As mentioned on my other blog site, I was on vacation (parental leave) and had not much to do, with some exceptional free time on my hands. I was just going through the normal computing stuff. I remembered some of the things that I used to do during my study days and I thought I should just try it again and see if my brain has rusted or if I can still code … Well, I certainly have my concerns after working as a product manager now for almost a year and a half. But thank god, I can still code. And well, I downloaded a keygenme, downloaded the tools I needed and sat down to work and create some fun and excitement. I had nothing more to write about, so I thought why not write something about this keygenme and teach many of my readers the basics of assembly, reverse engineering, tools, etc. But I must admit that all the sites that I used to browse during my college days have long been pulled down now (barring a couple of them), so you guys will have to search really hard to get the tools required. But once you get a link to one site, you will get links to all the other sites and tools.
Before I write anything, I pledge that I am writing this article only for information and knowledge sharing and not with any ulterior motives. Having said that, I am also sorry for the author of this keygenme as I am putting the solution out for everybody to see. Hopefully, nobody is using it anymore to become a member of your esteemed crew.
Okay, no more talk. Let's get down to serious work. As you can see, the file to be reverse engineered is a keygenme file, i.e. we need to create a keygen for this particular file and not patch it. Keygenning requires a lot more skill than patching. So let's do it step by step. We will first reverse-engineer and patch the file, then create a patch file, which will be generated using a tool that compares the original and patched file and generates the patcher. After that we will create a keygen for this file. This blog entry will hence be broken down into multiple entries. I will also try to keep it as simple as possible and explain all the steps, but at times it will still get a bit complicated.
Anyway, let's list the tools of the trade. First you need the original keygenme file, which you can download from the link that is hidden somewhere in this article (I want to make it all the more exciting for all you budding/experienced hackers/crackers/reverse engineers!). So use your basic knowledge of the internet, find the hidden link and download the file. Once downloaded, unzip it and place it in a directory convenient for you. Double-click on the exe file. Don't worry, the file is completely checked and doesn't have any viruses or trojans. Running the file shows you a dialog box with 6 text entry fields and 3 command buttons. Write your nickname in the first box (the easiest one), and press the >> button next to it. It will show the message "Too short name or serial…" in the second text entry. Clicking on the >> button once again will show the message "Of course no…".
Hopefully now you get the idea of what needs to be done. When you enter a name, you need to generate the corresponding serial number according to the algorithm in the file. You need to make a keygen (key generator). Let's start with the first step: we patch the file. You will need to have the following tools before you can start doing that:
– W32Dasm (preferably v8.93) – Windows Disassembler is a very good reverse engineering tool. It can attach itself to a process, disassemble an exe or a dll, show string references, imported functions, etc. The more you play with it, the better your understanding of it will get. We will use it to disassemble the keygenme file and look into the code flow, etc. to get an exact idea of where to patch the file.
– Hiew (preferably v6.11) – Hiew is a DOS-based hex editor. It can also show the assembly view of a particular file. We will use this tool to go to a particular offset and then patch/replace the instruction there with an assembly instruction of our choice, so that the file works exactly the way we want it to.
You will have to download these programs yourself and, let me tell you, they are pretty easy to find. I will not be able to give them to you, so please don't ask. Okay, so fire up W32Dasm and load the file. You will now see a disassembled file with a lot of information and things, and it might look pretty confusing at first. But don't worry, the more you play with it, the more you will understand. Also please do read some books on assembly programming. You should be aware of at least the basics.
Open the string data references and look for the string "Of course no…". Double-click on it and you will be taken to a code location inside the disassembly. Look at the status bar, which should read something like "Line:667 Pg 8 and 9 of 25 Code Data @:….". I have not written the entire message, but it basically says that the code data is 25 pages long and we are on pages 8 and 9 at line 667. It will also show the code and data offset along with the file name. The disassembler is telling us that this is one of the places where the string data is referenced.
Repeat the above steps and you should see 2 more locations where that particular string is referenced. Come back to the first reference. We see a lot of "nop" instructions just above the push which is highlighted. These play a very important part in the patch process, which is a bit complicated, so we will tackle it last. Anyway, we go to the second reference of the string data. This should take you to line 1570, Pg 19 of 25…
Look a line above that and we see the instruction "jbe 00401DB4". Cool, if you are aware of a little bit of assembly, you know that jbe stands for jump if below or equal. Above the jbe instruction, we find a call to a procedure and a cmp instruction. We have our first location and instruction to patch. Without much thought, we know that we are entering a wrong serial number, hence the jbe is never taken. To confirm our suspicions, double-click on the jbe and, in the toolbar above, a button "Jump to" will be enabled. Click on that and voila, we reach line 1585, which references the string data object "Good!".
Great, now we know that we should always take the jump even if we enter a wrong serial. So let's take the jump all the time. What is the easiest way to do it? Change the jbe to a ja, which stands for jump if above (because we know that the jump is never taken while we are below or equal, hence we are always above). Now comes the interesting part. Open a command window and go to the location where you have unzipped Hiew. Open Hiew with the full path to the keygenme as a command line argument. Now press F4 and select the asm mode. You will see the assembly listing here. Go back to W32Dasm and double-click on the jbe instruction. In the status bar, look for @offset. You will find something like 0000119BH. This is the offset of the instruction in the executable file. The last letter H stands for hexadecimal.
Go back to Hiew and press F5 (Goto). Type in the above location (0000119B). We now see the jbe instruction. Press F3 (Edit) and the cursor blinks on the 7617. Change the 76 to 77. It should now read 7717; press F9 (Update). This saves the changes we have made in the editor to the file. Now press F10 (Quit). So finally we have patched the third keygen. Run the executable again, enter something in the fifth box, enter something in the next box and click >>. It will now show you the message "Good!".
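Before committing a byte edit in Hiew, it is worth confirming that the bytes at the offset really are the instruction W32Dasm showed and that the edit only flips the condition without moving the target. The following is an added Python example (not from the original post): it decodes the two-byte short Jcc at a file offset, computes its target, and audits the 76→77 edit; it assumes the usual small-PE layout (file offset 0x400 maps to RVA 0x1000 at image base 0x400000), and the buffer it works on is constructed, not the real keygenme.

```python
# Added example, not from the original post. Decode a 2-byte short Jcc at a
# file offset and check what flipping 0x76 (jbe) to 0x77 (ja) changes.
# Assumption: .text starts at file offset 0x400 and RVA 0x1000, image base
# 0x400000 (typical small PE); read the section headers if yours differs.
IMAGE_BASE = 0x400000
TEXT_RAW_OFFSET = 0x400
TEXT_RVA = 0x1000

# Short Jcc opcodes 0x70-0x7F; each even/odd pair are inverse conditions.
JCC_SHORT = {
    0x70: "jo",  0x71: "jno", 0x72: "jb",  0x73: "jae",
    0x74: "je",  0x75: "jne", 0x76: "jbe", 0x77: "ja",
    0x78: "js",  0x79: "jns", 0x7A: "jp",  0x7B: "jnp",
    0x7C: "jl",  0x7D: "jge", 0x7E: "jle", 0x7F: "jg",
}

def file_offset_to_va(offset):
    """Map a raw file offset inside .text to a virtual address."""
    return IMAGE_BASE + TEXT_RVA + (offset - TEXT_RAW_OFFSET)

def decode_jcc_short(data, offset):
    """Return (mnemonic, instruction VA, target VA) for a Jcc rel8 at offset."""
    opcode = data[offset]
    if opcode not in JCC_SHORT:
        raise ValueError(f"byte {opcode:#04x} at {offset:#x} is not a short Jcc")
    rel8 = int.from_bytes(data[offset + 1:offset + 2], "little", signed=True)
    va = file_offset_to_va(offset)
    return JCC_SHORT[opcode], va, va + 2 + rel8  # rel8 is from the next instruction

def invert_condition(opcode):
    """Flipping the low opcode bit inverts a Jcc condition (jbe <-> ja)."""
    if opcode not in JCC_SHORT:
        raise ValueError("not a short Jcc opcode")
    return opcode ^ 1

def describe_patch(original, patched, offset):
    """Audit a one-byte edit: is it only an inverted Jcc with the same target?"""
    before = decode_jcc_short(original, offset)
    after = decode_jcc_short(patched, offset)
    inverted = patched[offset] == invert_condition(original[offset])
    return {"before": before[0], "after": after[0], "target": before[2],
            "inverted_condition": inverted and before[2] == after[2]}

# Constructed sample: zero-filled buffer with "76 17" placed at offset 0x119B,
# mirroring the bytes the post reads off in Hiew (this is not the real file).
SAMPLE = bytearray(0x1200)
SAMPLE[0x119B:0x119D] = b"\x76\x17"
PATCHED = bytearray(SAMPLE)
PATCHED[0x119B] = invert_condition(SAMPLE[0x119B])  # 0x76 -> 0x77, same rel8
```

With the assumed layout the decoder reports the jbe at VA 0x401D9B targeting 0x401DB4, which matches the "jbe 00401DB4" line W32Dasm shows, so the offset is the right one before you press F9.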
Repeating the same process and patching the instruction at offset 00000647H, we achieve similar results for the first keygen. This one will display the message "Good, try next test…". Great going. We have patched 2 keygens, the first and the last one. Now let's patch the middle one. Try doing that as I have described above. Take some time and think before you read on, if you really want to learn how to patch.
So here I end this blog entry. The middle one is a bit tricky, and let's see how you guys fare. Take care and happy reverse engineering for now.