Monday, May 09 2005 @ 07:15 PM CEST Contributed by: warezhog Views: 7579
Level : newbie
Serial fishing for kito's keygenme2 using Ollydbg. (Breaking on API call)
Well, this is about the fastest way you can get a serial for the name you input (well, short of using a keygen). That being said, I am only writing the tutorial on getting the key for your name, not on writing a keygen, as I have never done that... yet.
I used two programs: PEiD and OllyDbg.
Download the KGNME2-KiTo.rar from this site, coded by Kito here
Unzip it onto your desktop (in a folder) and make a backup in a new folder. Open PEiD and drag the exe onto it to see what kind of protection we are dealing with... Looks like there is none, and it is coded in VC++, so that is good.
Go ahead and right click on the file and open it in OllyDbg (if you don't have this option, open OllyDbg and go to Options -> Add to Explorer). Once in OllyDbg hit F9 to run the exe; it asks for a name and a serial. Enter anything into those text boxes and then hit Check... a "Bad Boy!" message comes up. Hmmm... what do we do now? Go ahead and close the exe (not OllyDbg, though) and then hit CTRL+F2 (this reloads the exe).
Now go down to the Executable modules window (the one with the blue E in the upper left corner); if you don't see it, click the "E" in the toolbar to open it. Find the exe in that list (there should be about five entries for this exe: KGNME2-K, USER32, GDI32, kernel32 and ntdll). You are looking for KGNME2-K. Right click on that name and select View names (or hit Ctrl+N). The Names window pops up, and this time there are quite a few names (not always this many, but oh well). I know from experience that lstrcmpA will almost always show me both the bad key I typed in and the real one the program generates from the name I entered. I go through the list and find it about 42 lines down... good. Right click on it and select Toggle Breakpoint on Import.
Now hit F9 to run the program... it opens up behind OllyDbg, so Alt+Tab to bring it to the front. Enter the username of your choice; I will use warezhog. Now enter a fake serial; I will use 123456.
Now hit the Check button and see where the program breaks: COOL!!! If you look in the CPU main thread window (the one with the blue C in the upper left corner), down in the lower right pane of that window you will see:
0012F974 004010E9 /CALL to lstrcmpA from KGNME2-K.004010E3
0012F978 0012F9C8 |String1 = "1164527"
0012F97C 0012F9A8 String2 = "123456"
Hmmm... as I told you before, I was going to use 123456 as my fake serial, so what is the other one sitting there? I would be willing to bet it is the serial the program generated from the name I put in. Go ahead and copy down what it says in the String1 slot (1164527 in my case).
Now hit CTRL+F2 to reload the exe (it should pop up saying that a process is still active; that's fine, just click Yes). Let's try to run it without breakpoints to see how it behaves. Hit F9 to run it, enter the same username as last time (warezhog for me) and the serial you found (1164527 in my case), and hit Check... HELL YEAH!!! That is cool, it worked!
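Why the valid serial turns up as String1 on the stack, as an added illustration that is not Kito's code: the keygenme's checker is also a generator. weak_check below rebuilds the expected serial and string-compares it with the input (strcmp stands in for lstrcmpA so it compiles anywhere), while hardened_check only holds the public half of a toy RSA pair, so it can verify a serial it can never compute. The name hash, the serial scheme and the RSA numbers are all constructed for this demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed name hash (djb2-style); not the keygenme's real algorithm. */
static uint32_t name_hash(const char *name) {
    uint32_t h = 5381;
    for (; *name; name++) h = h * 33 + (unsigned char)*name;
    return h;
}

/* WEAK: the checker is also the keygen. It rebuilds the expected serial and
 * hands both strings to a plain compare, so a breakpoint on that compare
 * (lstrcmpA in the keygenme, strcmp here) shows the valid serial as String1. */
void weak_generate(const char *name, char *out, size_t outlen) {
    snprintf(out, outlen, "%u", name_hash(name) % 10000000u);
}
int weak_check(const char *name, const char *serial) {
    char expected[16];
    weak_generate(name, expected, sizeof expected);
    return strcmp(expected, serial) == 0;   /* String1 = expected, String2 = input */
}

/* HARDENED SHAPE: the product ships only (TOY_E, TOY_N) of a toy RSA pair; it
 * can verify a serial but never computes the valid one, so there is no good
 * serial in memory to read at the compare. Toy sizes; real code uses a real signature. */
#define TOY_N 3233u   /* 61 * 53, constructed */
#define TOY_E 17u
#define TOY_D 2753u   /* private exponent: vendor/keygen side only, never shipped */

static uint32_t modpow(uint32_t b, uint32_t e, uint32_t m) {
    uint64_t r = 1, x = b % m;
    for (; e; e >>= 1, x = x * x % m) if (e & 1) r = r * x % m;
    return (uint32_t)r;
}
uint32_t vendor_sign(const char *name) {          /* keygen side, not in the product */
    return modpow(name_hash(name) % TOY_N, TOY_D, TOY_N);
}
int hardened_check(const char *name, const char *serial) {
    unsigned long s = strtoul(serial, NULL, 10);
    if (s >= TOY_N) return 0;                     /* not a valid residue, reject */
    return modpow((uint32_t)s, TOY_E, TOY_N) == name_hash(name) % TOY_N;
}

/* Round trips: a vendor-issued serial must pass its own checker. */
int weak_roundtrip(const char *name) {
    char s[16]; weak_generate(name, s, sizeof s); return weak_check(name, s);
}
int hardened_roundtrip(const char *name) {
    char s[16]; snprintf(s, sizeof s, "%u", vendor_sign(name)); return hardened_check(name, s);
}
```

Breaking on the compare in hardened_check only ever shows two residues derived from the input and the name; the issuing exponent is not in the binary at all.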
Well, I have never written a keygen so I am going to look into that now.
I hope you have learned something from this. Not sure about you, but I really just enjoy cracking keygenmes and crackmes; I am not interested in the non-legal side of it. So, have fun and learn, learn, learn.