Items needed for this tutorial:

    W32Dasm
    SoftICE
    Animato v1.0 (ftp://ftp.lakeclear.com/ANIMAT10.EXE)
    Basic asm knowledge...

OK, after you have all of these items you're ready. I'm going to introduce you to a little known method of turning a program into its OWN keygen! I'm not talking about that dialog box trick either... OK, enough bullcrap, let's get down to it.

Start our target and go to the register screen. Look, the author is already giving us some useful information: all serials start with ANM- . We have an idea of what to look for now... OK, enter in any name and serial, switch to SoftICE and set your breakpoints (you should know these). After a while of tracing we will come to some code that looks like this (NOTE: addresses may be different):

:00493AF4 8B45FC                  mov eax, dword ptr [ebp-04]
:00493AF7 8B80EC010000            mov eax, dword ptr [eax+000001EC]
:00493AFD E816B6F8FF              call 0041F118
:00493B02 8B45E4                  mov eax, dword ptr [ebp-1C]
:00493B05 8D55F4                  lea edx, dword ptr [ebp-0C]
:00493B08 E87B38F7FF              call 00407388
:00493B0D 8D55E0                  lea edx, dword ptr [ebp-20]
:00493B10 8B45F4                  mov eax, dword ptr [ebp-0C]
:00493B13 E8A839F7FF              call 004074C0
:00493B18 8B55E0                  mov edx, dword ptr [ebp-20]
:00493B1B 8D45F4                  lea eax, dword ptr [ebp-0C]
:00493B1E E85DFFF6FF              call 00403A80
:00493B23 8B45F8                  mov eax, dword ptr [ebp-08]      <-- good serial
:00493B26 8B55F4                  mov edx, dword ptr [ebp-0C]      <-- our fake #
:00493B29 E84602F7FF              call 00403D74                    <-- call to test if we put in good serial
:00493B2E 0F85A3000000            jne 00493BD7                     <-- if not same goto bad cracker

OK, we can see where the real and our fake serial #s are, as I marked. Now most of us are thinking right now, hmm, let's just write down the serial # and use it. Tsk tsk, we can do better than that. How about turning this sucker into its own keygen? Obviously at the code marked above it is getting edx / eax ready to be compared. Well, if we look closely we notice that the line mov edx, [ebp-c] holds our fake serial and mov eax, [ebp-8] holds our REAL one.

How about if we changed mov edx, [ebp-c] TO mov edx, [ebp-8], so it would go from:

:00493B23 8B45F8                  mov eax, dword ptr [ebp-08]
:00493B26 8B55F4                  mov edx, dword ptr [ebp-0C]

TO

:00493B23 8B45F8                  mov eax, dword ptr [ebp-08]
:00493B26 8B55F8                  mov edx, dword ptr [ebp-08]

Now BOTH eax and edx would hold the correct serial # before the compare is made! OK, patch it and try it. Hey, it works... kinda. You should get a box that says you have successfully registered, but the program is still unregistered. What could have happened? OK, let's trace again... get back to that point of the code where the serial #s are getting set up to be compared, and let's trace through from here:

:00493B23 8B45F8                  mov eax, dword ptr [ebp-08]      <-- good serial #
:00493B26 8B55F8                  mov edx, dword ptr [ebp-08]      <-- changed from above
:00493B29 E84602F7FF              call 00403D74
:00493B2E 0F85A3000000            jne 00493BD7                     <-- since we changed above we skip this jmp
:00493B34 A108884A00              mov eax, dword ptr [004A8808]
:00493B39 8B00                    mov eax, dword ptr [eax]
:00493B3B 8B9084040000            mov edx, dword ptr [eax+00000484]
:00493B41 8D45E0                  lea eax, dword ptr [ebp-20]

* Possible StringData Ref from Code Obj ->"\Registration"
                                  |
:00493B44 B97C3C4900              mov ecx, 00493C7C
:00493B49 E86201F7FF              call 00403CB0
:00493B4E 8B55E0                  mov edx, dword ptr [ebp-20]
:00493B51 A108884A00              mov eax, dword ptr [004A8808]
:00493B56 8B00                    mov eax, dword ptr [eax]
:00493B58 8B8080040000            mov eax, dword ptr [eax+00000480]
:00493B5E B101                    mov cl, 01
:00493B60 E83F33FBFF              call 00446EA4
:00493B65 8D55E4                  lea edx, dword ptr [ebp-1C]
:00493B68 8B45FC                  mov eax, dword ptr [ebp-04]
:00493B6B 8B80E4010000            mov eax, dword ptr [eax+000001E4]
:00493B71 E8A2B5F8FF              call 0041F118
:00493B76 8B4DE4                  mov ecx, dword ptr [ebp-1C]
:00493B79 A108884A00              mov eax, dword ptr [004A8808]
:00493B7E 8B00                    mov eax, dword ptr [eax]
:00493B80 8B8080040000            mov eax, dword ptr [eax+00000480]

* Possible StringData Ref from Code Obj ->"User"
                                  |
:00493B86 BA943C4900              mov edx, 00493C94
:00493B8B E8BC36FBFF              call 0044724C
:00493B90 A108884A00              mov eax, dword ptr [004A8808]
:00493B95 8B00                    mov eax, dword ptr [eax]
:00493B97 8B8080040000            mov eax, dword ptr [eax+00000480]
:00493B9D 8B4DF4                  mov ecx, dword ptr [ebp-0C]      <-- hey, look here: notice the [ebp-c], let's change it!

* Possible StringData Ref from Code Obj ->"Key"
                                  |
:00493BA0 BAA43C4900              mov edx, 00493CA4
:00493BA5 E8A236FBFF              call 0044724C

* Possible StringData Ref from Code Obj ->"Thank you for Purchasing Animato! "
                                        ->" All limitations have now been "
                                        ->"removed."

OK, let's see why it didn't keep our registration. Scrolling down past the jump we come to the registration section. Near the end we notice how it moves [ebp-c] into ecx... wait a minute, if I remember correctly [ebp-c] was our fake serial # from above! And it looks like it saves the information from ecx into the registry. Maybe if we change it to [ebp-8] it will keep our correct information! Let's try it... hey, it works. Now when you enter any serial starting with ANM- the correct one is stored!

Now most of us are saying, wow that's cool, but why not just write down the serial # and be done with it? Well, here's a good use of this method: some shareware authors are starting to use random IDs that are generated, with the serial #s generated from them, so people can't just pass around serial #s to their programs. Well, this type of patch would apply there. You could simply move in the correct information to be stored as the program saves the serial #.

Anyways, I don't have to say this as it should be understood: if you like this program and continue to use it you should purchase a copy.

Flu[X] - Phrozen Crew 98
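For anyone who designs registration checks rather than defeats them, the reason the two patches above work is worth spelling out: the program derives the real serial itself, keeps it in a local ([ebp-08]) right next to the user's input ([ebp-0C]), string-compares the two, and then writes whichever value it was told to into the registry. Any code that can compute the expected serial is, by construction, a keygen. The Python below is an added example, not part of the original tutorial and not Animato's actual algorithm; it contrasts that weak pattern with one where the serial is a vendor signature over the name and the client holds only the verifying key. The HMAC secret, the ANM- serial layout and the toy RSA parameters (a 92-bit modulus built from two well-known Mersenne primes, so anyone can factor it; it is there only to keep the arithmetic visible) are all constructed for this example.

```python
"""Weak vs. signature-based serial verification (constructed example).

Weak scheme:   the client derives the expected serial and compares strings,
               so the real serial exists in client memory and the client can
               mint serials for any name.
Signed scheme: the serial is a vendor signature over the name; the client only
               verifies, so no patch to the client yields a valid serial.
"""
import hashlib
import hmac

# ------------------------------------------------------------ weak scheme
# Constructed secret baked into the binary.  Because this function ships in
# the client, the client can produce the "real" serial for any name.
EMBEDDED_SECRET = b"constructed-demo-secret"


def weak_expected_serial(name: str) -> str:
    """Client-side derivation of the expected serial (the [ebp-08] value)."""
    tag = hmac.new(EMBEDDED_SECRET, name.encode(), hashlib.sha256).hexdigest()
    return "ANM-" + tag[:12].upper()


def weak_check(name: str, entered: str) -> bool:
    """Compare derived serial with the user's input, as the tutorial's target does."""
    real = weak_expected_serial(name)    # real serial in memory ...
    return real == entered               # ... one compare away from the fake one


# ---------------------------------------------------------- signed scheme
# Toy RSA parameters: (2^61-1) and (2^31-1) are Mersenne primes, so the
# modulus is trivially factorable.  Real deployments use a proper signature
# library and key size; the structure, not the numbers, is the point.
P, Q = (1 << 61) - 1, (1 << 31) - 1
N = P * Q
E = 65537                                  # public exponent, shipped in the client
_D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent, vendor-only


def _digest(name: str) -> int:
    """Hash the licensed name into the RSA domain."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N


def vendor_issue_serial(name: str) -> str:
    """Runs at the vendor, never shipped: the serial is a signature over the name."""
    sig = pow(_digest(name), _D, N)
    return "ANM-" + format(sig, "024X")


def signed_check(name: str, entered: str) -> bool:
    """Client side: needs only E and N, so nothing here can create a serial.

    Call this again at startup on the stored (name, serial) pair instead of
    trusting whatever was written to the registry.
    """
    if not entered.startswith("ANM-"):
        return False
    try:
        sig = int(entered[4:], 16)
    except ValueError:
        return False
    if sig >= N:
        return False
    return pow(sig, E, N) == _digest(name)


if __name__ == "__main__":
    name = "Flu[X]"
    issued = vendor_issue_serial(name)
    print("weak check passes for derived serial:", weak_check(name, weak_expected_serial(name)))
    print("signed check passes for vendor serial:", signed_check(name, issued))
    print("same serial, different name:", signed_check("Someone Else", issued))
```

A patched jne still bypasses signed_check on the patched machine; that is true of any check that runs on the client. What changes is that neither of the patches described above produces a serial that an unpatched copy accepts, because the private exponent never leaves the vendor, and re-running signed_check at startup means a stored fake serial does not survive a restart.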