An asm keygenerator code
("Hypersnap-DX version 3.02 Key generator")
STUPID

by +SNiKkEL
cracker

(28 July 1997 ~ Updated 25 January 1998)


Courtesy of Fravia's page of reverse engineering

Well, another of these stupid protections with crackers' handles inside them... a "blacklist" of names as +SNiKkEL calls it... study the asm code, understand +SNiKkEL's reverse engineering effort and learn!
Here is +SNiKkEL's email snippet:
...thanx to +ORC and you I can now write something like this source
code for a license code generator... for educational purposes.
I put some comments with it so it's pretty much self explanatory...
Indeed it is, a bright essay, by the way... May be we should from now on leave the "deep explanations" stuff (with heavy code disassembly) and simply publish good commented ASM code of the complete solution... lusers would not be able to follow (and this would be nice :-) yet people that understand a little our work would enjoy it much more...
(dunno, it's just a suggestion, let me know what you think :-)
HERE WE GO:
.model small .stack 100h .data ;****************************************************************************** ; variables for code gen ; ;****************************************************************************** header DB ' Hypersnap-DX 3.02 license generator by +SNiKkEL',0ah,0dh,0ah,0dh,'$' info DB 0ah,0dh,' for some reason they decided to insert a ',027h,'-',027h,' into the code',0ah,0dh DB ' invalid names are:',0ah,0dh DB ' xygorf, Saltine, super user, tHATDUDE, ED!SON and hacker... sigh',0ah,0dh db 0ah,0dh,'enter any name:',0ah,0dh,' $' notright db 0ah,0dh,' your name must contain at least one letter',0ah,0dh,'$' should_be DB 'WORDXCJOSEFMENGELEJOSE',0 ;this is the regcode before 'encryption' ;WOR = world license (SIT = site license) DXC = some check ;the rest is the name; snikkel will be SNIKKELSNIKKELSN ;the alphabet will be A t/m F + L t/m o + U t/m Z (over 16 chars) ;according to this principle: divide total letters in name by 2 ;sub 2 from answer and get 4 chars from beginning of name+answer ;put those 4 after first 6 chars, then put the last 6 letters in the ;name at the end (spaces, numbers etc are ignored, all letters must be capitalized) fifthchar db 0ah,0dh,0ah,0dh,'what would you like to be the 5th letter in your code?',0ah,0dh db ' enter anything from a to z',0ah,0dh,' $' wrong db 'anything from a to z, isn',027h,'t that enuff?',0ah,0dh,' $' wagain db 'why don',027h,'t you just fuck off',0ah,0dh,'$' whatkind db 0ah,0dh,'would you like a site or a worldwide license? (s or w)',0ah,0dh,' $' personals db 0ah,0dh,0ah,0dh,' your personal unlimited site license code is:',0ah,0dh,0ah,0dh,' $' personalw db 0ah,0dh,0ah,0dh,' your personal unlimited world-wide license code is:',0ah,0dh,0ah,0dh,' $' to_enter DB 'S2345678901234-6789012345',0ah,0dh,0ah,0dh,'$' ;the code will be put here ;the S is the fifth char on which the 1st letter depends encodestr DB 'XCFNAKSHIPZUJLDORGVQTEWYBM',0 ;according to this the letters will be 'encoded' checks Dw 0 ;checksum (last char) will be put here keyb db 033h,033h,034h dup (0) ;keyboard buffer, place for input ;****************************************************************************** ; end of data, begin of code ;****************************************************************************** .code start: JMP begin ;****************************************************************************** ; calculate code proc ;****************************************************************************** calculate PROC near mov ax,@data mov ds,ax mov es,ax xor bx,bx mov cx,00001h xor dx,dx go: mov si,offset should_be add si,bx MOV al,byte ptr [si] ;put byte of name you want in al cmp al,000h jz done mov si,offset to_enter cmp cx,00010h jnz dont_use_the_2D_for_calculating inc dx ;make it skip the '-' for calculating next inc dx dont_use_the_2D_for_calculating: add si,bx add si,dx mov ah,byte ptr [si] ;put byte in ah for substracting (adding) inc al cmp bx,00000h jz fifth jmp continue fifth: mov si,offset to_enter add si,00004h ;put the 1st char in should_be MOV [si],ah ;in the right place fer output sub dx,001h continue: sub ah,041h sub al,041h add al,ah cmp al,01ah jge rotate jmp continue2 rotate: sub al,01ah continue2: mov si,offset encodestr mov ah,000h add si,ax MOV al,byte ptr [si] cmp cx,0000eh jnz dont_overwrite_the_2D_check inc cx dec dx ; make it read the char before the '-' for calculating dont_overwrite_the_2D_check: cmp cx,00005h jg fifth2 jz incdx jmp continue3 incdx: inc dx fifth2: mov si,offset to_enter add si,cx MOV byte ptr [si],al inc bx inc cx jmp go continue3: mov si,offset to_enter add si,bx MOV byte ptr [si],al inc bx inc cx jmp go done: RET ;return calculate ENDP ;****************************************************************************** ; this part asks for name ;****************************************************************************** input PROC near mov ax,@data mov ds,ax mov es,ax MOV ah,09h mov dx,offset info ;spam info int 21h mov dx,offset keyb mov ah,0ah int 21h ;and get user name MOV AH,09H MOV DX,offset fifthchar ;display fifth char message INT 21H xor cx,cx get5char: mov ax,0c07h ;clear keyb buffer & wait for input int 21h cmp al,061h ; 'a' jge letsee cmp al,041h ; 'A' jge letsee2 jmp wrongg letsee: cmp al,07bh ;'z' jge wrongg sub al,020h jmp putitin letsee2: cmp al,05bh ;'Z' jge wrongg putitin: mov si,offset to_enter MOV byte ptr [si],al MOV AH,09H MOV DX,offset whatkind ;display question INT 21H getregmode: mov ax,0c07h ;clear keyb buffer & wait for input int 21h cmp al,073h ; 's' jz sitelic cmp al,041h ; 'S' jz sitelic cmp al,077h ;'w' jz worldlic cmp al,057h ;'W' jz worldlic jmp getregmode sitelic: mov si,offset should_be MOV byte ptr [si],'S' MOV byte ptr [si+1],'I' MOV byte ptr [si+2],'T' ret worldlic: mov si,offset should_be MOV byte ptr [si],'W' MOV byte ptr [si+1],'O' MOV byte ptr [si+2],'R' ret wrongg: cmp cx,001h jz wrongagain mov ah,09h mov dx,offset wrong int 21h inc cx jmp get5char wrongagain: mov ah,09h mov dx,offset wagain int 21h jmp exit ret input endp ;****************************************************************************** ; calculate checksum ;****************************************************************************** checksum PROC near mov ax,@data mov ds,ax mov es,ax xor cx,cx mov di,offset checks go2: mov si,offset should_be xor ax,ax cmp cx,016h jz cal_char add si,cx MOV al,byte ptr [si] ;put byte of calculated in al sub al,041h push ax push cx mov ax,cx mov cx,00002h div cx pop cx pop ax test dx,dx jz nodouble add ax,ax nodouble: cmp ax,0001ah jb allrighty sub ax,00019h allrighty: add [di],ax inc cx jmp go2 cal_char: mov ax,[di] mov cx,01ah xor dx,dx div cx mov bx,dx inc bl mov si,offset to_enter+017h ;added one here, made it read the last char mov bh,byte ptr [si] sub bh,041h add bl,bh cmp bl,01ah jge rotate2 jmp go_on rotate2: sub bl,01ah go_on: mov si,offset encodestr mov bh,000h add si,bx MOV bl,byte ptr [si] mov si,offset to_enter+018h ;added one here cause of the '-' mov byte ptr [si],bl RET checksum endp ;****************************************************************************** ; check and shape up user input ;****************************************************************************** read_input proc near mov ax,@data mov ds,ax mov es,ax xor dx,dx xor ax,ax xor cx,cx mov si,offset keyb mov al,byte ptr [si+1] ;get number of chars put in by user cmp al,000h jz step_no_input ;number is zero mov bx,ax add si,2 ;move si to beginning of input loopstart: cmp bx,000h jnz notalldone jmp reformat step_no_input: jmp no_input notalldone: mov al,byte ptr [si] cmp al,061h ; 'a' checking for letters or other chars jge letsee3 cmp al,041h ; 'A' jge letsee4 jmp nolet letsee3: cmp al,07bh ;'z' jge nolet sub al,020h ;capitalize jmp putitinmem letsee4: cmp al,05bh ;'Z' jge nolet putitinmem: mov di,si sub di,dx mov byte ptr [di],al dec bx inc si jmp loopstart nolet: inc dx dec bx inc si jmp loopstart reformat: xor bx,bx mov si,offset keyb mov bl,byte ptr [si+1] ;get number of chars put in by user sub bx,dx ;substract number of not-letters cmp bl,000h jz no_input cmp bl,010h jg strip ;if name is over 16, strip 6th to ... mov si,offset keyb ;if name is =< 16 chars, repeat till full add si,002h mov di,offset should_be add di,006h mov al,010h div bl ;full times to repeat is in al, remaining is in ah ;(bl= number of valid letters in code) loopje: mov si,offset keyb ;if name is =< 16 chars, repeat till full add si,002h mov cl,bl repz movsb ;put it in once dec al ;one done cmp al,000h ;check if needs repeating jz last_time ;no, go put in remaining jmp loopje ;yes, do it again last_time: mov si,offset keyb add si,002h mov cl,ah repz movsb ;put in the remaining chars ret strip: mov si,offset keyb add si,002h mov di,offset should_be add di,006h mov cl,006h repz movsb ;put 1st 6 in place xor ax,ax mov al,bl mov cl,002h div cl mov si,offset keyb xor cx,cx mov cl,al add si,cx ;put next 4 in place mov cl,004h repz movsb sub bl,004h ;six from end, the two non chars ;from beginning 'keyb' counted mov si,offset keyb add si,bx mov cl,006h repz movsb ret no_input: mov dx,offset notright mov ah,009h int 21h jmp exit read_input endp ;****************************************************************************** ; spam the code ";------------------------------------------------------------------------------.class" tppabs="http://fravia.org/;******************************************************************************.class" spam PROC near mov ax,@data mov ds,ax mov es,ax mov di,offset should_be mov al,byte ptr[di] cmp al,'S' MOV AH,09H jnz wormessage MOV DX,offset personals ;display personal message INT 21H jmp dispcode wormessage: MOV DX,offset personalw ;display personal message INT 21H dispcode: MOV AH,09H MOV DX,offset to_enter ;display right code INT 21H RET spam endp ;****************************************************************************** ; the main program ;****************************************************************************** begin PROC near mov ax,@data mov ds,ax mov es,ax MOV AH,09H MOV DX,offset header ;display header INT 21H CALL input ;get user input call read_input CALL calculate ;calculate code from input call checksum ;calculate last char CALL spam ;spam calculated code exit: MOV AX,4C00H ;and exit INT 21H begin ENDP END START
Well, +Snikkel sent an update on 25 January 1998... here it is, with his email:
here's the update to the hypersnap thingy.

severely,
+SNiKkEL

;hypersnap 3 keygen by +SNiKkEL ;16 bit exe, only tried with tasm .model small .stack 100h .data ;****************************************************************************** ; variables for code gen ; ;****************************************************************************** header DB ' Hypersnap-DX 3.08 license generator by +SNiKkEL',0ah,0dh,0ah,0dh,'$' info DB 0ah,0dh,' this one works all seasons ;)',0ah,0dh DB ' invalid names are:',0ah,0dh,0ah,0dh db ' Marcko, jackkuo, Monkey, abel, ALI-BABA, Unlimited World-Wide Lic, xygorf,',0ah,0dh db ' Gone Hyper, ^SaTaNa, -M-O-A-, Hypersnap, Alexander Chen, Saltine,',0ah,0dh DB ' super user, tHATDUDE, ED!SON and hacker... sjees',0ah,0dh db 0ah,0dh,'enter any name:',0ah,0dh,' $' notright db 0ah,0dh,' your name must contain at least one letter',0ah,0dh,'$' should_be DB 'WORDXCJOSEFMENGELEJOSE',0 ;this is the regcode before 'encryption' ;WOR = world license (SIT = site license) DXC = some check ;the rest is the name; snikkel will be SNIKKELSNIKKELSN ;the alphabet will be A t/m F + L t/m o + U t/m Z (over 16 chars) ;according to this principle: divide total letters in name by 2 ;sub 2 from answer and get 4 chars from beginning of name+answer ;put those 4 after first 6 chars, then put the last 6 letters in the ;name at the end (spaces, numbers etc are ignored, all letters must be capitalized) fifthchar db 0ah,0dh,0ah,0dh,'what would you like to be the 5th letter in your code?',0ah,0dh db ' enter anything from a to z',0ah,0dh,' $' wrong db 'anything from a to z, isn',027h,'t that enuff?',0ah,0dh,' $' wagain db 'why don',027h,'t you just fuck off',0ah,0dh,'$' whatkind db 0ah,0dh,'would you like a site or a worldwide license? (s or w)',0ah,0dh,' $' personals db 0ah,0dh,0ah,0dh,' your personal unlimited site license code is:',0ah,0dh,0ah,0dh,' $' personalw db 0ah,0dh,0ah,0dh,' your personal unlimited world-wide license code is:',0ah,0dh,0ah,0dh,' $' to_enter DB '1234-5678-9012-3456-7890-1234',0ah,0dh,0ah,0dh,'$' ;the code will be put here encodestr DB 'XCFNAKSHIPZUJLDORGVQTEWYBM',0 ;according to this the letters will be 'encoded' checks Dw 0 ;checksum (last char) will be put here keyb db 033h,033h,034h dup (0) ;keyboard buffer, place for input temp DB 'S23412341234123412341234',0 ;place for temporary key without dashes ;the S is the fifth char on which the 1st letter depends ;it gets put in the fifth place in the code ;****************************************************************************** ; end of data, begin of code ;****************************************************************************** .code start: JMP begin ;****************************************************************************** ; calculate code proc ;****************************************************************************** calculate PROC near mov ax,@data mov ds,ax mov es,ax xor bx,bx mov cx,00001h xor dx,dx go: mov si,offset should_be add si,bx MOV al,byte ptr [si] ;put byte of name you want in al cmp al,000h jz done mov si,offset temp add si,bx add si,dx mov ah,byte ptr [si] ;put byte in ah for substracting (adding) inc al cmp bx,00000h jz fifth jmp continue fifth: mov si,offset temp add si,00004h ;put the 1st char in should_be MOV [si],ah ;in the right place fer output sub dx,001h continue: sub ah,041h sub al,041h add al,ah cmp al,01ah jge rotate jmp continue2 rotate: sub al,01ah continue2: mov si,offset encodestr mov ah,000h add si,ax MOV al,byte ptr [si] do_not_loop: cmp cx,00005h jg fifth2 jz incdx jmp continue3 incdx: inc dx fifth2: mov si,offset temp add si,cx MOV byte ptr [si],al inc bx inc cx jmp go continue3: mov si,offset temp add si,bx MOV byte ptr [si],al inc bx inc cx jmp go done: RET calculate ENDP ;****************************************************************************** ; this part asks for name ;****************************************************************************** input PROC near mov ax,@data mov ds,ax mov es,ax MOV ah,09h mov dx,offset info ;spam info int 21h mov dx,offset keyb mov ah,0ah int 21h ;and get user name MOV AH,09H MOV DX,offset fifthchar ;display fifth char message INT 21H xor cx,cx get5char: mov ax,0c07h ;clear keyb buffer & wait for input int 21h cmp al,061h ; 'a' jge letsee cmp al,041h ; 'A' jge letsee2 jmp wrongg letsee: cmp al,07bh ;'z' jge wrongg sub al,020h jmp putitin letsee2: cmp al,05bh ;'Z' jge wrongg putitin: mov si,offset temp MOV byte ptr [si],al MOV AH,09H MOV DX,offset whatkind ;display question INT 21H getregmode: mov ax,0c07h ;clear keyb buffer & wait for input int 21h cmp al,073h ; 's' jz sitelic cmp al,041h ; 'S' jz sitelic cmp al,077h ;'w' jz worldlic cmp al,057h ;'W' jz worldlic jmp getregmode sitelic: mov si,offset should_be MOV byte ptr [si],'S' MOV byte ptr [si+1],'I' MOV byte ptr [si+2],'T' ret worldlic: mov si,offset should_be MOV byte ptr [si],'W' MOV byte ptr [si+1],'O' MOV byte ptr [si+2],'R' ret wrongg: cmp cx,001h jz wrongagain mov ah,09h mov dx,offset wrong int 21h inc cx jmp get5char wrongagain: mov ah,09h mov dx,offset wagain int 21h jmp exit ret input endp ;****************************************************************************** ; calculate checksum ;****************************************************************************** checksum PROC near mov ax,@data mov ds,ax mov es,ax xor cx,cx xor dx,dx ;(?, dx=0002 gave me an illegal opcode in windows with DIV CX) mov di,offset checks go2: mov si,offset should_be xor ax,ax cmp cx,016h jz cal_char add si,cx MOV al,byte ptr [si] ;put byte of calculated in al sub al,041h push ax push cx mov ax,cx mov cx,00002h div cx pop cx pop ax test dx,dx jz nodouble add ax,ax nodouble: cmp ax,0001ah jb allrighty sub ax,00019h allrighty: add [di],ax inc cx jmp go2 cal_char: mov ax,[di] mov cx,01ah xor dx,dx div cx mov bx,dx inc bl mov si,offset temp+016h mov bh,byte ptr [si] sub bh,041h add bl,bh cmp bl,01ah jge rotate2 jmp go_on rotate2: sub bl,01ah go_on: mov si,offset encodestr mov bh,000h add si,bx MOV bl,byte ptr [si] mov si,offset temp+017h mov byte ptr [si],bl RET checksum endp ;****************************************************************************** ; check and shape up user input ;****************************************************************************** read_input proc near mov ax,@data mov ds,ax mov es,ax xor dx,dx xor ax,ax xor cx,cx mov si,offset keyb mov al,byte ptr [si+1] ;get number of chars put in by user cmp al,000h jz step_no_input ;number is zero mov bx,ax add si,2 ;move si to beginning of input loopstart: cmp bx,000h jnz notalldone jmp reformat step_no_input: jmp no_input notalldone: mov al,byte ptr [si] cmp al,061h ; 'a' checking for letters or other chars jge letsee3 cmp al,041h ; 'A' jge letsee4 jmp nolet letsee3: cmp al,07bh ;'z' jge nolet sub al,020h ;capitalize jmp putitinmem letsee4: cmp al,05bh ;'Z' jge nolet putitinmem: mov di,si sub di,dx mov byte ptr [di],al dec bx inc si jmp loopstart nolet: inc dx dec bx inc si jmp loopstart reformat: xor bx,bx mov si,offset keyb mov bl,byte ptr [si+1] ;get number of chars put in by user sub bx,dx ;substract number of not-letters cmp bl,000h jz no_input cmp bl,010h jg strip ;if name is over 16, strip 6th to ... mov si,offset keyb ;if name is =< 16 chars, repeat till full add si,002h mov di,offset should_be add di,006h mov al,010h div bl ;full times to repeat is in al, remaining is in ah ;(bl= number of valid letters in code) loopje: mov si,offset keyb ;if name is =< 16 chars, repeat till full add si,002h mov cl,bl repz movsb ;put it in once dec al ;one done cmp al,000h ;check if needs repeating jz last_time ;no, go put in remaining jmp loopje ;yes, do it again last_time: mov si,offset keyb add si,002h mov cl,ah repz movsb ;put in the remaining chars ret strip: mov si,offset keyb add si,002h mov di,offset should_be add di,006h mov cl,006h repz movsb ;put 1st 6 in place xor ax,ax mov al,bl mov cl,002h div cl mov si,offset keyb xor cx,cx mov cl,al add si,cx ;put next 4 in place mov cl,004h repz movsb sub bl,004h ;six from end, the two non chars ;from beginning 'keyb' counted mov si,offset keyb add si,bx mov cl,006h repz movsb ret no_input: mov dx,offset notright mov ah,009h int 21h jmp exit read_input endp ;****************************************************************************** ; spam the code ";------------------------------------------------------------------------------.class" tppabs="http://fravia.org/;******************************************************************************.class" spam PROC near mov ax,@data mov ds,ax mov es,ax mov di,offset should_be mov al,byte ptr[di] cmp al,'S' MOV AH,09H jnz wormessage MOV DX,offset personals ;display personal message INT 21H jmp dispcode wormessage: MOV DX,offset personalw ;display personal message INT 21H dispcode: MOV AH,09H MOV DX,offset to_enter ;display right code INT 21H RET spam endp ;****************************************************************************** ; put stuff in place ;****************************************************************************** move_stuff proc near mov ax,@data mov ds,ax mov es,ax xor dx,dx mov si,offset temp mov di,offset to_enter agin: mov cx,00004h ;copy 4 repz movsb cmp dx,00005h jz yes inc dx inc di ;skip 1 jmp agin yes: ret move_stuff endp ;****************************************************************************** ; main program ;****************************************************************************** begin PROC near mov ax,@data mov ds,ax mov es,ax MOV AH,09H MOV DX,offset header ;display header INT 21H CALL input ;get user input call read_input CALL calculate ;calculate code from input call checksum ;calculate last char call move_stuff ;move from temp into to_enter CALL spam ;spam calculated code exit: MOV AX,4C00H ;and exit INT 21H begin ENDP END START (c) +SNikkel 1997. All rights reserved.
You are deep inside fravia's page of reverse engineering, choose your way out:

homepage links red anonymity +ORC students' essays tools cocktails
antismut CGI scripts Javascript wars search_forms mail_fravia+
is reverse engineering legal?