/-----------------------HellSpawn 2K1------------------------\
| Author:     KahnAbyss                                      |
| Target:     LmSoft Presenter                               |
|             v 4.0.0.5                                      |
| Tools:      SoftIce 3.25                                   |
|             Any Prog Soft                                  |
|             I'll use Visual Basic                          |
| Crack Type: KeyGen                                         |
| Level:      Advanced                                       |
\------------------------------------------------------------/

---------------------> INTRODUCTION <---------------------

I hope you read Part 2 of this tutorial, since I'm not gonna repeat all the stuff.
In the 1st part I'm gonna explain how to do reverse engineering.
It could be painful to follow for a newbie, so you're gonna have to play with
a few programs to find out how tha bitch works:)

--------------------------------------------------------------------

1st important loop, which creates a number that matches the Serial
--------------------------------------------------------------------
:0040162A 33C0          xor eax, eax                  ;Reset Eax to 0, which acts as a counter
:0040162C B90F000000    mov ecx, 0000000F             ;Set Ecx to 0F/Start of the loop
:00401631 2BC8          sub ecx, eax                  ;Ecx = Ecx-Eax
:00401633 8BF2          mov esi, edx                  ;Esi = Edx
:00401635 D3E6          shl esi, cl                   ;Esi = Esi*(2^Cl)
:00401637 8BC8          mov ecx, eax                  ;Ecx = Eax
:00401639 8BFA          mov edi, edx                  ;Edi = Edx
:0040163B D3E7          shl edi, cl                   ;Edi = Edi*(2^Cl)
:0040163D 237D08        and edi, dword ptr [ebp+08]   ;Logical AND return 0 or 1 in Zero Flag with comparison of the Serial
:00401640 0F94C1        setz cl                       ;Set Cl to Zero Flag value
:00401643 83E101        and ecx, 00000001             ;If Ecx = 0 reset Esi to 0
:00401646 0FAFF1        imul esi, ecx
:00401649 03DE          add ebx, esi                  ;Ebx = Ebx+Esi <---- Important value since it's used in the next call to generate the Key
:0040164B 40            inc eax                       ;Eax = Eax+1
:0040164C 83F810        cmp eax, 00000010             ;Is Eax = 10?
:0040164F 7CDB          jl 0040162C                   ;No, do it again

Ok, from here it calculates the 1st part of the Key.
2 lines are important: the 1st is 40163D, the 2nd is 401649.
The only thing you need to find out is how it sets the 0 flag, to see whether it adds
the value or not, and that's done at 40163D.
If we trace the loop 1 time we will conclude that Edi is always multiplied by 2.
In decimal:

00001 00002 00004 00008 00016 00032 00064 00128 00256 00512 01024 02048 04096 08192 16384

From here we need to know what's in Ebp+08. When you get to this line with Soft Ice
you see in the right corner SS=Address=Value.
For serial 0053-0000-00 I got 328B740 in hex.
So in VB we're gonna have to do this comparison 15 times with the AND operator,
then we invert the result to add Esi, which is equal to 2^(15-LoopValue).
Here we don't really care 'bout Edx since it's always equal to 1.

2nd important loop, which creates the Key that matches the entered Serial
--------------------------------------------------------------------
:00401651 B810000000    mov eax, 00000010             ;Set Eax to 10h
:00401656 B91F000000    mov ecx, 0000001F             ;Set Ecx to 1F/Start of the loop
:0040165B 2BC8          sub ecx, eax                  ;Ecx = Ecx-Eax
:0040165D 83C110        add ecx, 00000010             ;Ecx = Ecx+10
:00401660 8BF2          mov esi, edx                  ;Esi = Edx
:00401662 D3E6          shl esi, cl                   ;Esi = Esi*(2^Cl)
:00401664 8BC8          mov ecx, eax                  ;Ecx = Eax
:00401666 8BFA          mov edi, edx                  ;Edi = Edx
:00401668 D3E7          shl edi, cl                   ;Edi = Edi*(2^Cl)
:0040166A 237D08        and edi, dword ptr [ebp+08]   ;Logical AND return 0 or 1 in Zero Flag with comparison of the Serial
:0040166D 0F94C1        setz cl                       ;Set Cl to 0 or 1 with the Zero Flag
:00401670 83E101        and ecx, 00000001             ;Test if Ecx is 1, return 0 or 1 in Ecx
:00401673 0FAFF1        imul esi, ecx                 ;Esi = Esi*Ecx
:00401676 03DE          add ebx, esi                  ;Ebx = Ebx+Esi <--- Remember the value we got in the 1st Loop?:)))
:00401678 40            inc eax                       ;Eax = Eax+1
:00401679 83F820        cmp eax, 00000020             ;Compare if Eax = 20
:0040167C 7CD8          jl 00401656                   ;If not, Loop until Eax = 20
:0040167E 8BC3          mov eax, ebx                  ;Move Key in Eax

As you can see it really looks like the 1st loop, but if you dig into it a little bit
you're gonna see it always gives the same number.
Ok, here we have the key generation... and 2 conditions for it, with a bit of math.
At 40166A it tests the serial in hex against the value of Edi: if equal return 1, else return 0.
After that Cl is set to 0 or 1 depending on the result of the condition at 40166A.
Another check is done with Ecx to know if Esi is multiplied by 0 or 1,
then the result is added to Ebx, which contains a value generated by the previous loop
depending on the Serial.

As you can see it is made in 2 steps: the 1st loop generates a hex number that matches
the Serial, and the 2nd loop generates the key that matches the serial.
So what I did to find it was check which var changed when I changed the serial. It was Ebx.
Then I traced the 2nd loop with a few different serials to check how the 1st AND reacts.
3 out of 3 gave me the same results... weird isn't it?:)
Well, this is what I got:

1st Serial 0053-0000-00    Ebx = FD12
2nd Serial 0053-0045-99    Ebx = 136C
3rd Serial 0053-0038-99    Ebx = 219C

Eax = 10    1st = 1    2nd = 1    3rd = 1
      11    1st = 1    2nd = 1    3rd = 1
      12    1st = 1    2nd = 1    3rd = 1
      13    1st = 0    2nd = 0    3rd = 0
      14    1st = 1    2nd = 1    3rd = 1
      15    1st = 0    2nd = 0    3rd = 0
      16    1st = 1    2nd = 1    3rd = 1
      17    1st = 1    2nd = 1    3rd = 1
      18    1st = 0    2nd = 0    3rd = 0
      19    1st = 0    2nd = 0    3rd = 0
      1A    1st = 1    2nd = 1    3rd = 1
      1B    1st = 1    2nd = 1    3rd = 1
      1C    1st = 1    2nd = 1    3rd = 1
      1D    1st = 1    2nd = 1    3rd = 1
      1E    1st = 1    2nd = 1    3rd = 1
      1F    1st = 1    2nd = 1    3rd = 1

The important lines in that are 13, 15, 18 and 19. Since they add nothing, we can conclude
that the loop is equal to:

10000+20000+40000+100000+400000+800000+4000000+8000000+10000000+20000000+40000000+80000000

which is equal to EB3F0000. Converted to decimal that's equal to 3946774528, right?
So the final # is gonna be Loop1Result+3946774528

LmSoft Presenter 4.0.0.5 sources (Visual Basic)
===============================================

Here I assume that you have VB programming skills, but I put in enough comments
for you to understand, I hope. Else try it and understand by yourself:p

Just add 2 text boxes called TxtSerial and TxtKey and a command button called cmdGen

Dim Soft

Private Sub cmdGen_Click()
    'Dim Edi As Currency
    'Dim Ebx As Currency
    If txtID <> "" Then
        RndSerial = Int((5000 * Rnd))
        Ebp = (Val(txtID) * 1000000) + RndSerial
    Else
        MsgBox "Please enter the 1st 4 digits of Serial Number", _
               vbOKOnly, "LmSoft KeyGenerator"
        Exit Sub
    End If

    'Create 2nd part of the 8 HexaDecimal digits
    For Eax = 0 To 15                                 'Beginning of the loop
        If Not Eax <> 0 Then Edi = 1                  'Set Edi to 1 on 1st loop
        If Not (Ebp And Edi) <> 0 Then _
            Ebx = Ebx + 2 ^ (15 - Eax)                'Add Esi if AND result = 0
        If Eax < 15 Then Edi = Edi * 2                'Set Edi for the next loop
    Next Eax                                          'End loop

    'Create 1st part of the 8 HexaDecimal digits
    For Eax = 15 To 30
        If Not (Ebp And Edi) <> 0 Then _
            Ebx2 = Ebx2 + 2 ^ (30 - Eax)              'Add Esi if AND result = 0
        Edi = Edi * 2                                 'Set Edi for the next loop
    Next Eax
    Ebx2 = Ebx2 * 2 + 1
    Ebx = Hex2Dec(Right(Hex(Ebx2), 4) & Hex(Ebx))     'Convert Serial into Decimal
    txtSerial = Format(Left(RndSerial, 2), "0000") & _
                "-" & Right(RndSerial, 2)             'Print Serial
    txtKey = Left(Ebx, 4) & "-" & Mid(Ebx, 5, 4) & "-" & Right(Ebx, 2)    'Print Key
End Sub

Function Hex2Dec(Value) As String
    Dim RetVal As Currency
    For X = 1 To Len(Value)
        tmpValue = Mid(Value, X, 1)
        If Asc(UCase(tmpValue)) > 64 And _
           Asc(UCase(tmpValue)) < 71 Then
            tmpValue = Asc(UCase(tmpValue)) - 55
        Else
            tmpValue = Val(tmpValue)
        End If
        RetVal = RetVal + (tmpValue * 16 ^ (Len(Value) - X))
    Next X
    Hex2Dec = Format(RetVal, "0000000000")
End Function
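
As a contrast to the check traced above, which builds the key from the serial with fixed shifts and ANDs and no secret input, this added example (not part of the original tutorial and not LmSoft code) shows a key that depends on a secret held only by the vendor's activation server. The function names, the demo secret and the key layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed demo secret (assumption). In a real deployment it lives only on
# the vendor's activation server; shipping it inside the client binary would
# make it as recoverable as the shift/AND loops in the listing above.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"

TAG_BYTES = 10  # 80-bit truncated tag, which is exactly 16 base32 characters


def normalize(serial: str) -> bytes:
    """Canonical form of a serial so stray spaces or case do not matter."""
    return serial.strip().upper().encode("ascii")


def issue_key(serial: str, secret: bytes = SERVER_SECRET) -> str:
    """Server side: key = truncated HMAC-SHA256(secret, serial) in base32 groups."""
    tag = hmac.new(secret, normalize(serial), hashlib.sha256).digest()[:TAG_BYTES]
    text = base64.b32encode(tag).decode("ascii")
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))


def verify_key(serial: str, key: str, secret: bytes = SERVER_SECRET) -> bool:
    """Server side: recompute the key and compare in constant time."""
    try:
        expected = issue_key(serial, secret)
    except UnicodeEncodeError:
        return False  # non-ASCII serials are never valid
    return hmac.compare_digest(expected.encode(), key.strip().upper().encode())


if __name__ == "__main__":
    sample_serial = "0053-0000-00"  # serial format taken from the page
    sample_key = issue_key(sample_serial)
    print(sample_serial, "->", sample_key)
    print("same serial verifies: ", verify_key(sample_serial, sample_key))
    print("other serial verifies:", verify_key("0053-0045-99", sample_key))
```

The client only submits the serial and key for checking, so nothing in its disassembly is enough to compute a valid pair.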