Ziggy Posted May 21, 2005

For anyone wanting to start KeyGenning, here is another very simple KeyGenMe to learn the basics on. Some found keygenme#1 too hard when it came to writing the MASM code, so this keygenme is even simpler.

Ziggy's KeyGenMe#0 - very easy - about as simple as they get.

The registration algorithm is simple and has been ripped from a real app - CTP Software Find It! 1.09. As far as I could make it, the registration algo code is the same as the real app. If you write your own keygen, you can use it on the real app. By following this tutorial, you will easily recognise the algo code in the real app.

This KeyGenMe is a learning opportunity and the aim is to provide help step by step. Best learning is when you understand and do it yourself.

What You Need
- Download the ZiggysKeyGenMe#0.zip file (install notes included)
- OllyDbg 1.10 (all the help etc. will be based on this). You need to know the basics of how to use it.
- Masm32 v8.2 (to write and assemble your KeyGen). You can get this from www.masm32.com. MASM32 is not a real beginner's package, so you need at least some basic understanding of assembler coding (or be prepared to try the simple examples in the MASM package and learn). You will not have to write much code for this KeyGenMe#0.

How to get Help
I will post help in stages - the first topic is "Getting Started", included in the download. Message me if you're stuck - I'll try my best to help those wanting to learn.

Ok I KeyGen'ed it - now what?
Post your solution and tutorial. The idea here is to help others.

Happy Keygenning
Ziggy

Ziggyskeygenme_0.zip
Jada^AoC Posted May 21, 2005

Nice one

Quick Tutorial
-=-=-=-=-=-=-

Ok, first of all we load the keygenme#0.exe into Olly and let it run with F9. After this we enter our fake details to register. I will use this:

NAME  : Jada^AoC
SERIAL: 1234567890

Now we go back in Olly and put a bp on GetDlgItemTextA. After pressing the "Register" button Olly will break here:

00401172  .  E8 93020000    CALL <JMP.&user32.GetDlgItemTextA>   ; \GetDlgItemTextA
00401177  .  6A 50          PUSH 50                              ; /Count = 50 (80.)
00401179  .  68 9A334000    PUSH keygenMe.0040339A               ; |Buffer = keygenMe.0040339A
0040117E  .  68 EA030000    PUSH 3EA                             ; |ControlID = 3EA (1002.)
00401183  .  FF35 54374000  PUSH DWORD PTR DS:[403754]           ; |hWnd = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
00401189  .  E8 7C020000    CALL <JMP.&user32.GetDlgItemTextA>   ; \GetDlgItemTextA
0040118E  .  68 9A334000    PUSH keygenMe.0040339A               ; /String = "Jada^AoC"
00401193  .  E8 C0020000    CALL <JMP.&kernel32.lstrlenA>        ; \lstrlenA
00401198  .  0BC0           OR EAX,EAX
0040119A  .  75 1A          JNZ SHORT keygenMe.004011B6
0040119C  .  68 14304000    PUSH keygenMe.00403014               ; /Text = "Please Enter Your Name"
004011A1  .  68 F1030000    PUSH 3F1                             ; |ControlID = 3F1 (1009.)
004011A6  .  FF35 54374000  PUSH DWORD PTR DS:[403754]           ; |hWnd = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
004011AC  .  E8 7D020000    CALL <JMP.&user32.SetDlgItemTextA>   ; \SetDlgItemTextA
004011B1  .  E9 9F010000    JMP keygenMe.00401355
004011B6  >  E8 A1010000    CALL keygenMe.0040135C
004011BB  .  0BC0           OR EAX,EAX
004011BD  .  75 53          JNZ SHORT keygenMe.00401212
004011BF  .  68 EE304000    PUSH keygenMe.004030EE               ; /Text = " :: Ziggy's KeyGenMe #0 - REGISTERED ::"
004011C4  .  FF35 54374000  PUSH DWORD PTR DS:[403754]           ; |hWnd = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
004011CA  .  E8 65020000    CALL <JMP.&user32.SetWindowTextA>    ; \SetWindowTextA
004011CF  .  6A 50          PUSH 50                              ; /Count = 50 (80.)
004011D1  .  68 9A334000    PUSH keygenMe.0040339A               ; |Buffer = keygenMe.0040339A
004011D6  .  68 EA030000    PUSH 3EA                             ; |ControlID = 3EA (1002.)
004011DB  .  FF35 54374000  PUSH DWORD PTR DS:[403754]           ; |hWnd = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
004011E1  .  E8 24020000    CALL <JMP.&user32.GetDlgItemTextA>   ; \GetDlgItemTextA
004011E6  .  68 9A334000    PUSH keygenMe.0040339A               ; /Text = "Jada^AoC"
004011EB  .  68 F0030000    PUSH 3F0                             ; |ControlID = 3F0 (1008.)
004011F0  .  FF35 54374000  PUSH DWORD PTR DS:[403754]           ; |hWnd = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
004011F6  .  E8 33020000    CALL <JMP.&user32.SetDlgItemTextA>   ; \SetDlgItemTextA
004011FB  .  68 A3304000    PUSH keygenMe.004030A3               ; /Text = "Registration Accepted - Thanks for your support"
00401200  .  68 F2030000    PUSH 3F2                             ; |ControlID = 3F2 (1010.)
00401205  .  FF35 54374000  PUSH DWORD PTR DS:[403754]           ; |hWnd = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
0040120B  .  E8 1E020000    CALL <JMP.&user32.SetDlgItemTextA>   ; \SetDlgItemTextA
00401210  .  EB 51          JMP SHORT keygenMe.00401263
00401212  >  68 D3304000    PUSH keygenMe.004030D3               ; /Text = " :: Ziggy's KeyGenMe #0 ::"
00401217  .  FF35 54374000  PUSH DWORD PTR DS:[403754]           ; |hWnd = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
0040121D  .  E8 12020000    CALL <JMP.&user32.SetWindowTextA>    ; \SetWindowTextA
00401222  .  68 79304000    PUSH keygenMe.00403079               ; /Text = "UNREGISTERED"
00401227  .  68 F0030000    PUSH 3F0                             ; |ControlID = 3F0 (1008.)
0040122C  .  FF35 54374000  PUSH DWORD PTR DS:[403754]           ; |hWnd = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
00401232  .  E8 F7010000    CALL <JMP.&user32.SetDlgItemTextA>   ; \SetDlgItemTextA
00401237  .  68 3C364000    PUSH keygenMe.0040363C               ; /Text = " "
0040123C  .  68 F2030000    PUSH 3F2                             ; |ControlID = 3F2 (1010.)
00401241  .  FF35 54374000  PUSH DWORD PTR DS:[403754]           ; |hWnd = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
00401247  .  E8 E2010000    CALL <JMP.&user32.SetDlgItemTextA>   ; \SetDlgItemTextA
0040124C  .  6A 10          PUSH 10                              ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0040124E  .  68 3E364000    PUSH keygenMe.0040363E               ; |Title = " Ziggy's KeyGenMe #0"
00401253  .  68 86304000    PUSH keygenMe.00403086               ; |Text = "Invalid registration details"
00401258  .  FF35 54374000  PUSH DWORD PTR DS:[403754]           ; |hOwner = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
0040125E  .  E8 B9010000    CALL <JMP.&user32.MessageBoxA>       ; \MessageBoxA
...

Now we trace slowly through the code and you will see some interesting things.

0040118E  .  68 9A334000    PUSH keygenMe.0040339A               ; /String = "Jada^AoC"

Yep, that's the name we entered. Now continue tracing until here:

00401198  .  0BC0           OR EAX,EAX
0040119A  .  75 1A          JNZ SHORT keygenMe.004011B6

Ok, EAX=00000008 = our entered name has 8 chars, but if EAX = 0 (0 chars) we get the Msgbox "Please Enter Your Name". Ok, now we jump to a call.

004011B6  >  E8 A1010000    CALL keygenMe.0040135C
004011BB  .  0BC0           OR EAX,EAX
004011BD  .  75 53          JNZ SHORT keygenMe.00401212
004011BF  .  68 EE304000    PUSH keygenMe.004030EE               ; /Text = " :: Ziggy's KeyGenMe #0 - REGISTERED ::"
004011C4  .  FF35 54374000  PUSH DWORD PTR DS:[403754]           ; |hWnd = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
004011CA  .  E8 65020000    CALL <JMP.&user32.SetWindowTextA>    ; \SetWindowTextA
004011CF  .  6A 50          PUSH 50                              ; /Count = 50 (80.)
004011D1  .  68 9A334000    PUSH keygenMe.0040339A               ; |Buffer = keygenMe.0040339A
004011D6  .  68 EA030000    PUSH 3EA                             ; |ControlID = 3EA (1002.)
...

Looks interesting, right? Let us step into this call by pressing F7 and we will land here:

0040135C  /$  8D05 9A334000  LEA EAX,DWORD PTR DS:[40339A]
00401362  |.  A3 34364000    MOV DWORD PTR DS:[403634],EAX
00401367  |.  68 1A364000    PUSH keygenMe.0040361A              ; /String2 = "FIT-"
0040136C  |.  68 56324000    PUSH keygenMe.00403256              ; |String1 = keygenMe.00403256
00401371  |.  E8 DC000000    CALL <JMP.&kernel32.lstrcpyA>       ; \lstrcpyA
00401376  |.  68 9A334000    PUSH keygenMe.0040339A              ; /String = "Jada"
0040137B  |.  E8 D8000000    CALL <JMP.&kernel32.lstrlenA>       ; \lstrlenA
00401380  |.  A3 96334000    MOV DWORD PTR DS:[403396],EAX
00401385  |.  83F8 05        CMP EAX,5
00401388  |.  7C 67          JL SHORT keygenMe.004013F1
0040138A  |.  8D2D 38364000  LEA EBP,DWORD PTR DS:[403638]
00401390  |.  8D3D 96334000  LEA EDI,DWORD PTR DS:[403396]
00401396  |.  52             PUSH EDX
00401397  |.  53             PUSH EBX
00401398  |.  57             PUSH EDI
00401399  |.  51             PUSH ECX
0040139A  |.  50             PUSH EAX
0040139B  |.  BA BCF46A4E    MOV EDX,4E6AF4BC
004013A0  |.  8D5D FC        LEA EBX,DWORD PTR SS:[EBP-4]
004013A3  |.  36:8B3B        MOV EDI,DWORD PTR SS:[EBX]
004013A6  |.  8B4F FC        MOV ECX,DWORD PTR DS:[EDI-4]
004013A9  |.  83E9 03        SUB ECX,3
004013AC  |>  8B07           /MOV EAX,DWORD PTR DS:[EDI]
004013AE  |.  33D0           |XOR EDX,EAX
004013B0  |.  47             |INC EDI
004013B1  |.  49             |DEC ECX
004013B2  |.^ 75 F8          \JNZ SHORT keygenMe.004013AC
004013B4  |.  8955 F8        MOV DWORD PTR SS:[EBP-8],EDX
004013B7  |.  58             POP EAX
004013B8  |.  59             POP ECX
004013B9  |.  5F             POP EDI
004013BA  |.  5B             POP EBX
004013BB  |.  5A             POP EDX
004013BC  |.  8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]
004013BF  |.  50             PUSH EAX                            ; /<%d>
004013C0  |.  68 1F364000    PUSH keygenMe.0040361F              ; |Format = "%d"
004013C5  |.  68 DA344000    PUSH keygenMe.004034DA              ; |s = keygenMe.004034DA
004013CA  |.  E8 29000000    CALL <JMP.&user32.wsprintfA>        ; \wsprintfA
004013CF  |.  83C4 0C        ADD ESP,0C
004013D2  |.  68 DA344000    PUSH keygenMe.004034DA              ; /StringToAdd = "471830476"
004013D7  |.  68 56324000    PUSH keygenMe.00403256              ; |ConcatString = "FIT-471830476"
004013DC  |.  E8 65000000    CALL <JMP.&kernel32.lstrcatA>       ; \lstrcatA
004013E1  |.  68 56324000    PUSH keygenMe.00403256              ; /String2 = "FIT-471830476"
004013E6  |.  68 16314000    PUSH keygenMe.00403116              ; |String1 = "1234567890"
004013EB  |.  E8 5C000000    CALL <JMP.&kernel32.lstrcmpA>       ; \lstrcmpA
004013F0  |.  C3             RETN
004013F1  |>  B8 01000000    MOV EAX,1
004013F6  \.  C3             RETN

Very interesting. Seems that our serial will start with FIT-XXXXXX, our generated serial. But hey, maybe I'm wrong, let us continue tracing.

00401385  |.  83F8 05        CMP EAX,5
00401388  |.  7C 67          JL SHORT keygenMe.004013F1

Well yes, Ziggy wrote not less than 5 chars, so here is the check, ladies and gents. If EAX = 5 or under 5 JL will jump above our routine. Maybe if you are excited you can try to nop the JL and see if you will find a serial for your 5-char name, but this is not our lesson here.

Let's continue.

004013B4  |.  8955 F8        MOV DWORD PTR SS:[EBP-8],EDX

Mmh, interesting. Look at this:

EDX=1C1F8FCC
SS:[00403630]=1C1F8FCC

Not interesting? Sure, if you trace on you will see your serial, but how does it work? Well, Hexadecimal = 1C1F8FCC, but Signed = 471830476. Ok, why? As I told you, it will become your serial. Just continue tracing until here:

004013E1  |.  68 56324000    PUSH keygenMe.00403256              ; /String2 = "FIT-471830476"

Then you will see what I mean. I hope I explained it as well as I can to all of you.

Cheers
J
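The routine traced in the post above is small enough to rewrite in a few lines. The Python below is an added example written for this page; it is not Jada's or Ziggy's code and is not the MASM keygen from the tutorial zips. The constants are read straight off the listing: the serial buffer starts as "FIT-" (lstrcpyA at 00401371), the name must be at least 5 characters (CMP EAX,5 / JL at 00401385, so 5 itself passes), EDX is seeded with 4E6AF4BC, and the loop at 004013AC runs len-3 times, XORing into EDX the little-endian DWORD at every byte offset of the name (EDI is incremented by one, not four, so the reads overlap). The result is printed with wsprintfA's "%d", which treats the register as a signed 32-bit integer, so a name whose hash has the top bit set yields a serial of the form FIT--NNNNNNNNN. The function names, the latin-1 decoding of the dialog text, and the command-line wrapper are my own additions. Run against "Jada^AoC" it reproduces the FIT-471830476 shown in the Olly comments, and it also reproduces the serials Findme and BubbaJones post further down the thread.

```python
import struct
import sys

# Constants recovered from the disassembly of CALL keygenMe.0040135C.
PREFIX = "FIT-"           # lstrcpyA(buf, "FIT-") at 00401371
SEED = 0x4E6AF4BC         # MOV EDX,4E6AF4BC at 0040139B
MIN_NAME_LEN = 5          # CMP EAX,5 / JL -> fail only when len < 5


def fit_hash(name: bytes) -> int:
    """Replay the loop at 004013AC-004013B2.

    ECX = len - 3 iterations; each one XORs the little-endian DWORD at
    name[i] into EDX and advances EDI by a single byte.  The last read
    covers name[len-4:len], so the terminating NUL is never touched.
    """
    if len(name) < MIN_NAME_LEN:
        raise ValueError("name must be at least 5 characters (CMP EAX,5 / JL)")
    edx = SEED
    for i in range(len(name) - 3):
        (dword,) = struct.unpack_from("<I", name, i)
        edx ^= dword
    return edx & 0xFFFFFFFF


def to_signed32(value: int) -> int:
    """wsprintfA("%d", EAX) prints the register as a signed 32-bit int."""
    return value - 0x100000000 if value & 0x80000000 else value


def fit_serial(name: str) -> str:
    """Build the string the target compares against with lstrcmpA."""
    # Assumption: GetDlgItemTextA hands the routine ANSI (single-byte) text.
    raw = name.encode("latin-1")
    return f"{PREFIX}{to_signed32(fit_hash(raw))}"


def check_serial(name: str, serial: str) -> bool:
    """Mirror the target's decision: lstrcmpA == 0 means 'REGISTERED'."""
    try:
        return serial == fit_serial(name)
    except ValueError:          # short name -> MOV EAX,1 -> rejected
        return False


if __name__ == "__main__":
    for n in sys.argv[1:] or ["Jada^AoC"]:
        print(f"{n}: {fit_serial(n)}")
```

Usage: python fit_keygen.py "Jada^AoC" prints the serial to paste into the dialog. If you intend to move this into MASM as Ziggy's help files describe, keep the overlapping DWORD reads and the signed %d formatting exactly as they are; both are easy to "tidy up" by accident and either change breaks every serial.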
tibetti Posted May 21, 2005

Hi, the self keygen is done. I have also packed the self-keygenned file. How about unpacking it and telling me the procedure? Check PM for the link. If anybody else wants to try to unpack it, PM me or Ziggy for the link.
Vepergen Posted May 21, 2005

Jada, I don't think posting the solution the same day the keygenme was out is good for learning something. People should have at least some days for trying it out, and then the solution should be posted.
Teddy Rogers Posted May 22, 2005

If they want to learn they could choose to ignore the solution and work their own way out...

Ted.
Jada^AoC Posted May 23, 2005

Quote: Post your solution and tutorial. Idea here is to help others.

Hehe, you are right Vepergen, sorry about that, but as Ziggy told (see quote) I posted it here only for helping.

Jada^AoC
SuperCRacker Posted May 23, 2005

@Jada: I think you helped with serial fishing, so it's good... the second matter is to code a keygen... So the explanation of the algo will be posted as soon as Ziggy gives us the green light!!
Ziggy (Author) Posted May 23, 2005

Go ahead and post your solutions and tuts if you like. You guys are a hell of a lot faster than me at writing the tutorials. And I think it really helps to give others some different ideas how to go about keygenning.

Regards
Ziggy
Ziggy (Author) Posted May 24, 2005

Here is the next part of the tutorial. It's about understanding the registration procedure.

Keygenme_0_help2.zip
Vepergen Posted May 26, 2005

No problem Jada. I just wanted to say that people should try this without your tut first.
Ziggy (Author) Posted May 26, 2005

Here is the third help file, which describes the Keygenme#0 registration algorithm in detail, step by step. Once you understand what the registration algorithm does, then you can decide how best to keygen it - and that will be in the next help file. If anyone wants to add their own help or tut - go ahead.

Keygenme_0_help3.zip
Ziggy (Author) Posted May 30, 2005

Here is the 4th and last part of the keygenme#0 tutorial. It's about writing and testing the keygen itself and includes a basic MASM template for keygens. The help file includes detailed instructions describing how to rip the algorithm code and get the algorithm working in your keygen.

Keygenme_0_help4.zip
Ziggy (Author) Posted June 3, 2005

Attached is the full tutorial package for Keygenme #0. The package includes all of the files and help info you need to complete the keygenme. Read the Readme in the Zip file!

If anyone gets stuck, message me and I will do my best to help those wanting to learn. Any comments and suggestions are welcome. It would be great to see some aspiring keygeners improve their skills.

Thanks to those SnD members who have given their time to write tutorials and solutions.

Ziggy

ZiggysKeygenme0_Full_Tutorial.zip
Guest Findme Posted August 23, 2005

Findme
FIT-571316221

Very good tutorial, moving on to the next one.
MaRKuS_TH-DJM Posted August 24, 2005

@The Old Pirate: you forgot that a direct call is not an all-system solution. You should always use IAT calls instead of direct calls. It doesn't work here (crash). I guess you are using XP with no SP / SP1.
The Old Pirate Posted August 24, 2005

Thank you, my mistake. I will remember it for the future. Btw, I'm using XP with SP2. Attachment corrected.

keygenMe_0_selfkeygen_fixed_TOP.rar
Guest BooGLE Posted December 27, 2005

Thank you Ziggy, for these nice tutorials, and thank you JaDa for the quick intro, appreciated.
Guest bubbajones Posted June 2, 2006

Cool tutorial. I accidentally did this one after your second keygenme. lol. Made this one seem like cake.

BubbaJones
FIT-270904271