/------------------------------HellSpawn 2K1-----------------------\
| Author: KahnAbyss                                                |
| Target: System Mechanic 3.6d                                     |
| Tools: SoftIce 4.05                                              |
|        IceDump 6.0.2.3                                           |
| Crack Type: Serial                                               |
| Level: Novice                                                    |
\------------------------------------------------------------------/

You can get the software at: www.iolo.com

Step 1: Download/install the software.

Step 2: When you run SM you're gonna see that your PC always shuts down by
itself. I guess that it looks for SoftIce or some shit... If you unload SoftIce
and then run FrogsIce, it's gonna tell you that it looks for SoftIce using the
MeltIce protection... Well, you can go to the offset written in the log file
and patch the near jump with Hiew, or you can put a breakpoint like this one:

  bpx CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' do d @(esp+4);e @(esp+4) 0;x;

or add these macros to your winice.dat, then type HideMe:

  MACRO NoSice="d @(esp+4);e @(esp+4) 0;x;"
  MACRO HideMe="bpx CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' do \"NoSice\""

And if you use IceDump 6.0.2.3 you can just type /PROTECT On.

Step 3: Now run SM. When prompted for a serial, enter this:

  User ID = KahnAbyss
  Serial  = 66699-66699-6669966699

DON'T click on OK right now. Enter SoftIce (Ctrl-D), put a breakpoint on
GetWindowTextA (bpx GetWindowTextA), then exit SoftIce with F5. Click on OK
and SoftIce will pop up; now press F11 to get back to the caller. You should
be here:

  016F:004917BF CALL USER32!GetWindowTextA
  016F:004917C4 LEA EAX,[EBP-0C]        <-- You're here
  016F:004917C7 MOV EDX,ESI             <-- Put Name/Fake Serial in EDX
  .....
  .....
  016F:004917E0 MOV EAX,[EBP-04]        <-- Message for you, type D EAX
  .....
  .....
  016F:0049180A TEST EDI,EDI
  016F:0049180C JNZ 004917B8            <-- Loop
  016F:0049180E MOV EAX,ESI             <-- Clear all breakpoints and put one after the loop, then press F5

When you continue to trace you're gonna get caught in KeyGen detection loops,
so you'll have to put a breakpoint on the return of the function or trace it
for a while.. :)

  016F:00491840 MOV EAX,00491904
  016F:00491845 CALL 00491778
  016F:0049184A TEST AL,AL
  016F:0049184C JNZ 004918F7
  016F:00491852 MOV EAX,00491918
  016F:00491857 CALL 00491778
  016F:0049185C TEST AL,AL
  016F:0049185E JNZ 004918F7
  .....
  .....
  016F:004918F4 XOR EAX,EAX
  016F:004918F6 RET                     <-- Put a breakpoint here, then press F5

Step 4: After the return, if you trace a little bit down with F10, soon you're
gonna be here:

  016F:004973FF CALL 00423498
  016F:00497404 MOV EAX,[EBP-18]        <-- Put Name in EAX
  016F:00497407 LEA ECX,[EBP-08]
  016F:0049740A MOV EDX,00000001        <-- Put 1 in EDX
  016F:0049740F CALL 0048F4F0           <-- Hmm, what could it be?
  016F:00497414 MOV EAX,[EBP-08]        <-- Put Serial in EAX
  016F:00497417 MOV EDX,[EBP-04]        <-- D EAX (write down Serial)
  .....
  .....
  016F:00497434 MOV EAX,[EBP-18]        <-- Put Name in EAX (again)
  016F:00497437 LEA ECX,[EBP-08]
  016F:0049743A MOV EDX,00000002        <-- Put 2 in EDX
  016F:0049743F CALL 0048F4F0           <-- Still calling the same function?
  016F:00497444 MOV EAX,[EBP-08]        <-- Another Serial in EAX
  016F:00497447 MOV EDX,[EBP-04]        <-- D EAX (write down Serial)
  .....
  .....
  016F:00497464 MOV EAX,[EBP-18]        <-- Put Name in EAX
  016F:00497467 LEA ECX,[EBP-08]
  016F:0049746A MOV EDX,00000003        <-- Put 3 in EDX
  016F:0049746F CALL 0048F4F0           <-- Yeah yeah, this function again
  016F:00497474 MOV EAX,[EBP-08]        <-- Then the 3rd Serial in EAX
  016F:00497477 MOV EDX,[EBP-04]        <-- D EAX (write down Serial)

OK, now we have 3 serials, which for my name (KahnAbyss) are:

  57855-ST194-9694159549   <-- Standard Edition
  51914-PR710-5734543500   <-- Professional Edition
  62805-ND689-4645654698   <-- Industrial Edition

So from here, as you can see, each block of code is the same except that EDX
is incremented by 1 each time, and it always calls 48F4F0, so we can guess
that's where the serial is generated. We're gonna dig into it in the next part
of the tutorial to make a KeyGen for System Mechanic, so stay tuned :)