KeyGENs and more?
The ease of KeyGEN coding


Target: Internet Maniac 1.2
Author: Sumit Birla
Protection: Name/Serial
Tools used - lcc
- SoftICE 4.0
Level ( ) Beginner
(X) Intermediate
( ) Advanced
( ) Expert
Disclaimer

Do I really have to remind you all that by BUYING and NOT stealing the software you use will ensure that these software houses will continue to produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems. BTW, It's illegal to use cracked Software!

If you're looking for cracks or serial numbers from these pages then your wasting your time, try to search elsewhere on the Web under Warez, Cracks, etc.


Well school started today again and before I was getting too busy with it, I just decided writing another tutorial for the people needing knowledge. This time I'll show you people once more that there's really nothing hidden in a program. Everything can be used with the right knowledge for the right solution ... that's enough :)

First of all you have to perform the basic taks (entering the name/serial, tracing a little bit). After you've done this, you'll come accross the following code snippet: 
   :00407E10  83EC20              SUB       ESP,20
   :00407E13  56                  PUSH      ESI
   :00407E14  8B742428            MOV       ESI,[ESP+28]
   :00407E18  56                  PUSH      ESI
   :00407E19  FF1558104100        CALL      [KERNEL32!lstrlen]
   :00407E1F  83F804              CMP       EAX,04
   :00407E22  7D07                JGE       00407E2B
   :00407E24  33C0                XOR       EAX,EAX
   :00407E26  5E                  POP       ESI
   :00407E27  83C420              ADD       ESP,20
   :00407E2A  C3                  RET
   :00407E2B  0FBE4601            MOVSX     EAX,BYTE PTR [ESI+01]
   :00407E2F  0FBE4E02            MOVSX     ECX,BYTE PTR [ESI+02]
   :00407E33  D1E0                SHL       EAX,1
   :00407E35  50                  PUSH      EAX
   :00407E36  0FBE4603            MOVSX     EAX,BYTE PTR [ESI+03]
   :00407E3A  C1E102              SHL       ECX,02
   :00407E3D  51                  PUSH      ECX
   :00407E3E  B90A000000          MOV       ECX,0000000A
   :00407E43  99                  CDQ
   :00407E44  F7F9                IDIV      ECX
   :00407E46  B8A0C634FA          MOV       EAX,FA34C6A0
   :00407E4B  8BCA                MOV       ECX,EDX
   :00407E4D  D3E0                SHL       EAX,CL
   :00407E4F  8D4C240C            LEA       ECX,[ESP+0C]
   :00407E53  50                  PUSH      EAX
   :00407E54  68303B4100          PUSH      00413B30
   :00407E59  51                  PUSH      ECX
   :00407E5A  FF1580114100        CALL      [USER32!wsprintfA]
   :00407E60  8B542440            MOV       EDX,[ESP+40]
   :00407E64  83C414              ADD       ESP,14
   :00407E67  8D442404            LEA       EAX,[ESP+04]
   :00407E6B  52                  PUSH      EDX
   :00407E6C  50                  PUSH      EAX
   :00407E6D  FF1524104100        CALL      [KERNEL32!lstrcmp]
   :00407E73  F7D8                NEG       EAX
   :00407E75  1BC0                SBB       EAX,EAX
   :00407E77  5E                  POP       ESI
   :00407E78  40                  INC       EAX
   :00407E79  83C420              ADD       ESP,20
   :00407E7C  C3                  RET
Somehow after showing the calculation routine it's always getting too easy - and quite boring. Don't you share this thought? Well I'm working on a way to get that changed ... very probably my next tutorial will be of a totally different style :)

So what does all this above routine?
First of all it checks if your enterd name has the right length, which is at least 4 chars. After that small check, it gets the first char of the name and saves it in EAX. Then it gets the second char of the name and saves it in ECX. EAX is then shift left by 1 and the result is saved for later use. Then it gets the third char of the name and saves it in EAX. ECX is shift left by 2 and the result is again saved for later use. Finally ECX is divided by A h and EAX, which has been assigned the value of FA34C6A0 h, is shift left by it.
Then the output is formatted ...

That was again quite simple, right? Well next time I'll choose very probably another way of producing a KeyGEN for a target. As always I've added just the calculation routine's source.

   short int Calculate(HWND hDialog)
   {
    unsigned char name[5]       = {0};
    unsigned char serial[100]   = {0};
    unsigned long EAX           = 0;
    unsigned long ECX           = 0;
    unsigned long EDX           = 0;
    unsigned long S02           = 0;
    unsigned long S03           = 0;
    unsigned long TMP           = 0;
    static HWND hControl;

    hControl = GetDlgItem(hDialog, EDIT_NAME);
    GetWindowText(hControl, &name, 5);
   
    if (strlen(name) < 4)
    {
      hControl = GetDlgItem(hDialog, EDIT_CODE);
      SetWindowText(hControl, "Name must be at least 4 chars long");
      return -1;
    }

    EAX = name[1];
    ECX = name[2];
    EAX = EAX << 1;
    S03 = EAX;
    ECX = ECX << 2;
    S02 = ECX;

    EAX = name[3];
    TMP = EAX / 0x0A;
    EDX = EAX - (TMP * 0x0A);
   
    EAX = 0xFA34C6A0 << EDX;
   
    wsprintf(serial, "%010lu-%lu%lu", EAX, S02, S03);
   
    hControl = GetDlgItem(hDialog, EDIT_CODE);
    SetWindowText(hControl, serial);
   
    return 0;
   }
Feel free to e-mail me feedback, questions or whatever (NO crack requests!!). You can also talk to me on IRC (EFNet) at #ImmortalDescendants, #PhrozenCrew or #cracking4newbies.



Another lesson has just finished. Hopefully you have learned something useful from it! Feel free contacting me anytime ... till next time, I highly recommend you to visit Iczelion's Win32 ASM Site, which is the best source in learning Win32 ASM on the web! Learn how to really code now :)

Greetings (no specific order):

+Aesculapius, +Fravia, +MaLaTTiA, +ORC, +wAj, ^TheDevil, /Miz, ACiD BuRN, aCiDHaC, aDancer, adenozin, alpine, AntiMaterie, AppBusta, Artex, Azrael, Black Check, BJanes, ByteBurn, cALiGo, CoRN2, Carpathia, CrackZ, Crashtest, Cruehead, CyberBobJr, Da GRiM ReaPeR, dbCooper, DEATH, DEZM, DnNuke, douby, duelist, Eternal Bliss, FireWorx, G-RoM, HarvestR, Icecream, Iczelion, Jeff, josephCo, Kaparo, knotty, Kwai_Lo, LagPRO, LaZaRuS, Lord Soth, Lucifer48, MisterE, MiZ, McCodEMaN, Mr. NOP, Mr. WhiTe (WKT), NeuRaL NoiSE, nIabI, NiKai, Nitallica, Nitrus, Noos, Northpole, pain, Pedro, PeeGee, PeeWee, ^PlAyEr^, Predator NLS, Prof. X, Quantico, r4lph, R!SC, Rhytm, rudeboy, Santa Clawz, Scribe, SiONiDE, Steinowitz, Stone, TaG^, TaMaMBoLo, The +Sandman, The AntiXryst, The OWL, Thesmurf, Tin, viny, VisionZ, Vladimir, Volatility, yAtEs, yosh, ytc, WarezPup, WhizKiD, widYa@cL 2011.
Copyright © 1999 by TORN@DO [ID/PC]. All Rights Reversed.
al Bliss, FireWorx, G-RoM, HarvestR, Icecream, Iczelion, Jeff, josephCo, Kaparo, knotty, Kwai_Lo, LagPRO, LaZaRuS, Lord Soth, Lucifer48, MisterE, MiZ, McCodEMaN, Mr. NOP, Mr. WhiTe (WKT), NeuRaL NoiSE, nIabI, NiKai, Nitrus, Noos, Northpole, pain, Pedro, PeeGee, PeeWee, ^PlAyEr^, Predator NLS, Prof. X, Quantico, r4lph, R!SC, Rhytm, rudeboy, Santa Clawz, Scribe, SiONiDE, Steinowitz, Stone, TaG^, TaMaMBoLo, The +Sandman, The AntiXryst, The OWL, Thesmurf, Tin, tKC, viny, VisionZ, Vladimir, Volatility, yAtEs, yosh, ytc, WarezPup, WhizKiD, widYa@cL 2011.