Tutorial : Total reversing of Open Sesame 3.1
Target : Open Sesame 3.1 (http://www.geocities.com/SiliconValley/Vista/5610/)
Author : ManKind
Tools : SoftICE 3.25 (this is good software, worth buying)
Date : 10th September 1999

Descriptions / Comments : This is a simple program developed by some sixteen year old which can simplify your task of starting certain programs without using the Start Menu. Quite easy to fish its registration code, took me less than 15 minutes!.

This tutorial is copyright © 1999 ManKind.

Starting words:
Hello, welcome to my tutorial. I am ManKind, a newbie in cracking who wants to share my cracking experiences with other newbies. Contact me at mankind001@bigfoot.com


Part 1:Easy way of locating correct registration code

The process:

When you start this target, there is a splash screen and later a window. Press the 'Register' button on that window. Another smaller window will pop out and you should notice that the 'Register' button is disabled, fill in your name and code like for example, I fill in the following :-

Name:Sample Copy
Registration Code : 2319998

Next, after some filling of information, the 'Register' button will be enabled so now go into SoftICE and put a breakpoint on hmemcpy. For real newbies, this command will look as so :-

bpx hmemcpy

Go back to the registration window and press the 'Register' button. SoftICE will pop up, so press F5 once and later press F12 7 times. After that, the center of the screen (where there is a green line across the screen) should change to LAUNCHP!CODE+xxxxxxxx, if not continue pressing F12. Clear the breakpoint of hmemcpy because we don't need it anymore by typing bc * or bd * and press enter. Next, trace through all the code by pressing F10 until the white line of indicator is on top of the following code :-

0177:004302CE  CALL 004034CE

Now, press F8 to step into this call, and continue to step through until you reached here :-

0177:004034B3  CMP EAX,EDX

Type d eax, press enter and you should see your false registration code in the data window (upper right hand side). Type d edx, press enter and you should see your correct or real registration code in the data window but you have to be smart to sort out the code out of the other useless data like for example after sorting out, my code for the name 'Sample Copy' is 'i92wbtjnwu'. Now, you have reversed Open Sesame 3.1.

Additional/Extra Part or Stuff(s):

If you want to unregister, you can go to the Windows directory folder such as C:\Windows\, open the file sesame.INI and edit the [Register] section of it like this :-

[Register]
????=pickle
Name=Sample Copy

Change to:

[Register]
????=
Name=

Although this first way of easy locating of correct registration code is useful, it can be messy in the data window after you do this way a few times with different names and fake registration codes, so as an alternative of locating the code at the CMP instruction at address 004034B3, you can locate it at address 004034B 1(one line above the CMP instruction) with this command ->d edx because I think it will not be so messy in the data window. Note that the segment address given above may be different on your computer, you just have to follow my way and don't worry, the instruction will still be the same.


Part 2:Understanding the keygeneration routines
The process:

Well, you will ask that since we have already reversed Open Sesame, why should we ever need to understand the key generation routines of it? The answers are simple, firstly, this may serve as a keygen tutorial, secondly, we do this because we want to reverse Open Sesame totally. What I mean by totally? Totally means we know how the correct registration code is generated based on the name we enter.

This part is also easy owing to the simple key generation routine. Now, I'll will just give you a brief idea on said routine. By debugging the first part, one letter at a time, I discovered this (or you can also go into Open Sesame when SoftICE break on hmemcpy, disable hmemcpy breakpoint, set a breakpoint on address 004034B1 (refer to above) or 004034B3 (refer to above), press F5 to let SoftICE run and finally you will arrive at the place where you can just type 'd edx' to view your correct registration code) :-

A=9, B=x, C=j, D=4, E=t, F=5, G=p, H=y, I=c, J=3, K=v, L=b, M=2, N=e,
O=n, P=w, Q=o, R=m, S=i, T=1, U=r, V=l, W=7, X=k, Y=u, Z=8, 
any other character including space = null.

Condition : There is no difference between upper case and lower case letters, that means A=9 then a=9 also. The name must at least contain a letter from A to Z or else it will be an invalid name. The code will be counted from left to right like for example :-

S a m p l e C o p y
i 9 2 w b t j n w u

With this information, it will not be too hard for you to code a keygen. In fact I have included a C++ source of a simple Open Sesame 3.1 keygen below (written by a friend of mine) and slightly edited by myself. It was compiled under Visual C++ 6.0 but should work under any other C++ compiler.

#include <ctype.h> // toupper, isupper
#include <stdio.h> // printf, fflush
#include <conio.h> // getche

void main() {
      //Introduction
      printf("======================== \n");
      printf("|        Open Sesame Keygen by      | \n");
      printf("|                    ManKind                  | \n");
      printf("======================== \n");
 
      // I want the user to input his name
      // Prompt the user
      printf("Please enter your name:");
      fflush(stdout); // make sure the prompt is flushed from output buffer to the screen
      // read the name into an array of characters
      char UserName[100]; // Note: this may crash if you enter more than 100 characters
      gets(UserName);
 
      // Then I want to read his name and make the following above substitution
      // define the new alphabet as a lookup table with an entry for
      // each caharcter.
      char Lookup[] = "9xj4t5pyc3vb2enwomi1rl7ku8";
 
      // Condition:There are no difference between upper case alphabets with
      // lower case alphabets, that mean A=9 then a=9 also.
      // Eliminate invalid letters by writing the translated
      // character at a different position.
      char *P, *Q;
      for (P = Q = UserName; *P; ++P) {
           unsigned Index = toupper(*P) - 'A'; // place in lookup table
           if (Index < sizeof Lookup) *Q++ = Lookup[Index]; // translate
      }
      *Q = '\0'; // terminate the translated string
 
      // I want to display the registration code after substitution of the user's name
      // Note: this will end as soon as a null character is found
      printf("Registration Code = %s\n", UserName);
 
      // wait for a keypress before exiting
      getche();
}


Ending:

Thanks to : +ORC, Sandman, HarvestR, tKC, ytc_, Kwai_Lo, TORN@DO, CrackZ and other crackers and individuals who provide me with their tutorials and tools.

Greets to : HarvestR, tKC, ytc_, Kwai_Lo, TORN@Do, CiA, Phrozen Crew, other cracking groups and all crackers.

Service for ManKind
ManKind
mankind001@bigfoot.com
http://surf.to/mrep