Reversing : The Hacker's Guide to Reverse Engineering


challenge, where the protected program takes the volume serial number and the username and generates a challenge, which is just a long number. The user is then given that number and is supposed to call the software vendor and ask for a valid product key that will be generated based on the supplied number. In such cases, a keygen would simply convert the challenge to the product key. As its name implies, KeygenMe-3 was meant to be keygenned, so by patching it you were essentially cheating. Let's rectify the situation by creating a keygen for KeygenMe-3.


Ripping Key-Generation Algorithms


Ripping algorithms from copy protection products is often an easy and effective method for creating keygen programs. The idea is quite simple: locate the function or functions within the protected program that calculate a valid serial number, and port them into your keygen. The beauty of this approach is that you don't really need to understand the algorithm; you simply need to locate it and find a way to call it from your own program.

The initial task you must perform is to locate the key-generation algorithm within the crackme. There are many ways to do this, but one that rarely fails is to look for the code that reads the contents of the two edit boxes into which you're typing the username and serial number. Assuming that KeygenMe-3's main screen is a dialog box (and this can easily be verified by looking for one of the dialog box creation APIs in the program's initialization code), it is likely that the program would use GetDlgItemText or that it would send the edit box a WM_GETTEXT message. Working under the assumption that it's GetDlgItemText you're after, you can go back to the Names window in OllyDbg and look for references to GetDlgItemTextA or GetDlgItemTextW. As expected, you will find that the program is calling GetDlgItemTextA, and on opening the Find References to Import window, you find two calls into the API (not counting the direct JMP, which is the import address table entry).


004012B1 PUSH 40 ; Count = 40 (64.)
004012B3 PUSH Key4.0040303F ; Buffer = Key4.0040303F
004012B8 PUSH 6A ; ControlID = 6A (106.)
004012BA PUSH DWORD PTR [EBP+8] ; hWnd
004012BD CALL <JMP.&USER32.GetDlgItemTextA> ; GetDlgItemTextA
004012C2 CMP EAX,0
004012C5 JE SHORT Key4.004012DF
004012C7 PUSH 40 ; Count = 40 (64.)
004012C9 PUSH Key4.0040313F ; Buffer = Key4.0040313F
004012CE PUSH 6B ; ControlID = 6B (107.)
004012D0 PUSH DWORD PTR [EBP+8] ; hWnd

Listing 11.1 Conversion algorithm for first input field in KeygenMe-3. (continued)
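The following C program is an added example; it is not code from the book and not KeygenMe-3's real algorithm. It models the challenge/response scheme described above with a hypothetical conversion routine (constructed constants throughout) and mirrors the input-reading step visible in Listing 11.1 (a 64-byte Count, and the CMP EAX,0 / JE that rejects an empty first field). The point it demonstrates is why ripping works: to validate a key, the protected program has to embed the very routine that produces valid keys, so a keygen only has to call that routine, never understand it.

```c
/* Added example, not from the book or KeygenMe-3. All constants and
 * routine names are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_INPUT 64  /* same Count = 40h the listing passes to GetDlgItemTextA */

/* Hypothetical: fold the volume serial and username into the challenge number. */
uint32_t make_challenge(uint32_t volume_serial, const char *username) {
    uint32_t h = volume_serial ^ 0x5A5A5A5Au;          /* constructed constant */
    for (const unsigned char *p = (const unsigned char *)username; *p; ++p) {
        h = (h ^ *p) * 16777619u;                       /* FNV-style mixing */
        h = (h << 13) | (h >> 19);                      /* rotate left 13 */
    }
    return h;
}

/* Hypothetical vendor-side conversion: challenge -> product key.
 * In the weak design the text describes, the protected program must contain
 * this same routine in order to check a key, so it is there to be ripped. */
uint32_t challenge_to_key(uint32_t challenge) {
    uint32_t k = challenge;
    k ^= k >> 16;
    k *= 0x85EBCA6Bu;                                   /* constructed constants */
    k ^= k >> 13;
    k *= 0xC2B2AE35u;
    k ^= k >> 16;
    return k;
}

/* What the protected program does after reading both edit boxes:
 * recompute the expected key and compare. Returns 1 if the key is accepted. */
int protected_program_check(uint32_t volume_serial, const char *username,
                            const char *serial_text) {
    char name_buf[MAX_INPUT], serial_buf[MAX_INPUT];
    /* snprintf with a 64-byte buffer truncates like GetDlgItemTextA(Count=64) */
    snprintf(name_buf, sizeof name_buf, "%s", username);
    snprintf(serial_buf, sizeof serial_buf, "%s", serial_text);
    if (name_buf[0] == '\0')                            /* CMP EAX,0 / JE path */
        return 0;
    uint32_t expected = challenge_to_key(make_challenge(volume_serial, name_buf));
    char *end;
    unsigned long typed = strtoul(serial_buf, &end, 16);
    if (end == serial_buf || *end != '\0')              /* not a clean hex number */
        return 0;
    return (uint32_t)typed == expected;
}

/* The "ripped" keygen: it calls the same routine the protected program uses
 * and prints the result as 8 hex digits. out must hold at least 9 bytes. */
void keygen(uint32_t volume_serial, const char *username, char *out, size_t out_len) {
    uint32_t key = challenge_to_key(make_challenge(volume_serial, username));
    snprintf(out, out_len, "%08X", key);
}

int main(void) {
    char key[16];
    keygen(0x1234ABCDu, "alice", key, sizeof key);
    printf("key for alice: %s -> accepted=%d\n", key,
           protected_program_check(0x1234ABCDu, "alice", key));
    return 0;
}
```

The generator is only rippable because the client-side check is "recompute the key and compare": whatever code can recompute it can also generate it. A scheme in which the client holds only enough to verify a key (for example, checking a vendor signature over the username and challenge) leaves nothing in the binary that produces valid keys, which is the design property a defender should look for.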


Breaking Protections 365