/------------------------------HellSpawn 2K1-----------------------\
| Author:     KahnAbyss                                            |
| Target:     System Mechanic                                      |
|             3.6d                                                 |
| Tools:      SoftIce 4.05                                         |
|             IceDump 6.0.2.3                                      |
|             Any Prog Software                                    |
|             I'll use VB                                          |
| Crack Type: KeyGen                                               |
| Level:      Advanced                                             |
\------------------------------------------------------------------/

---------------------------------> INTRODUCTION <---------------------------------

Part 5a: I hope you have read Part 2 of this tutorial; if not, go back and read it, since I am not going to explain again how to find the generation routine.

-----------------------------------> WARNING <------------------------------------

The KeyGen works fine, but as soon as you have the generated serial, write it down and close the KeyGen, or System Mechanic will shut down your PC as if it had found SoftIce or something. Maybe in the next tut I will explain how to bypass its routines for that protection.

----------------------------------------------------------------------------------

Part 5a: Understanding Encryption Key
===============================

Step 1

As you remember, the call we found was CALL 0048F4F0. Put a breakpoint on this address (bpx 016F:48F4F0). From here press F5; it will break 3 times: once for Standard, once for Professional, once for Industrial.

Trace it down till you get here:

    016F:0048F556  LEA   EAX,[EBP-18]
    016F:0048F559  MOV   EDX,EBX
    016F:0048F55B  CALL  00403DBC
    016F:0048F560  MOV   EDX,[EBP-18]
    016F:0048F563  LEA   EAX,[EBP-04]
    016F:0048F566  CALL  00403E9C
    016F:0048F56B  INC   EBX
    016F:0048F56C  MOV   EAX,[EBP-04]
    016F:0048F56F  CALL  00403E94              <-- Calculate the name length
    016F:0048F574  CMP   EAX,0A                <-- If < 10, loop
    016F:0048F577  JL    0048F556

Now we know the name needs at least 10 characters; otherwise it is padded, starting with ASCII 33 and incrementing by one for every missing letter.

    KahnAbyss = 9 chars, so it gives KahnAbyss!
    KahnAbys  = 8 chars, so it should give KahnAbys!"
    and so on.. (33=! and 34=")

    016F:0048F57F  CALL  00407EC4              <-- This call capitalizes your name

Now we have KAHNABYSS!

A little further down it generates the Serial Number:

    016F:0048F5A2  MOV   EAX,[EBP-04]          <-- Move Name in EAX
    016F:0048F5A5  MOV   AL,[EBX+EAX-01]       <-- Move letters 1 by 1 in AL
    016F:0048F5A9  CMP   AL,46                 <-- Compare AL with h46
    016F:0048F5AB  JBE   0048F5CF              <-- Jump if AL <= h46 (70)

If AL > 70 it goes here:

    016F:0048F5AD  MOV   EAX,[EBP-04]                <-- Move Name in EAX
    016F:0048F5B0  MOVZX EAX,BYTE PTR [EBX+EAX-01]   <-- Move letters 1 by 1 in EAX
    016F:0048F5B5  LEA   EDX,[EDI+EBX]               <-- EDX = EDI+EBX
    016F:0048F5B8  SUB   EAX,EDX                     <-- EAX = EAX-EDX
    016F:0048F5BA  LEA   EDX,[EBP-18]
    016F:0048F5BD  CALL  004084A8
    016F:0048F5C2  MOV   EDX,[EBP-18]                <-- Move result in EDX
    016F:0048F5C5  LEA   EAX,[EBP-10]
    016F:0048F5C8  CALL  00403E9C
    016F:0048F5CD  JMP   0048F5EF                    <-- Jump to the last section of the loop

If AL <= 70 it goes here:

    016F:0048F5CF  MOV   EAX,[EBP-04]                <-- Move Name in EAX
    016F:0048F5D2  MOVZX EAX,BYTE PTR [EBX+EAX-01]   <-- Move letters 1 by 1 in EAX
    016F:0048F5D7  LEA   EDX,[EDI+EBX]               <-- EDX = EDI+EBX
    016F:0048F5DA  ADD   EAX,EDX                     <-- EAX = EAX+EDX
    016F:0048F5DC  LEA   EDX,[EBP-18]
    016F:0048F5DF  CALL  004084A8
    016F:0048F5E4  MOV   EDX,[EBP-18]                <-- Move result in EDX
    016F:0048F5E7  LEA   EAX,[EBP-10]
    016F:0048F5EA  CALL  00403E9C

End of the algorithm:

    016F:0048F5EF  INC   EDI                   <-- EDI = EDI+1
    016F:0048F5F0  INC   EBX                   <-- EBX = EBX+1
    016F:0048F5F1  DEC   ESI                   <-- ESI = ESI-1
    016F:0048F5F2  JNZ   0048F5A2              <-- Is ESI = 0 ? No: return to top

Here ESI is equal to the length of the entered name... or a minimum of 10.

The first 4 lines get the characters 1 by 1 and check the ASCII code of each: if it is greater than 70, a defined number is subtracted, otherwise it is added.

Finding the number that the algo adds or subtracts is easy: it is EDI+EBX. EDI and EBX are each incremented by 1 on every pass, so each new number is equal to the previous number + 2.

If you trace the entire algorithm you will get this (if you use my name, for sure!). This one is for the Standard version; you will have to trace it 3 times if you want the other serials, but it is the same algorithm, only the initial add/subtract number changes.

    K = 75 - 18 = 57
    A = 65 + 20 = 85
    H = 72 - 22 = 50
    N = 78 - 24 = 54
    A = 65 + 26 = 91
    B = 66 + 28 = 94
    Y = 89 - 30 = 59
    S = 83 - 32 = 51
    S = 83 - 34 = 49
    ! = 33 + 36 = 69

My original serial (on the 1st line) and what we got (on the 2nd line):

    57855-ST194-9694159549
    57855054919459514969

If you check closely, the first 5 digits are the same, so these aren't a problem.

The last 10 digits are inverted:

    9694159549
    9459514969

Now we are only missing the middle part, in which ST will always be the same for the Standard version.

Where does 194 come from? Well, you can say from the 10th char to the 12th one... yeah, that's a good way, but what happens if you have more than 10 letters in your name? So it is the middle digits: here we have 20 digits and we start at 10; if we had 30 digits it would have to start at 15 and go to 17.

The only thing left to do is to code the KeyGen :)

Part 5b: KeyGen Sources (Visual Basic)
===============================

Just put a button called cmdGen,
then 3 indexed Labels called lblSerial,
finally a TextBox called txtName.

Private Sub cmdGen_Click()
    InputStr = txtName.Text
    For Y = 0 To 2
        Select Case Y                           'Set pointer
        Case 0
            CntAdd = 18                         'Normal Edition
        Case 1
            RealStr = ""
            CntAdd = 24                         'Professional Edition
        Case 2
            RealStr = ""
            CntAdd = 13                         'Industrial Edition
        End Select

        If Len(InputStr) < 10 Then              'Fill the string to have at least 10 chars
            TmpStr = 10 - Len(InputStr)
            For X = 1 To TmpStr
                InputStr = InputStr & Chr(32 + X)
            Next X
        End If

        For X = 1 To Len(InputStr)              'Encrypt the data
            TmpStr = Asc(UCase(Mid(InputStr, X, 1)))   'Get chars 1 by 1 in upper case
            If TmpStr > 70 Then                 'If ASCII char is greater than 70
                TmpStr = TmpStr - CntAdd        'Subtract pointer
            Else
                TmpStr = TmpStr + CntAdd        'Add pointer
            End If
            RealStr = RealStr & TmpStr          'Save string
            CntAdd = CntAdd + 2                 'Set new pointer position
        Next X

        Select Case Y
        Case 0
            MidStr = "-ST"                      'Normal Edition
        Case 1
            MidStr = "-PR"                      'Professional Edition
        Case 2
            MidStr = "-ND"                      'Industrial Edition
        End Select

        'Put first 5 digits of RealStr
        'Put letters + 3 middle digits of RealStr
        'Reverse last 10 digits of RealStr
        lblSerial(Y).Caption = Left(RealStr, 5) & MidStr & _
            Mid(RealStr, Len(RealStr) / 2, 3) & "-" & Reverse(Right(RealStr, 10))
    Next Y
End Sub

Function Reverse(InputStr As String) As String
    For X = 1 To Len(InputStr)
        RetVal = Mid(InputStr, X, 1) & RetVal
    Next X
    Reverse = RetVal
End Function
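
Added example (not part of the original tutorial and not System Mechanic's code): the serial above can be rebuilt from the name alone because every constant the check uses sits in the client. The sketch below shows the usual hardening, where the program ships only an Ed25519 public key and verifies a vendor signature over the upper-cased name and the edition code; the seed, function names and license format are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base32"
	"fmt"
	"strings"
)

var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)
var editions = map[string]bool{"ST": true, "PR": true, "ND": true}

// message binds the signature to the normalized name and the edition code;
// the length prefix keeps the name/edition encoding unambiguous.
func message(name, edition string) []byte {
	n := strings.ToUpper(strings.TrimSpace(name))
	return []byte(fmt.Sprintf("%d:%s|%s", len(n), n, edition))
}

// IssueLicense runs on the vendor side only; the private key never ships.
func IssueLicense(priv ed25519.PrivateKey, name, edition string) string {
	return edition + "-" + b32.EncodeToString(ed25519.Sign(priv, message(name, edition)))
}

// VerifyLicense is all the client holds: a public key and a signature check.
// Reading this routine in a debugger yields no way to produce new licenses.
func VerifyLicense(pub ed25519.PublicKey, name, license string) bool {
	parts := strings.SplitN(license, "-", 2)
	if len(parts) != 2 || !editions[parts[0]] {
		return false
	}
	sig, err := b32.DecodeString(parts[1])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, message(name, parts[0]), sig)
}

// demoKeys builds a key pair from a constructed 32-byte seed so the example
// is reproducible; a real vendor key comes from a CSPRNG and stays offline.
func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed([]byte("constructed-demo-seed-32-bytes!!"))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKeys()
	lic := IssueLicense(priv, "Example User", "ST") // constructed sample name
	fmt.Println(VerifyLicense(pub, "example user", lic), VerifyLicense(pub, "Other User", lic))
}
```

The signature makes the key much longer than the 22-character serial above, which is the price of a check that holds no generating secret.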