News Generator v3.0.17 *KEYGEN*
DISCLAIMER: I AM A NEWBIE REVERSER AS WELL, THUS IT IS VERY, HIGHLY, LIKELY THAT I HAVE MADE A MISTAKE OR TWO, OR THAT I HAVEN'T TAKEN THE "BEST APPROACH" SO, BE WARNED! =)
TOOLS NEEDED - SoftICE Windows Debugger, DJGPP (or some other C compiler)
First thing to do is run the target, a window pops up with three buttons: Ok (greyed out for like 10 secs, lame), Register, and Help. Click on Register and enter in name/dummy reg, for example I entered in metaray / 90210
Click Ok, and we just exit, no box saying invalid serial or anything. Click Register again [and enter your info], and let's set some breakpoints: use GetWindowTextA, hit Ok, we break, hit 'x' to exit sice, we break again, this time when it calls GetWindowTextA on our name. A simple way to crack this would be to get the serial from memory, it's very easy, when you break in you should be looking at the following instructions:
MOV
PUSH
CALL
JMP   // step through the call to here
Now type "d ecx", we see the dummy code we entered in the data window, scroll down about 10 lines, and you will see a long number, yep, it's the real registration number. Mine is metaray / 139805429319182629466950, I enter that in and it says "Thank You for registering" wow, lame. This is all good, we have a registered program, but we want to make a keygen, so we can generate values for any name, and give it out to our stupid friends who don't know how to use softice :))) So, let's do that, delete the registry values for the right key in your registry, and let's continue. Ok, set the breakpoint on GetWindowTextA again, and hit Ok, we break, hit x, break again, this time on the code, now, this time, when we're in sice, we'll locate our NAME in memory, to do this use the following:
s 0 l ffffff 'name'
it should come back with something similar to: PATTERN FOUND AT XXXX:00D34250 <- for me
so, now set a breakpoint on that memory location, we'll use bpr (breakpoint on memory range), use the following:
bpr 00D34250 00D34250+7 rw   // ^addrstart ^addrend ^read/write; we use +7 for the length of our name, you could just as easily use bpm
Now do bc 00 (clear getwindowtexta breakpoint), and exit sice, you should be back at the main screen, click on Register again, and enter in your info, hit Ok, now sice should break and you should be at MOV [EDI], AL
Now, a lot of stuff happens to your name before the "main" algo, I won't go over it all, I'll just explain it in plain english here, without code. First, the program will add "ZA" to the start of your name, making "ZAmetaray", it will then add QS to the end of that, "ZAmetarayQS", it will then add your name to the end of that, making "ZAmetarayQSmetaray", and finally, it seems he's a fan of the honeymooners, as he adds "Bamrightinthekisser" to the end of all that, for "ZAmetarayQSmetarayBamrightinthekisser". The bpr we set will break a total of 20 times before it's done manipulating our name to "ZAmetarayQSmetarayBamrightinthekisser"; the 19th time, stay in SICE, and step through code (F10) until you reach here:
// main algorithm
movsx eax, byte ptr [edi+eax]   // d edi+eax, yes, your name with ZAQS etc, moves the current char to eax
sub eax, 41                     // subtract 0x41 from eax (the hex value of that char of the name)
add esi, eax                    // add it to esi, *NOTE* esi is 0x22 when we enter the loop
inc edi                         // inc edi
inc ecx                         // inc ecx
cmp ecx, 04                     // compare ecx to 04
jl addr                         // if less than, get next char
test esi, esi                   // checks the sign of esi (negative means esi >= 0x80000000)
jge addr                        // if it's not negative, jump past the neg and perform maths on the esi value we got from the first 4 chars
neg esi                         // otherwise we multiply esi by -1
mov eax, esi                    // set eax = esi
mov ecx, 000003e8               // set ecx to 1000
cdq                             // sign-extend eax into edx:eax for idiv
idiv ecx                        // divide edx:eax (esi) by ecx (1000), the remainder is put in edx, check "d edx" < first 3 numbers in regcode
push edx                        // save edx, it's important :)
lea edx, [esp+14]
push addr
push edx
call addr                       // if you want to understand what this call does, trace it ;) what you need to know is eax=3 upon return
add esp, 0c                     // fix stack
lea ecx, [esp+10]
lea eax, [esi*8+esi]            // setting up esi for the next time we go around: eax = esi*9
lea esi, [eax*2+esi]            // more maths on it: esi = eax*2+esi = esi*19
call
mov x,x
mov x,x
cmp edi, esp                    // esp holds length of name, edi = counter we started up in the main algo
jl addr                         // get the next 4 chars ;) notice what ESI equals here, after the maths have been done on it ;) it will affect the next set of 3 reg numbers
So, in english, this is the algorithm... get each letter in our name, subtract 0x41 from its hex value, add it to esi (starts off with 0x22 the very first time only!), increase our counter which makes sure we only get 4 chars at a time, increase the whole routine counter, which checks that we got ALL the chars in our name, compare ecx (the first counter) with 4 (only 4 chars), if it got the 4 values all added up to esi, it jumps, sets eax equal to esi, sets ecx equal to 1000, divides eax by ecx, why 1000?? to ensure that we only have 3 regnumbers for each loop, the remainder gets stored in edx (this is part of the real regcode!) now, all along esi hasn't changed, it now does the following to esi: first, it does maths to eax, eax = 3 on returning from the call above it, it then does esi*8+esi to eax, then with that eax value we do eax*2+esi = NEW esi value (so esi ends up 19 times what it was), we then loop again and add the next 4 chars to esi, come back and divide by 1000 and remainder = next 3 digits in regcode!
One note, make sure you know EDX = HEX VALUE, you gotta convert it to DECIMAL, and that's the 3 digits ;) That's it, you can find my keygen source here: http://sdf.lonestar.org/code/ngrabkey.c ; very ugly/shitty code, but it works! ;)
email me with questions/comments/reporting errors on my tutorials.
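To show how little the check actually depends on, here is the routine above written out in C; this is an added example, not the keygen source the author links above. It keeps the 32-bit wraparound the registers impose, and since the listing does not pin down where the outer loop exits, the number of 3-digit groups is a parameter (an assumption; 8 reproduces the author's own key for metaray). The whole check is an accumulator seeded with 0x22 and multiplied by 19 per group, so anything that can read the name can regenerate the code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Writes `groups` three-digit groups into code and returns the code length (0 on error).
 * Assumption: the listing above does not pin down the outer loop's exit, so the number
 * of groups is a parameter here; 8 reproduces the author's own key for "metaray". */
size_t news_generator_code(const char *name, size_t groups, char *code, size_t codelen)
{
    /* The buffer the program really hashes: "ZA" + name + "QS" + name + "Bamrightinthekisser" */
    char padded[256];
    int n = snprintf(padded, sizeof padded, "ZA%sQS%sBamrightinthekisser", name, name);
    if (n < 0 || (size_t)n >= sizeof padded || groups * 4 > (size_t)n || codelen < groups * 3 + 1)
        return 0;

    uint32_t esi = 0x22;            /* initial esi noted in the listing */
    size_t pos = 0, out = 0;
    for (size_t g = 0; g < groups; g++) {
        /* movsx / sub eax,41 / add esi,eax over 4 chars, wrapping at 32 bits like the asm */
        for (int i = 0; i < 4; i++)
            esi += (uint32_t)((int32_t)(signed char)padded[pos++] - 0x41);
        /* test esi,esi / jge / neg esi: take the absolute value when the sign bit is set */
        if ((int32_t)esi < 0)
            esi = 0u - esi;
        /* mov eax,esi / mov ecx,3e8 / cdq / idiv ecx: edx = esi % 1000, emitted in decimal */
        out += (size_t)snprintf(code + out, codelen - out, "%03u", (unsigned)(esi % 1000u));
        /* lea eax,[esi*8+esi] / lea esi,[eax*2+esi]: esi = 9*esi*2 + esi = 19*esi */
        esi *= 19u;
    }
    return out;
}

/* 1 if the code computed for name (with `groups` groups) equals expected, else 0. */
int check_code(const char *name, size_t groups, const char *expected)
{
    char buf[128];
    return news_generator_code(name, groups, buf, sizeof buf) != 0 && strcmp(buf, expected) == 0;
}

int main(int argc, char **argv)
{
    char buf[128];
    const char *name = argc > 1 ? argv[1] : "metaray";   /* default: the page's example name */
    if (news_generator_code(name, 8, buf, sizeof buf))
        printf("%s / %s\n", name, buf);
    return 0;
}
```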
1.) Advanced Password Generator *CRACK* - metaray!abrams
2.) News Generator v3.0.17 *KEYGEN* - metaray!abrams
3.) Introduction to PAM - Bryan Ericson
4.) Taxonomy of Communications Intelligence - Psyops
5.) A look into Wiretapping - Psyops