8/12/2019 Key Generators

1/7

raZZia's Tutorial on Key Generators

presented by Bibliothek.dl.am

Tools!For tools you need a minimum of debugger like SoftIce for Windows (hence WinIce), and a C

compiler with Dos libraries

Content!In this tutorial I will show how to make a key!gen for I"e and Swiftsearch #he protection thatthese programs use is the well known $nter!%ame!and!&egistration!%umber method 'fterselecting register, a window pops up where you can enter your name and your registrationnumber #he strategy here is to find out where in memory the data you enter is stored and then tofind out what is done with it efore you go on make sure you configure the SoftIce dat fileaccording to the *WD tutorial +

Part 1: Sanline Si"tsearh #.$!

Swiftsearch is a useful little program that you can use to search on the web I will e-plain step bystep how to crack it

step Start the program .)

step /. Choose register from the menus 0ou will now get a window where you can enter your name andyour registration number

step 1. $nter SoftIce (ctrl!d)

step 2. We will now set a breakpoint on functions like 3etWindow#e-t(a) and 3etDlgItem#e-t(a) to findout where in memory the data that we 4ust entered is stored #he function that is used by this

program is 3etDlgItem#e-ta (trial and error, 4ust try yourself .) so, in SoftIce type *53etDlgItem#e-ta and e-it SoftIce with the g command

step 6. %ow type a name and a registration number (I used ra""ia and /126) and press 78, this will putyou back in SoftIce Since you are now inside the 3etDlgItem#e-ta function press F to get outof it 0ou should see the following code.

lea eax, [ebp-2C] :

8/12/2019 Key Generators

2/7

entered ;ust type g and return and when back in SoftIce press F 0ou should see thefollowing code.

push 0000000 lea ecx, [ebp-1] :

8/12/2019 Key Generators

3/7

whats in $'5 ' 9 $'5 re:eals .

????1?1 ?????/126 G?G

ingo #hats what we entered as the registration number It should ha:e been whats inside$SI 'nd we know whats inside $SI, the sum of the letters of the name we enteredE

Step H. %ow we know how the program computes the registration code we can make a key!genut we should not forget that the program checks also that the registration number has ?

digits' simple C code that will compute the registration number for this program could look like this.

;inclu.e

8/12/2019 Key Generators

4/7

registrationnumber #he strategy in this case is still the same . Find out where in memory the entered

informationis stored and then find out what is done with that information

Step . Start I"e Chose register and enter a name and a number I used ra""ia and /126

Sterp /. $nter (C#&B!D) Softice and set a breakpoint on 3etDlgItem#e-t'

Step 1. Bea:e SoftIce and press 78 #his will put you back in Softice 0ou will be inside the3etDlgItem#e-t'

function #o get out of it press F 0ou should see the following code .

*o esi, [esp + 0C]push 00000074

push 0040C%0 .!!7n this memory location the %'A$ we entered will be stored

*o e.i, [!"#$%2&'et(lg)te*ext] .!!Boad edi with adress of 3etDlgItem#e-t'push 00004##push esi

call e.i .!! Call 3etDlgItem#e-t'

push 00000074 .!! (you should be here now)push 0040C210 .!!7n this memory location the %>A$& we entered will be storedpush 00004##push esi

call e.i .!! Call 3etDlgItem#e-t'

We see that the function 3etDlgItem#e-t' is called twice in this code fragment #he first call hasalready happened With $D 2?C1'? we can check that the name we entered is stored on that

location#o allow the program to read in the number we entered we type 3 and enter %ow we are inside

the 3et!DlgItem#e-t' function again and we press f to get out of it We check memory location 2?C/?

andwe see the number we entered is stored there

%ow we know the locations were the name and the number are stored,we note those downE

Step 2. 7k, what ne-t9 We now know where in memory the name and the number are stored We need tofind out

what the program does with those :alues In order to do that we could set breakpoints on thosememory

locations to see where they are read ut in this case it wont be necessary #he answer is right afterthe

abo:e code .

push 0040C210 .!!sa:e the location of the number we entered (as a parameter for the ne-t

call)call 0040440 .!! call this unknown functiona.. esp, 00000004

*o e.i, eax .!! sa:e $'5 (hmmmm)

We see a function being called with the number!location as a parameter We could trace into the

function and see what it does, but that is not needed With your e-perience of the Swiftsearche-ample you should be able to guess what this function does It calculates the numerical :alue of

the registration number and puts it in $'5 #o be sure we step further using F? untill we arepast the call and check the contents of $'5 (with 9 $'5) In my case it showed . ????1?1?????/126 G?G

8/12/2019 Key Generators

5/7

8nowing that $DI contains our registration number we proceed.

push 0040C%0 :!! sa:e the location of the name we entered (as a parameter for the ne-t

call)

push 004000 :!! sa:e an unknown memory!location (as a parameter for the ne-t call)

call 00404%0 .!!call to an unknown functiona.. esp, 0000000

c*p e.i, eax .!!compare $DI (reg + we entered) with $'5 (unknown, since the pre:ious

call changed it)

3ne 004011 .!!4ump if not e@ual

We see that a function is called with two parameters 7ne of the parameters is the location of thename

we entered #he other we dont know, but we can find out with $D 2??

8/12/2019 Key Generators

6/7

right reg+):0040444 *o e.i, ebx .!!these lines compute the lenght of the name we entered

:0040444 sub eax, eax .!!these lines compute the lenght of the name we entered

:0040444C repnM .!!these lines compute the lenght of the name we entered

:0040444( scasb .!!these lines compute the lenght of the name we entered:0040444# not ecx .!!these lines compute the lenght of the name we entered

:004044N0 .ec ecx .!! $C5 now contains the lenght of the name:004044N1 c*p ecx, esi

:004044N% 3a 0040442N .!! If its not the end of the name , go do the same with the ne-t letter

:004044NN *o eax, ebp .!! S'L$ $* #7 $'5 EEEE:004044N9 pop ebp:004044N pop e.i:004044N pop esi:004044N pop ebx:004044N ret

MMMMM:00404490 *o eax, [00402] .!! *ut GkeyG in $'5:0040449N *ul eax, eax, 01N4#%N .!! $'5$'5 J 6'2$16

:0040449 inc eax .!! $'5$'5 K :0040449C *o [00402], eax .!! &eplace the GkeyG with the new :alue of $'5

:0040441 an. eax, 90000 .!! $'5$'5 NN HFFF????

:0040447 shr eax, 10 .!! $'5$'5 OO?:004044 ret

#he abo:e code consists of a loop that goes trough all the letters of the name we entered With

eachletter some :alue is calculated, all these :alues are added up together (in $*) #hen this :alue is

storedin $'5 and the function &$#urns 'nd that was what we were looking for, we wanted to know

how $'5 got its :alueE

Step =. %ow to make a key!gen we ha:e to translate the abo:e method of calculating the right reg+ into ac program It could be done in the following way .(%ote . I am a bad c programmer .)

;inclu.e A

printf=E#nter 8our na*e: E>A gets=@a*e>A @a*eBengthDstrlen=@a*e>A for =ffsetD0Affset ?

BetterD@a*e[ffset]A (u**8DOe8A (u**8D(u**8I0x1Na4e%NA

(u**8D(u**8+1A Oe8D(u**8A

8/12/2019 Key Generators

7/7

(u**8D(u**8 P 0x9fff0000A (u**8D(u**8 0x10A BetterDBetterI(u**8A

(u**8DOe8A (u**8D(u**8I0x1Na4e%NA

(u**8D(u**8+1A Oe8D(u**8A

(u**8D(u**8 P 0x9fff0000A (u**8D(u**8 0x10A

BetterDBetterI(u**8ABetterDBetterI=ffset+1>A

@u*berD@u*ber+BetterA J

printf=EGnKour registration nu*ber is : LluGnE,@u*ber>AJ

Final %otes

For feedback and suggestions pls contact me .)

raZZia