LaunchPad v2.87 - Tutorial - Webpage ( (375k)).

In this tutorial (aimed at new or first time keygen makers), I'll take you through step-by-step the processes and stages I follow when making a key generator. The nature of making a keygen requires your complete understanding of the mechanism used by the program to compute your code. Without further ado launch LaunchPad (no pun intended) and select the Register option, 2 dialog boxes (Name & Registration Number) appear.

Insert your bogus details, I use CrackZ/12344321 most times, the first task is to locate the generating mechanism, you'll find that bpx GetWindowTextA serves you well (allow 2 breaks for both dialogs contents). As soon as you've returned to the caller of the 2nd break, slice to the meat of the protection by performing a memory search for your name.

s 30:0 l ffffffff 'CrackZ'

The first location will most likely be the one you are interested in (but note multiple instances if they exist), now breakpoint on the memory range. My name was found at cs:00741120 so my bpr looked as follows (you don't need to include the CS if its current, but I use it as good practice).

bpr 0167:00741120 00741120+5 rw

Just note the rw flags (read/write) and the +5 (that is 1 less than my names length). When you hit Ctrl+D you should find yourself at this code.

:004808A7 REPNZ
:004808A8 SCASB <-- Its a string length routine.

When this call returns you'll be back at address 00424925, here commences the protection, trace very slowly with F10 (don't trace any subfunctions just yet), just observe the 2 loops and the final calculation before the call to wsprintfA at 004249BE. Now lets work through slowly, the first loop uses all the letters of the user name to generate a value (in my case 7F2h - 2034). The next loop generates another value from the user name, the arithmetic doesn't differ but the condition depending on the sign flag is reversed, the result is (BB0h - 2992), the final result is obtained using the first 2 results, the larger result - the smaller + 64h (i.e. 2992 - 2034 + 100 = 1058).

Lets slowly convert this into a full ASM key generator.

Stage 1 - Create an opening logo, prompt for the user name, and declare the program strings. If you are at all serious about coding more than 1 key generator in your lifetime you'll probably decide to use a standard template for this stage.

Stage 2 - Add some error handling, don't allow invalid user names (determine the min/max name length) 28 and 6 in this example, users will thank you for graceful exits to DOS.

Stage 3 - Chart how the program generates your code, think in terms of the functions you will need to code. Determine how the program handles numbers and space (20h) characters. Keep an uppercasing routine in your store of regular code snippets.

Stage 4 - Code in stages and debug each to destruction, its easier to find run-time errors when your examing specific areas of the source code, debugging your 100k masterpiece at the end is NOT a good idea. Remember that comments aren't the sole domain of high-level languages :-).

Stage 5 - Add the output routine + necessary conversion routines. These should be fairly generic.


Optimising a key generators source code generally isn't important, most users after all won't notice any difference between a keygen with some slight inefficiencies and one which has been optimised. In most cases the only way to achieve a significant reduction in bytes is to reduce your message strings, unnecessary logo's for example. You might like to contrast the inefficient CTMailer key generator with this one I coded for LaunchPad. In this example I made some efforts to improve the efficiency, some operations have been optimised and the efficiency of the output routine has been improved.

Specific tips include using 16-bit registers if at all possible, certain maths operations such as MUL can be optimised using SHL/SHR. Some MOV's can be optimised by PUSH src, POP dest instructions. Saving values on the stack as opposed to using memory areas is also a smart move.

Newbies Return to Main Index

© 1999 by CrackZ. 14th January 1999.