How to produce KeyGENs
A general appropoach to the goal



Target: Zip Manager 5.3
Author: Software Excellence By Design
Protection: Name/Serial
Tools used - lcc
- SoftICE 3.2
Level (X) Beginner
(X) Intermediate
( ) Advanced
( ) Expert

Disclaimer

Do I really have to remind you all that by BUYING and NOT stealing the software you use will ensure that these software houses will continue to produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems. BTW, It's illegal to use cracked Software!

If you're looking for cracks or serial numbers from these pages then your wasting your time, try to search elsewhere on the Web under Warez, Cracks, etc.



As a matter of fact there is growing interest in essays dealing HOW TO KEYGEN a target ... writing such essays requires a lot of time and extra work. Now holidays have started and I decided to write this essay, which shows in detail HOW TO PRODUCE KEYGENS.

The appropoach I've chosen here should work on quite a lot of target's and is so kinda GENERIC APPROPOACH to the goal of coding a KeyGEN for a target ...

To understand this essay and the KeyGEN coding process you need at least a basic knowledge of ASM. For that matter an excellent document has been written by CoRN2: Assembly for Crackers.



Step 1: How to start?
Of course, first of all you need to execute your target and find the Registration Screen. After that little work, you can start with the real process. So enter your Registration Details and enter SoftICE. Now set a BPX HMEMCPY, leave SoftICE and press the 'OK' button in the Registration Dialog. Now SoftICE should pop up. BD (disable) your BPX and start the tracing ... here is where all the fun starts :)


Step 2: The fun starts
For me the real fun is tracing through the target's code and find the instructions that are used for generating serials (or parts of them) or whatsoever of your Registration Details. This can be done (often) easier using a disassembler (hope you have a fast CPU) ... if you know what you are looking for :)

Back to the tutorial: Things generated must be checked ... either NOW or on start of the target. Very often the things are checked NOW; that eases your work (often) a lot. But what's next? Well your Registration Details have to be manipulated in some way so a number or whatsoever is generated out from them ... all this is done using ASM instructions.

A KeyGEN routine or whatsoever is CALLed (often) right before the real check if the enterd data is either correct or not; so the CALLs before the real check are quite interesting ... you don't need however to trace them all ... just find out by observing registers, ... what CALL you need to trace and what NOT. It's easy :)


Step 3: Starting to work on the algo
After having successfully found the algorithmus what does the manipulation used to generate the correct Registration Data, you have to work out how this works (of course). Here is where you need your basic ASM knowledge. Watch out for instructions like ADD, AND, ...

I highly suggest making notes on a piece of paper how this routine works and after that, use your favourite coding language to code a routine that does EXACTLY the same ... mostly it's just a simple algo ... but there are examples where the algo is really complex and a KeyGEN takes a lot of time. Working out a KeyGEN in such cases might however help you to improve your knowledge on KeyGEN coding :)


Step 4: What do I have to take care of?
Well this is just an addendum to the last step, however I suggest you to really find out if special chars are allowed in the Registration Data and what the minimal length of your name needs to be. Also be sure to check if spaces are allowed.


Step 5: Using the described technique
Now it's time for some real work with the technique I (tried) to explain in the above steps. If you haven't understand them all, there is now another chance you do so :)

As a target I've chosen an in my opinioun EASY target. I could've chosen a DIFFICULT target, but that's not really needed here, because if you want to KeyGEN DIFFICULT things you FIRST need the basic technique to work perfectly. That's the key to success! Enough theory now; let's use the technique.


I do assume you have the basic knowledge of cracking and a little experience so that you can actually find the compare between the real serial and the wrong one. If you don't have that experience you should read some more tutorials and then come back to this one. This is definately not a tutorial for a complete beginner to cracking, although lots of beginners might (hopefully) understand :)



After having enterd your Registration Details and after tracing a little bit throught the code you'll come accross the code, which calculates your serial (CALL, JNZ is always very suspicious):

   :0045D7BD  C745F800000000      MOV       DWORD PTR [EBP-08],00000000
   :0045D7C4  C745F400000000      MOV       DWORD PTR [EBP-0C],00000000
   :0045D7CB  C745F000000000      MOV       DWORD PTR [EBP-10],00000000
   :0045D7D2  C745EC00000000      MOV       DWORD PTR [EBP-14],00000000
   :0045D7D9  C745E800000000      MOV       DWORD PTR [EBP-18],00000000
   :0045D7E0  C745E438270000      MOV       DWORD PTR [EBP-1C],00002738
   :0045D7E7  8B4508              MOV       EAX,[EBP+08]
   :0045D7EA  8945FC              MOV       [EBP-04],EAX
   :0045D7ED  66C745D80000        MOV       WORD PTR [EBP-28],0000
   :0045D7F3  E904000000          JMP       0045D7FC
   :0045D7F8  66FF45D8            INC       WORD PTR [EBP-28]
   :0045D7FC  0FBF45D8            MOVSX     EAX,WORD PTR [EBP-28]
   :0045D800  83F82B              CMP       EAX,2B
   :0045D803  0F8D5B000000        JGE       0045D864
   :0045D809  0FBF45D8            MOVSX     EAX,WORD PTR [EBP-28]
   :0045D80D  8B4DFC              MOV       ECX,[EBP-04]
   :0045D810  0FBE0408            MOVSX     EAX,BYTE PTR [ECX+EAX]
   :0045D814  8945E0              MOV       [EBP-20],EAX
   :0045D817  8B45E0              MOV       EAX,[EBP-20]
   :0045D81A  69C049870100        IMUL      EAX,EAX,00018749
   :0045D820  0145F8              ADD       [EBP-08],EAX
   :0045D823  8B45E0              MOV       EAX,[EBP-20]
   :0045D826  69C061870100        IMUL      EAX,EAX,00018761
   :0045D82C  0145F4              ADD       [EBP-0C],EAX
   :0045D82F  8B45E0              MOV       EAX,[EBP-20]
   :0045D832  69C095860100        IMUL      EAX,EAX,00018695
   :0045D838  0145F0              ADD       [EBP-10],EAX
   :0045D83B  8B45E0              MOV       EAX,[EBP-20]
   :0045D83E  69C037870100        IMUL      EAX,EAX,00018737
   :0045D844  0145EC              ADD       [EBP-14],EAX
   :0045D847  8B45E0              MOV       EAX,[EBP-20]
   :0045D84A  69C057870100        IMUL      EAX,EAX,00018757
   :0045D850  0145E8              ADD       [EBP-18],EAX
   :0045D853  8B45E0              MOV       EAX,[EBP-20]
   :0045D856  69C0D9860100        IMUL      EAX,EAX,000186D9
   :0045D85C  0145E4              ADD       [EBP-1C],EAX
   :0045D85F  E994FFFFFF          JMP       0045D7F8
   :0045D864  8B45F0              MOV       EAX,[EBP-10]
   :0045D867  0345F4              ADD       EAX,[EBP-0C]
   :0045D86A  0345F8              ADD       EAX,[EBP-08]
   :0045D86D  0345E4              ADD       EAX,[EBP-1C]
   :0045D870  0345E8              ADD       EAX,[EBP-18]
   :0045D873  0345EC              ADD       EAX,[EBP-14]
   :0045D876  B93DBB0D00          MOV       ECX,000DBB3D
   :0045D87B  99                  CDQ
   :0045D87C  F7F9                IDIV      ECX
   :0045D87E  8D4201              LEA       EAX,[EDX+01]
   :0045D881  8945DC              MOV       [EBP-24],EAX
   :0045D884  8B450C              MOV       EAX,[EBP+0C]
   :0045D887  3945DC              CMP       [EBP-24],EAX
   :0045D88A  0F850F000000        JNZ       0045D89F
   :0045D890  B801000000          MOV       EAX,00000001
   :0045D895  E90C000000          JMP       0045D8A6
Now you have to understand the calculation instructions ... that's mostly quite easy once you found them all. Try to work out how the serial is generated yourself and then read on ...


So you know how it's generated, right? Well for a maximum of 2B h times (0045D800), a char of your name is read out and

   - multiplicated by 18749 h and added to [EBP-08] (0045D81A and 0045D823)
   - multiplicated by 18761 h and added to [EBP-0C] (0045D826 and 0045D82C)
   - multiplicated by 18695 h and added to [EBP-10] (0045D832 and 0045D838)
   - multiplicated by 18737 h and added to [EBP-14] (0045D83E and 0045D844)
   - multiplicated by 18757 h and added to [EBP-18] (0045D84A and 0045D850)
   - multiplicated by 186D9 h and added to [EBP-1C] (0045D856 and 0045D85C)
If your name is not 2B h chars long, then the rest of the chars will be just ignored.

After that multiplication thing, [EBP-08], [EBP-0C], [EBP-10], [EBP-14], [EBP-18] and [EBP-1C] were added together (0045D867 up to 0045D873) and then divided by (0045D876 and 0045D87C) DBB3D h. Finally the remainder of that division is increased by 1 (0045D87E) - and that's the real serial then. It's that easy :)


I don't see an interest in the whole KeyGEN source, so I've just added that calculation part to this tutorial:

   short int Calculate(HWND hDialog)
   {
    unsigned char name[50]      = {0};
    unsigned char serial[100]   = {0};
    unsigned long EAX           = 0;
    unsigned long TMP           = 0;
    unsigned long EBP_10        = 0;
    unsigned long EBP_0C        = 0;
    unsigned long EBP_08        = 0;
    unsigned long EBP_1C        = 0x2738;
    unsigned long EBP_18        = 0;
    unsigned long EBP_14        = 0;
    unsigned long i             = 0;
    static HWND hControl;
   
    hControl = GetDlgItem(hDialog, EDIT_NAME);
    GetWindowText(hControl, &name, 43);
   
    for (i = 1; i <= 0x2B; i++)
    {
      if (i <= strlen(name))
      {
       EAX = name[i-1];
       EBP_08 += (EAX * 0x18749);
       EBP_0C += (EAX * 0x18761);
       EBP_10 += (EAX * 0x18695);
       EBP_14 += (EAX * 0x18737);
       EBP_18 += (EAX * 0x18757);
       EBP_1C += (EAX * 0x186D9);
      }
    }
   
    EAX  = EBP_10 + EBP_0C + EBP_08 + EBP_1C + EBP_18 + EBP_14;
    TMP  = EAX / 0xDBB3D;
    EAX  = EAX - (TMP * 0xDBB3D);
    EAX += 1; 
   
    wsprintf(serial, "%lu", EAX);
   
    hControl = GetDlgItem(hDialog, EDIT_CODE);
    SetWindowText(hControl, serial);
   
    return 0;
   }
Feel free to e-mail me feedback, questions or whatever (NO crack requests!!). You can also talk to me on IRC (EFNet) at #ImmortalDescendants, #PhrozenCrew or #cracking4newbies.



Another lesson has just finished. Hopefully you have learned something useful from it! Feel free contacting me anytime ... till next time, I highly recommend you to visit (or better download completely) +Fravia's excellent site, which has unfortunately been frozen!


Greetings (no specific order):

+Aesculapius, +Fravia, +MaLaTTiA, +ORC, +wAj, ^TheDevil, /Miz, ACiD BuRN, adenozin, alpine, AntiMaterie, AppBusta, Artex, Black Check, BJanes, ByteBurn, cALiGo, CoRN2, Carpathia, CrackZ, Crashtest, Cruehead, Da GRiM ReaPeR, DEATH, DEZM, DnNuke, douby, duelist, Eternal Bliss, FireWorx, G-RoM, HarvestR, Icecream, Iczelion, Jeff, josephCo, Kaparo, knotty, Kwai_Lo, LagPRO, LaZaRuS, Lord Soth, Lucifer48, MisterE, MiZ, McCodEMaN, Mr. NOP, Mr. WhiTe (WKT), NeuRaL NoiSE, nIabI, NiKai, Nitrus, Noos, Northpole, pain, Pedro, PeeGee, PeeWee, ^PlAyEr^, Predator NLS, Prof. X, Quantico, r4lph, R!SC, Rhytm, rudeboy, Santa Clawz, Scribe, SiONiDE, Steinowitz, TaG^, TaMaMBoLo, The +Sandman, The AntiXryst, The OWL, Thesmurf, Tin, tKC, viny, VisionZ, Vladimir, Volatility, yAtEs, yosh, ytc, WarezPup, WhizKiD, widYa@cL 2011.

Copyright © 1999 by TORN@DO [ID/PC]. All Rights Reversed.