Title        : HTML Dir v2.0x With C Source
Author       : Kwai_Lo
Date Written : 1-29-99
Leval        : Begginers/Intermediate
Url          : www.tlonstruct.com
Tools needed : - SoftICE 2.0 And Above
               - A C Compiler
               - A Brian


	              HTML Dir Keygen Tut By Kwai_Lo

Ello Again,This Is My Second Tut.Hope You Will Like It.So Shall We Start,
I Picked This App Cos I Find That The Algo Is Easy,But Hard To Code :).
Ok Now Start The App.Go To The Settings Menu And Click Register .I Use 
Kwai_Lo For Name And 987654321 For Serial.Now Set A Bpx On Hmemcpy,F5 Out
And Press Ok.U Will Be In S-ice By Now.F12 7 Times And F10 22 Times.U
R Now In The Program Code.Keep Tracing (F10) Untill U Reach Some Where Here.

:00443007 8B55F8                  mov edx, dword ptr [ebp-08] <-- Moves Name
                                                                  Into Edx
* Possible StringData Ref from Code Obj ->"Tlon32"
:0044300A B840324400              mov eax, 00443240 <-- Moves A Magic Buffer
:0044300F E81853FFFF              call 0043832C         Into Eax (MB==Tlon32)
:00443014 8B45F0                  mov eax, dword ptr [ebp-10]
:00443017 8B55F4                  mov edx, dword ptr [ebp-0C]
:0044301A E8690DFCFF              call 00403D88
:0044301F 0F857C010000            jne 004431A1

Once We Reach Here We Step Into Call 0043832C (F8).Keep On Tracing Untill U
Reach Here.

:004383BB 0FB64402FF              movzx eax, byte ptr [edx+eax-01] <-- Moves 1st Char Of Name
:004383C0 0345E8                  add eax, dword ptr [ebp-18]      <-- Adds A Value To It, 0x19 At Start   
:004383C3 7105                    jno 004383CA
:004383C5 E8A6AAFCFF              call 00402E70

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004383CA B9FF000000              mov ecx, 000000FF
:004383CF 99                      cdq
:004383D0 F7F9                    idiv ecx <-- Divides Eax With 0xff,Remainder Will Be In Edx
:004383D2 8955E0                  mov dword ptr [ebp-20], edx <-- Saves The Divided Value
:004383D5 8B45EC                  mov eax, dword ptr [ebp-14]       
:004383D8 3B45F0                  cmp eax, dword ptr [ebp-10] <-- Compares To See If We Reached The End Of The Magic Buffer
:004383DB 7D0D                    jge 004383EA <-- If So The Jump To Reset It                      
:004383DD 8345EC01                add dword ptr [ebp-14], 00000001 <-- Else Add 1
:004383E1 7105                    jno 004383E8                      
:004383E3 E888AAFCFF              call 00402E70 <-- Dont Think It Is Important

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004383E8 EB07                    jmp 004383F1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004383EA C745EC01000000          mov [ebp-14], 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004383F1 8B45EC                  mov eax, dword ptr [ebp-14]
:004383F4 8B55FC                  mov edx, dword ptr [ebp-04]
:004383F7 0FB64402FF              movzx eax, byte ptr [edx+eax-01] <-- Moves 1st Char Of Hard Coded Value That Is
:004383FC 3145E0                  xor dword ptr [ebp-20], eax <-- Xor's The Saved Value With 1st Char Of Hard Coded Value
:004383FF 8D45CC                  lea eax, dword ptr [ebp-34]     This Is Now The 1st Digit Of The Serial Number,
:00438402 50                      push eax                   
:00438403 8B45E0                  mov eax, dword ptr [ebp-20]
:00438406 8945D0                  mov dword ptr [ebp-30], eax
:00438409 C645D400                mov [ebp-2C], 00
:0043840D 8D55D0                  lea edx, dword ptr [ebp-30]
:00438410 33C9                    xor ecx, ecx
:00438412 B880844300              mov eax, 00438480
:00438417 E890F6FCFF              call 00407AAC       <-- Store Code   
:0043841C 8B55CC                  mov edx, dword ptr [ebp-34]
:0043841F 8D45DC                  lea eax, dword ptr [ebp-24]
:00438422 E859B8FCFF              call 00403C80
:00438427 8B45E0                  mov eax, dword ptr [ebp-20]
:0043842A 8945E8                  mov dword ptr [ebp-18], eax <-- Replaces 0x19 With The Xored Value
:0043842D FF45E4                  inc [ebp-1C]
:00438430 FF4DD8                  dec [ebp-28] <-- Dec Name Length
:00438433 7580                    jne 004383B5 <-- Loop

And There We Have It.A Simple Algo.Lets Recap What Has Happened Here
1.Moves 1st Char Of Name
2.Addes A Value to 1st Char Of Name Call This qbx (Starts With 0x19)
3.Divides It With 0xFF And Saves The Remainder
4.Checks To See If We Have Reached The End Of The Hard Coded Value,If So Reset It
5.Moves 1st Char Of Hard Coded Value
6.Xor's It With The Remainder That We Divided Just Now
7.Moves The Xored Value In To qbx
8.Stores The Code
9.Loop Untill Finish
10.Sicks A 19 In Front Of The Code

Well Simple Eh ?? Below Is My Source For The Keygenerator In C :)

/* The C Source Code.Compile With Borland C v5+ */

int main()
int nlen,i;
unsigned int qax,qbx={0},qcx,qdx={0},qsi={0}; /*<-- I Used The Registers To,Easier To Identify*/
unsigned char name[500]={0},code[100]={0};
unsigned char hrdcod[7]="Tlon32"; /*<-- Hard Coded Value*/

   printf("KEY GENERATOR FOR HTML DIR v2.01");
   printf("\nCODED BY KWAI_LO [TNO'98]\n");


  return 0;
  else if(nlen>50)
  return 0;
  else break;
  qbx=0x19; /*<-- Set The Value To Be Added */ 

  for(i=0;i=0x06){ /*<-- Checks To See If We Have Reached The Max Of The Magic Byffer */
  qax=hrdcod[qsi-0x01]; /*<-- Moves 1st Char Of Maggic Buffer */
  qbx^=qax; /*<-- Xores The Magic Buffer With The Remainder And Saves It*/
  code[i]=qbx; /*<-- Stores Code */
  printf("YOUR REGISTRATION CODE IS        : 19");