:00426935 0F8406010000 je 00426A41 <--- If EAX is equal to EBX we jump and that means we haven't entered a Serial, or our Serial consists of 00000000, else continue
:0042693B FFB7D5000000 push dword ptr [edi+000000D5] <--- Push the offset to our Name
:00426941 E896090000 call 004272DC <--- Here's the Algo !!!
:00426946 3945E8 cmp dword ptr [ebp-18], eax <--- Compare EAX ("Real" Serial) with our "Fake" Serial in Memory
:00426949 59 pop ecx
:0042694A 753A jne 00426986 <--- If not equal we jump and get the Bad Guy message, else we get the Good Guy message :)
Ok well, first it puts our "Fake" Serial into the Register EAX (In Decimal Format), so if you're out of that CALL and then do a "? EAX" you'll see your "Fake" Serial in SoftICE :)
Then it Compares that value (Your "Fake" Serial) to the value 00000000, to see if we really entered something or whether we entered only 0's :)
If so we jump and fail; if not, we continue to the Algo. Let's see what the Algo is, so enter the CALL 004272DC and you'll see this:
In this piece of Code it takes the length of our Name and Compares it with 05; if fewer than 5 Characters were entered as Name we fail, else we continue to the Algo.
So trace a little further till it jumps after the "cmp eax, 00000005" (or do everything again if you entered fewer than 5 Characters for your Name) and then you'll see this:
Ok, so it takes the length of your Name and subtracts 04 from it. Why? Because, as you see, it XORs a Dword (4 bytes) with ESI (Our Magic Value); if it didn't subtract 04 from the length, the last reads would run past the end of the Name and you would get a XOR with 00, and they didn't want that :)
So it goes like this:
Name: "CoDe_InSiDe"
Length of my Name = "0B" (11 Decimal)
Length - 04 = "07" (7 Decimal)
Then it Compares EBX (00 at the beginning) with our "New" Length (07)
If below we continue to make the "Real" Serial, else we jump to the end and move ESI (Our "Real" Serial) into EAX
Then it XORs the first 4 bytes of our Name with the Magic Value in ESI (65446F43 XOR 5DFEE4A4)
Then it tests whether BL is less than 40
If so we jump and increase EBX by 1, else we increase EBX by 2
Repeat loop
...
Compare EBX (01 now) with our "New" Length (07)
If below we continue to make the "Real" Serial, else we jump to the end and move ESI (Our "Real" Serial) into EAX
Then it XORs ESI with the next 4 bytes of our Name (now it begins at the next Char of our Name because of "inc EBX")
Then it tests whether BL is less than 40
If so we jump and increase EBX by 1, else we increase EBX by 2
And so on...
Until the "cmp ebx, eax" finds that EBX is no longer below our "New" Length; then we jump and move the final result from ESI into EAX
Then we get back to the main Code, where it does "cmp dword ptr [ebp-18], eax": Compare EAX ("Real" Serial) with our "Fake" Serial in Memory.
If equal we continue and get the Good Guy message, else we get the Bad Guy message :)
Do a "? EAX" to see your Serial in Decimal Format.
Ok, that's it...
As you can see, the "Company" field isn't used in the calculation at all, just like in so many other Programs :)
So finally I got this Serial for my Name:
Name: CoDe_InSiDe
Company: KnOwLeDgE <--- Not necessary can be left blank
Serial: 1050509777
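As an added example (not from the original tutorial), here is the routine traced above re-implemented in Python and checked against the Name/Serial pair just given. The magic value 5DFEE4A4, the "Length - 04" bound and the "BL below 40" step are taken from the trace; the function names are my own, and the program being analysed is not named on the page.

```python
from typing import Optional

MAGIC = 0x5DFEE4A4      # initial ESI value quoted in the trace
MIN_NAME_LEN = 5        # "cmp eax, 00000005": shorter Names fail


def serial_from_name(name: str) -> Optional[int]:
    """Return the 32-bit "Real" Serial for `name`, or None if the length check fails.

    The Serial depends only on the Name bytes and a constant stored in the
    program, so anyone who reads the routine can recompute it; a check with
    no secret of its own cannot be stronger than this.
    """
    data = name.encode("latin-1")
    if len(data) < MIN_NAME_LEN:
        return None                      # length check at the top of the CALL
    new_len = len(data) - 4              # "Length - 04"
    esi = MAGIC
    ebx = 0
    while ebx < new_len:                 # "cmp ebx, eax" / jump if not below
        # XOR ESI with the 4 Name bytes at offset EBX (little-endian dword)
        esi ^= int.from_bytes(data[ebx:ebx + 4], "little")
        bl = ebx & 0xFF                  # BL is the low byte of EBX
        ebx += 1 if bl < 0x40 else 2     # "inc EBX" or add 2, as on the page
    return esi & 0xFFFFFFFF              # final ESI is moved into EAX


def check_serial(name: str, entered: int) -> bool:
    """The main-code checks: a Serial of 00000000 fails outright, then
    "cmp dword ptr [ebp-18], eax" compares the typed value with the real one."""
    if entered == 0:
        return False
    real = serial_from_name(name)
    return real is not None and real == entered


if __name__ == "__main__":
    # The tutorial's own Name; the result should print as 1050509777
    print(serial_from_name("CoDe_InSiDe"))
```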
I hope you learned something from this tutorial; it wasn't very hard to understand, I hope :)
If you have any questions or just something to say send it to:
Email: code.inside@home.nl
---> Greetings...
Everyone from TrickSoft (www.TrickSoft.net)
Everyone from Cracking4Newbies (www.Cracking4Newbies.com)
Everyone from Keygenning4Newbies (Keygenning4Newbies.cjb.net)