keygenning4newbies Crackme 1
coded by the analyst [UCF/ID]

TUTORIAL!

Well, this is a pretty easy keygenme, so let's start:

Tools Used:

OllyDbg
MASM32 for the keygen :)

Let's start:

Open k4n.exe in OllyDbg and set a breakpoint on the GetWindowTextA API; you
will find 3 call locations. Press F9 to run and enter your name; I'll use mine.

Name:   tazmanian[BRC/2003]
Serial: 123456

Push the button, then step with F8 in OllyDbg until you see:

0040110C  |> 0FBE840D 48FFF>/MOVSX EAX,BYTE PTR SS:[EBP+ECX-B8]  ; Get character from NAME
00401114  |. 41             |INC ECX                           ; counter++
00401115  |. 33C1           |XOR EAX,ECX                      ; XOR the character with the counter
00401117  |. 03D8           |ADD EBX,EAX                      ; Add the result to EBX
00401119  |. 3B4D D8        |CMP ECX,[LOCAL.10]               ; Check if the loop is finished
0040111C  |.^75 EE          \JNZ SHORT K4N.0040110C           ; NO=JUMP

For my name, the final value in EBX was 618h. Let's go on:

0040111E  |. 6BC0 06        IMUL EAX,EAX,6     ; Multiply EAX by 6
00401121  |. C1E3 07        SHL EBX,7          ; Shift the sum in EBX left by 7
00401124  |. 03C3           ADD EAX,EBX        ; Add them together

In the end, my EAX was 30DD4h, which is 200148 in decimal.

Let's go on with the code...

00401129  |. FF75 C8        PUSH [LOCAL.14]               ; /Arg3 = 00030DD4
0040112C  |. 68 38B44000    PUSH K4N.0040B438             ; |Arg2 = 0040B438 ASCII "%lX"
00401131  |. 8D8D 80FEFFFF  LEA ECX,[LOCAL.96]            ; |
00401137  |. 51             PUSH ECX                      ; |Arg1
00401138  |. E8 873D0000    CALL K4N.00404EC4             ; \K4N.00404EC4

Hmm, that is wsprintf with the format "%lX": it converts the value into an uppercase hexadecimal string.
(INFO: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/WinUI/WindowsUserInterface/Resources/Strings/StringReference/StringFunctions/wsprintf.asp)

The function produces the ASCII string "30DD4"... going on with the code...

00401146  |. 50             PUSH EAX                                 ; /String2 = "30DD4"
00401147  |. 8D95 E4FEFFFF  LEA EDX,[LOCAL.71]                       ; |
0040114D  |. 52             PUSH EDX                                 ; |String1 = "123456"
0040114E  |. E8 339C0000    CALL <JMP.&KERNEL32.lstrcmpA>            ; \lstrcmpA

lstrcmpA compares the computed serial with the serial we entered...

Name:    tazmanian[BRC/2003]
Serial:  30DD4

Congratulations! We found the correct serial! Now let's code our keygen!

I won't explain how to code it, but I'll include the source code with this
tutorial so you can learn by yourself ;)
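As an added example (not the MASM keygen source shipped with this tutorial), here is the check routine rebuilt in Python from the listing above, so you can verify the analysis against your own name. One detail visible in the listing but not spelled out: when IMUL runs, EAX still holds the last character XORed with the counter (for the name above, ']' ^ 19 = 4Eh, and 4Eh*6 + (618h<<7) = 30DD4h).

```python
# Added example: a re-implementation of k4n.exe's serial check, reconstructed
# from the disassembly in the tutorial. Not the author's keygen source.

def k4n_name_sum(name: bytes) -> int:
    """Loop at 0040110C: EBX += (char ^ 1-based counter) for every byte of NAME."""
    total = 0
    for idx, b in enumerate(name, start=1):      # INC ECX runs before the XOR
        ch = b - 256 if b >= 0x80 else b         # MOVSX sign-extends the byte
        total += ch ^ idx
    return total & 0xFFFFFFFF                    # EBX is a 32-bit register


def k4n_serial(name: bytes) -> str:
    """0040111E..00401138: EAX = (last char ^ len) * 6 + (EBX << 7), formatted "%lX"."""
    if not name:
        raise ValueError("empty name is not covered by the walkthrough")
    total = k4n_name_sum(name)
    last = (name[-1] - 256 if name[-1] >= 0x80 else name[-1]) ^ len(name)
    eax = (last * 6 + (total << 7)) & 0xFFFFFFFF  # IMUL EAX,EAX,6 ; SHL EBX,7 ; ADD EAX,EBX
    return f"{eax:X}"                             # wsprintf "%lX": uppercase hex, no padding


def k4n_check(name: bytes, serial: bytes) -> bool:
    """lstrcmpA at 0040114E: the entered serial must equal the generated string exactly."""
    return serial == k4n_serial(name).encode("ascii")


if __name__ == "__main__":
    # The tutorial's own name/serial pair, used as a sanity check of the reconstruction.
    print(k4n_serial(b"tazmanian[BRC/2003]"))  # 30DD4
```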


03/22/2003
tazmanian[BRC/2003]
