keygenning4newbies Crackme 1 coded by the analyst [UCF/ID]

Debugger: 0040110C | 0FBE840D 48FFFFFF | movsx eax,byte ptr ss:[ebp+ecx-B8] | Here is where the serial is gen'd from the input string 00401114 | 41 | inc ecx | 00401115 | 33C1 | xor eax,ecx | 00401117 | 03D8 | add ebx,eax | 00401119 | 3B4D D8 | cmp ecx,dword ptr ss:[ebp-28] | 0040111C | 75 EE | jne k4n.40110C | 0040111E | 6BC0 06 | imul eax,eax,6 | 00401121 | C1E3 07 | shl ebx,7 | 00401124 | 03C3 | add eax,ebx | IDA Pro FREE: CODE:0040110C loc_40110C: ; CODE XREF: sub_401000+11C↓j CODE:0040110C movsx eax, [ebp+ecx+String] CODE:00401114 inc ecx CODE:00401115 xor eax, ecx CODE:00401117 add ebx, eax CODE:00401119 cmp ecx, [ebp+var_28] CODE:0040111C jnz short loc_40110C CODE:0040111E imul eax, 6 CODE:00401121 shl ebx, 7 CODE:00401124 add eax, ebx

My C console code (Visual Studio): // The code iterates over each character in the username string, performs bitwise XOR operations, // updates the values of eax and ebx, eax is multiplied by 6, ebx is shifted left by 7 positions, // and the resulting values are combined. #include <stdio.h> #include <string.h> int main() { char username[50] = "aaaaa"; int len = strlen(username); int i = 0, eax = 0, ebx = 0; // Generate serial# from hard-coded username // While loop runs as long as "i" is less than len. Here, "len" is the length of the username string while (i < len) { // i++ increments the value of i by 1 i++; // Accesses the (i-1)-th character in the username array // The^ operator performs a bitwise XOR operation between the character at username[i - 1] // and the current value of i // The result of the XOR operation is stored in the variable eax eax = username[i - 1] ^ i; // adds the value of eax to ebx ebx += eax; } // Multiplies the value of eax by 6 and stores the result back in eax eax *= 6; // shifts the bits in ebx to the left by 7 positions. This is equivalent to multiplying ebx // by 2 to the 7th power, or 128 ebx <<= 7; // Adds the value of ebx to eax eax += ebx; // Print serial# as hex printf("Serial# from Username, aaaaa (hard-coded) in hex: %X\n", eax); printf("Serial# from Username, aaaaa as decimal: %d\n", eax); return 0; }

C-Assembly debug output (.COD file): https://stackoverflow.com/questions/8355205/how-to-view-the-cod-file-generated-by-vc-compiler
*Use Notepad ++ to select the Language by clicking Language->A->Assembly, to view more easily.

; 125 : // Generate serial# from hard-coded username
; 126 : // While loop runs as long as "i" is less than len. Here, "len" is the length of the username string
; 127 : while (i < len)

0008e 8b 45 54 mov eax, DWORD PTR len$[rbp]
00091 39 45 74 cmp DWORD PTR i$[rbp], eax
00094 7d 35 jge SHORT $LN3@main

; 128 : {
; 129 : // i++ increments the value of i by 1
; 130 : i++;

00096 8b 45 74 mov eax, DWORD PTR i$[rbp]
00099 ff c0 inc eax
0009b 89 45 74 mov DWORD PTR i$[rbp], eax

; 131 :
; 132 : // Accesses the (i-1)-th character in the username array
; 133 : // The^ operator performs a bitwise XOR operation between the character at username[i - 1]
; 134 : // and the current value of i
; 135 : // The result of the XOR operation is stored in the variable eax
; 136 : eax = username[i - 1] ^ i;

0009e 8b 45 74 mov eax, DWORD PTR i$[rbp]
000a1 ff c8 dec eax
000a3 48 98 cdqe
000a5 0f be 44 05 08 movsx eax, BYTE PTR username$[rbp+rax]
000aa 33 45 74 xor eax, DWORD PTR i$[rbp]
000ad 89 85 94 00 00
00 mov DWORD PTR eax$[rbp], eax

; 137 :
; 138 : // adds the value of eax to ebx
; 139 : ebx += eax;

000b3 8b 85 94 00 00
00 mov eax, DWORD PTR eax$[rbp]
000b9 8b 8d b4 00 00
00 mov ecx, DWORD PTR ebx$[rbp]
000bf 03 c8 add ecx, eax
000c1 8b c1 mov eax, ecx
000c3 89 85 b4 00 00
00 mov DWORD PTR ebx$[rbp], eax

; 140 : }

000c9 eb c3 jmp SHORT $LN2@main
$LN3@main:

; 141 : // Multiplies the value of eax by 6 and stores the result back in eax
; 142 : eax *= 6;

000cb 6b 85 94 00 00
00 06 imul eax, DWORD PTR eax$[rbp], 6
000d2 89 85 94 00 00
00 mov DWORD PTR eax$[rbp], eax

; 143 :
; 144 : // shifts the bits in ebx to the left by 7 positions. This is equivalent to multiplying ebx
; 145 : // by 2 to the 7th power, or 128
; 146 : ebx <<= 7;

000d8 8b 85 b4 00 00
00 mov eax, DWORD PTR ebx$[rbp]
000de c1 e0 07 shl eax, 7
000e1 89 85 b4 00 00
00 mov DWORD PTR ebx$[rbp], eax

; 147 :
; 148 : // Adds the value of ebx to eax
; 149 : eax += ebx;

000e7 8b 85 b4 00 00
00 mov eax, DWORD PTR ebx$[rbp]
000ed 8b 8d 94 00 00
00 mov ecx, DWORD PTR eax$[rbp]
000f3 03 c8 add ecx, eax
000f5 8b c1 mov eax, ecx
000f7 89 85 94 00 00
00 mov DWORD PTR eax$[rbp], eax

; 150 :
; 151 : // Print serial# as hex
; 152 : printf("Serial# from Username, aaaaa (hard-coded) in hex: %X\n", eax);

000fd 8b 95 94 00 00
00 mov edx, DWORD PTR eax$[rbp]
00103 48 8d 0d 00 00
00 00 lea rcx, OFFSET FLAT:??_C@_0DG@GGDILAPF@Serial?$CD?5from?5Username?0?5aaaaa?5?$CIh@
0010a e8 00 00 00 00 call printf
0010f 90 npad 1

; 153 : printf("Serial# from Username, aaaaa as decimal: %d\n", eax);

Why am I providing this write-up? I'm hoping to get people to start learning to keygen.
I've aspired to do this for years. And after reading all the TUTs I really never got anywhere. Then a friend (you know who you are), got me back into coding/keygenning. Now don't get me wrong, I've been cracking /patching s/w for years, but could never make the leap (and still have gotten there, but I'm getting closer and closer every day). Still, it's not easy, and you must be persistent. And what I mean by that, is that you need to have goals:
Learn to code. Picha language and stick to that language
Learn to debug that code, meaning write simple programs and walk through them in a debugger
Debug with and without source code to understand what you are looking at, meaning assembly language
Once you get good at these things, then you will be able to do what might seem impossible - convert the assembly to a higher-level language (I suggest C, but to each their own)

The conversion is what has stumped me, for years. Why? Because I wasn't willing to do the work. Get the foundation to build on. Without the foundation, you'll just never get there. Sure, I could find the assembly location for the generation of the keygen (if not too complex), cut/paste, and use an existing TUT to make it work. But I never felt good about it, and I didn't really understand it fully.
This is why you need a foundation to build on and be able to do an actual conversion of the code. You can get help.
There are tools you can buy, as well as help online (example: CodeConvert AI - Convert code with a click of a button), but I encourage you not to rely on those. You'll only hurt yourself if you rely on these tools, trust me. Below is my write-up. I hope this is helpful to someone.

0040114E | E8 339C0000 | call <JMP.&lstrcmpA> | lstrcmpA 00401153 | 85C0 | test eax,eax | 00401155 | 75 0D | jne k4n.401164 | 00401157 | 68 3CB44000 | push k4n.40B43C | 0040115C | 56 | push esi | 0040115D | E8 289B0000 | call <JMP.&SetWindowTextA> | SetWindowTextA 00401162 | EB 18 | jmp k4n.40117C | 00401164 | 68 90B44000 | push k4n.40B490 | Toooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo 0040114E | 90 | nop | lstrcmpA 0040114F | 90 | nop | 00401150 | 90 | nop | 00401151 | 90 | nop | 00401152 | 90 | nop | 00401153 | 85C0 | test eax,eax | 00401155 | 75 0D | jne k4n.401164 | 00401157 | 68 3CB44000 | push k4n.40B43C | 0040115C | 56 | push esi | HWND hWnd = esi:EntryPoint 0040115D | E8 289B0000 | call <JMP.&SetWindowTextA> | SetWindowTextA 00401162 | EB 18 | jmp k4n.40117C | 00401164 | 51 | push ecx | 00401165 | 90 | nop | 00401166 | 90 | nop | 00401167 | 90 | nop | 00401168 | 90 | nop |