http://www.thornsoft.com - Webpage.
FTP File Name: ClipMT50.exe (file size : 1,325,056 bytes)
Registration is via selecting the 'Help' menu option then choosing the 'Enter Registration Key' option. Here you will be asked to enter:
Licensed to :
Registration Key :
The registration code is evidently based on what you type in for your name/handle.
1. Deep within your System Registry it uses the following branch to store its program settings and User Registration: HKEY_CURRENT_USER\Software\Thornsoft\ClipMate5\Registration
2. It's a 30 day, time limited program that will 'expire' 30 days after being installed.
Run ClipMate - click on Help - Select Enter Registration Key....fill out the entries in registration screen with our name and our favourite key ..... We'll use these for this essay :
Licensed To : widYa@cL 2011
Registration Key : 0101010
..press [validate key]...*boom*...error...This is an invalid...bla..bla..bla... [huh.no big deal]...Quit ClipMate, we're gonna do a "fast" serial crack... fire up W32Dasm and disassemble Clipmt50.exe...once it's disassembled, click STRING DATA REFERENCE, look down for the string :
"This Is An Invalid Name/Number Combination"
..Close SDR window, and we'll see these:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
:004D934F(C), :004D9360(C), :004D9371(C), :004D9382(C) --> these 4 conditional jumps lead us to the invalid message..
:004D9483 PUSH 00000000
:004D9485 MOV CX, WORD PTR [004D94CC]
:004D948C MOV DL, 01
* Possible StringData Ref from Code Obj ->"This Is An Invalid Name/Number Combination"
:004D948E MOV EAX, 004D9730
:004D9493 CALL 00459F94
...press [SHIFT+F12], goto code location 004D934F... we land here ...
:004D9342 MOV EAX, DWORD PTR [00502298] ; hmm..what's this ..!!
:004D9347 CALL 004094E0 ; last call before comparison
:004D934C CMP EAX, 0000000D ; first comparison..
:004D934F JNZ 004D9483 ; our 1'st bad jump
...we're gonna set a breakpoint at 004D9342......but first we'll have to set some breakpoints to get into ClipMate's code....now enter the registration screen again ... fill out the entries... DO NOT push [Validate Key] yet.....press [CTRL+D] to get into SoftICE....
BPX GetWindowTextA [Enter]
BPX GetDlgItemTextA [Enter]
BPX MessageBoxA [Enter]
X [Enter] ; leave SoftICE 'n back to ClipMate.
..push [VALIDATE KEY]...Huh...nothing happens...!..let's try the "Famous" one ....
BC* [Enter] ; clear all breakpoints
BPX HMEMCPY [Enter]
X [Enter]
..push [VALIDATE KEY]...#BOOM#.....press F12 about 7 times..now we're in ClipMate code ..clear the HMEMCPY breakpoint 'coz we don't need it anymore.. ..Now let's set a breakpoint at 004D9342..
BC* [Enter]
BPX 004D9342 [Enter]
X [Enter]
..#BOOM#...ClipMate is totally under our control... aah..we're here now..let's analyze the code...
:004D9342 MOV EAX, [00502298] ; EAX contains our dummy key ..cool !
:004D9347 CALL 004094E0 ; this call calculates (gets - CrackZ) our key length
:004D934C CMP EAX, 0D ; compare our dummy key length with 13dec.
:004D934F JNZ 004D9483 ; if not equal then jump to hell (1'st jump)
...what do we see from here..to pass the first bad jump the key length must be 13..which means the correct key length is 13.....hurra..let's change our key 'n make sure the key length=13...
X [ENTER]- [OK] - change key to '0101010101010' - [VALIDATE KEY] - *BOOM* - F10 x4 ; now we pass 1'st bad jump..
:004D9355 LEA EAX, [EBP-0E]   ; hmm..what's in here ? Type D EAX.. you'll see G017367056946 in the Data Window ; it could be our correct key.. let's continue anyway.. 'coz our target is to bypass those 4 bad jumps...
:004D9358 CALL 004094E0       ; calculate a key length ..again.? (this time EAX points at the key at [EBP-0E], not ours)
:004D935D CMP EAX, 0D         ; feel better ??..
:004D9360 JNZ 004D9483        ; if not equal then jump to hell (2'nd jump)
; we pass the 2'nd bad jump...
:004D9366 MOV EAX, [00502298] ; EAX now contains our dummy key..
:004D936B MOV AL, [EAX+03]    ; AL contains char(3) of our dummy key (count starts from 0, so it's the 4th char) : '1'
:004D936E CMP AL, [EBP-0B]    ; compare it with char(3) of the correct key ([EBP-0E]+3) : '7'
0 1 0 1 0 1 0 1 0 1 0 1 0 ; our dummy key
X X X 7 X X X X X X X X X ; the correct key, only the checked char shown
now..let's change char(3) of our key to '7' - X [ENTER] - [OK] - change key to '0107010101010' - [VALIDATE KEY] - *BOOM* - F10 x11 (CrackZ - you could just edit memory manually rather than repeating this).
:004D9371 JNZ 004D9483        ; if not equal then jump to hell (3'rd jump)
; ..hey..we passed the 3'rd jump..cool.. one more jump to pass...'n we'll be a good buyer..!
:004D9377 MOV EAX, [00502298] ; EAX now contains our dummy key..
:004D937C MOV AL, [EAX+0C]    ; AL contains char(12) (the last char) of our key : '0'
:004D937F CMP AL, [EBP-02]    ; compare it with char(12) of the correct key ([EBP-0E]+12) : '6'
0 1 0 7 0 1 0 1 0 1 0 1 0 ; our dummy key
X X X 7 X X X X X X X X 6 ; the correct key, only the checked chars shown
:004D9382 JNZ 004D9483        ; if not equal then jump to hell (4'th jump)
..so change the last char to '6' as well (key '0107010101016', or just edit it in memory) - [VALIDATE KEY] - *BOOM* - F10 past the 4'th jump..
;..hurrah.......phew..at last..we have succeeded in passing those 4 'stupid' conditional jumps....now.. let's give 'the control' to ClipMate to do the rest....BD* (to disable our breakpoints) - X (to leave SoftICE 'n leave ClipMate to do his homework).... aah..there is a message waiting 4 us..." You have successfully registered ClipMate. Thank You " - [OK] - You're Welcome ..
..are you thinking what i'm thinking..?! ....(yeah..we need more coffee 'n some cigars...) ..re-run ClipMate and click on Help - About..and we will see this...
Licensed To : widYa@cL 2011 16 User License
..!^#*+...where did that '16' come from ?!....hmm...remember G017367056946...let's put G017367056946 in as the Registration Key..perhaps we'll see some differences....but..you have to Un-Register ClipMate first.... We can do this in 2 ways :
1. Select Config in Clipmate - User Preferences - Click Advanced Tab - Reset All Settings To Defaults - [YES] - [OK] - [OK]
2. Run Regedit - Goto HKEY_CURRENT_USER\Software\Thornsoft\ClipMate5\ - Delete Registration key
..now enter the registration screen..again....
Licensed To : widYa@cL 2011
Registration Key : G017367056946
"You have successfully registered ClipMate. Thank You " - [OK]....look again in Help - About..
Licensed To : widYa@cL 2011 Single User License
..hmmm.....which part of the key makes us a Single or a 16 User License.?!......
..are you thinking what i'm thinking..?! (yeah..perhaps...we should be a cop..!!)
..single means 1 (right ?!) 1 in hexadecimal is 01 and 16 in hexadecimal is 10..... look at the table below.
0 1 0 7 0 1 0 1 0 1 0 1 6 ; 16 User License
G 0 1 7 3 6 7 0 5 6 9 4 6 ; Single User License
...let's draw a conclusion from our short 'party' above...
...These are the rules for a Correct Registration Key : (Notes: Char(Position))
1. The correct key length is 13
2. We're only concerned with char(1), char(2), char(3) and char(12)
0 1 2 3 4 5 6 7 8 9 10 11 12 ; position
X X X X X X X X X X X  X  X  ; key
3. char(1) and char(2) give the number of User licenses as one hex byte. Syntax: 00h-FFh (0-255 Dec).
4. The rest of the chars are totally free (you can use any chars)
..hey...how do we generate char(3) and char(12)....?!....hurrah...let's start tracing again......but where do we start..??
:004D9342 MOV EAX, [00502298] ; we saw our dummy key in EAX here, right..
..since the correct key is based on what we typed for our name...we have to be suspicious when we see our name in the Data Window..and it can't be far from here... You can start from 004D92DD... BPX 004D92DD...snip....snip.....snip.....
:004D92FC LEA ECX, [EBP+FFFFFED8] ; D ECX here...kewl..it's our name.....
:004D9302 MOV EDX, 00000001
:004D9307 CALL 0046F8B8 ; keygen routine..F8 here
I'll leave you to trace this 'exciting' call on your own from here ...but i should finish this tutor anyway....
..here is what i got ....
A. Take all chars within "A..Z" : widYacl
B. Change to uppercase : WIDYACL
C. If our name is less than 10 chars ... repeat it until it's 10 chars : WIDYACLWID
   If our name is more than 10 chars ... cut it to 10 chars
D. Only the first 10 chars are used to generate our license key, which means: widYa chandRa and widYa chandRa leSmaNa generate the same key
E. If our name doesn't have any char within 'A..Z'...then char(3) is 9 and char(12) is 0
F. The calculation for char(3) and char(12)
Licensed To : widYa@cL 2011
Correct Code Syntax : G%2x%d%d%d%d%d%d%d%d%d%d
0  1  2  3  4  5  6  7  8  9  ; position
W  I  D  Y  A  C  L  W  I  D  ; char
57 49 44 59 41 43 4C 57 49 44 ; hex value
Hex value of Char(0) mod 0Ah --> the result is our char(3) : 57 % A = 7
Hex value of Char(9) * 2 mod 0Ah --> the result is our char(12) : (44+44) % A = 6
.....now we are free to generate our favourite registration key ; OFF7CRACKERZ6
....and G017367056946 comes from :
57 % A = 7
49*1 % A = 3
44*2 % A = 6
59*3 % A = 7
41*4 % A = 0
43*5 % A = 5
4C*6 % A = 6
57*7 % A = 9
49*8 % A = 4
(44+44) % A = 6
..put the 'gift' from ClipMate (G01) in front : G017367056946.....now you can make a key generator in your favourite language...
..party is over.....
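To finish with something you can actually run, here is an added key generator plus validator written for this page (example code, not ClipMate's own routine and not part of the original essay). It implements rules A-F and the four checks traced at 004D934F, 004D9360, 004D9371 and 004D9382 in the same order. The per-position multipliers (1 for char 0, the position index for chars 1-8, 2 for char 9) and the `G` + two-hex-digit prefix are read off the worked numbers above; the zero filler used for a name with no letters is an assumption, since the program only ever compares char(3) and char(12).

```python
import re

KEY_LENGTH = 13    # the CMP EAX, 0D at 004D934C and 004D935D
NAME_LENGTH = 10   # only the first 10 letters feed the key (rule D)

# Multiplier per name position, taken from the worked numbers in the essay:
# char 0 is used as-is, chars 1..8 are multiplied by their index, char 9 by 2.
MULTIPLIERS = [1, 1, 2, 3, 4, 5, 6, 7, 8, 2]


def normalize_name(name):
    """Rules A-C: keep only letters, upper-case them, then repeat or cut
    the result to exactly 10 chars. Returns '' when there are no letters."""
    letters = re.sub(r"[^A-Za-z]", "", name).upper()
    if not letters:
        return ""
    while len(letters) < NAME_LENGTH:
        letters += letters
    return letters[:NAME_LENGTH]


def clipmate_key(name, users=1):
    """Rebuild the key ClipMate's own routine produces for a name
    (the essay's 'G%2x%d%d%d%d%d%d%d%d%d%d' syntax).
    `users` goes into char(1)-char(2) as one hex byte (00h-FFh, rule 3)."""
    if not 0 <= users <= 0xFF:
        raise ValueError("user count must fit in one byte (00h-FFh)")
    n = normalize_name(name)
    if not n:
        # Rule E: no letters at all -> char(3) is 9 and char(12) is 0.
        # The eight digits in between are never checked; zeros are an
        # arbitrary filler (assumption, not something the essay traced).
        digits = "9" + "0" * 8 + "0"
    else:
        digits = "".join(str((ord(c) * m) % 10) for c, m in zip(n, MULTIPLIERS))
    return "G%02X%s" % (users, digits)


def expected_check_chars(name):
    """The only two chars the program compares: char(3) and char(12)."""
    key = clipmate_key(name)
    return key[3], key[12]


def validate(name, key):
    """The four conditional jumps at 004D934F/60/71/82, in the same order:
    the first mismatch sends the program to the invalid-combination message."""
    correct = clipmate_key(name)          # the buffer at [EBP-0E]
    if len(key) != KEY_LENGTH:            # 1st jump: length of what we typed
        return False
    if len(correct) != KEY_LENGTH:        # 2nd jump: length of the generated key
        return False
    if key[3] != correct[3]:              # 3rd jump: [EAX+03] vs [EBP-0B]
        return False
    if key[12] != correct[12]:            # 4th jump: [EAX+0C] vs [EBP-02]
        return False
    return True


def user_count(key):
    """Rule 3: char(1)-char(2) read as a hex byte give the licence count."""
    return int(key[1:3], 16)


if __name__ == "__main__":
    name = "widYa@cL 2011"
    print(normalize_name(name))     # WIDYACLWID
    print(clipmate_key(name))       # G017367056946
    # the keys tried in the essay, plus the hand-made 255-user one
    for k in ("0101010", "0101010101010", "0107010101010",
              "0107010101016", "OFF7CRACKERZ6"):
        users = user_count(k) if len(k) == KEY_LENGTH else "-"
        print(k, validate(name, k), users)
```

Because only char(3) and char(12) are tied to the name, `validate` accepts any 13-char string with those two digits right, which is exactly why 0107010101016 registers as a 16 User License and OFF7CRACKERZ6 as a 255 user one.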
Essay by: widYa-cL 2011
Page Created: January 29, 1999