Sunday, March 14, 2010

Keygenme - Find Serials

Kegenme…… This particular piece of code is not packed or protected with anything. So it’s pretty easy getting the keys – find the algorithm and start reading to find what the algo does else we do a serial fishing.
We’ve got the EXE with us and we load them into Olly and see what it has got for us. Yes the same old method of seeing out for the strings and we find this.

We see those TEXT strings there and set BP’s on 00401495 and 00401487 and press F9 to run the program.

Enter fake serials so that we continue debugging the program.

Bad luck with this one and we break on the bad part of the code that will terminate the program.

Without continuing further we analyze which part of the code has brought us here. It’s seen that a JNZ from the address 0401483 has got us here. Just above there is a TEST EAX ,EAX instruction that decides which way our program has to branch – either to the “Good job, now keygen this…” or “No no, try again”. It probably should be the call before it that decides which way our program goes CALL DWORD PTR DS:[<&MSVCRT._mbscmp>]
We can go further up and see there’s a function _itoa that may play a part in generating the key for the input that we have provided. Well before that we can see an IMUL EAX,EAX,0BA2CD0, SAR EAX, 1, ADD EAX, 200H EAX holds the number of characters entered in the “Name” field when it goes into IMUL. The result of that is fed into “_itoa” function. But you can generate a keygen just with this ;)
IMUL EAX,EAX,0BA2CD0HSAR EAX, 1 ADD EAX, 200H But still here is what the function _itoa does from Olly

I’ve managed to write a small keygen in MASM32 that will generate the key for us. Don’t blame me if it doesn’t work though :P

PS: The keygen has been removed from the hosting site by the admins deeming it to be a malware (shame). I will try to post the code when I have time.

No comments:

Post a Comment