Cracking Tutorial for Coffee Break 1.1
Reconstructing a missing key file and creating a key file generator

 
 


Target Program: Coffee Break 1.1
Description: This desktop tray accessory allows the user to set a periodical reminder, which when triggered will display a message inviting the user to take a well-earned Coffee-Break.
Location: http://www.powerup.com.au/~marver
Protection: Missing Key File
Tools needed: SoftICE 3.24
Ob duh: Do I really have to remind you all that BUYING and NOT stealing the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue to offer even more challenges in breaking their often weak protection systems.
BTW, It's illegal to use cracked Software!

 
If you're looking for cracks or serial numbers from these pages then you're wasting your time, try to search elsewhere on the Web under Warez, Cracks, etc.
Info: Brand and product names are trademarks or registered trademarks of their respective holders.
Level: ( )Beginner (X)Intermediate ( )Advanced ( )Expert

This tutorial was written for all those crackers who want to learn the *magic* of key file reconstruction. I chose this target program from Popcorn Software simply so that you don't forget to take breaks, ... which we all should sometimes.

First of all we need to find out the name of the key file. So open COFFEBREAK.EXE in Hacker's View and look for .KEY (most key files have the .KEY extension). You will find that the name of our key file is REG.KEY. So create a file with that name in the program directory. Your key file should look like the following:

   Cr@cking Tutori@l (PIRATED COPY)

Restart the program. Now we get the error message "'Cr@cking Tutori@l (PIRATED COPY)' is not a valid integer value". So the first line must contain an integer value. Just edit your key file. It should now look like the following:

   12345
   Cr@cking Tutori@l (PIRATED COPY)


Restart the program. You'll get another error message: "'' is not a valid integer value" (an empty value this time). Hey, what's that?? Ok. Just add a third line to your key file. It should now look something like this:

   12345
   Cr@cking Tutori@l (PIRATED COPY)
   67890


Restart the program. This time we didn't get any error message, so we can assume that our fake values are in the right format ... when you exit the program REGISTER.TXT will still be opened by the program. So it's time for the SoftICE tracing now. For key files I recommend the breakpoints _lopen and CreateFileA. So set these breakpoints now.
SoftICE will break at CreateFileA and you'll be confronted with the following code snippet:

 
  :004048B7    CALL    KERNEL32!CreateFileA
  :004048BC    CMP     EAX,-01                        ; Does file exist?
  :004048BF    JZ      004049B0                       ; if not JMP

... the above code snippet just tests whether the file exists. After some tracing you will come across the following code snippet:

  :0043792E    CALL    00402718
  :00437933    LEA     EDX,[EBP-08]
  :00437936    LEA     EAX,[EBP-01E0]
  :0043793C    CALL    00403C28
               ...
  :004379BD    MOV     EBX,00000001                    ; EBX = 1
  :004379C2    LEA     EAX,[EBP-02E0]
  :004379C8    CALL    00406CFC                        ; get length of line 2
  :004379CD    MOV     EDX,EAX                         ; move length (EAX) into EDX
  :004379CF    DEC     EDX
  :004379D0    TEST    EDX,EDX                         ; loops (length of name) left > 0?
  :004379D2    JL      004379E5
  :004379D4    INC     EDX
  :004379D5    LEA     EAX,[EBP-02E0]
  :004379DB    XOR     ECX,ECX
  :004379DD    MOV     CL,[EAX]                        ; get char from EAX
  :004379DF    XOR     EBX,ECX                         ; EBX = EBX XOR ECX
  :004379E1    INC     EAX                             ; next char
  :004379E2    DEC     EDX
  :004379E3    JNZ     00437ADB
  :004379E5    MOV     EAX,[EBP-14]
  :004379E8    CDQ
  :004379E9    IDIV    EBX                             ; EAX = EAX / EBX
  :004379EB    MOV     EBX,EAX
  :004379ED    MOV     BYTE PTR [00439764],01          ; set good buyer flag
  :004379F4    CMP     DWORD PTR [EBP-14],04E0277F     ; first line = 4E0277F?
  :004379FB    JZ      00437A04                        ; JZ good buyer
  :004379FD    MOV     BYTE PTR [00439764],00          ; set bad cracker flag
  :00437A04    MOV     EAX,[EBP-10]
  :00437A07    CALL    00406A24
  :00437A0C    CMP     EBX,EAX                         ; compare line 3 with real line 3
  :00437A0E    JZ      00437A17                        ; good buyer jump
  :00437A10    MOV     BYTE PTR [00439764],00          ; set bad cracker flag
  :00437A17    CMP     BYTE PTR [00439764],00          ; bad cracker?
  :00437A1E    JNZ     00437A2D                        ; JNZ good buyer!

As you can see from my code comments above, we need to edit our key file once again. It will now look something like this:

   81799039
   Cr@cking Tutori@l (PIRATED COPY)
   67890


Now you need to run the target once again. Be sure to understand the very easy key generation algorithm. You may then sniff out the real code at 437A0C.
 
A working key file for this target will look like the following:

   81799039
   Cr@cking Tutori@l (PIRATED COPY)
   743627


Just run the target to see if your key file generation was good - and you won't see any NAG ... congratulations! That is far too easy for me. I want to create a key file generator. Have a look again at 004379D5 - 004379E9 ... and try to figure out how the calculation works yourself ... otherwise you won't learn anything new from this tutorial.

The calculation works as follows (EBX = 1):
1) take char from name and store it in CL
2) XOR EBX by ASCII value of char
3) repeat 1 and 2 until there are no chars left
4) divide 81799039 by EBX

Now create your key file generator in your favourite programming language - like C++.

 

// This is the C++ Source Code of my KeyGEN. I hope you like it.
// I've compiled it using Symantec C/C++ 6.11

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main()
{
    unsigned long EAX, EBX, CL, i;
    unsigned long constant = 0x04E0277F;   // value the target expects in line 1
    char name[102]         = {0};          // 99 chars + newline + NUL, plus 1 to detect overlong input
    FILE* REG_KEY;

    printf("   ____                     __       __\n");
    printf("  /  _/_ _  __ _  ___  ____/ /____ _/ /\n");
    printf(" _/ //  ' \\/  ' \\/ _ \\/ __/ __/ _ `/ /\n");
    printf("/___/_/_/_/_/_/_/\\___/_/  \\__/\\_,_/_/\n");
    printf("   ____                          __          __\n");
    printf("  / __ \\___ ___ _______ ___  ___/ /__ ____  / /____\n");
    printf(" / /_/ / -_|_-</ __/ -_) _ \\/ _  / _ `/ _ \\/ __(_-<\n");
    printf("/_____/\\__/___/\\__/\\__/_//_/\\_,_/\\_,_/_//_/\\__/___/\n\n");

    printf("\nCoffee Break 1.1 KeyGEN - d0NE bY TORN@DO in '99\n");
    printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n");
    printf("Name:   ");

    // fgets() bounds the read to the buffer size; gets() did not
    if (fgets(name, sizeof(name), stdin) == NULL)
    {
        printf("ERROR:  Couldn't read NAME!");
        return 0;
    }
    name[strcspn(name, "\r\n")] = '\0';    // strip the trailing newline

    if (strlen(name) < 1)
    {
        printf("ERROR:  NAME can't be less than 1 char long!");
        return 0;
    }

    if (strlen(name) > 99)
    {
        printf("ERROR:  NAME can't be greater than 99 chars long!");
        return 0;
    }

    EAX = 0;
    EBX = 1;
    CL  = 0;

    // XOR every char of the name into EBX (starting value 1)
    for (i = 1; i <= strlen(name); i++)
    {
        CL  = (unsigned char)name[i-1];    // zero-extend, like MOV CL,[EAX]
        EBX = EBX ^ CL;
    }

    // a name whose chars XOR to 1 leaves EBX = 0; don't divide by zero
    if (EBX == 0)
    {
        printf("ERROR:  This NAME gives EBX = 0, choose another one!");
        return 0;
    }

    EAX = constant;
    EAX = EAX / EBX;

    // create the keyfile
    if ((REG_KEY = fopen("REG.KEY", "wt")) == NULL)
    {
        fprintf(stderr, "ERROR:  Couldn't open REG.KEY for writing!\n");
        return -1;
    }

    // write in the data
    fprintf(REG_KEY, "%lu\n", constant);
    fprintf(REG_KEY, "%s\n",  name);
    fprintf(REG_KEY, "%lu",   EAX);

    // close the file
    fclose(REG_KEY);

    // file created successfully
    printf("Key file successfully created. Copy REG.KEY to your Coffee Break directory!\n");

    return 0;
}
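The check traced at 004379BD - 00437A1E can be modeled in C to show why it protects so little. This is an added example, not part of the original tutorial: the names fold_name, check_key and verdict are my own, and "BC" is a constructed input. It shows that the name contributes only one byte to the expected value and that the divisor is never checked for zero.

```c
#include <stdint.h>
#include <stdio.h>

#define MAGIC 0x04E0277F  /* constant compared at 004379F4 (81799039) */

enum verdict { KEY_OK, KEY_BAD, KEY_DIV_ZERO };

/* Loop at 004379D5-004379E3: EBX starts at 1, each name byte is XORed in. */
static uint32_t fold_name(const char *name)
{
    uint32_t ebx = 1;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        ebx ^= *p;      /* CL is zero-extended, so ebx never exceeds 0xFF */
    return ebx;
}

/* Model of the checks at 004379E5-00437A1E on the three key file lines. */
static enum verdict check_key(int32_t line1, const char *name, int32_t line3)
{
    uint32_t fold = fold_name(name);
    if (fold == 0)
        return KEY_DIV_ZERO;    /* IDIV EBX would raise a divide error */
    int32_t quotient = line1 / (int32_t)fold;
    if (line1 != MAGIC || quotient != line3)
        return KEY_BAD;
    return KEY_OK;
}

/* Number of different line-3 values the scheme can ever expect. */
static int distinct_expected_values(void)
{
    int count = 0;
    for (int32_t fold = 1; fold <= 0xFF; fold++) {
        int seen = 0;
        for (int32_t prev = 1; prev < fold && !seen; prev++)
            seen = (MAGIC / prev == MAGIC / fold);
        count += !seen;
    }
    return count;
}

int main(void)
{
    const char *name = "Cr@cking Tutori@l (PIRATED COPY)"; /* name from the page */
    printf("fold=%u verdict=%d\n", (unsigned)fold_name(name), check_key(MAGIC, name, 743627));
    printf("constructed name \"BC\": verdict=%d\n", check_key(MAGIC, "BC", 1));
    printf("distinct expected line-3 values: %d\n", distinct_expected_values());
    return 0;
}
```

Every value the check relies on (the constant, the fold and the division) sits in the client binary, and a name whose bytes XOR to 1 reaches IDIV with a zero divisor.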

 
 
Another target has been Reverse Engineered. Any questions (no crack requests)?

 

 
If you're USING Coffee Break BEYOND its FREE TRIAL PERIOD, then please BUY IT.


Copyright © 1999 by TORN@DO and The Immortal Descendants. All Rights Reserved.