Tools:
Sometimes coding keygen is just copy and paste with the power of assembly.
|
I won't explain how to bpx and such stuff in this tutorial; instead I will focus on how to write a keygen for this program. You bpx on hmemcpy and after some F12's you will be here..

* Reference To: KERNEL32.lstrcpyA, Ord:0302h
|
:0040D5D3 8B1D28F14100   mov ebx, dword ptr [0041F128]
* Possible StringData Ref from Data Obj ->"Gregory Braun"
|
:0040D5D9 68D42E4200     push 00422ED4                 ;Useless crap
:0040D5DE 56             push esi                      ;It checks username
:0040D5DF FFD3           call ebx                      ;for Gregory Braun and
* Possible StringData Ref from Data Obj ->"Software Design"
|
:0040D5E1 68C42E4200     push 00422EC4                 ;company Software by Design
:0040D5E6 57             push edi
:0040D5E7 FFD3           call ebx
:0040D5E9 EB07           jmp 0040D5F2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D5D1(C)
|
:0040D5EB 3D3CCE5F0D     cmp eax, 0D5FCE3C             ;you can see serial for gregory
:0040D5F0 750C           jne 0040D5FE                  ;if you type D D5FCE3c
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D5E9(U)
|
:0040D5F2 57             push edi
:0040D5F3 56             push esi
:0040D5F4 E8A77B0000     call 004151A0                 ;Keygen algo
:0040D5F9 83C408         add esp, 00000008
:0040D5FC 8BD8           mov ebx, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D5F0(C)
|
:0040D5FE 57             push edi
:0040D5FF 56             push esi
:0040D600 E89B7B0000     call 004151A0                 ;Keygen algo
:0040D605 83C408         add esp, 00000008
:0040D608 3BD8           cmp ebx, eax                  ;Check serial
:0040D60A 5F             pop edi
:0040D60B 741D           je 0040D62A                   ;Jump good guy
:0040D60D 68CFEA0000     push 0000EACF
So far so good. I F8 into the 40BB38 call. We are inside the calculation routine. Follow it and try to understand.

:004151A0 8B442404       mov eax, dword ptr [esp+04]   ;Move name to eax
:004151A4 56             push esi
:004151A5 8B3594D24200   mov esi, dword ptr [0042D294] ;esi is now DB95DB95
:004151AB 50             push eax
:004151AC 81CE78030000   or esi, 00000378              ;or esi with 378
:004151B2 E849050000     call 00415700                 ;Loop
:004151B7 8B4C2410       mov ecx, dword ptr [esp+10]   ;Move comp to ecx
:004151BB 03F0           add esi, eax
:004151BD 51             push ecx
:004151BE E83D050000     call 00415700                 ;Loop
:004151C3 83C408         add esp, 00000008
:004151C6 03C6           add eax, esi
:004151C8 5E             pop esi
:004151C9 C3             ret
Ok, one more call to look at. I step into call 00415700 and I see this:

:00415700 51             push ecx
:00415701 53             push ebx
:00415702 8B5C240C       mov ebx, dword ptr [esp+0C]
:00415706 56             push esi
:00415707 33F6           xor esi, esi
:00415709 53             push ebx
:0041570A 8974240C       mov dword ptr [esp+0C], esi
* Reference To: KERNEL32.lstrlenA, Ord:0308h
|
:0041570E FF15B4F04100   Call dword ptr [0041F0B4]
:00415714 85DB           test ebx, ebx
:00415716 744F           je 00415767
:00415718 85C0           test eax, eax
:0041571A 744B           je 00415767
:0041571C 33D2           xor edx, edx
:0041571E 85C0           test eax, eax
:00415720 7E45           jle 00415767
:00415722 55             push ebp
:00415723 57             push edi
* Possible StringData Ref from Data Obj ->"|b!pz*ls;rn|lf$vi^Axpe)rx5aic&9/2m5lsi4@0dmZw9"
                                        ->"4cmqpfhw"
|
:00415724 BEA44D4200     mov esi, 00424DA4             ;put above string in esi
:00415729 BF01000000     mov edi, 00000001
:0041572E 2BF3           sub esi, ebx
:00415730 8BCB           mov ecx, ebx
:00415732 2BFB           sub edi, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041575D(C)
|
:00415734 0FBE1C0E       movsx ebx, byte ptr [esi+ecx]
:00415738 0FBEAC106C4D4200 movsx ebp, byte ptr [eax+edx+00424D6C] ;another string
                         ;type d 00424D6C and you will see #serB&nz|mfM1/5(!sd$Mq.{s]+sFjtKpzSdtzoXqmb^Al@dv:s?x/
:00415740 0FAFDD         imul ebx, ebp                 ;multiply it
:00415743 8D2C0F         lea ebp, dword ptr [edi+ecx]  ;take another char from above string
:00415746 0FAFDD         imul ebx, ebp                 ;multiply it
:00415749 0FBE29         movsx ebp, byte ptr [ecx]
:0041574C 0FAFDD         imul ebx, ebp
:0041574F 8B6C2410       mov ebp, dword ptr [esp+10]
:00415753 03EB           add ebp, ebx
:00415755 42             inc edx
:00415756 41             inc ecx
:00415757 3BD0           cmp edx, eax                  ;have we multiplied all of them
:00415759 896C2410       mov dword ptr [esp+10], ebp
:0041575D 7CD5           jl 00415734                   ;repeat it until all characters are multiplied
:0041575F 8BC5           mov eax, ebp
:00415761 5F             pop edi
:00415762 5D             pop ebp
:00415763 5E             pop esi
:00415764 5B             pop ebx
:00415765 59             pop ecx
:00415766 C3             ret
Ok. All done. I will try to explain the keygen algorithm. My asm knowledge is very weak, so excuse my bad explanation or errors. The program takes the username, takes the company and puts some magic value into esi. There are two strings which are used for the keygen. It takes the username, for example Laptonic; then for Laptonic (8 chars) it takes the 8th char from this string and multiplies. It does this for all letters of the string. It seems complicated. Here comes the power of asm. We will write a keygen with just copy and paste. I have added my keygen template for this. It comes from RudeBoy/PC. I have added a second edit box and resized it to fit our needs. In asm we should first define our constants. I have added these lines to restest.asm:

our_string  db "|b!pz*ls;rn|lf$vi^Axpe)rx5aic&9/2m5lsi4@0dmZw94cmqpfhw",0
our_string2 db "#serB&nz|mfM1/5(!sd$Mq.{s]+sFjtKpzSdtzoXqmb^Al@dv:s?x/",0
Well, I go to the Genkey proc and paste what I see in W32Dasm. First we get the name and company via GetDlgItemTextA and store them. For the above calls I defined proc Sub1 for 40BB38 and loop1 for 00415734. Also, TASM takes numbers as decimal, so either we must add h after the numbers or change the numbers to decimal format. As you remember, our serial was in decimal format, so we must convert our serial to decimal format. In order to do this we will use _wsprintfA. If you look at the Windows API help you will see that to convert a value to decimal we use %u as the format. We define fmat db "%lu",0 ; After some work, some shits, ahs and uhs, our keygen is ready to go. Look and try to understand what is going on. Don't focus on dialogs and such stuff, just on the keygen proc. I know this tut is very long, but once you understand the basics it is very easy to make a keygen in asm. Disassemble the program. Find where the name is and what is done with the name (i.e. we will give this to GetDlgItemTextA as a parameter). Copy and paste the strings. Find out the format string (%x, %u, etc.) for wsprintf. Push the result to the edit box. I suggest you first download RudeBoy's keygen template [rude.zip - MISSING] and try. If you can't be successful you can download my keygen source and binary from here [keygen.zip - MISSING]. Hehe, finally it is done. I hope you enjoyed it. I have written it at 3 AM, therefore don't blame me :P.
Greetings:
Shade : He inspired me with his dll show tut
RudeBoy : I used his asm keygen template.
Quantico : His wonderful site and keygens helped me so much
Stone : Keymaker include functions, very useful!
and everyone who taught me a lot and gave me inspiration, and you _scottie :P
LaptoniC / PNC