Exetools  

  #1  
Old 08-25-2003, 18:50
dynio
 
Posts: n/a
Applied Cryptography Intro - Keygen ExeShield Yourself

A step by step applied cryptographic intro - Keygen ExeShield v2.8a Yourself, without touching its code.
(Sorry for the delay...)

I've chosen ExeShield v2.8a as our target, just because it's the latest "security system to protect your applications from unauthorized use, copying or distribution". Huh, hopefully that was only a quote from its help file. If we believed these professionals, we would never touch it. But, as we like to learn what new security professionals have invented, we are ready to verify their assurances. Let's assume we want to buy their protector, but before that we want to verify whether it is as good as they claim. ExeShield stands for system protection, but... it's protected with the latest and strongest competing protector, called Xtreme Protector! Yeah, I was a bit surprised too. Who is selling a protector protected with another competing protector??? Ok. That's not bad anyway... It must be much harder for us then. Furthermore, we should gain some undiscovered knowledge and, last but not least: THE SATISFACTION. Intentionally I've skipped describing the exe protection itself - it's too hard and too long for our first meeting. Encrypted text, injected files, embedded executables, anti-SoftICE tricks (not only the well-known "MeltIce" but some newer ones, VERY boring) and XProtector itself - it would take me a few hours to describe these procedures. Hope I'll find some time next month. Ok. Let's go:
I bet You've seen keygenerators where crackers were writing something like this: "...PROTECTION: MD5 RC4 SHA...". I can imagine Your face: "Oh my God! He is the best! Maybe he's Bill Gates himself! How does he know how to force these algos?? How does he know these certain types were used??? I would give everything to meet a guy like him!...". Read this small tutorial and You'll be one step closer to him.
We are taking ExeShield on the table only because I've discovered "some" (it really outgrew my expectations) people being interested in this protector. Ok. We know ES (short for ExeShield) is using some crypto just because it's modern nowadays. We know ES is using USERNAME and KEY to verify proper registration. We also know it's based on the computer we use, certainly: COMPUTER NAME (GetComputerNameA from Kernel32.dll), MAINBOARD BIOS DATE (the string located at 1FFF5 to 1FFFD), an FPU-calculated result and some strange static string: GVS-1782&-gvs-0019981. Also we know that while executing, ES searches for a file called Exeshield.lic. Well... it's a VERY QUICK TUTORIAL so don't blame me (if I hear Your opinion and feel my time didn't get wasted, I'm open to writing some other, more serious tutorials (dumping, rebuilding, hooking, crypto, reversing at the lowest level (drivers), dongles, assembly optimizing...)).
After running ES, at the left side of the main window, we can see a picture with a strange code (for me it's 410753AE) - that's Your registration number, which You'll be asked for if You would like to buy ES. Where should we start? Well, as always, firstly we must discover how this unique number is calculated. I did all the things for You.

***CUT*** Please download the attachment for the full tutorial and printable Microsoft Word version (You can still keygen it by reading this one).

Suppose ES is using MD5 for hashing (crypting) this string. A hash, or better: a hashing function, is a mathematical function with a variable-length input. This function returns a fixed-length value (for MD5 it's 128 bits) which we call a hash. Some people call it a one-way hash function. The most important thing to remember is: the hash function is public (it enables people to compute hash values by themselves) and You can't reverse it (if I gave You a hash, You wouldn't be able to find the input). I hear You: "What is this jester talking about??? He must show me how he found it was MD5". Ok. But please remember: everything is simple only if You are trying to understand the point. Ron Rivest introduced MD5 (MESSAGE DIGEST) in 1992 as the stronger version of the MD4 algorithm, which has been found to be the "collision master" (that's only my naming. More on collisions maybe at our next meeting). If You want to resolve it a little deeper I recommend RFC1321 (w*w.faqs.org/rfcs/rfc1321.html). Also remember there are some Australian extensions of MD5 known as HAVAL (128-256 bits) by Z.P.S. What more should You know about it? I don't want to make You confused in the beginning, so just remember it generates a 128-bit hash (in assembler we would call it a paragraph, which represents a length of 16 bytes) from Your input. How? It's not so complex: it divides Your data into 512-bit blocks and then divides those into 32-bit integers which are ready for later mixing. It sounds simple, as it is indeed. I hear Your wise question: "What if the data is less than 512 bits?". More about it maybe in the future - IT'S ONLY AN INTRO and I'm not sure if someone needs this tutorial in this way.
We're missing the point, so back to the subject: we have ROMBURAK01/27/03-127716252GVS-1782&-gvs-0019981. Let's hash it with MD5. We get: 410753A60E420C37453F2D707F249B4E. Now let's look at my Registration number I've seen on ExeShield and mentioned in the beginning: 410753AE. Doesn't it look familiar? Yeah, it's our first 4 chars from the MD5 result with the last char exchanged. The last char of the ExeShield Registration number was replaced with the last char of the MD5 hash. Why? I suppose the author just wants to make sure the whole calculation computed correctly. Now we know how this unique number is calculated. That's something. Let's call it "HDID" later. What's next? We need to make something... Something to make the program read our inputs - the user name and key. If You've read carefully, You know ES reads the Exeshield.lic file. The file should look like this: the first ASCIIs are taken as the user name, the name ends when the $0d, $0a values occur. Then the next chars are taken as the key - which has to be the correct length (29 ASCIIs - with dashes), the last char of the key should be the last byte of the file (I mean it doesn't search for $00 or $0d, $0a). In the simplest way, we can say: the licence file contains two ASCII strings: the first for the user name and the second for the key.
Let's assume that the user name, the Exeshield.lic string (xor'ed by the $32 value), HDID and the "ExeShield" string are joined together into a single string (for me it looks like this: dyn!owJWAZ[W^V.^[Q410753AEExeShield). Now pay attention for the moment: after xor'ing the Exeshield.lic string we have: JWAZ[W^V.^[Q but the tenth char ISN'T A DOT ($2e) but a non-ASCII char: ($1c). You have to enter this string in any hex editor, then replace the tenth char ($2e) with $1c - then copy the ASCII to Damn Hash Calc. If You don't notice that, the final key will be useless. Back to work... let's hash dyn!owJWAZ[W^V.^[Q410753AEExeShield with MD5 again. We obtain: 54DD0D4BC970DBAFA98BB6DBA89CC99D. As I've written before, the final code is calculated with MD5, so we are a few steps away from dealing with the whole registration scheme. If You can't follow up, I suggest a little break... some coffee should help. And believe me, this example is not a tough one, moreover, it's the simplest one - if You want to become a crypto master, better forget about Your family and friends, also start earning for eyeglasses.
So, how do we know application x1 is using CRC, x2 is using IDEA, x3 is using RC4, etc.? There are a few methods (tracing the code, reversing, searching declared functions, etc.) but as we want this tutorial in a SIMPLE and SHORT way, we will learn something very quickly and very simply (I hope so) - but for reversers and crackers, very interesting and useful. For our purposes we will use DAMN Hash Calc 1.5.1 by Ivanopulo/DAMN (sadly, he is absent, also DAMN has been off for a long time) - I've attached this tool with this post.

**** CUT ***

Hmm... we know the final key consists of five strings of four bytes each, split with single dashes. Maybe it's time to start trying to register ExeShield. Why not? Let's insert the dashes: 54DD-0D4B-C970-DBAF-A98B-B6DB-A89C-C99D, now let's make it 20 ASCII bytes long: 54DD-0D4B-C970-DBAF-A98B. Now, let's make the Exeshield.lic file. For me it looks just like this:

dyn!o
54DD-0D4B-C970-DBAF-A98B

Run ExeShield, check the about dialog. And what? Nothing. Hmm... We remember the author was pretty accurate during HDID calculating, so let's try his trick again: replace the last char of the code with the last char of the hash result. We get: 54DD-0D4B-C970-DBAF-A98D. Trying again. Now it's properly registered. If You take a look at the about box, You'll find it's a STANDARD LICENCE. We want a PROFESSIONAL LICENCE. Well, just not to make You bored, I won't write all the steps again. All You have to do to obtain a professional licence is repeat the whole procedure, except when joining the user name, Exeshield.lic string, HDID and "ExeShield" string, You must replace the ExeShield string with the ExeShield-Pro string (of course all the strings are case sensitive). You'll get a key which will be recognized as a professional licence.
Now You see how easy keygenerators are... The hardest thing is to find all the steps, their proper order and finally, locate the functions responsible for code calculating. Then You'll need about 15-30 minutes to write Your keygenerator. Remember: every application can be reversed and keygenned. An average coder needs about 10 minutes to write a proper MD5 hashing function (if he knows at least that, what You're actually reading). In assembly we would need about 30 lines of code for this function - so, is there anything You should be afraid of? I doubt it. From now on, I hope You won't be scared anymore.

I've tried to write this intro as simply and as short as possible. My goal was to make You wiser and braver immediately after the very first reading.

*** CUT ***

Regards.
dyn!o
Attached Files
File Type: zip dhc+doc.zip (66.6 KB, 129 views)

Last edited by dynio; 08-26-2003 at 17:12.
  #2  
Old 08-25-2003, 19:17
dynio
 
Posts: n/a
I've visited the ExeShield homepage now and downloaded their latest version. It's 2.8b - in this version they have removed the Xtreme Protector envelope!
I can only suppose they have tried XProtector (there is option like this on XProtector page) but after reading ExeTools forum they changed their mind...

I'm still trying to upload the version described in this tutorial to FTP (I have problems with the password - dunno why....)

Last edited by dynio; 08-26-2003 at 16:44.
  #3  
Old 08-25-2003, 20:03
dynio
 
Posts: n/a
Done. I've successfully uploaded ExeShield 2.8a which is Xtreme Protected to FTP under "ExeShield 2.8 (XProtectected)" directory.

I won't touch ExeShield in the future, since without XProtector it's not fun anymore.

Regards.
  #4  
Old 08-25-2003, 21:47
bunion bunion is offline
Friend
 
Join Date: Apr 2002
Posts: 227
Rept. Given: 45
Rept. Rcvd 11 Times in 8 Posts
Thanks Given: 0
Thanks Rcvd at 6 Times in 6 Posts
bunion Reputation: 11
Hey Dynio, big THANKS for all the trouble getting your tutorial out, it's much appreciated !!!

paul333
  #5  
Old 08-25-2003, 21:51
koncool
 
Posts: n/a
dyn!o thanks! BTW plz correct your bold tags on your 2nd post. You're great!
  #6  
Old 08-26-2003, 02:40
dynio
 
Posts: n/a
Thanks Paul3333 and Koncool... I always appreciate every opinion (even bad) from other people. I will still try to help You all as much as I can.

And about bolding... All I was trying to say was: I'm VERY SURPRISED and disappointed they don't use Xtreme Protector anymore... I won't touch ExeShield then - it's not a challenge anymore.

Regards.

Last edited by dynio; 08-26-2003 at 16:46.
  #7  
Old 08-26-2003, 03:43
uban
 
Posts: n/a
Good story

Dynio be praised - very good stuff. Hope NOT the last one

Uban.
  #8  
Old 08-26-2003, 04:49
Squidge Squidge is offline
Drunken Squirrel
 
Join Date: Oct 2002
Posts: 412
Rept. Given: 4
Rept. Rcvd 9 Times in 4 Posts
Thanks Given: 0
Thanks Rcvd at 6 Times in 6 Posts
Squidge Reputation: 9
Good work dynio! I'm quite surprised their registration routine was so simplistic. But then again, everything's simple when you describe exactly how it works.
  #9  
Old 08-26-2003, 16:04
dynio
 
Posts: n/a
Be ready... If I find something interesting we will meet again... Sadly, from October I won't have free time.
Please pay attention for the moment: I made a small (?) mistake within the full txt tutorial (the one which describes how the Registration # is calculated).
The mistake is: I've written that You have to replace the ninth char (which isn't a dot). Of course I had in mind the tenth char (which is a dot). Sorry.

So far I've seen this file being downloaded 77 times. I've reattached this one, so the counter has been reset and You can download the attachment, which is now corrected.

Regards.

Last edited by dynio; 08-26-2003 at 17:46.
  #10  
Old 08-28-2003, 12:47
R@dier
 
Posts: n/a
@dynio

Thanks for this great tute, well written and explained,
I am looking forward to your next installment hopefully
on import rebuilding and dumping

Many Thanks

R@dier

  #11  
Old 08-29-2003, 20:35
dynio
 
Posts: n/a
I hope so...
  #12  
Old 08-30-2003, 06:31
Squidge Squidge is offline
Drunken Squirrel
 
Join Date: Oct 2002
Posts: 412
Rept. Given: 4
Rept. Rcvd 9 Times in 4 Posts
Thanks Given: 0
Thanks Rcvd at 6 Times in 6 Posts
Squidge Reputation: 9
Well, no one seems to want to write an exeshield keygen, but they complain about the one in the exetools FTP?

Doesn't anyone want to learn?

To help you on your way if you're having problems, I've attached a small C program that is the start of an exeshield keygen. It contains all the MD5 routines required, and gives you all the information needed. Simply take the information from this thread to turn it into a fully featured keygen.

This is a console application so should work in any compiler capable of making console applications (and if not, just turn it into a windows app).
Attached Files
File Type: rar exeshield-keygen.rar (6.1 KB, 66 views)
  #13  
Old 08-30-2003, 22:08
dynio
 
Posts: n/a
Squidge - great post.
That's what I meant it to be. The question is: are we here for downloading or for learning? It's always nice to see Your work being used...
A lot of people ask: "how to write a keygen??". I think this thread is a great deal for the ones who are beginning to write keygens.

Regards.