CoDe_InSiDe's 5th crackme keygenning tutorial by nh

My e-mail: nh666@mail.ru
Used tools: SoftIce v4.01, Tasm v5.00

So, let's begin. Run the crackme, fill in the edit boxes and set a breakpoint on GetDlgItemTextA
in SoftIce with the command 'bpx GetDlgItemTextA'. When it fires, keep pressing F12 (run until
return) until you land in this piece of code (the listing below is SoftIce output: jump and call
targets are the offsets SoftIce shows, and the 'call dword ptr [0040xxxx]' forms go through the
import table):

  ; Command dispatcher of the dialog procedure (the first code the tutorial lands in).
  ; [esp+0C] is the third stack argument at procedure entry (return address at [esp],
  ; then the arguments), presumably wParam of DlgProc(hwnd, msg, wParam, lParam), i.e. the
  ; id of the clicked button. 1111h -> "About" handler at 0048, 2222h -> "Check" handler
  ; at 00A9, anything else returns 0.
  mov eax,dword ptr [esp+0C] 		; eax = button/control id (wParam, see above)
  cmp eax,00001111 		; "About" button?
  jz 00000048 
  cmp eax,00002222 		; "Check" button?
  jz 000000A9 
   xor eax,eax 			; not one of ours: return 0
  ret 
; "About" handler (dispatcher target 0048).
; Arguments are pushed right-to-left, so this is MessageBoxA(hWnd=0, lpText=00401F09,
; lpCaption=00401F00, uType=0) -- the import slot [00401D7C] is MessageBoxA per the
; tutorial's own annotation; the two strings live at 00401F00 and 00401F09.
  push 00000000 			; uType = 0 (MB_OK)
  push 00401F00				; lpCaption
  push 00401F09 			; lpText
  push 00000000 			; hWnd = 0
  call dword ptr [00401D7C] 		; call MessageBoxA ("About" box)
  ret 
; Fetch the three edit boxes into fixed buffers.
; Each group is GetDlgItemTextA(hDlg, nIDDlgItem, lpString, cchMax) with the arguments
; pushed right-to-left, so:
;   id AAAAh -> 00401E30 (name)
;   id BBBBh -> 00401E50 (organisation)
;   id CCCCh -> 00401E70 (entered key)
; cchMax = 15h (21) counts the terminating NUL, so at most 20 characters of each field
; survive; the three buffers are 20h bytes apart. [ebp+0C] is the second stack argument
; of whoever called this routine, presumably the dialog handle.
; NOTE(review): counting instruction bytes from the "About" handler at 0048, this routine
; occupies 005D..00A8 and the dispatcher's "Check" target 00A9 is the key-building code
; that follows it, so the text fetch seems to be reached by a separate path (which is
; what the GetDlgItemTextA breakpoint catches) -- confirm in the debugger before relying
; on it for a keygen.
  push ebp 
  mov ebp,esp 

; we get all editboxes text.
  push 00000015 				; cchMax = 21 (including NUL)
  push 00401E30 				; lpString = name buffer
  push 0000AAAA 				; nIDDlgItem = name edit box
  push dword ptr [ebp+0C] 			; hDlg
  call dword ptr [00401D70] ; call GetDlgItemTextA

  pop ebp 
  push ebp 
  mov ebp,esp 
  push 00000015 				; cchMax = 21
  push 00401E50 				; lpString = organisation buffer
  push 0000BBBB 				; nIDDlgItem = organisation edit box
  push dword ptr [ebp+0C] 			; hDlg
  call dword ptr [00401D70] 			; GetDlgItemTextA
  pop ebp 
  push ebp 
  mov ebp,esp 
  push 00000015 				; cchMax = 21
  push 00401E70 				; lpString = entered-key buffer
  push 0000CCCC 				; nIDDlgItem = key edit box
  push dword ptr [ebp+0C] 			; hDlg
  call dword ptr [00401D70] 			; GetDlgItemTextA
  pop ebp 
  ret 

; Now clear all breakpoints (bc *), set a breakpoint on the 'push ebp' at the start of the
; text-fetching routine above, and press "Check". The key is then built and checked by the
; code that follows:

  ; Key generation (the dispatcher's "Check" target 00A9).
  ; A 256-byte table at 00402300, preset to '0' (30h), records which byte values occur:
  ;   pass 1: for every byte c of the name,          table[c]        = '1'
  ;   pass 2: for every byte c of the organisation,  table[0FEh - c] = '1'
  ;           (not eax turns c into -(c+1); applied to the base 004023FF that is
  ;            004023FF-(c+1) = table index 0FEh-c)
  ;   pass 3: walk the table; for every '1' at index i emit the byte (i+1) into the
  ;           generated key at 00401E90.
  ; So the key depends only on WHICH byte values occur in name/organisation, not on their
  ; order or repetition, and has one byte per marked table slot. On exit esi points one
  ; past the last key byte (the length check at 0144 uses esi-edi) and edi = 00401E90.
  xor eax,eax 
  mov edi,00401E30	; edi = name
  xor ecx,ecx 
  mov cl,31 		; cl = '1' (marker)
  mov esi,00402300	; esi = table of 256 '0' (30h) bytes
  mov al,byte ptr [edi] 	; al = next name byte; eax = c because the rest of eax is zero
  cmp al,00 
  jz 000000C5 		; end of name -> pass 2
  mov byte ptr [eax+esi],cl 	; table[c] = '1'
  inc edi 
  jmp 000000B9 
  mov edi,00401E50 	; edi = organisation
  mov esi,004023FF 	; esi = last byte of the table
  xor eax,eax 
  xor ecx,ecx 
  mov cl,31 		; cl = '1'
  mov al,byte ptr [edi] 	; al = next organisation byte
  cmp al,00 
  jz 000000E5 		; end of organisation -> pass 3
  not eax 		; eax = ~c = -(c+1)
  mov byte ptr [eax+esi],cl	; table[0FEh-c] = '1'  (NOTE(review): c = 0FFh lands one byte below the table)
  inc edi 
  xor eax,eax 		; clear the 0FFh upper bytes left by 'not eax' before the next byte load
  jmp 000000D5 
  xor eax,eax 
  mov cl,00 		; ecx = table index + 1 (the value that gets emitted)
  mov edi,00402300 	; edi = table
  mov esi,00401E90 		; esi = generated key output
  push esi 		; remember the key start; popped into edi after the loop
  mov al,byte ptr [edi] 	; al = table byte
  cmp al,00 
  jz 00000111 		; end of table -> done
  cmp al,30 		; '0' = value did not occur
  jnz 00000102 
  inc ecx 		; skip this slot
  inc edi 
  jmp 000000F4 
  cmp al,31 		; '1' = value occurred
  jz 0000010A 
  inc ecx 		; neither '0' nor '1': skipped (only if the table holds something else)
  inc edi 
  jmp 000000F4 
  inc ecx 
  mov byte ptr [esi],cl 	; emit (index+1); note cl wraps to 0 for index 255, which would end the key early
  inc esi 
  inc edi 
  jmp 000000F4 
  pop edi 		; edi = 00401E90 (start of the generated key)
  call 0000011E 	; force every key byte into 20h..7Eh (routine below)
  call 0000011E 	; second pass: one pass leaves bytes 0C5h..0FFh at 7Fh..0B9h, still out of range
  jmp 00000144 		; continue with the length check
; Printable-range fixer (at 011E).
; Walks the NUL-terminated string at edi in place: a byte below 20h gets +45h, a byte
; above 7Eh gets -46h (0FFFFFFBAh); everything else is left alone. After one pass a
; byte that was 0C5h..0FFh is still 7Fh..0B9h (> 7Eh), which is why the caller runs
; this twice; after two passes every byte is within 20h..7Eh.
; Preserves edi (push/pop); clobbers eax and flags.
  push edi 
  xor eax,eax 
  mov al,byte ptr [edi] 	; al = current byte (eax = byte value, upper bits zero)
  cmp al,00 
  jz 00000142 		; NUL -> done
  cmp al,20 
  jb 00000132 		; below space -> add 45h
  cmp al,7E 
  jnbe 0000013A 	; above '~' -> subtract 46h
  inc edi 
  jmp 00000121 
  add eax,00000045 	; 01h..1Fh -> 46h..64h
  mov byte ptr [edi],al 
  inc edi 
  jmp 00000121 
  add eax,FFFFFFBA 	; 7Fh..0FFh -> 39h..0B9h
  mov byte ptr [edi],al 
  inc edi 
  jmp 00000121 
  pop edi 
  ret 

  ; Length check (at 0144). ecx = strlen(entered key at 00401E70);
  ; esi - edi = length of the generated key (esi one past its end, edi = 00401E90).
  ; generated length >= entered length -> 015D (wipe the fields, i.e. fail),
  ; otherwise -> 018A (continue with the real checks).
  ; NOTE(review): the branch is jnb, so EQUAL lengths also take the wipe path. The XOR
  ; stage later copies whole dwords, so the string that is finally compared can be padded
  ; beyond the generated length up to a dword boundary -- check the skipped compare code
  ; before relying on this in a keygen.
  xor ecx,ecx 
  mov edx,00401E70 	; edx = entered key
  mov al,byte ptr [edx] 
  cmp al,00 
  jz 00000155 		; NUL -> ecx = entered length
  inc ecx 
  inc edx 
  jmp 0000014B 
  sub esi,edi 		; esi = generated key length
  cmp esi,ecx 
  jnb 0000015D 		; generated >= entered (unsigned) -> wipe
  jmp 0000018A 		; generated <  entered -> continue
  ; Failure path (at 015D): zero the first 10h bytes of name, organisation and entered key.
  ; Counting instruction bytes from 015D, the call target 0178 is the first
  ; 'mov dword ptr [edi],eax' below -- the code calls into its own tail: each call zeroes
  ; four dwords at edi and returns, then the fall-through does the same for 00401E70 and
  ; the final ret returns to whoever entered the check.
  mov edi,00401E30 	; edi = name
  xor eax,eax 		; eax = 0 (the value stored)
  call 00000178 	; zero 10h bytes of the name
  mov edi,00401E50 	; edi = organisation
  call 00000178 	; zero 10h bytes of the organisation
  mov edi,00401E70 	; edi = entered key
  mov dword ptr [edi],eax 	; 0178: store 4 zero dwords at edi
  add edi,00000004 
  mov dword ptr [edi],eax 
  add edi,00000004 
  mov dword ptr [edi],eax 
  add edi,00000004 
  mov dword ptr [edi],eax 
  ret 
; Empty-field guards (at 018A, reached when the length check passes).
; Each guard returns immediately if the field's first byte is NUL; order is
; entered key (00401E70), organisation (00401E50), name (00401E30 = 00401E50 - 20h).
  mov edi,00401E70 
  mov al,byte ptr [edi] ; first byte of the entered key
  cmp al,00 
  jnz 00000196 		; non-empty -> next guard
  ret 			; empty key: give up
;
  xor eax,eax 
  xor ecx,ecx 
  xor edx,edx 
  xor esi,esi 
  xor edi,edi 
  mov edi,00401E50 
  mov al,byte ptr [edi] ; first byte of the organisation
  cmp al,00 
  jnz 000001AC 		; non-empty -> next guard
  ret 			; empty organisation: give up
;
  mov al,00 
  add edi,FFFFFFE0 	; edi = 00401E50 - 20h = 00401E30 (name)
  mov al,byte ptr [edi] ; first byte of the name
  cmp al,00 
  jnz 000001B8 		; non-empty -> XOR stage
  ret 			; empty name: give up
  ; XOR stage (at 01B8). esi = the dword stored at 00401FA9; the tutorial gives it as
  ; 0a0b0c0d. If those are the bytes in memory order, the little-endian load makes
  ; esi = 0D0C0B0Ah (byte i of each group is XORed with 0Ah+i); if it is the dword value,
  ; the byte order is reversed -- check the dump at 00401FA9 when writing the keygen.
  ; Every dword of the generated key at 00401E90 is XORed with esi and stored 20h bytes
  ; higher, at 00401EB0. The loop stops at the first all-zero DWORD, not at a NUL byte,
  ; so a trailing partial dword (NUL bytes included) is XORed too and the copy can run
  ; up to a dword boundary past the generated length.
  mov al,00 
  xor edi,edi 
  mov esi,00401FA9 ; address of the XOR constant (bytes shown as 0a0b0c0d)
  mov edi,00401E90 	; edi = generated key
  mov esi,dword ptr [esi] 	; esi = XOR constant
  mov eax,dword ptr [edi] 	; next dword of the generated key
  test eax,eax 
  jz 000001D8 		; all-zero dword -> done
  xor eax,esi 		; xor the dword with the constant
  mov dword ptr [edi+20],eax 	; store into the copy at 00401EB0
  add edi,00000004 
  jmp 000001C8 
  ; Second printable-range fixer (at 01D8), now on the XORed copy at 00401EB0 and with
  ; +30h / -30h (0D0h) instead of +45h / -46h. In place, stops at NUL, single pass only
  ; (a byte of 0AFh..0FFh would still be above 7Eh afterwards), then falls through to
  ; the compare at 01FE.
  mov edi,00401EB0 
; check for bad chars
  mov al,byte ptr [edi] 
  cmp al,00 
  jz 000001FE 		; NUL -> go compare
  cmp al,20 
  jb 000001EE 		; below space -> add 30h
  cmp al,7E 
  jnbe 000001F6 	; above '~' -> subtract 30h
  inc edi 
  jmp 000001DD 
  add al,30 		; 01h..1Fh -> 31h..4Fh
  mov byte ptr [edi],al 
  inc edi 
  jmp 000001DD 
  add al,D0 		; 7Fh..0FFh -> 4Fh..0CFh
  mov byte ptr [edi],al 
  inc edi 
  jmp 000001DD 
; compare two keys: generated & our.
  mov edi,00401E70 
  mov esi,00401EB0 
  mov eax,dword ptr [edi] 
  mov ecx,dword ptr [esi] 
  test eax,eax 
  jz 0000024E 
  cmp eax,ecx 
  jz 00000216 
[...skip...]

So it is a very simple algorithm: mark which byte values occur in the name and organisation,
turn the marks into bytes, force them into the printable range twice, XOR by dwords with the
constant at 00401FA9, fix the range once more and compare with what was typed.
The keygen source is in nh-cm50kg.asm (not reproduced here).

PS: don't enter a long name and organisation, because the key length is limited: the key edit
box is read with cchMax = 15h (at most 20 characters), the generated key gets one byte per
distinct byte value of name+organisation, and its buffer at 00401E90 is only 20h bytes before
the XORed copy at 00401EB0 (see 'mov dword ptr [edi+20],eax'), so a long key runs past it. =)
