
Thread: Magic File Renamer Keygenning tips and solutions

  1. #1
    RalDnoR
    Guest

    Magic File Renamer Keygenning tips and solutions

    Please post all you experiences on keygenning MFR here...

    Thanks!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    ThRaX
    Guest
    Whoops, double post...just edited it out, sorry 'bout that.

  3. #3
    ThRaX
    Guest
    OK, as I said in the patching thread, we are getting into keygen territory so we should move over here...
    OK, so as I left off, stanks, you left out a few key lines in that code that take place after the loop: and here it is, attached to this post (the actual code was too long with my comments so I had to attach it...)

    Basically what you left out was that after the loop, the "serial" in ESI was really not the correct serial. Before the "real" serial is totally calculated, the resulting value that is in ESI after the loop is copied over to EAX. It is then shifted to the left 4 bits, then copied back to ESI. THEN we have our real serial...I think the file I attached is worth viewing for newbies who are having trouble comprehending the calculation routine.

    If I am mistaken in any way, please feel free to correct me.
    Thanks,

  4. #4
    stanks
    Guest
    Hi!

    Thank you. I forgot that part. Sorry!!


    Greetz

  5. #5
    Lord Rhesus
    Guest
    I have had a go at the program and have come up with a key generator for it written in MASM. Included with the keygen I have a hastily written tutorial describing the method I used. I hope this is of use to somebody. Please note that it is probably easier to follow the code than my actual tutorial.

    Also as a suggestion, I was thinking that all of the solutions to each mini-project could be compiled together and made available for download and quick reference. This way new reversers will be able to look at all the different solutions and perhaps learn which methods produce the most effective results.

    One more suggestion. Perhaps the next project could be about something different, such as removing ad banners from internet programs like GoZilla.

    If you think this is spoiling the challenge then send me an e-mail. (To get attachment see a few posts down)

  6. #6
    goatass
    Guest
    Hi everybody, I also wrote a keygen in MASM but I really liked Timmy's keygen that he posted in the Tips and Solutions thread. It's written in Delphi (just like our target) and it shows you almost exactly what the target is doing, so you can get a much better feel for how this algorithm works. The keygen in assembly is easy to do because all you have to do is rip out that one CALL that does all the modifications to our name and convert the return value in EAX to decimal and print it on the screen.

    Great job Timmy.

    p.s as for what Lord Rhesus said about compiling all these projects together, I think it's a good idea. I'll start doing that when I have some free time.

    Lord Rhesus if you could please send me your tutorial for this project it would be great so I don't have to write this one too

    goatass

  7. #7
    ThRaX
    Guest
    Hey all, one question about writing an ASM keygen:

    In the actual calculation loop of the program, there are multiple references to the byte located at ESP+4, and the byte located at ESP+5...I was just wondering: in the keygen that you are writing, when you rip out the code, can you stick to these two values, or do you have to create your own variables/store your own values in registers in order to use them? Basically what I'm asking is, do the lines of code that reference 'ESP+4' and 'ESP+5' need to be tweaked? If so, how?

    Thanks

    One more thing, I hear that "Unless you know what you are doing, you shouldn't mess with the ESP register"...is this an exception to that "rule"??
    thanks again

  8. #8
    goatass
    Guest
    Well, no, you don't need to tweak those values. Here is how my main loop looks; I didn't calculate a character at a time, I read everything at one time and looped through the characters (I'm lazy).

    invoke GetDlgItemText,hWnd,IDC_NAME,ADDR szName, 03ch
    lea edi, offset [szName]
    or ecx, 0FFFFFFFFh
    xor eax, eax
    repne scasb
    not ecx
    dec ecx
    mov szLength, ecx

    @DOAGAIN:
    mov dl, byte ptr [szName-4]
    mov cl, byte ptr [szLength]
    cmp dl, cl
    jg @ALLDONE
    mov edx, offset aLcjfvibb22vg45
    mov eax, offset szName
    call sub_491A98 ; this is where the ripped code is
    inc byte ptr [szName-4]
    jmp @DOAGAIN

    @ALLDONE:
    invoke dwtoa, eax, ADDR szKey
    invoke SetDlgItemText,hWnd,IDC_KEY,ADDR szKey

    What you were referring to is this: when you rip code from a program you need to make sure you include the local variables declared by that function. It looks like this:

    sub_491A98 proc near ; CODE XREF: sub_4A8378+62p

    var_8 = dword ptr -8
    var_4 = byte ptr -4
    var_3 = byte ptr -3

    The code that you mentioned, ESP+4 and ESP+5, therefore will look like this:

    loc_491AF7: ; CODE XREF: sub_491A98+5Bj
    inc [esp+8+var_4] ; ESP+4
    dec [esp+8+var_3] ; ESP+5

    I use IDA when ripping code out; it's the best since it shows you everything you ever wanted.

    When using ESP it's not dangerous; you just have to make sure to save it (PUSH ESP) before you use it and when you are all done restore it (POP ESP).

    goatass

  9. #9
    ThRaX
    Guest
    Ahh, I see...Thanks for clearing that up, goatass

  10. #10
    Lord Rhesus
    Guest
    goatass (11-10-2000 23:05):

    Lord Rhesus if you could please send me your tutorial for this project it would be great so I don't have to write this one too

    goatass
    Hey goatass! I can attach files now? So here is my tutorial and keygen. Note that you have to right click on the link and select save to disk, otherwise you get a window displaying garbage!

  11. #11
    ThRaX
    Guest
    Hey all, I just finished up the keygen in Win32ASM...the code is basically identical to Lord Rhesus's, so I don't really think I need to post it up here.

    Anyway, this was a really nifty project...It taught a lot about other languages (namely, Delphi), and how to defeat *many* Delphi protections. As I said in the patching post, I read the author's website and he seems like a cool guy, the type who would appreciate something like this...I think we should contact him and point him to this forum...And maybe in the future he could make a better protection, possibly with help from the reverser community

    laterz

  12. #12
    Timmy
    Guest
    Just as a note, I know high level languages are overbloated but writing a keygen in delphi or whatever gives me a complete understanding of what is going on and is a hell of a lot easier to look at later on when you are looking back at your past projects for tips. Actually I should have added plenty of comments to my source code to clarify things but I was slightly drunk at the time of posting.

  13. #13
    ThRaX
    Guest
    Hey all, one question....
    This project showed how useful DeDe, the Delphi decompiler (er...sort of a decompiler), is. Anyway, is there a convenient way to know if a program is written in Delphi? (Any clear-cut giveaways, or even subtle hints)...It would be tedious to simply attempt to decompile every single app you stumble across, just to find out if it was in Delphi.

    Thanks

  14. #14
    hz
    Guest
    hi,
    Gettype works for me, protools or h*tp://surf.to/phax
    regards
    hz
