***************************************************************************************************************************************************
                                                    Keygenning4Newbies KeygenMe #1
***************************************************************************************************************************************************

Author: tHE ANALYST [UCF/ID]
Protection: Name / Serial
URL: http://www.leelouonline.com/users/bofh/k4n/k4n.zip
Tools: SoftICE 4.05

---> Intro...

Hi and welcome to my next Tutorial :) This one is very easy and simple to follow, so let's begin :)

---> Let's Begin...

Open the CrackMe and it'll ask for a Name and Serial. I've used:

Name: CoDe_InSiDe
Serial: 1234567890

Then get into SoftICE (CTRL+D) and type "bpx hmemcpy" followed by "enter" (you can also use GetWindowTextA). Then get out of SoftICE (CTRL+D) and press "Check the Serial", and SoftICE should pop up. Now press F12 8 times till you see this:

---------------------------------------------------------------------------------------------------------------------------------------------------
:0040109C 6A68                    push 00000068                          <--- HERE WE LAND AFTER THE BREAK !!!
:0040109E 53                      push ebx

* Reference To: USER32.GetDlgItem, Ord:0000h
|
:0040109F E8FE9B0000              Call 0040ACA2
:004010A4 6A64                    push 00000064
:004010A6 8D8DE4FEFFFF            lea ecx, dword ptr [ebp+FFFFFEE4]
:004010AC 51                      push ecx
:004010AD 50                      push eax

* Reference To: USER32.GetWindowTextA, Ord:0000h
|
:004010AE E8FB9B0000              Call 0040ACAE

* Possible Reference to Dialog: DialogID_0001, CONTROL_ID:0067, ""
|
:004010B3 6A67                    push 00000067
:004010B5 53                      push ebx

* Reference To: USER32.GetDlgItem, Ord:0000h
|
:004010B6 E8E79B0000              Call 0040ACA2
:004010BB 8BF0                    mov esi, eax                           <--- Move EAX in ESI
:004010BD 8D8548FFFFFF            lea eax, dword ptr [ebp+FFFFFF48]      <--- EAX now points to our Name
:004010C3 50                      push eax                               <--- Save EAX
:004010C4 E867050000              call 00401630                          <--- Here it gets the length of our Name
:004010C9 59                      pop ecx
:004010CA 8945D8                  mov dword ptr [ebp-28], eax            <--- Save our length in EBP-28
:004010CD 8D95E4FEFFFF            lea edx, dword ptr [ebp+FFFFFEE4]      <--- EDX now points to our "Fake" Serial
:004010D3 52                      push edx                               <--- Save EDX
:004010D4 E857050000              call 00401630                          <--- Here it gets the length of our "Fake" Serial
:004010D9 59                      pop ecx
:004010DA 68EAB04000              push 0040B0EA                          <--- Points to nothing :)
:004010DF E84C050000              call 00401630                          <--- Here it gets the length of nothing
:004010E4 59                      pop ecx
:004010E5 680EB14000              push 0040B10E                          <--- Points to nothing :)
:004010EA E841050000              call 00401630                          <--- Here it gets the length of nothing
:004010EF 59                      pop ecx
:004010F0 837DD803                cmp dword ptr [ebp-28], 00000003       <--- Compare the length of our Name with 00000003 (3 Decimal)
:004010F4 7E7B                    jle 00401171                           <--- If equal or lower we jump and get the Bad Guy message, else continue
:004010F6 90                      nop                                    <--- No OPeration
:004010F7 90                      nop                                    <--- No OPeration
:004010F8 90                      nop                                    <--- No OPeration
:004010F9 90                      nop                                    <--- No OPeration
:004010FA 33C9                    xor ecx, ecx                           <--- XOR ECX which is now 00
:004010FC 33D2                    xor edx, edx                           <--- XOR EDX which is now 00
:004010FE 33DB                    xor ebx, ebx                           <--- XOR EBX which is now 00
:00401100 33C0                    xor eax, eax                           <--- XOR EAX which is now 00
:00401102 837DD832                cmp dword ptr [ebp-28], 00000032       <--- Compare the length of our Name with 00000032 (50 Decimal)
:00401106 7D69                    jge 00401171                           <--- If equal or greater we jump and get the Bad Guy message, else continue
:00401108 90                      nop                                    <--- No OPeration
:00401109 90                      nop                                    <--- No OPeration
:0040110A 90                      nop                                    <--- No OPeration
:0040110B 90                      nop                                    <--- No OPeration
---------------------------------------------------------------------------------------------------------------------------------------------------

Ok, this looks like a lot already, but it isn't :) It simply takes the Name and "Fake" Serial we entered, and then it compares the length of our Name with 00000003 (3 Decimal) and 00000032 (50 Decimal). If the length is 3 or lower, or 50 or greater, we fail and get the Bad Guy message, else we continue. Let's see what's next:

---------------------------------------------------------------------------------------------------------------------------------------------------
:0040110C 0FBE840D48FFFFFF        movsx eax, byte ptr [ebp+ecx-000000B8] <--- Move the current Char of our Name (the first one on the first pass) in EAX
:00401114 41                      inc ecx                                <--- ECX +1
:00401115 33C1                    xor eax, ecx                           <--- XOR ECX with EAX
:00401117 03D8                    add ebx, eax                           <--- ADD EAX to EBX
:00401119 3B4DD8                  cmp ecx, dword ptr [ebp-28]            <--- Compare EBP-28 (Length of our Name) with ECX
:0040111C 75EE                    jne 0040110C                           <--- If not equal we jump and repeat this loop, else continue
:0040111E 6BC006                  imul eax, 00000006                     <--- Multiply 00000006 with EAX
:00401121 C1E307                  shl ebx, 07                            <--- Shift EBX to the left with 07
:00401124 03C3                    add eax, ebx                           <--- ADD EBX to EAX
:00401126 8945C8                  mov dword ptr [ebp-38], eax            <--- Save EAX in EBP-38
:00401129 FF75C8                  push [ebp-38]                          <--- Save the New Value
---------------------------------------------------------------------------------------------------------------------------------------------------

And here we have the Algo, damn small ;) So, it does this:

- It takes the first Char of our Name and puts it in EAX
- Increase ECX with 01
- Then XOR ECX with EAX
- Then ADD EAX to EBX
- Compare ECX with the length of our Name
- If not equal we repeat the loop, else continue
- Then it Multiplies EAX with 06
- Shifts EBX to the left with 07
- And then ADDs EBX to EAX
- Final Result in EAX ---> use %lX to show the Serial in Readable Format (Ascii)

That's all :) I don't need to show more, because after this piece of Code it will use "lstrcmpA" to Compare the "Real" Serial with the "Fake" Serial :)

I think you can KeyGen this in YOUR language now :) And I hope you learned something from this tutorial...

---> Greetings...

Everyone from TrickSoft (www.TrickSoft.net)
Everyone from Cracking4Newbies (www.Cracking4Newbies.com)
Everyone from Keygenning4Newbies :P (Keygenning4Newbies.cjb.net)
And Everyone I know and You...

Thanks for reading !

Don't trust the Outside, trust the InSiDe !!!

Cya...

CoDe_InSiDe
Email: code.inside@home.nl
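Going back to the Algo walked through above, here it is written out in C as an added example (not code from the tutorial or the CrackMe): movsx sign-extends each character, the XOR uses the counter after it has been incremented, the 32-bit registers wrap like the real ones, and the length check mirrors the jle/jge at 004010F4 and 00401106. The function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Name-length check at 004010F0 and 00401102: length must be > 3 and < 50,
 * otherwise the CrackMe jumps to the Bad Guy message at 00401171. */
int k4n_name_ok(const char *name)
{
    size_t len = strlen(name);
    return len > 3 && len < 50;
}

/* The loop at 0040110C-0040111C and the finish at 0040111E-00401124,
 * keeping the register names from the listing. Returns the value that is
 * stored at [ebp-38] and later formatted with %lX. */
uint32_t k4n_serial(const char *name)
{
    uint32_t eax = 0, ebx = 0, ecx = 0;
    uint32_t len = (uint32_t)strlen(name);
    if (len == 0)                 /* guard: the original loop is do-while */
        return 0;
    do {
        eax = (uint32_t)(int32_t)(signed char)name[ecx]; /* movsx eax, byte ptr [name+ecx] */
        ecx++;                                           /* inc ecx */
        eax ^= ecx;                                      /* xor eax, ecx */
        ebx += eax;                                      /* add ebx, eax */
    } while (ecx != len);                                /* cmp ecx,[ebp-28] / jne */
    eax *= 6;                                            /* imul eax, 6 */
    ebx <<= 7;                                           /* shl ebx, 7 */
    return eax + ebx;                                    /* add eax, ebx */
}

/* Format the value the way the CrackMe does ("%lX": uppercase hex, no
 * leading zeros) and compare it to the entered serial like lstrcmpA. */
int k4n_check(const char *name, const char *serial)
{
    char real[16];
    if (!k4n_name_ok(name))
        return 0;
    snprintf(real, sizeof real, "%lX", (unsigned long)k4n_serial(name));
    return strcmp(real, serial) == 0;
}

int main(void)
{
    const char *name = "CoDe_InSiDe"; /* the Name used in the tutorial */
    if (k4n_name_ok(name))
        printf("%s -> %lX\n", name, (unsigned long)k4n_serial(name));
    return 0;
}
```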