Levis Posted March 29, 2012 (edited)

Here is a new keygenme for you. Try to keygen it.

Patching is not allowed
Serial fishing is acceptable
Keygen is the best solution

Level: 3/10
Language: Delphi
Download: http://www.mediafire...b8f11wr9b5a9t9r

Good luck!

keygenme#2.zip

Edited March 29, 2012 by Levis

DE! Posted March 29, 2012 (edited)

DE!MCC1E38743884D4444

Here's a quick and dirty keygen with Lazarus/Freepascal source included.

I think there's a bug in your keygen. In some cases there's an array item that doesn't get filled up but is used in further calculations.. I don't know if it's on purpose or not.. that's why I manually inserted this value (0x4365F7) into the calculations array (see source).

00466E10 |> 8B45 FC /mov eax, dword ptr [ebp-4]
00466E13 |. |0FB64438 FF |movzx eax, byte ptr [eax+edi-1]
00466E18 |. |8B55 FC |mov edx, dword ptr [ebp-4]
00466E1B |. |0FB6541A FF |movzx edx, byte ptr [edx+ebx-1]
00466E20 |. |03C2 |add eax, edx
00466E22 |. |89849D 10F8FF>|mov dword ptr [ebp+ebx*4-7F0], eax
00466E29 |. |43 |inc ebx
00466E2A |. |4F |dec edi
00466E2B |. |3B5D F0 |cmp ebx, dword ptr [ebp-10]
00466E2E |. |74 08 |je short 00466E38
00466E30 |. |8B45 F0 |mov eax, dword ptr [ebp-10]
00466E33 |. |40 |inc eax
00466E34 |. |3BF8 |cmp edi, eax
00466E36 |.^\75 D8 \jnz short 00466E10
00466E38 |> 8B45 FC mov eax, dword ptr [ebp-4]
00466E3B |. 8B55 F0 mov edx, dword ptr [ebp-10]
00466E3E |. 0FB64410 FF movzx eax, byte ptr [eax+edx-1]
00466E43 |. 8B55 FC mov edx, dword ptr [ebp-4]
00466E46 |. 8B4D F0 mov ecx, dword ptr [ebp-10]
00466E49 |. 0FB6140A movzx edx, byte ptr [edx+ecx]
00466E4D |. 03C2 add eax, edx
00466E4F |. 8B55 F0 mov edx, dword ptr [ebp-10]
00466E52 |. 898495 10F8FF>mov dword ptr [ebp+edx*4-7F0], eax

Gives :

0012EE4C CC 00 00 00 CC 00 00 00 F7 65 43 00 CC 00 00 00 Ì...Ì...÷eC.Ì...

Thanks!

KeyGenMe#2.rar

Edited March 29, 2012 by DE!

Levis (Author) Posted March 29, 2012

Oh, many thanks for trying this, DE!. Really have a bug in my keygenme. But, in my code, I can't realize it. Thanks for your information and HepL3R too, all of you did a great job, with incredible speed.

Best of luck

C0M3ND4D0R Posted March 29, 2012

My contribution....

@keygenme_00466EAB:
MOV EAX, DWORD PTR DS:[EBX]
ADD DWORD PTR SS:[EBP-0Ch], EAX
LEA ECX, DWORD PTR SS:[EBP-0FC4h]
MOV EDX, 1
MOV EAX, DWORD PTR DS:[EBX]
CALL @keygenme_00408294 ;<= Jump/Call Address Not Resolved
MOV EAX, DWORD PTR SS:[EBP-0FC4h]
CALL @keygenme_004044DC ;<= Jump/Call Address Not Resolved
ADD DWORD PTR SS:[EBP-018h], EAX
LEA ECX, DWORD PTR SS:[EBP-0FC8h]
MOV EDX, 1
MOV EAX, DWORD PTR DS:[EBX]
CALL @keygenme_00408294 ;<= Jump/Call Address Not Resolved
MOV EDX, DWORD PTR SS:[EBP-0FC8h]
LEA EAX, DWORD PTR DS:[ESI+031Ch]
CALL @keygenme_004044E4 ;<= Jump/Call Address Not Resolved
ADD EBX, 4
DEC DWORD PTR SS:[EBP-01Ch]
JNZ @keygenme_00466EAB

Serial Code: 9530604491346744594333243
332 + 9530604491346744594333243 + 43
33295306044913467445943
DS:[01D22308]=01D2467C, (ASCII "33295306044913467445943")

DE! Posted March 30, 2012 (edited)

> Oh, many thanks for trying this, DE!. Really have a bug in my keygenme. But, in my code, I can't realize it. Thanks for your information and HepL3R too, all of you did a great job, with incredible speed.
> Best of luck

When you try "fffffff" as registration name this happens :

00466E10 |> 8B45 FC /mov eax, dword ptr [ebp-4]
00466E13 |. |0FB64438 FF |movzx eax, byte ptr [eax+edi-1]
00466E18 |. |8B55 FC |mov edx, dword ptr [ebp-4]
00466E1B |. |0FB6541A FF |movzx edx, byte ptr [edx+ebx-1]
00466E20 |. |03C2 |add eax, edx
00466E22 |. |89849D 10F8FF>|mov dword ptr [ebp+ebx*4-7F0], eax <---- Fill up array
00466E29 |. |43 |inc ebx
00466E2A |. |4F |dec edi
00466E2B |. |3B5D F0 |cmp ebx, dword ptr [ebp-10]
00466E2E |. |74 08 |je short 00466E38
00466E30 |. |8B45 F0 |mov eax, dword ptr [ebp-10]
00466E33 |. |40 |inc eax
00466E34 |. |3BF8 |cmp edi, eax
00466E36 |.^\75 D8 \jnz short 00466E10

Initially this buffer has the following content :

0012EE4C AE 0F 3D 00 D0 0A 96 00 F7 65 43 00 80 EE 12 00
0012EE5C 0E 66 43 00 16 66 43 00 1C EF 12 00 20 66 43 00

After the above code you'll get this :

0012EE4C CC 00 00 00 CC 00 00 00 F7 65 43 00 80 EE 12 00
0012EE5C 0E 66 43 00 16 66 43 00 1C EF 12 00 20 66 43 00

The next piece of code will add the last dword to the array :

00466E38 |> \8B45 FC mov eax, dword ptr [ebp-4]
00466E3B |. 8B55 F0 mov edx, dword ptr [ebp-10]
00466E3E |. 0FB64410 FF movzx eax, byte ptr [eax+edx-1]
00466E43 |. 8B55 FC mov edx, dword ptr [ebp-4]
00466E46 |. 8B4D F0 mov ecx, dword ptr [ebp-10]
00466E49 |. 0FB6140A movzx edx, byte ptr [edx+ecx]
00466E4D |. 03C2 add eax, edx
00466E4F |. 8B55 F0 mov edx, dword ptr [ebp-10]
00466E52 |. 898495 10F8FF>mov dword ptr [ebp+edx*4-7F0], eax

And your buffer becomes :

0012EE4C CC 00 00 00 CC 00 00 00 F7 65 43 00 CC 00 00 00
0012EE5C 0E 66 43 00 16 66 43 00 1C EF 12 00 20 66 43 00

Those values are then being used in the next part :

00466E59 |> \BB 01000000 mov ebx, 1
00466E5E |. BF 01000000 mov edi, 1
00466E63 |> 8B849D 10F8FF>/mov eax, dword ptr [ebp+ebx*4-7F0]
00466E6A |. 8984BD 40F0FF>|mov dword ptr [ebp+edi*4-FC0], eax
00466E71 |. 8B45 EC |mov eax, dword ptr [ebp-14]
00466E74 |. 2BC3 |sub eax, ebx
00466E76 |. 8B55 FC |mov edx, dword ptr [ebp-4]
00466E79 |. 0FB64402 FF |movzx eax, byte ptr [edx+eax-1]
00466E7E |. 8984BD 44F0FF>|mov dword ptr [ebp+edi*4-FBC], eax
00466E85 |. 83C7 02 |add edi, 2
00466E88 |. 43 |inc ebx
00466E89 |. 8B45 F0 |mov eax, dword ptr [ebp-10]
00466E8C |. 40 |inc eax
00466E8D |. 3BD8 |cmp ebx, eax
00466E8F |.^ 75 D2 \jnz short 00466E63

So this "0x004365f7" is also used within the serial calculation but is never actually initialised.

If you run this through the keygen without anticipating on this you will get the following serial :

Name : fffffff
Serial : 117C06CC66CC6611787066CC66

Which doesn't work. When inserting this value before making our serial calculations you'll get this :

Name : fffffff
Serial : 43698DCC66CC664365F766CC66

And that one works..

So there's a possible bug. It only happens with a small number of names..

@ hepL3r : When entering "fffffff", "ffffffff", "fffffffffff" and so on in your keygen you get "00066" as serial number... The same with "[DE!MCC]".. You'll get "0005B" as serial...

Edited March 30, 2012 by DE!

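The fill loop at 00466E10 and the final store at 00466E38 from the post above, translated to C as an added example (not code from the thread or from the keygenme) to show how a slot can be skipped and later read uninitialised. The start values ebx=1, edi=7 and [ebp-10]=4 are assumptions picked because they reproduce the dumps shown for "fffffff"; the listing does not show how the program sets them. POISON, SLOTS and the function names are made up for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define SLOTS  16
#define POISON 0xDEADBEEFu  /* constructed marker standing in for stale stack data */

/* Translation of the fill loop at 00466E10 and the final store at 00466E38.
 * ebx0, edi0 and mid ([ebp-10]) are assumed inputs: the listing does not
 * show how the program sets them. Returns a bitmask of the slots written. */
unsigned fill_pairs(const char *name, int ebx0, int edi0, int mid,
                    uint32_t arr[SLOTS])
{
    const unsigned char *s = (const unsigned char *)name;
    unsigned written = 0;
    int ebx = ebx0, edi = edi0;

    for (int i = 0; i < SLOTS; i++) arr[i] = POISON;

    do {
        arr[ebx] = (uint32_t)s[edi - 1] + s[ebx - 1];  /* 00466E10..00466E22 */
        written |= 1u << ebx;
        ebx++;                                          /* 00466E29 */
        edi--;                                          /* 00466E2A */
        if (ebx == mid) break;                          /* 00466E2B/2E: je */
    } while (edi != mid + 1 && ebx < SLOTS);            /* 00466E34/36: jnz */
    /* "ebx < SLOTS" is a bounds guard added here; it is not in the listing. */
    arr[mid] = (uint32_t)s[mid - 1] + s[mid];           /* 00466E38..00466E52 */
    written |= 1u << mid;
    return written;
}

/* First slot in 1..mid that the reader loop at 00466E63 consumes but the
 * fill never wrote; 0 if every slot was written. */
int first_unwritten(unsigned written, int mid)
{
    for (int i = 1; i <= mid; i++)
        if (!(written & (1u << i))) return i;
    return 0;
}

int main(void)
{
    uint32_t arr[SLOTS];
    unsigned w = fill_pairs("fffffff", 1, 7, 4, arr);  /* assumed start values */
    for (int i = 1; i <= 4; i++)
        printf("arr[%d] = %08X%s\n", i, (unsigned)arr[i],
               (w >> i) & 1 ? "" : "  <- never written");
    return 0;
}
```

With these inputs the loop leaves on the edi test after two passes, one pass before ebx reaches [ebp-10], which is why the third dword keeps whatever was on the stack.
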
hepL3r Posted March 30, 2012

yeah after testing some other serials I found out that there is a bug but I didn't work on this so much

@Levis: waiting for new keygen me