MAKING INTERNAL KEYGENS
 
Intro

In this tutorial we will crack Rith's crackme and make an internal key generator for it.
What is an internal key generator? Well, I call it a 'keygen for lazy reversers'. The idea is to patch the program so that it displays the correct serial for you.

TARGET : rith crackme 1.exe

TOOLS USED : Wdasm & HexWorkshop

Why make an internal keygen ?

Well, there are (at least) 2 good reasons:

- You don't have to reverse the algo completely
- You won't make any mistakes re-implementing the algo ;)

Here is an example, and the resulting keygen.

Reversing the code


       004015BC E8E3020000    call 004018A4
       004015C1 8B7E60        mov edi, dword ptr [esi+60]       ;Name
       004015C4 8B5FF8        mov ebx, dword ptr [edi-08]       ;Name length
       004015C7 83FB05        cmp ebx, 00000005                 ;Name length < 5 ?
       004015CA 7C7E          jl 0040164A                       ;Jump to badguy
       004015CC 8B4664        mov eax, dword ptr [esi+64]       ;Serial
       004015CF 89442414      mov dword ptr [esp+14], eax       ;Save the Serial pointer
       004015D3 3958F8        cmp dword ptr [eax-08], ebx       ;Name length = Serial length ?

(*)    004015D6 7572          jne 0040164A                      ;if not, jump to badguy

       004015D8 83FB14        cmp ebx, 00000014                 ;Name length > 14h (20) ?
       004015DB 7F6D          jg 0040164A                       ;if so, jump to badguy
       004015DD 33C9          xor ecx, ecx                      ;counter = 0
       004015DF 85DB          test ebx, ebx
       004015E1 7E54          jle 00401637
       004015E3 8B742410      mov esi, dword ptr [esp+10]       ;Pi (20 digits)

* Referenced by a (U)nconditional or (C)onditional Jump at Address: 00401631(C)

       004015E7 8A040F        mov al, byte ptr [edi+ecx]        ;(ecx)th byte of Name
       004015EA 0FBE2C31      movsx ebp, byte ptr [ecx+esi]     ;(ecx)th digit of Pi
       004015EE 0FBEC0        movsx eax, al
       004015F1 99            cdq
       004015F2 F7FD          idiv ebp                          ;Divide name-byte by Pi-byte
       004015F4 8BC2          mov eax, edx                      ;Move remainder to eax
       004015F6 D1E0          shl eax, 1                        ;remainder * 2

; The code that follows is just some checks and modifications in order to get
; a serial between certain ASCII values (so you can enter it in the proggy)
       004015F8 83F87B        cmp eax, 0000007B
       004015FB 7E03          jle 00401600
       004015FD 83E81A        sub eax, 0000001A

* Referenced by a (U)nconditional or (C)onditional Jump at Address: 004015FB(C)

       00401600 83F841        cmp eax, 00000041
       00401603 7D09          jge 0040160E
       00401605 BA82000000    mov edx, 00000082
       0040160A 2BD0          sub edx, eax
       0040160C 8BC2          mov eax, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address: 00401603(C)

       0040160E 83F85B        cmp eax, 0000005B
       00401611 7E12          jle 00401625
       00401613 83F861        cmp eax, 00000061
       00401616 7D0D          jge 00401625
       00401618 99            cdq
       00401619 BD0A000000    mov ebp, 0000000A
       0040161E F7FD          idiv ebp
       00401620 83C230        add edx, 00000030
       00401623 8BC2          mov eax, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: 00401611(C), 00401616(C)

       00401625 8B542414      mov edx, dword ptr [esp+14]       ;Serial
(**)   00401629 38040A        cmp byte ptr [edx+ecx], al        ;Serial byte = our serial byte ?
(**)   0040162C 751C          jne 0040164A                      ;if not, jump to badguy
       0040162E 41            inc ecx                           ;point to next byte/digit
       0040162F 3BCB          cmp ecx, ebx                      ;all bytes done ?
       00401631 7CB4          jl 004015E7                       ;if not, jump for next byte
(***)  00401633 8B742418      mov esi, dword ptr [esp+18]
       00401637 6A00          push 00000000

* Possible StringData Ref from Data Obj ->"Congratulations!"

       00401639 6834304000    push 00403034
(****) 0040163E 6820304000    push 00403020
       00401643 8BCE          mov ecx, esi
       00401645 E854020000    call 0040189E                     ;Call MessageBoxA

 

Patching the code

To turn this crackme into a keygen, we need to patch the following:

(**)   mov byte ptr [edx+ecx], al     HEX : 38 04 0A 75 1C -> 88 04 11 90 90
(***)  mov byte ptr [edx+ecx], 00h    HEX : 8B 74 24 18    -> C6 04 0A 00
(****) push edx                       HEX : 68 20 30 40 00 -> 52 90 90 90 90

(**)   Saves each byte of the calculated serial to the address EDX+counter
(***)  Adds a NULL string terminator to the serial
(****) Displays the serial in the MessageBox


After patching (**), (***) and (****) we have a very basic, but working, internal keygen.
Now enter your name and a serial of the same length, hit the Register button ... tada ... there is your valid serial!

Have you noticed that we only had to change 14 bytes to turn the proggy into an internal keygen? As I said, this is great for lazy programmers :)

To complete this keygen, let's change the program so that we don't have to enter any serial at all.
NOP the jump at (*), and we're done!
HEX : 75 72 -> 90 90

Name : Detten
Serial : 6|j46j
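As an added example (not part of the original tutorial), here is a Python model of the serial loop from the listing above, plus a small search-and-replace patcher for the byte changes listed under "Patching the code"; it goes one step further than the internal keygen by computing the serial outside the program, so you can confirm what the patched MessageBox should show. It assumes the "Pi (20 digits)" table at [esp+10] holds the ASCII string "31415926535897932384", which reproduces the Name/Serial pair above.

```python
PI_DIGITS = b"31415926535897932384"  # assumed contents of the "Pi (20 digits)" table


def serial_for(name: str) -> str:
    """One serial byte per Name byte, mirroring 004015E7..00401623."""
    data = name.encode("ascii")
    if not 5 <= len(data) <= 20:            # cmp ebx,5 / cmp ebx,14h
        raise ValueError("name must be 5..20 characters")
    out = bytearray()
    for i, ch in enumerate(data):
        v = (ch % PI_DIGITS[i]) * 2         # idiv ebp; mov eax,edx; shl eax,1
        if v > 0x7B:                        # cmp eax,7Bh -> sub eax,1Ah
            v -= 0x1A
        if v < 0x41:                        # cmp eax,41h -> eax = 82h - eax
            v = 0x82 - v
        if 0x5B < v < 0x61:                 # 5Bh < eax < 61h -> make it a digit
            v = v % 10 + 0x30               # idiv by 0Ah; add edx,30h
        out.append(v)                       # zero remainder gives 82h (not typeable)
    return out.decode("latin-1")


def check(name: str, serial: str) -> bool:
    """The crackme's own verdict: equal lengths and every byte equal."""
    try:
        return len(serial) == len(name) and serial_for(name) == serial
    except ValueError:                      # bad length or non-ASCII name
        return False


PATCHES = [  # (old, new) byte strings exactly as listed under "Patching the code"
    (bytes.fromhex("38040A751C"), bytes.fromhex("8804119090")),  # (**)
    (bytes.fromhex("8B742418"), bytes.fromhex("C6040A00")),      # (***)
    (bytes.fromhex("6820304000"), bytes.fromhex("5290909090")),  # (****)
    # (*) 75 72 -> 90 90, with the preceding cmp [eax-08],ebx as context so
    # the two-byte jne is not confused with any other "75 72" in the file
    (bytes.fromhex("3958F87572"), bytes.fromhex("3958F89090")),
]


def apply_patches(image: bytes) -> bytes:
    """Search-and-replace each pattern; refuse if it is absent or ambiguous."""
    buf = bytearray(image)
    for old, new in PATCHES:
        hits = buf.count(old)
        if hits != 1:
            raise ValueError(f"pattern {old.hex()} found {hits} times")
        off = buf.find(old)
        buf[off:off + len(old)] = new
    return bytes(buf)
```

apply_patches() works on the raw file bytes, so it does not need the file offsets that correspond to the virtual addresses in the listing.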


If you have questions about this tutorial or remarks, mail me at Detn@hotmail.com

Greetings,

Detten
Detn@hotmail.com

www.biw-reversing.cjb.net