		--=== keygenning4newbies Crackme 1 Solution ===--
				-= by Dya-Blo =-



You Can Download This Crackme At : *** www.keygenning4newbies.cjb.net ***


To keygen something, I usually start with Win32Dasm to see (if I can) where the calculation is made.
So disassemble the file and look at the String Ref :

Wow : "Congratulations! IF this number"
Looks great :)

Double-click on "Congratulations! IF this number"

Then go up a little, here is the source code :

eax, ebx, ... = 0

0040110C:
movsx eax, byte ptr [ebp+ecx-000000B8]
inc ecx
xor eax, ecx
add ebx, eax
cmp ecx, dword ptr [ebp-28]
jne 0040110C
imul eax, 06
shl ebx, 07
add eax, ebx
mov dword ptr [ebp-38], eax
push [ebp-38]

* Possible StringData Ref from Data Obj ->"%lX"
...
...
* Reference To: KERNEL32.lstrcmpA, Ord:0000h
call 0040ad86
test eax, eax
jne 00401164

* Possible String Ref from Data Obj -> "Congratulations! IF this number comes *FROM YOUR* keygen, Write a tutorial dude ;)."
....
....


Ok, this extract really looks like a serial generation routine :
 - some xor
 - imul
 - add
 - shl
 - + the most important : a loop (jne 0040110C)

Maybe 2 problems :
 - what is : dword ptr [ebp-28] ?
 - what is : Possible StringData Ref from Data Obj ->"%lX" ?

To know what dword ptr [ebp-28] is, 2 methods first come to my mind :
 - first is ZEN or Experience, as you want to call it : serials are mostly calculated from the name, so in 90 % of cases this dword ptr would be the length of the name (here it is).
 - or, if you want to be sure right now : go up in the asm source and look :

cmp dword ptr [ebp-28], 03
jle 00401171
nops + xors
cmp dword ptr [ebp-28], 32
jge 00401171

Wow, looks like a name-length check routine (32h = 50 decimal), let's see what's hidden at 00401171 :) :
* Possible StringData Ref from Data Obj ->"Name must contain more than 4 chars and less than 50 chars !!"

Ok, I was right, as usual (j/k) ;p

So here is a commented source of the routine :


movsx eax, byte ptr [ebp+ecx-000000B8]	; this byte ptr is obviously pointing to the name
					; (sign-extended), but we will make sure later, as you will see.
inc ecx					; a counter for the number of loops
xor eax, ecx				; some encryption
add ebx, eax				; serial = serial + eax
cmp ecx, dword ptr [ebp-28]		; enough loops ?
jne 0040110C				; yes : continue, no : go back up
imul eax, 06				; eax = eax*6 (eax still holds the last xored char)
shl ebx, 07				; serial << 7 : means serial = serial * 2^7
add eax, ebx				; serial = serial + eax

Now we can make a keygen to see if we're right :
Here is my source in C++ Builder.

{
String Name;				// variable to put the name in
unsigned int NameLong;			// variable to put the name length in
unsigned int serial;			// did you guess it ?
unsigned char CharTemp;			// one char of the name, for the calculation
unsigned int serialTemp;		// a temp variable, we will need it maybe :)

Name=edName->Text;			// retrieve the name from the edit box
NameLong=edName->GetTextLen();		// take the name length
serial=0;				// init the serial
serialTemp=0;				// and the temp var
unsigned int i=0;			// and the counter (ecx)

do
{
  CharTemp=Name[i+1];			// take the (i+1)th letter of the name (String is 1-based)
  i++;					// = inc ecx
  CharTemp = CharTemp^i;		// eax xor ecx
  serial += CharTemp;			// update the serial
} while (i<NameLong);

serialTemp = CharTemp*6;		// = imul eax, 06 (eax holds the last xored char)
serial = serial<<7;			// = shl ebx, 07
serial += serialTemp;			// update the serial

edSerial->Text=(int)serial;		// show the serial
}


Run the program, get a serial, and try it in the crackme.
Damn, WRONG serial.

At this point the problem could be anything :) : the number of loop iterations, the byte ptr not being the name, ...

So we decide to use our beloved SoftIce :p (best tool ever btw)

After setting a breakpoint we land on the asm code shown above.

Then we can look at what's hidden in : byte ptr [ebp+ecx-000000B8]
It's our Name, so we're right on this point.

Then bpx at the end of the loop and look at the 'serial' : the same one we found, nice.

But there is still this "%lX" string.

Look at what the call does : yeah, hexadecimal conversion, great :)

"%lX" prints the number in uppercase hex (A->F)
"%lx" prints it in lowercase hex (a->f)


Now, we can make the REAL keygen :p
Here comes my *free* source, lol :


#include <stdio.h>			// needed for sprintf (put it at the top of the unit)

String Name;				// variable to put the name in
unsigned int NameLong;			// variable to put the name length in
unsigned int serial;			// did you guess it ?
unsigned char CharTemp;			// one char of the name, for the calculation
unsigned int serialTemp;		// a temp variable, we will need it maybe :)

Name=edName->Text;			// retrieve the name from the edit box
NameLong=edName->GetTextLen();		// take the name length
serial=0;				// init the serial
serialTemp=0;				// and the temp var
unsigned int i=0;			// and the counter (ecx)

do
{
  CharTemp=Name[i+1];			// take the (i+1)th letter of the name (String is 1-based)
  i++;					// = inc ecx
  CharTemp = CharTemp^i;		// eax xor ecx
  serial += CharTemp;			// update the serial
} while (i<NameLong);

serialTemp = CharTemp*6;		// = imul eax, 06 (eax holds the last xored char)
serial = serial<<7;			// = shl ebx, 07
serial += serialTemp;			// update the serial

char buffer[80];
sprintf(buffer, "%X", serial);		// hex conversion :) same output as the crackme's "%lX" on 32-bit Windows

edSerial->Text=buffer;			// show the serial
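As an added example (not part of the original tutorial, and not the crackme's or the author's code), here is a plain C version of the commented routine above and of the "%lX" step, written to mirror the disassembly register by register: the movsx sign extension, 32-bit wraparound, the 1-based counter, the 4..49 length check, and a final comparison that behaves like lstrcmpA. The function names and the sample name "test" are my own choices.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Length check from the crackme: fail if len <= 3 (jle) or len >= 32h = 50 (jge),
 * so only 4..49 characters are accepted. */
static int name_length_ok(size_t len)
{
    return len > 3 && len < 50;
}

/* Mirror of the loop at 0040110C and the three instructions after it.
 * Registers are modelled as uint32_t so add/shl wrap exactly as on x86.
 * Returns 0 (and leaves *serial untouched) if the length check fails. */
int compute_serial(const char *name, uint32_t *serial)
{
    size_t len = strlen(name);
    if (!name_length_ok(len))
        return 0;

    uint32_t eax = 0, ebx = 0, ecx = 0;    /* eax, ebx, ... = 0 */
    do {
        /* movsx eax, byte ptr [name + ecx] : sign-extend the byte to 32 bits */
        eax = (uint32_t)(int32_t)(int8_t)name[ecx];
        ecx++;                             /* inc ecx : counter is now 1-based */
        eax ^= ecx;                        /* xor eax, ecx */
        ebx += eax;                        /* add ebx, eax */
    } while (ecx != (uint32_t)len);        /* cmp ecx, [ebp-28] / jne 0040110C */

    eax *= 6;                              /* imul eax, 06 : eax still holds the last xored char */
    ebx <<= 7;                             /* shl ebx, 07 */
    *serial = eax + ebx;                   /* add eax, ebx : value pushed for "%lX" */
    return 1;
}

/* The crackme formats the value with "%lX" (uppercase hex, no prefix)
 * and compares that string with what the user typed. */
int format_serial(uint32_t serial, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%lX", (unsigned long)serial);
    return n > 0 && (size_t)n < outlen;
}

/* Returns 1 when the typed serial matches, i.e. when lstrcmpA would return 0. */
int check_serial(const char *name, const char *typed)
{
    uint32_t value;
    char expected[16];
    if (!compute_serial(name, &value) || !format_serial(value, expected, sizeof expected))
        return 0;
    return strcmp(expected, typed) == 0;
}

int main(void)
{
    const char *name = "test";            /* constructed sample input */
    uint32_t value;
    char hex[16];
    if (compute_serial(name, &value) && format_serial(value, hex, sizeof hex))
        printf("%s -> %s (the decimal form %u is what the first keygen produced)\n",
               name, hex, value);
    return 0;
}
```

For the name "test" the loop sums 117+103+112+112 = 444, the last xored byte is 112, so the value is 444<<7 + 112*6 = 57504, which "%lX" prints as E0A0; the decimal string "57504" of the first keygen is exactly the "WRONG serial" case above. One caveat when comparing with the C++ Builder keygen: it stores each character in an unsigned char, whereas the crackme uses movsx, so for bytes >= 80h (accented characters) the two diverge; the int8_t/uint32_t casts here keep the crackme's behaviour.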



Now it's fully functional (at least I hope ;p ).
I hope you learned something from this little tutorial.

Please write ANY comment to : Dya-Blo@gmx.net
(btw, don't be too hard : it's just my first tutorial).

Greetings : everybody in #c.i.a and #cracking4newbies (especially analyst who wrote this crackme).

See You.  Dya-Blo.