Magic File Renamer Keygenning tips and solutions

RalDnoR
November 7th, 2000, 17:04
Please post all your experiences on keygenning MFR here...

Thanks!

ThRaX
November 10th, 2000, 21:02
Whoops, double post...just edited it out, sorry 'bout that.

ThRaX
November 10th, 2000, 21:03
Kay, as I said in the patching thread, we are getting into keygen territory so we should move over here...
Kay, so as I left off, stanks, you left out a few key lines in that code that takes place after the loop, and here it is, attached to this post (the actual code was too long with my comments so I had to attach it...)

Basically what you left out was that after the loop, the "serial" in ESI was really not the correct serial. Before the "real" serial is totally calculated, the resulting value that is in ESI after the loop is copied over to EAX. It is then shifted to the left 4 bits, then copied back to ESI. THEN we have our real serial...I think the file I attached is worth viewing for newbies who are having trouble comprehending the calculation routine.

If I am mistaken in any way, please feel free to correct me.
Thanks,

stanks
November 11th, 2000, 04:13
Hi!

Thank you. I forgot that part. Sorry!!


Greetz

Lord Rhesus
November 11th, 2000, 07:10
I have had a go at the program and have come up with a key generator for it written in Masm. Included with the keygen I have a hastily written tutorial describing the method I used. I hope this is of use to somebody. Please note that it is probably easier to follow the code than my actual tutorial.

Also as a suggestion, I was thinking that all of the solutions to each mini-project could be compiled together and made available for download and quick reference. This way new reversers will be able to look at all the different solutions and perhaps learn which methods produce the most effective results.

One more suggestion. Perhaps the next project could be about something different, such as removing ad banners from internet programs like GoZilla.

If you think this is spoiling the challenge then send me an e-mail. (To get attachment see a few posts down)

goatass
November 11th, 2000, 10:05
Hi everybody, I also wrote a keygen in masm but I really liked Timmy's keygen that he posted in the Tips and Solutions thread. It's written in Delphi (just like our target) and it shows you almost exactly what the target is doing so you can get a much better feel for how this algorithm works. The keygen in assembly is easy to do because all you have to do is rip out that one CALL that does all the modifications to our name and convert the return value in EAX to decimal and print it on the screen.

Great job Timmy.

p.s as for what Lord Rhesus said about compiling all these projects together, I think it's a good idea. I'll start doing that when I have some free time.

Lord Rhesus, if you could please send me your tutorial for this project it would be great so I don't have to write this one too.

goatass

ThRaX
November 11th, 2000, 11:51
Hey all, one question about writing an ASM keygen:

In the actual calculation loop of the program, there are multiple references to the byte located at ESP+4, and the byte located at ESP+5...I was just wondering whether, in the keygen that you are writing, when you rip out the code you can stick to these two values, or whether you have to create your own variables/store your own values in registers in order to use them? Basically what I'm asking is: do the lines of code that reference 'ESP+4' and 'ESP+5' need to be tweaked? If so, how?

Thanks

One more thing, I hear that "Unless you know what you are doing, you shouldn't mess with the ESP register"...is this an exception to that "rule"??
thanks again

goatass
November 11th, 2000, 21:10
Well, no, you don't need to tweak those values. Here is what my main loop looks like. I didn't calculate a character at a time, I read everything at one time and looped through the characters (I'm lazy).

invoke GetDlgItemText,hWnd,IDC_NAME,ADDR szName, 03ch
lea edi, offset [szName]
or ecx, 0FFFFFFFFh
xor eax, eax
repne scasb
not ecx
dec ecx
mov szLength, ecx

@DOAGAIN:
mov dl, byte ptr [szName-4]
mov cl, byte ptr [szLength]
cmp dl, cl
jg @ALLDONE
mov edx, offset aLcjfvibb22vg45
mov eax, offset szName
call sub_491A98 ; this is where the ripped code is
inc byte ptr [szName-4]
jmp @DOAGAIN

@ALLDONE:
invoke dwtoa, eax, ADDR szKey
invoke SetDlgItemText,hWnd,IDC_KEY,ADDR szKey

What you were referring to is this: when you rip code from a program you need to make sure you include the local variables declared by that function. It looks like this:

sub_491A98 proc near ; CODE XREF: sub_4A8378+62p

var_8 = dword ptr -8
var_4 = byte ptr -4
var_3 = byte ptr -3

The code that you mentioned, ESP+4 and ESP+5, therefore will look like this:

loc_491AF7: ; CODE XREF: sub_491A98+5Bj
inc [esp+8+var_4] ; ESP+4
dec [esp+8+var_3] ; ESP+5

I use IDA when ripping code out, it's the best since it shows you everything you ever wanted.

When using the ESP it's not dangerous, you just have to make sure to save it (PUSH ESP) before you use it and, when you are all done, restore it (POP ESP).

goatass

ThRaX
November 11th, 2000, 23:26
Ahh, I see...Thanks for clearing that up, goatass.

Lord Rhesus
November 12th, 2000, 09:37
Quote:
goatass (11-10-2000 23:05):

Lord Rhesus, if you could please send me your tutorial for this project it would be great so I don't have to write this one too.

goatass


Hey goatass! I can attach files now? So here is my tutorial and keygen. Note that you have to right click on the link and select save to disk, otherwise you get a window displaying garbage!

ThRaX
November 13th, 2000, 17:27
Hey all, I just finished up the keygen in Win32ASM...the code is basically identical to Lord Rhesus's, so I don't really think I need to post it up here.

Anyway, this was a really nifty project...It taught a lot about other languages (namely, Delphi), and how to defeat *many* Delphi protections. As I said in the patching post, I read the author's website and he seems like a cool guy, the type who would appreciate something like this...I think we should contact him and point him to this forum...And maybe in the future he could make a better protection, possibly with help from the reverser community.

laterz

Timmy
November 13th, 2000, 19:23
Just as a note, I know high level languages are overbloated, but writing a keygen in Delphi or whatever gives me a complete understanding of what is going on and is a hell of a lot easier to look at later on when you are looking back at your past projects for tips. Actually I should have added plenty of comments to my source code to clarify things, but I was slightly drunk at the time of posting.

ThRaX
November 14th, 2000, 17:01
Hey all, one question....
This project showed how useful DeDe, the Delphi decompiler (er...sorta decompiler), is. Anyway, is there a convenient way to know if a program is written in Delphi? (Any clear-cut giveaways, or even subtle hints)...It would be tedious to simply attempt to decompile every single app you stumble across, just to find out if it was in Delphi.

Thanks

hz
November 14th, 2000, 17:46
Hi,
Gettype works for me; see protools or h*tp://surf.to/phax
regards
hz