Just type in 123456789 as the serial and step through the code. You'll see that
the "4" is compared to 72h ('r'), the "3" to 77h ('w') and the "6" to 70h ('p').
Just change those digits in your original serial to the right letters (12wr5p789).
Any serial of the form "--wr-p..." will do the trick.
level2:
======
olly -->
00401111 PUSH 1E ; /Count = 1E (30.)
00401113 LEA EDX,DWORD PTR SS:[ESP+14] ; |
00401117 PUSH EDX ; |Buffer
00401118 PUSH 3F4 ; |ControlID = 3F4 (1012.)
0040111D STOS WORD PTR ES:[EDI] ; |
0040111F PUSH EBP ; |hWnd
00401120 XOR EDI,EDI ; |
00401122 MOV ESI,2D ; <--- note: ESI = 2D
00401127 CALL EBX ; GetDlgItemTextA
00401129 PUSH 1E ; /Count = 1E (30.)
0040112B LEA EAX,DWORD PTR SS:[ESP+EC] ; |
00401132 PUSH EAX ; |Buffer
00401133 PUSH 3F5 ; |ControlID = 3F5 (1013.)
00401138 PUSH EBP ; |hWnd
00401139 CALL EBX ; GetDlgItemTextA
0040113B LEA EAX,DWORD PTR SS:[ESP+10]
0040113F LEA EDX,DWORD PTR DS:[EAX+1]
00401142 MOV CL,BYTE PTR DS:[EAX]
00401144 INC EAX
00401145 TEST CL,CL
00401147 JNZ SHORT KGNME-6.00401142
00401149 SUB EAX,EDX ; eax = length of username
0040114B CMP EAX,3 ; username must be 4 chars or longer
0040114E JLE KGNME-6.004014B5
00401154 XOR ECX,ECX
00401156 TEST EAX,EAX
00401158 JLE SHORT KGNME-6.00401176
0040115A LEA EBX,DWORD PTR DS:[EBX] |
00401160 MOVSX EDX,BYTE PTR SS:[ESP+ECX+10] | this loop takes every letter in the username,
00401165 ADD EDX,ESI | adds esi (2d at first)
00401167 ADD EDI,EDX | adds result to edi (which is 0 at first)
00401169 ADD ESI,ESI | multiplies esi by 2
0040116B ADD EDI,86 | and adds 86 to the value in edi
00401171 INC ECX | (ecx=counter)
00401172 CMP ECX,EAX | (eax=usrname.length)
00401174 JL SHORT KGNME-6.00401160 |
00401176 IMUL EDI,EDI,FFFF2155 / when done it multiplies the result of the
0040117C PUSH EDI loop by FFFF2155 (= -DEAB) to get the hash
0040117D LEA EAX,DWORD PTR SS:[ESP+84]
00401184 PUSH KGNME-6.00407280 ; ASCII "%X"
00401189 PUSH EAX
0040118A CALL KGNME-6.0040151E
0040118F LEA EAX,DWORD PTR SS:[ESP+8C]
00401196 ADD ESP,0C
00401199 MOV EDX,EAX
0040119B JMP SHORT KGNME-6.004011A0
0040119D LEA ECX,DWORD PTR DS:[ECX]
004011A0 MOV CL,BYTE PTR DS:[EAX]
004011A2 INC EAX
004011A3 TEST CL,CL
004011A5 JNZ SHORT KGNME-6.004011A0
004011A7 LEA EDI,DWORD PTR SS:[ESP+44] ;EDI = "KiTo~"
004011AB SUB EAX,EDX
004011AD DEC EDI
004011AE MOV EDI,EDI
004011B0 MOV CL,BYTE PTR DS:[EDI+1]
004011B3 INC EDI
004011B4 TEST CL,CL
004011B6 JNZ SHORT KGNME-6.004011B0
004011B8 MOV ECX,EAX
004011BA SHR ECX,2
004011BD MOV ESI,EDX
004011BF REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
004011C1 MOV ECX,EAX
004011C3 AND ECX,3
004011C6 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
004011C8 LEA EDI,DWORD PTR SS:[ESP+44]
004011CC DEC EDI
004011CD LEA ECX,DWORD PTR DS:[ECX]
004011D0 MOV AL,BYTE PTR DS:[EDI+1]
004011D3 INC EDI
004011D4 TEST AL,AL
004011D6 JNZ SHORT KGNME-6.004011D0
004011D8 MOV ECX,DWORD PTR DS:[407274]
004011DE MOV EDX,DWORD PTR DS:[407278]
004011E4 MOV AL,BYTE PTR DS:[40727C]
004011E9 MOV DWORD PTR DS:[EDI],ECX ;DS:[EDI] = "~Is"
004011EB MOV DWORD PTR DS:[EDI+4],EDX ;DS:[EDI+4] = "~Leet"
004011EE MOV BYTE PTR DS:[EDI+8],AL
004011F1 LEA ESI,DWORD PTR SS:[ESP+E8]
004011F8 LEA EAX,DWORD PTR SS:[ESP+44] ;EAX=serial ("KiTo~ourhash~Is~Leet") <--Here's the serial....
004011FC LEA ESP,DWORD PTR SS:[ESP]
00401200 MOV DL,BYTE PTR DS:[EAX]
00401202 MOV BL,BYTE PTR DS:[ESI]
00401204 MOV CL,DL
00401206 CMP DL,BL
00401208 JNZ SHORT KGNME-6.00401228
0040120A TEST CL,CL
0040120C JE SHORT KGNME-6.00401224
0040120E MOV DL,BYTE PTR DS:[EAX+1]
00401211 MOV BL,BYTE PTR DS:[ESI+1]
00401214 MOV CL,DL
00401216 CMP DL,BL
00401218 JNZ SHORT KGNME-6.00401228
0040121A ADD EAX,2
0040121D ADD ESI,2
00401220 TEST CL,CL
00401222 JNZ SHORT KGNME-6.00401200
00401224 XOR EAX,EAX
00401226 JMP SHORT KGNME-6.0040122D
00401228 SBB EAX,EAX
0040122A SBB EAX,-1
0040122D TEST EAX,EAX
0040122F JNZ Badboy
00401235 --GoodBoy--
So the serial is KiTo~thehash~Is~Leet
For example, username abcd --> hash FA9131EB --> serial KiTo~FA9131EB~Is~Leet
The keygen is simple to write: just implement a function that calculates the hash like the one above...
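As an added example (not the tutorial's own code), here is the level2 hash loop from the listing above ported to Python, together with the "KiTo~<hash>~Is~Leet" string the crackme builds and compares against; register-wrap masking and the sign-extension branch are my additions to mirror 32-bit MOVSX/IMUL behaviour. Note that for "abcd" this transcription yields FA8BF9E9 rather than the FA9131EB quoted above, so check the value against the binary in Olly before trusting either number.

```python
# Added example (not the tutorial's code): Python transcription of the
# level2 hash loop at 00401160-0040117C and the serial format assembled
# at 004011A7-004011EE in the listing above.

MASK32 = 0xFFFFFFFF          # emulate 32-bit register wrap-around
MULTIPLIER = 0xFFFF2155      # IMUL EDI,EDI,FFFF2155  (== -0xDEAB mod 2^32)
MIN_NAME_LEN = 4             # CMP EAX,3 / JLE badboy


def level2_hash(username: str) -> int:
    """Return the 32-bit value left in EDI after the loop and the IMUL."""
    if len(username) < MIN_NAME_LEN:
        raise ValueError("username must be 4 chars or longer")
    esi = 0x2D      # MOV ESI,2D
    edi = 0         # XOR EDI,EDI
    for ch in username.encode("latin-1"):
        if ch >= 0x80:                      # MOVSX sign-extends the byte
            ch -= 0x100
        edi = (edi + ch + esi) & MASK32     # ADD EDX,ESI ; ADD EDI,EDX
        esi = (esi + esi) & MASK32          # ADD ESI,ESI
        edi = (edi + 0x86) & MASK32         # ADD EDI,86
    return (edi * MULTIPLIER) & MASK32      # IMUL EDI,EDI,FFFF2155


def level2_serial(username: str) -> str:
    """Build the string the crackme compares the typed serial against."""
    # sprintf(buf, "%X", edi) -> uppercase hex, no leading zeros
    return f"KiTo~{level2_hash(username):X}~Is~Leet"


if __name__ == "__main__":
    for name in ("abcd", "KiTo", "reverser"):
        print(name, "->", level2_serial(name))
```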
level3:
======
Same thing here; after playing around a bit in Olly -->
serial: KiTo-hash1-SWEDEN-hash2
Just find the hash-calculation function and port it to your favorite language
-> keygen in no time.
(The minimum length for the name is 4 here as well.)
(The minimum for the company is 3, or the serial gets messed up.)
Tutorial for KiTo's KeyGenMe 6
Authored by:
TDC on
Sunday, October 23 2005 @ 09:35 PM CEST
Hey dude, funny tut. The keygen is working almost 100%.
You can't help it, KiTo made a bug at the end of HASH 2 in level 3...
For instance, enter "sdfsdf" as name and "affd" as company name: your serial generation will be the same each time,
but KiTo's crackme's serial is different each time...
It happens because (I think) the memory part is shared by Windows and the crackme, and the algorithm loops NAME times and keeps on trying to get [eax+COMPANY] while eax = the counter...
Bit weird, but I had to say this :-)
Greetz, TDC