[Cracking tool] OD, Calculator
[Cracking platform] WINXP
[Software Overview] Difficulty: 2-Needs a little brain (or luck)
Platform: Windows
Language: Assembler
----------------------------------------------------------------------
This CRACKME is very interesting; it is the first time I have seen a CRACKME register in this way, so I will analyze it.
The key code is easy to find from the prompts.
00401288/$55 push ebp; breakpoint
00401289 |. 8BEC mov ebp, esp
0040128B |. 81C4 FCFEFFFF add esp,-104
00401291 |. C785 FCFEFFFF> mov dword ptr [ebp-104>
0040129B |. 68 80000000 push 80;/Count = 80 (128 .)
004012A0 |. 8D45 80 lea eax, [ebp-80]; |
004012A3 |. 50 push eax; | Buffer
004012A4 |. 68 ED030000 push 3ED; | ControlID = 3ED (1005 .)
004012A9 |. FF35 0C304000 push dword ptr [40300C]; | hWnd = 00190644 (B2C _2k5, class = DLGCLASS)
004012AF |. E8 3A010000 call <jmp. & user32.GetDl>; GetDlgItemTextA
004012B4 |. 83F8 05 cmp eax, 5 ; compare the length of the registration name with 5
004012B7 |. 0F82 C7000000 jb 00401384 ; fewer than 5 characters: jump to failure
004012BD |. 68 80000000 push 80;/Count = 80 (128 .)
004012C2 |. 8D85 00 FFFFFF lea eax, [ebp-100]; |
004012C8 |. 50 push eax; | Buffer
004012C9 |. 68 EE030000 push 3EE; | ControlID = 3EE (1006 .)
004012CE |. FF35 0C304000 push dword ptr [40300C]; | hWnd = 00190644 (B2C _2k5, class = DLGCLASS)
004012D4 |. E8 15010000 call <jmp. & user32.GetDl>; GetDlgItemTextA
004012D9 |. 83F8 08 cmp eax, 8 ; compare the length of the registration code with 8
004012DC |. 0F85 A2000000 jnz 00401384 ; not exactly 8 characters: jump to failure
From this we can learn:
The registration name must be at least 5 characters long (fewer than 5 fails)
The registration code must be exactly 8 characters long
004012E2 |. 8D95 00FFFFFF lea edx, [ebp-100] ; EDX points to the entered registration code
004012E8 |. 52 push edx
004012E9 |. E8 82010000 call 00401470 ; converts the entered registration code to uppercase
004012EE |. 50 push eax
004012EF |. E8 92000000 call 00401386
004012F4 |. 83F8 00 cmp eax, 0 ; was a registration code entered?
004012F7 |. 0F84 87000000 je 00401384 ; no registration code entered: jump to failure
004012FD |. 33D2 xor edx, edx ; clear EDX, the calculation starts
004012FF |. 35 33644752 xor eax, 52476433 ; XOR (entered registration code, 0x52476433), call the result A
00401304 |. 35 56244752 xor eax, 52472456 ; XOR (A, 0x52472456), call the result B
00401309 |. 2D 00000004 sub eax, 4000000 ; B minus 0x4000000, call the result C
This is the processing of the registration code. First, the lowercase part of the registration code is converted to its uppercase form.
Let CODE denote the entered registration code.
CODE is processed as XOR [XOR (CODE, 0x52476433), 0x52472456].
Because XOR (0x52476433, 0x52472456) = 0x4065,
processing CODE is equivalent to XOR (CODE, 0x4065); the result is B.
C = B - 0x4000000
Author: xiaoyaofeng
0040130E |. BB 01000000 mov ebx, 1 ; EBX = 1
00401313 |. C1C3 10 rol ebx, 10 ; ROL (EBX, 10), EBX = 0x10000
00401316 |. 8D75 80 lea esi, [ebp-80] ; ESI points to the registration name
00401319 |> 803E 00 /cmp byte ptr [esi], 0 ; end of the name?
0040131C |. 74 0D |je short 0040132B
0040131E |. 0FB616 |movzx edx, byte ptr [esi] ; get the ASCII code of each character of the registration name
00401321 |. C1C2 10 |rol edx, 10 ; ROL (name character ASCII, 10)
00401324 |. 03C2 |add eax, edx ; accumulate the rotated ASCII code into C
00401326 |. 2BC3 |sub eax, ebx ; subtract 0x10000 after each addition
00401328 |. 46 |inc esi ; ESI plus 1 per iteration
00401329 |.^ EB EE \jmp short 00401319 ; loop
0040132B | &
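A Python model of the arithmetic traced so far, added here as an example (it is not the crackme's or the author's code). It assumes that call 00401386 returns a 32-bit value CODE from the upper-cased code (the listing does not show how), stops where the listing stops (0040132B, so the final comparison is not modelled), and also shows the 32-bit wrap-around when C goes below zero, which the text does not mention.

```python
# Added model of the registration-code arithmetic (not the crackme's code).
# Assumption: call 00401386 yields a 32-bit integer CODE from the 8-character
# upper-cased code; the listing does not show how, so CODE is taken as input.
MASK32 = 0xFFFFFFFF

def rol32(value: int, count: int) -> int:
    """ROL of a 32-bit register, as the x86 rol instruction does it."""
    count %= 32
    value &= MASK32
    return ((value << count) | (value >> (32 - count))) & MASK32

def stage_c(code: int) -> int:
    """XOR 52476433h, XOR 52472456h, SUB 4000000h (004012FF..00401309)."""
    a = (code ^ 0x52476433) & MASK32
    b = (a ^ 0x52472456) & MASK32
    return (b - 0x04000000) & MASK32      # SUB wraps like the register does

def stage_c_folded(code: int) -> int:
    """Same result: the two XORs collapse to one XOR with 0x4065."""
    return ((code ^ 0x4065) - 0x04000000) & MASK32

def name_loop(c: int, name: bytes) -> int:
    """The loop at 00401319: EBX = ROL(1,10h) = 0x10000; for each byte of
    the name EAX += ROL(byte,10h) - EBX, i.e. EAX += (byte - 1) << 16."""
    ebx = rol32(1, 0x10)
    eax = c
    for byte in name:                      # ends at the terminating 0 byte
        eax = (eax + rol32(byte, 0x10)) & MASK32
        eax = (eax - ebx) & MASK32
    return eax

def trace(code: int, name: bytes):
    """Run both stages and return (C, EAX after the name loop)."""
    c = stage_c(code)
    return c, name_loop(c, name)

if __name__ == "__main__":
    # Constructed sample input, not a key from the page.
    c, final = trace(0x12345678, b"ABCDE")
    print(f"C = {c:08X}, EAX after loop = {final:08X}")
```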