Cheat Engine The Official Site of Cheat Engine
Zand Master Cheater Reputation: 0
Joined: 21 Jul 2006 Posts: 424
Posted: Fri Aug 15, 2008 6:41 am Post subject: New - KeygenMe
Added some anti-debugging tricks.
The objective is to find a user/serial that works and then to make a keygenme.
You can patch it, but the point of this is to get a valid serial.
Attached.
Last edited by Zand on Fri Aug 15, 2008 8:06 am; edited 2 times in total
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8516 Location: 127.0.0.1
Posted: Fri Aug 15, 2008 7:52 am Post subject:
Hiding the desktop while running, lol... that's more annoying than anti-hacking.
1. Bypassing the timer: open in Olly, locate the single call to CreateThread, and either nop out the full call, the call plus pushes, or jump from the first push. I prefer jumping from the first push, making it look like this instead:
Code:
0040123D /EB 0E JMP SHORT KeygenMe.0040124D
0040123F |56 PUSH ESI
00401240 |68 80184000 PUSH KeygenMe.00401880
00401245 |56 PUSH ESI
00401246 |56 PUSH ESI
00401247 |FF15 60304000 CALL DWORD PTR DS:[<&KERNEL32.CreateThre>; kernel32.CreateThread
0040124D \68 40114000 PUSH KeygenMe.00401140
00401252 E8 4E120000 CALL KeygenMe.004024A5
2. Stopping the Crack! button from being disabled: there is a single call to EnableWindow:
Code:
004023D2 6A 00 PUSH 0
004023D4 51 PUSH ECX
004023D5 FF15 08314000 CALL DWORD PTR DS:[<&USER32.EnableWindow>; USER32.EnableWindow
Change push 0 to push 1 or just nop the call.
3. Removing the kill window behind this effect.. rather more annoying than anti-hacking. Anyway, to remove this, locate the reference to WindowFromPoint; directly after should be a call to ShowWindow. Either jump/nop/kill the calls to both if you want, or jump from the starting push before WindowFromPoint.
On a side note, this does cause glitches with Windows, since you get random window handles each time depending on what's behind the keygen when it's loaded. I suggest directly hiding the desktop with HWND_DESKTOP or just not doing this at all. Result:
Code:
004015A6 . /EB 1E JMP SHORT KeygenMe.004015C6
004015A8 |90 NOP
004015A9 |90 NOP
004015AA |90 NOP
004015AB . |B8 4E010000 MOV EAX,14E
004015B0 . |51 PUSH ECX ; /pt.Y
004015B1 . |50 PUSH EAX ; |pt.X => 14E (334.)
004015B2 . |FF15 2C314000 CALL DWORD PTR DS:[<&USER32.WindowFromPo>; \WindowFromPoint
004015B8 . |6A 00 PUSH 0 ; /ShowState = SW_HIDE
004015BA . |50 PUSH EAX ; |hWnd
004015BB . |A3 10464000 MOV DWORD PTR DS:[404610],EAX ; |
004015C0 . |FF15 14314000 CALL DWORD PTR DS:[<&USER32.ShowWindow>] ; \ShowWindow
004015C6 > \5F POP EDI
So now the anti-hacking stuff is removed. Left to do is making a working serial.
Something I didn't bother digging into is finding out why it won't run correctly after the patches are removed once the above is done, only if it's started through OllyDbg. So close Olly, run the keygen normally, then attach Olly to it instead. This way we can locate the keygen stuff.
Last issue: the serial code is bugged, I think. The last part of the check determines if the length is 4 bytes long, then attempts to compare to CL, which is (for me at least) always 00:
Code:
00401F1B . 83F8 04 CMP EAX,4
00401F1E . 75 2A JNZ SHORT KeygenMe.00401F4A
00401F20 . 384D E0 CMP BYTE PTR SS:[EBP-20],CL
00401F23 . 74 25 JE SHORT KeygenMe.00401F4A
00401F25 . 384D E1 CMP BYTE PTR SS:[EBP-1F],CL
00401F28 . 74 20 JE SHORT KeygenMe.00401F4A
00401F2A . 384D E2 CMP BYTE PTR SS:[EBP-1E],CL
00401F2D . 74 1B JE SHORT KeygenMe.00401F4A
00401F2F . 384D E3 CMP BYTE PTR SS:[EBP-1D],CL
00401F32 . 74 16 JE SHORT KeygenMe.00401F4A
00401F34 . E8 D7010000 CALL KeygenMe.00402110
So anything 4 letters long works as a serial for me.
Name: Wiccaan
Serial: Anything, as long as it's four chars long. (aaaa, bbbb, 1234, etc.)
_________________
- Retired.
Zand Master Cheater Reputation: 0
Joined: 21 Jul 2006 Posts: 424
Posted: Fri Aug 15, 2008 7:55 am Post subject:
That's because of your name I think.
Also, if you're getting to the part where the crack button gets disabled you're on the wrong trail.
Try with a name other than Wiccaan
PS. It wasn't meant to hide your desktop. If OllyDbg is open normally it hides the CPU window.
EDIT - Reuploaded, fixed bug.
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8516 Location: 127.0.0.1
Posted: Fri Aug 15, 2008 9:11 am Post subject:
Zand wrote:
That's because of your name I think.
Also, if you're getting to the part where the crack button gets disabled you're on the wrong trail.
Try with a name other than Wiccaan
PS. It wasn't meant to hide your desktop. If OllyDbg is open normally it hides the CPU window.
EDIT - Reuploaded, fixed bug.
That would only hide the CPU window of Olly when Olly is behind the exe itself. (Which does work if Olly is behind it.) The easy way around it is just to move Olly off the side of the screen and then click play. It will disable the desktop then. (But just patch it like stated above.)
Edit: Hidden name/pass combo?
Name: try
Serial: again
Makes it crash, lol, but it brings up a message box with a non-standard message (easily found because it was hard coded into it..)
Seems to only work when being debugged, though.
Message Caption: In the woods.
Message: Ok I better try again.
-------------------------------
Edit again: found the Olly debug detection. It was kinda obvious but I overlooked it, lol. Startup calls 401000 first, which has all the checks and anti-debug tricks. The function starts by storing ESP; after ESP is stored it subs 10, and there you can write a jump to skip the full function and land back at restoring ESP. Which becomes:
Code:
00401000 55 PUSH EBP
00401001 8BEC MOV EBP,ESP
00401003 E9 BF000000 JMP KeygenMe.004010C7
00401008 90 NOP
00401009 90 NOP
0040100A 90 NOP
0040100B 33C5 XOR EAX,EBP
Skipping the checks, it runs fine now in Olly. (To an extent, that is.)
Edit: eh.. ok, I see what's up with that issue: instead of skipping the full function it needs to do certain parts of it. Bypass the checks by replacing the JEs with JMPs instead.
-> IsDebuggerPresent
-> Checks BeingDebugged flag in PEB
-> Checks NtGlobalFlag in PEB
-> Checks ProcessHeap debug flag. (+18h->+10h)
-> Calls OutputDebugString to check if hooked.
-> Self-checks for 43h after xor (not sure what you did for this, didn't really bother checking into it, but I assume it's based on setting the ebp-10 to 1 if the other checks fail.)
Skipping the jumps resumes default execution from the looks of things. After the above it compares ECX to the stored value in 404000 for another detection thing; not 100% sure what this does though.
Anyway, fixed up the checks, cleaned out the anti-debug tricks. End result:
Name: Wiccaan
Serial: 760053688420658
Making a keygen? Eh.. not my strong point.
_________________
- Retired.
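The three jump patches atom0s quotes above (EB 0E at 0040123D, EB 1E plus NOPs at 004015A6, E9 BF000000 plus NOPs at 00401003) and the JE-to-JMP swap all rest on how x86 encodes relative jumps. The Python below is an added example, not code from the thread or from the KeygenMe; the function names are mine and the near-form JE bytes in the test are constructed, but the addresses and displacements come from the listings, so a reader can check an Olly listing's bytes by hand.

```python
"""Relative-jump arithmetic behind the patches quoted in the thread.

x86 short/near jumps store a signed displacement measured from the end of
the jump instruction (its address plus its length), so the bytes Olly
shows can be recomputed from the listing addresses alone.
"""
import struct

def encode_jmp(src, target):
    """Unconditional JMP at `src` to `target`: 2-byte short form (EB rel8)
    when the displacement fits a signed byte, else 5-byte near (E9 rel32)."""
    rel8 = target - (src + 2)
    if -128 <= rel8 <= 127:
        return b"\xEB" + struct.pack("<b", rel8)
    return b"\xE9" + struct.pack("<i", target - (src + 5))

def encode_patch(src, target, span):
    """JMP plus NOP (90) filler covering exactly `span` bytes, so the
    instruction after the overwritten run keeps its address (what Olly's
    'fill rest with NOPs' assemble option produces)."""
    code = encode_jmp(src, target)
    if len(code) > span:
        raise ValueError("jump does not fit in %d bytes" % span)
    return code + b"\x90" * (span - len(code))

def jmp_target(src, code):
    """Resolve the destination of a JMP/JE/JNZ encoded at `src`."""
    if code[0] in (0xEB, 0x74, 0x75):                  # rel8 forms
        return src + 2 + struct.unpack("<b", code[1:2])[0]
    if code[0] == 0xE9:                                # JMP rel32
        return src + 5 + struct.unpack("<i", code[1:5])[0]
    if code[0] == 0x0F and code[1] in (0x84, 0x85):    # JE/JNZ rel32
        return src + 6 + struct.unpack("<i", code[2:6])[0]
    raise ValueError("unsupported jump opcode")

def je_to_jmp(src, code):
    """Rewrite a JE at `src` as an unconditional JMP to the same target.
    74 rel8 keeps its displacement; 0F 84 rel32 is a byte longer than
    E9 rel32, so the displacement is recomputed and the spare byte NOPed."""
    return encode_patch(src, jmp_target(src, code), len(code))

if __name__ == "__main__":
    # (address, target, bytes overwritten) for the three patches in the thread
    for src, target, span in ((0x40123D, 0x40124D, 2),
                              (0x4015A6, 0x4015C6, 5),
                              (0x401003, 0x4010C7, 8)):
        print("%08X: %s" % (src, encode_patch(src, target, span).hex(" ")))
```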
Zand Master Cheater Reputation: 0
Joined: 21 Jul 2006 Posts: 424
Posted: Fri Aug 15, 2008 10:35 am Post subject:
Bravo! Now let others try it......
PS. There is another serial for your name. Designed specifically for you.