Ripping is a simple and effective method for building a key generator. The idea is straightforward: locate the function (or functions) in the protected program that computes the valid serial number, and transplant it into your own key-generation program. The beauty of the method is that you do not really need to understand the algorithm; you only need to find the function that produces the valid serial number and arrange to call it from your own program.
The first task is to locate the key-generation algorithm inside the crackme. There are many ways to do this, but one rarely fails: find the code that reads the two text boxes into which the user name and serial number are typed. Assuming the main window of KeygenMe-3 is a dialog box (easy to confirm by finding the dialog-creation API call in the program's initialization code), the program very likely reads the text boxes either with GetDlgItemText or by sending them a WM_GETTEXT message. If it uses GetDlgItemText, you can go to OllyDbg's Names window and look for code that calls GetDlgItemTextA or GetDlgItemTextW. As expected, the program calls GetDlgItemTextA. Open the "Find references to import" window and you will see two places that call GetDlgItemTextA (not counting the direct JMP through the function's entry in the import address table).
Listing 11.1 Conversion algorithm for the first input string in KeygenMe-3 (the disassembly appears as an image in the original and is not reproduced here)
Before trying to extract the conversion algorithm from the code in Listing 11.1, let's look at the function at Key4.00401388, which is clearly part of the algorithm.
Listing 11.2 Conversion algorithm for the second input string in KeygenMe-3 (the disassembly appears as an image in the original and is not reproduced here)
Looking at this code, you can see that two sections contain the key-generation algorithm: the first is the block starting at Key4.0040130B in Listing 11.1, and the second is the entire function in Listing 11.2. The code in Listing 11.1 produces a value in the ESI register, and the function in Listing 11.2 returns its value in EAX. The two values are then compared, and if they are equal the program reports that verification succeeded (this is the check we patched earlier).
Start with the block at Key4.0040130B and determine what input it receives. Before the block begins, ECX holds the length of the first input string (the one typed into the upper text box). The code then references the address of that string (40303F) and an unknown hard-coded address (40351F). Note that this code does not walk the string one character at a time; it reads only the first four characters of the string and treats them as a single DWORD. To transplant the code into your own key generator you must first find out what is stored at 40351F. Notice that this address is always added to the value in EAX before it is dereferenced. In the first iteration EAX is 1, so the address actually accessed is 403520; in the next iteration EAX is 4, so you should look at 403524. Viewing the memory at 403520 in OllyDbg shows the following data:
(Memory dump at 403520, shown as an image in the original; not reproduced here.)
Note that this instruction accesses the address as a single byte, not as a full DWORD, so the program only reads the byte at 403520 (0x25) and the byte at 403524 (0x65).
Look at the first algorithm in Listing 11.1: it is a 32-bit key-generation routine that converts the user name into a 32-bit value, which is left in the ESI register. What about the second algorithm, in Listing 11.2? A quick read shows nothing complicated: it walks the digits of the input serial number one by one, subtracts 0x30 from each (0x30 is the ASCII code for '0'), and multiplies the result by 10 repeatedly until ECX reaches 0. The multiplication by 10 for each character is performed in an inner loop, and the number of times it runs depends on the digit's position in the string.
Stepping through this code in the debugger confirms what an experienced reverser might guess just by looking at it: the function converts the string passed in as its parameter into a binary DWORD, which is what the C runtime's atoi does. It looks more like a hand-written version of atoi than the library one, however: the real atoi is somewhat more complex, and OllyDbg recognizes statically linked library functions, so if atoi were used here OllyDbg would almost certainly have identified it, yet it finds nothing of the kind in KeygenMe-3.
So the first algorithm (Listing 11.1) converts the user name into a 32-bit DWORD using a custom routine, and the second simply converts the contents of the lower text box into a number. The lower text box is expected to hold the number produced by the first algorithm. Given that, it seems we only need to "rip" the first algorithm and drop it into our key generator to produce serial numbers. Let's try.
Listing 11.3 shows the resulting key-generator subroutine. It is a C function (compiled with the Microsoft C/C++ compiler) consisting of a block of inline assembly pasted directly from OllyDbg's disassembler. The lowercase instructions, including the LoopStart label, were added by hand.
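As an added example (not code from the original page, and not the book's keygen or any part of KeygenMe-3), here is a C reimplementation of the serial-parsing routine just described together with the final equality check. It mirrors the structure attributed to Listing 11.2: a remaining-length counter standing in for ECX, 0x30 subtracted from every character with no range check, and an inner loop that multiplies each digit by 10 once per trailing position. The function names are mine, and the ripped name-to-DWORD routine itself is not reproduced because its listing is not on the page. The block also shows why the keygen must print the ripped routine's DWORD as unsigned decimal: the parser has no notion of a minus sign, so any value at or above 0x80000000 would fail the round trip if printed with %d.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Serial-number parser modelled on the description of Listing 11.2.
 * 'remaining' plays the role of ECX (characters still to process); each
 * character has 0x30 (ASCII '0') subtracted with no range check, and an
 * inner loop multiplies the digit by 10 once for every character that
 * follows it.  All arithmetic is unsigned 32-bit, like the original. */
uint32_t parse_serial(const char *serial)
{
    uint32_t remaining = (uint32_t)strlen(serial);
    uint32_t result = 0;
    size_t pos = 0;

    while (remaining != 0) {
        uint32_t digit = (uint32_t)(unsigned char)serial[pos] - 0x30;
        uint32_t weight = 1;
        for (uint32_t i = 1; i < remaining; i++)  /* one *10 per trailing position */
            weight *= 10;
        result += digit * weight;
        pos++;
        remaining--;
    }
    return result;
}

/* The comparison KeygenMe-3 performs: the DWORD the first algorithm leaves in
 * ESI must equal the DWORD this parser returns in EAX. */
int serial_matches(uint32_t name_hash, const char *serial)
{
    return parse_serial(serial) == name_hash;
}

/* What the keygen prints.  The parser above has no notion of a sign, so the
 * hash must be printed as unsigned decimal; signed_fmt selects the broken
 * "%d" variant to show the failure for hashes >= 0x80000000. */
void format_serial(uint32_t name_hash, int signed_fmt, char *out, size_t outlen)
{
    if (signed_fmt)
        snprintf(out, outlen, "%" PRId32, (int32_t)name_hash);
    else
        snprintf(out, outlen, "%" PRIu32, name_hash);
}

/* Print the hash as the keygen would, then feed it back through the
 * crackme's parser: 1 if the pair would be accepted, 0 otherwise. */
int roundtrip_ok(uint32_t name_hash, int signed_fmt)
{
    char buf[32];
    format_serial(name_hash, signed_fmt, buf, sizeof buf);
    return serial_matches(name_hash, buf);
}

int main(void)
{
    /* 580695444 is the serial the text derives for "John Doe"; 0xDEADBEEF is a
     * constructed value chosen to sit above 0x80000000 (hypothetical hash). */
    const uint32_t john_doe = 580695444u;
    const uint32_t high_hash = 0xDEADBEEFu;
    char buf[32];

    printf("parse(\"580695444\") = %" PRIu32 "\n", parse_serial("580695444"));
    printf("580695444 accepted: %d\n", serial_matches(john_doe, "580695444"));
    printf("580695445 accepted: %d\n", serial_matches(john_doe, "580695445"));

    format_serial(high_hash, 0, buf, sizeof buf);
    printf("%%u keygen output %s -> accepted: %d\n", buf, roundtrip_ok(high_hash, 0));
    format_serial(high_hash, 1, buf, sizeof buf);
    printf("%%d keygen output %s -> accepted: %d\n", buf, roundtrip_ok(high_hash, 1));
    return 0;
}
```

Because the parser subtracts 0x30 from whatever character it sees, a leading '-' becomes 0xFFFFFFFD and is multiplied into the result like any other digit, which is why the signed formatting round trip fails while the unsigned one succeeds for every possible 32-bit hash.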
Listing 11.3 Conversion algorithm for the first string, ripped from KeygenMe-3 (the source appears as an image in the original and is not reproduced here)
I inserted this function (called ComputeSerial) into a short console-mode program that prompts the user for a name, calls ComputeSerial with it, and prints the return value in decimal. Here is the entry program of my key generator:
(Source of the key generator's entry program, shown as an image in the original; not reproduced here.)
It seems that whatever name is typed into the upper text box of the KeygenMe-3 main window (the same name passed to ComputeSerial as its parameter), typing ComputeSerial's return value into the second text box should make KeygenMe-3 show its success message box. Let's try it: pass "John Doe" to our key generator and note the serial number it produces. Figure 11.9 shows the key generator's output.
Figure 11.9 The KeygenMe-3 key generator running (screenshot not reproduced here)
The resulting serial number is 580695444. Run the unpatched KeygenMe-3, enter "John Doe" in the first text box and "580695444" in the second. It works: KeygenMe-3 accepts the pair as valid. Congratulations, your second cracking exercise is complete.