dAKuRioUSCHiLD [ PC_'99 ]

Tut Part   |  Attack Angle  |  Tools Needed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Part 7     |  True KeyGen   |  SOFTICE, Borland C++, and a notepad.
I'm getting tired of writing...and I still gotta do the overview and appendix... |:( Oh well! I was taught and so I must teach! :) So now we need to back up, because so far we've entered the program AFTER it had made the correct serial, but before the compare. Now we need to enter BEFORE it makes the serial so that we can see how it makes it... To do this I go back to W32Dasm, open the Functions menu and click on "Imports". Then we scroll down till we see USER32.GetDlgItemTextA. Double-click it (make sure you started from the top)! It should look like:
* Reference To: USER32.GetDlgItemTextA, Ord:00EDh
|
:004011AD 8B35D8924000   mov esi, dword ptr [004092D8]
:004011B3 FFD6           call esi
:004011B5 8D442410       lea eax, dword ptr [esp+10]
:004011B9 6800010000     push 00000100
:004011BE 50             push eax
* Possible Reference to Dialog: DialogID_0078, CONTROL_ID:0406, ""
|
:004011BF 6806040000     push 00000406
:004011C4 57             push edi
:004011C5 FFD6           call esi
:004011C7 6830604000     push 00406030
:004011CC 6830614000     push 00406130
:004011D1 E8AA000000     call 00401280
:004011D6 8D442418       lea eax, dword ptr [esp+18]
:004011DA 83C408         add esp, 00000008
:004011DD 50             push eax
:004011DE 6830604000     push 00406030
* Reference To: KERNEL32.lstrcmpA, Ord:0269h
|
:004011E3 FF1520924000   Call dword ptr [00409220]
:004011E9 85C0           test eax, eax
:004011EB 0F8580000000   jne 00401271
Now the GetDlgItemTextA call at 004011AD-004011C5 is where you should be, but see the lstrcmpA compare at 004011E3-004011EB? That should look familiar! It's the same place we landed in SoftICE when we found the serial in part 5!! So now we KNOW we're in the right place! YEA!! Everything else here is setup...the program is preparing itself to generate...trust me (if you want to see for yourself, you can trace it and watch the registers while you go). This is what we care about:
:004011C7 6830604000     push 00406030
:004011CC 6830614000     push 00406130
:004011D1 E8AA000000     call 00401280
We know that 00406030 is the location where it stores the good code, and if we type "d 00406130" we see that this is where our name is stored. So what it's doing is telling the call to store the stuff it makes at 00406030 and that its input will come from 00406130 (the two pushes are the call's arguments). Got it? Then it does the call. Now when we press F10 and step over the call, then type "d 00406030", we see that the good code is already made...so the whole thing is made inside the call. Let's go back to W32Dasm now, cuz it's easier to navigate through. Highlight the call...notice above, there is a button that says "Call"...press it! It'll take you to the call...you could have done this in SoftICE by tracing to the call and then, when it was highlighted, pressing F8. Either way, you're in the call...now I suggest using SoftICE, cuz you need to watch what is going on.
* Referenced by a CALL at Addresses:
|:0040111F , :004011D1
|
:00401280 81EC00010000   sub esp, 00000100
:00401286 A064624000     mov al, byte ptr [00406264]
:0040128B 88442400       mov byte ptr [esp], al
:0040128F 53             push ebx
:00401290 56             push esi
:00401291 33C0           xor eax, eax
:00401293 57             push edi
:00401294 B93F000000     mov ecx, 0000003F
:00401299 8D7C240D       lea edi, dword ptr [esp+0D]
:0040129D 55             push ebp
:0040129E F3             repz
:0040129F AB             stosd
:004012A0 66AB           stosw
:004012A2 BD6A000000     mov ebp, 0000006A
:004012A7 6864624000     push 00406264
:004012AC AA             stosb
:004012AD 8BB4241C010000 mov esi, dword ptr [esp+0000011C]
:004012B4 56             push esi
* Reference To: USER32.wsprintfA, Ord:0249h
|
:004012B5 FF15D4924000   Call dword ptr [004092D4]
:004012BB 8B9C241C010000 mov ebx, dword ptr [esp+0000011C]
:004012C2 83C408         add esp, 00000008
:004012C5 8BC3           mov eax, ebx
* Reference To: USER32.CharNextA, Ord:001Eh
|
:004012C7 8B3DDC924000   mov edi, dword ptr [004092DC]
:004012CD 803B00         cmp byte ptr [ebx], 00
:004012D0 740F           je 004012E1
Again most of this is setup...the only line that really affects us is the one at 004012A2...it says move the value 6A (hex) into the register ebp! The last line, 004012D0, and the line before it check whether there are any characters to process (eax points at the start of the name). If yes, then it starts to process...there are four parts, so I'll do them one at a time:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004012DF(C)
|
:004012D2 0FBE08         movsx ecx, byte ptr [eax]
:004012D5 50             push eax
:004012D6 8D6C4D00       lea ebp, dword ptr [ebp+2*ecx]
:004012DA FFD7           call edi
:004012DC 803800         cmp byte ptr [eax], 00
:004012DF 75F1           jne 004012D2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004012D0(C)
|
:004012E1 8D442410       lea eax, dword ptr [esp+10]
:004012E5 55             push ebp
* Possible StringData Ref from Data Obj ->"%d-"
|
:004012E6 6874624000     push 00406274
:004012EB 50             push eax
The loop at 004012D2-004012DF is invaluable!! This is where the serial is calculated...Let's go over it:
movsx ecx, byte ptr [eax]        // ecx = the current character of the name (sign-extended).
lea ebp, dword ptr [ebp+2*ecx]   // ebp = ebp + 2*ecx (starting from the 6A loaded above).
cmp byte ptr [eax], 00           // "Is this the end of the name?" (call edi, i.e. CharNextA, has moved eax to the next character)
jne 004012D2                     // "If this is not the end, repeat!"
Got it? Cool...now to the block at 004012E1-004012EB:
push ebp        // Push the number computed by the loop above and save it.
push 00406274   // Format string "%d-": print the number in ebp followed by a "-".
push eax        // The destination buffer for the formatted text (eax = [esp+10]).
This wsprintfA block is repeated after every section, so I will ignore it from now on. Section two:
:00401308 0FBE08   movsx ecx, byte ptr [eax]        // ecx = current character of the name.
:0040130B 03C9     add ecx, ecx                     // ecx = ecx+ecx.
:0040130D 50       push eax
:0040130E 8D14C9   lea edx, dword ptr [ecx+8*ecx]   // edx = ecx+8*ecx.
:00401311 03EA     add ebp, edx                     // ebp = ebp+edx
:00401313 FFD7     call edi
:00401315 803800   cmp byte ptr [eax], 00           // same as first section.
:00401318 75EE     jne 00401308                     // "    "
Here's the third section, I'll let you decipher what it does:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401390(C)
|
:00401380 0FBE08         movsx ecx, byte ptr [eax]
:00401383 50             push eax
:00401384 8D2C8D1D000000 lea ebp, dword ptr [4*ecx+0000001D]
:0040138B FFD7           call edi
:0040138D 803800         cmp byte ptr [eax], 00
:00401390 75EE           jne 00401380
As for the fourth part...I'll let you find it and decipher it for yourself...this is learning, and you must apply to learn... ...ALL DONE? I hope so...btw you should have a notepad out and you should be writing down all the algorithms while going through it.

Section 1 = 1422-
Section 2 = 13266-
Section 3 = 1827-
Section 4 = 361

Put together we get: 1422-13266-1827-361 Our Code!!

Now you need to write a program that takes the same steps as startclean does. I programmed mine in Borland C++. My fully commented source code is included, it's called keygen.c, and my keygen is named keygen.exe. AH! Done with this part!! I suggest that you read the overview...it contains a lot of important info that you should know.