Tuts 4 You

Ziggy's Keygenme #0


Ziggy


For anyone wanting to start KeyGenning here is another very simple KeyGenMe to learn the basics on. Some found keygenme#1 too hard when it came to writing the MASM code - so this keygenme is even simpler :D .

Ziggy's KeyGenMe#0 - very easy - about as simple as they get.

The registration algorithm is simple and has been ripped from a real app - CTP Software Find It! 1.09. As far as I could make it, the registration algo code is the same as the real app. If you write your own keygen, you can use it on the real app. By following this tutorial, you will easily recognise the algo code in the real app.

This KeyGenMe is a learning opportunity and the aim is to provide help step by step. Best learning is when you understand and do it yourself.

What You Need

- Download the ZiggysKeyGenMe#0.zip file (install notes included)

- OllyDbg 1.10 (all the help etc will be based on this). You need to know the basics of how to use it.

- Masm32 v8.2 (to write and assemble your KeyGen). You can get this from www.masm32.com. MASM32 is not a real beginner's package so you need at least some basic understanding about assembler coding (or be prepared to try the simple examples in the MASM package and learn). You will not have to write much code for this KeyGenMe#0.

How to get Help

I will post help in stages - first topic is "Getting Started" included in the download.

Message me if you're stuck - I'll try my best to help those wanting to learn.

Ok I KeyGen'ed it - now what?

Post your solution and tutorial. Idea here is to help others.

Happy Keygenning

Ziggyskeygenme_0.zip


Nice one ;)

Quick Tutorial

-=-=-=-=-=-=-

Ok first of all we load the keygenme#0.exe into Olly and let it run with F9. After this we enter our fake details to register. I will use this:

NAME : Jada^AoC

SERIAL: 1234567890

Now we go back in Olly and put a bp on GetDlgItemTextA. After pressing the "Register" button Olly will break here:

00401172   . E8 93020000    CALL <JMP.&user32.GetDlgItemTextA>      ; \GetDlgItemTextA
00401177   . 6A 50          PUSH 50                                 ; /Count = 50 (80.)
00401179   . 68 9A334000    PUSH keygenMe.0040339A                  ; |Buffer = keygenMe.0040339A
0040117E   . 68 EA030000    PUSH 3EA                                ; |ControlID = 3EA (1002.)
00401183   . FF35 54374000  PUSH DWORD PTR DS:[403754]              ; |hWnd = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
00401189   . E8 7C020000    CALL <JMP.&user32.GetDlgItemTextA>      ; \GetDlgItemTextA
0040118E   . 68 9A334000    PUSH keygenMe.0040339A                  ; /String = "Jada^AoC"
00401193   . E8 C0020000    CALL <JMP.&kernel32.lstrlenA>           ; \lstrlenA
00401198   . 0BC0           OR EAX,EAX
0040119A   . 75 1A          JNZ SHORT keygenMe.004011B6
0040119C   . 68 14304000    PUSH keygenMe.00403014                  ; /Text = "Please Enter Your Name"
004011A1   . 68 F1030000    PUSH 3F1                                ; |ControlID = 3F1 (1009.)
004011A6   . FF35 54374000  PUSH DWORD PTR DS:[403754]              ; |hWnd = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
004011AC   . E8 7D020000    CALL <JMP.&user32.SetDlgItemTextA>      ; \SetDlgItemTextA
004011B1   . E9 9F010000    JMP keygenMe.00401355
004011B6   > E8 A1010000    CALL keygenMe.0040135C
004011BB   . 0BC0           OR EAX,EAX
004011BD   . 75 53          JNZ SHORT keygenMe.00401212
004011BF   . 68 EE304000    PUSH keygenMe.004030EE                  ; /Text = " :: Ziggy's KeyGenMe #0 - REGISTERED ::"
004011C4   . FF35 54374000  PUSH DWORD PTR DS:[403754]              ; |hWnd = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
004011CA   . E8 65020000    CALL <JMP.&user32.SetWindowTextA>       ; \SetWindowTextA
004011CF   . 6A 50          PUSH 50                                 ; /Count = 50 (80.)
004011D1   . 68 9A334000    PUSH keygenMe.0040339A                  ; |Buffer = keygenMe.0040339A
004011D6   . 68 EA030000    PUSH 3EA                                ; |ControlID = 3EA (1002.)
004011DB   . FF35 54374000  PUSH DWORD PTR DS:[403754]              ; |hWnd = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
004011E1   . E8 24020000    CALL <JMP.&user32.GetDlgItemTextA>      ; \GetDlgItemTextA
004011E6   . 68 9A334000    PUSH keygenMe.0040339A                  ; /Text = "Jada^AoC"
004011EB   . 68 F0030000    PUSH 3F0                                ; |ControlID = 3F0 (1008.)
004011F0   . FF35 54374000  PUSH DWORD PTR DS:[403754]              ; |hWnd = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
004011F6   . E8 33020000    CALL <JMP.&user32.SetDlgItemTextA>      ; \SetDlgItemTextA
004011FB   . 68 A3304000    PUSH keygenMe.004030A3                  ; /Text = "Registration Accepted - Thanks for your support"
00401200   . 68 F2030000    PUSH 3F2                                ; |ControlID = 3F2 (1010.)
00401205   . FF35 54374000  PUSH DWORD PTR DS:[403754]              ; |hWnd = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
0040120B   . E8 1E020000    CALL <JMP.&user32.SetDlgItemTextA>      ; \SetDlgItemTextA
00401210   . EB 51          JMP SHORT keygenMe.00401263
00401212   > 68 D3304000    PUSH keygenMe.004030D3                  ; /Text = " :: Ziggy's KeyGenMe #0 ::"
00401217   . FF35 54374000  PUSH DWORD PTR DS:[403754]              ; |hWnd = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
0040121D   . E8 12020000    CALL <JMP.&user32.SetWindowTextA>       ; \SetWindowTextA
00401222   . 68 79304000    PUSH keygenMe.00403079                  ; /Text = "UNREGISTERED"
00401227   . 68 F0030000    PUSH 3F0                                ; |ControlID = 3F0 (1008.)
0040122C   . FF35 54374000  PUSH DWORD PTR DS:[403754]              ; |hWnd = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
00401232   . E8 F7010000    CALL <JMP.&user32.SetDlgItemTextA>      ; \SetDlgItemTextA
00401237   . 68 3C364000    PUSH keygenMe.0040363C                  ; /Text = " "
0040123C   . 68 F2030000    PUSH 3F2                                ; |ControlID = 3F2 (1010.)
00401241   . FF35 54374000  PUSH DWORD PTR DS:[403754]              ; |hWnd = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
00401247   . E8 E2010000    CALL <JMP.&user32.SetDlgItemTextA>      ; \SetDlgItemTextA
0040124C   . 6A 10          PUSH 10                                 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0040124E   . 68 3E364000    PUSH keygenMe.0040363E                  ; |Title = " Ziggy's KeyGenMe #0"
00401253   . 68 86304000    PUSH keygenMe.00403086                  ; |Text = "Invalid registration details"
00401258   . FF35 54374000  PUSH DWORD PTR DS:[403754]              ; |hOwner = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
0040125E   . E8 B9010000    CALL <JMP.&user32.MessageBoxA>          ; \MessageBoxA
...

Now we trace slowly through the code and you will see some interesting things.

0040118E   . 68 9A334000    PUSH keygenMe.0040339A                  ; /String = "Jada^AoC"

Yep that's our Name we entered ;) Now continue tracing until here:

00401198   . 0BC0           OR EAX,EAX
0040119A   . 75 1A          JNZ SHORT keygenMe.004011B6

Ok, EAX=00000008 = our entered name has 8 chars, but if EAX = 0 (0 chars) there is a MsgBox "Please Enter Your Name". Ok, now we jump to a call.

004011B6   > E8 A1010000    CALL keygenMe.0040135C
004011BB   . 0BC0           OR EAX,EAX
004011BD   . 75 53          JNZ SHORT keygenMe.00401212
004011BF   . 68 EE304000    PUSH keygenMe.004030EE                  ; /Text = " :: Ziggy's KeyGenMe #0 - REGISTERED ::"
004011C4   . FF35 54374000  PUSH DWORD PTR DS:[403754]              ; |hWnd = 00160500 (' :: Ziggy's KeyGenMe #0 ::',class='#32770')
004011CA   . E8 65020000    CALL <JMP.&user32.SetWindowTextA>       ; \SetWindowTextA
004011CF   . 6A 50          PUSH 50                                 ; /Count = 50 (80.)
004011D1   . 68 9A334000    PUSH keygenMe.0040339A                  ; |Buffer = keygenMe.0040339A
004011D6   . 68 EA030000    PUSH 3EA                                ; |ControlID = 3EA (1002.)
...

Looks interesting right? Let us step into this Call by pressing F7 and we will land here:

0040135C  /$ 8D05 9A334000  LEA EAX,DWORD PTR DS:[40339A]
00401362  |. A3 34364000    MOV DWORD PTR DS:[403634],EAX
00401367  |. 68 1A364000    PUSH keygenMe.0040361A                  ; /String2 = "FIT-"
0040136C  |. 68 56324000    PUSH keygenMe.00403256                  ; |String1 = keygenMe.00403256
00401371  |. E8 DC000000    CALL <JMP.&kernel32.lstrcpyA>           ; \lstrcpyA
00401376  |. 68 9A334000    PUSH keygenMe.0040339A                  ; /String = "Jada"
0040137B  |. E8 D8000000    CALL <JMP.&kernel32.lstrlenA>           ; \lstrlenA
00401380  |. A3 96334000    MOV DWORD PTR DS:[403396],EAX
00401385  |. 83F8 05        CMP EAX,5
00401388  |. 7C 67          JL SHORT keygenMe.004013F1
0040138A  |. 8D2D 38364000  LEA EBP,DWORD PTR DS:[403638]
00401390  |. 8D3D 96334000  LEA EDI,DWORD PTR DS:[403396]
00401396  |. 52             PUSH EDX
00401397  |. 53             PUSH EBX
00401398  |. 57             PUSH EDI
00401399  |. 51             PUSH ECX
0040139A  |. 50             PUSH EAX
0040139B  |. BA BCF46A4E    MOV EDX,4E6AF4BC
004013A0  |. 8D5D FC        LEA EBX,DWORD PTR SS:[EBP-4]
004013A3  |. 36:8B3B        MOV EDI,DWORD PTR SS:[EBX]
004013A6  |. 8B4F FC        MOV ECX,DWORD PTR DS:[EDI-4]
004013A9  |. 83E9 03        SUB ECX,3
004013AC  |> 8B07           /MOV EAX,DWORD PTR DS:[EDI]
004013AE  |. 33D0           |XOR EDX,EAX
004013B0  |. 47             |INC EDI
004013B1  |. 49             |DEC ECX
004013B2  |.^75 F8          \JNZ SHORT keygenMe.004013AC
004013B4  |. 8955 F8        MOV DWORD PTR SS:[EBP-8],EDX
004013B7  |. 58             POP EAX
004013B8  |. 59             POP ECX
004013B9  |. 5F             POP EDI
004013BA  |. 5B             POP EBX
004013BB  |. 5A             POP EDX
004013BC  |. 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]
004013BF  |. 50             PUSH EAX                                ; /<%d>
004013C0  |. 68 1F364000    PUSH keygenMe.0040361F                  ; |Format = "%d"
004013C5  |. 68 DA344000    PUSH keygenMe.004034DA                  ; |s = keygenMe.004034DA
004013CA  |. E8 29000000    CALL <JMP.&user32.wsprintfA>            ; \wsprintfA
004013CF  |. 83C4 0C        ADD ESP,0C
004013D2  |. 68 DA344000    PUSH keygenMe.004034DA                  ; /StringToAdd = "471830476"
004013D7  |. 68 56324000    PUSH keygenMe.00403256                  ; |ConcatString = "FIT-471830476"
004013DC  |. E8 65000000    CALL <JMP.&kernel32.lstrcatA>           ; \lstrcatA
004013E1  |. 68 56324000    PUSH keygenMe.00403256                  ; /String2 = "FIT-471830476"
004013E6  |. 68 16314000    PUSH keygenMe.00403116                  ; |String1 = "1234567890"
004013EB  |. E8 5C000000    CALL <JMP.&kernel32.lstrcmpA>           ; \lstrcmpA
004013F0  |. C3             RETN
004013F1  |> B8 01000000    MOV EAX,1
004013F6  \. C3             RETN

Very interesting ;) Seems that our serial will start with FIT-XXXXXX, our generated serial. But hey, maybe I'm wrong, let us continue tracing.

00401385  |. 83F8 05        CMP EAX,5
00401388  |. 7C 67          JL SHORT keygenMe.004013F1

Well, yes, Ziggy wrote not less than 5 chars, so here is the check, ladies and gents. If EAX = 5 or under 5, JL will jump above our routine. Maybe if you are excited you can try to nop the JL and see if you will find a serial for your 5-char name ;) but this is not our lesson here. Let's continue.

004013B4  |. 8955 F8        MOV DWORD PTR SS:[EBP-8],EDX

Mmh, interesting. Look at this:

EDX=1C1F8FCC
SS:[00403630]=1C1F8FCC

Not interesting? Sure, if you trace on you will see your serial, but how does it work? Well, hexadecimal = 1C1F8FCC, but signed = 471830476 ;)

Ok, why? As I told you, it will become your serial; just continue tracing until here:

004013E1  |. 68 56324000    PUSH keygenMe.00403256                  ; /String2 = "FIT-471830476"

Then you will see what I mean ;)

I hope I explained it as well as I can to all of you.

Cheers J

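Added example (not code from the original post or from the keygenme itself): a Python model of the check routine at 0040135C as traced above, assuming the name is the ANSI byte string GetDlgItemTextA returns (modelled here as latin-1). It reproduces the EDX value and the "%d" string shown in the trace, and also covers the case the trace does not show: a hash with the top bit set, which wsprintfA prints as a negative number.

```python
"""Model of the keygenme's registration check (routine at 0040135C).

Added example, not the keygenme's own code. Constants and structure are
taken from the disassembly in the post above; the latin-1 encoding of the
name is an assumption standing in for the raw ANSI bytes the dialog returns.
"""
import struct

XOR_SEED = 0x4E6AF4BC   # MOV EDX,4E6AF4BC
MIN_NAME_LEN = 5        # CMP EAX,5 / JL -> return 1 (fail)


def name_hash(name: bytes) -> int:
    """Replicates the loop at 004013AC..004013B2.

    ECX = lstrlen(name) - 3, EDI walks the name one byte at a time and each
    4-byte little-endian window at EDI is XORed into EDX. Reads are in-bounds:
    the last window ends exactly on the last character of the name.
    """
    if len(name) < MIN_NAME_LEN:
        raise ValueError("name shorter than 5 chars: routine fails early")
    edx = XOR_SEED
    for offset in range(len(name) - 3):
        window, = struct.unpack_from("<I", name, offset)
        edx ^= window
    return edx & 0xFFFFFFFF


def to_signed32(value: int) -> int:
    """wsprintfA("%d", dword) formats the register as a signed 32-bit int."""
    return value - (1 << 32) if value & 0x80000000 else value


def expected_serial(name: str) -> str:
    """lstrcpyA("FIT-") followed by lstrcatA of the %d-formatted hash."""
    return "FIT-%d" % to_signed32(name_hash(name.encode("latin-1")))


def check_registration(name: str, serial: str) -> bool:
    """True only where the routine's lstrcmpA returns 0 (registered).

    A name shorter than 5 chars takes the JL at 00401388 and returns 1
    (unregistered) without computing anything.
    """
    try:
        return serial == expected_serial(name)
    except ValueError:
        return False
```

From a design standpoint the serial is a pure function of the user name and a constant embedded in the binary, so anyone who can read the routine can reproduce it; that is what makes this a beginner-level scheme.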

Hi, self keygen is done. I have also packed the self-keygenned file.

How about unpacking it ;) & telling me the procedure :)

Check PM for the link. If anybody else wants to try to unpack, PM me or Ziggy for the link.


Jada, I don't think posting the solution the same day as the keygen was out is good for learning something. People should have at least some days for trying it out, and then the solution should be posted. ;)

Teddy Rogers

If they want to learn they could choose to ignore the solution and work their own way out... :D

Ted.

Post your solution and tutorial. Idea here is to help others.

Hehe, you are right Veperger, sorry about that, but as Ziggy told (see quote) I posted it here only for helping ;)

Jada^AoC

SuperCRacker

@Jada : I think you helped in serial fishing, so it's good ... the second matter is to code a keygen ... So the explanation of the algo will be posted as soon as Ziggy gives us the green light !! :D


Go ahead and post your solutions and tuts if you like. You guys are a hell of a lot faster than me at writing the tutorials. :D

And I think it really helps to give others some different ideas how to go about keygenning.

Regards

Ziggy


Here is the third help file which describes the Keygenme#0 registration algorithm in detail step by step :D .

Once you understand what the registration algorithm does then you can decide how best to keygen it - and that will be in the next help file.

If anyone wants to add their own help or tut - go ahead. :thumbs:

Keygenme_0_help3.zip


Here is the 4th and last part of the keygenme#0 tutorial. It's about writing and testing the keygen itself and includes a basic MASM template for keygens.

The helpfile includes detailed instructions describing how to rip the algorithm code and get the algorithm to work in your keygen :D .

Keygenme_0_help4.zip


Attached is the full tutorial package for Keygenme #0. The package includes all of the files and help info you need to complete the keygenme.

Read the Readme in the Zip file!

If anyone gets stuck, message me and I will do my best to help those wanting to learn. :D

Any comments and suggestions are welcome. It would be great to see some aspiring keygeners improve their skills.

Thanks to those SnD members who have given their time to write tutorials and solutions :thumbs:

Ziggy

ZiggysKeygenme0_Full_Tutorial.zip

MaRKuS_TH-DJM

@The Old Pirate: you forgot that a direct call is not an ALL-system solution. You should always use IAT calls instead of direct calls. It doesn't work here (crash). I guess you are using XP with no SP / SP1.

Guest bubbajones

Cool tutorial. I accidentally did this one after your second keygenme. lol. Made this one seem like cake. :)

BubbaJones

FIT-270904271
