Welcome to Gizmo's Cracking Tutorial #12!

Target: Melody 1.5 (www.lighttek.com)
Protection: Name/Serial
Solution: Keygen
Tools needed: SoftICE, your favourite programming language

In the last weeks I learned a lot about keygenning, and now I want to teach you to write your own little keygen! The target isn't very hard, but for beginners it's just right. So, what more should I say? Nothing, so let's start!

Ok, start Melody, click on the "?" and then on "Register Your Copy Now!". Now the program asks you for a Name and a Registration Code. Let's enter the following:

Name: Gizmo
Registration Code: 98765

Now press OK: "Invalide Registration name or code. Try again.". Ok, that's what we do, we try again, but with the help of SoftICE! Enter SoftICE (STRG+D, i.e. Ctrl+D) and set a breakpoint on hmemcpy:

bpx hmemcpy

Now press STRG+D again and click OK in Melody. SoftICE breaks! Now the interesting part: you're in SoftICE, but what now? I'll tell you: press STRG+D as often as you can before you're back in Melody (3 times, because at the 4th you're back in Melody at the annoying message box). Ok, we pressed 3 times. Now we see a "Kernel..." at the bottom of our screen! What does that mean? It means we're in Kernel.dll, but we want to crack Melody and not Kernel ;) so let's press F12 a few times until we're in Melody. After pressing F12 7 times, I found "Melody..." at the bottom of my screen. Now we are right!!!
After pressing F10 some times and tracing through some returns, I found myself at this point:

0044734F 33F6          xor esi, esi                      ; esi = 0
00447351 8B45F8        mov eax, dword ptr [ebp-08]       ; gets our name in eax
00447354 E86BC8FBFF    call 00403BC4                     ; gets the length of our name
00447359 85C0          test eax, eax                     ; not important
0044735B 7E13          jle 00447370                      ; not important
0044735D BA01000000    mov edx, 00000001                 ; edx = 1
00447362 8B4DF8        mov ecx, dword ptr [ebp-08]       ; gets our name in ecx (loop start)
00447365 0FB64C11FF    movzx ecx, byte ptr [ecx+edx-01]  ; gets 1st char of our name (next ones on later passes)
0044736A 03F1          add esi, ecx                      ; ascii value of the char is added to esi
0044736C 42            inc edx                           ; edx is increased by one
0044736D 48            dec eax                           ; eax is decreased by one
0044736E 75F2          jne 00447362                      ; is there a next char? if yes, jump back (loop end)
00447370 8975EC        mov [ebp-14], esi                 ; [ebp-14] = esi - not important
00447373 DB45EC        fild dword ptr [ebp-14]           ; not important
00447376 E84DB6FBFF    call 004029C8                     ; all ascii values are added to eax
0044737B 8BD0          mov edx, eax                      ; edx = eax
0044737D C1E007        shl eax, 07                       ; shift logical left, 07
00447380 03C2          add eax, edx                      ; edx is added to eax
00447382 8BF0          mov esi, eax                      ; esi = eax
00447384 3B75FC        cmp esi, dword ptr [ebp-04]       ; not important
00447387 0F85C9000000  jne 00447456                      ; not important

So, what happens here??? Let me explain. The important parts are the following ones:

00447365 0FB64C11FF    movzx ecx, byte ptr [ecx+edx-01]  ; gets 1st char of our name
0044736A 03F1          add esi, ecx                      ; ascii value of 1st char is added to esi

The ascii value of the first char of our name is added to esi. Then the ascii value of the second char is added to esi, and so on until we have all chars (the jne loops back). Then there's the following:

0044737D C1E007        shl eax, 07                       ; shift logical left, 07

Puh, I don't know how to explain this... hmm, as it says, a logical shift left of eax by the value 7. The only thing I know is the VB command for it (what more do I need? ;) btw: big thx to ACiD BuRN).
And last but not least, there's the following code:

00447380 03C2          add eax, edx                      ; edx is added to eax

edx contains the result of the addition of all ascii values of our name, and this is added to eax, which is the result of the shl, 07. If we now do a "? eax" we can see our REAL serial =) Congratz, you have your serial. But we want to make a keygen, so what do we have to do? I'll explain the steps again:

1. Get every ascii value and add it to esi
2. Shl, 07 the result
3. Add the result of the value calculation to the result of the shl calculation

That's ALL! Go and write your keygen. I included the source for VB (I know VB sux, but it's the only language I can code in ;))

---------------------------------- Code snippet ----------------------------------
Private Sub Command1_Click()
    Dim i As Long, Serial As Long, Serial2 As Long
    For i = 1 To Len(Text1.Text)                     ' i = 1 till length of name
        Serial = Serial + Asc(Mid(Text1.Text, i, 1)) ' get ascii value of i'th char
    Next i                                           ' jump to next char
    Serial2 = Serial * 2 ^ 7                         ' it's the SHL, 07 !!!
    Serial = Serial + Serial2                        ' add the result of the 1st calculation to the result of the 2nd
    Text2.Text = Serial                              ' display the real serial!
End Sub
---------------------------------- Code snippet ----------------------------------

I know this code isn't very good, but I made it like this because it's clearer to learn from. I hope you learned a bit. If you have questions, CONTACT ME!

e-mail: GIZMO@gmx.net
EFNET: #learn2crack
www: http://learn2crack.de.vu

C ya

Oh, the greetz ;) aDENOZiN, ACiD_BuRN, cheekey, Ghostman 1999, sEVanD0, Berserka, Flagg, PlAyEr, Prof_X, The Professor, scarabaeus, sToReMaStEr, SiONiDE, The AntiXryst, WeaxWeasel, skorpien, sn00pee, [iNC], CyberBlade, Jane, Intern, Chafe, iNFERNo, tHE eG0iSTE, b00m', CPiRe, MasterJax, sHI, s0NiK, viny, Peegee, xerberus, Smakker... if I forgot you, sorry, tell me that you weren't here ;) and all ppl in #learn2crack and #gwa!

Bye Gizmo
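As an added appendix to the three steps above (this is not the tutorial's own code), here is the traced instruction sequence written out in Python, once as the literal register operations and once as the closed form, to show what the check reduces to and why it is weak: the serial is a pure function of the byte sum of the name, so shl 7 plus add is just a multiply by 129, and any two names with the same byte sum get the same serial. The 32-bit masking assumes eax is a 32-bit register; the name is encoded as single bytes as the movzx does.

```python
MASK32 = 0xFFFFFFFF  # eax/esi/edx are 32-bit registers


def byte_sum_trace(name: str) -> int:
    """Loop 00447362-0044736E: esi accumulates one byte of the name per pass."""
    esi = 0
    for ecx in name.encode("latin-1"):  # movzx ecx, byte ptr [ecx+edx-01]
        esi = (esi + ecx) & MASK32      # add esi, ecx
    return esi


def serial_trace(name: str) -> int:
    """Instructions 0044737B-00447380 applied to the byte sum."""
    edx = byte_sum_trace(name)          # mov edx, eax  (eax holds the sum)
    eax = (edx << 7) & MASK32           # shl eax, 07
    eax = (eax + edx) & MASK32          # add eax, edx
    return eax                          # this is what "? eax" shows


def serial_closed_form(name: str) -> int:
    """Same value as one formula: (s << 7) + s == s * 128 + s == s * 129."""
    return (sum(name.encode("latin-1")) * 129) & MASK32


def same_serial(name_a: str, name_b: str) -> bool:
    """True when two names collide, e.g. any two anagrams of each other."""
    return serial_trace(name_a) == serial_trace(name_b)


if __name__ == "__main__":
    # "Gizmo" is the name used in the tutorial: G=71 i=105 z=122 m=109 o=111
    for n in ("Gizmo", "ozmiG"):
        print(n, byte_sum_trace(n), serial_trace(n), serial_closed_form(n))
```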