***************************************************************************************************************************************************
				Keygenning4Newbies KeygenMe #1
***************************************************************************************************************************************************

Author:		tHE ANALYST [UCF/ID]
Protection:	Name / Serial
URL:		
Tools:		SoftICE 4.05


--->	Intro...

Hi and welcome to my next Tutorial :)
This one is very easy and simple to follow so let's begin :)


--->	Let's Begin...

Open the CrackMe and it'll ask for some Name and Serial, I've used:

Name:		CoDe_InSiDe
Serial:		1234567890

Then get into SoftICE (CTRL+D) and type "bpx hmemcpy" followed by "enter" (hmemcpy only exists on Win9x; on NT/2000 use "bpx GetWindowTextA" instead).
Then out of SoftICE (CTRL+D) and press "Check the Serial" and SoftICE should popup.
Now press (F12) 8 times till you see this:

---------------------------------------------------------------------------------------------------------------------------------------------------

:0040109C 6A68                    push 00000068				<--- HERE WE LAND AFTER THE BREAK !!!
:0040109E 53                      push ebx

* Reference To: USER32.GetDlgItem, Ord:0000h
                                  |
:0040109F E8FE9B0000              Call 0040ACA2
:004010A4 6A64                    push 00000064
:004010A6 8D8DE4FEFFFF            lea ecx, dword ptr [ebp+FFFFFEE4]
:004010AC 51                      push ecx
:004010AD 50                      push eax

* Reference To: USER32.GetWindowTextA, Ord:0000h
                                  |
:004010AE E8FB9B0000              Call 0040ACAE

* Possible Reference to Dialog: DialogID_0001, CONTROL_ID:0067, ""
                                  |
:004010B3 6A67                    push 00000067
:004010B5 53                      push ebx

* Reference To: USER32.GetDlgItem, Ord:0000h
                                  |
:004010B6 E8E79B0000              Call 0040ACA2
:004010BB 8BF0                    mov esi, eax				<--- Move EAX in ESI
:004010BD 8D8548FFFFFF            lea eax, dword ptr [ebp+FFFFFF48]	<--- EAX now points to our Name
:004010C3 50                      push eax				<--- Save EAX
:004010C4 E867050000              call 00401630				<--- Here it gets the length of our Name
:004010C9 59                      pop ecx
:004010CA 8945D8                  mov dword ptr [ebp-28], eax		<--- Save our length in EBP-28
:004010CD 8D95E4FEFFFF            lea edx, dword ptr [ebp+FFFFFEE4]	<--- EDX now points to our "Fake" Serial
:004010D3 52                      push edx				<--- Save EDX
:004010D4 E857050000              call 00401630				<--- Here it gets the length of our "Fake" Serial
:004010D9 59                      pop ecx
:004010DA 68EAB04000              push 0040B0EA				<--- Points to nothing :)
:004010DF E84C050000              call 00401630				<--- Here it gets the length of nothing
:004010E4 59                      pop ecx
:004010E5 680EB14000              push 0040B10E				<--- Points to nothing :)
:004010EA E841050000              call 00401630				<--- Here it gets the length of nothing
:004010EF 59                      pop ecx
:004010F0 837DD803                cmp dword ptr [ebp-28], 00000003	<--- Compare the length of our Name with 00000003 (3 Decimal)
:004010F4 7E7B                    jle 00401171				<--- If lower or equal (Name is 3 chars or shorter) we jump and get the Bad Guy message, else continue
:004010F6 90                      nop					<--- No OPeration
:004010F7 90                      nop					<--- No OPeration
:004010F8 90                      nop					<--- No OPeration
:004010F9 90                      nop					<--- No OPeration
:004010FA 33C9                    xor ecx, ecx				<--- XOR ECX which is now 00
:004010FC 33D2                    xor edx, edx				<--- XOR EDX which is now 00
:004010FE 33DB                    xor ebx, ebx				<--- XOR EBX which is now 00
:00401100 33C0                    xor eax, eax				<--- XOR EAX which is now 00
:00401102 837DD832                cmp dword ptr [ebp-28], 00000032	<--- Compare the length of our Name with 00000032 (50 Decimal)
:00401106 7D69                    jge 00401171				<--- If greater or equal (Name is 50 chars or longer) we jump and get the Bad Guy message, else continue
:00401108 90                      nop					<--- No OPeration
:00401109 90                      nop					<--- No OPeration
:0040110A 90                      nop					<--- No OPeration
:0040110B 90                      nop					<--- No OPeration

---------------------------------------------------------------------------------------------------------------------------------------------------

Ok, this looks like a lot but it isn't :)
It simply fetches our Name and the "Fake" Serial we entered, then checks the length of our Name against 00000003 (3 Decimal) and 00000032 (50 Decimal).
If the length is 3 or lower, or 50 or higher, we fail and get the Bad Guy message, so the Name must be 4 to 49 chars long; else we continue.
Note that ECX, EDX, EBX and EAX are all zeroed before the next part, which matters for the loop.
Let's see what's next:

---------------------------------------------------------------------------------------------------------------------------------------------------

:0040110C 0FBE840D48FFFFFF        movsx eax, byte ptr [ebp+ecx-000000B8]<--- Move the Char at position ECX of our Name in EAX, sign-extended (ECX starts at 00, so the first Char)
:00401114 41                      inc ecx				<--- ECX +1 (ECX is now the 1-based position of this Char)
:00401115 33C1                    xor eax, ecx				<--- XOR EAX with ECX
:00401117 03D8                    add ebx, eax				<--- ADD EAX to EBX (EBX is the running sum)
:00401119 3B4DD8                  cmp ecx, dword ptr [ebp-28]		<--- Compare ECX with EBP-28 (Length of our Name)
:0040111C 75EE                    jne 0040110C				<--- If not equal we jump back and do the next Char, else continue
:0040111E 6BC006                  imul eax, 00000006			<--- Multiply EAX (still the last Char XOR the length) with 00000006
:00401121 C1E307                  shl ebx, 07				<--- Shift EBX (the sum) to the left with 07
:00401124 03C3                    add eax, ebx				<--- ADD EBX to EAX, this is the "Real" Serial
:00401126 8945C8                  mov dword ptr [ebp-38], eax		<--- Save EAX in EBP-38
:00401129 FF75C8                  push [ebp-38]				<--- Save the New Value

---------------------------------------------------------------------------------------------------------------------------------------------------

And here we have the Algo, damn small ;)
So, it does this (ECX, EBX and EAX all start at 00):

It takes the Char at position ECX of our Name (sign-extended) and puts it in EAX
Increase ECX with 01
Then XOR EAX with ECX (so every Char is XORed with its 1-based position)
Then ADD EAX to EBX (EBX is the running sum)
Compare ECX with the length of our Name
If not equal we repeat the loop, else continue

After the loop EAX still holds the last Char XOR the length, and it Multiplies that with 06
Shifts EBX to the left with 07 (the same as multiplying the sum with 128)
And then ADDs EBX to EAX
Final Result in EAX ---> use %lX to show the Serial in Readable Format (uppercase Hex, no leading zeros)

That's all :)
I don't need to show more because after this piece of Code it will use "lstrcmpA" to Compare the "Real" Serial with the "Fake" Serial :) (lstrcmpA is case-sensitive, so type the Hex digits in uppercase)
I think you can KeyGen this in YOUR language now :)
And i hope you learned something from this tutorial...
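A KeyGen for this Algo, written in C as an added example for this tutorial (it is not code from the CrackMe and not part of the original text). It replays the loop above on 32-bit values the way the registers do (sign-extended Char, 1-based position, wrapping add), enforces the 4..49 length window from the two jumps, and formats the result with %X so it matches the string the target builds for lstrcmpA. The function names keygen and format_serial are mine, not the target's.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length window from 004010F0 (jle when len <= 3) and 00401102 (jge when len >= 0x32). */
#define MIN_LEN 4
#define MAX_LEN 49

/* Replays the loop at 0040110C..00401124 on a 32-bit register model.
 * Returns 0 and stores the Serial in *serial when the Name length is accepted,
 * -1 when the target would show the Bad Guy message instead. */
int keygen(const char *name, uint32_t *serial)
{
    size_t len = strlen(name);
    if (len < MIN_LEN || len > MAX_LEN)
        return -1;

    uint32_t eax = 0, ebx = 0, ecx = 0;
    do {
        /* movsx eax, byte ptr [ebp+ecx-B8]: the byte is sign-extended, so a
         * Char >= 0x80 becomes a negative 32-bit value, exactly like the target. */
        eax = (uint32_t)(int32_t)(int8_t)name[ecx];
        ecx++;                 /* inc ecx: ECX is now the 1-based position */
        eax ^= ecx;            /* xor eax, ecx */
        ebx += eax;            /* add ebx, eax (wraps at 32 bits like the register) */
    } while (ecx != len);      /* cmp ecx, [ebp-28] / jne */

    eax *= 6;                  /* imul eax, 6: last Char XOR length, times 6 */
    ebx <<= 7;                 /* shl ebx, 7 */
    *serial = eax + ebx;       /* add eax, ebx */
    return 0;
}

/* Same output as %lX on 32-bit Windows: uppercase Hex, no leading zeros. */
void format_serial(uint32_t serial, char *out, size_t outlen)
{
    snprintf(out, outlen, "%" PRIX32, serial);
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "CoDe_InSiDe";
    uint32_t serial;
    char text[16];

    if (keygen(name, &serial) != 0) {
        fprintf(stderr, "Name must be %d..%d chars long\n", MIN_LEN, MAX_LEN);
        return 1;
    }
    format_serial(serial, text, sizeof text);
    printf("Name:   %s\nSerial: %s\n", name, text);
    return 0;
}
```

Run it with the Name as the first argument; with no argument it uses the Name from this tutorial. If you feed it a Name with non-ASCII Chars you will see why the sign extension is kept: dropping it gives a different Serial than the target computes.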


--->	Greetings...

Everyone from TrickSoft			(www.TrickSoft.net)
Everyone from Cracking4Newbies		(www.Cracking4Newbies.com)
Everyone from Keygenning4Newbies :P	(Keygenning4Newbies.cjb.net)
And Everyone i know and You...
Thanks for reading !

			   Don't trust the Outside, trust the InSiDe !!!

					    Cya...

					  CoDe_InSiDe
