Tuts 4 You

# [keygenme] KeygenMe2

No patching!

Valid solution is only a keygen

KeygenMe2.zip

##### Share on other sites

Hello qpt^J

good job, but that's not a bug

`N1ghtm4r32017CB5A701C96AE-84087C7ACBB32657`
##### Share on other sites

Oh sorry, it's my fault, I didn't reverse it that much.

Here's the fixed version:

N1ghtm4r3 keygenme 2 - keygen.rar

##### Share on other sites

I am struggling with this one.

So far I have worked out the following. I think I have a basic understanding of what this function 00401376 is doing:

```
00401453  |. C1F9 04        |SAR ECX,4                       ;  temp : 36 Binary 110110 sets CL & ECX to 03 - Shift right equivalent to NUM / 10
00401456  |. C0E2 02        |SHL DL,2                        ;  temp : 35 Binary 110101 sets DL & EDX to D4 - Shift left equivalent to NUM * 4
00401459  |. 0ACA           |OR CL,DL                        ;  The two numbers stored have an OR applied to them resulting in DL D4 OR CL 3 = D7
0040145B  |. 880E           |MOV BYTE PTR DS:[ESI],CL        ;  Move D7 into stack (This is passed back from this routine)
0040145D  |. 46             |INC ESI                         ;  Increment ESI stack count placement
0040145E  |. 80FB 3D        |CMP BL,3D                       ;  Compare contents of BL to Hex 3D Decimal 61 char '='
00401461  |. 897424 28      |MOV DWORD PTR SS:[ESP+28],ESI
00401465  |. 0F84 9E000000  |JE KeygenMe.00401509            ;  Jump if contents of BL is Hex 3D Decimal 61 char '='
0040146B  |. 8B4C24 10      |MOV ECX,DWORD PTR SS:[ESP+10]
0040146F  |. 41             |INC ECX
00401470  |. 894C24 10      |MOV DWORD PTR SS:[ESP+10],ECX
00401474  |. 8B4C24 30      |MOV ECX,DWORD PTR SS:[ESP+30]
00401478  |. 85C9           |TEST ECX,ECX
0040147A  |. 74 0A          |JE SHORT KeygenMe.00401486
0040147C  |. 394C24 10      |CMP DWORD PTR SS:[ESP+10],ECX
00401480  |. 0F8F 9F000000  |JG KeygenMe.00401525
00401486  |> 0FBE0F         |MOVSX ECX,BYTE PTR DS:[EDI]
00401489  |. 80FB 80        |CMP BL,80                       ;  Compare contents of BL to Hex 80 Decimal 128
0040148C  |. 73 11          |JNB SHORT KeygenMe.0040149F     ;  Jump if BL => Hex 80 Decimal 128 - Jump short if not below (CF=0)
0040148E  |. 8BD5           |MOV EDX,EBP
00401490  |. 81E2 FF000000  |AND EDX,0FF
00401496  |. 0FBE92 3461400>|MOVSX EDX,BYTE PTR DS:[EDX+406134]
0040149D  |. EB 03          |JMP SHORT KeygenMe.004014A2
0040149F  |> 83CA FF        |OR EDX,FFFFFFFF
004014A2  |> C1FA 02        |SAR EDX,2                       ;  temp : 36 Binary 110110 sets DL & EDX to 0D - Shift right equivalent to NUM / 4
004014A5  |. C0E1 04        |SHL CL,4                        ;  temp : 36 Binary 110110 sets CL & ECX to 60 - Shift left equivalent to NUM * 10 = 360 3 is lost
004014A8  |. 0AD1           |OR DL,CL                        ;  The two numbers stored have an OR applied to them resulting in DL 0D OR CL 60 = 6D
004014AA  |. 8816           |MOV BYTE PTR DS:[ESI],DL        ;  Move 6D into stack (This is passed back from this routine)
004014AC  |. 46             |INC ESI                         ;  Increment ESI stack count placement
004014AD  |. 3C 3D          |CMP AL,3D                       ;  Compare contents of AL to Hex 3D Decimal 61 char '='
004014AF  |. 897424 28      |MOV DWORD PTR SS:[ESP+28],ESI
004014B3  |. 74 54          |JE SHORT KeygenMe.00401509      ;  Jump if contents of AL is Hex 3D Decimal 61 char '='
004014B5  |. 8B7C24 10      |MOV EDI,DWORD PTR SS:[ESP+10]
004014B9  |. 8B4C24 30      |MOV ECX,DWORD PTR SS:[ESP+30]
004014BD  |. 47             |INC EDI
004014BE  |. 85C9           |TEST ECX,ECX
004014C0  |. 897C24 10      |MOV DWORD PTR SS:[ESP+10],EDI
004014C4  |. 74 06          |JE SHORT KeygenMe.004014CC
004014C6  |. 8BD7           |MOV EDX,EDI
004014C8  |. 3BD1           |CMP EDX,ECX
004014CA  |. 7F 59          |JG SHORT KeygenMe.00401525
004014CC  |> 80FB 80        |CMP BL,80                       ;  Compare contents of BL to Hex 80 Decimal 128
004014CF  |. 73 0F          |JNB SHORT KeygenMe.004014E0     ;  Jump if BL => Hex 80 Decimal 128 - Jump short if not below (CF=0)
004014D1  |. 81E5 FF000000  |AND EBP,0FF
004014D7  |. 0FBE8D 3461400>|MOVSX ECX,BYTE PTR SS:[EBP+406134]
004014DE  |. EB 03          |JMP SHORT KeygenMe.004014E3
004014E0  |> 83C9 FF        |OR ECX,FFFFFFFF
004014E3  |> 3C 80          |CMP AL,80                       ;  Compare contents of AL to Hex 80 Decimal 128
004014E5  |. 73 13          |JNB SHORT KeygenMe.004014FA     ;  Jump if AL => Hex 80 Decimal 128 - Jump short if not below (CF=0)
004014E7  |. 8B5424 18      |MOV EDX,DWORD PTR SS:[ESP+18]
004014EB  |. 81E2 FF000000  |AND EDX,0FF
004014F1  |. 0FBE92 3461400>|MOVSX EDX,BYTE PTR DS:[EDX+406134]
004014F8  |. EB 03          |JMP SHORT KeygenMe.004014FD
004014FA  |> 83CA FF        |OR EDX,FFFFFFFF
004014FD  |> C0E1 06        |SHL CL,6                        ;  temp : 37 Binary 110111 sets CL & ECX to C0 - Shift left equivalent to NUM * 40 = DC0 D is lost
00401500  |. 0ACA           |OR CL,DL                        ;  The two numbers stored have an OR applied to them resulting in DL 38 OR CL C0 = F8
00401502  |. 880E           |MOV BYTE PTR DS:[ESI],CL        ;  Move F8 into stack (This is passed back from this routine)
00401504  |. 46             |INC ESI                         ;  Increment ESI stack count placement
```

However, after this routine it seems to acquire the serial number of my drive and then proceeds to call another function. I cannot get my head around what this is doing:

```
0040123E  |. 68 5C704000    PUSH KeygenMe.0040705C           ;  ASCII "%02X%02X"
00401243  |. 52             PUSH EDX
00401244  |. E8 F7020000    CALL KeygenMe.00401540

00402170  /$ 8B4C24 04      MOV ECX,DWORD PTR SS:[ESP+4]
00402174  |. F7C1 03000000  TEST ECX,3
0040217A  |. 74 14          JE SHORT KeygenMe.00402190
0040217C  |> 8A01           /MOV AL,BYTE PTR DS:[ECX]
0040217E  |. 41             |INC ECX
0040217F  |. 84C0           |TEST AL,AL
00402181  |. 74 40          |JE SHORT KeygenMe.004021C3
00402183  |. F7C1 03000000  |TEST ECX,3
00402189  |.^75 F1          \JNZ SHORT KeygenMe.0040217C
0040218B  |. 05 00000000    ADD EAX,0
00402190  |> 8B01           /MOV EAX,DWORD PTR DS:[ECX]      ;  Move Calculated serial into EAX
00402192  |. BA FFFEFE7E    |MOV EDX,7EFEFEFF
00402197  |. 03D0           |ADD EDX,EAX
00402199  |. 83F0 FF        |XOR EAX,FFFFFFFF
0040219C  |. 33C2           |XOR EAX,EDX
0040219E  |. 83C1 04        |ADD ECX,4
004021A1  |. A9 00010181    |TEST EAX,81010100
004021A6  |.^74 E8          |JE SHORT KeygenMe.00402190
004021A8  |. 8B41 FC        |MOV EAX,DWORD PTR DS:[ECX-4]
004021AB  |. 84C0           |TEST AL,AL
004021AD  |. 74 32          |JE SHORT KeygenMe.004021E1
004021AF  |. 84E4           |TEST AH,AH
004021B1  |. 74 24          |JE SHORT KeygenMe.004021D7
004021B3  |. A9 0000FF00    |TEST EAX,0FF0000
004021B8  |. 74 13          |JE SHORT KeygenMe.004021CD
004021BA  |. A9 000000FF    |TEST EAX,FF000000
004021BF  |. 74 02          |JE SHORT KeygenMe.004021C3
004021C1  |.^EB CD          \JMP SHORT KeygenMe.00402190
004021C3  |> 8D41 FF        LEA EAX,DWORD PTR DS:[ECX-1]
004021C6  |. 8B4C24 04      MOV ECX,DWORD PTR SS:[ESP+4]
```

Here I get stuck. I can't understand what it is doing and why.

##### Share on other sites
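
Added example, not part of any post in this thread: a C rendering of what the two listings in the post above compute, the first being the byte-packing steps of a Base64 decoder and the second the word-at-a-time terminator scan of a C runtime `strlen`. The function names and the standard Base64 alphabet are assumptions, since the page shows the lookup at 406134 but not the table contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumption: the table at 406134 maps the standard Base64 alphabet to 0..63.
   Bytes >= 0x80 skip the lookup and yield -1 (CMP xL,80 / JNB / OR reg,FFFFFFFF). */
static int b64_val(unsigned char c) {
    static const char alpha[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p;
    if (c >= 0x80 || c == 0) return -1;
    p = strchr(alpha, c);
    return p ? (int)(p - alpha) : -1;
}

/* Packs each group of four 6-bit values into three bytes, stopping at '='.
   Returns the number of bytes written, or -1 on malformed input. */
long b64_decode(const char *in, unsigned char *out, size_t cap) {
    size_t n = 0, len = strlen(in);
    if (len % 4) return -1;
    for (size_t i = 0; i < len; i += 4) {
        int v0 = b64_val(in[i]),     v1 = b64_val(in[i + 1]);
        int v2 = b64_val(in[i + 2]), v3 = b64_val(in[i + 3]);
        if (v0 < 0 || v1 < 0 || n >= cap) return -1;
        out[n++] = (unsigned char)((v0 << 2) | (v1 >> 4)); /* SHL DL,2 / SAR ECX,4 / OR */
        if (in[i + 2] == '=') break;                       /* CMP BL,3D */
        if (v2 < 0 || n >= cap) return -1;
        out[n++] = (unsigned char)((v1 << 4) | (v2 >> 2)); /* SHL CL,4 / SAR EDX,2 / OR */
        if (in[i + 3] == '=') break;                       /* CMP AL,3D */
        if (v3 < 0 || n >= cap) return -1;
        out[n++] = (unsigned char)((v2 << 6) | v3);        /* SHL CL,6 / OR */
    }
    return (long)n;
}

/* The test in the loop at 00402190: a zero result means none of the four bytes
   in w is the terminator; nonzero sends the code to the byte-by-byte checks. */
uint32_t may_have_zero_byte(uint32_t w) {
    return ((w + 0x7EFEFEFFu) ^ ~w) & 0x81010100u;
}
```

With the standard alphabet, the 6-bit values 35, 36, 37 and 38 traced in the listing's comments correspond to the input characters `1234`, which decode to the same bytes D7 6D F8 the comments arrive at.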

@ISquishWorms:

I suggest you try some easier keygenmes. Step by step.

P.S. This is keygenme2, your analysis belongs to keygenme1!

Edited by N1ghtm4r3
##### Share on other sites

• 3 months later...

Thanks a lot for this KeygenMe.

Learned something new, since I had never keygenned DSA before.

Also learned how to rip the whole MD5 algo.

Yes, I ripped the whole MD5 algo from your KGM.

N1ghtm4r3.KGM2.Keygen.zip

##### Share on other sites

Well done for a first try!

##### Share on other sites

• 2 months later...

Very good crackme! I learned a lot.

KeygenMe2_keygen.rar