Exetools  

#1
03-01-2005, 00:14
thomasantony
Keygenning Checksum based algos

Hi,
I have come across many keygenmes etc. that find some checksum of a serial, then perform some XORs etc. on it and finally check it against a value. How can I crack such protections? Is brute-forcing the only way?

Thomas Antony
#2
03-01-2005, 16:59
Dmit
The correct way is to analyze the serial-checking algorithm and reverse it (build a function that generates a correct serial for any name). In some cases (strong asymmetric crypto or table-based serial checking) the algorithm cannot be reversed, and building a keygen is impossible.
#3
03-02-2005, 00:01
thomasantony
Hi,
Yeah, for most algos that depend on the name, I can do that. But some just take the serial, calculate its checksums in a complicated manner and perform some more calculations before it is compared to a value. I am mostly able to reverse it until I find the correct checksum for the key. But I can go no further.

Thomas Antony
#4
03-04-2005, 10:23
k2k2000 (Friend, Join Date: Aug 2004)
Babylon Pro v4x protection uses similar tactics for serial key verification.
#5
03-04-2005, 23:20
shyokou
train both it and yourself :)

If you mean that the algorithm is independent of the given name, then it might be something other than user locked. Besides user lock, you may try to find any sign of system lock, hardware lock, time lock, etc., that has something to do with the serial, if the serial changes along with those environments.
If you are lucky and the serial is not locked against anything, then it might be a self-checked serial. So some parts of the serial are bait, the rest are for validating. That all depends upon the design ... which you should have known before you get a clue how to defeat it, I think.
#6
03-06-2005, 00:35
thomasantony
Hi,
Sorry for the late reply. Suppose I get a crackme program. (I did get one :-) ) It takes the name and finds the checksum using a function which uses some ROLs etc. Then it takes the serial and finds its checksum using ANOTHER function. Then the serial is valid only if both the checksums are equal. How do I solve this?

Thomas Antony
#7
03-07-2005, 04:58
Dmit
Let's name the function that takes the name and finds the checksum F1(), and the other function (for the serial) F2().
You need to build a function F2'() which is the inverse of F2(), i.e. F2(F2'(x)) == F2'(F2(x)) == x.

After that, to get a valid serial for any name, just calculate F2'(F1(Name)).
#8
03-07-2005, 18:17
thomasantony
Hi,
I tried that way. I can't seem to be able to reverse the algo. I get weird chars in the code, and that also doesn't work in the actual program. The function they use on the name is:

mov esi,OFFSET NameBuffer
cdq                          ; edx = sign extension of eax (0 when eax >= 0): the running sum
@@:
mov eax,dword ptr [esi]      ; dword at the current offset
inc esi
add edx,eax                  ; sum the overlapping dwords
shr eax,18h                  ; top byte = byte at offset +3
test eax,eax
jnz @B                       ; stop once that byte is the terminator

Then they do this with the code:

mov esi,OFFSET CodeBuffer
xor edx,edx
xor ecx,ecx
@@:
inc ecx                      ; ecx = 1..16, so CodeBuffer[0] is never read
movzx eax,byte ptr [esi+ecx]
not al
add dh,al                    ; dh += ~byte (byte-wide, no carry into the upper word)
rol edx,5
not al
mov dl,al                    ; low byte := byte, overwriting 8 rotated bits
cmp ecx,16
jne @B

It compares edx with the previous checksum. I tried reversing the second algo like this:

mov ecx,10h
xor eax,eax
mov edi,OFFSET CodeBuffer    ; stosb starts at CodeBuffer[0] and moves in the direction set by DF
@@:
mov al,dl                    ; take the byte back out of dl
not al
ror edx,5                    ; undo rol edx,5
sub dh,al                    ; undo add dh,al
not al
stosb                        ; store the byte and advance edi
dec ecx
jne @B

It's not working. Please help!!

Thomas Antony
#9
03-07-2005, 23:18
shyokou
Different starting points?

Look at the code block 2, it reads from CodeBuffer[ 1 .. 16 ] to give the EDX; but in your so-called "reversed" code block, it writes to CodeBuffer[ 0 .. 15 ] or CodeBuffer[ -15 .. 0 ] depending upon the direction flag ...

They are NOT the reverse of each other at all ((

I am afraid you should revise the "reversed" code block to write to CodeBuffer[ 16 .. 1 ] instead, not only the ROR/SUB etc ....
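As an added example (not code from the thread), here is a Python model of the two routines posted in #8 together with the reversed loop after the index fix from #9, which is enough to check Dmit's F2'(F1(Name)) recipe from #7. It assumes cdq left EDX = 0 in the name routine and a 17-byte serial buffer whose byte 0 is skipped; because each round of the serial routine discards 8 bits of state, every 32-bit checksum has an enormous number of matching serials, so a check of the form F1(name) == F2(serial) gives no real protection, and the generated bytes are arbitrary values, which is what the "weird chars" in #8 are.

```python
# Added example, not code from the thread: Python model of the name routine
# and serial routine from post #8, plus the reversed loop with post #9's fix
# (store into CodeBuffer[16..1] to match the forward read of CodeBuffer[1..16]).
MASK32 = 0xFFFFFFFF

def rol32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def ror32(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32

def f1_name(name: bytes) -> int:
    """Sum of overlapping little-endian dwords of the NUL-terminated name, ending
    when the byte at offset +3 is the terminator. Assumes cdq left EDX = 0."""
    buf = name + b"\x00" * 4
    edx, i = 0, 0
    while True:
        eax = int.from_bytes(buf[i:i + 4], "little")   # mov eax,dword ptr [esi]
        edx = (edx + eax) & MASK32                       # add edx,eax
        i += 1                                           # inc esi
        if eax >> 24 == 0:                               # shr eax,18h / test / jnz
            return edx

def f2_serial(code: bytes) -> int:
    """Checksum of the 17-byte serial buffer; CodeBuffer[0] is never read."""
    edx = 0
    for ecx in range(1, 17):
        al = (~code[ecx]) & 0xFF                         # not al
        dh = (((edx >> 8) & 0xFF) + al) & 0xFF           # add dh,al
        edx = rol32((edx & 0xFFFF00FF) | (dh << 8), 5)   # rol edx,5
        edx = (edx & 0xFFFFFF00) | code[ecx]             # not al / mov dl,al
    return edx

def f2_inverse(target: int) -> bytes:
    """Post #8's reversed loop, storing downward from CodeBuffer[16]. Each forward
    round discards 8 bits of state, so this is one of many serials for the target."""
    code = bytearray(17)
    edx = target & MASK32
    for ecx in range(16, 0, -1):
        c = edx & 0xFF                                   # mov al,dl
        al = (~c) & 0xFF                                 # not al
        edx = ror32(edx, 5)                              # ror edx,5
        dh = (((edx >> 8) & 0xFF) - al) & 0xFF           # sub dh,al
        edx = (edx & 0xFFFF00FF) | (dh << 8)
        code[ecx] = c                                    # stosb, edi moving down
    return bytes(code)

def keygen(name: bytes) -> bytes:
    return f2_inverse(f1_name(name))                     # Dmit's F2'(F1(Name)), post #7
```

The forward routine forgets its starting state after six rounds, so it does not matter that the reversed loop ends on some arbitrary EDX rather than on the zero the real code starts from.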
#10
03-08-2005, 12:52
TQN (VIP, Join Date: Apr 2003, Location: Vietnam)
Hi thomasantony!
I saw something wrong in your reversed code. Can you attach that keygenme/crackme?
#11
03-17-2005, 20:02
thomasantony
Hi,
Can someone help me with that one? I also found another algo which I can't reverse. It is:
00401380 . BE E0324000 MOV ESI,KEYGENME.004032E0 ; Key1 (DWORD)
00401385 . BF 0B334000 MOV EDI,KEYGENME.0040330B ; Key2 (DWORD)
0040138A . B9 09000000 MOV ECX,9
0040138F > 0FBE0433 MOVSX EAX,BYTE PTR DS:[EBX+ESI]
00401393 . 0FC1C1 XADD ECX,EAX
00401396 . 03CB ADD ECX,EBX
00401398 . 66:0FACC2 04 SHRD DX,AX,4
0040139D . FEC2 INC DL
0040139F . 32D6 XOR DL,DH
004013A1 . 88143B MOV BYTE PTR DS:[EBX+EDI],DL
004013A4 . 43 INC EBX
004013A5 . 83FB 04 CMP EBX,4
004013A8 .^ 75 E5 JNZ SHORT KEYGENME.0040138F

I have Key2. I want to get key1. How do I do it?

BTW, I had made a post earlier but it didn't appear. Maybe the old man deleted it because I didn't have 15 posts then.

Thomas Antony
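The thread does not answer this one, so as an added example (not code from the thread) here is a Python model of the loop in #11 and of what Key2 actually retains of Key1. The listing does not show EBX or EDX at loop entry, so the model assumes EBX = 0 and DX = 0 (dx0 is a parameter in case the real value differs); the point it demonstrates is that XADD hands the old ECX to AX, SHRD keeps only AX & 0xF, and so Key2 fixes each Key1 byte only modulo 16 and never touches Key1[3].

```python
# Added example, not code from the thread: model of the loop in post #11 and
# what Key2 reveals about Key1. Assumes EBX = 0 and DX = 0 at loop entry
# (the listing shows neither); pass dx0 if the real value differs.
def key2_from_key1(key1: bytes, dx0: int = 0) -> bytes:
    """Forward transform: 4 rounds, ECX = 9 at entry."""
    ecx, dx, out = 9, dx0 & 0xFFFF, bytearray(4)
    for ebx in range(4):
        eax = key1[ebx] - 0x100 if key1[ebx] & 0x80 else key1[ebx]  # movsx eax,byte
        ax = ecx & 0xFFFF                                 # xadd ecx,eax: eax <- old ecx
        ecx = (ecx + eax + ebx) & 0xFFFFFFFF              # ecx <- ecx + eax ; add ecx,ebx
        dx = ((dx >> 4) | ((ax & 0xF) << 12)) & 0xFFFF    # shrd dx,ax,4
        dl, dh = dx & 0xFF, dx >> 8
        dl = ((dl + 1) & 0xFF) ^ dh                       # inc dl ; xor dl,dh
        dx = (dh << 8) | dl
        out[ebx] = dl                                     # mov [ebx+edi],dl
    return bytes(out)

def key1_low_nibbles(key2: bytes, dx0: int = 0) -> tuple:
    """Undo the rounds. Only AX & 0xF (low nibble of ECX) enters DX, and ECX before
    each round is 9, 9+k0, 10+k0+k1, 12+k0+k1+k2, so Key2 fixes each Key1 byte
    only mod 16 and says nothing about Key1[3]. Returns (k0, k1, k2) mod 16."""
    dx, nib = dx0 & 0xFFFF, []
    for i in range(4):
        shifted = dx >> 4                                 # DX before the new nibble lands
        dl_plus = ((shifted & 0xFF) + 1) & 0xFF           # inc dl
        dh_low = (shifted >> 8) & 0xF                     # bits 8..11 survive into DH
        if (key2[i] & 0xF) != ((dl_plus & 0xF) ^ dh_low):  # low nibble ignores Key1
            raise ValueError("Key2 impossible for the assumed initial DX")
        n = ((key2[i] >> 4) ^ (dl_plus >> 4)) & 0xF       # upper nibble = AX & 0xF
        nib.append(n)
        dx = (((n << 4) | dh_low) << 8) | key2[i]         # DX after the round
    if nib[0] != 9:
        raise ValueError("round 0 must see ECX = 9")
    k0 = (nib[1] - 9) & 0xF
    k1 = (nib[2] - 10 - k0) & 0xF
    k2 = (nib[3] - 12 - k0 - k1) & 0xF
    return k0, k1, k2
```

Sign extension changes the sums only by multiples of 256, so it does not affect the recovered nibbles; any Key1 with those three low nibbles (and any Key1[3]) produces the same Key2.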