No patching!

Valid solution is only a keygen

KeygenMe2.zip

Hello qpt^J

good job, but that's not a bug

N1ghtm4r3
2017CB5A701C96AE-84087C7ACBB32657

oh sorry, it's my fault, i didnt reversed it that much

heres fixed:

N1ghtm4r3 keygenme 2 - keygen.rar

I am struggling with this one

So far I have worked out the following I think I have a basic understanding of what this function 00401376 is doing:

00401453  |. C1F9 04        |SAR ECX,4                               ;  temp : 36 Binary 110110 sets CL & ECX to 03 - Shift right equlicant to NUM / 10
00401456  |. C0E2 02        |SHL DL,2                                ;  temp : 35 Binary 110101 sets DL & EDX to D4 - Shift Left  equlivant to NUM * 4
00401459  |. 0ACA           |OR CL,DL                                ;  The two numbers stored have an OR applied to them resulting in DL D4 OR CL 3 = D7
0040145B  |. 880E           |MOV BYTE PTR DS:[ESI],CL                ;  Move D7 into stack (This is passed back from this routine)
0040145D  |. 46             |INC ESI                                 ;  Increment ESI stack count placement
0040145E  |. 80FB 3D        |CMP BL,3D                               ;  Compare contents of BL to Hex 3D Decimal 61 char '='
00401461  |. 897424 28      |MOV DWORD PTR SS:[ESP+28],ESI
00401465  |. 0F84 9E000000  |JE KeygenMe.00401509                    ;  Jump if contents of BL is Hex 3D Decimal 61 char '='
0040146B  |. 8B4C24 10      |MOV ECX,DWORD PTR SS:[ESP+10]
0040146F  |. 41             |INC ECX
00401470  |. 894C24 10      |MOV DWORD PTR SS:[ESP+10],ECX
00401474  |. 8B4C24 30      |MOV ECX,DWORD PTR SS:[ESP+30]
00401478  |. 85C9           |TEST ECX,ECX
0040147A  |. 74 0A          |JE SHORT KeygenMe.00401486
0040147C  |. 394C24 10      |CMP DWORD PTR SS:[ESP+10],ECX
00401480  |. 0F8F 9F000000  |JG KeygenMe.00401525
00401486  |> 0FBE0F         |MOVSX ECX,BYTE PTR DS:[EDI]
00401489  |. 80FB 80        |CMP BL,80                               ;  Compare contents of BL to Hex 80 Decimal 128
0040148C  |. 73 11          |JNB SHORT KeygenMe.0040149F             ;  Jump if BL => Hex 80 Decimal 128 - Jump short if not below (CF=0)
0040148E  |. 8BD5           |MOV EDX,EBP
00401490  |. 81E2 FF000000  |AND EDX,0FF
00401496  |. 0FBE92 3461400>|MOVSX EDX,BYTE PTR DS:[EDX+406134]
0040149D  |. EB 03          |JMP SHORT KeygenMe.004014A2
0040149F  |> 83CA FF        |OR EDX,FFFFFFFF
004014A2  |> C1FA 02        |SAR EDX,2                               ;  temp : 36 Binary 110110 sets DL & EDX to 0D - Shift right equlicant to NUM / 4
004014A5  |. C0E1 04        |SHL CL,4                                ;  temp : 36 Binary 110110 sets CL & ECX to 60 - Shift Left  equlivant to NUM * 10 = 360 3 is lost
004014A8  |. 0AD1           |OR DL,CL                                ;  The two numbers stored have an OR applied to them resulting in DL 0D OR CL 60 = 6D
004014AA  |. 8816           |MOV BYTE PTR DS:[ESI],DL                ;  Move 6D into stack (This is passed back from this routine)
004014AC  |. 46             |INC ESI                                 ;  Increment ESI stack count placement
004014AD  |. 3C 3D          |CMP AL,3D                               ;  Compare contents of AL to Hex 3D Decimal 61 char '='
004014AF  |. 897424 28      |MOV DWORD PTR SS:[ESP+28],ESI
004014B3  |. 74 54          |JE SHORT KeygenMe.00401509              ;  Jump if contents of AL is Hex 3D Decimal 61 char '='
004014B5  |. 8B7C24 10      |MOV EDI,DWORD PTR SS:[ESP+10]
004014B9  |. 8B4C24 30      |MOV ECX,DWORD PTR SS:[ESP+30]
004014BD  |. 47             |INC EDI
004014BE  |. 85C9           |TEST ECX,ECX
004014C0  |. 897C24 10      |MOV DWORD PTR SS:[ESP+10],EDI
004014C4  |. 74 06          |JE SHORT KeygenMe.004014CC
004014C6  |. 8BD7           |MOV EDX,EDI
004014C8  |. 3BD1           |CMP EDX,ECX
004014CA  |. 7F 59          |JG SHORT KeygenMe.00401525
004014CC  |> 80FB 80        |CMP BL,80                               ;  Compare contents of BL to Hex 80 Decimal 128
004014CF  |. 73 0F          |JNB SHORT KeygenMe.004014E0             ;  Jump if BL => Hex 80 Decimal 128 - Jump short if not below (CF=0)
004014D1  |. 81E5 FF000000  |AND EBP,0FF
004014D7  |. 0FBE8D 3461400>|MOVSX ECX,BYTE PTR SS:[EBP+406134]
004014DE  |. EB 03          |JMP SHORT KeygenMe.004014E3
004014E0  |> 83C9 FF        |OR ECX,FFFFFFFF
004014E3  |> 3C 80          |CMP AL,80                               ;  Compare contents of AL to Hex 80 Decimal 128
004014E5  |. 73 13          |JNB SHORT KeygenMe.004014FA             ;  Jump if AL => Hex 80 Decimal 128 - Jump short if not below (CF=0)
004014E7  |. 8B5424 18      |MOV EDX,DWORD PTR SS:[ESP+18]
004014EB  |. 81E2 FF000000  |AND EDX,0FF
004014F1  |. 0FBE92 3461400>|MOVSX EDX,BYTE PTR DS:[EDX+406134]
004014F8  |. EB 03          |JMP SHORT KeygenMe.004014FD
004014FA  |> 83CA FF        |OR EDX,FFFFFFFF
004014FD  |> C0E1 06        |SHL CL,6                                ;  temp : 37 Binary 110111 sets CL & ECX to C0 - Shift Left  equlivant to NUM * 40 = DC0 D is lost
00401500  |. 0ACA           |OR CL,DL                                ;  The two numbers stored have an OR applied to them resulting in DL 38 OR CL C0 = F8
00401502  |. 880E           |MOV BYTE PTR DS:[ESI],CL                ;  Move F8 into stack (This is passed back from this routine)
00401504  |. 46             |INC ESI                                 ;  Increment ESI stack count placement

However after this routine it seems to aquire the serial number of my drive and then proceed to call the another function I can not get my head around what this is doing

0040123E  |. 68 5C704000    PUSH KeygenMe.0040705C                   ;  ASCII "%02X%02X"
00401243  |. 52             PUSH EDX                                 
00401244  |. E8 F7020000    CALL KeygenMe.0040154000402170  /$ 8B4C24 04      MOV ECX,DWORD PTR SS:[ESP+4]
00402174  |. F7C1 03000000  TEST ECX,3
0040217A  |. 74 14          JE SHORT KeygenMe.00402190
0040217C  |> 8A01           /MOV AL,BYTE PTR DS:[ECX]
0040217E  |. 41             |INC ECX
0040217F  |. 84C0           |TEST AL,AL
00402181  |. 74 40          |JE SHORT KeygenMe.004021C3
00402183  |. F7C1 03000000  |TEST ECX,3
00402189  |.^75 F1          \JNZ SHORT KeygenMe.0040217C
0040218B  |. 05 00000000    ADD EAX,0
00402190  |> 8B01           /MOV EAX,DWORD PTR DS:[ECX]              ;  Move Calculated serial into EAX
00402192  |. BA FFFEFE7E    |MOV EDX,7EFEFEFF
00402197  |. 03D0           |ADD EDX,EAX
00402199  |. 83F0 FF        |XOR EAX,FFFFFFFF
0040219C  |. 33C2           |XOR EAX,EDX
0040219E  |. 83C1 04        |ADD ECX,4
004021A1  |. A9 00010181    |TEST EAX,81010100
004021A6  |.^74 E8          |JE SHORT KeygenMe.00402190
004021A8  |. 8B41 FC        |MOV EAX,DWORD PTR DS:[ECX-4]
004021AB  |. 84C0           |TEST AL,AL
004021AD  |. 74 32          |JE SHORT KeygenMe.004021E1
004021AF  |. 84E4           |TEST AH,AH
004021B1  |. 74 24          |JE SHORT KeygenMe.004021D7
004021B3  |. A9 0000FF00    |TEST EAX,0FF0000
004021B8  |. 74 13          |JE SHORT KeygenMe.004021CD
004021BA  |. A9 000000FF    |TEST EAX,FF000000
004021BF  |. 74 02          |JE SHORT KeygenMe.004021C3
004021C1  |.^EB CD          \JMP SHORT KeygenMe.00402190
004021C3  |> 8D41 FF        LEA EAX,DWORD PTR DS:[ECX-1]
004021C6  |. 8B4C24 04      MOV ECX,DWORD PTR SS:[ESP+4]

Here I get stuck I can't understand what it is doing and why

@ISquishWorms:

I suggest you try some easier keygenmes. step by step

P.s. This is keygenme2, your analysis belongs to keygenme1!

Edited February 24, 201114 yr by N1ghtm4r3

Thanks a lot for this KeygenMe.

Learned something new, since never keygenned DSA before.

Also learned how to rip the whole MD5 algo.

Yes, I ripped the whole MD5 algo from your KGM.

N1ghtm4r3.KGM2.Keygen.zip

Edited June 3, 201114 yr by Saduff

Well done as first try!

Very good crackme! I learned a lot.

KeygenMe2_keygen.rar