Jump to content
Tuts 4 You

[Keygenme] Keygenme #2 - Levis


Levis

Recommended Posts

DE!MCC

1E38743884D4444

Here's a quick and dirty keygen with Lazarus/Freepascal source included.

I think there's a bug in your keygen. In some cases there's an array item that doesn't get filled up but is used in further calculations.. I don't know if its on purpose or not.. that why i manually nserted this value (0x4365F7) into the calculations array (see source).

00466E10  |>  8B45 FC	   /mov	 eax, dword ptr [ebp-4]
00466E13 |. |0FB64438 FF |movzx eax, byte ptr [eax+edi-1]
00466E18 |. |8B55 FC |mov edx, dword ptr [ebp-4]
00466E1B |. |0FB6541A FF |movzx edx, byte ptr [edx+ebx-1]
00466E20 |. |03C2 |add eax, edx
00466E22 |. |89849D 10F8FF>|mov dword ptr [ebp+ebx*4-7F0], eax
00466E29 |. |43 |inc ebx
00466E2A |. |4F |dec edi
00466E2B |. |3B5D F0 |cmp ebx, dword ptr [ebp-10]
00466E2E |. |74 08 |je short 00466E38
00466E30 |. |8B45 F0 |mov eax, dword ptr [ebp-10]
00466E33 |. |40 |inc eax
00466E34 |. |3BF8 |cmp edi, eax
00466E36 |.^\75 D8 \jnz short 00466E10
00466E38 |> 8B45 FC mov eax, dword ptr [ebp-4]
00466E3B |. 8B55 F0 mov edx, dword ptr [ebp-10]
00466E3E |. 0FB64410 FF movzx eax, byte ptr [eax+edx-1]
00466E43 |. 8B55 FC mov edx, dword ptr [ebp-4]
00466E46 |. 8B4D F0 mov ecx, dword ptr [ebp-10]
00466E49 |. 0FB6140A movzx edx, byte ptr [edx+ecx]
00466E4D |. 03C2 add eax, edx
00466E4F |. 8B55 F0 mov edx, dword ptr [ebp-10]
00466E52 |. 898495 10F8FF>mov dword ptr [ebp+edx*4-7F0], eax[/font]

Gives :

0012EE4C CC 00 00 00 CC 00 00 00 F7 65 43 00 CC 00 00 00 Ì...Ì...÷eC.Ì...

Thanks!

KeyGenMe#2.rar

Edited by DE!
  • Like 1
Link to comment

Oh, many thank for trying this, DE!. Really have a bug in my keygenme. But, in my code, i can't realize it :). Thank for your information

and HepL3R too, all of you did a great job, which incredible speed.

Best of luck :)

Link to comment

My contribution....

semttulocw.png


@keygenme_00466EAB:
MOV EAX, DWORD PTR DS:[EBX]
ADD DWORD PTR SS:[EBP-0Ch], EAX
LEA ECX, DWORD PTR SS:[EBP-0FC4h]
MOV EDX, 1
MOV EAX, DWORD PTR DS:[EBX]
CALL @keygenme_00408294 ;<= Jump/Call Address Not Resolved
MOV EAX, DWORD PTR SS:[EBP-0FC4h]
CALL @keygenme_004044DC ;<= Jump/Call Address Not Resolved
ADD DWORD PTR SS:[EBP-018h], EAX
LEA ECX, DWORD PTR SS:[EBP-0FC8h]
MOV EDX, 1
MOV EAX, DWORD PTR DS:[EBX]
CALL @keygenme_00408294 ;<= Jump/Call Address Not Resolved
MOV EDX, DWORD PTR SS:[EBP-0FC8h]
LEA EAX, DWORD PTR DS:[ESI+031Ch]
CALL @keygenme_004044E4 ;<= Jump/Call Address Not Resolved
ADD EBX, 4
DEC DWORD PTR SS:[EBP-01Ch]
JNZ @keygenme_00466EAB

Serial

Code:

9530604491346744594333243

332 + 9530604491346744594333243 + 43

33295306044913467445943

DS:[01D22308]=01D2467C, (ASCII "33295306044913467445943")

Link to comment

Oh, many thank for trying this, DE!. Really have a bug in my keygenme. But, in my code, i can't realize it smile.png. Thank for your information

and HepL3R too, all of you did a great job, which incredible speed.

Best of luck smile.png

When you try "fffffff" as registration name this happens :

00466E10 |> 8B45 FC /mov eax, dword ptr [ebp-4]

00466E13 |. |0FB64438 FF |movzx eax, byte ptr [eax+edi-1]

00466E18 |. |8B55 FC |mov edx, dword ptr [ebp-4]

00466E1B |. |0FB6541A FF |movzx edx, byte ptr [edx+ebx-1]

00466E20 |. |03C2 |add eax, edx

00466E22 |. |89849D 10F8FF>|mov dword ptr [ebp+ebx*4-7F0], eax <---- Full up array

00466E29 |. |43 |inc ebx

00466E2A |. |4F |dec edi

00466E2B |. |3B5D F0 |cmp ebx, dword ptr [ebp-10]

00466E2E |. |74 08 |je short 00466E38

00466E30 |. |8B45 F0 |mov eax, dword ptr [ebp-10]

00466E33 |. |40 |inc eax

00466E34 |. |3BF8 |cmp edi, eax

00466E36 |.^\75 D8 \jnz short 00466E10

Initially this buffer has the following content :

0012EE4C AE 0F 3D 00 D0 0A 96 00 F7 65 43 00 80 EE 12 00

0012EE5C 0E 66 43 00 16 66 43 00 1C EF 12 00 20 66 43 00

After the above code you'll get this :

0012EE4C CC 00 00 00 CC 00 00 00 F7 65 43 00 80 EE 12 00

0012EE5C 0E 66 43 00 16 66 43 00 1C EF 12 00 20 66 43 00

The next piece of code will add the last dword to the array :

00466E38 |> \8B45 FC mov eax, dword ptr [ebp-4]

00466E3B |. 8B55 F0 mov edx, dword ptr [ebp-10]

00466E3E |. 0FB64410 FF movzx eax, byte ptr [eax+edx-1]

00466E43 |. 8B55 FC mov edx, dword ptr [ebp-4]

00466E46 |. 8B4D F0 mov ecx, dword ptr [ebp-10]

00466E49 |. 0FB6140A movzx edx, byte ptr [edx+ecx]

00466E4D |. 03C2 add eax, edx

00466E4F |. 8B55 F0 mov edx, dword ptr [ebp-10]

00466E52 |. 898495 10F8FF>mov dword ptr [ebp+edx*4-7F0], eax

And your buffer becomes :

0012EE4C CC 00 00 00 CC 00 00 00 F7 65 43 00 CC 00 00 00

0012EE5C 0E 66 43 00 16 66 43 00 1C EF 12 00 20 66 43 00

Those values are then being used in the next part :

00466E59 |> \BB 01000000 mov ebx, 1

00466E5E |. BF 01000000 mov edi, 1

00466E63 |> 8B849D 10F8FF>/mov eax, dword ptr [ebp+ebx*4-7F0]

00466E6A |. 8984BD 40F0FF>|mov dword ptr [ebp+edi*4-FC0], eax

00466E71 |. 8B45 EC |mov eax, dword ptr [ebp-14]

00466E74 |. 2BC3 |sub eax, ebx

00466E76 |. 8B55 FC |mov edx, dword ptr [ebp-4]

00466E79 |. 0FB64402 FF |movzx eax, byte ptr [edx+eax-1]

00466E7E |. 8984BD 44F0FF>|mov dword ptr [ebp+edi*4-FBC], eax

00466E85 |. 83C7 02 |add edi, 2

00466E88 |. 43 |inc ebx

00466E89 |. 8B45 F0 |mov eax, dword ptr [ebp-10]

00466E8C |. 40 |inc eax

00466E8D |. 3BD8 |cmp ebx, eax

00466E8F |.^ 75 D2 \jnz short 00466E63

So this "0x004365f7" is also used within the serial calculation but is never actually initialised

If you run this through the keygen without anticipating on this you wil get the following serial :

Name : fffffff

Serial : 117C06CC66CC6611787066CC66

Which doesn't work. when inserting this value before making our serial calculations you'll get this :

Name : fffffff

Serial : 43698DCC66CC664365F766CC66

And that one works.. So there's a possible bug smile.png

It only happens with a small number of names..

@ hepL3r :

When entering "fffffff", "ffffffff", "fffffffffff" and so on in your keygen you get "00066" as serial number...

The same with "[DE!MCC]".. You'll get "0005B" as serial...

Edited by DE!
Link to comment

yeah after testing some other serials I found out that there is a bug but I didn't work on this so much :P

@Levis:

waiting for new keygen me :)

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...