Crystal FTP v.1.0 KeyGen
by friendship     

Webpage :
---------
http://www.casdk.com/


Tools required :
----------------
- SoftICE v3.2x.
- Hex Workshop v2.5x.


Introduction :
--------------
Hello again !

Any comments are welcome. I am short on comments, because I am not good at English,
but I try to explain as much as I can. I hope you all can understand. Crystal FTP
is a good FTP program, clever and friendly. Uploading or downloading files is very
easy and comfortable. I bet you will like it very much.


Essay :
-------
Fire up the program. Enter Registration section (help - purchase).

User Name     : gd@s[j)OAi                                   ( 16 chars )
Serial Number : 0909090909090909090909090909090909090909090909090  ( 49 numbers )

User name in hex code :
67 C4 64 B5 40 F1 73 5B 6A AC 29 F6 4F E5 41 69

The minimum length for the UserName is 16 characters. The Serial Number length is then 3 times
the length of the username.

(Use copy and paste to get the username in ASCII.)
Quit the program. It saves the registration into the Windows registry:

HKEY_CURRENT_USER\Software\Crystal Art Software\Crystal FTP\Setup

Then fire up Softice.

:bpx GetLocalTime  <-- break on the GetLocalTime call.
:                  <-- F5, back to Windows (return to caller)

Then, fire up Crystal FTP.
:004086B4  CALL    KERNEL32!GetLocalTime
:004086B9  MOV     CX,[ESP+0E]  <-- Crystal break here!
                                <-- CX = current date
:004086BE  MOV     DX,[ESP+0A]  <-- DX = current month 
:004086C3  MOV     AX,[ESP+08]  <-- AX = current year
:004086C8  CALL    004084EC     <-- calculate the time, save the flags.
:004086CD  FSTP    REAL8 PTR [ESP]
:004086D0  WAIT
:004086D1  FLD     REAL8 PTR [ESP]
:004086D4  ADD     ESP,18
:004086D7  RET

After some tracing and breakpoints, here is the area where the regcode is analyzed:
:bd *              <-- Disable all the previous breakpoints
:bpx CS:48B7B4     <-- Set a breakpoint at this address
:                  <-- Press F5 to continue running the program

Here is the listing of the program:
:0048B7A7  MOV     EAX,[EBP-24]
:0048B7AA  CALL    00402DFC     <-- Setting the length/size of username & regcode
                                <-- save some flags.
:0048B7AF  CALL    00486904     <-- Analyze the serial number, then
                                <-- generate the username
:0048B7B4  TEST    AL,AL        <-- Break Here!
:0048B7B6  JNZ     0048B8F8     <-- Jump if good guy.


Crystal allocates dynamic memory to hold each generated username (8 bytes).
Alternatively, use this breakpoint in SoftICE to view the generated username code.

:bd *                <-- disable all breakpoints
:bpx cs:457A6B       <-- breakpoint at the address

Look at the EAX register. This is the username code (8 bytes) corresponding to a
24-character (8 x 3) block of the serial number. To see the result for the next 24
serial-number digits, just press F5.

Write it down. Make a new .txt document. Write 16 bytes ONLY, don't press Enter.
Then save it.

012345679123456

Then use a hex editor to edit the document: go to the hex area and write the bytes there. Save it.
Open the program, enter the Registration area, then copy and paste the username from the
document into the UserName field. Leave the Serial Number as it is.

Frankly, it is a little difficult to type a username made of random characters like that,
especially when a character is 00.

Here are the flowchart steps to generate the username code. All values are in bits (1 and 0).

1. Get the serial number and convert it to bits (0 and 1), so it takes 8 x 3 bytes (24 bytes).
   Take the 3rd up to the 27th digit of the serial number.
E.G. :
If the S/N = 000123708123700123708123700
(x1x2x3 x4x5x6 x7x8x9 and so on...)

x1x2x3 = 000 = not used, but necessary to add.
x4x5x6 = 123 = 07Bh = 0111 1011
x7x8x9 = 708 = 2C4h = take only the value below 256, so take C4 = 1100 0100
... and so on.

The result is saved at 6EFAB8 =
0 1 1 1 1 0 1 1 1 1 0 0 0 1 0 0   --> 7B C4
0 1 1 1 1 0 1 1 1 1 0 0 0 1 0 0   --> 7B C4
0 1 1 1 1 0 1 1 1 1 0 0 0 1 0 0   --> 7B C4
0 1 1 1 1 0 1 1 1 1 0 0 0 1 0 0   --> 7B C4

After that, the bit table at 6EFAB8 is used, according to the offset numbers in table 48DC3C,
to generate the bit tables saved at addresses 6EF758 and 6EF738.

2. Generate the bit table of the word 'bbeettaa' --> 62 62 65 65 74 74 61 61
   -- the bits of 'bbeettaa' are:
   0 1 1 0 0 0 1 0 0 1 1 0 0 0 1 0   --> 62 62
   0 1 1 0 0 1 0 1 0 1 1 0 0 1 0 1   --> 65 65
   0 1 1 1 0 1 0 0 0 1 1 1 0 1 0 0   --> 74 74
   0 1 1 0 0 0 0 1 0 1 1 0 0 0 0 1   --> 61 61
3. Take the bit table of 'bbeettaa' according to the offset numbers in table 48DF0C to
   generate two tables of 28 (1Ch) bytes length (6EFB28 and 6EFB0C).
4. Then generate 16 bit tables, each 48 (30h) bytes long. Save them at addresses
   6EF778 up to 6EFA77. Use table [0048DF44] as offsets, and [0048DF74] as the number of
   rotate-left steps applied to tables 6EFB28 and 6EFB0C.
   Luckily, these tables (6EF778 up to 6EFA77) are always the same.

Looping 16 times:
5. Take each byte of these 16 bit tables (no. 4) and XOR it with 6EF738 according to offset
   table 48DCBC, to generate the bit table saved at address 6EF6C0 (30h length).
6. After that, use the bit table 6EF6C0 to generate the bit table saved at address
   6EF6A0. This uses a random-looking mathematical selection to take each bit, and uses 8 tables
   too. The 8 tables are at addresses 48DD0C up to 48DF0C.
7. Use bit table 6EF6A0 to generate the bit table saved at address 6EF718.
8. XOR bit table 6EF718 with 6EF758 and save the result at 6EF718.
9. Move table 6EF738 to 6EF758.
10. Move table 6EF718 to 6EF738.
11. Loop from no. 5 up to no. 10, 16 times.

12. At last, it takes all the table bits from 6EF738 up to 6EF777 (40h bytes) according to the
    index (offset) of table [48DC7C] to generate the username (8 bytes).
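As an added example (not the essay's keygen and not Crystal FTP's own code), here is the serial-number decoding of step 1 in Python: three decimal digits per byte, value taken below 256, first triplet skipped, 24 digits per 8-byte block. It is run on a constructed serial of 000 followed by 123708 four times (which yields the 7B C4 rows shown above) and on the two-block serial from the combination example later in the essay.

```python
# Added example: decode the decimal serial-number format described in step 1.
# Not the essay's keygen; it only parses the serial into the 8-byte blocks
# that the program feeds into its bit tables.

def serial_to_blocks(serial: str) -> list:
    """Split a decimal serial into 8-byte blocks (first triplet is unused)."""
    if not serial.isdigit():
        raise ValueError("serial must contain decimal digits only")
    # 3 unused digits plus a whole number of 24-digit (8 x 3) blocks
    if len(serial) < 27 or (len(serial) - 3) % 24 != 0:
        raise ValueError("serial length must be 3 + n*24 digits")
    body = serial[3:]                       # drop x1x2x3, which is not used
    values = [int(body[i:i + 3]) % 256      # 708 -> 2C4h -> keep only C4h
              for i in range(0, len(body), 3)]
    return [bytes(values[i:i + 8]) for i in range(0, len(values), 8)]


def bit_rows(block: bytes) -> list:
    """Render a block as 16-bit rows (two bytes per row), as in the essay."""
    bits = "".join(f"{b:08b}" for b in block)
    return [bits[i:i + 16] for i in range(0, len(bits), 16)]


def format_rows(block: bytes) -> str:
    """Print the rows in the essay's layout: spaced bits, then the hex pair."""
    lines = []
    for i, row in enumerate(bit_rows(block)):
        hexpair = block[2 * i:2 * i + 2].hex(" ").upper()
        lines.append(" ".join(row) + "   --> " + hexpair)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed serial (repeats the 123708 pair from the essay's step 1).
    samples = ["000" + "123708" * 4,
               # Two-block serial from the essay's combination example.
               "111097098099100101102103105097098095095095095095095"]
    for s in samples:
        for blk in serial_to_blocks(s):
            print(blk.hex(" ").upper(), repr(blk))
            print(format_rows(blk))
```

Note that the second serial decodes to the plain ASCII blocks 'abcdefgi' and 'ab______', so the 24-digit groups are just bytes written as zero-padded decimal numbers.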

I used this scheme in my keygen program.

I honestly tell you, the keygen program took hours to generate the serial number
for a specified username. Until now, I don't know the serial number
for 'friendship'. :)

I wonder how the author of the program generates the serial number for a
specified username?

If it takes too long, you can break the keygen at any time. It generates the serial
number (in decimal) and the username (in hex and in ASCII).

Or you could make a combination: just take 8 chars of the UserName and 8 x 3 digits of the
serial number, like this, e.g.:

User Name     : AF^]aG
Serial Number : 111097098099100101102103105097098095095095095095095

Let's separate the serial number:
111 097098099100101102103105 097098095095095095095095

111                      = not used  <-- but necessary to add
097098099100101102103105 = AF^  <-- B4 19 BD 41 46 EF 5E B4
097098095095095095095095 = ]aG  <-- FB B3 5D 8B AF 61 A4 47

Use copy and paste to get the username in ASCII. Just remember, the minimum username is 16
chars, and 48 chars for the serial number.

If you see a file '_crystal.txt', you have got a temporary result.


That's all.
Bye for now.


PS :
----
1. Many thanks to +ORC and this wonderful site.
2. This tutorial is for educational purposes ONLY. The software author deserves 
   your support!
by friendship