Basic Keygen Creation Process

Ever wondered how a keygen works? You have probably used keygens at least once before, so I am sure you are curious as to what happens under the hood. Here is a simple tutorial on how to obtain a valid name and key pair using a debugger. I will be using a really old crackme from 2005, which you can download from here.

So first, let's look at the instructions:

[Screenshot: 00_first]

When we first run the crackme program, there is a pop-up message which is quite irritating. Let us load the binary in a debugger and patch the pop-up.

[Screenshot: 01_program_loaded]

Once loaded in the debugger, the obvious way to remove the irritating pop-up is to patch the call instruction at ‘0040104A’ with NOPs. However, for this crackme program, simply patching that address does not work.

[Screenshot: 02_0_patching_this_with_nop_doesnt_help]

This is because the instruction at ‘00401037’ reverts the NOPs that we placed at ‘0040104A’. To quickly bypass this protection check, we can simply replace the call instruction at ‘00401037’ with NOPs as well. Save the executable and run it; you should notice that the pop-up message box no longer appears.

[Screenshot: 02_1_after_patching_w_nops]

From here, you should notice that clicking the ‘Check’ button closes the application immediately. What we need to do now is find out where the button’s click event is handled. We can set the following breakpoint:

[Screenshot: 03_0_set_breakpoint_winproc]

After the breakpoint is set, click the button. Execution should pause at the breakpoint at ‘0040113E’.

[Screenshot: 03_01_check_btn_handler]

Stepping through the instructions one by one, you will reach a point where an access violation occurs and crashes the program at address ‘004015C2’, as shown in the snapshot below.

[Screenshot: 03_2_access_violation_here_crashed]

Backtracking from this location, we can avoid the access violation by patching the call instruction at ‘00401449’ with NOPs, as shown below. Save the changes and re-run the executable; clicking the button should no longer crash it.

[Screenshot: 06_clicking_check_crashes_so_patch_the_access_violation]
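Before overwriting a call site found in the debugger (such as ‘00401037’ or ‘00401449’ above), it is worth confirming that the bytes at that address in the file really are a 5-byte CALL rel32 and seeing where it points. The following is an added example, not code from the original post or from the crackme: it maps a virtual address to its file offset through the PE section table and decodes the CALL. The PE image it runs on is constructed in memory (one .text section, image base 0x00400000, a call at 0x00401037 to a made-up routine at 0x00401500); the real crackme's layout is an assumption here.

```python
import struct

def parse_pe(pe: bytes):
    """Return (image_base, [(virtual_addr, virtual_size, raw_ptr, raw_size), ...]) for a PE32."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # IMAGE_FILE_HEADER: NumberOfSections at +6, SizeOfOptionalHeader at +20
    nsec, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    image_base = struct.unpack_from("<I", pe, e_lfanew + 24 + 28)[0]  # IMAGE_OPTIONAL_HEADER32.ImageBase
    sections, off = [], e_lfanew + 24 + opt_size
    for _ in range(nsec):                                         # 40-byte IMAGE_SECTION_HEADER entries
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((va, vsize, rptr, rsize))
        off += 40
    return image_base, sections

def va_to_file_offset(pe: bytes, va: int) -> int:
    """Map a debugger virtual address (e.g. 0x00401037) to the offset of the same byte in the file."""
    base, sections = parse_pe(pe)
    rva = va - base
    for sva, vsize, rptr, rsize in sections:
        if sva <= rva < sva + max(vsize, rsize):
            if rva - sva >= rsize:
                raise ValueError("address is in the virtual-only tail of the section (not in the file)")
            return rptr + (rva - sva)
    raise ValueError(f"0x{va:08X} is outside every section")

def call_target(pe: bytes, va: int):
    """If the bytes at va are a 5-byte CALL rel32 (opcode E8), return its absolute target, else None."""
    off = va_to_file_offset(pe, va)
    if pe[off] != 0xE8:
        return None
    rel = struct.unpack_from("<i", pe, off + 1)[0]
    return (va + 5 + rel) & 0xFFFFFFFF

def build_sample_pe() -> bytes:
    """Constructed stand-in for the crackme: a minimal PE32 with one .text section."""
    e_lfanew, img = 0x80, bytearray(0x1400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, e_lfanew + 4, 0x14C, 1)          # Machine=i386, NumberOfSections=1
    struct.pack_into("<H", img, e_lfanew + 20, 0xE0)              # SizeOfOptionalHeader for PE32
    struct.pack_into("<I", img, e_lfanew + 24 + 28, 0x00400000)   # ImageBase
    sec = e_lfanew + 24 + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x1000, 0x1000, 0x1000, 0x400)  # vsize, VA, rawsize, rawptr
    off = 0x400 + 0x37                                            # file offset of VA 0x00401037
    # CALL rel32 to a made-up routine at 0x00401500 (rel is relative to the next instruction)
    struct.pack_into("<Bi", img, off, 0xE8, 0x00401500 - (0x00401037 + 5))
    return bytes(img)
```

On the constructed image, va_to_file_offset(pe, 0x00401037) gives 0x437 and call_target resolves the CALL to 0x00401500; a byte that is not E8 returns None, which is the signal not to NOP it.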

From here, we can start the process of obtaining the name and key pair. In my case I chose the string ‘v00d00sec’, but it still did not work. The reason is that the algorithm checks that the length of the name is not less than 5 characters and not greater than 8 characters (CMP EAX,5 and CMP EAX,8). So I chose ‘v00d00’ instead.

[Screenshot: 07_1_v00d00_username]

Now that we know what is going on, we can step through the instructions and watch what happens. It takes a bit of trial and error, but you will soon realise that the full key is generated at address ‘00401373’.

[Screenshot: 07_final_password]

So there we have it, the password for the username ‘v00d00’ is ‘Q]-CWUAB-DEf’!

[Screenshot: 08_done]
