
2. If the programmer hasn't cleared the valid code before the "Incorrect
code!" *NAG*, we can in most cases turn our worst enemy in to a key-gen!
3. The shareware programmers should make the protection-schemes different 
if they have more that one product!
4. SoftIce is the best debugger!
5. Cracking rulez!

+ORC, The +HCU, Fravia+, +Gthorne, all (+)crackers, all the cool cracking 
groups, all those who have killed a spammer, and of course to you, reader of
this essay!

Have Fun! :-)

By Jon, February 9th, 1998.
If you have any comments on this crap (good or bad), don't hesitate to
e-mail me at: jon101514(at)cyberjunkie(point)com

Ob Duh

I wont even bother explaining you that you should BUY these target programs if you intend to use them for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection schemes at all: you'll find it on most Warez sites, complete and already regged, farewell.

You are deep inside fravia's page of reverse engineering, choose your way out:
redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_fravia+
redIs reverse engineering legal?