Ever wondered how a keygen works? You have probably used keygens at least once before, so I am sure you are curious as to what happens under the hood. Here is a simple tutorial on how to obtain a valid name and key pair using a debugger. I will be using a really old crackme from 2005, which you can download from here.
So first, let's look at the instructions:
When we first run the crackme program, there is a pop-up message which is quite irritating. Let us load the binary in a debugger and patch the pop-up.
Once loaded in the debugger, the obvious way to remove the irritating pop-up is to patch the call instruction at ‘0040104A’ with NOPs. However, for this crackme program, simply patching that address does not work.
This is because the instruction at ‘00401037’ reverts the NOPs that we placed at ‘0040104A’. To quickly bypass this protection check, we can simply replace the call instruction at ‘00401037’ with NOPs as well. Save the executable and run it. You should notice that the pop-up message box no longer appears.
From here, you should notice that clicking the ‘Check’ button closes the application immediately. What we need to do now is find out where the button’s click event is handled. We could add the following breakpoint:
After that is set, proceed to click on the button. The binary execution should pause and hit the breakpoint at ‘0040113E’.
Stepping through the instructions one by one, you will reach a point where an access violation occurs, which crashes the program at address ‘004015C2’ as shown in the snapshot below.
If we backtrack from this location, we can avoid this access violation by simply patching the call instruction at ‘00401449’ with NOPs as shown below. Proceed to save the changes and re-run the executable. Clicking the button should no longer crash.
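The three call sites above (‘0040104A’, ‘00401037’ and ‘00401449’) are NOPed by hand in the debugger. As an added example that is not part of the original post, the following Python does the same edit on the saved file: it translates a virtual address to a raw file offset through the PE section table, checks that a 5-byte near call (opcode E8) really sits there before touching anything, and overwrites it with NOPs. The image base, section layout and sample bytes are constructed for the demonstration, not read from the crackme.

```python
# Added example: patch a 5-byte near CALL to NOPs in a PE32 file on disk.
# The image base and section layout below are constructed, not the crackme's.

NOP = 0x90
CALL_REL32 = 0xE8   # opcode of a near relative call, always 5 bytes long
CALL_LEN = 5


def va_to_file_offset(va, image_base, sections):
    """Map a virtual address to a raw file offset using the section table.

    `sections` is a list of (virtual_address, virtual_size, raw_pointer, raw_size)
    tuples, i.e. the fields of each PE section header (addresses are RVAs).
    """
    rva = va - image_base
    for virt_addr, virt_size, raw_ptr, raw_size in sections:
        if virt_addr <= rva < virt_addr + max(virt_size, raw_size):
            delta = rva - virt_addr
            if delta >= raw_size:   # address lives in uninitialised (.bss-like) space
                raise ValueError(f"VA {va:#010x} is not backed by file data")
            return raw_ptr + delta
    raise ValueError(f"VA {va:#010x} lies outside every section")


def nop_call(data, va, image_base, sections):
    """Return a copy of `data` with the CALL at `va` replaced by five NOPs.

    Refuses to patch unless the byte at the target is E8, so a mistranslated
    address cannot silently clobber unrelated code.
    """
    off = va_to_file_offset(va, image_base, sections)
    if data[off] != CALL_REL32:
        raise ValueError(f"byte at {va:#010x} is {data[off]:#04x}, not CALL (E8)")
    patched = bytearray(data)
    patched[off:off + CALL_LEN] = bytes([NOP] * CALL_LEN)
    return bytes(patched)


# Constructed sample: a single .text section at RVA 0x1000 backed by file
# offset 0x400, image base 0x400000, so VA 0x0040104A maps to offset 0x44A.
IMAGE_BASE = 0x00400000
SECTIONS = [(0x1000, 0x1000, 0x400, 0x1000)]
_buf = bytearray(0x1400)
_buf[0x44A:0x44F] = b"\xE8\x11\x22\x33\x44"   # a CALL placed at 0x0040104A (constructed)
SAMPLE = bytes(_buf)

if __name__ == "__main__":
    patched = nop_call(SAMPLE, 0x0040104A, IMAGE_BASE, SECTIONS)
    print(patched[0x44A:0x44F].hex())   # 9090909090
```

Run it against the real binary by replacing `SAMPLE`, `IMAGE_BASE` and `SECTIONS` with the file contents and the values shown in the debugger's memory map; the E8 check will refuse any address that does not hold a call.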
From here, we can start the process of obtaining the name and key pair. In my case I chose the string ‘v00d00sec’. However, it still did not work. I realised why: the algorithm checks that the length of the name is not less than 5 characters and not greater than 8 characters (CMP EAX,5 and CMP EAX,8). So, I chose ‘v00d00’ instead.
Now that we know what is going on, we can proceed to step through the instructions and see what is happening. It takes a bit of trial and error, but you will soon realise that the full key is generated at address ‘00401373’.
So there we have it, the password for the username ‘v00d00’ is ‘Q]-CWUAB-DEf’!