Good evening awesome people. Today I'll tell how I was making a keygen for a simple crackme program. So we'll analyse program algorithm and will cook a keygen that will give us required serial key.
The crackme can be taken from here CrackmeLesson2.exe
OllyDbg can be downloaded from previous tutorial. Я думаю вы уже запускали наш крекми2 и пробовали ввести серийник. Вам выдало сообщение о том что серийный номер неправильный, содержание строчки было "Bad Boy!". Ну вот из этого и начнем. Попробуем найти, какой участок кода ссылается на эту строку. Search for -> All Referenced Text Strings. Среди них будет наше сообщение. Кликните дважды на нем. Text strings referenced in Crackme2:.text, item 6 Address=00401114 Text string=ASCII "Bad Boy!" Смотрим, от кудова будет выполнен прыжок в диалог неправильного серийного номера. Клик правой кнопкой мыши на начало диалога и смотрим откудова будет переход Go to -> JNZ ...
JNZ is an operator of conditional jump to some part of code if zero flag Z is not set. This flag is usually set by some comparisons that will be done before JNZ. Take a look at this part of code:
So, TEST EAX, EAX. This is something that should set our flag Z. To make a jump to our string we need here flag Z to be set to 0 (so it means that Z flag is not set). From googling I found out that TEST EAX, EAX sets Z flag only in case if EAX is equal to 0.
Take a look in the code a little bit above this part. We can see that KERNEL32 is calling lstrcmpA function. MSDN docs say that this one compares two strings. The result of the comparison is written into the EAX register. So lstrcmpA will write 0 into EAX only if both strings are equal. So this is the place where we compare provided serial key with the necessary one. And we also see that String1 and String2 parameters are passed into this function through EDX and ECX registers. And a little bit above that you'll find a code that verifies length of the entered serial key is longer then 4 symbols. The jump that goes over this part code is here: 0040108C JG SHORT Crackme2.004010AE And it goes here: 004010AE XOR ECX,ECX Put a breakpoint here (F2). Lets analyse code flow in the program after this point. Start debugging process by pressing F9. Enter some serial key longer than 4 symbols. Now get back to OllyDbg. Now your are at the breakpoint. It sets our ECX registers to 0 here. Press F8 to move to next command. Now we are at the 004010B0 TEST EAX,EAX Take a look at the registers information (right upper corner of the OllyDbg). Currently EAX is equal set to some number. After several runs I noticed that here EAX contains length of the entered serial key. We know, that TEST EAX, EAX sets 0 flag only if EAX contains 0. As length of the entered serial key is longer than 0 code will not do this jump: 004010B2 JL SHORT Crackme2.004010C0 Lets continue to run debugging by F8. Now we are here: 004010B4 MOVSX EDX,BYTE PTR [ESP+ECX+8] Take a look at registers info. Now EDX contains part of our entered name. This line will write into EDX one byte from address saved in [ESP+ECX+8]. That will be first letter of our name. Press F8. We are now here: 004010B9 ADD EDI,EDX Pay attention that EDI is set to 0 now. EDX contains ASCII code of the first letter in our name in hexadecimal format. ADD command adds to EDI value of the EDX register. Run further until you are here: 004010BB INC ECX 004010BC CMP ECX,EAX INC command increases value of the ECX register by 1. Command CMP compares values of the ECX and EAX. EAX now contains length of our name. Take a look at JLE jump after CMP. It will be done only in case ECX is equal to EAX. So far we know that algorithm of the serial key is the sum of all ASCII codes of letters in your name. This sum is preserved in EDI register. Lets continue to run program until we are here: 004010C0 IMUL EDI,EDI,539 This command multiplies value of the EDI register to 0x539 (this is 1337 in decimal). So the next step in our algorithm is to multiply our previous sum by 1337. If you continue to run this programm further you will not see other interesting parts in of serial key generation. So looks like that all, we know algorithm. Now it is time to write a keygen. I will use python script for that and will call it "keygen.py". import sys
You can run this script from command line next way: python keygen.py Artur
As a result I got 703262 for my name. And this number works as a serial. So we are done. Keygen is ready. As always I ask you to support me by clicking a banner with advertising below or even by paypal coffee transactions and only in case you liked this articles. Chao! See you in part 3.
0 Comments
Leave a Reply. |
NoticeI have removed Russian content from my website and now will post articles in English only. This is not because of some politics, Russian speaking people you are great, but just it is very hard to support bilingual web site in Weebly. For those who read my articles as usual I ask to click on a single advertisement banner on my web site. This gives me some credits and is free of charge for you. Archives
August 2016
Categories
All
|