How to keygen PC-Adreßzz! v4.x
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by M.o.D. [F2F]

tools used :
- SoftIce 4.05 ( protools.cjb.net )
- Delphi 5 ( for the Keygen )
- pen & paper ( optional :) )

Ok, let's start!

Click on "Extras" and "Registration". We see a nice register box where we can enter our name and serial. Press Ctrl+D to fire up SI and set a breakpoint on Hmemcpy ( bpx hmemcpy ). Leave SI by pressing F5 and enter your name and "1122334455" as serial. Press the OK button and we're back in SI. Press F5 and we break again on "Hmemcpy": the program grabbed our name first and then our serial. Now press F12 14 times to get back into our target program, then press F5 and trace to line "4834A5". You should see this code:

004834A5 E8FAC7FFFF  call 0047FCA4     -> calculates the key & checks it :)
004834AA 5A          pop edx
004834AB 0AD0        or dl, al
004834AD 7422        je 004834D1       -> tests if we're a good/bad user

Now clear your breakpoints ( bc * ) and set one at the key-check call ( bpx 4834A5 ). Press F5 to leave SI and press the OK button in the registration box again. We break at line "4834A5". Now press F8 to step inside the call. It's time to start understanding the key calculation. In SI we're at line "47FCA4". I will save you some time: the interesting part begins at line "47FD22", so set a breakpoint there ( bpx 47FD22 ). Here starts the real fun :)! Press F5 to leave SI and click the OK button again. You should see the following code:

0047FD22 8B55FC      mov edx, dword ptr [ebp-04]   -> type "d edx" & you see "PCA21"
0047FD25 E8CA40F8FF  call 00403DF4
0047FD2A 33DB        xor ebx, ebx
0047FD2C 8B45EC      mov eax, dword ptr [ebp-14]   -> type "d eax"

If you type "d eax" at line "0047FD2C" you see "PCA21[our name]" in the data window. That means the program prepends "PCA21" to our name before the real key calculation starts. So we can note as the first part of the keygen: put "PCA21" in front of our name!!
Now comes the real calculation ( sn & tmp are only for the explanation ):

0047FD42 0FB64C01FF  movzx ecx, byte ptr [ecx+eax-01]  -> character from "PCA21[our name]"
0047FD47 03C9        add ecx, ecx                      -> tmp = ascii-value*2
0047FD49 8D0CC9      lea ecx, dword ptr [ecx+8*ecx]    -> tmp = tmp*9
0047FD4C 03D9        add ebx, ecx                      -> sn = sn+tmp
0047FD4E 03D8        add ebx, eax                      -> sn = sn+position of the character ( eax, counted from 1 )
0047FD50 40          inc eax                           -> go to the next character
0047FD51 4A          dec edx                           -> edx contains the length of "PCA21+Name"
0047FD52 75EB        jne 0047FD3F                      -> tests if the last character is reached

Ok, here we see the calculation of the first part of our key: for every character of "PCA21[our name]" the program takes the ASCII value, multiplies it by 18 ( *2, then *9 ), adds the position of the character ( 1 for the first character, 2 for the second, and so on; that is the "add ebx, eax" ), and sums all these results. The result is stored in EBX!

Now we trace to line "0047FD71". We see this:

0047FD71 8DB3E0930400  lea esi, dword ptr [ebx+000493E0]  -> adds 300000 to EBX!

Remember that EBX contains the result of the calculation above. The program adds 300000 ( hex 493E0 ) to the result and we have the first part of the key :). The second part of the key is calculated at line "0047FD93". Code:

0047FD93 2D50850200  sub eax, 00028550  -> EAX contains the first part of the key

The program subtracts 165200 ( hex 28550 ) from the first part of our key and we have the second part. Ok, we are nearly ready. First the program puts a "-" between the two parts of the key ( first part "-" second part ). The last step is that the program puts "V4" + the first letter of the name in front of the two key parts. Sounds a little bit strange, therefore an example:

name: M.o.D. ( you )
key : V4M-first part-second part (V4y-first part-second part)

Yeah, that's it. Program successfully cracked :) !!
Now comes the Delphi 5 source of the key calculation:

////////////////////////////////////////// cut here /////////////////////////////////////////

procedure calculatekey;
var
  i, sn, tmp : integer;
  name       : String;
begin
  // edit1.text contains the username
  if length(edit1.text) = 0 then
  begin
    // error that no name was entered; leave here, otherwise edit1.text[1] below is out of range
    ShowMessage('Please enter a name');
    Exit;
  end;
  // the program prepends "PCA21" to the name before calculating
  name := 'PCA21' + edit1.text;
  sn := 0; tmp := 0;
  for i := 1 to length(name) do
  begin
    // ascii value * 18 ( the *2 and *9 from the disassembly ) plus the 1-based position
    tmp := ord(name[i]) * 18 + i;
    sn := sn + tmp;
  end;
  // first part: sum + 300000; second part: first part - 165200
  sn := sn + 300000;
  edit2.text := 'V4' + edit1.text[1] + '-' + inttostr(sn) + '-' + inttostr(sn - 165200);
end;

////////////////////////////////////////// cut end //////////////////////////////////////////

For questions and/or comments mail me : MoD_f2f@gmx.net

to be continued...

cu M.o.D.

ps: english isn't my mother tongue !
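Added here as an illustration of why the scheme above falls so easily, not part of the tutorial and not code from the program's vendor: the serial is a pure function of the user name and of constants stored in the executable, so anyone who reads the binary computes the same value the program does. The block puts the tutorial's scheme beside a keyed alternative in which the key is an HMAC over the name under a secret that never ships in the client. The names `page_scheme_key`, `issue_key`, `verify_key`, the `V5-` prefix and `VENDOR_SECRET` are constructed for this example.

```python
import hashlib
import hmac


def page_scheme_key(name: str) -> str:
    """The PC-Adreßzz! v4.x serial exactly as the tutorial recovers it.

    Every input is public (the name, "PCA21", 18, 300000, 165200), which is
    why a debugger session is all that is needed to reproduce it.
    """
    if not name:
        raise ValueError("name must not be empty")
    padded = ("PCA21" + name).encode("latin-1")   # Delphi 5 strings are single-byte
    sn = sum(b * 18 + i for i, b in enumerate(padded, start=1))
    first = sn + 300000
    second = first - 165200
    return f"V4{name[0]}-{first}-{second}"


def page_scheme_check(name: str, key: str) -> bool:
    """What the program's check amounts to: recompute and compare."""
    return key == page_scheme_key(name)


# Hardened alternative (constructed): the key is a keyed MAC over the name.
# The secret lives only on the vendor's issuing/activation server, so the
# client binary contains nothing from which valid keys can be derived.
def issue_key(name: str, secret: bytes) -> str:
    tag = hmac.new(secret, name.encode("utf-8"), hashlib.sha256).hexdigest()
    return "V5-" + tag[:24].upper()


def verify_key(name: str, key: str, secret: bytes) -> bool:
    # constant-time compare so the check does not leak how many characters matched
    return hmac.compare_digest(issue_key(name, secret), key)


def forgery_succeeds_without_secret(name: str, real_secret: bytes, wrong_secret: bytes) -> bool:
    """Does a key computed with a guessed secret pass verification? (It should not.)"""
    return verify_key(name, issue_key(name, wrong_secret), real_secret)


if __name__ == "__main__":
    VENDOR_SECRET = b"constructed-demo-secret-not-a-real-one"  # constructed for this example
    print(page_scheme_key("M.o.D."))                              # reproducible from the name alone
    print(page_scheme_check("M.o.D.", page_scheme_key("M.o.D.")))  # True
    print(forgery_succeeds_without_secret("M.o.D.", VENDOR_SECRET, b"guess"))  # False
```

Because `verify_key` needs the secret, the check belongs on the vendor's activation server rather than in the client; if offline verification is required, the same design carries over to a public-key signature (the client holds only the public key), which is what the HMAC stands in for here.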