---------------------------------------
How to make a keygen for Second Copy 97
---------------------------------------

Cracker:    stealthFIGHTER
Target:     Second Copy 97 v5.10
Tools:      Soft-Ice, Delphi, Brain
Where:      http://www.centered.com
Protection: Name/serial

--------------------------------------------------
Sorry for my English, it's not my mother language.
--------------------------------------------------

----------------
===[ Step 1 ]===
----------------

=======================================================================
Run program >> Go to registration >> Fill input boxes >> Go to Soft-Ice
and set breakpoint bpx hmemcpy and go back >> OK - Soft-Ice breaks >>
disable the breakpoint (bd *) and trace till you come here (main
entrypoint of the keygen routine):
=======================================================================

:00457E3E  CALL 0045744C         ; Press F8 to enter the CALL
:00457E43  MOV ESI, EAX
:00457E45  TEST ESI, ESI
:00457E47  JLE 00457872

=======================================================================
Once you have entered the CALL 0045744C (= calc. routine), trace till
you are here:
=======================================================================

:00457474  CALL 00403668         ; Get length of our fake serial number
:00457479  CMP EAX, 0E           ; Compare it with $E (=14)
:0045747C  JNZ 00457523          ; If it's different, jump to bad cracker

=======================================================================
Continue tracing:
=======================================================================

:
:004574A7  CALL 0040386C         ; Our fake serial (type D EAX)
:
:004574B4  CALL 004036B4         ; First 4 chars of the fake serial (type D EDX)
:
:004574BF  CALL 0045766C         ; 4 chars + our name (type D EAX) - enter the CALL
:
:004574CA  CALL 00403778         ; Compare our serials
:004574CF  JNZ 0045751F          ; If bad >> jump
:

=======================================================================
Once you have entered the CALL 0045766C (when you type D EDX you will
see the first 4 chars of your fake serial + your name >> this is the
string the serial is calculated from; I've got: 1122stealthFIGHTER),
trace here:
=======================================================================

:
:004576C4  MOVZX EAX, BYTE PTR [EDX+EAX-01]  ; Line #1
:004576C9  IMUL EBX                          ; Line #2
:004576CB  ADD EAX, [00464B00]               ; Line #3
:
:004576EF  DEC DWORD PTR [EBP-18]            ; Decrease counter of our string
:004576F2  JNZ 004576B0                      ; If it was last char continue
:

=======================================================================
I think it's easy to find a serial, so I will describe only the keygen.
=======================================================================

Keygen:

1) Move the 1st char of our string (first 4 chars of fake num. + name)
   into EAX (beginning of the loop)

      for i := 1 to length(name2) do
      begin
        eax := Ord(name2[i]);

2) Multiply the value in EAX by the value in EBX and move it into EAX.
   The first time, EBX contains $7ECA in HEX (=32458 in Decimal)

        eax := eax * ebx;

3) Add the value from [00464B00] (it still contains $7ECA) to EAX

        eax := eax + 32458;

4) Do this loop x times (x = length of the [1st 4 chars + name])

5) After the loop, convert the serial to HEX

6) Insert '-' in the middle of the serial (e.g. 1234-ABCD)

7) Take the 1st 5 chars of the fake serial + 2nd part of the serial
   (in HEX)

8) Display serial

=======================================================================

--------------------------
===[ Source of keygen ]===
--------------------------

=======================================================================

Procedure TForm1.Keygen;
Var
  code, name, name2, part, temp : String;
  i, eax, ebx : integer;
begin
  name  := Edit1.text;              { user name }
  code  := Edit2.text;              { fake serial typed by the user }
  part  := copy(code, 1, 4);        { first 4 chars of the fake serial }
  name2 := part + name;             { string the serial is calculated from }

  ebx := 32458;                     { $7ECA, initial multiplier }

  for i := 1 to length(name2) do
  begin
    eax := Ord(name2[i]);           { Line #1: current char }
    eax := eax * ebx;               { Line #2: IMUL EBX }
    eax := eax + 32458;             { Line #3: ADD EAX, [00464B00] }
    ebx := eax;                     { result is the multiplier for the next char }
  end;

  temp := inttohex(ebx, 1);         { convert the result to HEX }
  insert('-', temp, 5);             { insert '-' in the middle }
  Edit3.Text := copy(Edit2.text, 1, 5) + temp;
end;

=======================================================================
Any comments or mistakes are welcome at: stealthfighter@another.com
=======================================================================