Manual to create key generators (keygens)
Manual for creating key generators (keygens)
INTRODUCTION
This manual is dedicated to explaining how to create a key generator or keygen so you first have to explain it.
A key generator (keygen in English) is a program that, as its name implies, generates a key program to record the famous "TRIAL". These keys or serial may depend on a name or can be independent, this manual will try to rely on the name.
Insurance programs have found that ask you to register your name and serial, and buy the program to send you a serial according to your name. Well, this manual explains how to create a serial KEYGEN to get that for any name you specify.
It must be said that a common crack for these programs, ie, patches for things like accepting any serial is much easier to do than creating a KEYGEN, so many are asking to make one.
Well, I find most challenging (and rewarding) make a simple patch KEYGEN, plus as I read in some text about cracking, when making a keygen "really is in compliance with crack philosophy (reverse engineering) to understand the program," at the same time acquire more knowledge, because it requires a deeper analysis of the program, there are many other advantages, like not having to crack a future version of the program (with the same key generation algorithm), and also takes up less cracked program space, making it easier to spread.
This book is dedicated to people who have a basic knowledge of cracking, to know that you are the CALL and JMP and how to change a JE to JNE, already serves, if not, there are very many courses that can read basic cracking would also be desirable to have some basic knowledge of OllyDbg. It is also necessary to know any programming language (any) to create the KEYGEN, saying, I mean knowing how to enter and display text, know how to add, multiply, and other arithmetic operations, ie also suffice here a basic understanding of language.
Well, I started
To use the manual as a tool for the OllyDbg, and as the target program will use the Crackman of Cruehead, Downloadable from
http://www.megaupload.com/?d=X96BJY5U
To create the KEYGEN algorithm need to know the key generation, and this algorithm we obtain by investing what the program to verify the code, in this Crackman algorithm is quite simple so it will not be as difficult to obtain, but in thecommercial programs are usually more complex, and the more complex they are, take more time and effort and most rewarding is getting it.
And as the title of this section. Well, let's begin.
First we open the Crackman and go into Help> Register and put your name and any number as a serial, like this:
and, unless they who match the key will come out the error message
Now open the Crackman with OLLY and do right click on the list and go to Searchfor> All referenced text strings
Now we know the direction in which I call the street, then go there.
INTRODUCTION
This manual is dedicated to explaining how to create a key generator or keygen so you first have to explain it.
A key generator (keygen in English) is a program that, as its name implies, generates a key program to record the famous "TRIAL". These keys or serial may depend on a name or can be independent, this manual will try to rely on the name.
Insurance programs have found that ask you to register your name and serial, and buy the program to send you a serial according to your name. Well, this manual explains how to create a serial KEYGEN to get that for any name you specify.
It must be said that a common crack for these programs, ie, patches for things like accepting any serial is much easier to do than creating a KEYGEN, so many are asking to make one.
Well, I find most challenging (and rewarding) make a simple patch KEYGEN, plus as I read in some text about cracking, when making a keygen "really is in compliance with crack philosophy (reverse engineering) to understand the program," at the same time acquire more knowledge, because it requires a deeper analysis of the program, there are many other advantages, like not having to crack a future version of the program (with the same key generation algorithm), and also takes up less cracked program space, making it easier to spread.
This book is dedicated to people who have a basic knowledge of cracking, to know that you are the CALL and JMP and how to change a JE to JNE, already serves, if not, there are very many courses that can read basic cracking would also be desirable to have some basic knowledge of OllyDbg. It is also necessary to know any programming language (any) to create the KEYGEN, saying, I mean knowing how to enter and display text, know how to add, multiply, and other arithmetic operations, ie also suffice here a basic understanding of language.
Well, I started
To use the manual as a tool for the OllyDbg, and as the target program will use the Crackman of Cruehead, Downloadable from
http://www.megaupload.com/?d=X96BJY5U
To create the KEYGEN algorithm need to know the key generation, and this algorithm we obtain by investing what the program to verify the code, in this Crackman algorithm is quite simple so it will not be as difficult to obtain, but in thecommercial programs are usually more complex, and the more complex they are, take more time and effort and most rewarding is getting it.
And as the title of this section. Well, let's begin.
First we open the Crackman and go into Help> Register and put your name and any number as a serial, like this:
and, unless they who match the key will come out the error message
Exit the program and open the OLLY.
Now open the Crackman with OLLY and do right click on the list and go to Searchfor> All referenced text strings
In the window that appears twice find the text of the error message "No luck there,mate", we double click on the first and appears with 401,370.
As we can see, the message is within a road that begins at 401,362, by clicking onthe address listed below see the message "Local call from 00401245"
Now we know the direction in which I call the street, then go there.
Here is a MOV, which it does is keep our name in the register ESI, we put in 401,382 BP, return to run the program by pressing F9, accept the message of "No Luck" from Crackman and re-register with our name any number and appear again at 401,382 BP, but we can see in the log window that ESI has the ASCII value of our name. In 401382 there is a PUSH, which it does is store the value of ESI, (put name) on the stack (STACK), then we will see to that.
Well, I'll explain what they do the lines below.
In 401383 there is a MOV that it does is pass the first letter of the ESI stored in a byte to the record, I put as the name Kansai, so goes the first letter is K, below is a test that verifies that AL non-zero, meaning that its value is a letter, put a pinch here and F9 BP and see in the log window that the AL (the last two numbers of EAX) have the value of your first letter, but in hexadecimal, 4B appears in my case using the windows calculator I see that 4B is decimal 75, which is the value of K, (try typing ALT + 75 with your keyboard and you will see that written K).
Below this line is an EP that jump if AL is worth nothing now of course not jump.Below is a CMP and then a JB as we see, what they do is to compare the letter with 41 (decimal 65), or the letter A and if less it will take you to the error message that has been used as a non- valid in the name.
Below is another but with a JNB CMP that compares if the letter is greater than 5A (decimal 90), or Z and jump if greater (or a lowercase letter), jump in my case since K (75) is capitalized and therefore less than 90, then see what happens if the letter is lowercase), below is an INC once the above process deletes the first letter of ESI, so "Kansai" leaving "Ansai."
Below is a JMP, always jumps as we know, in this case jumps to 401,383, returning to repeat, as we saw, here spent the first MOV ESI AL, but now the first value of ESI is the second letter, in my case "a", and follows the same process above, but on reaching 40138D, where if it was tiny compared now to point (97) is greater than 90 so if you jump to the address pointed to by the JNB to below, or 401,394, where there is a 4013D2 CALL pointing to, so let's see what's there.
Here is a SUB, which subtracts from AL, 20 (decimal 32) which is the difference between a lowercase letter to uppercase, such as the "a" is 97 if 32 is subtracted from 65, which is the letter "A ". What you do here is to pass the lowercase letters to uppercase, in my case is the "A" to "a", below is a MOV which replaces the letter changed to STACK, remember that 401,382 is the value of ESI step, which at that time was "Kansai" to STACK, and what happens now is that it changes the first "a" that was left on the stack so "Kansai."
Below is a RETN returns you to the line below where CALL is called, leads us to where another 401,399 in ESI Inc., which does the same as above. The ESI value would then be the "Ansai" to "NSAI".
Repeat with all the letters again, changing the character case and jump to the error message if it encounters an invalid character (less than 65). After the last point, the value of which was originally STACK "Kansai" will "KANSAI" we see how all the letters were in upper case. ESI also originally seen as valuable "Kansai", then it was changing to "Ansai", "NSAI", "sai", "ai" and "i". When it reaches the INC delete last letter (the "i"), the ESI will be worth 0, and as we saw you pass 401,383 the first letter of ESI AL, AL now has no value. And also we saw a test 4013C8 checking whether AL was worth something, and as worthless now, the JE below it jumped to 40139C.
Here is a POP, which stores the value that is stored in the highest part of the STACK to ESI, so ESI will now be "KANSAI". Below is a CALL aimed at 4013C2, here is an XOR EDI, EDI., When doing an XOR between two equal values the result is always 0, so that makes EDI to 0, under another XOR EBX also puts to 0.
Below is one that puts MOV BL (the last two numbers of EBX) the first letter of ESI, in my case K. Below is another test similar to that seen before verifying that BL is worth anything, and when it is not worth anything, you have to jump down the JE, but I do not jump. Below this is an ADD JE that it does is add the value of EBX (remember that the last two numbers are BL EBX, now worth 4B, or the letter K) to EDI, and saves the value in EDI . As EDI EBX 0000004B 00000000 and it now EDI is the sum of these two, which is 0000004B, below this the INC we know it does, and below this the JMP jumps back to where it was 4013C6 MOV passing the firstESI letter BL, now the first letter of ESI is 41 in decimal 65 (A), so BL will be 41.Repeat the above process adding EDI to EBX 0000004B worth 00,000,041 worth, as I said the result is stored in EDI, so now worth 0000008C. Repeat this process until the last letter and now with all the letters added, EDI 0000016E it for me.
Now that the JE below to jump TEST BL 4013D1 as worthless.
Here is a RETN returns you to the line below where it was called the CALL, or 4013A2. XOR is performed here between EDI and 5678 (22,136 decimal), the result is stored in EDI (in my case remain 000057CF) and the line below this value is passed in EAX EDI. Below is one that leads to JMP RETN, which in turn brings you back to the line below where they call this CALL, remember where it was?, Well you back to 401,232.
Well, we finished the analysis of the first street and you know what it does.
- First check that the characters entered for the name are valid and passes all letters to uppercase.
- Then add the value of all the letters (and shift).
- Finally, perform an XOR between this amount and the number 5678 (decimal 22 136).
All that we know will be essential to the KEYGEN.
WE COME TO THE MIDDLE OF OUR WORK!
OK, CONTINUE
We had been in line 401232, here's a PUSH EAX holds the value of the STACK. In the line below the number that we put as serial, and PUSH also saves on the STACK. Now comes the second street, see what he does put up with that number.
This points to 4013D8 CALL, we found there and a XOR EAX, EAX, which as we know puts EAX to zero
Well, I'll explain what they do the lines below.
In 401383 there is a MOV that it does is pass the first letter of the ESI stored in a byte to the record, I put as the name Kansai, so goes the first letter is K, below is a test that verifies that AL non-zero, meaning that its value is a letter, put a pinch here and F9 BP and see in the log window that the AL (the last two numbers of EAX) have the value of your first letter, but in hexadecimal, 4B appears in my case using the windows calculator I see that 4B is decimal 75, which is the value of K, (try typing ALT + 75 with your keyboard and you will see that written K).
Below this line is an EP that jump if AL is worth nothing now of course not jump.Below is a CMP and then a JB as we see, what they do is to compare the letter with 41 (decimal 65), or the letter A and if less it will take you to the error message that has been used as a non- valid in the name.
Below is another but with a JNB CMP that compares if the letter is greater than 5A (decimal 90), or Z and jump if greater (or a lowercase letter), jump in my case since K (75) is capitalized and therefore less than 90, then see what happens if the letter is lowercase), below is an INC once the above process deletes the first letter of ESI, so "Kansai" leaving "Ansai."
Below is a JMP, always jumps as we know, in this case jumps to 401,383, returning to repeat, as we saw, here spent the first MOV ESI AL, but now the first value of ESI is the second letter, in my case "a", and follows the same process above, but on reaching 40138D, where if it was tiny compared now to point (97) is greater than 90 so if you jump to the address pointed to by the JNB to below, or 401,394, where there is a 4013D2 CALL pointing to, so let's see what's there.
Here is a SUB, which subtracts from AL, 20 (decimal 32) which is the difference between a lowercase letter to uppercase, such as the "a" is 97 if 32 is subtracted from 65, which is the letter "A ". What you do here is to pass the lowercase letters to uppercase, in my case is the "A" to "a", below is a MOV which replaces the letter changed to STACK, remember that 401,382 is the value of ESI step, which at that time was "Kansai" to STACK, and what happens now is that it changes the first "a" that was left on the stack so "Kansai."
Below is a RETN returns you to the line below where CALL is called, leads us to where another 401,399 in ESI Inc., which does the same as above. The ESI value would then be the "Ansai" to "NSAI".
Repeat with all the letters again, changing the character case and jump to the error message if it encounters an invalid character (less than 65). After the last point, the value of which was originally STACK "Kansai" will "KANSAI" we see how all the letters were in upper case. ESI also originally seen as valuable "Kansai", then it was changing to "Ansai", "NSAI", "sai", "ai" and "i". When it reaches the INC delete last letter (the "i"), the ESI will be worth 0, and as we saw you pass 401,383 the first letter of ESI AL, AL now has no value. And also we saw a test 4013C8 checking whether AL was worth something, and as worthless now, the JE below it jumped to 40139C.
Here is a POP, which stores the value that is stored in the highest part of the STACK to ESI, so ESI will now be "KANSAI". Below is a CALL aimed at 4013C2, here is an XOR EDI, EDI., When doing an XOR between two equal values the result is always 0, so that makes EDI to 0, under another XOR EBX also puts to 0.
Below is one that puts MOV BL (the last two numbers of EBX) the first letter of ESI, in my case K. Below is another test similar to that seen before verifying that BL is worth anything, and when it is not worth anything, you have to jump down the JE, but I do not jump. Below this is an ADD JE that it does is add the value of EBX (remember that the last two numbers are BL EBX, now worth 4B, or the letter K) to EDI, and saves the value in EDI . As EDI EBX 0000004B 00000000 and it now EDI is the sum of these two, which is 0000004B, below this the INC we know it does, and below this the JMP jumps back to where it was 4013C6 MOV passing the firstESI letter BL, now the first letter of ESI is 41 in decimal 65 (A), so BL will be 41.Repeat the above process adding EDI to EBX 0000004B worth 00,000,041 worth, as I said the result is stored in EDI, so now worth 0000008C. Repeat this process until the last letter and now with all the letters added, EDI 0000016E it for me.
Now that the JE below to jump TEST BL 4013D1 as worthless.
Here is a RETN returns you to the line below where it was called the CALL, or 4013A2. XOR is performed here between EDI and 5678 (22,136 decimal), the result is stored in EDI (in my case remain 000057CF) and the line below this value is passed in EAX EDI. Below is one that leads to JMP RETN, which in turn brings you back to the line below where they call this CALL, remember where it was?, Well you back to 401,232.
Well, we finished the analysis of the first street and you know what it does.
- First check that the characters entered for the name are valid and passes all letters to uppercase.
- Then add the value of all the letters (and shift).
- Finally, perform an XOR between this amount and the number 5678 (decimal 22 136).
All that we know will be essential to the KEYGEN.
WE COME TO THE MIDDLE OF OUR WORK!
OK, CONTINUE
We had been in line 401232, here's a PUSH EAX holds the value of the STACK. In the line below the number that we put as serial, and PUSH also saves on the STACK. Now comes the second street, see what he does put up with that number.
This points to 4013D8 CALL, we found there and a XOR EAX, EAX, which as we know puts EAX to zero
Below are two more XOR, which zeroed EDI and EBX respectively. Below is a MOV ESI stored in the number you put, I put "12345". Below is a MOV keeping 0A (decimal 10). Below is a MOV BL stored in the first issue, in my case 1, and below is the famous TEST (with his JE) which verifies that BL is not worth 0.
Under the subtraction is performed JE (SUB) between BL and 30 (48 in decimal), the result of this subtraction is stored in BL. This subtraction is performed to obtain the actual value of the numbers, since these were stored in ASCII value, for example 1, the ASCII value is 49, if we subtract 48 (30 HEX) is 1, see? Under multiplication is performed (IMUL) between EDI and EAX and the result is stored in EAX: EDI. At this time nothing happens because EDI is 0. Below that performs addition (ADD) between EDI and EBX, EDI in my case will now be 00000001. Below are the known INC accompanied by JMP. Repeats this time being worth BL 02 after subtraction.After multiplying EDI becomes EAX (which is 10 in decimal) and the result is added 2 (the value of BL), in my case.
I think I have realized that to multiply this number by 10 and add them. If you do not remember, I remember that this is the way to pass a hexadecimal number to decimal. Security is now agreed.
After doing this with all the numbers JE (the companion of TEST) 4013F5 jumps.Here in my case it EDI 3039, converted to decimal guess how much it costs, you guessed it, 12345, if you want to check with yours erase all previous BP and put one here (in 4013F5), press F9 and look at the value of EDI. Well, here performing a XOR between EDI and 1234 (in decimal 4661) and the result is stored in EDI.Below is an EDI MOV EBX keeping and then comes back to us RETN 40123D.
We're done with the second street, was much easier than the first, right?
Now we just compare. We see a POP EAX returned to the first XOR value between the sum of the letters of our name and number 5678 (decimal 22 136).
These two numbers with the XOR is performed, the 5678 to 1234 with name and number are the "magic number", these numbers are invented by programmers to make the equation that generates the serial key to give them their their customers.
And now the CMP EAX verifying that (the result of XOR with 5678) and EBX (the result of XOR with 1234) are the same, if you are jumping to the message JE "Great work" and if not to "No luck ".
Well, now we needed to create our keygen. Let's review what we know.
- All letters go to uppercase name and add their ASCII values.
- XOR is made between the outcome and the magic number 5678.
- You get the real value of the numbers and passed to decimal.
- XOR is made between our numbers and the magic number 1234.
Well, to create the KEYGEN need to do a program that does the following.
- I ask the user name.
- Pass all letters to uppercase and display an error message if an invalid character found (less than 65) in the name.
- Add the ASCII value of all the letters of the name.
- Realize an XOR between the result and the magic number, in decimal, 22136.
- Realize an XOR between the result of the former and the magic number, in decimal 4661.
- The result of this is the serial, and just show the user.
Now this. You just have to make a program that does this and we have our keygen.As you can see this can be done with any programming language.
We must clarify that this algorithm is quite simple yet, only the high points and made a couple of XOR. In commercial programs with real equations and find the serial will have lots of letters, numbers and symbols up, while you did, the serial is only a 5-digit number. But the more complicated the job more rewarding is the result.
Well, I hope you find this manual served, excuse the spelling, I know I did not put any accent.
And here I leave the code in the KEYGEN I did. I did it in JScript and not have to compile it or anything, just copy and paste into a text file and save with extension htm.
See how one performing the operations that we saw get the serial. Kansai me with my name came out as 17915. Try it, the name can have up to 6 or 7 letters.
Well, here's the code.
Under the subtraction is performed JE (SUB) between BL and 30 (48 in decimal), the result of this subtraction is stored in BL. This subtraction is performed to obtain the actual value of the numbers, since these were stored in ASCII value, for example 1, the ASCII value is 49, if we subtract 48 (30 HEX) is 1, see? Under multiplication is performed (IMUL) between EDI and EAX and the result is stored in EAX: EDI. At this time nothing happens because EDI is 0. Below that performs addition (ADD) between EDI and EBX, EDI in my case will now be 00000001. Below are the known INC accompanied by JMP. Repeats this time being worth BL 02 after subtraction.After multiplying EDI becomes EAX (which is 10 in decimal) and the result is added 2 (the value of BL), in my case.
I think I have realized that to multiply this number by 10 and add them. If you do not remember, I remember that this is the way to pass a hexadecimal number to decimal. Security is now agreed.
After doing this with all the numbers JE (the companion of TEST) 4013F5 jumps.Here in my case it EDI 3039, converted to decimal guess how much it costs, you guessed it, 12345, if you want to check with yours erase all previous BP and put one here (in 4013F5), press F9 and look at the value of EDI. Well, here performing a XOR between EDI and 1234 (in decimal 4661) and the result is stored in EDI.Below is an EDI MOV EBX keeping and then comes back to us RETN 40123D.
We're done with the second street, was much easier than the first, right?
Now we just compare. We see a POP EAX returned to the first XOR value between the sum of the letters of our name and number 5678 (decimal 22 136).
These two numbers with the XOR is performed, the 5678 to 1234 with name and number are the "magic number", these numbers are invented by programmers to make the equation that generates the serial key to give them their their customers.
And now the CMP EAX verifying that (the result of XOR with 5678) and EBX (the result of XOR with 1234) are the same, if you are jumping to the message JE "Great work" and if not to "No luck ".
Well, now we needed to create our keygen. Let's review what we know.
- All letters go to uppercase name and add their ASCII values.
- XOR is made between the outcome and the magic number 5678.
- You get the real value of the numbers and passed to decimal.
- XOR is made between our numbers and the magic number 1234.
Well, to create the KEYGEN need to do a program that does the following.
- I ask the user name.
- Pass all letters to uppercase and display an error message if an invalid character found (less than 65) in the name.
- Add the ASCII value of all the letters of the name.
- Realize an XOR between the result and the magic number, in decimal, 22136.
- Realize an XOR between the result of the former and the magic number, in decimal 4661.
- The result of this is the serial, and just show the user.
Now this. You just have to make a program that does this and we have our keygen.As you can see this can be done with any programming language.
We must clarify that this algorithm is quite simple yet, only the high points and made a couple of XOR. In commercial programs with real equations and find the serial will have lots of letters, numbers and symbols up, while you did, the serial is only a 5-digit number. But the more complicated the job more rewarding is the result.
Well, I hope you find this manual served, excuse the spelling, I know I did not put any accent.
And here I leave the code in the KEYGEN I did. I did it in JScript and not have to compile it or anything, just copy and paste into a text file and save with extension htm.
See how one performing the operations that we saw get the serial. Kansai me with my name came out as 17915. Try it, the name can have up to 6 or 7 letters.
Well, here's the code.
<html>
<head>
<title> KeyGen </ title>
</ head>
<body>
<form method="POST">
<p> Name: </ p>
<input type="text" name="nom" <p> size="25"> </ p>
<input type="submit" name="B1" <p> onClick="generar(this.form)"value="Generar";> </ p>
</ form>
<script language="JScript">
generating function (Formu)
{
var name = Formu.nom.value;
var sum = 0;
for (i = 0; i <13; i + +)
{
letter = nombre.charCodeAt (i);
if (letter> 20)
{
if (point <65)
{
error ();
return (0);
}
if (letter> 90)
{
letter -= 32;
}
sum + = letter;
}
}
xorsuma = sum ^ 4660;
serial = 22136 ^ xorsuma;
document.write ("Name:" + name + "<BR>" + "Serial:" + serial);
}
function error ()
{
document.write ("Please enter the name !!!"); valid characters
}
</ script>
</ body>
</ html>
<head>
<title> KeyGen </ title>
</ head>
<body>
<form method="POST">
<p> Name: </ p>
<input type="text" name="nom" <p> size="25"> </ p>
<input type="submit" name="B1" <p> onClick="generar(this.form)"value="Generar";> </ p>
</ form>
<script language="JScript">
generating function (Formu)
{
var name = Formu.nom.value;
var sum = 0;
for (i = 0; i <13; i + +)
{
letter = nombre.charCodeAt (i);
if (letter> 20)
{
if (point <65)
{
error ();
return (0);
}
if (letter> 90)
{
letter -= 32;
}
sum + = letter;
}
}
xorsuma = sum ^ 4660;
serial = 22136 ^ xorsuma;
document.write ("Name:" + name + "<BR>" + "Serial:" + serial);
}
function error ()
{
document.write ("Please enter the name !!!"); valid characters
}
</ script>
</ body>
</ html>
If you wish to travel far and fast, travel light. Take off all your envies, jealousies, unforgiveness, selfishness, and fears.
Flights to Cape Town
Cheap Flights to Cape Town
Cheap Air Tickets to Cape Town
A fascinating discussion is definitely worth comment.
I believe that you need to write more about this subject, it may not be a taboo
subject but generally folks don't discuss these subjects. To the next! Cheers!!
Check out my web page: http://Jeanniecorner3.Tumblr.com/
Also see my web page :: identi.ca
Hello, its good article on the topic of media print, we all know media is a enormous source of information.
Here is my web site - macro
hello there and thank you for your info – I have certainly picked up anything new from right here.
I did however expertise a few technical points using this website, since I
experienced to reload the site a lot of times previous to I could get it to load correctly.
I had been wondering if your web host is OK? Not that I'm complaining, but sluggish loading instances times will often affect your placement in google and could damage your quality score if ads and marketing with Adwords. Well I'm adding this RSS to my e-mail and could look out for a lot more of
your respective fascinating content. Ensure that you update this again soon.
Here is my blog post; workouts to improve vertical jump
If you would like to get much from this piece
of writing then you have to apply these methods to your
won webpage.
Also visit my page jump high to dunk
Article writing is also a excitement, if you be familiar with
then you can write otherwise it is difficult to write.
Check out my blog: Yasinclub.net