Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
KeygenMe 1
zart
Master Cheater
Reputation: 0

Joined: 20 Aug 2007
Posts: 351
Location: russia

PostPosted: Thu Aug 23, 2007 6:07 pm

Kaspersky wrote:
SunBeam wrote:
Due to a very popular request...

Kaspersky wrote:
Please teach me, I've been sitting on it 5 hours.

...I'll try to record something and whoever wants to watch it, go ahead. I'll show the nooby way of doing it, although it requires trial/error and a bit of patience...

It's up to you to figure out the simple/fast way of doing it.


Dude, I'm serious, I've sat on it 5 hours.

Not funny, just trying to learn this funny KeyGen.

Edit: I already told you, I don't keygen, I patch.


Then stop trying to act badass - you're not, we all know - just act like a normal person and STOP TROLLING.

Here is the long and bad way to do it... it still has some of my notes on it:

Code:

00401AE1   . 8D5424 24      LEA EDX,DWORD PTR SS:[ESP+24]            ;  hash you obtained (generated from your serial)
00401AE5   . 8D4C24 54      LEA ECX,DWORD PTR SS:[ESP+54]            ;  hash you want to obtain (the program's own)
00401AE9   . 8DA424 0000000>LEA ESP,DWORD PTR SS:[ESP]               ;  alignment padding, does nothing
00401AF0   > 8A01           MOV AL,BYTE PTR DS:[ECX]                 ;  load first byte of the wanted hash
00401AF2   . 3A02           CMP AL,BYTE PTR DS:[EDX]                 ;  compare first byte of myhash with first byte of yourhash
00401AF4     0F85 0F010000  JNZ KeygenMe.00401C09                    ;  mismatch -> bad serial; NOP OUT to make any serial work
00401AFA   . 84C0           TEST AL,AL                               ;  was that byte the terminating NUL?
00401AFC   . 74 16          JE SHORT KeygenMe.00401B14               ;  end of string with no mismatch -> jump (serial OK)
00401AFE   . 8A41 01        MOV AL,BYTE PTR DS:[ECX+1]               ;  load second byte
00401B01   . 3A42 01        CMP AL,BYTE PTR DS:[EDX+1]               ;  compare second byte of myhash to your hash
00401B04     0F85 FF000000  JNZ KeygenMe.00401C09                    ;  NOP out to make any serial work
00401B0A   . 83C1 02        ADD ECX,2                                ;  skip two bytes since we've checked them on mine
00401B0D   . 83C2 02        ADD EDX,2                                ;  skip two on yours since we checked 'em
00401B10   . 84C0           TEST AL,AL                               ;  terminating NUL reached?
00401B12   .^75 DC          JNZ SHORT KeygenMe.00401AF0              ;  not yet, repeat from 00401AF0
00401B14   > 33C0           XOR EAX,EAX                              ;  set EAX to 0 (strings equal; inlined string compare returns 0)


BP the first two lines I've posted. The first is the "hash" that the program generates from your serial. The second is the "hash" that the program generates itself to check it against.

You need your serial to generate the same "hash" as the second one....

You should be able to trace backwards and find out HOW it creates the hashes - which is what you SHOULD do instead of just trial-and-erroring it.

Though, you could trial and error it from here and it would be easy enough...

One last thing... I honestly think people wouldn't mind helping you if you asked and tried to learn instead of trolling in EVERY post... I know I don't mind helping people who ask. Don't say "I only patch", you should say "I only patch, but I'm trying to learn more". If you continue to only patch, you'll never learn how to actually crack a program.

_________________
0x7A 0x61 0x72 0x74

TEAM RESURRECTiON
Pseudo Xero
I post too much
Reputation: 0

Joined: 16 Feb 2007
Posts: 2607

PostPosted: Thu Aug 23, 2007 6:11 pm

Kaspersky wrote:
SunBeam wrote:
Due to a very popular request...

Kaspersky wrote:
Please teach me, I've been sitting on it 5 hours.

...I'll try to record something and whoever wants to watch it, go ahead. I'll show the nooby way of doing it, although it requires trial/error and a bit of patience...

It's up to you to figure out the simple/fast way of doing it.


Dude, I'm serious, I've sat on it 5 hours.

Not funny, just trying to learn this funny KeyGen.

Edit: I already told you, I don't keygen, I patch.

You don't even know how to patch a trial though.
If you only patch, don't try keygenmes then.


Last edited by Pseudo Xero on Thu Aug 23, 2007 7:43 pm; edited 1 time in total
zart
Master Cheater
Reputation: 0

Joined: 20 Aug 2007
Posts: 351
Location: russia

PostPosted: Thu Aug 23, 2007 6:16 pm

If you actually want to learn, look at this function call.

This is where your hash is being generated. Walk through it - learn what it's doing... and make a keygen in Delphi.

Code:

00401AB8   . E8 43F5FFFF    CALL KeygenMe.00401000                   ;  generate my hash


Look at this to see how the hash is generated from the name...
Code:

0040189B   . EB 03          JMP SHORT KeygenMe.004018A0              ;  start generating myhash
0040189D     8D49 00        LEA ECX,DWORD PTR DS:[ECX]               ;  alignment padding, does nothing
004018A0   > F6C3 01        TEST BL,1                                ;  EBX is the loop index
004018A3   . 75 33          JNZ SHORT KeygenMe.004018D8              ;  odd index? skip it - only even indices produce output
004018A5   . 0FBE441C 15    MOVSX EAX,BYTE PTR SS:[ESP+EBX+15]       ;  second char of the pair (index EBX+1), sign-extended
004018AA   . 0FBE4C1C 14    MOVSX ECX,BYTE PTR SS:[ESP+EBX+14]       ;  first char of the pair (index EBX), sign-extended
004018AF   . 0FAFC3         IMUL EAX,EBX                             ;  second char * loop index
004018B2   . 33C1           XOR EAX,ECX                              ;  ... XOR first char
004018B4   . 99             CDQ                                      ;  sign-extend EAX into EDX:EAX for IDIV
004018B5   . B9 19000000    MOV ECX,19                               ;  static divider 0x19 (decimal 25)
004018BA   . F7F9           IDIV ECX                                 ;  EDX = remainder (EAX mod 25; sign follows the dividend)
004018BC   . 6A 01          PUSH 1                                   ; /maxlen = 1
004018BE   . 8D4424 28      LEA EAX,DWORD PTR SS:[ESP+28]            ; |dest = the output hash buffer
004018C2   . 80C2 41        ADD DL,41                                ; |remainder + 'A' -> a letter in 'A'..'Y' for a non-negative dividend
004018C5   . 885424 13      MOV BYTE PTR SS:[ESP+13],DL              ; |This is the byte we want - this is the letter we generated
004018C9   . 8D5424 13      LEA EDX,DWORD PTR SS:[ESP+13]            ; |
004018CD   . 52             PUSH EDX                                 ; |src
004018CE   . 50             PUSH EAX                                 ; |dest
004018CF   . FF15 78304000  CALL DWORD PTR DS:[<&MSVCR80.strncat>]   ; \strncat: append that one letter to the hash
004018D5   . 83C4 0C        ADD ESP,0C
004018D8   > 83C3 01        ADD EBX,1
004018DB   . 83FB 10        CMP EBX,10                               ;  0x10 = 16 iterations; odd indices are skipped, so 8 letters come out



And just for the hell of it, I figured out another patch that could be done 'cause I'm bored...
Code:

00401AE1   . 8D5424 54      LEA EDX,DWORD PTR SS:[ESP+54]            ;  patched: was [ESP+24] (hash you obtained), now points at the program's own hash
00401AE5   . 8D4C24 54      LEA ECX,DWORD PTR SS:[ESP+54]            ;  hash you want to obtain


So you could do this instead of my other patch... and it basically compares its own hash to its own hash...

Cheers, have fun learning! The best way to do that is tracing with pen and paper - write down everything that happens and how the registers change.

_________________
0x7A 0x61 0x72 0x74

TEAM RESURRECTiON
SunBeam
I post too much
Reputation: 65

Joined: 25 Feb 2005
Posts: 4022
Location: Romania

PostPosted: Thu Aug 23, 2007 6:54 pm

Thanks for nothing, zart. I recorded and edited this bitch, and now what? Anyway, who wants to see my 24 min MOVIE?

Link: http://rapidshare.com/files/50905428/KeygenMeX.Vid.zip

Enjoy!
zart
Master Cheater
Reputation: 0

Joined: 20 Aug 2007
Posts: 351
Location: russia

PostPosted: Thu Aug 23, 2007 10:45 pm

SunBeam wrote:
Thanks for nothing, zart. I recorded and edited this bitch, and now what? Anyway, who wants to see my 24 min MOVIE?

Link: http://rapidshare.com/files/50905428/KeygenMeX.Vid.zip

Enjoy!


To be honest, zart... ruining your day will make mine (tomorrow, since I just got back from the bars right now and it's 1am! Ughhh, work will suck...) since you ruin mine by beating my cracks... you're my main competition on real crackmes.

_________________
0x7A 0x61 0x72 0x74

TEAM RESURRECTiON
zart
Master Cheater
Reputation: 0

Joined: 20 Aug 2007
Posts: 351
Location: russia

PostPosted: Thu Aug 23, 2007 10:45 pm

SunBeam wrote:
Thanks for nothing, zart. I recorded and edited this bitch, and now what? Anyway, who wants to see my 24 min MOVIE?

Link: http://rapidshare.com/files/50905428/KeygenMeX.Vid.zip

Enjoy!


To be honest, sunbeam... ruining your day will make mine (tomorrow, since I just got back from the bars right now and it's 1am! Ughhh, work will suck...) since you ruin mine by beating my cracks... you're my main competition on real crackmes.

Erp, crap... drunk posting is bad. I didn't think I could post two in a row?! Oh well... like Kasp would say, "OMG PWNING J000!" Hahahah

_________________
0x7A 0x61 0x72 0x74

TEAM RESURRECTiON


Last edited by zart on Fri Aug 24, 2007 9:26 am; edited 1 time in total
DeletedUser14087
I post too much
Reputation: 2

Joined: 21 Jun 2006
Posts: 3069

PostPosted: Fri Aug 24, 2007 1:29 am

I think I understood now, I always got some freaky password like "AWUVPGT" <-- wtf?

anyways

I think I understand now..

I'll try searching a serial for Kaspersky anyhow..
zart
Master Cheater
Reputation: 0

Joined: 20 Aug 2007
Posts: 351
Location: russia

PostPosted: Fri Aug 24, 2007 6:32 am

Kaspersky wrote:
I think I understood now, I always got some freaky password like "AWUVPGT" <-- wtf?

anyways

I think I understand now..

I'll try searching a serial for Kaspersky anyhow..



That's the hash that gets compared.... Don't search for a serial... We've given you the keys of the program - look at HOW it's made and why, then get a key. The point isn't to just find it (and win a prize), it's to understand how it works - that means you properly reversed it.

_________________
0x7A 0x61 0x72 0x74

TEAM RESURRECTiON
Symbol
I'm a spammer
Reputation: 0

Joined: 18 Apr 2007
Posts: 5094
Location: Israel.

PostPosted: Fri Aug 24, 2007 9:23 am

Nice movie sunbeam!
But I didn't understand how you calculated the keygen in the end...
Why is I = PO? Why is it 8x2? :O I didn't understand the last part...
I got IQJNHOIR so I can tell the first digits are PO =) now how do I calculate it?
zart
Master Cheater
Reputation: 0

Joined: 20 Aug 2007
Posts: 351
Location: russia

PostPosted: Fri Aug 24, 2007 9:29 am

@Kasp

Read my post, it has the comment on that line:
Code:

00401AE1   . 8D5424 24      LEA EDX,DWORD PTR SS:[ESP+24]            ;  hash you obtained


That is loading the hash generated from the serial you entered.

@symbol

Read my posts - they will point you to the functions that are generating those hashes. Why is PO = I? That's what YOU need to analyze the function for; if we TELL you how it is done, you won't learn how to do this yourself.

_________________
0x7A 0x61 0x72 0x74

TEAM RESURRECTiON
Symbol
I'm a spammer
Reputation: 0

Joined: 18 Apr 2007
Posts: 5094
Location: Israel.

PostPosted: Fri Aug 24, 2007 10:04 am

No, I don't see anything there that can tell me what is what...
At the loop I see "I" and then Q etc... my code is IQJNHOIR.
When I loop I don't see anything interesting and I did everything exactly like in the movie =(
I don't get it... he saw in the dump "I" and he wrote PO and then IA and he wrote TA -.- why?
zart
Master Cheater
Reputation: 0

Joined: 20 Aug 2007
Posts: 351
Location: russia

PostPosted: Fri Aug 24, 2007 10:12 am

Symbol wrote:
No, I don't see anything there that can tell me what is what...
At the loop I see "I" and then Q etc... my code is IQJNHOIR.
When I loop I don't see anything interesting and I did everything exactly like in the movie =(
I don't get it... he saw in the dump "I" and he wrote PO and then IA and he wrote TA -.- why?


Put a breakpoint on 00401AB8, and step into that function call. It is where your hash is generated. Analyze that - it will show you how it is created.

_________________
0x7A 0x61 0x72 0x74

TEAM RESURRECTiON
nog_lorp
Grandmaster Cheater
Reputation: 0

Joined: 26 Feb 2006
Posts: 743

PostPosted: Fri Aug 24, 2007 10:19 am

SunBeam wrote:
If it was like that, then explain the countless possibilities PLOX T_T...


Username * 3 can go beyond 20 bytes, so some is truncated, causing collisions?

Actually, there cannot truly be infinite combinations if the length is limited. oO

~nog_lorp

_________________
Mutilated lips give a kiss on the wrist of the worm-like tips of tentacles expanding in my mind
I'm fine accepting only fresh brine you can get another drop of this yeah you wish
SunBeam
I post too much
Reputation: 65

Joined: 25 Feb 2005
Posts: 4022
Location: Romania

PostPosted: Fri Aug 24, 2007 1:19 pm

There are infinite matching combinations, as in: I = PO or N5 or P4 or some other. That's what the hash string was in my case - IAROKNBW (yes, it's DYNAMIC).

Why 2x8? Because the author mentioned the key is 20 digits long. Since the first 4 are ULT-, there are 16 left. And since the output hash (in my case, IAROKNBW) is comprised of 8 characters, that means:

16 characters left for the serial
8 characters in the string hash
------------------------------------
16/8 = 2

So, you input 2 characters, and expect 1 to be calculated.

In my case: POTADEN5QRX2TBPQ is what has to be input so the program generates IAROKNBW.

POTADEN5QRX2TBPQ = 16
IAROKNBW = 8

The noob way is to do trial/error. Input 16 random characters and see what you get. Say my hash was IAROKNBW. I input 16 random characters after ULT-, and check the buffer - if I see one of the letters in the hash I'm supposed to generate, I look at the pair of 2 characters which caused the letter to be returned. Takes a bit, but I left the easy way for you to figure out...

@nog_lorp: Yes, what exceeds 20 is truncated and converted to long int (using atol) =]
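Added example (editor's note, not code from the KeygenMe or from zart, SunBeam or anyone else in the thread): a literal Python emulation of the hash loop zart listed at 004018A0-004018DB, followed by the "easy way" that SunBeam's 16/8 = 2 post implies. Because the TEST BL,1 / JNZ skips odd indices, each hash letter depends on exactly one 2-character pair of the serial, so a serial can be solved pair by pair with 36*36 tries per letter instead of by trial and error over all 16 characters. The listing does not show where EBX starts, what the buffer at [ESP+14] holds, or the jump after CMP EBX,10, so the example assumes EBX starts at 0, the buffer is the 16-character body after "ULT-", the loop runs while EBX < 0x10, and serials use A-Z and 0-9. For that reason the hashes it produces are not claimed to equal the ones posted here (IAROKNBW, IQJNHOIR); the names hash_char, hash_loop, solve_pair and keygen, and the sample input, are the example's own.

```python
"""Added example: literal emulation of the disassembled hash loop
(004018A0-004018DB) plus a pair-by-pair solver. Not code from the KeygenMe
or from anyone in the thread.

Assumptions (the listing does not show them): EBX starts at 0, the buffer at
[ESP+14] is the 16-char serial body after "ULT-", the loop runs while
EBX < 0x10, and serials use A-Z and 0-9. Output values are therefore not
claimed to match the hashes posted in the thread; the method is the point.
"""

ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"   # assumed serial charset


def movsx_byte(b):
    """MOVSX r32, byte: sign-extend an 8-bit value (0x80..0xFF become negative)."""
    return b - 0x100 if b & 0x80 else b


def to_int32(v):
    """Wrap a Python int to a signed 32-bit register value (IMUL/XOR results)."""
    v &= 0xFFFFFFFF
    return v - 0x100000000 if v & 0x80000000 else v


def x86_idiv(dividend, divisor):
    """CDQ + IDIV semantics: the quotient truncates toward zero and the remainder
    takes the dividend's sign. Python's // and % floor instead:
    -7 // 25 == -1 and -7 % 25 == 18, whereas IDIV gives (0, -7)."""
    q = abs(dividend) // abs(divisor)
    if (dividend < 0) != (divisor < 0):
        q = -q
    return q, dividend - q * divisor


def hash_char(ebx, first, second):
    """One loop body at even index EBX, with first = buf[EBX], second = buf[EBX+1]:
    EAX = movsx(second) * EBX ^ movsx(first); DL = remainder(EAX idiv 0x19) + 'A'."""
    eax = to_int32(movsx_byte(second) * ebx)    # MOVSX EAX,[ESP+EBX+15]; IMUL EAX,EBX
    eax = to_int32(eax ^ movsx_byte(first))     # MOVSX ECX,[ESP+EBX+14]; XOR EAX,ECX
    _, edx = x86_idiv(eax, 0x19)                # CDQ; MOV ECX,19; IDIV ECX
    return chr((edx + 0x41) & 0xFF)             # ADD DL,41 (8-bit add)


def hash_loop(serial_body, ebx_end=0x10):
    """Emulate the whole loop: TEST BL,1 / JNZ skips odd indices, so the 16
    serial bytes yield 8 hash characters, appended one at a time (the strncat)."""
    if len(serial_body) < ebx_end:
        raise ValueError("need at least %d serial bytes" % ebx_end)
    out = []
    for ebx in range(0, ebx_end):               # ADD EBX,1 / CMP EBX,10 (assumed: loop while below)
        if ebx & 1:                             # TEST BL,1 / JNZ 004018D8
            continue
        out.append(hash_char(ebx, serial_body[ebx], serial_body[ebx + 1]))
    return "".join(out)


def solve_pair(ebx, target, alphabet=ALPHABET):
    """Find a 2-char pair at index ebx that hashes to target. Each output char
    depends only on its own pair, so the 16-char serial splits into eight
    independent 36*36 searches instead of one 36**16 search."""
    for first in alphabet:
        for second in alphabet:
            if hash_char(ebx, first, second) == target:
                return bytes((first, second))
    return None


def keygen(target_hash, alphabet=ALPHABET):
    """Build a 16-char serial body whose emulated hash equals the 8-char target,
    or return None if some position has no pair in the alphabet."""
    if len(target_hash) != 8:
        raise ValueError("expected an 8-character hash")
    body = b""
    for i, ch in enumerate(target_hash):
        pair = solve_pair(2 * i, ch, alphabet)
        if pair is None:
            return None
        body += pair
    return body


if __name__ == "__main__":
    sample = b"POTADEN5QRX2TBPQ"                # constructed input: the body SunBeam posted
    target = hash_loop(sample)
    print(sample.decode(), "->", target)
    serial = keygen(target)
    print("ULT-" + serial.decode(), "->", hash_loop(serial))
```

Two things worth taking from this when translating a listing like zart's into a keygen. First, x86 IDIV rounds toward zero and gives the remainder the dividend's sign, while Python's % floors; a serial containing a byte of 0x80 or above is sign-extended by MOVSX, turns the dividend negative, and then the two disagree (the emulation returns '@' where a naive % 25 would return 'Y'). Second, once the loop is seen to consume the serial in independent pairs, inverting it needs no understanding of which pair "means" which letter: solve_pair just runs the emulated loop body over the alphabet for one position at a time, which is the automated version of SunBeam's trial-and-error buffer watching.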
All times are GMT - 6 Hours