    ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
    ▓▓    ____                     __       __           ▓▓▀█
    ▓▓   /  _/_ _  __ _  ___  ____/ /____ _/ /           ▓▓ █▀█
    ▓▓  _/ //  ' \/  ' \/ _ \/ __/ __/ _ `/ /            ▓▓ █ █
    ▓▓ /___/_/_/_/_/_/_/\___/_/  \__/\_,_/_/             ▓▓ █ █
    ▓▓   ____                          __          __    ▓▓ █ █
    ▓▓  / __ \___ ___ _______ ___  ___/ /__ ____  / /____▓▓ █ █
    ▓▓ / /_/ / -_|_-</ __/ -_) _ \/ _  / _ `/ _ \/ __(_-<▓▓ █ █
    ▓▓/_____/\__/___/\__/\__/_//_/\_,_/\_,_/_//_/\__/___/▓▓ █ █
    ▓▓                                                   ▓▓ █ █
    ▓▓      Web: http://www.ImmortalDescendants.com      ▓▓ █ █
    ▓▓                 Author: Muad'Dib                  ▓▓ █ █
    ▓▓                  Date: 12/26/99                   ▓▓ █ █
    ▓▓      Topic: Keygenning Cement Estimator 2.0       ▓▓ █ █
    ▓▓                  Level: Beginner                  ▓▓ █ █
    ▓▓                                                   ▓▓ █ █
    ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ █ █
      █▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄█ █
        █▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄█

=====================================================================================
NOTE: Source code for this essay is available here:
www.ImmortalDescendants.com/database/essays/muad/source/ce-2-0.zip
=====================================================================================

Enter the program and click the little tools button.  Click the register menu item in
the "Information" submenu.  Click the "Register Now" button in the new window.  Enter
a fake name, company, and serial.  Put a breakpoint on hmemcpy and get out of SICE.
Press the OK button and you'll break into SICE.  F12 into your program (7 times) and
type 'd @edi'.  You'll see your fake serial.  Put a break on it.  Keep using F12 on
the hmemcpy breaks and put breakpoints on your name, company, and serial.  Once you
are done doing that, you'll break on your name.  Trace some until you get to some code
that looks like this (edi+38 is 12E):

:00451ACF 8B45FC             mov eax, dword ptr [ebp-04]	; move name to eax
:00451AD2 0FBE5418FF         movsx edx, byte ptr [eax+ebx-01]	; move a char to edx
:00451AD7 0FAF5738           imul edx, dword ptr [edi+38]	; mul it by 12E
:00451ADB 03F2               add esi, edx			; add it to total
:00451ADD 43                 inc ebx				; increment username pos

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00451ACD(U)
|
:00451ADE 8D45FC             lea eax, dword ptr [ebp-04]	; address of the name string into eax
:00451AE1 E8482AFCFF         call 0041452E			; get len of name
:00451AE6 3BD8               cmp ebx, eax			; compare pos to len
:00451AE8 7EE5               jle 00451ACF			; if it's less, continue

Pretty easy, isn't it?  You'll notice that it does nothing with your company and if you
dig around a little bit more, you'll notice that there's no minimum length for the name
OR company!  Unregister the program and try putting in no name, any or no company, and 0
for the serial.  It works!  Wow, that's pretty bad programming (Actually, I did the same
one night very late, but I fixed it the next morning).  Now to make a keygenerator.
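To see why this check is so weak, here is the loop at 00451ACF re-implemented in Python as an added example (not the program's code and not from the essay's source zip): every name character is sign-extended (movsx), multiplied by [edi+38] = 12Eh and summed into esi. The final comparison is not shown in the listing above, so the assumption here is that the decimal serial the user types is compared straight against that sum; the company field is never read.

```python
# Added example: model of the Cement Estimator 2.0 name check shown above.
MULTIPLIER = 0x12E  # value found in [edi+38] during the trace


def name_checksum(name: str) -> int:
    """Mirror of 00451ACF..00451AE8: esi += movsx(name[ebx-1]) * 0x12E."""
    total = 0
    for b in name.encode("latin-1"):
        # movsx edx, byte ptr [...] sign-extends the byte before the imul
        signed = b - 0x100 if b >= 0x80 else b
        total += signed * MULTIPLIER
    return total & 0xFFFFFFFF  # esi is a 32-bit register


def registration_is_accepted(name: str, company: str, serial: str) -> bool:
    """Assumed final compare: decimal serial == checksum. Company is unused,
    and an empty name has checksum 0, which is why name='' serial='0' passes."""
    try:
        entered = int(serial, 10)
    except ValueError:
        return False
    return (entered & 0xFFFFFFFF) == name_checksum(name)


def collisions(names):
    """Group names sharing a checksum. A plain sum ignores character order,
    so any two anagrams are accepted with the same serial."""
    groups = {}
    for n in names:
        groups.setdefault(name_checksum(n), []).append(n)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the essay.
    print(registration_is_accepted("", "Any Company", "0"))      # True
    print(collisions(["Muad", "Daum", "Dib"]))                    # Muad/Daum collide
```

A check like this is an accumulator, not a signature: nothing ties the serial to the name beyond a sum, so length, order and the company field all fall out of the comparison.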