How to Grab & Crack Encrypted Windows Passwords (Part 2)

Welcome back, my neophyte hackers!

Several of you have written me asking how to crack passwords. The answer, in part, depends upon whether you have physical access to the computer, what operating system you are running, and how strong the passwords are.

In this first installment on password cracking, we’ll assume the simplest arrangement; you’re running Windows, attacking Windows, and have physical access to the computer whose passwords you’re attempting to crack.

In future installments, we’ll look at cracking passwords remotely, with and on Linux operating systems, and cracking famous web applications such as Gmail and Facebook, so keep coming back!

Step 1 Download Pwdump3

Windows systems encrypt user passwords and store them in a file named SAM and store them in the following directory:

  • c:\Windows\system32\config

The first thing we need to do is grab this file. In an earlier article, we used Metasploit to hack into the malicious dictator’s computer and grab his password hashes.

We can also grab the hashes without Metasploit if we have physical access to a computer on the network. This can be done with a neat piece of software called pwdump3. It’s installed on BackTrack already, but you can download it for free on Windows using the link below.


How to Crack Passwords, Part 1 (Principles & Technologies)

Welcome back, my neophyte hackers!

I have already done a few tutorials on password cracking, including ones for Linux and Windows, WEP and WPA2, and even online passwords using THC Hydra. Now, I thought it might be worthwhile to begin a series on password cracking in general. Password cracking is both an art and a science, and I hope to show you the many ways and subtleties involved.

We will start with the basic principles of password cracking that are essential to ALL password cracking techniques, followed by some of the tools and technologies used. Then, one by one, I will show you how to use those principles and technologies effectively to crack or capture the various types of passwords out there.

The Importance & Methods of Password Cracking

Passwords are the most widely used form of authentication throughout the world. A username and password are used on computer systems, bank accounts, ATMs, and more. The ability to crack passwords is an essential skill to both the hacker and the forensic investigator, the latter needing to hack passwords for accessing the suspect’s system, hard drive, email account, etc.

Although some passwords are very easy to crack, some are very difficult. In those cases, the hacker or forensic investigator can either employ greater computing resources (a botnet, supercomputer, GPU, ASIC, etc.), or they can look to obtain the password in other ways.

These ways might include insecure storage. In addition, sometimes you don’t need a password to access password-protected resources. For instance, if you can replay a cookie, session ID, a Kerberos ticket, an authenticated session, or other resource that authenticates the user after the password authentication process, you can access the password protected resource without ever knowing the password.

Sometimes these attacks can be much easier than cracking a complex and long password. I will do a tutorial on various replay attacks in the near future (look out specifically for my upcoming article on stealing the Facebook cookie to access someone’s Facebook account).

Now, let’s start with the basics.

Step 1 Password Storage

In general, passwords are not stored in clear text. As a rule, passwords are stored as hashes. Hashes are one-way encryption that are unique for a given input. These systems very often use MD5 or SHA1 to hash the passwords.

In the Windows operating system, passwords on the local system are stored in the SAM file, while Linux stores them in the /etc/shadow file. These files are accessible only by someone with root/sysadmin privileges. In both cases, you can use a service or file that has root/sysadmin privileges to grab the password file (e.g. DLL injection with samdump.dll in Windows).

Step 2 Types of Attacks


A dictionary attack is the simplest and fastest password cracking attack. To put it simply, it just runs through a dictionary of words trying each one of them to see if they work. Although such an approach would seem impractical to do manually, computers can do this very fast and run through millions of words in a few hours. This should usually be your first approach to attacking any password, and in some cases, it can prove successful in mere minutes.

Rainbow Table

Most modern systems now store passwords in a hash. This means that even if you can get to the area or file that stores the password, what you get is an encrypted password. One approach to cracking this encryption is to take dictionary file and hash each word and compare it to the hashed password. This is very time- and CPU-intensive. A faster approach is to take a table with all the words in the dictionary already hashed and compare the hash from the password file to your list of hashes. If there is a match, you now know the password.

Brute Force

Brute force is the most time consuming approach to password cracking. It should always be your last resort. Brute force password cracking attempts all possibilities of all the letters, number, special characters that might be combined for a password and attempts them. As you might expect, the more computing horsepower you have, the more successful you will be with this approach.


A hybrid password attack is one that uses a combination of dictionary words with special characters, numbers, etc. Often these hybrid attacks use a combination of dictionary words with numbers appending and prepending them, and replacing letters with numbers and special characters. For instance, a dictionary attack would look for the word “password”, but a hybrid attack might look for “p@$$w0rd123”.

Step 3 Commonly Used Passwords

As much as we think each of us is unique, we do show some common patterns of behavior within our species. One of those patterns is the words we choose for passwords. There are number of wordlists that have been compiled of common passwords. In recent years, many systems have been cracked and passwords captured from millions of users. By using these already captured passwords, you are likely to find at least a few on the network you are trying to hack.

Step 4 Password Cracking Strategy

Many newbies, when they start cracking passwords, simply choose a tool and word list and then turn them loose. They are often disappointed with the results. Expert password crackers have a strategy. They don’t expect to be able to crack every password, but with a well-developed strategy, they can crack most passwords in a very short amount of time.

The key to develop a successful strategy of password cracking is to use multiple iterations, going after the easiest passwords with the first iteration to the most difficult passwords using different techniques for each iteration.

Step 5 Password Cracking Software


John the Ripper is probably the world’s best known password cracking tool. It is strictly command line and strictly for Linux. Its lack of a GUI makes a bit more challenging to use, but it is also why it is such a fast password cracker.

One of the beauties of this tool is its built in default password cracking strategy. First, attempts a dictionary attack and if that fails, it then attempts to use combined dictionary words, then tries a hybrid attack of dictionary words with special characters and numbers and only if all those fail will it resort to a brute force.


Ophcrack is a free rainbow table-based password cracking tool for Windows. It is among the most popular Windows password cracking tools (Cain and Abel is probably the most popular; see below), but can also be used on Linux and Mac systems.

Image by Ysangkok/Wikimedia Commons

It cracks LM and NTLM (Windows) hashes. For cracking Windows XP, Vista and Windows 7, you can download free rainbow tables. You can download Ophcrack on SourceForge, and you can get some free and premium rainbow tables for Ophcrack here.


L0phtCrack is an alternative to Ophcrack, and attempts to crack Windows passwords from hashes in the SAM file or the Active Directory (AD). It also uses dictionary and brute force attacks for generating and guessing passwords.

Image via L0phtCrack

L0phtCrack was acquired by Symantec and they promptly discontinued it in 2006. Later, L0phtCrack developers re-acquired this excellent password cracking tool and re-released it in 2009. You can download the tool here.

Cain and Abel

Cain and Abel just might be the best known password cracking tool on the planet. Written strictly for Windows, it can crack numerous hash types, including NTLM, NTLMv2, MD5, wireless, Oracle, MySQL, SQL Server, SHA1, SHA2, Cisco, VoIP, and many others.

Cain and Abel can crack passwords using a dictionary attack, rainbow attack, and brute force. One of its better features is the ability to select the password length and character set when attempting a brute force attack. And besides being an excellent password cracking tool, it is also a great ARP Poisoning and MiTM tool.


THC-Hydra is probably the most widely used online hacking tool. It is capable of cracking web form authentication, and when used in conjunction with other tools such as Tamper Data, it can be a powerful and effective tool for cracking nearly every type of online password authentication mechanism.

The initial help screen for Hydra.


Brutus is an online password cracking tool that many consider the fastest online password cracker. It is free and available on both Linux and Windows, and it supports password cracking in HTTP (Basic Authentication), HTTP (HTML Form/CGI), POP3, FTP, SMB, Telnet, and other types such as IMAP, NNTP, NetBus, etc.

Brutus has not been updated in quite awhile, but it can still be useful and since it is open source, you can update it yourself. Brutus can be downloaded here.


In my humble opinion, aircrack-ng is undoubtedly the best all-around Wi-Fi hacking software available. It is capable of cracking both WEP and WPA2, and it is also capable of doing the following, among many other things.

  1. Creating a Soft AP
  2. Creating an Evil Twin
  3. Creating a Rogue AP
  4. Conducting a DOS attack against a Wi-Fi AP

It is only available for Linux and requires a bit of a learning curve to master, but you will be richly rewarded for the time spent learning it. In addition, to be most effective you will need to use an aircrack-ng compatible wireless card, so check their extensive list before buying your card. You can find more info on aircrack-ng over in my Wi-Fi hacking series.

Aircrack-ng is built into BackTrack and Kali and can be downloaded here.

Step 6 Password Cracking Hardware


Password cracking is simply a function of brute force computing power. What one machine can do in one hour, two machines can do in a half hour. This same principle applies to using a network machines. Imagine what you can do if you could access a network of one million machines!

Some of the botnets available around the globe are more than a million machines strong and are available for rent to crack passwords. If you have a password that might take one year to crack with your single CPU, a million-machine botnet can cut that time to approximately 1 millionth the time, or 30 seconds!


GPUs, or graphical processing units, are much more powerful and faster than CPU for rendering graphics on your computer and for cracking passwords. We have a few tools built into Kali that are specially designed for using GPUs to crack passwords, namely cudahashcat, oclhashcat, and pyrit. Look for coming tutorials on using these tools and the GPU on your high-end video card to accelerate your password cracking.


In recent years, some devices have been developed specifically for hardware cracking. These application-specific devices can crack passwords faster than over 100 CPUs working symmetrically.

(1) Bitfury boards by Black Arrow, (2) Butterfly Labs processor, (3) Inside the Butterfly Labs Monarch.Images via Bitcoin Talk, CoinDesk, Gizmodo

Black Arrow Software and Butterfly Labs, among others, are now selling these devices for prices up to $1500 per.

That concludes our beginning lesson on the basics of general password cracking. Stay tuned for more lessons as we go more in-depth with specific examples of using some of the tools and methods we have just covered above.

How to Hack Web Apps, Part 1 (Getting Started)

Welcome, budding hackers!

Before attacking any website, it’s critical to do good reconnaissance. A few minutes of recon can save you hours on a hack. Simply trying various attacks without first finding which attacks the site is vulnerable is pure foolishness.

There are a number of tools and applications to find vulnerabilities in websites, but one of the phishing website simplest (and one of my favorites) is nikto.This small and simple tool examines a website and reports back to you the potential vulnerabilities that it found that you could use to exploit or hack the site. In addition, it’s one of the most widely used website vulnerabilities tools in the industry and in many circles considered the industry standard.

Although this tool is extremely useful and effective, it is NOT stealthy. Any website with an IDS or other security measures in place will detect that you are scanning it. Originally designed for security testing, it was never meant to be stealthy.

Step 1 Fire Up Kali & Open Nikto

Let’s fire up Kali and get started with nikto. Once we have Kali up and running, go to Kali Linux -> Vulnerability Analysis -> Misc Scanners -> nikto, like in the screenshot below.

Image via

Although there are many options in using nikto, we will limit ourselves here to the basic syntax, such as this:

  • nikto -h <IP or hostname>

Step 2 Scan the Web Server

Let’s start with a safe web server on our own network. In this case, I have started the http service on another machine on my network. There is not a website hosted by this machine, just the web server. Let’s scan it for vulnerabilities by typing:

  • nikto -h

Nikto responds with a lot of information, as you can see below.

First, it tells us the server is Apache 2.2.14, probably on Ubuntu. It nailed this info and gives up more information on other potential vulnerabilities on this web server.

Note near the bottom that it identifies some vulnerabilities with the OSVDB prefix. This is the Open Source Vulnerability Database. This is a database maintained of known vulnerabilities at, in addition to other databases I covered, such as SecurityFocus and Microsoft’s Technet.

Step 3 Scan the Site

Let’s try another site. In an earlier tutorial, we had hacked a web server named Let’s see what nikto can tell us about this site.

  • nikto -h

Once again, it identifies the server (Apache) and then proceeds to identify numerous potential vulnerabilities pre-fixed with OSVDB. We can take a look at that website at to learn more about these vulnerabilities.

Cracking WPA2-PSK Passwords

Welcome, my hacker novitiates!

As part of my series on hacking Wi-Fi, I want to demonstrate another excellent piece of hacking software for cracking WPA2-PSK passwords. In my last post, we cracked WPA2 using aircrack-ng. In this tutorial, we’ll use a piece of software developed by wireless security researcher Joshua Wright called cowpatty (often stylized as coWPAtty). This app simplifies and speeds up the dictionary/hybrid attack against WPA2 passwords, so let’s get to it!

Step 1 Find Cowpatty

Cowpatty is one of the hundreds of pieces of software that are included in the BackTrack suite of software. For some reason, it was not placed in the /pentest/wireless directory, but instead was left in the /usr/local/bin directory, so let’s navigate there.

  • cd /usr/local/bin

Because cowpatty is in the /usr/local/bin directory and this directory should be in your PATH, we should be able to run it from any directory in BackTrack.

Step 2 Find the Cowpatty Help Screen

To get a brief rundown of the cowpatty options, simply type:

  • cowpatty

BackTrack will provide you a brief help screen. Take a note that cowpatty requires all of the following.

  • a word list
  • a file where the password hash has been captured
  • the SSID of the target AP

Step 3 Place the Wireless Adapter in Monitor Mode

Just as in cracking with aircrack-ng, we need to put the wireless adapter into monitor mode.

  • airmon-ng start wlan0

Step 4 Start a Capture File

Next, we need to start a capture file where the hashed password will be stored when we capture the 4-way handshake.

  • airodump-ng –bssid 00:25:9C:97:4F:48 -c 9 -w cowpatty mon0

This will start a dump on the selected AP (00:25:9C:97:4F:48), on the selected channel (-c 9) and save the the hash in a file named cowcrack.

Step 5 Capture the Handshake

Now when someone connects to the AP, we’ll capture the hash and airdump-ng will show us it has been captured in the upper right-hand corner.

Step 6 Run the Cowpatty

Now that we have the hash of the password, we can use it with cowpatty and our wordlist to crack the hash.

  • cowpatty -f /pentest/passwords/wordlists/darkc0de.lst -r /root/cowcrack-01.cap -s Mandela2

As you can see in the screenshot above, cowpatty is generating a hash of every word on our wordlist with the SSID as a seed and comparing it to the captured hash. When the hashes match, it dsplays the password of the AP.

Step 7 Make Your Own Hash

Although running cowpatty can be rather simple, it can also be very slow. The password hash is hashed with SHA1 with a seed of the SSID. This means that the same password on different SSIDs will generate different hashes. This prevents us from simply using a rainbow table against all APs. Cowpatty must take the password list you provide and compute the hash with the SSID for each word. This is very CPU intensive and slow.

Cowpatty now supports using a pre-computed hash file rather than a plain-text word file, making the cracking of the WPA2-PSK password 1000x faster! Pre-computed hash files are available from the Church of WiFi, and these pre-computed hash files are generated using 172,000 dictionary file and the 1,000 most popular SSIDs. As useful as this is, if your SSID is not in that 1,000, the hash list really doesn’t help us.

In that case, we need to generate our own hashes for our target SSID. We can do this by using an application called genpmk. We can generate our hash file for the “darkcode” wordlist for the SSID “Mandela2” by typing:

  • genpmk -f /pentest/passwords/wordlists/darkc0de.lst -d hashes -s Mandela2

Step 8Using Our Hash

Once we have generated our hashes for the particular SSIDs, we can then crack the password with cowpatty by typing:

  • cowpatty -d hashfile -r dumpfile -s ssid

Stay Tuned for More Wireless Hacking Guides

Keep coming back for more on Wi-Fi hacking and other hacking techniques! Haven’t seen the other Wi-Fi hacking guides yet? Check them out here. If you have questions on any of this, please ask them in the comments below. If it’s something unrelated, try asking in the Null Byte forum.

Software Cracking Basics

Before you can begin cracking a trial, you must have some basic knowledge of assembly. If you are already familiar with it, you can skip this section. Well, you’re still here, so I guess I should start explaining. Unlike high-level programming languages (such as C++, Pascal, and Java) assembly does not rely on variables. Instead, it allows you to interact directly with the processor, and retrieve it in the same way. The places on the processor where the data is stored are called “registers”. The four most common registers are named AX, BX, CX, and DX (easy, eh?). These four registers are for general storage. The don’t have any special functions, they just store data (like variables).

In assembly, all commands look like this: COMMAND PARAMETER,PARAMETER (unless the command only uses one parameter). There are a few basic commands that you should know:

The MOV command is pretty much like using the assignment operator (“=”). It places the value of the second parameter in the first parameter. For example, MOV AX,DX moves the contents of the DX register into the AX register. You can also move numbers directly, as in MOV AX,15.

The basic math commands are ADD (addition), SUB (subtraction), MUL (multiply), and DIV (divide). Each of these commands require two parameters and store the result in the first parameter. You can also increase or decrease the value of a single register by 1, using the INC and DEC commands.

To compare values, most programs use the CMP command, which subtracts the value of the second parameter from the first. There is also a TEST command that does a bit-wise comparison. The result for each command is stored in a special area that can be accessed by functions called “conditional jumps”.

To move to another part of the code, a program will use the JMP command. The syntax is JMP (ADDRESS). If you want the program to jump only if a certain condition has been met (like the “If” statements in high-level languages), you can use these conditional jumps:

JE: Is executed if the parameters of the CMP command were equal.
JZ: Jump if zero (similar to JE).
JNE: Is executed if the parameters of the CMP command were NOT equal.
JNZ: Jump if not zero (similar to JNE).
JG: Is executed if the first parameter was greater than the second.
JL: Is executed if the first parameter was less than the second.
JGE: Is executed if the first parameter was greater than or equal to the second.
JLE: Is executed if the first parameter was less than or equal to the second.

You now know the very basics of x86 assembly. It’s time to get cracking!
(NOTE: If you want to continue learning assembly, visit

Cracking the Program

Tools needed: any good debugger (I’ll be using OllyDbg, which can be found at

The first step is to launch Olly (the debugger). Open the program you want to crack (cracking will be easier if the program is already expired). Olly will do some processing and analyzing, then display the code. Now, it’s time to get started. The very first thing you want to do is right-click the code and select “Search for” -> “All intermodular calls”. A window should pop up and show a big list of functions. These are all of the APIs that Olly found in the code. Towards the top of the window, there is a row of that says:

Address | Disassembly      | Destination

Click destination, so we can sort the APIs by name. Scroll down until you find a function called ollydbg”GetSystemTime“. (If there are several, you will have to follow the next steps for each one.) Click it and press F2. This will set a breakpoint so the program will automatically be pause when GetSystemTime is called. Press F9 to run the program. The program should pause before it can show you a dialog box notifying you that the trial is expired. If that happens, then go back to Olly, and press CTRL+F2 to restart the program. Find GetSystemTime again, click it, and press F2 to disable the breakpoint. Now double-click it. You should now be looking at the actual code of the program near the call to GetSystemTime. What we want to do now is look for a CMP or TEST statement, followed by a CONDITIONAL jump, such as JE or JG. The jump is there to either display a dialog and exit (if it expired), or give you access (if it hasn’t expired yet). Not all trial programs are the same, so I can’t tell you exactly what it will be like. Set a breakpoint on the jump (F2) and run the program again. If it still pauses before displaying a message or exiting, we’re almost done! (If not, you’ll need to look for another conditional jump.) The program should now be paused, and the conditional jump should be highlighted. Double-click it so you can modify it. Make it the opposite of whatever it is (change JE to JNEJG to JLet cetera…), then click the “Assemble” button. Press F9 to run the program again. Tada! Your program should work now. Right-click the code again and select “Copy to executable” -> “All modifications”, then choose “Copy all”. A new window should appear. Right-click it and choose “Save file” to save the program. Congratulations! You’re a real app cracker now!

BIOS-এর কিছু Default পাসওয়ার্ড |

বায়োসের (BIOS) কিছু দরকারী পাসওয়ার্ড

কখনও কখনও ভাইরাসের কারণে বায়োস ক্ষতিগ্রস্ত হয়ে থাকে। এক্ষেত্রে বায়োসে ব্যবহ্রত সফটওয়্যার ভার্সন এবং কোম্পানীর নামটি জানা থাকলে ভাল হয়।

সাধারনত মাদারবোর্ডে AWARD BIOS সবচেয়ে বেশি ব্যবহ্রত হয়। এছাড়াও ব্রান্ড পিসিগুলোতে এবং ল্যাপটপে নিজস্ব কোম্পানীর BIOS সফটওয়্যার ব্যবহ্রত হয়। BIOS ক্ষতিগ্রস্ত হলে আপনার বায়োস ROM চিপটি/IC টি সমমানের ROM chip ‍দিয়ে পরিবর্তন করে নিন।

BIOS পাসওয়ার্ড ভুলে গেলে:

প্রত্যেকটি BIOS সফটওয়্যার প্রস্তুতকারকতাদের নির্দিষ্ট বায়োসের জন্য Defult password ব্যবহার করে থাকেন। কোম্পানী অনুযায়ী নিচে লিখিত বায়োস পাসওয়ার্ডগুলো ব্যবহার করে দেখুন।

Award BIOS backdoor Passward

ALFAROME, ALLy, aLLy, aLLY, ALLY, aPAf, _award, BIOSTAR, CONCAT, CONDO,Condo, d8on, djonet, HLT, KDD, Lkwpeter, LKWPETER,PINT, pint, SER, SKY_FOX, ZAAADA, ZBAAACA, ZJAAADC, 01322222, 589589, 589721, 595595, AWARD_SW, AWARD?SW, AWARD SW, AWARD PW, AWKWARD, awkward, J64, J256, J262, J332, J322, SYXZ, syxz, shift+syxz, TTPTHA, 598598.

AMI BIOS backdoor passwords


PHOENIX BIOS backdoor passwords:



ALFAROME, BIOSTAR, biostar, biosstar, CMOS, cmos, LKWPETER, lkwpeter, setup, SETUP, Syxz, Wodj.


VOBIS & IBM >>>>> merlin

Dell >>>>> Dell

Biostar >>>>> Biostar

Compaq >>>>> Compaq

Enox >>>>> xo11nE

Epox >>>>>central

Freetech >>>>>Posterie


Jetway>>>>> spooml

Packard Bell >>>>> bell9

QDI >>>>> QDI

Siemens >>>>> SKY_FOX


Toshiba>>>>> Toshiba


Most Toshiba laptops and some desktop systems willbypass the BIOS passwordif the left shift key is held down during boot.


Press both mouse buttonsrepeatedly during the boot

Software Cracking Tutorial

If you’ve ever wondered how software pirates can take software and crack it time and time again, even with security in place, this small series is for you. Even with today’s most advanced methods of defeating piracy in place, it is still relatively easy to crack almost any program in the world. This is mainly due to computer processes’ ability to be completely manipulated by an assembly debugger. Using this, you can completely bypass the registration process by making it skip the application’s key code verification process without using a valid key. This works because assembly allows you to speak directly to the processor and force a skip over the registration process.In this Null Byte, let’s go over how cracking could work in practice by looking at an example program (a program that serves no purpose other than for me to hack). I will not be walking you through how to actually crack a legitimate program, because I can’t just crack a program for demonstration, but the techniques applied to my examples should give you the foundation needed to create your own. At that point, it’s a test of your morals if you want to use your knowledge for good or bad.


  • Windows (for examples only, debuggers exist across platforms)
  • A debugger installed: IDAollydbg, etc. (ollydbg will be used in examples)

Step 1 Test the Program

First, run the program that you are attempting to reverse engineer and try to activate it with a random key to verify that you need a valid software key to proceed. This is to verify that we can come up with the keys.

Step 2 Run the Program in a Debugger

  1. Run ollydbg.
  2. Open up the program you wish to bypass with ollydbg.
  3. Click the play button to run the program with the debugger attached.
  4. Right click the CPU window, and click Search For > All intermodular calls.
  5. Search for high interest DLLs. GETDLGITEMTEXT, will be for dialog boxes, which get called when you try to enter a software key. By stepping into the function with the debugger, we can examine the registration specifically. SENDDLGITEM could be used as well.
  6. Test to see which one works to break out of the activation loop by right clicking the DLL call and setting a breakpoint for all instances of that call.
  7. hacks-behind-cracking-part-1-bypass-software-registration.w654
  8. Resume the program and enter any software key you feel like. If the debugger breaks (pauses the program’s execution) after entering your key, then you know you found DLL in step 5.
  9. Press F8 back in the CPU window to force the next step until you get to the TEST EAX. EAX is the return of a value, which means that a check is being performed here. Upon examination, we can see that the EAX is checking for a number that is not equal to a null value. This means that if it is replaced with anything other than null, it will run.hacks-behind-cracking-part-1-bypass-software-registration.w654(1)
  10. Right-click the EAX and change it in hex value to 1, instead of 0.
  11. Resume the program again, and you will have successfully activated the program.hacks-behind-cracking-part-1-bypass-software-registration.w654(2)
  12. And for proof it was registered to me:
  13. hacks-behind-cracking-part-1-bypass-software-registration.w654(3)

This works because you are making the process jump from one register and skip the one that verifies the key entered. To exploit the key registration algorithm, keep an eye out for part two of this tutorial on making the key generator. Hooray for assembly!