Jump to content
Tuts 4 You

[keygenme] KeygenMe2

N1ghtm4r3

By N1ghtm4r3
in KeygenMe

 Share

Recommended Posts

ISquishWorms

ISquishWorms

Posted
Posted

I am struggling with this one :(

So far I have worked out the following I think I have a basic understanding of what this function 00401376 is doing:


00401453  |. C1F9 04        |SAR ECX,4                               ;  temp : 36 Binary 110110 sets CL & ECX to 03 - Shift right equlicant to NUM / 10
00401456  |. C0E2 02        |SHL DL,2                                ;  temp : 35 Binary 110101 sets DL & EDX to D4 - Shift Left  equlivant to NUM * 4
00401459  |. 0ACA           |OR CL,DL                                ;  The two numbers stored have an OR applied to them resulting in DL D4 OR CL 3 = D7
0040145B  |. 880E           |MOV BYTE PTR DS:[ESI],CL                ;  Move D7 into stack (This is passed back from this routine)
0040145D  |. 46             |INC ESI                                 ;  Increment ESI stack count placement
0040145E  |. 80FB 3D        |CMP BL,3D                               ;  Compare contents of BL to Hex 3D Decimal 61 char '='
00401461  |. 897424 28      |MOV DWORD PTR SS:[ESP+28],ESI
00401465  |. 0F84 9E000000  |JE KeygenMe.00401509                    ;  Jump if contents of BL is Hex 3D Decimal 61 char '='
0040146B  |. 8B4C24 10      |MOV ECX,DWORD PTR SS:[ESP+10]
0040146F  |. 41             |INC ECX
00401470  |. 894C24 10      |MOV DWORD PTR SS:[ESP+10],ECX
00401474  |. 8B4C24 30      |MOV ECX,DWORD PTR SS:[ESP+30]
00401478  |. 85C9           |TEST ECX,ECX
0040147A  |. 74 0A          |JE SHORT KeygenMe.00401486
0040147C  |. 394C24 10      |CMP DWORD PTR SS:[ESP+10],ECX
00401480  |. 0F8F 9F000000  |JG KeygenMe.00401525
00401486  |> 0FBE0F         |MOVSX ECX,BYTE PTR DS:[EDI]
00401489  |. 80FB 80        |CMP BL,80                               ;  Compare contents of BL to Hex 80 Decimal 128
0040148C  |. 73 11          |JNB SHORT KeygenMe.0040149F             ;  Jump if BL => Hex 80 Decimal 128 - Jump short if not below (CF=0)
0040148E  |. 8BD5           |MOV EDX,EBP
00401490  |. 81E2 FF000000  |AND EDX,0FF
00401496  |. 0FBE92 3461400>|MOVSX EDX,BYTE PTR DS:[EDX+406134]
0040149D  |. EB 03          |JMP SHORT KeygenMe.004014A2
0040149F  |> 83CA FF        |OR EDX,FFFFFFFF
004014A2  |> C1FA 02        |SAR EDX,2                               ;  temp : 36 Binary 110110 sets DL & EDX to 0D - Shift right equlicant to NUM / 4
004014A5  |. C0E1 04        |SHL CL,4                                ;  temp : 36 Binary 110110 sets CL & ECX to 60 - Shift Left  equlivant to NUM * 10 = 360 3 is lost
004014A8  |. 0AD1           |OR DL,CL                                ;  The two numbers stored have an OR applied to them resulting in DL 0D OR CL 60 = 6D
004014AA  |. 8816           |MOV BYTE PTR DS:[ESI],DL                ;  Move 6D into stack (This is passed back from this routine)
004014AC  |. 46             |INC ESI                                 ;  Increment ESI stack count placement
004014AD  |. 3C 3D          |CMP AL,3D                               ;  Compare contents of AL to Hex 3D Decimal 61 char '='
004014AF  |. 897424 28      |MOV DWORD PTR SS:[ESP+28],ESI
004014B3  |. 74 54          |JE SHORT KeygenMe.00401509              ;  Jump if contents of AL is Hex 3D Decimal 61 char '='
004014B5  |. 8B7C24 10      |MOV EDI,DWORD PTR SS:[ESP+10]
004014B9  |. 8B4C24 30      |MOV ECX,DWORD PTR SS:[ESP+30]
004014BD  |. 47             |INC EDI
004014BE  |. 85C9           |TEST ECX,ECX
004014C0  |. 897C24 10      |MOV DWORD PTR SS:[ESP+10],EDI
004014C4  |. 74 06          |JE SHORT KeygenMe.004014CC
004014C6  |. 8BD7           |MOV EDX,EDI
004014C8  |. 3BD1           |CMP EDX,ECX
004014CA  |. 7F 59          |JG SHORT KeygenMe.00401525
004014CC  |> 80FB 80        |CMP BL,80                               ;  Compare contents of BL to Hex 80 Decimal 128
004014CF  |. 73 0F          |JNB SHORT KeygenMe.004014E0             ;  Jump if BL => Hex 80 Decimal 128 - Jump short if not below (CF=0)
004014D1  |. 81E5 FF000000  |AND EBP,0FF
004014D7  |. 0FBE8D 3461400>|MOVSX ECX,BYTE PTR SS:[EBP+406134]
004014DE  |. EB 03          |JMP SHORT KeygenMe.004014E3
004014E0  |> 83C9 FF        |OR ECX,FFFFFFFF
004014E3  |> 3C 80          |CMP AL,80                               ;  Compare contents of AL to Hex 80 Decimal 128
004014E5  |. 73 13          |JNB SHORT KeygenMe.004014FA             ;  Jump if AL => Hex 80 Decimal 128 - Jump short if not below (CF=0)
004014E7  |. 8B5424 18      |MOV EDX,DWORD PTR SS:[ESP+18]
004014EB  |. 81E2 FF000000  |AND EDX,0FF
004014F1  |. 0FBE92 3461400>|MOVSX EDX,BYTE PTR DS:[EDX+406134]
004014F8  |. EB 03          |JMP SHORT KeygenMe.004014FD
004014FA  |> 83CA FF        |OR EDX,FFFFFFFF
004014FD  |> C0E1 06        |SHL CL,6                                ;  temp : 37 Binary 110111 sets CL & ECX to C0 - Shift Left  equlivant to NUM * 40 = DC0 D is lost
00401500  |. 0ACA           |OR CL,DL                                ;  The two numbers stored have an OR applied to them resulting in DL 38 OR CL C0 = F8
00401502  |. 880E           |MOV BYTE PTR DS:[ESI],CL                ;  Move F8 into stack (This is passed back from this routine)
00401504  |. 46             |INC ESI                                 ;  Increment ESI stack count placement

However after this routine it seems to aquire the serial number of my drive and then proceed to call the another function I can not get my head around what this is doing :(


0040123E  |. 68 5C704000    PUSH KeygenMe.0040705C                   ;  ASCII "%02X%02X"
00401243  |. 52             PUSH EDX                                 
00401244  |. E8 F7020000    CALL KeygenMe.0040154000402170  /$ 8B4C24 04      MOV ECX,DWORD PTR SS:[ESP+4]
00402174  |. F7C1 03000000  TEST ECX,3
0040217A  |. 74 14          JE SHORT KeygenMe.00402190
0040217C  |> 8A01           /MOV AL,BYTE PTR DS:[ECX]
0040217E  |. 41             |INC ECX
0040217F  |. 84C0           |TEST AL,AL
00402181  |. 74 40          |JE SHORT KeygenMe.004021C3
00402183  |. F7C1 03000000  |TEST ECX,3
00402189  |.^75 F1          \JNZ SHORT KeygenMe.0040217C
0040218B  |. 05 00000000    ADD EAX,0
00402190  |> 8B01           /MOV EAX,DWORD PTR DS:[ECX]              ;  Move Calculated serial into EAX
00402192  |. BA FFFEFE7E    |MOV EDX,7EFEFEFF
00402197  |. 03D0           |ADD EDX,EAX
00402199  |. 83F0 FF        |XOR EAX,FFFFFFFF
0040219C  |. 33C2           |XOR EAX,EDX
0040219E  |. 83C1 04        |ADD ECX,4
004021A1  |. A9 00010181    |TEST EAX,81010100
004021A6  |.^74 E8          |JE SHORT KeygenMe.00402190
004021A8  |. 8B41 FC        |MOV EAX,DWORD PTR DS:[ECX-4]
004021AB  |. 84C0           |TEST AL,AL
004021AD  |. 74 32          |JE SHORT KeygenMe.004021E1
004021AF  |. 84E4           |TEST AH,AH
004021B1  |. 74 24          |JE SHORT KeygenMe.004021D7
004021B3  |. A9 0000FF00    |TEST EAX,0FF0000
004021B8  |. 74 13          |JE SHORT KeygenMe.004021CD
004021BA  |. A9 000000FF    |TEST EAX,FF000000
004021BF  |. 74 02          |JE SHORT KeygenMe.004021C3
004021C1  |.^EB CD          \JMP SHORT KeygenMe.00402190
004021C3  |> 8D41 FF        LEA EAX,DWORD PTR DS:[ECX-1]
004021C6  |. 8B4C24 04      MOV ECX,DWORD PTR SS:[ESP+4]

Here I get stuck I can't understand what it is doing and why :(

Link to comment
Share on other sites
N1ghtm4r3

N1ghtm4r3

Posted
  • Author
Posted (edited)

@ISquishWorms:

I suggest you try some easier keygenmes. step by step ;)

P.s. This is keygenme2, your analysis belongs to keygenme1!

Edited by N1ghtm4r3
Link to comment
Share on other sites
  • 3 months later...
Saduff

Saduff

Posted
Posted (edited)

Thanks a lot for this KeygenMe.

Learned something new, since never keygenned DSA before. :)

Also learned how to rip the whole MD5 algo. :)

Yes, I ripped the whole MD5 algo from your KGM. :D

N1ghtm4r3.KGM2.Keygen.zip

Edited by Saduff
Link to comment
Share on other sites
  • 2 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...