-----------------------------------------------------+
This information is for educational purposes only!   |
-----------------------------------------------------+

Welcome to Gizmo's Cracking Tutorial #12!

Target:		Melody 1.5  (www.lighttek.com)
Protection: 	Name/Serial
Solution: 	Keygen
Toolz Needed:	Softice
		Your favourite programming language

In the last few weeks i learned a lot about keygenning.. now i wanna teach you to write your own little keygen! The target isn't very hard, but for beginners it's just right! So, what more should i say? Nothing.. so let's start!

Ok, start Melody... click on the "?" and then on "Register Your Copy Now!".
Now the program asks you for a Name and a Registration Code...
Hmm, let's enter following things:

Name:			Gizmo
Registration Code:	98765

now press OK.. "Invalide Registration name or code. Try again.".. ok, that's what we'll do.. we'll try again.. but with the help of SoftIce!
Enter SoftIce (Ctrl+D) and set a breakpoint on hmemcpy..

bpx hmemcpy

Now press Ctrl+D again and click OK in Melody... SoftIce breaks! Now the interesting thing...
You're in SoftIce.. but what now? I'll tell you.. press Ctrl+D as often as you can before you're back in Melody (3 times, because at the 4th you're back in Melody at the annoying messagebox). Ok, we pressed 3 times..
Now we see that at the bottom of our screen there is a "Kernel..."! What does that mean? It means that we're in the Kernel.Dll.. but we wanna crack Melody and not Kernel ;) so let's press F12 a few times, till we're in Melody.. After pressing F12 7 times, i found "Melody..." at the bottom of my screen. Now we are right!!!
After pressing F10 some times and tracing through some returns, i found myself at this point:

0044734F	33F6			xor esi, esi				; esi = empty
00447351	8B45F8			mov eax, dword ptr [ebp-08]		; gets our name in eax
00447354	E86BC8FBFF		call 00403BC4				; gets length of our name
00447359	85C0			test eax, eax				; not important
0044735B	7E13			jle 00447370				; not important
0044735D	BA01000000		mov edx, 00000001			; move edx -> 1
00447362	8B4DF8			mov ecx, dword ptr [ebp-08]		; gets our name in ecx      <---------
00447365	0FB64C11FF		movzx ecx, byte ptr [ecx+edx-01]	; gets 1st char of our name           |
0044736A	03F1			add esi, ecx				; ascii value of 1st char is          | 
										  added to esi                        |
0044736C	42			inc edx					; edx is increased by one             |
0044736D	48			dec eax					; eax is decreased by one             |
0044736E	75F2			jne 00447362				; is there a next char? if yes jump  -
00447370	8975EC			mov [ebp-14], esi			; esi = ebp-14 - not important
00447373	DB45EC			fild dword ptr [ebp-14]			; not important 
00447376	E84DB6FBFF		call 004029C8				; the sum of all ascii values ends up in eax
0044737B	8BD0			mov edx, eax				; edx = eax
0044737D	C1E007			shl eax, 07				; shift logical left, 07
00447380	03C2			add eax, edx				; edx is added to eax
00447382	8BF0			mov esi, eax				; eax = esi
00447384	3B75FC			cmp esi, dword ptr [ebp-04]		; not important
00447387	0F85C9000000		jne 00447456				; not important

So, what happens here??? lemme explain..
The important parts are the following ones:

00447365	0FB64C11FF		movzx ecx, byte ptr [ecx+edx-01]	; gets 1st char of our name           |
0044736A	03F1			add esi, ecx				; ascii value of 1st char is          | 
										  added to esi                        |

The ascii value of the first char of our name is added to esi...
Then the ascii value of the second char is added to esi...
Go on, till we have all chars.. (jne)

Then there's the following:

0044737D	C1E007			shl eax, 07				; shift logical left, 07

puh, i don't know how to explain this well.. as it says, a logical shift left of eax by 7 bits.. which is the same as multiplying eax by 2^7 = 128 .. the only thing i know is the VB command for it (what more do i need? ;) .. btw: big thx to ACiD BuRN).
And last but not least, there's the following code:

00447380	03C2			add eax, edx				; edx is added to eax

edx contains the result of the addition of all ascii values of our name.. and this is added to eax, which is the result of the shl, 07. So the final value is sum + sum*128, which is just the sum of the ascii values times 129.

If we now do a "? eax" we can see our REAL serial =) congratz.. you have your serial.. but we wanna make a keygen..
So, what do we have to do?
I'll explain the steps again:

1. Get the ascii value of every char of the name and add it to esi
2. Shl, 07 the result (multiply it by 128)
3. Add the result of the value calculation (step 1) to the result of the shl calculation (step 2)..

That's ALL!

go and write your keygen.. i included the source in VB (i know vb sux.. but it's the only language i can code in ;))

---------------------------------- Code snippet ----------------------------------
Private Sub Command1_Click()
    Dim i As Long, Serial As Long, Serial2 As Long
    For i = 1 To Len(Text1.Text)                     ' i = 1 till length of name
        Serial = Serial + Asc(Mid(Text1.Text, i, 1)) ' get ascii value of i'th char
    Next i                                           ' jump to next char
    Serial2 = Serial * 2 ^ 7                         ' it's the SHL, 07 !!! (^ binds tighter than *, so this is Serial * 128)
    Serial = Serial + Serial2                        ' add the result of the 1st calculation to the result of the 2nd
    Text2.Text = Serial                              ' display the real serial!
End Sub
---------------------------------- Code snippet ----------------------------------

I know this code isn't very good, but i made it like this because it's clearer to learn from...
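The check that the disassembly above describes, modelled in Python as an added example (this is neither Melody's code nor the VB snippet above): it computes the value the program compares at 00447384 and shows why a plain byte-sum check is weak, because every name with the same byte sum (any reordering of the name, and plenty of unrelated names) gets the same code. The sample names are constructed.

```python
# Model of the name/code check from the tutorial's disassembly (added example).
# eax/esi are 32-bit registers, so every intermediate value is masked to 32 bits.
MASK32 = 0xFFFFFFFF


def byte_sum(name: str) -> int:
    """Loop 00447362..0044736E: add the byte value of every char into esi."""
    total = 0
    # assumption: the name is single-byte Windows ANSI text, so latin-1 bytes
    for b in name.encode("latin-1"):
        total = (total + b) & MASK32
    return total


def expected_code(name: str) -> int:
    """shl eax,7 then add eax,edx: eax = sum*128 + sum = sum*129 (mod 2^32)."""
    s = byte_sum(name)
    return ((s << 7) + s) & MASK32


def validate(name: str, code: str) -> bool:
    """cmp esi,[ebp-04]: the computed value must equal the code the user typed."""
    try:
        entered = int(code)
    except ValueError:
        return False
    return expected_code(name) == (entered & MASK32)


def collisions(names):
    """Group names the check cannot tell apart (identical byte sum)."""
    groups = {}
    for n in names:
        groups.setdefault(expected_code(n), []).append(n)
    return {code: group for code, group in groups.items() if len(group) > 1}


if __name__ == "__main__":
    # constructed sample input: "Gozmi" reorders "Gizmo"; "Alice"/"Celia" only
    # share a byte sum, yet both pairs receive exactly the same code
    print(expected_code("Gizmo"))
    print(collisions(["Gizmo", "Gozmi", "Alice", "Celia", "Bob"]))
```

Because the code is a linear function of one small number, the name contributes almost nothing: any two names whose character values add up to the same total are interchangeable, which is the reason such a scheme cannot bind a code to a specific user.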

I hope you learned a bit.. if you have questions, CONTACT ME!

e-mail: e-mailGIZMO@gmx.net
EFNET:  #learn2crack
www:    http://learn2crack.de.vu

C ya

oh.. the greetz ;)
aDENOZiN, ACiD_BuRN, cheekey, Ghostman 1999, sEVanD0, Berserka, Flagg, PlAyEr, Prof_X, The Professor, scarabaeus, 
sToReMaStEr, SiONiDE, The AntiXryst, WeaxWeasel, skorpien, sn00pee, [iNC], CyberBlade, Jane, Intern, Chafe, iNFERNo, tHE eG0iSTE, b00m', CPiRe, MasterJax, sHI, s0NiK, viny, Peegee, xerberus, Smakker...

if i forgot you, sorry.. tell me that you weren't here ;)

and all ppl in #learn2crack and #gwa!

Bye
	Gizmo