Contribute  :  Web Resources  :  Past Polls  :  Site Statistics  :  Downloads  :  Forum  
    BiW ReversingThe challenge is yours    
 Welcome to BiW Reversing
 Sunday, March 29 2020 @ 07:25 PM CEST

Keygening KiTo's Keygenme 2

   

TutorialsLevel : newbie

Solution for KiTo's keygenme 2.
Keygen source included.

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*.....
*Author:Tanatos
|Date:27.12.2004
*Target:http://www.reversing.be/easyfile/file.php?show=2005030512450060
|Dificulty:Easy
*Tools:Olly Debug,C++ Compiler
|Solution:Fishing/Keygen
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*.....

Introduction:Hello and welcome you all to my latest tutorial...hope you enjoy readin it and
maybe you will even understand something of it!

The Essay:

OK...You load the crackme into OllyDbg...now you right-click->search for->all referenced text strings
double click on :

Text strings referenced in KGNME2-K:.text, item 6
Address=00401114
Disassembly=PUSH KGNME2-K.00407188
Text string=ASCII "Bad Boy!"

that is the caption of our error message...no we land on this code section:

00401107 . 83C4 60 ADD ESP,60
0040110A . C2 1000 RETN 10
0040110D > 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0040110F . 68 08724000 PUSH KGNME2-K.00407208 ; |Title = "Doh!"
00401114 . 68 88714000 PUSH KGNME2-K.00407188 ; |Text = "Bad Boy!"
00401119 . 53 PUSH EBX ; |hOwner
0040111A . FF15 DC704000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; MessageBoxA
00401120 . 5F POP EDI
00401121 . B8 01000000 MOV EAX,1

that is just the bad boy error message...scroll a bit up...this is the end of our sequence the start is a bit up...
here for example:

00401066 . 6A 1E PUSH 1E ; /Count = 1E (30.)
00401068 . 8D4C24 30 LEA ECX,DWORD PTR SS:[ESP+30] ; |
0040106C . 51 PUSH ECX ; |Buffer
0040106D . 68 F0030000 PUSH 3F0 ; |ControlID = 3F0 (1008.)
00401072 . 53 PUSH EBX ; |hWnd
00401073 . FFD6 CALL ESI ; GetDlgItemTextA

This is the part where the crackme gets the text from the edit box(particulary our name)...so this would be a good
place to put a breakpoint(press F2).Now run the crackme F9 and enter the following data:Name:Tanatos Serial:1234567890
and press Check.It breaks...well start...
Now i will try to explain what does each section of code do:

00401075 . 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C] <--This has our name in it
00401079 . 8D50 01 LEA EDX,DWORD PTR DS:[EAX+1] <--Our name without the first letter
0040107C . 5E POP ESI
0040107D . 8D49 00 LEA ECX,DWORD PTR DS:[ECX]
00401080 > 8A08 MOV CL,BYTE PTR DS:[EAX] <-
00401082 . 40 INC EAX | This section is the section where
00401083 . 84C9 TEST CL,CL | the crackme counts the number of chars
00401085 .^75 F9 JNZ SHORT KGNME2-K.00401080 <- that our name has.
00401087 . 2BC2 SUB EAX,EDX
00401089 . 83F8 03 CMP EAX,3 <--Compares the number of chars he found with 3
0040108C . 7F 20 JG SHORT KGNME2-K.004010AE <--If our name is > than 3 chars we go on else we get a error

We are gonna jump the explaining of the case when you entered less than 3 chars.The next section is the serial calculation
section..so pay atention!(EDI,EDX=0 at starters):

004010B4 > 0FBE540C 08 MOVSX EDX,BYTE PTR SS:[ESP+ECX+8] <--Gets the char in the current position
004010B9 . 03FA ADD EDI,EDX <--Adds his hex value to EDX
004010BB . 41 INC ECX <--Rises the couter with one
004010BC . 3BC8 CMP ECX,EAX <--Compares ECX with the leght of the name(in our case 7)
004010BE .^7E F4 JLE SHORT KGNME2-K.004010B4 <--Goes back to 4010B4 if its lower or equal to 7
004010C0 > 69FF 39050000 IMUL EDI,EDI,539 <--The EDI we obtained from the algo above will be multipyed

with 539(thats the hex value)
That is the way the serial is calculated...if you just wanted to fish it...the right place is just coming up:

004010DD . 51 PUSH ECX ; /String2
004010DE . 8D5424 4C LEA EDX,DWORD PTR SS:[ESP+4C] ; |
004010E2 . 52 PUSH EDX ; |String1 = "976010" <--That is the correct serial!
004010E3 . FF15 00704000 CALL DWORD PTR DS:[<&KERNEL32.lstrcmpA>] ; lstrcmpA

If you want to keygen it take a look here this is the algo you need to put for a Visual C++ coder so you can keygen it:

#include <stdio.h>
#include <conio.h>
#include <string.h>
char name[32];
int n,i;
long int serial=0;
void main(void)
{
printf("Name:");scanf("%s",&name);
n=strlen(name);
if(n>3 && n<=32)
{
for(i=0;i<=n+1;i++)
{
serial+=name[i];
}
serial=serial*1337;
printf("Serial:%dn",serial);
}
else
{
printf("Please enter a name with more than 3 chars and less than 32");
}
}

Now a bit more explenations you may wonder what does 1337 mean? well think well above i said that the EDI obtained from
the loop in our case the variable serial...will be multiplyed with 539 well 1337 is actually the value of 539 in decimal.

Done explaining for this one hope you understood something of this tutorial and that you liked it...

GREETZ:
bLaCk-eye,Detten,Wizzard,chainie,Irokos,BuLLet,whole BiW

http://www.reversing.be/binaries/articles/20050306184835195.zip




What's Related

Story Options

Keygening KiTo's Keygenme 2 | 0 comments | Create New Account
The following comments are owned by whomever posted them. This site is not responsible for what they say.
 Copyright © 2020 BiW Reversing
 All trademarks and copyrights on this page are owned by their respective owners.
Powered By Geeklog 
Created this page in 0.78 seconds