Welcome once again to a key generator tutorial. So without further ado lets launch our target, and select Register from the screen which appears, now you'll need to enter a name, company name and registration code, I'm using CrackZ, Zencrack and 12345678 in that order, you'll find that 3 breaks on GetWindowTextA work well.
You should easily trace to the following code, either with F10 or F12.
:00408802 MOV EAX,[EDI] <-- Name.
:00408804 CMP DWORD PTR [EAX-08],05 <-- Check name was at least 5.
:00408808 JGE 0040881E <-- Jump_good_name.
:0040881E MOV EAX,[ESI+64] <-- Code entered.
:00408821 CMP DWORD PTR [EAX-08],01 <-- Check code was at least 1.
:00408825 JGE 0040883B <-- Jump_good_code_length.
So as we have become accustomed, a simple length of name check for 5 characters
and a code check for at least 1, we continue at the following code:
:0040883C CALL [00414038] <-- Returns code entered in EAX.
:00408842 ADD ESP,04 <-- Tidy stack.
:00408845 MOV EBX,EAX <-- Place code entered in EBX.
:00408847 PUSH [EDI]
:00408849 CALL 00409010 <-- Calculate real good code.
:0040884E ADD ESP,04 <-- Tidy stack.
:00408851 CMP EAX,EBX <-- Compare good_guy_/_bad_guy.
:00408853 JZ 00408866 <-- Jump_good_code.
Well its easy to type >? EBX in SoftICE and find
the good code, however we need to investigate how the program builds this
code by tracing into 00409010. Well without highlighting the actual code,
the program works as follows. Firstly, the name will be uppercased so
in my case we get CRACKZ, then each letter will be squared before the
individual results are added together, so I get.
(672 + 822 + 652 + 672 + 752 + 902) = 33,652.
Then we multiply this result by 93h (147 dec) to give the good code (4946844), if you trace the function be sure to also note the use of IsCharAlphaA to identify whether a character is a number or letter. I've attached here the assembly level source code for a key generator which I wrote, should you wish to examine it.