
  1. fusS' 5th crackme keygenning tutorial by nh
  2.  
  3. E-Mail: nh666@mail.ru
  4.  
  5. Tools needed: IDA v3.xx-4.xx, TASM v5.0
  6.  
  7. Load the crackme into IDA & look at this fragment of code:
  8.   
  9. .text:0040117D               push    offset dword_0_403143
  10. .text:00401182               push    0
  11. .text:00401184               push    20019h
  12. .text:00401189               push    0
  13. .text:0040118B               push    0
  14. .text:0040118D               push    0
  15. .text:0040118F               push    offset aSoftwareTricks
  16. .text:00401194               push    80000002h
  17. .text:00401199               call    j_RegCreateKeyExA
  18.  
  19. this opens (or creates) the 'Software\TrickSoft\fusS\Crackme05' key under HKEY_LOCAL_MACHINE (80000002h) in the Windows registry
  20.  
  21.  
  22. .text:0040119E               push    offset asc_0_403127
  23. .text:004011A3               push    offset Name
  24. .text:004011A8               push    offset unk_0_4031AB
  25. .text:004011AD               push    0
  26. .text:004011AF               push    offset aUsername
  27. .text:004011B4               push    dword_0_403143
  28. .text:004011BA               call    j_RegQueryValueExA
  29.  
  30. reads the UserName value into Name
  31.  
  32. .text:004011BF               push    offset asc_0_40312B
  33. .text:004011C4               push    offset Code
  34. .text:004011C9               push    offset unk_0_4031AB
  35. .text:004011CE               push    0
  36. .text:004011D0               push    offset aMagicvalue
  37. .text:004011D5               push    dword_0_403143
  38.  
  39.  
  40. reads the MagicValue value into Code
  41.  
  42. .text:004011DB               call    j_RegQueryValueExA
  43. .text:004011E0               push    0
  44. .text:004011E2               call    j_RegCloseKey
  45.  
  46. [...skipped...]
  47.  
  48. .text:00401222 sub_0_401222    proc near           ; CODE XREF: start+1E7p
  49. .text:00401222               push    ebp
  50. .text:00401223               mov     ebp, esp
  51. .text:00401225               push    offset Name
  52. .text:0040122A               call    j_lstrlenA
  53. .text:0040122F               cmp     eax, 1
  54. .text:00401232               jle     loc_0_4012FC
  55. .text:00401238               push    offset Code
  56. .text:0040123D               call    j_lstrlenA
  57. .text:00401242               cmp     eax, 0
  58. .text:00401245               jz      loc_0_4012FC
  59. .text:0040124B               lea     eax, ds:40314Bh
  60. .text:00401251               xor     ecx, ecx
  61. .text:00401253               xor     ebx, ebx
  62. .text:00401255 
  63. .text:00401255 loc_0_401255:                   ; CODE XREF: sub_0_401222+45j
  64. .text:00401255               mov     bl, [eax]
  65. .text:00401257               cmp     bl, 0
  66. .text:0040125A               jz      short loc_0_401269
  67. .text:0040125C               mov     bh, [eax+1]
  68. .text:0040125F               imul    ebx, ebx
  69. .text:00401262               add     ecx, ebx
  70. .text:00401264               xor     ebx, ebx
  71. .text:00401266               inc     eax
  72. .text:00401267               jmp     short loc_0_401255
  73.  
  74. so, it's a very simple algo: walking the string at 40314Bh (the Name buffer) one byte at a time until a zero byte, each step builds ebx from the current byte (bl) and the following byte (bh), squares it, and adds the result to ecx. %))
  75.  
  76.  
  77. .text:00401269 loc_0_401269:                   ; CODE XREF: sub_0_401222+38j
  78. .text:00401269               add     ecx, 0BAB1E5h
  79. .text:0040126F               xor     ebx, ebx
  80. .text:00401271 
  81. .text:00401271 loc_0_401271:                   ; CODE XREF: sub_0_401222+56j
  82. .text:00401271               add     ecx, 2
  83. .text:00401274               inc     ebx
  84. .text:00401275               cmp     ebx, 63h
  85. .text:00401278               jnz     short loc_0_401271 
  86.  
  87. =) this loop just adds 2 to ecx 63h times, i.e. ecx += 63h*2
  88.  
  89. .text:0040127A               imul    ecx, 0DEADBEEFh
  90. .text:00401280               sub     ecx, 0DEADBEEFh
  91. .text:00401286               lea     ebx, ds:403048h
  92. .text:0040128C               push    ecx
  93. .text:0040128D               push    offset aD
  94. .text:00401292               push    offset unk_0_40318B
  95. .text:00401297               call    j_wsprintfA
  96.  
  97. convert ecx to a string with wsprintf (format aD) into the buffer at 40318Bh
  98.  
  99. .text:0040129C               add     esp, 0Ch
  100. .text:0040129F               push    offset unk_0_40318B
  101. .text:004012A4               call    j_lstrlenA
  102. .text:004012A9               lea     ebx, ds:40318Bh
  103. .text:004012AF               add     ebx, eax
  104. .text:004012B1               mov     byte ptr    [ebx], 2Dh
  105. .text:004012B4               inc     ebx
  106. .text:004012B5               push    offset aTs
  107. .text:004012BA               push    ebx
  108. .text:004012BB               call    j_lstrcpyA
  109.  
  110. append '-' (2Dh) and then the aTs string, i.e. '-[TS]', to this string
  111.  
  112. .text:004012C0               push    offset unk_0_40318B
  113. .text:004012C5               push    offset Code
  114. .text:004012CA               call    j_lstrcmpA
  115.  
  116. and compare it with the MagicValue string read earlier into Code
  117.  
  118. .text:004012CF               cmp     eax, 0
  119. .text:004012D2               jnz     short loc_0_4012E8
  120. .text:004012D4               push    offset aCongratulation
  121. .text:004012D9               push    dword_0_40313F
  122. .text:004012DF               call    j_SetWindowTextA
  123. .text:004012E4               leave   
  124. .text:004012E5               retn    4
  125.  
  126. so, the keygen source is in nh-fcm05.asm & nh-fcm05.rc
  127.  
  128. that's all.
  129.  
  130. /nh