Jump to content
Tuts 4 You

[KeygenMe] KeygenMe#1


Recommended Posts

Hi ..

it's first My keygenMe for anybody care with Android Reversing ..

it's a medium protection "NOT FOR BEGINNING" it's need a good skills on Android OS & dalvik opcode

i left Application without obfuscation to be clear for anyone want to study it

if you have any question ..please ask




Link to comment
Share on other sites

  • 1 year later...
Hi, i'm new in android. Here is what i see in your kgm, didn't finish it but i hope all below is correct.



const/4 v6, 0x0

const/4 v9, 0x1

const-string v11, "Activate"

const-string v10, "About"

const-string v8, ""



_emulator_dete    : Mac address problem

_emulator_dete1  : IMEI problem



//patch to bypass prob1.

sget-object v0, LCom/zAWS/KeygenMe/main;->_mac_address:Ljava/lang/String;

    goto :cond_bb

    .line 321

    invoke-static {}, LCom/zAWS/KeygenMe/main;->_emulator_dete()Ljava/lang/String;


//patch to bypass prob2.


const-string v0, "123456789097531"

sput-object v0, LCom/zAWS/KeygenMe/main;->_imei:Ljava/lang/String;



//get imei

//get len and then sub 1.


invoke-static {}, Lanywheresoftware/b4a/phone/Phone$PhoneId;->GetDeviceId()Ljava/lang/String;

    move-result-object v0

    sput-object v0, LCom/zAWS/KeygenMe/main;->_imei:Ljava/lang/String;

    .line 340

    sget-object v0, LCom/zAWS/KeygenMe/main;->mostCurrent:LCom/zAWS/KeygenMe/main;

    sget-object v0, LCom/zAWS/KeygenMe/main;->_imei:Ljava/lang/String;

    invoke-virtual {v0}, Ljava/lang/String;->length()I

    move-result v0

    sub-int/2addr v0, v9

    int-to-double v0, v0


5. goto_d5


    move v2, v6 

    move v3, v6

//v2 = v3 = 0

    .line 341


    int-to-double v4, v2 

//v4 = 0

    cmpg-double v4, v4, v0

    if-lez v4, :cond_e3 #way1 jump at the first time.

    .line 349

    if-nez v3, :cond_106 #way2 jump at the second time.

    .line 351

    invoke-static {}, LCom/zAWS/KeygenMe/main;->_emulator_dete1()Ljava/lang/String;



v4 = imei

v5 = v2 + 1 = 1

v4 = substring(v4,v2,v5) = substring(imei,0,1) = 1

v5 = 0x10 = 16

v4 = invoke-static {v4, v5}, Lanywheresoftware/b4a/keywords/Bit;->ParseInt

mean convert v4 from b16 to b10 <=> v4 = 0x31 = 49

v4 = invoke-static {v4}, Lanywheresoftware/b4a/BA;->NumberToString

int-to-double A, B: as i read B is source, A is dest.

then i have 

v5 = v3 = 0

v3 = v4 (double)

v3 = v3 + v5 = v3 (int)


v4 = v2 = 0

v6 = 0x3FF0

v4 = v4 + v6 = v6

v2 = v4 = v6 (int)

then back to goto_d5


way2: main protect.

v0 = v3*0x17

v1 = 0xF

v0 = v0 and v1

put v0 into _key_from_imei_number

read from key.txt

come to _check_code function.



    const/4 v6, 0x1

    const/4 v5, 0x0

    const-string v2, ""

    .line 542

    const-string v0, ""

    .................................why so many v0 here?

v0 = readfile = key

v1 = compare v0, v2 => check if key is null.

if-eqz v1, :cond_20 => Start decrypt



v0 = _decrypt(v0) = 11 bits of DES decrypt, maybe key is UTF8, i'm not sure.

more than one complex function, i don't have time to check it all, serial is appended from these functions.
Link to comment
Share on other sites

  • 4 weeks later...

Fishing is not my goal (not your purpose either) i want to understand this kgm, please help me, i can't send pm to you, i still want to learn more about android cracking, please send me your mail/pm if you don't mind.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...