Tuts 4 You

Keygenme MT01


Go to solution Solved by KesMezar,

Recommended Posts

tarequl.hassan
Posted

Keygenme MT01


Hi

I found this keygenme on my hard drive; it is from CIN1TEAM and was created by MR. Teo.

Thought this might help someone to test his keygenning skill.

 

Thanks


 

Posted (edited)
Spoiler

Name:kesmezar Serial:F6DL-TUTS-4YOU  or kesmezar KESM-0000-0000

0046CE3C     E8 1BFCFFFF         CALL 0046CA5C
0046CE41     33F8                XOR EDI, EAX
0046CE43     3375 EC             XOR ESI, DWORD PTR SS:[EBP-14]
0046CE46     3BFE                CMP EDI, ESI ->main compare

It uses Kao's Base33 algorithm -> https://forum.tuts4you.com/topic/42890-base33-algo/?tab=comments#comment-208007

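Serial format: XXXX-XXXX-XXXX -> PART1-PART2-PART3

base33encode(NAME (4 chars, upper-cased)) XOR base33encode(reversed PART2) = A

base33encode(PART1) XOR base33encode(PART3) = B

If A = B, the serial is accepted. (Here "base33encode" means turning a 4-character string into a number; the keygen source posted further down names that routine Base33Decode.)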

The keygen can be written when there is time.

 

 

 

Edited by k3s_m3z4r
johnfkingzton
Posted

Got this far

APPLE.png.3845ee137325bf927f7abea67f97b27f.png

  • Like 1
  • Solution
Posted

Generating code could be shorter, at least this time I didn't use an external rc file.

kgn.bat

;@echo off
;goto KesMezar

.686
.MODEL      flat, stdcall
OPTION      casemap:none
include \MASM32\INCLUDE\dialogs.inc
include \MASM32\INCLUDE\windows.inc
include \MASM32\INCLUDE\user32.inc
include \MASM32\INCLUDE\kernel32.inc
include \MASM32\INCLUDE\shell32.inc
include \MASM32\INCLUDE\comctl32.inc
include \MASM32\INCLUDE\comdlg32.inc
includelib \MASM32\LIB\user32.lib
includelib \MASM32\LIB\kernel32.lib
includelib \MASM32\LIB\shell32.lib
includelib \MASM32\LIB\comctl32.lib
includelib \MASM32\LIB\comdlg32.lib

; FUNC - lets an API call be written inline as an operand.
; It expands to `invoke <parameters>` and then substitutes the text `eax`,
; so `mov x, FUNC(Api, a)` assembles as `invoke Api, a` / `mov x, eax`.
FUNC MACRO parameters:VARARG
  invoke parameters
  EXITM <eax>
ENDM

WndProc        PROTO :HWND,:UINT,:WPARAM,:LPARAM
keygengenerate PROTO :HWND
randomizechar  PROTO :DWORD,:DWORD
ReverseString  PROTO :DWORD,:DWORD
Base33Decode   PROTO :DWORD
Base33Encode   PROTO :DWORD,:DWORD

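.CONST
KEYGEN_ICON = 200               ; not referenced in this listing; the code loads icon id 500

.DATA
; Base33 digit set: 33 symbols (A-Z without I and O, then 1-9).
; A symbol's position in this string is its digit value.
alphabet    db 'ABCDEFGHJKLMNPQRSTUVWXYZ123456789',0
; 61-symbol pool that randomizechar indexes with (RDTSC value mod 61).
alphtrnd    db 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789',0

.DATA?
hInstance   DD ?
CommandLine DD ?                ; not referenced in this listing
hIcon       DD ?

; Both buffers were declared `dd ?` (4 bytes), although keygengenerate hands
; `names` to GetDlgItemText with a 50h-character limit and formats the
; 14-character serial plus its NUL into `serial`. Each of those writes ran
; past the variable into whatever .DATA? storage follows it (including the
; part buffers that the same wsprintf call reads from). They are sized for
; those writes here.
serial      db 32 dup(?)
names       db 50h dup(?)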

.CODE
  start:
    ; Program entry point: cache the module handle and the icon (resource
    ; id 500), run the dialog, then exit with whatever WinMain left in eax.
    invoke  GetModuleHandle, NULL
    mov     hInstance, eax
    invoke  LoadIcon, hInstance, 500
    mov     hIcon, eax
    call    WinMain
    invoke  ExitProcess, eax

; WinMain - describes the keygen dialog with the dialogs.inc macros and runs
; it modally, with WndProc as the dialog procedure.
; Control ids used elsewhere in this file: 1002 = name edit, 1004 = serial
; edit, 1005 = Generate button, 1006 = Exit button.
; NOTE(review): in the Dialog line the 7 is presumably the control count
; (seven Dlg* controls follow) and 1024 the template buffer size - confirm
; against dialogs.inc.
WinMain proc  
    Dialog    "KeygenForTuts4you","MS Sans Serif",10, \  
              WS_VISIBLE or WS_CAPTION or WS_SYSMENU or DS_CENTER, \
              7, \                        
              128, 128, 106, 75, \     
              1024                      
    DlgStatic "&Name:",WS_VISIBLE,3,2,22,8,1001
    	DlgEdit WS_VISIBLE or WS_BORDER,3,10,100,10,1002
    DlgStatic "&Serial:",WS_VISIBLE,3,23,22,8,1003  
    	DlgEdit WS_VISIBLE or WS_BORDER,3,31,100,10,1004
    DlgButton "&Generate",1,3,45,100,10,1005
    DlgButton "&Exit", 1,3,60,100,10,1006
	DlgIcon   500,-15,0,500
    ; Whatever the dialog call leaves in eax is returned to start, which
    ; passes eax on to ExitProcess.
    CallModalDialog hInstance,0,WndProc,NULL
    RET
WinMain endp
; WndProc - dialog procedure for the keygen window.
;   WM_INITDIALOG       : loads icon 500 and sets it with WM_SETICON (wParam 0)
;   WM_COMMAND, id 1005 : runs keygengenerate for this dialog
;   WM_COMMAND, id 1006 : closes the dialog
;   WM_CLOSE            : closes the dialog
; Every path returns 0 in eax.
WndProc proc hWin:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
    cmp     uMsg, WM_INITDIALOG
    je      on_init
    cmp     uMsg, WM_COMMAND
    je      on_command
    cmp     uMsg, WM_CLOSE
    je      close_dialog
    jmp     finished

on_init:
    invoke  LoadIcon, hInstance, 500
    invoke  SendMessage, hWin, WM_SETICON, 0, eax
    jmp     finished

on_command:
    ; the whole wParam is compared with the control id, as in the original
    cmp     wParam, 1005
    jne     not_generate
    invoke  keygengenerate, hWin
    jmp     finished
not_generate:
    cmp     wParam, 1006
    jne     finished

close_dialog:
    invoke  EndDialog, hWin, 0

finished:
    xor     eax, eax
    ret
  WndProc endp
 
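; keygengenerate - builds one "PART1-PART2-PART3" serial for the name typed
; into edit control 1002 and shows it in edit control 1004.
;   In : hWin = dialog window handle
;   Out: eax = 0 on the success path; on the name-length error path eax is
;        whatever SetDlgItemText returned.
; Scheme: A = dec(NAME) xor dec(reverse(PART2)); PART1 and PART2 are random,
; PART3 = enc(dec(PART1) xor A), so dec(PART1) xor dec(PART3) equals A.
keygengenerate	PROC	uses ebx edi esi hWin:DWORD
LOCAL namea:DWORD
.data
serF db "%s-%s-%s",0
namerr db "4 letters is enough!!! ",0 
.data?
part2 dd 8 dup(?)
; Was `dd ?` (4 bytes): ReverseString stores 4 characters plus a NUL here,
; so the old declaration was overrun by one byte.
revpart2 db 8 dup(?)
part1 dd 8 dup(?)
part3 dd 8 dup(?)
xorsonA dd 8 dup(?)
.code
    ; NOTE(review): `names` and `serial` are file-scope buffers. This call
    ; lets up to 50h bytes be stored in `names`, and the wsprintf below
    ; stores 15 bytes in `serial`; both declarations must be at least that
    ; large, otherwise these writes overrun them.
    invoke GetDlgItemText,hWin,1002,addr names,50h
    .if eax != 4                        ; only exactly 4 characters are accepted
        invoke SetDlgItemText, hWin, 1004, ADDR namerr
        ret
    .endif
    invoke CharUpper,addr names
    invoke Base33Decode,addr names
    mov namea,eax

kontrol:
    ; Retry point: taken again whenever the value for PART3 does not fit in
    ; four base-33 digits. The loop has no retry limit.
    invoke randomizechar,addr part2,4
    invoke ReverseString,addr part2,addr revpart2
    invoke Base33Decode,addr revpart2
    xor eax,namea
    mov xorsonA,eax                     ; A
    invoke randomizechar,addr part1,4
    invoke Base33Decode,addr part1
    xor eax,xorsonA                     ; value PART3 has to decode to
    ; 33^4 = 121881h, so 0..121880h fit in four digits. The `>=` test also
    ; discards 121880h itself, which only costs one extra retry.
    .if eax >= 121880h
        jmp kontrol
    .endif
    invoke Base33Encode,eax,addr part3
    ; Base33Encode stores four characters and no terminator; terminate the
    ; string explicitly before it is used with %s instead of relying on the
    ; buffer still being zero.
    mov byte ptr [part3+4],0
    invoke wsprintf,addr serial,addr serF,addr part1,addr part2,addr part3
    invoke SetDlgItemText,hWin,1004,addr serial
    xor eax,eax
    ret
keygengenerate endp  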
  
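; randomizechar - writes `lens` characters picked from alphtrnd, followed by
; a NUL, to the buffer at `sonuc`.
;   In : sonuc = destination buffer (needs lens+1 bytes), lens = count
;   Out: eax = wsprintf's return value, or 0 when lens is rejected
; The characters come from RDTSC modulo 61. That is a timestamp, not a
; cryptographic random source; here it only has to pick arbitrary symbols.
randomizechar	PROC uses ebx edi esi sonuc:DWORD,lens:DWORD
.data
fmt db "%s",0
.data?
randomson dd 100 dup (?)
.code
    ; Reject counts the scratch buffer cannot hold. With lens = 0 the
    ; post-tested loop below would otherwise run until ecx wrapped around,
    ; writing far beyond randomson.
    mov     eax, lens
    .if eax == 0 || eax >= sizeof randomson
        mov     eax, sonuc
        mov     byte ptr [eax], 0       ; hand back an empty string
        xor     eax, eax
        ret
    .endif

    xor     ecx, ecx
    .repeat
        rdtsc                           ; edx:eax = time-stamp counter
        xor     edx, edx                ; keep only the low 32 bits as dividend
        mov     ebx, 61                 ; number of symbols in alphtrnd
        div     ebx                     ; edx = index 0..60
        movzx   eax, byte ptr [alphtrnd+edx]
        mov     byte ptr [randomson+ecx], al
        inc     ecx
    .until ecx == lens

    ; Terminate explicitly: the buffer is reused between calls, so a shorter
    ; request after a longer one would otherwise keep the old tail.
    mov     byte ptr [randomson+ecx], 0
    invoke  wsprintf,sonuc,addr fmt,addr randomson
    ret
randomizechar endp 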
  
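; IndexOf - position of a character in the 33-symbol `alphabet`.
;   In : charToFind = character in the low byte
;   Out: eax = index 0..32, or 0 when the character is not in the alphabet
;        (so "not found" is indistinguishable from 'A', as in the original)
IndexOf proc uses ebx charToFind:DWORD
    mov     ebx, [charToFind]
    xor     eax, eax
@@:
    cmp     alphabet[eax], bl
    je      @exit
    inc     eax
    cmp     eax, 33
    ; was `jbe`: that also compared index 33, the string's NUL terminator,
    ; so a NUL input byte came back as the out-of-range digit value 33
    jb      @B
    xor     eax, eax                    ; not found
@exit:
    ret
IndexOf endp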
; Base33Decode - converts exactly four characters at encodedString into a
; number, most significant digit first: value = value*33 + IndexOf(char).
; Always reads four bytes; it does not look for a terminator.
;   Out: eax = decoded value
Base33Decode proc uses esi edi ebx encodedString:DWORD
    mov     esi, [encodedString]        ; esi = read cursor
    xor     edi, edi                    ; edi = accumulated value
    mov     ebx, 4                      ; ebx = digits still to read
@@:
    imul    edi, edi, 33
    movzx   eax, byte ptr [esi]
    inc     esi
    invoke  IndexOf, eax
    add     edi, eax
    dec     ebx
    jnz     @B
    mov     eax, edi
    ret
Base33Decode endp
; Base33Encode - writes `number` as four base-33 digits to encodedString,
; least significant digit at offset 3. No terminator is stored, and any part
; of the number beyond four digits is dropped.
;   Out: eax = number divided by 33 four times
Base33Encode proc uses esi edi ebx number:DWORD, encodedString:DWORD
    mov     edi, [encodedString]
    mov     eax, [number]
    mov     esi, 33                     ; divisor
    mov     ecx, 4                      ; digits left; also offset+1 of next slot
@@:
    xor     edx, edx
    div     esi                         ; eax = quotient, edx = digit value
    mov     bl, alphabet[edx]
    mov     byte ptr [edi+ecx-1], bl
    dec     ecx
    jnz     @B
    ret
Base33Encode endp  
  
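; ReverseString - copies the NUL-terminated string at insrc to outsrc in
; reverse order. outsrc needs strlen(insrc)+1 bytes.
; esi and edi are callee-saved under stdcall; the original used them without
; saving, so they are now listed in `uses`.
ReverseString proc uses esi edi insrc:DWORD, outsrc:DWORD
    mov     esi, insrc
    mov     edi, outsrc
    xor     ecx, ecx
@@: cmp     byte ptr [esi+ecx], 0
    lea     ecx, [ecx + 1]              ; lea leaves the flags of the cmp intact
    jne     @B
    ; here ecx = length + 1
    mov     byte ptr [edi+ecx-1], 0     ; terminate the output
@@: sub     ecx, 2                      ; ecx = offset of the mirror character
    jl      @F
    mov     ah, byte ptr [esi]
    mov     al, byte ptr [esi+ecx]
    mov     byte ptr [edi], al          ; pair copied crosswise from both ends
    mov     byte ptr [edi+ecx], ah
    inc     esi
    inc     edi
    jmp     @B
@@:
    ret
ReverseString endp  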
 
end start 

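;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
:KesMezar
rem Build step: ML.EXE is given this same .bat file as its MASM source, then
rem LINK.EXE links the resulting object file.
set dosya=kgn
\masm32\Bin\ML.EXE /c /coff /Cp /nologo /I"\masm32\Include" %dosya%.bat
\masm32\Bin\LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"\masm32\Lib" %dosya%.obj
rem Remove only the object file built above; a wildcard delete would also
rem remove unrelated object files from the current directory.
if exist %dosya%.obj del %dosya%.obj
pause
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;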
    

    

 

tarequl.hassan
Posted
2 hours ago, k3s_m3z4r said:

Generating code could be shorter, at least this time I didn't use an external rc file.

kgn.bat


;@echo off
;goto KesMezar

.686
.MODEL      flat, stdcall
OPTION      casemap:none
include \MASM32\INCLUDE\dialogs.inc
include \MASM32\INCLUDE\windows.inc
include \MASM32\INCLUDE\user32.inc
include \MASM32\INCLUDE\kernel32.inc
include \MASM32\INCLUDE\shell32.inc
include \MASM32\INCLUDE\comctl32.inc
include \MASM32\INCLUDE\comdlg32.inc
includelib \MASM32\LIB\user32.lib
includelib \MASM32\LIB\kernel32.lib
includelib \MASM32\LIB\shell32.lib
includelib \MASM32\LIB\comctl32.lib
includelib \MASM32\LIB\comdlg32.lib

; FUNC - lets an API call be written inline as an operand.
; It expands to `invoke <parameters>` and then substitutes the text `eax`,
; so `mov x, FUNC(Api, a)` assembles as `invoke Api, a` / `mov x, eax`.
FUNC MACRO parameters:VARARG
  invoke parameters
  EXITM <eax>
ENDM

WndProc        PROTO :HWND,:UINT,:WPARAM,:LPARAM
keygengenerate PROTO :HWND
randomizechar  PROTO :DWORD,:DWORD
ReverseString  PROTO :DWORD,:DWORD
Base33Decode   PROTO :DWORD
Base33Encode   PROTO :DWORD,:DWORD

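.CONST
KEYGEN_ICON = 200               ; not referenced in this listing; the code loads icon id 500

.DATA
; Base33 digit set: 33 symbols (A-Z without I and O, then 1-9).
; A symbol's position in this string is its digit value.
alphabet    db 'ABCDEFGHJKLMNPQRSTUVWXYZ123456789',0
; 61-symbol pool that randomizechar indexes with (RDTSC value mod 61).
alphtrnd    db 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789',0

.DATA?
hInstance   DD ?
CommandLine DD ?                ; not referenced in this listing
hIcon       DD ?

; Both buffers were declared `dd ?` (4 bytes), although keygengenerate hands
; `names` to GetDlgItemText with a 50h-character limit and formats the
; 14-character serial plus its NUL into `serial`. Each of those writes ran
; past the variable into whatever .DATA? storage follows it (including the
; part buffers that the same wsprintf call reads from). They are sized for
; those writes here.
serial      db 32 dup(?)
names       db 50h dup(?)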

.CODE
  start:
    ; Program entry point: cache the module handle and the icon (resource
    ; id 500), run the dialog, then exit with whatever WinMain left in eax.
    invoke  GetModuleHandle, NULL
    mov     hInstance, eax
    invoke  LoadIcon, hInstance, 500
    mov     hIcon, eax
    call    WinMain
    invoke  ExitProcess, eax

; WinMain - describes the keygen dialog with the dialogs.inc macros and runs
; it modally, with WndProc as the dialog procedure.
; Control ids used elsewhere in this file: 1002 = name edit, 1004 = serial
; edit, 1005 = Generate button, 1006 = Exit button.
; NOTE(review): in the Dialog line the 7 is presumably the control count
; (seven Dlg* controls follow) and 1024 the template buffer size - confirm
; against dialogs.inc.
WinMain proc  
    Dialog    "KeygenForTuts4you","MS Sans Serif",10, \  
              WS_VISIBLE or WS_CAPTION or WS_SYSMENU or DS_CENTER, \
              7, \                        
              128, 128, 106, 75, \     
              1024                      
    DlgStatic "&Name:",WS_VISIBLE,3,2,22,8,1001
    	DlgEdit WS_VISIBLE or WS_BORDER,3,10,100,10,1002
    DlgStatic "&Serial:",WS_VISIBLE,3,23,22,8,1003  
    	DlgEdit WS_VISIBLE or WS_BORDER,3,31,100,10,1004
    DlgButton "&Generate",1,3,45,100,10,1005
    DlgButton "&Exit", 1,3,60,100,10,1006
	DlgIcon   500,-15,0,500
    ; Whatever the dialog call leaves in eax is returned to start, which
    ; passes eax on to ExitProcess.
    CallModalDialog hInstance,0,WndProc,NULL
    RET
WinMain endp
; WndProc - dialog procedure for the keygen window.
;   WM_INITDIALOG       : loads icon 500 and sets it with WM_SETICON (wParam 0)
;   WM_COMMAND, id 1005 : runs keygengenerate for this dialog
;   WM_COMMAND, id 1006 : closes the dialog
;   WM_CLOSE            : closes the dialog
; Every path returns 0 in eax.
WndProc proc hWin:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
    cmp     uMsg, WM_INITDIALOG
    je      on_init
    cmp     uMsg, WM_COMMAND
    je      on_command
    cmp     uMsg, WM_CLOSE
    je      close_dialog
    jmp     finished

on_init:
    invoke  LoadIcon, hInstance, 500
    invoke  SendMessage, hWin, WM_SETICON, 0, eax
    jmp     finished

on_command:
    ; the whole wParam is compared with the control id, as in the original
    cmp     wParam, 1005
    jne     not_generate
    invoke  keygengenerate, hWin
    jmp     finished
not_generate:
    cmp     wParam, 1006
    jne     finished

close_dialog:
    invoke  EndDialog, hWin, 0

finished:
    xor     eax, eax
    ret
  WndProc endp
 
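; keygengenerate - builds one "PART1-PART2-PART3" serial for the name typed
; into edit control 1002 and shows it in edit control 1004.
;   In : hWin = dialog window handle
;   Out: eax = 0 on the success path; on the name-length error path eax is
;        whatever SetDlgItemText returned.
; Scheme: A = dec(NAME) xor dec(reverse(PART2)); PART1 and PART2 are random,
; PART3 = enc(dec(PART1) xor A), so dec(PART1) xor dec(PART3) equals A.
keygengenerate	PROC	uses ebx edi esi hWin:DWORD
LOCAL namea:DWORD
.data
serF db "%s-%s-%s",0
namerr db "4 letters is enough!!! ",0 
.data?
part2 dd 8 dup(?)
; Was `dd ?` (4 bytes): ReverseString stores 4 characters plus a NUL here,
; so the old declaration was overrun by one byte.
revpart2 db 8 dup(?)
part1 dd 8 dup(?)
part3 dd 8 dup(?)
xorsonA dd 8 dup(?)
.code
    ; NOTE(review): `names` and `serial` are file-scope buffers. This call
    ; lets up to 50h bytes be stored in `names`, and the wsprintf below
    ; stores 15 bytes in `serial`; both declarations must be at least that
    ; large, otherwise these writes overrun them.
    invoke GetDlgItemText,hWin,1002,addr names,50h
    .if eax != 4                        ; only exactly 4 characters are accepted
        invoke SetDlgItemText, hWin, 1004, ADDR namerr
        ret
    .endif
    invoke CharUpper,addr names
    invoke Base33Decode,addr names
    mov namea,eax

kontrol:
    ; Retry point: taken again whenever the value for PART3 does not fit in
    ; four base-33 digits. The loop has no retry limit.
    invoke randomizechar,addr part2,4
    invoke ReverseString,addr part2,addr revpart2
    invoke Base33Decode,addr revpart2
    xor eax,namea
    mov xorsonA,eax                     ; A
    invoke randomizechar,addr part1,4
    invoke Base33Decode,addr part1
    xor eax,xorsonA                     ; value PART3 has to decode to
    ; 33^4 = 121881h, so 0..121880h fit in four digits. The `>=` test also
    ; discards 121880h itself, which only costs one extra retry.
    .if eax >= 121880h
        jmp kontrol
    .endif
    invoke Base33Encode,eax,addr part3
    ; Base33Encode stores four characters and no terminator; terminate the
    ; string explicitly before it is used with %s instead of relying on the
    ; buffer still being zero.
    mov byte ptr [part3+4],0
    invoke wsprintf,addr serial,addr serF,addr part1,addr part2,addr part3
    invoke SetDlgItemText,hWin,1004,addr serial
    xor eax,eax
    ret
keygengenerate endp  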
  
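; randomizechar - writes `lens` characters picked from alphtrnd, followed by
; a NUL, to the buffer at `sonuc`.
;   In : sonuc = destination buffer (needs lens+1 bytes), lens = count
;   Out: eax = wsprintf's return value, or 0 when lens is rejected
; The characters come from RDTSC modulo 61. That is a timestamp, not a
; cryptographic random source; here it only has to pick arbitrary symbols.
randomizechar	PROC uses ebx edi esi sonuc:DWORD,lens:DWORD
.data
fmt db "%s",0
.data?
randomson dd 100 dup (?)
.code
    ; Reject counts the scratch buffer cannot hold. With lens = 0 the
    ; post-tested loop below would otherwise run until ecx wrapped around,
    ; writing far beyond randomson.
    mov     eax, lens
    .if eax == 0 || eax >= sizeof randomson
        mov     eax, sonuc
        mov     byte ptr [eax], 0       ; hand back an empty string
        xor     eax, eax
        ret
    .endif

    xor     ecx, ecx
    .repeat
        rdtsc                           ; edx:eax = time-stamp counter
        xor     edx, edx                ; keep only the low 32 bits as dividend
        mov     ebx, 61                 ; number of symbols in alphtrnd
        div     ebx                     ; edx = index 0..60
        movzx   eax, byte ptr [alphtrnd+edx]
        mov     byte ptr [randomson+ecx], al
        inc     ecx
    .until ecx == lens

    ; Terminate explicitly: the buffer is reused between calls, so a shorter
    ; request after a longer one would otherwise keep the old tail.
    mov     byte ptr [randomson+ecx], 0
    invoke  wsprintf,sonuc,addr fmt,addr randomson
    ret
randomizechar endp 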
  
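; IndexOf - position of a character in the 33-symbol `alphabet`.
;   In : charToFind = character in the low byte
;   Out: eax = index 0..32, or 0 when the character is not in the alphabet
;        (so "not found" is indistinguishable from 'A', as in the original)
IndexOf proc uses ebx charToFind:DWORD
    mov     ebx, [charToFind]
    xor     eax, eax
@@:
    cmp     alphabet[eax], bl
    je      @exit
    inc     eax
    cmp     eax, 33
    ; was `jbe`: that also compared index 33, the string's NUL terminator,
    ; so a NUL input byte came back as the out-of-range digit value 33
    jb      @B
    xor     eax, eax                    ; not found
@exit:
    ret
IndexOf endp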
; Base33Decode - converts exactly four characters at encodedString into a
; number, most significant digit first: value = value*33 + IndexOf(char).
; Always reads four bytes; it does not look for a terminator.
;   Out: eax = decoded value
Base33Decode proc uses esi edi ebx encodedString:DWORD
    mov     esi, [encodedString]        ; esi = read cursor
    xor     edi, edi                    ; edi = accumulated value
    mov     ebx, 4                      ; ebx = digits still to read
@@:
    imul    edi, edi, 33
    movzx   eax, byte ptr [esi]
    inc     esi
    invoke  IndexOf, eax
    add     edi, eax
    dec     ebx
    jnz     @B
    mov     eax, edi
    ret
Base33Decode endp
; Base33Encode - writes `number` as four base-33 digits to encodedString,
; least significant digit at offset 3. No terminator is stored, and any part
; of the number beyond four digits is dropped.
;   Out: eax = number divided by 33 four times
Base33Encode proc uses esi edi ebx number:DWORD, encodedString:DWORD
    mov     edi, [encodedString]
    mov     eax, [number]
    mov     esi, 33                     ; divisor
    mov     ecx, 4                      ; digits left; also offset+1 of next slot
@@:
    xor     edx, edx
    div     esi                         ; eax = quotient, edx = digit value
    mov     bl, alphabet[edx]
    mov     byte ptr [edi+ecx-1], bl
    dec     ecx
    jnz     @B
    ret
Base33Encode endp  
  
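; ReverseString - copies the NUL-terminated string at insrc to outsrc in
; reverse order. outsrc needs strlen(insrc)+1 bytes.
; esi and edi are callee-saved under stdcall; the original used them without
; saving, so they are now listed in `uses`.
ReverseString proc uses esi edi insrc:DWORD, outsrc:DWORD
    mov     esi, insrc
    mov     edi, outsrc
    xor     ecx, ecx
@@: cmp     byte ptr [esi+ecx], 0
    lea     ecx, [ecx + 1]              ; lea leaves the flags of the cmp intact
    jne     @B
    ; here ecx = length + 1
    mov     byte ptr [edi+ecx-1], 0     ; terminate the output
@@: sub     ecx, 2                      ; ecx = offset of the mirror character
    jl      @F
    mov     ah, byte ptr [esi]
    mov     al, byte ptr [esi+ecx]
    mov     byte ptr [edi], al          ; pair copied crosswise from both ends
    mov     byte ptr [edi+ecx], ah
    inc     esi
    inc     edi
    jmp     @B
@@:
    ret
ReverseString endp  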
 
end start 

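;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
:KesMezar
rem Build step: ML.EXE is given this same .bat file as its MASM source, then
rem LINK.EXE links the resulting object file.
set dosya=kgn
\masm32\Bin\ML.EXE /c /coff /Cp /nologo /I"\masm32\Include" %dosya%.bat
\masm32\Bin\LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"\masm32\Lib" %dosya%.obj
rem Remove only the object file built above; a wildcard delete would also
rem remove unrelated object files from the current directory.
if exist %dosya%.obj del %dosya%.obj
pause
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;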
    

    

 

Perfect solution. Now shall you write a Tutorial?

tarequl.hassan
Posted
21 hours ago, johnfkingzton said:

Got this far

APPLE.png.3845ee137325bf927f7abea67f97b27f.png

Write a Tutorial with keygen and keygen sourcecode.

Thanks

  • 9 months later...
Sean the hard worker
Posted

Can you write the tutorial for us?

Thank you in advance.

regards.

sean.

