system mechanic 3.0 stuff for a keygen, play with softice and you will be rewarded...

please scroll through the following deadlisting, and the whole algo will be revealed, with a
running commentary on the progress of our license code...



* Referenced by a CALL at Addresses:
|:004AC731   , :004AC771   , :004AC7B1   , :004B3EF1   , :004B3F6D   
|:004B3FE9   
|
:004B40B0 55                      push ebp
:004B40B1 8BEC                    mov ebp, esp
:004B40B3 83C4E4                  add esp, FFFFFFE4
:004B40B6 53                      push ebx
:004B40B7 56                      push esi
:004B40B8 57                      push edi
:004B40B9 33DB                    xor ebx, ebx
:004B40BB 895DE8                  mov dword ptr [ebp-18], ebx
:004B40BE 895DF0                  mov dword ptr [ebp-10], ebx
:004B40C1 895DEC                  mov dword ptr [ebp-14], ebx
:004B40C4 894DF4                  mov dword ptr [ebp-0C], ecx
:004B40C7 8955F8                  mov dword ptr [ebp-08], edx
:004B40CA 8945FC                  mov dword ptr [ebp-04], eax
:004B40CD 8B45FC                  mov eax, dword ptr [ebp-04]
:004B40D0 E873FEF4FF              call 00403F48
:004B40D5 33C0                    xor eax, eax
:004B40D7 55                      push ebp
:004B40D8 68FF424B00              push 004B42FF
:004B40DD 64FF30                  push dword ptr fs:[eax]
:004B40E0 648920                  mov dword ptr fs:[eax], esp
:004B40E3 837DF801                cmp dword ptr [ebp-08], 00000001  ; first license
:004B40E7 7505                    jne 004B40EE
:004B40E9 BF11000000              mov edi, 00000011

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B40E7(C)
|
:004B40EE 837DF802                cmp dword ptr [ebp-08], 00000002  ; second license
:004B40F2 7505                    jne 004B40F9
:004B40F4 BF17000000              mov edi, 00000017

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B40F2(C)
|
:004B40F9 837DF803                cmp dword ptr [ebp-08], 00000003  ; third license type ($60)
:004B40FD 7505                    jne 004B4104
:004B40FF BF0C000000              mov edi, 0000000C                 ; value in edi gets inc'ed each letter and
                                                                    ; added to or subtracted from the ascii name..
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B40FD(C)
|
:004B4104 BB21000000              mov ebx, 00000021
:004B4109 EB16                    jmp 004B4121

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B412C(C)
|
:004B410B 8D45E8                  lea eax, dword ptr [ebp-18]
:004B410E 8BD3                    mov edx, ebx
:004B4110 E8A7FBF4FF              call 00403CBC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B40AA(C)
|
:004B4115 8B55E8                  mov edx, dword ptr [ebp-18]
:004B4118 8D45FC                  lea eax, dword ptr [ebp-04]
:004B411B E87CFCF4FF              call 00403D9C
:004B4120 43                      inc ebx       

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B4109(U)
|
:004B4121 8B45FC                  mov eax, dword ptr [ebp-04]
:004B4124 E86BFCF4FF              call 00403D94
:004B4129 83F80A                  cmp eax, 0000000A             ; check name is > 10 chars
:004B412C 7CDD                    jl 004B410B                   ; if not, add a character
:004B412E 8D55E8                  lea edx, dword ptr [ebp-18]   ; starting with '!'....inc char..
:004B4131 8B45FC                  mov eax, dword ptr [ebp-04]
:004B4134 E83733F5FF              call 00407470
:004B4139 8B55E8                  mov edx, dword ptr [ebp-18]
:004B413C 8D45FC                  lea eax, dword ptr [ebp-04]
:004B413F E86CFAF4FF              call 00403BB0                 ; uppercase name..
:004B4144 8B45FC                  mov eax, dword ptr [ebp-04]
:004B4147 E848FCF4FF              call 00403D94
:004B414C 8BF0                    mov esi, eax
:004B414E 85F6                    test esi, esi
:004B4150 7E57                    jle 004B41A9


okay, the above code selects the license type, then checks the length of the name. if it's less
than 10 characters, it starts adding characters, starting with 21h '!': it appends the char to the
end of the name, incs the char (22h, 23h etc.) and checks the length again, looping until the length
is 0Ah. it then makes sure the name is uppercase, and then the serial making can begin..

* Possible Reference to String Resource ID=00001: "&Help"
                                  |
:004B4152 BB01000000              mov ebx, 00000001             ; letter counter

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B41A7(C)
|
:004B4157 8B45FC                  mov eax, dword ptr [ebp-04]   ; pointer to name
:004B415A 8A4418FF                mov al, byte ptr [eax+ebx-01] ; get char from name[count]
:004B415E 3C46                    cmp al, 46                    ; <=46h (jbe taken): add edx to it..
:004B4160 7622                    jbe 004B4184
:004B4162 8B45FC                  mov eax, dword ptr [ebp-04]   ; >46h (falls through): subtract from it
:004B4165 0FB64418FF              movzx eax, byte ptr [eax+ebx-01]
:004B416A 8D143B                  lea edx, dword ptr [ebx+edi]  ; edx=count+magic license value
:004B416D 2BC2                    sub eax, edx                  ; sub from ascii letter
:004B416F 8D55E8                  lea edx, dword ptr [ebp-18]
:004B4172 E8DD38F5FF              call 00407A54                 ; maybe convert it to decimal
:004B4177 8B55E8                  mov edx, dword ptr [ebp-18]
:004B417A 8D45F0                  lea eax, dword ptr [ebp-10]
:004B417D E81AFCF4FF              call 00403D9C                 ; maybe convert it to ascii decimal
:004B4182 EB20                    jmp 004B41A4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B4160(C)
|
:004B4184 8B45FC                  mov eax, dword ptr [ebp-04]
:004B4187 0FB64418FF              movzx eax, byte ptr [eax+ebx-01]
:004B418C 8D143B                  lea edx, dword ptr [ebx+edi]  ; edx=count+magic license value
:004B418F 03C2                    add eax, edx                  ; add it to ascii letter
:004B4191 8D55E8                  lea edx, dword ptr [ebp-18]
:004B4194 E8BB38F5FF              call 00407A54                 ; convert decimal?
:004B4199 8B55E8                  mov edx, dword ptr [ebp-18]
:004B419C 8D45F0                  lea eax, dword ptr [ebp-10]
:004B419F E8F8FBF4FF              call 00403D9C                 ; convert decimal to ascii?

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B4182(U)
|
:004B41A4 47                      inc edi                       ; inc magic license value
:004B41A5 43                      inc ebx                       ; inc letter counter
:004B41A6 4E                      dec esi                       ; dec length
:004B41A7 75AE                    jne 004B4157                  ; loop if letters left..


okay, to put that code simply (pseudo code)
esi = length(name)
x = 0Ch                 (11h or 17h for the first two license types)
count = 1
while esi != 0 do {
  char = name[count-1]
  if char <= 46h then char += (x + count)
  else char -= (x + count)
  append decimal_ascii(char) to serial
  x++; count++; esi--
} end while

heh, can't do high level languages, they're way too complicated..
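picking the loops and jump targets out of a listing by hand is what the commentary above is doing. the following is an added example of mine, not code from R!SC or from this tutorial: a small parser for the W32Dasm deadlisting format used on this page. it reads the `:ADDR BYTES mnemonic operands ; comment` lines and the `Referenced by a ... Jump at Address` headers, finds the backward jumps (the loop back-edges) and cross-checks the listing's own xref annotations against the actual jump operands. the function names (`parse_listing`, `find_loops`, `check_xrefs`) are my own, and the embedded sample is a constructed excerpt of the letter loop above with some instructions left out for brevity.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the letter loop from the listing above (several
# instructions omitted for brevity), in W32Dasm deadlisting format.
LISTING = """\
* Possible Reference to String Resource ID=00001: "&Help"
                                  |
:004B4152 BB01000000              mov ebx, 00000001             ; letter counter

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B41A7(C)
|
:004B4157 8B45FC                  mov eax, dword ptr [ebp-04]   ; pointer to name
:004B415A 8A4418FF                mov al, byte ptr [eax+ebx-01] ; get char from name[count]
:004B415E 3C46                    cmp al, 46
:004B4160 7622                    jbe 004B4184
:004B4162 8B45FC                  mov eax, dword ptr [ebp-04]
:004B416A 8D143B                  lea edx, dword ptr [ebx+edi]
:004B416D 2BC2                    sub eax, edx
:004B4182 EB20                    jmp 004B41A4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B4160(C)
|
:004B4184 8B45FC                  mov eax, dword ptr [ebp-04]
:004B418F 03C2                    add eax, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B4182(U)
|
:004B41A4 47                      inc edi                       ; inc magic license value
:004B41A5 43                      inc ebx                       ; inc letter counter
:004B41A6 4E                      dec esi                       ; dec length
:004B41A7 75AE                    jne 004B4157                  ; loop if letters left..
"""

# One instruction line: ":ADDR BYTES  mnemonic [operands] [; comment]"
INSN_RE = re.compile(
    r"^:(?P<addr>[0-9A-Fa-f]{8})\s+(?P<bytes>[0-9A-Fa-f]+)\s+"
    r"(?P<mnem>[a-z]+)(?:\s+(?P<ops>[^;]*?))?\s*(?:;(?P<comment>.*))?$"
)
XREF_HDR_RE = re.compile(r"^\* Referenced by a .*Jump at Address")
XREF_RE = re.compile(r":([0-9A-Fa-f]{8})\(([UC])\)")
JUMPS = {"jmp", "je", "jne", "jz", "jnz", "jl", "jle", "jg", "jge",
         "jb", "jbe", "ja", "jae"}


@dataclass
class Insn:
    addr: int
    mnem: str
    ops: str
    comment: str
    xrefs: list = field(default_factory=list)  # (source_addr, "U"/"C") from the header


def parse_listing(text):
    """Parse a W32Dasm-style deadlisting into {addr: Insn}.
    Jump xref headers are buffered and attached to the next instruction line."""
    insns, pending, in_hdr = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if XREF_HDR_RE.match(line):
            in_hdr, pending = True, []
            continue
        if in_hdr and line.startswith("|"):
            pending.extend((int(a, 16), k) for a, k in XREF_RE.findall(line))
            continue
        in_hdr = False
        m = INSN_RE.match(line)
        if not m:
            continue  # string-resource notes, blank lines, CALL xrefs etc.
        insn = Insn(int(m["addr"], 16), m["mnem"], (m["ops"] or "").strip(),
                    (m["comment"] or "").strip(), pending)
        insns[insn.addr] = insn
        pending = []
    return insns


def jump_target(insn):
    """Target address of a direct jump, or None for anything else."""
    if insn.mnem in JUMPS and re.fullmatch(r"[0-9A-Fa-f]{8}", insn.ops):
        return int(insn.ops, 16)
    return None


def find_loops(insns):
    """Backward jumps (target below source) are the loop back-edges."""
    return sorted((i.addr, t) for i in insns.values()
                  if (t := jump_target(i)) is not None and t < i.addr)


def check_xrefs(insns):
    """Report listing xrefs whose source does not actually jump to that address,
    or whose (U)/(C) tag disagrees with the source mnemonic."""
    bad = []
    for i in insns.values():
        for src, kind in i.xrefs:
            s = insns.get(src)
            if s is None or jump_target(s) != i.addr or (kind == "U") != (s.mnem == "jmp"):
                bad.append((src, i.addr))
    return bad


if __name__ == "__main__":
    listing = parse_listing(LISTING)
    for src, dst in find_loops(listing):
        print(f"loop {dst:08X} .. {src:08X}: {listing[src].mnem} ; {listing[src].comment}")
    print("xref mismatches:", check_xrefs(listing))
```

on the excerpt it reports one loop, 004B4157 .. 004B41A7 (the `jne` with the "loop if letters left.." comment), and no xref mismatches, since each `(U)`/`(C)` header in the listing agrees with the jump that feeds it. the xref check is the useful bit when a listing has been hand-edited or pasted piecemeal, as deadlistings in tutorials like this one usually are.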


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B4150(C)
|
:004B41A9 BB31000000              mov ebx, 00000031
:004B41AE EB20                    jmp 004B41D0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B41DB(C)
|
:004B41B0 8D45E8                  lea eax, dword ptr [ebp-18]   ; this code obviously adds ascii
:004B41B3 8BD3                    mov edx, ebx                  ; digits to the end of the serial
:004B41B5 E802FBF4FF              call 00403CBC                 ; starting with '1' ('1'..'8', then back to '1')
:004B41BA 8B55E8                  mov edx, dword ptr [ebp-18]
:004B41BD 8D45F0                  lea eax, dword ptr [ebp-10]
:004B41C0 E8D7FBF4FF              call 00403D9C
:004B41C5 43                      inc ebx
:004B41C6 83FB39                  cmp ebx, 00000039
:004B41C9 7505                    jne 004B41D0
:004B41CB BB31000000              mov ebx, 00000031

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B41AE(U), :004B41C9(C)
|
:004B41D0 8B45F0                  mov eax, dword ptr [ebp-10]   ; ascii decimal code we just created
:004B41D3 E8BCFBF4FF              call 00403D94                 ; get length
:004B41D8 83F814                  cmp eax, 00000014             ; is it >= 14h ? (20 decimal)
:004B41DB 7CD3                    jl 004B41B0           ; of course it is: 10 characters, each converted to decimal, is a minimum of
                                                        ; 2 characters per number, 10*2=20..
                                                        ; 'A'=41h=65 decimal= '65' ascii, 2 chars


okay, that code checks that the length of the serial we have created has reached 20, and if not,
it adds digits to the end until it has..

let's pretend the code is '12345678910111213141' (20 chars)

now starts the ripping of these values to create the proper serial..

(5 from the beginning, 3 from the middle, 10 from the end, taken in reverse order..)


* Possible Reference to String Resource ID=00001: "&Help"
                                  |
:004B41DD BB01000000              mov ebx, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B4200(C)
|
:004B41E2 8D45E8                  lea eax, dword ptr [ebp-18]
:004B41E5 8B55F0                  mov edx, dword ptr [ebp-10]
:004B41E8 8A541AFF                mov dl, byte ptr [edx+ebx-01]
:004B41EC E8CBFAF4FF              call 00403CBC
:004B41F1 8B55E8                  mov edx, dword ptr [ebp-18]
:004B41F4 8D45EC                  lea eax, dword ptr [ebp-14]
:004B41F7 E8A0FBF4FF              call 00403D9C
:004B41FC 43                      inc ebx
:004B41FD 83FB06                  cmp ebx, 00000006
:004B4200 75E0                    jne 004B41E2

the code above gets the first 5 numbers from the serial, and puts them into the proper serial
let's pretend the code is '12345678910111213141' (20 chars)
our license '12345-xxxxxxxxxxxxxxxx'

:004B4202 8D45EC                  lea eax, dword ptr [ebp-14]
:004B4205 BA18434B00              mov edx, 004B4318
:004B420A E88DFBF4FF              call 00403D9C
:004B420F 837DF801                cmp dword ptr [ebp-08], 00000001  ; check license type
:004B4213 750D                    jne 004B4222
:004B4215 8D45EC                  lea eax, dword ptr [ebp-14]
:004B4218 BA24434B00              mov edx, 004B4324
:004B421D E87AFBF4FF              call 00403D9C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B4213(C)
|
:004B4222 837DF802                cmp dword ptr [ebp-08], 00000002  ; blah blah
:004B4226 750D                    jne 004B4235
:004B4228 8D45EC                  lea eax, dword ptr [ebp-14]
:004B422B BA30434B00              mov edx, 004B4330
:004B4230 E867FBF4FF              call 00403D9C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B4226(C)
|
:004B4235 837DF803                cmp dword ptr [ebp-08], 00000003  ; hmm
:004B4239 750D                    jne 004B4248
:004B423B 8D45EC                  lea eax, dword ptr [ebp-14]
:004B423E BA3C434B00              mov edx, 004B433C
:004B4243 E854FBF4FF              call 00403D9C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B4239(C)
|

it checks the license type, because after the first 5 digits, it adds 2 letters, either
'ST', 'PR' or 'ND' for standard, professional or industrial license..
let's pretend the code is '12345678910111213141' (20 chars)
our license '12345-PRxxxxxxxxxxxxxx'


* Possible Reference to String Resource ID=00003: "Next >"
                                  |
:004B4248 BB03000000              mov ebx, 00000003

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B4288(C)
|
:004B424D 8B45F0                  mov eax, dword ptr [ebp-10]
:004B4250 E83FFBF4FF              call 00403D94                 ; gets length of serial
:004B4255 8945E4                  mov dword ptr [ebp-1C], eax
:004B4258 DB45E4                  fild dword ptr [ebp-1C]
:004B425B D80D40434B00            fmul dword ptr [004B4340]     ; multiply by the constant at 004B4340
:004B4261 E84AE8F4FF              call 00402AB0                 ; and back to an integer in eax
:004B4266 83C003                  add eax, 00000003             ; eax = length/2 + 3 of dodgy serial
:004B4269 2BC3                    sub eax, ebx
:004B426B 8B55F0                  mov edx, dword ptr [ebp-10]
:004B426E 8A5402FF                mov dl, byte ptr [edx+eax-01]
:004B4272 8D45E8                  lea eax, dword ptr [ebp-18]
:004B4275 E842FAF4FF              call 00403CBC
:004B427A 8B55E8                  mov edx, dword ptr [ebp-18]
:004B427D 8D45EC                  lea eax, dword ptr [ebp-14]
:004B4280 E817FBF4FF              call 00403D9C
:004B4285 4B                      dec ebx
:004B4286 85DB                    test ebx, ebx
:004B4288 75C3                    jne 004B424D

that code locates the middle of the serial, then steals three numbers from there, and puts them
after the license type letters
let's pretend the code is '12345678910111213141' (20 chars)
our license looks like this now '12345-PR101xxxxxxxxxxx'


:004B428A 8D45EC                  lea eax, dword ptr [ebp-14]
:004B428D BA18434B00              mov edx, 004B4318
:004B4292 E805FBF4FF              call 00403D9C
:004B4297 8B45F0                  mov eax, dword ptr [ebp-10]
:004B429A E8F5FAF4FF              call 00403D94                 ; get serial length?
:004B429F 8BD8                    mov ebx, eax                  ; save it in ebx
:004B42A1 8B45F0                  mov eax, dword ptr [ebp-10]
:004B42A4 E8EBFAF4FF              call 00403D94
:004B42A9 8BF0                    mov esi, eax                  ; and esi
:004B42AB 83EE09                  sub esi, 00000009             ; sub 9 from length
:004B42AE 2BF3                    sub esi, ebx                  ; esi = length - 9 - length = -9
:004B42B0 7F1F                    jg 004B42D1                   ; not taken, esi is negative
:004B42B2 4E                      dec esi                       ; -10, so the loop below runs 10 times

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B42CF(C)
|
:004B42B3 8D45E8                  lea eax, dword ptr [ebp-18]
:004B42B6 8B55F0                  mov edx, dword ptr [ebp-10]
:004B42B9 8A541AFF                mov dl, byte ptr [edx+ebx-01] ; get char from serial[ebx]
:004B42BD E8FAF9F4FF              call 00403CBC
:004B42C2 8B55E8                  mov edx, dword ptr [ebp-18]
:004B42C5 8D45EC                  lea eax, dword ptr [ebp-14]
:004B42C8 E8CFFAF4FF              call 00403D9C
:004B42CD 4B                      dec ebx                       ; decrease ebx, which started at the last letter
:004B42CE 46                      inc esi                       ; inc counter, -9..-8..-1..0 yippee
:004B42CF 75E2                    jne 004B42B3

okay, study it: it gets the serial, gets the length, gets the char at serial[length], decs the length..
it picks off the last 10 numbers backwards, and puts them into the license code..
let's pretend the code is '12345678910111213141' (20 chars)
our code '12345-PR101-1413121110'

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B42B0(C)
|
:004B42D1 8B45F4                  mov eax, dword ptr [ebp-0C]
:004B42D4 8B55EC                  mov edx, dword ptr [ebp-14]
:004B42D7 E8D4F8F4FF              call 00403BB0
:004B42DC 33C0                    xor eax, eax
:004B42DE 5A                      pop edx
:004B42DF 59                      pop ecx
:004B42E0 59                      pop ecx
:004B42E1 648910                  mov dword ptr fs:[eax], edx

* Possible StringData Ref from Code Obj ->"_^["
                                  |
:004B42E4 6806434B00              push 004B4306

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B4304(U)
|
:004B42E9 8D45E8                  lea eax, dword ptr [ebp-18]

* Possible Reference to String Resource ID=00003: "Next >"
                                  |
:004B42EC BA03000000              mov edx, 00000003
:004B42F1 E846F8F4FF              call 00403B3C
:004B42F6 8D45FC                  lea eax, dword ptr [ebp-04]
:004B42F9 E81AF8F4FF              call 00403B18
:004B42FE C3                      ret


damn simple after a few minutes (maybe hours) of studying... oh my god! we can hopefully code a
keygen now, and it will work? we will see..

R!SC