How to keygen PC-Adreßzz! v4.x
                              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                     by M.o.D. [F2F]

tools used  :   - SoftIce 4.05  ( protools.cjb.net )
                - Delphi 5      ( for the Keygen   )
                - pen & paper   ( optional :)      )


Ok, let's start!

Click on "Extras" and "Registration". We see a nice register box where we can enter our name
and serial. Press Ctrl+D to fire up SI and set a breakpoint on hmemcpy ( bpx hmemcpy ). Leave
SI by pressing F5, enter your name and "1122334455" as the serial. Press the OK button and
we're back in SI. Press F5 and we break again on hmemcpy: the program grabbed our name
first and then our serial. Now press F12 14 times to get back into the target program, then
trace down (F10) to line "4834A5".
You should see this code:

004834A5 E8FAC7FFFF  call 0047FCA4 -> calculates the key and checks it :)
004834AA 5A          pop edx
004834AB 0AD0        or dl, al
004834AD 7422        je 004834D1   -> good guy / bad guy jump

Now clear your breakpoints ( bc * ) and set one at the keycheck call ( bpx 4834A5 ). Press F5
to leave SI and press the OK button in the registration box again. We break at line "4834A5".
Now press F8 to step inside the call. It's time to start understanding the key calculation.
In SI we're at line "47FCA4". To save some time, set a breakpoint a bit further down at
line "47FD22" ( bpx 47FD22 ): here the real fun starts :)! Press F5 to leave SI and click
on the OK button again.
You should see the following code:

0047FD22 8B55FC      mov edx, dword ptr [ebp-04] -> type "d edx" and you see "PCA21"
0047FD25 E8CA40F8FF  call 00403DF4               -> string concatenation
0047FD2A 33DB        xor ebx, ebx                -> ebx = 0, the running sum
0047FD2C 8B45EC      mov eax, dword ptr [ebp-14] -> type "d eax"

If you typed "d eax" at line "0047FD2C" you see "PCA21[our name]" in the data window. That
means the program prepends "PCA21" to our name before the real key calculation starts.
So we can note as the first part of the keygen: put "PCA21" in front of the name!
Now comes the real calculation ( sn and tmp are only there for the explanation ):

0047FD42 0FB64C01FF    movzx ecx, byte ptr [ecx+eax-01] -> character from "PCA21[our name]" (eax = 1-based position)
0047FD47 03C9          add ecx, ecx                     -> tmp=ascii-value*2
0047FD49 8D0CC9        lea ecx, dword ptr [ecx+8*ecx]   -> tmp=tmp*9  (so tmp=ascii-value*18)
0047FD4C 03D9          add ebx, ecx                     -> sn=sn+tmp
0047FD4E 03D8          add ebx, eax                     -> sn=sn+position of the character
0047FD50 40            inc eax                          -> go to the next character
0047FD51 4A            dec edx                          -> edx contains the length of "PCA21+Name"
0047FD52 75EB          jne 0047FD3F                     -> loop until the last character is reached

Ok, here we see the calculation of the first part of our key:
For every character of "PCA21[our name]" the program takes the ASCII value, multiplies it
by 18, adds the 1-based position of the character ( add ebx, eax ) and sums all of these
up. The result is stored in EBX!
Now we trace to line "0047FD71".
We see this:

0047FD71 8DB3E0930400  lea esi, dword ptr [ebx+000493E0] -> add 0x493E0 = 300000 to EBX!

Remember that EBX contains the result of the calculation above. The program adds 300000
( 0x493E0 ) to it and we have the first part of the key :).
The second part of the key is calculated at line "0047FD93".
Code:

0047FD93 2D50850200  sub eax, 00028550 -> EAX contains the first part of the key

The program subtracts 0x28550 = 165200 from the first part of our key and we have the second part.
Ok, we are nearly ready.
First the program puts a "-" between the two parts of the key ( first part "-" second part ).
Last step: the program puts "V4" plus the first letter of the name and another "-" in front
of the two key parts. Sounds a little strange, therefore an example:
name: M.o.D.   ( you )
key : V4M-first part-second part   ( V4y-first part-second part )

Yeah, that's it. Program successfully cracked :) !!
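Here is the whole scheme once more as a small Python keygen plus a checker. This is an added
example for this write-up, not the tutorial's own Delphi code and not code from PC-Adreßzz!;
function names, the hex constants written out and the use of Latin-1 for single-byte
characters are my own choices. The loop body is written instruction by instruction so it can be
compared against the disassembly at 0047FD42.

```python
# Keygen / serial checker for PC-Adreßzz! v4.x, rebuilt from the disassembly
# in the tutorial (loop 0047FD42..0047FD52, lea at 0047FD71, sub at 0047FD93).
# Added example, not the tutorial's Delphi source; names below are my own.

PREFIX = "PCA21"          # the program prepends this to the name ("d eax" at 0047FD2C)
OFFSET_FIRST = 0x493E0    # lea esi,[ebx+000493E0]  -> 300000
OFFSET_SECOND = 0x28550   # sub eax,00028550        -> 165200


def checksum(name: str) -> int:
    """Replicates the loop at 0047FD42..0047FD52.

    ebx accumulates ascii*18 + position, where the position (eax) is 1-based
    and edx counts down the length of "PCA21"+name.
    """
    # Assumption: the program reads one byte per character (Windows ANSI),
    # so encode as Latin-1 instead of working on Unicode code points.
    data = (PREFIX + name).encode("latin-1")
    ebx = 0
    for eax, ch in enumerate(data, start=1):
        ecx = ch                # movzx ecx, byte ptr [ecx+eax-01]
        ecx += ecx              # add ecx, ecx            -> *2
        ecx += 8 * ecx          # lea ecx, [ecx+8*ecx]    -> *9  (total *18)
        ebx += ecx              # add ebx, ecx
        ebx += eax              # add ebx, eax            -> + position
    return ebx


def make_key(name: str) -> str:
    """Builds "V4" + first letter + "-" + first part + "-" + second part."""
    if not name:
        raise ValueError("a name is required")
    first = checksum(name) + OFFSET_FIRST      # 0047FD71
    second = first - OFFSET_SECOND             # 0047FD93
    return f"V4{name[0]}-{first}-{second}"


def check_key(name: str, serial: str) -> bool:
    """What the call at 0047FCA4 effectively decides: recompute and compare."""
    return bool(name) and serial == make_key(name)


if __name__ == "__main__":
    for n in ("M.o.D.", "A"):
        print(n, "->", make_key(n))
```

For the name "M.o.D." the sum over "PCA21M.o.D." is 705*18 + (1+...+11) = 12756, which gives
the key V4M-312756-147556; feeding a serial like "1122334455" into check_key() simply returns
False, exactly as the je at 004834AD would send you down the bad-guy path.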

Now comes the Delphi 5 source of the key calculation:

////////////////////////////////////////// cut here /////////////////////////////////////////

procedure calculatekey;
var         i, sn, tmp     : integer;
            name           : String;
begin
  // edit1.text contains the username, edit2.text receives the key
  if length(edit1.text) = 0 then
  begin
    // error that no name was entered; leave before edit1.text[1] is read
    Exit;
  end;
  // the program prepends "PCA21" to the name before the calculation
  name := 'PCA21' + edit1.text;
  sn := 0; tmp := 0;
  for i := 1 to length(name) do
  begin
    // loop at 0047FD42: ascii-value*18 plus the 1-based position of the character
    tmp := ord(name[i])*18 + i;
    sn := sn + tmp;
  end;
  // lea esi,[ebx+493E0h]: first part = sum + 300000
  sn := sn + 300000;
  // sub eax,28550h: second part = first part - 165200
  edit2.text := 'V4' + edit1.text[1] + '-' + inttostr(sn) + '-' + inttostr(sn - 165200);
end;

////////////////////////////////////////// cut end //////////////////////////////////////////

For questions and/or comments mail me: MoD_f2f@gmx.net

to be continued...

cu 
M.o.D.

ps: English isn't my mother tongue!