How to make Keygens?

May 13, 2008 by Ashik in Hacking Tutorials, Hardcore Hacking, Keygens, Software | Tags: Coding, Cracking, Hacking, Hardcore, Keygens

:0040A2FD 56 push esi ——–> The user name is pushed, in order
to
Upcase it’s chars.
* Reference To: USER32.CharUpperA, Ord:0000h
|
:0040A2FE E80F330000 Call User!CharUpper —> After this, our name is in
upper case.
:0040A303 56 push esi —–> Our name in upper case here.
* Reference To: cw3220mt._strlen, Ord:0000h
|
:0040A304 E86F300000 Call 0040D378 —> This is the length of our name.
:0040A309 59 pop ecx
:0040A30A 8BC8 mov ecx, eax —> ECX=Length.
:0040A30C 83F904 cmp ecx, 00000004 —> Length>=4 (MUST).
:0040A30F 7D05 jge 0040A316 —> Let’s go to this address…
:0040A311 83C8FF or eax, FFFFFFFF
:0040A314 EB67 jmp 0040A37D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A30F(C)
|
:0040A316 33D2 xor edx, edx
:0040A318 33C0 xor eax, eax
:0040A31A 3BC8 cmp ecx, eax
:0040A31C 7E17 jle 0040A335 —> (Not important, just another useless
checking).

==================================================================
FROM HERE AND ON, THE IMPORTANT CODE, PAY ATTENTION
==================================================================
One thing before we continue, EDX = 00000000h as we enter to the next instructions.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A333(C)
|
:0040A31E 0FBE1C06 movsx ebx, byte ptr [esi+eax] —> EBX <— char in user
name, offset EAX.
:0040A322 C1E303 shl ebx, 03 —–> Hmm, it shl’s the char by 03h…
(Remember that).
:0040A325 0FBE3C06 movsx edi, byte ptr [esi+eax] —> Now EDI <— Char in
user name , offset EAX.
:0040A329 0FAFF8 imul edi, eax —–> It multiplies the char by the
offset in user name! (Remember that).
:0040A32C 03DF add ebx, edi —–> Adds the result to EBX (That was
Shelled (Ding Dong =)).
:0040A32E 03D3 add edx, ebx —–> EDX=EDX+EBX!!! - This is the CORE
of this registration routine!!!
:0040A330 40 inc eax —–> Increase EAX by one (next char).
:0040A331 3BC8 cmp ecx, eax
:0040A333 7FE9 jg 0040A31E —-> If ECX<EAX then, we leave the
loop.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A31C(C)
|
:0040A335 A120674100 mov eax, dword ptr [00416720] —> HMMMMMM, What’s in
here?????
:0040A33A C1F803 sar eax, 03 ———> WAIT! Please type in SIce ‘?
EAX’
Does this number in EAX look
familiar to us?
If you still don`t understand,
than, It’s our SERIAL NUMBER! (PLEASE, take your time, and check by yourself - don`t trust me!).