BiW Reversing : The challenge is yours
Tuesday, September 28 2021 @ 03:53 AM CEST

Creating an internal keygenerator


Tutorials : Level : beginner

An alternative to writing a keygenerator is making an inline (internal) keygenerator. If the target can be serial-fished, i.e. the correct serial can be read out of memory at the point where it is compared with yours, it can be inline-keygenned. This tutorial shows it on a simple crackme.


In this tutorial we will crack Rith's crackme and make an internal keygenerator for it.
What is an internal keygenerator? Well, I call it a 'keygen for lazy reversers'. The idea is to patch the target program in such a way that it still calculates the correct serial as it normally does, but then displays it to you instead of comparing it with what you typed.

Target & solution: attachment

Tools needed : disassembler & hex editor

Why make an internal keygen ?

Well, there are (at least) 2 good reasons :

- You don't have to reverse the algorithm completely; it is enough to find where the real serial is compared with yours
- You won't make any mistakes re-implementing the algorithm, because the target's own code does the work ; )

Reversing the code

004015BC E8E3020000    Call 004018A4
004015C1 8B7E60        mov edi, dword ptr [esi+60]    ;Name
004015C4 8B5FF8        mov ebx, dword ptr [edi-08]    ;Name length
004015C7 83FB05        cmp ebx, 00000005              ;Name length < 5 ?
004015CA 7C7E          jl 0040164A                    ;if so, jump to badguy
004015CC 8B4664        mov eax, dword ptr [esi+64]    ;Serial
004015CF 89442414      mov dword ptr [esp+14], eax    ;save Serial pointer
004015D3 3958F8        cmp dword ptr [eax-08], ebx    ;Name length = Serial length ?
(*):004015D6 7572      jne 0040164A                   ;if not, jump to badguy
004015D8 83FB14        cmp ebx, 00000014              ;Name length > 14h (20 decimal) ?
004015DB 7F6D          jg 0040164A                    ;if so, jump to badguy
004015DD 33C9          xor ecx, ecx                   ;counter = 0
004015DF 85DB          test ebx, ebx
004015E1 7E54          jle 00401637
004015E3 8B742410      mov esi, dword ptr [esp+10]    ;Pi (20 digits)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:00401631(C)

004015E7 8A040F        mov al, byte ptr [edi+ecx]     ;(ecx)th byte of Name
004015EA 0FBE2C31      movsx ebp, byte ptr [ecx+esi]  ;(ecx)th digit of Pi
004015EE 0FBEC0        movsx eax, al
004015F1 99            cdq
004015F2 F7FD          idiv ebp                       ;Divide name-byte by Pi-byte
004015F4 8BC2          mov eax, edx                   ;Move remainder to eax
004015F6 D1E0          shl eax, 1                     ;remainder * 2

; The code that follows is just some checks and adjustments to keep the
; serial byte within a certain ASCII range (so you can type it into the proggy).

004015F8 83F87B        cmp eax, 0000007B              ;> 7Bh ('{') ?
004015FB 7E03          jle 00401600
004015FD 83E81A        sub eax, 0000001A              ;if so, subtract 1Ah

* Referenced by a (U)nconditional or (C)onditional Jump at Address:004015FB(C)

00401600 83F841        cmp eax, 00000041              ;< 41h ('A') ?
00401603 7D09          jge 0040160E
00401605 BA82000000    mov edx, 00000082
0040160A 2BD0          sub edx, eax                   ;if so, eax = 82h - eax
0040160C 8BC2          mov eax, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:00401603(C)

0040160E 83F85B        cmp eax, 0000005B              ;between 5Ch and 60h
00401611 7E12          jle 00401625                   ;(the chars between 'Z' and 'a') ?
00401613 83F861        cmp eax, 00000061
00401616 7D0D          jge 00401625
00401618 99            cdq
00401619 BD0A000000    mov ebp, 0000000A
0040161E F7FD          idiv ebp                       ;if so, eax = (eax mod 10) + 30h,
00401620 83C230        add edx, 00000030              ;i.e. a decimal digit
00401623 8BC2          mov eax, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:00401611(C), :00401616(C)

00401625 8B542414      mov edx, dword ptr [esp+14]    ;Serial
(**):00401629 38040A   cmp byte ptr [edx+ecx], al     ;Serial byte = Our Serial byte ?
(**):0040162C 751C     jne 0040164A                   ;if not, jump to badguy
0040162E 41            inc ecx                        ;point to next byte/digit
0040162F 3BCB          cmp ecx, ebx                   ;all bytes done ?
00401631 7CB4          jl 004015E7                    ;if not, jump for next byte

(***):00401633 8B742418 mov esi, dword ptr [esp+18]
00401637 6A00          push 00000000

* Possible StringData Ref from Data Obj ->"Congratulations!"

00401639 6834304000    push 00403034
(****):0040163E 6820304000 push 00403020
00401643 8BCE          mov ecx, esi
00401645 E854020000    Call 0040189E                  ;Call MessageBoxA
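The same routine as a conventional (external) keygen in Python, added here so the internal keygen's output can be checked against it; this is an added example and is not part of Rith's crackme or the original tutorial. It assumes that the 20-digit table at [esp+10] holds the first 20 decimal digits of pi as ASCII characters ("31415926535897932384"); only the first six of those are confirmed by the Name/Serial pair at the end of the tutorial. The function names keygen, check, serial_byte and idiv_remainder are chosen for this example.

```python
# Added example: external keygen for Rith's crackme, written from the
# listing 004015BC..00401631.  Not the tutorial's or the crackme's own code.

# Assumed contents of the 20-digit table the loop indexes with ECX.
PI_DIGITS = b"31415926535897932384"


def idiv_remainder(dividend: int, divisor: int) -> int:
    """Remainder exactly as CDQ/IDIV leaves it in EDX: truncated toward
    zero, so its sign follows the dividend (Python's % follows the divisor)."""
    if divisor == 0:
        raise ZeroDivisionError("IDIV by zero raises #DE")
    rem = abs(dividend) % abs(divisor)
    return -rem if dividend < 0 else rem


def serial_byte(name_byte: int, pi_byte: int) -> int:
    """One pass of the loop body 004015E7..00401623 for one character."""
    # movsx eax, al : the name character is sign-extended, so bytes >= 80h
    # are negative and the remainder below is negative too.
    eax = name_byte - 0x100 if name_byte >= 0x80 else name_byte
    # cdq / idiv ebp / mov eax, edx / shl eax, 1
    eax = idiv_remainder(eax, pi_byte) * 2
    # cmp eax, 7Bh / jle / sub eax, 1Ah
    if eax > 0x7B:
        eax -= 0x1A
    # cmp eax, 41h / jge / mov edx, 82h / sub edx, eax / mov eax, edx
    if eax < 0x41:
        eax = 0x82 - eax
    # cmp eax, 5Bh / jle ; cmp eax, 61h / jge ; idiv 10 ; add edx, 30h
    if 0x5B < eax < 0x61:
        eax = idiv_remainder(eax, 10) + 0x30
    # cmp byte ptr [edx+ecx], al : only AL takes part in the comparison
    return eax & 0xFF


def keygen(name: str) -> str:
    """Serial the crackme expects for NAME (5..20 characters)."""
    data = name.encode("latin-1")
    # cmp ebx, 5 / jl badguy  and  cmp ebx, 14h / jg badguy
    if not 5 <= len(data) <= 0x14:
        raise ValueError("name must be 5 to 20 characters long")
    return bytes(serial_byte(c, p) for c, p in zip(data, PI_DIGITS)).decode("latin-1")


def check(name: str, serial: str) -> bool:
    """The crackme's own verdict: goodboy only when the lengths match and
    every calculated byte equals the byte we typed (the jne at 0040162C)."""
    try:
        return len(serial) == len(name) and keygen(name) == serial
    except ValueError:          # name length rejected before the loop
        return False


if __name__ == "__main__":
    for who in ("Detten", "Rith", "reversing"):
        try:
            print(f"Name : {who}\nSerial : {keygen(who)}\n")
        except ValueError as err:
            print(f"Name : {who}\n{err}\n")
```

Because the divisor is always an ASCII digit (33h..39h) the remainder is at most 56 and the doubled value at most 112, so for plain ASCII names the `sub eax, 1Ah` branch never fires; it is kept so the function stays a faithful transcription of the listing.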

Patching the code

To change this crackme into a keygen, we need to patch the following three places (marked (**), (***) and (****) in the listing):

(**)   38 04 0A 75 1C  ->  88 04 11 90 90   mov byte ptr [edx+ecx], al ; nop ; nop
(***)  8B 74 24 18     ->  C6 04 0A 00      mov byte ptr [edx+ecx], 00h
(****) 68 20 30 40 00  ->  52 90 90 90 90   push edx ; nop ; nop ; nop ; nop

(**)   Instead of comparing each calculated serial byte with ours, store it at EDX+counter, i.e. over the serial we typed in. The jne to badguy becomes two nops, so the loop no longer bails out on a mismatch.
(***)  After the loop, ECX equals the name length and EDX still points at the serial, so this writes a NULL string terminator right after the last serial byte.
(****) Push EDX (the serial) instead of the original text string, so the MessageBox displays the serial. The original push is 5 bytes and push edx is 1, hence the four nops.

Note that (***) overwrites the instruction that reloaded ESI from the stack, and ESI is copied into ECX just before the call. On this crackme the message box comes up anyway, but always check whether the instruction you sacrifice for a patch is still needed afterwards.

When we change (**), (***) and (****) we have a very basic, but working internal keygen.
Now enter your name and a serial of the same length, hit the Register button ... tada ... there is your valid serial!

Have you noticed that we only had to change 14 bytes (5 + 4 + 5) to turn the proggy into an internal keygen? As I said, this is great for lazy reversers :)

To complete this keygen, let's change the program so that we don't have to enter any serial at all. The only thing that insisted on a serial was the length comparison at (*), so nop the jump there and we're done!
HEX : 75 72 -> 90 90

Keep in mind what that check was also doing for our patch: the loop at (**) now writes Name-length bytes plus a terminator into whatever buffer the serial field hands it, and comparing the two lengths was what guaranteed that buffer was big enough. On this crackme it works; on another target, check where those writes land.
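The same four patches applied with a script instead of a hex editor, as an added example that is not part of the original tutorial. The tutorial gives virtual addresses only, not file offsets, so the script locates each patch by its original bytes plus a few bytes of surrounding context taken from the listing and refuses to write unless that context occurs exactly once. ORIGINAL_ROUTINE is a constructed stand-in assembled from the opcode bytes in the listing (004015BC to 0040164A); the real crackme file is not reproduced here. The names apply_patches, patch_file and find_all are chosen for this example.

```python
# Added example: apply the tutorial's patches by byte pattern.  Not the
# tutorial's own code; ORIGINAL_ROUTINE is constructed from the listing.
import sys

# Opcode bytes of 004015BC..00401645 exactly as shown in the listing.
ORIGINAL_ROUTINE = bytes.fromhex(
    "E8E3020000 8B7E60 8B5FF8 83FB05 7C7E 8B4664 89442414 3958F8 7572 "
    "83FB14 7F6D 33C9 85DB 7E54 8B742410 8A040F 0FBE2C31 0FBEC0 99 F7FD "
    "8BC2 D1E0 83F87B 7E03 83E81A 83F841 7D09 BA82000000 2BD0 8BC2 "
    "83F85B 7E12 83F861 7D0D 99 BD0A000000 F7FD 83C230 8BC2 8B542414 "
    "38040A 751C 41 3BCB 7CB4 8B742418 6A00 6834304000 6820304000 8BCE "
    "E854020000"
)

# (label, context bytes from the original, offset of the patch inside that
#  context, replacement bytes).  Each replacement is exactly as long as the
#  bytes it overwrites, so nothing shifts.  The tutorial encodes
#  mov byte ptr [edx+ecx], al as 88 04 11; 88 04 0A is the same instruction.
PATCHES = [
    ("(*)    jne 0040164A          -> nop; nop",
     "3958F8 7572 83FB14", 3, "9090"),
    ("(**)   cmp [edx+ecx],al; jne -> mov [edx+ecx],al; nop; nop",
     "8B542414 38040A751C 41 3BCB", 4, "8804119090"),
    ("(***)  mov esi,[esp+18]      -> mov byte ptr [edx+ecx],0",
     "7CB4 8B742418 6A00", 2, "C6040A00"),
    ("(****) push 00403020         -> push edx; nop x4",
     "6834304000 6820304000 8BCE", 5, "5290909090"),
]


def find_all(haystack: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in haystack (overlaps included)."""
    hits, pos = [], haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + 1)
    return hits


def apply_patches(image: bytes, patches=PATCHES) -> tuple:
    """Return (patched image, [(label, file offset, length), ...]).

    A patch is applied only when its context matches exactly once, and the
    bytes about to be overwritten are re-checked against the context first,
    so running the script twice or on the wrong file fails instead of
    corrupting it."""
    buf = bytearray(image)
    applied = []
    for label, ctx_hex, offset, new_hex in patches:
        ctx, new = bytes.fromhex(ctx_hex), bytes.fromhex(new_hex)
        hits = find_all(bytes(buf), ctx)
        if len(hits) != 1:
            raise ValueError(f"{label}: context found {len(hits)} times, need exactly 1")
        pos = hits[0] + offset
        if buf[pos:pos + len(new)] != ctx[offset:offset + len(new)]:
            raise ValueError(f"{label}: bytes at offset {pos:#x} already changed")
        buf[pos:pos + len(new)] = new
        applied.append((label, pos, len(new)))
    return bytes(buf), applied


def patch_file(src: str, dst: str, patches=PATCHES) -> list:
    """Patch the file src into dst, leaving the original untouched."""
    with open(src, "rb") as f:
        image = f.read()
    patched, applied = apply_patches(image, patches)
    with open(dst, "wb") as f:
        f.write(patched)
    return applied


if __name__ == "__main__":
    if len(sys.argv) == 3:
        report = patch_file(sys.argv[1], sys.argv[2])
    else:  # no file given: demonstrate on the constructed routine
        report = apply_patches(ORIGINAL_ROUTINE)[1]
    for label, pos, n in report:
        print(f"{label}: {n} bytes at file offset {pos:#06x}")
```

Run it as `python patch.py crackme.exe crackme_keygen.exe`; passing `PATCHES[1:]` to apply_patches gives the 14-byte version from the previous section that still wants a serial of the right length typed in.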

Name : Detten
Serial : 6|j46j


Detten (at) reversing (dot) be

 Copyright © 2021 BiW Reversing