/--------------------HellSpawn 2K1---------------------------\
|  Author:      KahnAbyss                                     |
|  Target:      System Mechanic 3.6d                          |
|  Tools:       SoftIce 4.05                                  |
|               IceDump 6.0.2.3                               |
|               Any programming language (I'll use VB)        |
|  Crack Type:  KeyGen                                        |
|  Level:       Advanced                                      |
\-------------------------------------------------------------/

---------------------------------> INTRODUCTION <---------------------------------
Part 5a:	I hope you read Part 2 of this tutorial; if not, go
	back and read it, since I'm not going to explain
	again how I find the generation routine.
----------------------------------------------------------------------------------
---------------------------------> WARNING <--------------------------------------
The KeyGen works fine, but as soon as you have the
generated serial, write it down and close the KeyGen,
or System Mechanic will shut down your PC as if it had
found SoftIce or something. Maybe in the next tutorial I'll
explain how to bypass its routines for that protection.
----------------------------------------------------------------------------------

Part 5a: Understanding the Encryption Key
===============================

Step 1	As you remember, the call we found was
	CALL      	0048F4F0
	Put a breakpoint on this address (bpx 016F:48F4F0).
	From here press F5; it will break 3 times:
	1 for Standard
	1 for Professional
	1 for Industrial

	Trace it down until you get here:

	016F:0048F556  LEA       	EAX,[EBP-18]
	016F:0048F559  MOV       	EDX,EBX
	016F:0048F55B  CALL      	00403DBC
	016F:0048F560  MOV       	EDX,[EBP-18]
	016F:0048F563  LEA       	EAX,[EBP-04]
	016F:0048F566  CALL      	00403E9C
	016F:0048F56B  INC       	EBX
	016F:0048F56C  MOV       	EAX,[EBP-04]
	016F:0048F56F  CALL      	00403E94	<-- Calculate the name length
	016F:0048F574  CMP       	EAX,0A       	<-- If < 10, loop
	016F:0048F577  JL        	0048F556

	Now we know that it needs at least 10 characters; otherwise it pads the
	name with ASCII 33 and increments that value for every missing letter:
	KahnAbyss = 9 chars, so it gives KahnAbyss!
	KahnAbys = 8 chars, so it gives KahnAbys!" and so on...
	(33 = ! and 34 = ")

	016F:0048F57F  CALL      	00407EC4        	<-- This call capitalizes your name

	Now we have KAHNABYSS!

	A little further down it generates the Serial Number

	016F:0048F5A2  MOV       	EAX,[EBP-04] 	<-- Move the name in EAX
	016F:0048F5A5  MOV       	AL,[EBX+EAX-01]   	<-- Move the letters 1 by 1 in AL
	016F:0048F5A9  CMP       	AL,46                  	<-- Compare AL with 46h
	016F:0048F5AB  JBE       	0048F5CF               	<-- Jump if AL <= 46h (70)

	If AL > 70 it goes here (subtract)
	016F:0048F5AD  MOV       	EAX,[EBP-04] 	<-- Move Name in EAX                                          
	016F:0048F5B0  MOVZX     	EAX,BYTE PTR [EBX+EAX-01]  <-- Move Letter 1 by one in EAX
	016F:0048F5B5  LEA       	EDX,[EDI+EBX] 	<-- EDX = EDI+EBX                                        
	016F:0048F5B8  SUB       	EAX,EDX    	<-- EAX = EAX-EDX                                            
	016F:0048F5BA  LEA       	EDX,[EBP-18]        
	016F:0048F5BD  CALL      	004084A8                                               
	016F:0048F5C2  MOV       	EDX,[EBP-18]        	<-- Move result in EDX                                   
	016F:0048F5C5  LEA       	EAX,[EBP-10]                                           
	016F:0048F5C8  CALL      	00403E9C                                               
	016F:0048F5CD  JMP       	0048F5EF           	<-- Jump in the last section of the loop
	
	If AL <= 70 it goes here (add)
	016F:0048F5CF  MOV       	EAX,[EBP-04]	<-- Move Name in EAX                                        
	016F:0048F5D2  MOVZX     	EAX,BYTE PTR [EBX+EAX-01]  <-- Move Letter 1 by 1 in EAX
	016F:0048F5D7  LEA       	EDX,[EDI+EBX]     	<-- EDX = EDI+EBX                                   
	016F:0048F5DA  ADD       	EAX,EDX            	<-- EAX = EAX+EDX
	016F:0048F5DC  LEA       	EDX,[EBP-18]                                           
	016F:0048F5DF  CALL      	004084A8                                               
	016F:0048F5E4  MOV       	EDX,[EBP-18]     	<-- Move result in EDX                                      
	016F:0048F5E7  LEA       	EAX,[EBP-10]                                           
	016F:0048F5EA  CALL      	00403E9C                                               

	End of the algorithm
	016F:0048F5EF  INC       	EDI 		<-- EDI = EDI+1                                                   
	016F:0048F5F0  INC       	EBX                        	<-- EBX = EBX+1
	016F:0048F5F1  DEC       	ESI                         	<-- ESI = ESI-1                        
	016F:0048F5F2  JNZ       	0048F5A2                <-- Is ESI = 0? If not, return to the top

	Ok, here ESI equals the length of the entered name... or a minimum of 10.
	The first 4 lines get the characters 1 by 1 and check the ASCII value: if it is greater than 70
	a defined number is subtracted, otherwise it is added.
	Finding the number the algorithm adds or subtracts is easy:
	it's EDI+EBX, and EDI and EBX are each incremented by 1 on every iteration,
	so the next number equals the previous number + 2.

	If you trace the entire algorithm you will get the following (if you use my name, for sure!).
	This one is for the Standard version; you will have to trace it 3 times if you want the other
	serials, but it's the same algorithm, only the initial add/subtract number changes.

	K = 75 - 18 = 57
	A = 65 + 20 = 85
	H = 72 - 22 = 50
	N = 78 - 24 = 54
	A = 65 + 26 = 91
	B = 66 + 28 = 94
	Y = 89 - 30 = 59
	S = 83 - 32 = 51
	S = 83 - 34 = 49
	! = 33 + 36 = 69

	My original serial is on the 1st line, and what we got is on the 2nd line:
	57855-ST194-9694159549
	57855054919459514969

	If you look closely, the first 5 digits are the same, so those aren't a problem.

	The last 10 digits are reversed:
	9694159549
	9459514969

	Now we're only missing the middle digits. ST will always be the same for the Standard version.
	Where does 194 come from?
	Well, you could say from the 10th to the 12th character... yeah, that's a good way, but what happens
	if you have more than 10 letters in your name?
	So it's the middle digits: here we have 20 digits and we start at 10;
	if we had 30 digits it would have to start at 15 to 17.

	The only thing left to do is to code the KeyGen:)

Part 5b: KeyGen Sources (Visual Basic)
===============================
Just put a button called cmdGen,
then 3 indexed Labels called lblSerial,
and finally a TextBox called txtName.

Private Sub cmdGen_Click()
    Dim InputStr As String, RealStr As String, MidStr As String
    Dim X As Integer, Y As Integer, CntAdd As Integer
    Dim TmpVal As Integer, Missing As Integer

    InputStr = txtName.Text

    'Pad the name to at least 10 chars with "!", """, "#", ... (ASCII 33, 34, 35, ...)
    If Len(InputStr) < 10 Then
        Missing = 10 - Len(InputStr)
        For X = 1 To Missing
            InputStr = InputStr & Chr(32 + X)
        Next X
    End If

    For Y = 0 To 2
        RealStr = ""                                'Start each edition from an empty result
        Select Case Y                               'Initial add/subtract value and edition letters
            Case 0
                CntAdd = 18                         'Standard Edition
                MidStr = "-ST"
            Case 1
                CntAdd = 24                         'Professional Edition
                MidStr = "-PR"
            Case 2
                CntAdd = 13                         'Industrial Edition
                MidStr = "-ND"
        End Select

        For X = 1 To Len(InputStr)                  'Encrypt the data
            TmpVal = Asc(UCase(Mid(InputStr, X, 1)))    'Get chars 1 by 1 in upper case
            If TmpVal > 70 Then                     'ASCII value greater than 70 ("F")
                TmpVal = TmpVal - CntAdd            'Subtract the pointer
            Else
                TmpVal = TmpVal + CntAdd            'Add the pointer
            End If
            RealStr = RealStr & CStr(TmpVal)        'Append the decimal value to the result
            CntAdd = CntAdd + 2                     'EDI and EBX each grow by 1, so EDI+EBX grows by 2
        Next X

        'Serial = first 5 digits of RealStr,
        '         edition letters + 3 middle digits of RealStr,
        '         then the last 10 digits of RealStr reversed
        lblSerial(Y).Caption = Left(RealStr, 5) & MidStr & _
            Mid(RealStr, Len(RealStr) \ 2, 3) & "-" & Reverse(Right(RealStr, 10))
    Next Y
End Sub

Function Reverse(InputStr As String) As String
    Dim X As Integer, RetVal As String
    For X = 1 To Len(InputStr)
        RetVal = Mid(InputStr, X, 1) & RetVal       'Prepend each char to reverse the string
    Next X
    Reverse = RetVal
End Function