CoDe_InSiDe's KeygenMe Crackme Keygenning tutorial by nh

E-mail: nh666@mail.ru
Used tools: SoftIce v4.01, Tasm v5.00

Run the crackme, fill in the text fields & set a breakpoint on GetDlgItemTextA,
then click the "Check 1" button and press F12 until you see this code:

 ; ---------------------------------------------------------------------------
 ; First check (reached after pressing "Check 1"); 32-bit x86 debugger listing.
 ; Reads the name (dialog item 0x122 -> 0x401E30) and the serial (dialog item
 ; 0x222 -> 0x401E70), derives a number from the name, writes it as a digit
 ; string to 0x401C60 and compares that string with the entered serial.
 ;   total = sum(c * len) + sum(c xor len) + (sum(c))^2   for each name byte c
 ; NOTE(review): the listing has no address column, so which line each jump
 ; target (.0004010D4 etc.) refers to is inferred from the flow - confirm in
 ; the debugger.
 ; NOTE(review): the expected serial is built in full at 0x401C60 and compared
 ; as plain text, so the check itself exposes both the algorithm and the
 ; correct value to anyone who can observe the process.
 ; ---------------------------------------------------------------------------
 ; GetDlgItemTextA(hDlg=[ebp+8], id=0x122, buf=0x401E30, cchMax=0x10):
 ; at most 15 name characters plus the terminating NUL are copied.
 push      ebp
 mov       ebp,esp
 push      010
 push      000401E30 ;" @0"
 push      000000122 ;"  ""
 push      d,[ebp][00008]
 call      GetDlgItemTextA ;USER32.DLL	; get name from editbox
 ; eax = number of characters copied; kept at 0x401E20 as the name length
 mov       [000401E20],eax
 cmp       al,003 ;""			; length of name must be greater than 3 (at least 4 chars)
 ja       .0004010D4   -------- (1)
 ; Name too short: the four pushes follow the same pattern as the MessageBoxA
 ; call at the end of this routine (type 0x10, caption 0x401C00, text 0x401B9E,
 ; owner 0). 0x401CF0 is not part of this listing - presumably it shows the
 ; error box; TODO confirm.
 pop       ebp
 push      010
 push      000401C00 ;" @ "
 push      000401B9E ;" @"
 push      000
 jmp      .000401CF0   -------- (2)
 ; presumably .0004010D4: name accepted, restore ebp and fetch the serial the
 ; same way (id=0x222, buf=0x401E70, cchMax=0x10)
 pop       ebp
 push      ebp
 mov       ebp,esp
 push      010
 push      000401E70 ;" @p"
 push      000000222 ;"  ""
 push      d,[ebp][00008]
 call      GetDlgItemTextA ;USER32.DLL	; get serial from editbox
 ; serial length is kept at 0x401E60; an empty serial is rejected below
 mov       [000401E60],eax
 cmp       al,000 ;" "
 jne      .00040110A   -------- (1)
 pop       ebp
 push      010
 push      000401C00 ;" @ "
 push      000401C38 ;" @8"
 push      000
 jmp      .000401CF0   -------- (2)
 ; presumably .00040110A: both fields present, start the calculation
 pop       ebp
 xor       eax,eax
 xor       edx,edx
 mov       ecx,000401E20 ;" @ "	; get length of name
 mov       ecx,[ecx]
 mov       edi,000401E30 ;" @0"
 ; pass 1: walk the name up to its NUL, edx += c * len
 mov       al,[edi]
 cmp       al,000 ;" "
 je       .00040112B   -------- (3)
 imul      eax,ecx			; each char of name multiplied by length
 add       edx,eax			; and add to edx
 inc       edi
 xor       eax,eax
 jmps     .00040111B   -------- (1)
 ; pass-1 sum is saved on the stack while edx is reused
 push      edx
 xor       eax,eax
 xor       edx,edx
 mov       edi,000401E30 ;" @0"
 ; pass 2: walk the name again, edx += c xor len
 mov       al,[edi]
 cmp       al,000 ;" "
 je       .000401144   -------- (2)
 xor       eax,ecx			
 add       edx,eax			; sum all chars xored with length
 inc       edi
 xor       eax,eax
 jmps     .000401135   -------- (3)
 ; running total = pass 1 + pass 2, pushed back on the stack
 pop       esi
 add       esi,edx
 push      esi
 xor       eax,eax
 xor       edx,edx
 xor       esi,esi
 xor       ebx,ebx
 mov       edi,000401E30 ;" @0"
 mov       esi,000401E30 ;" @0"
 ; pass 3: nested walk, edi = outer position, esi = inner position, both over
 ; the name. ecx still has zero upper bytes from the length, so after
 ; `mov cl,[esi]` ecx is just the inner byte.
 mov       al,[edi]
 cmp       al,000 ;" "
 je       .00040117B   -------- (1)
 mov       cl,[esi]
 cmp       ecx,000 ;" "
 je       .000401171   -------- (2)
 imul      eax,ecx			; every char times every char: adds up to (sum of chars)^2
 add       edx,eax
 inc       esi
 xor       eax,eax
 jmps     .00040115A   -------- (3)
 ; inner walk hit the NUL: advance the outer position, restart the inner one
 inc       edi
 xor       eax,eax
 mov       esi,000401E30 ;" @0"
 jmps     .00040115A   -------- (4)
 pop       esi
 add       esi,edx			; and sum all numbers to esi
 push      esi
 xor       eax,eax
 xor       ecx,ecx
 xor       edx,edx
 xor       esi,esi
 xor       edi,edi
 ; eax = total of the three passes; 0x401C60 receives the generated string
 pop       eax
 mov       edi,000401C60 ;" @`"	; simple routine for converting number
 test      eax,eax			; to string
 je       .0004011B7   -------- (1)
 ; One character per 4-bit nibble, least significant nibble first, until the
 ; remaining value is zero: rol/ror leave the current low nibble alone in dl.
 rol       eax,004 ;""
 mov       dl,al
 ror       edx,004 ;""
 cmp       dl,009 ;"	"
 ja       .0004011AD   -------- (2)
 add       dl,030 ;"0"
 mov       [edi],dl
 inc       edi
 ; clear the byte just consumed and rotate the next nibble into place
 mov       al,000 ;" "
 ror       eax,008 ;""
 jmps     .00040118F   -------- (3)
 ; nibble above 9: subtract 4 until it is 9 or below (0Ah..0Fh become
 ; 6,7,8,9,6,7), then rejoin the store path (presumably at `add dl,030`), so
 ; the output holds decimal digit characters only - it is not a hex dump
 sub       dl,004 ;""
 cmp       dl,009 ;"	"
 ja       .0004011AD   -------- (4)
 jmps     .0004011A0   -------- (5)
 ; cl is 0 here (ecx was cleared before the conversion): NUL-terminate
 mov       [edi],cl
 mov       edi,000401C60 ;" @`"
 ; count the generated characters into ecx
 mov       al,[edi]
 cmp       al,000 ;" "
 je       .0004011C8   -------- (6)
 inc       ecx
 inc       edi
 jmps     .0004011BE   -------- (1)
 ; the low byte of the entered serial's length (0x401E60) must equal the
 ; generated length
 mov       edi,000401E60 ;" @`"
 cmp       [edi],cl
 je       .0004011E4   -------- (2)
 ; failure path: type 0x10, caption 0x401C49, text 0x401BED, then 0x401CF0
 push      010
 push      000401C49 ;" @I"
 push      000401BED ;" @"
 push      000
 jmp      .000401CF0   -------- (3)
 mov       edi,000401E70 ;" @p"
 mov       esi,000401C60 ;" @`"	; compare our & gen.serial
 ; byte-by-byte compare, ending at the NUL of the entered serial; together
 ; with the length check above this requires the two strings to be equal
 mov       al,[edi]
 cmp       al,000 ;" "
 je       .000401200   -------- (4)
 mov       cl,[esi]
 cmp       eax,ecx
 jne      .0004011FE   -------- (5)
 inc       esi
 inc       edi
 jmps     .0004011EE   -------- (6)
 ; mismatch: back to the failure path above
 jmps     .0004011D1   -------- (7)
 ; match: MessageBoxA(0, 0x401BD6, 0x401BD0, 0x20), then the byte at 0x401FFF
 ; is set to 1 - presumably a "first check passed" flag; its readers are not
 ; in this listing
 push      020
 push      000401BD0 ;" @-"
 push      000401BD6 ;" @+"
 push      000
 call      MessageBoxA ;USER32.DLL
 mov       b,[000401FFF],001 ;""
 retn


 ; ---------------------------------------------------------------------------
 ; Second routine (the listing is cut off by the author before its end).
 ; Reads a string from dialog item 0x322 into 0x401F00, builds the expected
 ; string at 0x401CA0 and starts comparing the two. The expected string is
 ;   <first 4 name bytes> '-' <string at 0x401C60> '-' <digits> '-X'
 ; where <digits> renders sum(c * 2Dh) over the bytes c of the string at
 ; 0x401C60. It reuses the name buffer 0x401E30 and the generated serial at
 ; 0x401C60 that the first routine fills in.
 ; NOTE(review): jump targets are matched to lines by inference, as the
 ; listing has no address column.
 ; ---------------------------------------------------------------------------
 ; GetDlgItemTextA(hDlg=[ebp+8], id=0x322, buf=0x401F00, cchMax=0x15)
 push      ebp
 mov       ebp,esp
 push      015
 push      000401F00 ;" @ "
 push      000000322 ;"  ""
 push      d,[ebp][00008]
 call      GetDlgItemTextA ;USER32.DLL
 pop       ebp
 ; empty input: show a box (type 0x10, caption 0x401C00, text 0x401BBE) and return
 cmp       al,000 ;" "
 jne      .00040124E   -------- (1)
 push      010
 push      000401C00 ;" @ "
 push      000401BBE ;" @+"
 push      000
 call      MessageBoxA ;USER32.DLL
 retn
 ; presumably .00040124E: cl = 4 (copy counter), dl = 2Dh ('-', also used as
 ; the multiplier further down), edi -> output buffer 0x401CA0
 xor       eax,eax
 xor       ecx,ecx
 xor       edx,edx
 mov       cl,004 ;""
 mov       dl,02D ;"-"
 mov       edi,000401CA0 ;" @"
 mov       esi,000401E30 ;" @0"	; get 4 chars from name
 mov       al,[esi]
 mov       [edi],al
 inc       esi
 inc       edi
 dec       ecx
 jne      .000401262   -------- (1)
 mov       [edi],dl			; then '-'
 inc       edi
 mov       esi,000401C60 ;" @`"	; get serial
 ; append the generated serial up to its NUL
 mov       al,[esi]
 cmp       al,000 ;" "
 je       .00040127F   -------- (2)
 mov       [edi],al
 inc       edi
 inc       esi
 jmps     .000401273   -------- (3)
 mov       [edi],dl			; then '-'
 inc       edi
 ; the write position is parked on the stack while edi walks the serial again
 push      edi
 mov       edi,000401C60 ;" @`"
 xor       esi,esi
 ; esi = sum of (serial byte * 2Dh); edx still holds 2Dh
 mov       al,[edi]
 cmp       al,000 ;" "
 je       .00040129A   -------- (1)
 imul      eax,edx			; each char of serial multiplied by
 add       esi,eax			; 2dh
 xor       eax,eax
 inc       edi
 jmps     .00040128A   -------- (2)
 ; restore the write position; eax = the sum, esi becomes the digit counter
 pop       edi
 mov       eax,esi
 xor       esi,esi
 xor       ecx,ecx			; and simple routine for converting
 test      eax,eax			; number to string
 je       .0004012CA   -------- (3)
 ; Same nibble-to-digit step as in the first routine, but each character is
 ; pushed on the stack and counted in esi instead of being stored directly.
 rol       eax,004 ;""
 mov       cl,al
 ror       ecx,004 ;""
 cmp       cl,009 ;"	"
 ja       .0004012C0   -------- (1)
 add       cl,030 ;"0"
 push      ecx
 inc       esi
 mov       al,000 ;" "
 xor       ecx,ecx
 ror       eax,008 ;""
 jmps     .0004012A1   -------- (2)
 ; nibble above 9: subtract 4 until it is 9 or below, then rejoin the push
 ; path (presumably at `add cl,030`)
 sub       cl,004 ;""
 cmp       cl,009 ;"	"
 ja       .0004012C0   -------- (3)
 jmps     .0004012B2   -------- (4)
 ; Pop the characters back: last pushed comes out first, so here the most
 ; significant nibble is written first. Each pop stores a whole dword, but edi
 ; advances by one, so the following store overwrites the upper three bytes.
 pop       d,[edi]
 inc       edi
 dec       esi
 jne      .0004012CA   -------- (5)
 mov       [edi],dl			; then add '-X'
 inc       edi
 mov       dl,058 ;"X"
 ; dword store: edx is 00000058h, so this writes 'X' followed by three NULs
 ; and terminates the string
 mov       [edi],edx
 xor       eax,eax
 xor       ecx,ecx
 xor       edx,edx
 xor       esi,esi
 xor       edi,edi
 mov       edi,000401F00 ;" @ "	; and compare two strings
 mov       esi,000401CA0 ;" @"
 ; compare entered string (edi) with the built one (esi), ending at the NUL
 ; of the entered string; the rest of the loop is not shown in the listing
 mov       al,[edi]
 cmp       al,000 ;" "
 je       .000401310   -------- (1)
 mov       cl,[esi]
 cmp       eax,ecx
[...skipped...]

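So, the algo is easy: serial 1 is the digit string of sum(char*len) + sum(char xor len) + (sum of chars)^2 taken over the name, and serial 2 is the first 4 chars of the name, '-', serial 1, '-', the digit string of sum(serial 1 char * 2Dh), then '-X'.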
keygen source is in nh-kgme.asm

That's all...
