$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$   Solution for diablo2002 #1   $
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

---------------------------------------------------------------------------------------------------------
Tools used:
  OllyDbg for debugging
  Dev-C++ 4.9.8.1 for keygenning
  And UltraEdit-32 v9.00b
---------------------------------------------------------------------------------------------------------

OK, open diablo #1 in OllyDbg, set a breakpoint on GetDlgItemTextA, write your Name & Serial and press [try], then hit Ctrl+F9 and F8. Then we are ready to start...

$$$$$$$$$$$$$$$$$Fake serial calculation$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

00401246 |. 33C0           XOR EAX,EAX
00401248 |. 6A 28          PUSH 28                           ; /Count = 28 (40.)
0040124A |. 68 8C314000    PUSH d2k2_cra.0040318C            ; |Buffer = d2k2_cra.0040318C
0040124F |. 6A 02          PUSH 2                            ; |ControlID = 2
00401251 |. FF75 08        PUSH [ARG.1]                      ; |hWnd
00401254 |. E8 8F010000    CALL                              ; \GetDlgItemTextA
00401259 |. 84C0           TEST AL,AL                        <--//Test for NULL (AL = length of the name)
0040125B |. 0F84 06010000  JE d2k2_cra.00401367              <--//Jump if NULL to "bad boy" message
00401261 |. 3C 20          CMP AL,20
00401263 |. 0F8F 13010000  JG d2k2_cra.0040137C              <--//Check if size is bigger than 0x20
00401269 |. 3C 05          CMP AL,5
0040126B |. 0F8C 20010000  JL d2k2_cra.00401391              <--//Check if size is smaller than 5
00401271 |. 8D1D 8C314000  LEA EBX,DWORD PTR DS:[40318C]     <--//EBX = name buffer
00401277 |. 33C9           XOR ECX,ECX
00401279 |. B0 05          MOV AL,5                          <--//Make counter 5
0040127B |. 33D2           XOR EDX,EDX
0040127D |> 8A0C1A         MOV CL,BYTE PTR DS:[EDX+EBX]      <--//Put byte in CL
00401280 |. 80F1 29        XOR CL,29                         <--//XOR byte with 0x29
00401283 |. 02C8           ADD CL,AL                         <--//Add counter
00401285 |. 80F9 41        CMP CL,41                         ; /
00401288 |. 7C 1C          JL SHORT d2k2_cra.004012A6        ; |Check if byte is:
0040128A |. 80F9 5A        CMP CL,5A                         ; |Lower than 0x41 or bigger than 0x5A
0040128D |. 7F 17          JG SHORT d2k2_cra.004012A6        ; \
0040128F |> 888A 3C314000  MOV BYTE PTR DS:[EDX+40313C],CL   <--//Move calculated byte to buffer
00401295 |. C682 3D314000 >MOV BYTE PTR DS:[EDX+40313D],0
0040129C |. FEC2           INC DL
0040129E |. FEC8           DEC AL
004012A0 |. 3C 00          CMP AL,0
004012A2 |. 74 08          JE SHORT d2k2_cra.004012AC
004012A4 |.^EB D7          JMP SHORT d2k2_cra.0040127D
004012A6 |> B1 52          MOV CL,52                         <--//Out of range: make byte 0x52
004012A8 |. 02C8           ADD CL,AL                         <--//Add counter to byte
004012AA |.^EB E3          JMP SHORT d2k2_cra.0040128F
004012AC |> 33D2           XOR EDX,EDX
004012AE |. B8 05000000    MOV EAX,5                         <--//Make counter 5
004012B3 |> 8A0C1A         MOV CL,BYTE PTR DS:[EDX+EBX]
004012B6 |. 80F1 27        XOR CL,27                         <--//XOR byte with 0x27
004012B9 |. 02C8           ADD CL,AL                         <--//Add counter
004012BB |. 80C1 01        ADD CL,1                          <--//Add 0x01
004012BE |. 80F9 41        CMP CL,41                         ; /
004012C1 |. 7C 1C          JL SHORT d2k2_cra.004012DF        ; |Check if byte is:
004012C3 |. 80F9 5A        CMP CL,5A                         ; |Lower than 0x41 or bigger than 0x5A
004012C6 |. 7F 17          JG SHORT d2k2_cra.004012DF        ; \
004012C8 |> 888A 41314000  MOV BYTE PTR DS:[EDX+403141],CL   <--//Move calculated byte to buffer
004012CE |. C682 42314000 >MOV BYTE PTR DS:[EDX+403142],0
004012D5 |. FEC2           INC DL
004012D7 |. FEC8           DEC AL
004012D9 |. 3C 00          CMP AL,0
004012DB |. 74 08          JE SHORT d2k2_cra.004012E5
004012DD |.^EB D4          JMP SHORT d2k2_cra.004012B3
004012DF |> B1 4D          MOV CL,4D                         <--//Out of range: make byte 0x4D
004012E1 |. 02C8           ADD CL,AL                         <--//Add counter to byte
004012E3 |.^EB E3          JMP SHORT d2k2_cra.004012C8

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

The two routines above, which are very similar to each other, are used to make the fake serial: each one takes the first 5 bytes of the name, with the counter running 5,4,3,2,1, and writes 5 bytes, so the fake serial at 0040313C is 10 bytes long. Note that JL/JG are signed compares, so a byte that ends up at 0x80 or above also takes the "out of range" path. The next part of the routine makes the real serial from the fake one...

$$$$$$$$$$$$$$$$$$Real serial calculation$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

004012E5 |> 33C0           XOR EAX,EAX
004012E7 |. 6A 28          PUSH 28                           ; /Count = 28 (40.)
004012E9 |. 68 B4314000    PUSH d2k2_cra.004031B4            ; |Buffer = d2k2_cra.004031B4
004012EE |. 6A 04          PUSH 4                            ; |ControlID = 4
004012F0 |. FF75 08        PUSH [ARG.1]                      ; |hWnd
004012F3 |. E8 F0000000    CALL                              ; \GetDlgItemTextA
004012F8 |. 66:85C0        TEST AX,AX
004012FB |. 74 55          JE SHORT d2k2_cra.00401352
004012FD |. 66:83F8 0A     CMP AX,0A                         <--//Check if entered serial is 10 chars long
00401301 |. 7F 4F          JG SHORT d2k2_cra.00401352        <--//If not, jump to "bad boy" message
00401303 |. 7C 4D          JL SHORT d2k2_cra.00401352        <--//If not, jump to "bad boy" message
00401305 |. 33C0           XOR EAX,EAX
00401307 |. 33DB           XOR EBX,EBX
00401309 |. 33C9           XOR ECX,ECX
0040130B |. 33D2           XOR EDX,EDX
0040130D |. 8D05 B4314000  LEA EAX,DWORD PTR DS:[4031B4]     <--//EAX = entered serial
00401313 |> 8A1C01         MOV BL,BYTE PTR DS:[ECX+EAX]      <--//BL = entered byte
00401316 |. 8A91 3C314000  MOV DL,BYTE PTR DS:[ECX+40313C]   <--//DL = fake serial byte
0040131C |. 80FB 00        CMP BL,0
0040131F |. 0F84 81000000  JE d2k2_cra.004013A6              <--//End of entered serial: all bytes matched
00401325 |. 80C2 05        ADD DL,5                          <--//Add 0x05 to byte
00401328 |. 80FA 5A        CMP DL,5A
0040132B |. 7F 14          JG SHORT d2k2_cra.00401341        <--//If byte is bigger than 0x5A then jump
0040132D |> 80F2 0C        XOR DL,0C                         <--//XOR byte with 0x0C
00401330 |. 80FA 41        CMP DL,41
00401333 |. 7C 11          JL SHORT d2k2_cra.00401346        <--//If byte is lower than 0x41 then jump
00401335 |. 80FA 5A        CMP DL,5A
00401338 |. 7F 12          JG SHORT d2k2_cra.0040134C        <--//If byte is bigger than 0x5A then jump
0040133A |> 41             INC ECX                           <--//Increment counter
0040133B |. 38DA           CMP DL,BL                         <--//Check if real byte and entered byte are equal
0040133D |.^74 D4          JE SHORT d2k2_cra.00401313        <--//If they are then LOOP
0040133F |. EB 11          JMP SHORT d2k2_cra.00401352       <--//Else jump to "bad boy" message
00401341 |> 80EA 0D        SUB DL,0D                         <--//Subtract 0x0D
00401344 |.^EB E7          JMP SHORT d2k2_cra.0040132D
00401346 |> B2 4B          MOV DL,4B                         <--//Below 0x41: byte = 0x4B + counter
00401348 |. 02D1           ADD DL,CL
0040134A |.^EB EE          JMP SHORT d2k2_cra.0040133A
0040134C |> B2 4B          MOV DL,4B                         <--//Above 0x5A: byte = 0x4B - counter
0040134E |. 2AD1           SUB DL,CL
00401350 |.^EB E8          JMP SHORT d2k2_cra.0040133A

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

That's it. Thanks to diablo2002 for this crackme!
I also want to greet all Norwegian crackers.
The source of the keygen is in the zip file.

Made by: *Sorcerer*
17/9 2003
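As an added worked example (not Sorcerer's keygen from the zip, which is not reproduced here), the two routines above in C: fake_serial follows the loops at 0040127D/004012B3, real_serial the per-byte transform at 00401325..00401350, keygen applies the name-length checks from 00401259..0040126B, and check mirrors what the compare loop at 004012E5 accepts, so a candidate serial can be verified without running the crackme. The name "AAAAA" used in the test is a constructed sample; the signed char variables reproduce the signed JL/JG compares of the listing.

```c
#include <stdio.h>
#include <string.h>

/* Fake serial: the loops at 0040127D and 004012B3 (merged here, they are
 * independent). JL/JG are signed byte compares, hence signed char. */
static void fake_serial(const char *name, unsigned char fake[11])
{
    for (int i = 0; i < 5; i++) {
        int ctr = 5 - i;                                   /* AL: 5,4,3,2,1 */
        signed char c = (signed char)(((unsigned char)name[i] ^ 0x29) + ctr);
        if (c < 0x41 || c > 0x5A) c = (signed char)(0x52 + ctr); /* not A..Z */
        fake[i] = (unsigned char)c;                        /* 0040313C + i */
        c = (signed char)(((unsigned char)name[i] ^ 0x27) + ctr + 1);
        if (c < 0x41 || c > 0x5A) c = (signed char)(0x4D + ctr);
        fake[5 + i] = (unsigned char)c;                    /* 00403141 + i */
    }
    fake[10] = 0;
}
/* Real serial: the per-byte transform at 00401325..00401350. */
static void real_serial(const unsigned char fake[11], char serial[11])
{
    for (int i = 0; i < 10; i++) {
        signed char d = (signed char)(fake[i] + 5);
        if (d > 0x5A) d -= 0x0D;                           /* 00401341 */
        d ^= 0x0C;
        if (d < 0x41)      d = (signed char)(0x4B + i);    /* 00401346 */
        else if (d > 0x5A) d = (signed char)(0x4B - i);    /* 0040134C */
        serial[i] = (char)d;
    }
    serial[10] = 0;
}
/* Name must be 5..0x20 chars (checks at 00401259..0040126B); returns 1 on success. */
int keygen(const char *name, char serial[11])
{
    unsigned char fake[11];
    size_t n = strlen(name);
    if (n < 5 || n > 0x20) return 0;
    fake_serial(name, fake);
    real_serial(fake, serial);
    return 1;
}
/* What the routine at 004012E5 accepts: exactly 10 chars equal to the real serial. */
int check(const char *name, const char *serial)
{
    char expect[11];
    if (strlen(serial) != 10 || !keygen(name, expect)) return 0;
    return strcmp(expect, serial) == 0;
}
```

Build it with a small main that calls keygen on argv[1] and prints the serial; for the name "AAAAA" every name byte falls out of range in both loops, so the fake serial is "WVUTSRQPON" and the real serial "CBVUTFZYXB".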