
Thread: Easy KeygenMe !!

  1. #1

    Easy KeygenMe !!

    This keygenme is very hard!!

    I have not seen a keygenme like this before.

    With most keygenmes, you trace with OllyDbg and the serial then appears in a register (eax, ebx, ecx, etc.).

    This keygenme does not show the serial in OllyDbg.

    The key routine is a calculation and a cmp.

    No error message. No packing.

    Solving rule: don't change the name (hansir); find the serial for it.

    I want the serial and the solving method... please help me T-T

    I'm from Korea. -_-
    Last edited by kami13x; March 3rd, 2006 at 12:03.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    This file does appear to be a keygenme, but it is infected with Parite.B as well...

    I suggest you scan your system if this was not deliberate.

    As for the keygenme itself, I suggest you make a note of exactly what it does with the serial it reads in line by line (between 4012db and 40137a, see how the serial has been read into memory at that point?). Then work backwards, and try to think how you can "undo" each step. It's not too complicated :-)


    Last edited by wtbw; March 3rd, 2006 at 08:44.

  3. #3
    ZaiRoN
    Will you upload a cleaned version of the keygenme? Do you have a link to it?

  4. #4
    Here you go, I'm pretty sure this is totally clean... I removed the bad section and fixed the imports it moved, and put the EP back. It's small enough to analyse completely if you're unsure.

    Attached Files

  5. #5
    - - Sorry T-T. No, deliberate!!

    My system is infected with Parite.B as well.

    I didn't know either. My system doesn't have an antivirus program installed -_-

    Thank you, wtbw.

    Now scanning my system... more than 200 files infected with Parite.B
    Last edited by kami13x; March 4th, 2006 at 00:48.

  6. #6
    ZaiRoN
    Ok, I moved the thread to the Mini Project Area. The keygenme is really easy and it might be a nice exercise for those who want to learn how to reverse simple instructions.

    The idea behind the keygenme is:
    1. Perform a calculation over the name's characters, obtaining a number; call it numberFromName.
    2. Perform a calculation over the serial, obtaining a number; call it numberFromSerial.
    3. Compare numberFromName with numberFromSerial.
    The only thing to do is to understand how numberFromSerial is obtained, and then you have to try to reverse the process, nothing more.

    Some questions that might help you in the reverse engineering process of the keygenme:
    1. Where is numberFromName stored?
    2. Where is the routine over the serial? I mean, which are the initial and end addresses of the routine performing the calculation over the serial?
    3. Can you reverse all the instructions used in the routine?

    Good luck

  7. #7
    On a difficulty from 0-9, I'd consider this 2.

    Edit: Not much to it. Took ~20 minutes to write the keygen. Here is the source code:
    mov ah 9 | mov dx .mname | int h21
    mov ah 10 | mov dx .name_buf | int h21
    mov si .name_buf+1 | lodsb | cmp al 5 | jnb .lxt
    ; sum
    :lxt | sub al 4 | mov cl al | lodsd | push eax | xor eax eax
    :snl | lodsb | add ah al | loop .snl
    ; algorithm
    mov al ah | push eax | bswap eax | pop ebx | or eax ebx | pop ebx
    xor eax ebx | bswap eax | add eax h3022006 ; February 3rd, 2006
    bswap eax | sub eax hDEADC0DE | bswap eax | inc al | inc ah | bswap eax
    dec al | dec ah | bswap eax | xor eax hEDB88320 | bswap eax
    add eax hD76AA478 | bswap eax | sub eax hB00BFACE | bswap eax
    add eax hBADBEEF | bswap eax | inc eax | bswap eax | dec eax | bswap eax
    add eax ebx | bswap eax | inc ax | bswap eax | inc ax
    ; inverse algorithm
    sub al hef | xor al hcd | sub ah hab | xor ah h90
                         bswap eax
    sub al h34 | xor al h12 | sub ah h78 | xor ah h56
    push eax
        mov ah 9 | mov dx .mseri | int h21
    pop edx
    mov cl 4
     :prloop | mov al dl | call bout | shr edx 8
     loop .prloop
    /hd4 16 | call $+3 | xchg al ah | cmp al 10 | sbb al h69 | das | int h29
    :mname | "Name: $"
    :mseri | /13 10 "Ser#: $"
    Assembles to a 230-byte keygen.
    Last edited by LLXX; March 4th, 2006 at 08:02.

  8. #8
    T-T.... Still no serial number....

    I understand what ZaiRoN says... but I can't find the serial number.

    I'm a beginner reverser T-T

    The name is hansir; then what is the serial? I'm eager to know.

    I will analyze why this serial is the answer.

    <first blank: name, second blank: serial>
    Last edited by kami13x; March 4th, 2006 at 14:28.

  9. #9
    Follow the algorithm. It's been extracted from the file and put in the source I posted above. Read through it.

    BTW, is this a Korean keygen? All I see for the text are a bunch of ____

  10. #10
    .......... LLXX, is your source MASM? This keygen is a Korean's making.

    How do I interpret your algorithm... not to mention, the asm commands I know.

    I'm Korean, so this is the first time I have seen source like this.

    By means of Korean, I am interested in reverse engineering.

    But I struggle, because my English ability is lacking.

    How can I come into contact with reverse engineering?

    Asking for advice for me. Can you make a tutorial? T-T

    I need an example.
    Last edited by kami13x; March 5th, 2006 at 00:05.

  11. #11
    If you don't know much English then I recommend you ask on Korean reverse-engineering websites. Here, it is hard for you to understand us, and hard for us to understand you.

  12. #12
    ZaiRoN
    Did you try to step through a single line of the keygenme? Which kind of tools are you using?

    If you are a beginner you can start with something mentioned in our FAQ:
    Is there a "most useful breakpoint"?
    Hmmm, there is not any specific best one, but there are some common breakpoints to start with. For example: if you have to catch when the application reads something from an edit box you can use one of: GetDlgItemTextA, GetWindowTextA
    Start your analysis from here, trying to find how and where the serial is read.

  13. #13
    Well, you have OllyDbg; the code is not obfuscated, it is coded in plain.
    Find where it reads your name and serial.

    Hint: enter a serial > 8 chars like 12345678
    004011E7  |.  E8 F4010000   CALL <JMP.&user32.GetDlgItemTextA>    ; \GetDlgItemTextA
    Break there and single-step through the whole code with F7, and watch all over the screen.

    See what changes (the changes will be in red colour if you have the default appearance).

    The first part of the hash for your name should be
    004030##                                      65 07 29 70              e)p
    These following changes you should observe in the registers:
    kami13x keygen name hash craeator
    the hash is db
    the hash is db00
    the hash is dbdb
    the hash is dbdb0000
    the hash is dbdbdbdb
    the hash is 736e6168
    the hash is a8b5bab3
    the hash is b3bab5a8
    the hash is b6bcd5ae
    the hash is aed5bcb6
    the hash is d027fbd8
    the hash is d8fb27d0
    the hash is d8fb28d1
    the hash is d128fbd8
    the hash is d128fad7
    the hash is d7fa28d1
    the hash is 3a42abf1
    the hash is f1ab423a
    the hash is c915e6b2
    the hash is b2e615c9
    the hash is 2da1afb
    the hash is fb1ada02
    the hash is 6c898f1
    the hash is f198c806
    the hash is f198c807
    the hash is 7c898f1
    the hash is 7c898f0
    the hash is f098c807
    the hash is 6407296f
    the hash is 6f290764
    the hash is 6f290765
    the hash is 6507296f
    the hash is 65072970
    the final hash is 70290765
    Now if you get through this part you can easily find the serial for your name.

    I did a proto code just for reference; it's totally in C.
    If you understand that language, it's done on a one-to-one basis
    vis-a-vis asm.

    #include <stdio.h>
    #include <string.h>
    #define bswap_32(x) \
         ((((x) & 0xff000000) >> 24) | (((x) & 0x00ff0000) >>  8) | \
          (((x) & 0x0000ff00) <<  8) | (((x) & 0x000000ff) << 24))
    char name[25] = {0};
    unsigned int hash;
    /* unsigned so the wrap-around of the adds and subs is well defined */
    unsigned int temp1, temp2, temp3, temp4, temp5, temp6, temp7, temp8, temp9,
                 temp10, temp11, temp12, temp13, temp14, temp15, temp16, temp17, temp18;
    int i, namelen;
    int main()
    {
        printf("kami13x keygen name hash craeator\n");
        /* the name-reading part was lost from the post; read it from stdin here */
        if (fgets(name, sizeof name, stdin) == NULL)
            return 1;
        name[strcspn(name, "\r\n")] = '\0';
        namelen = strlen(name);
        if (namelen < 5) {
            printf("you need a bigger name\n");
            return 1;
        }
        /* sum of the characters after the first four (add ah, al in the asm) */
        for (i = 4; i < namelen; i++)
            hash += (unsigned int)(unsigned char)name[i];
        printf("the hash is %x\n", hash);
        /* replicate the sum byte into all four bytes of a dword */
        temp1 = hash << 8;
        printf("the hash is %x\n", temp1);
        temp1 = temp1 | hash;
        printf("the hash is %x\n", temp1);
        temp2 = temp1 << 16;
        printf("the hash is %x\n", temp2);
        temp2 = temp2 | temp1;
        printf("the hash is %x\n", temp2);
        /* first four characters of the name as a little-endian dword (lodsd) */
        for (i = 3; i > 0; i--) {
            temp3 = temp3 | (unsigned char)name[i];
            temp3 = temp3 << 8;
        }
        temp3 = temp3 | (unsigned char)name[0];
        printf("the hash is %x\n", temp3);
        temp4 = temp3 ^ temp2;
        printf("the hash is %x\n", temp4);
        temp5 = bswap_32(temp4);
        printf("the hash is %x\n", temp5);
        temp5 = temp5 + 0x3022006;
        printf("the hash is %x\n", temp5);
        temp6 = bswap_32(temp5);
        printf("the hash is %x\n", temp6);
        temp6 = temp6 - 0xdeadc0de;
        printf("the hash is %x\n", temp6);
        temp7 = bswap_32(temp6);
        printf("the hash is %x\n", temp7);
        /* the keygenme does inc al / inc ah here (bytewise, no carry between them) */
        temp7 = temp7 + 0x00000101;
        printf("the hash is %x\n", temp7);
        temp8 = bswap_32(temp7);
        printf("the hash is %x\n", temp8);
        /* dec al / dec ah in the keygenme */
        temp8 = temp8 - 0x00000101;
        printf("the hash is %x\n", temp8);
        temp9 = bswap_32(temp8);
        printf("the hash is %x\n", temp9);
        temp9 = temp9 ^ 0xedb88320;
        printf("the hash is %x\n", temp9);
        temp10 = bswap_32(temp9);
        printf("the hash is %x\n", temp10);
        temp10 = temp10 + 0xd76aa478;
        printf("the hash is %x\n", temp10);
        temp11 = bswap_32(temp10);
        printf("the hash is %x\n", temp11);
        temp11 = temp11 - 0xb00bface;
        printf("the hash is %x\n", temp11);
        temp12 = bswap_32(temp11);
        printf("the hash is %x\n", temp12);
        temp12 = temp12 + 0x0badbeef;
        printf("the hash is %x\n", temp12);
        temp13 = bswap_32(temp12);
        printf("the hash is %x\n", temp13);
        temp13 = temp13 + 1;
        printf("the hash is %x\n", temp13);
        temp14 = bswap_32(temp13);
        printf("the hash is %x\n", temp14);
        temp14 = temp14 - 1;
        printf("the hash is %x\n", temp14);
        temp15 = bswap_32(temp14);
        printf("the hash is %x\n", temp15);
        /* add eax, ebx: add the first four name characters back in */
        temp15 = temp15 + temp3;
        printf("the hash is %x\n", temp15);
        temp16 = bswap_32(temp15);
        printf("the hash is %x\n", temp16);
        temp16 = temp16 + 1;
        printf("the hash is %x\n", temp16);
        temp17 = bswap_32(temp16);
        printf("the hash is %x\n", temp17);
        temp17 = temp17 + 1;
        printf("the hash is %x\n", temp17);
        temp18 = bswap_32(temp17);
        printf("the final hash is %x\n", temp18);
        return 1;
    }
    Now make a complete keygen and tell us you have succeeded, so that my
    little effort bears fruit.

  14. #14
    Is it just me or is the C version even harder to understand than my Asm one? It doesn't look like it'll work as well, since some of the increments and decrements are byte or word sized, leading to possible carry-over errors. Adding 0x101 may look like it'll work, but if AX was already FFFF then [inc al | inc ah] will produce 0000 while [add eax h0101] will produce 0100

    This keygenme is more suited to dead analysis, since the code is short and lucid. Don't forget, the more you read Asm code like it was a story, the better you get at it!
    Last edited by LLXX; March 5th, 2006 at 19:37.
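    The block below is an added example, not code from any poster in this thread. It re-implements the name-hash steps of LLXX's listing (post #7) with exact operand widths in C: inc_al_ah, dec_al_ah and inc_ax are my own helpers that mirror the byte- and word-sized inc/dec instructions LLXX's post #14 is talking about, and every intermediate eax value is recorded so it can be compared with the register trace in post #13 (the trace is for the name hansir from post #1; the final byte swap that trace ends with is kept, so the function returns 70290765 for that name). The struct and function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_STEPS 40

/* Every intermediate eax value, in order, so a debugger trace can be checked step by step. */
struct trace { uint32_t v[MAX_STEPS]; size_t n; };

uint32_t bswap32(uint32_t x) {
    return (x >> 24) | ((x >> 8) & 0x0000ff00u) | ((x << 8) & 0x00ff0000u) | (x << 24);
}

/* inc al ; inc ah : each byte wraps on its own, nothing carries into its neighbour. */
uint32_t inc_al_ah(uint32_t eax) {
    uint8_t al = (uint8_t)(eax + 1);
    uint8_t ah = (uint8_t)((eax >> 8) + 1);
    return (eax & 0xffff0000u) | ((uint32_t)ah << 8) | al;
}

/* dec al ; dec ah */
uint32_t dec_al_ah(uint32_t eax) {
    uint8_t al = (uint8_t)(eax - 1);
    uint8_t ah = (uint8_t)((eax >> 8) - 1);
    return (eax & 0xffff0000u) | ((uint32_t)ah << 8) | al;
}

/* inc ax : 16-bit wrap, the upper half of eax is untouched. */
uint32_t inc_ax(uint32_t eax) {
    return (eax & 0xffff0000u) | (uint16_t)(eax + 1);
}

/* Name hash as in the asm listing. Returns -1 for names shorter than 5 characters. */
int name_hash(const char *name, struct trace *t, uint32_t *out) {
    size_t len = strlen(name), i;
    uint32_t eax, ebx;
    uint8_t sum = 0;
    if (len < 5) return -1;                       /* 4-byte prefix plus at least one char to sum */
    /* lodsd: the first four characters as a little-endian dword (kept in ebx) */
    ebx = (uint32_t)(uint8_t)name[0] | (uint32_t)(uint8_t)name[1] << 8 |
          (uint32_t)(uint8_t)name[2] << 16 | (uint32_t)(uint8_t)name[3] << 24;
    /* add ah, al over the remaining characters: a byte-wide sum */
    for (i = 4; i < len; i++) sum = (uint8_t)(sum + (uint8_t)name[i]);
    eax = (uint32_t)sum * 0x01010101u;            /* the push/bswap/or dance copies the byte into all lanes */
    if (t) t->n = 0;
#define STEP(e) do { eax = (e); if (t && t->n < MAX_STEPS) t->v[t->n++] = eax; } while (0)
    STEP(eax ^ ebx);            STEP(bswap32(eax));
    STEP(eax + 0x03022006u);    STEP(bswap32(eax));
    STEP(eax - 0xdeadc0deu);    STEP(bswap32(eax));
    STEP(inc_al_ah(eax));       STEP(bswap32(eax));
    STEP(dec_al_ah(eax));       STEP(bswap32(eax));
    STEP(eax ^ 0xedb88320u);    STEP(bswap32(eax));
    STEP(eax + 0xd76aa478u);    STEP(bswap32(eax));
    STEP(eax - 0xb00bfaceu);    STEP(bswap32(eax));
    STEP(eax + 0x0badbeefu);    STEP(bswap32(eax));
    STEP(eax + 1);              STEP(bswap32(eax));
    STEP(eax - 1);              STEP(bswap32(eax));
    STEP(eax + ebx);            STEP(bswap32(eax));
    STEP(inc_ax(eax));          STEP(bswap32(eax));
    STEP(inc_ax(eax));
    STEP(bswap32(eax));         /* post #13's trace ends with one more byte swap; keep it */
#undef STEP
    *out = eax;
    return 0;
}

/* Convenience wrappers: final hash (0 if the name is too short) and the i-th recorded step. */
uint32_t hash_of(const char *name) {
    uint32_t h;
    return name_hash(name, NULL, &h) == 0 ? h : 0;
}

uint32_t step_of(const char *name, size_t i) {
    struct trace t;
    uint32_t h;
    if (name_hash(name, &t, &h) != 0 || i >= t.n) return 0;
    return t.v[i];
}

int main(void) {
    struct trace t;
    uint32_t h;
    size_t i;
    if (name_hash("hansir", &t, &h) != 0) return 1;   /* name from post #1 */
    for (i = 0; i < t.n; i++) printf("step %2u: %08x\n", (unsigned)i, t.v[i]);
    printf("final hash %08x\n", h);
    /* the carry point from post #14: bytewise inc versus a plain add of 0x101 */
    printf("inc al/inc ah on d8fb27ff: %08x, add 0x101: %08x\n",
           inc_al_ah(0xd8fb27ffu), 0xd8fb27ffu + 0x101u);
    return 0;
}
```

    Run against "hansir", the recorded steps match the post #13 trace from a8b5bab3 onward, and the two printed values at the end differ only because the low byte was 0xff: inc al/inc ah leaves ah at 0x28 while add 0x101 carries into it. The same width issue applies to the byte-wide add ah, al in the sum loop, which wraps silently for long names where a plain int sum would not.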

  15. #15
    Thank you, all reversers. Very reinforcing!!

    Is reverser a job? For all the people on this site, is reversing a hobby?

    So, is the hash a function? Descrambling?

    Does blabberer's code appear in OllyDbg? In a register?

    With F8, tracing and watching the registers, nonetheless, nothing to watch T-T

    I know API functions, I have breakpoint skills.

    But why don't I see the serial in OllyDbg?

    Because I watched the serial in a register in OllyDbg, I have solved

    keygenmes and crackmes.

    But this keygenme can hardly be watched in OllyDbg. And if the name is kami13x, then

    is the serial 70290765? I don't have knowledge of hash functions?

    How do I find the genuine serial? Am I asking too many questions?

    I use OllyDbg and more tools, e.g. I used the PointH plugin for serial fishing.

    I use tools like other reversers use them.

    I try unpacking and cracking. Not an absolute beginner!!

    Merely, I have run into this keygenme's routine.

    e.g.) I watch the serial, tracing API functions (with a breakpoint on VbaStrCmp); that is how I solved keygenmes and crackmes

    developed in Visual Basic. Or I solve it by breakpointing the API function of the error msgbox in C, C++ programs,

    or I find the branch instructions (JE, JNZ) and edit them into a forced jump (JMP).

    Is this keygenme special? Why can't I solve this keygenme?

    Finally, what do you think of my English sentences?

    1. beginner 2. intermediate 3. expert 4. master

    And why do you think so? (e.g. low vocabulary, poor sentence structure)

    That advice will help me in my English studying.

    Again, although I don't have much knowledge, I appreciate that this site's users participated in my problem.
    Last edited by kami13x; March 6th, 2006 at 08:25.
