:00412610 53                      push ebx
:00412611 8B442414                mov eax, dword ptr [esp+14]
:00412615 0BC0                    or eax, eax
:00412617 7518                    jne 00412631
:00412619 8B4C2410                mov ecx, dword ptr [esp+10]
:0041261D 8B44240C                mov eax, dword ptr [esp+0C]
:00412621 33D2                    xor edx, edx
:00412623 F7F1                    div ecx
:00412625 8B442408                mov eax, dword ptr [esp+08]
:00412629 F7F1                    div ecx
:0041262B 8BC2                    mov eax, edx
:0041262D 33D2                    xor edx, edx
:0041262F EB50                    jmp 00412681
This is the last part of the key generation.
This call does the following: it takes the magic
number calculated from the name and divides it by A (=10). The
remainder is in the interval 0..10 and is the serial number. The result
is stored and then reused in the next step. An example will show you everything.
The magic number was created by Ignatz and is
2FACE:
2FACE div A = 4C47 ... this is used in the next calculation
4C47 div A = 7A0 ... and so on
7A0 div A = C3
C3 div A = 13
13 div A = 1
1 div A = 0 ... this marks the end.
Now let's look at the remainders:
2FACE mod A = 8 (it's all in hex. Don't forget)
4C47 mod A = 7
7A0 mod A = 2
C3 mod A = 5
13 mod A = 9
1 mod A = 1 ... this marks the end.
Now, reading the results starting with the last
one we got, we get 195278. This is the correct serial! OK, so now all we
have to do is find the call which calculates the magic number.
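The two div ecx instructions in the listing and the division table above, as an added C example that is not part of the original tutorial. The names rem64_by_32 and to_decimal are hypothetical, and reading the listing as the zero-high-dword path of a 64-bit unsigned remainder helper is an assumption based on its stack offsets.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Remainder of a 64-bit value divided by a 32-bit divisor, built from two
 * 32-bit-wide steps like the two `div ecx` in the listing (assumed to be
 * the path taken when the divisor's high dword at [esp+14] is zero). */
static uint32_t rem64_by_32(uint64_t dividend, uint32_t divisor)
{
    uint32_t hi = (uint32_t)(dividend >> 32);  /* [esp+0C] */
    uint32_t lo = (uint32_t)dividend;          /* [esp+08] */
    uint32_t r  = hi % divisor;                /* 1st div: edx = hi mod ecx */
    /* 2nd div: edx:eax = r:lo, the final remainder ends up in edx */
    return (uint32_t)((((uint64_t)r << 32) | lo) % divisor);
}

/* Decimal text by repeated division by 10 (0xA). The remainders arrive
 * lowest digit first, so they are reversed into `out`.
 * Returns the number of digits, or 0 if `out` is too small. */
static size_t to_decimal(uint64_t value, char *out, size_t outlen)
{
    char tmp[21];                 /* 2^64-1 has 20 decimal digits */
    size_t n = 0;

    do {
        tmp[n++] = (char)('0' + rem64_by_32(value, 10));
        value /= 10;              /* quotient feeds the next round */
    } while (value != 0);         /* quotient 0 marks the end */

    if (n + 1 > outlen)
        return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = tmp[n - 1 - i];
    out[n] = '\0';
    return n;
}

int main(void)
{
    char buf[24];
    to_decimal(0x2FACE, buf, sizeof buf);   /* value from the tutorial */
    printf("%s\n", buf);
    return 0;
}
```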
How to find this section? Well, one possibility
is to see where in memory the real serial is kept. To do this, you just
need to take a look at the registers. If you see a suspicious call, then
right-click the regs and see what they have inside. If it's the serial,
then step through the code again and watch the place in memory where
the serial will be stored. When it appears after a call, you know that you
have to follow this call. Follow until you see the characters appearing
one by one. Then you have found the last part of the keygen. There are several
other methods. Take a stroll around and read other tutorials to find them.
Also try to develop your own methods.
GOOD LUCK! ('cause I ain't got the time to do this)
(Watch the push esi and a mov eax, esi before the call described above)