Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


New - KeygenMe

 
Zand
Master Cheater
Reputation: 0

Joined: 21 Jul 2006
Posts: 424

PostPosted: Fri Aug 15, 2008 6:41 am    Post subject: New - KeygenMe

Added some anti-debugging tricks.

The objective is to find a user/serial that works and then to make a keygenme.

You can patch it, but the point of this is to get a valid serial.

Attached.


Last edited by Zand on Fri Aug 15, 2008 8:06 am; edited 2 times in total
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

PostPosted: Fri Aug 15, 2008 7:52 am    Post subject:

Hiding the desktop while running lol... that's more annoying than anti-hacking.

1. Bypassing the timer, open in Olly, locate the single call to CreateThread, either nop out the full call, call+pushes, or jump from the first push. I prefer jumping from the first push making it look like this instead:

Code:
0040123D   /EB 0E           JMP SHORT KeygenMe.0040124D
0040123F   |56              PUSH ESI
00401240   |68 80184000     PUSH KeygenMe.00401880
00401245   |56              PUSH ESI
00401246   |56              PUSH ESI
00401247   |FF15 60304000   CALL DWORD PTR DS:[<&KERNEL32.CreateThre>; kernel32.CreateThread
0040124D   \68 40114000     PUSH KeygenMe.00401140
00401252    E8 4E120000     CALL KeygenMe.004024A5


2. Stopping the Crack! button from being disabled, there is a single call to EnableWindow:

Code:
004023D2    6A 00           PUSH 0
004023D4    51              PUSH ECX
004023D5    FF15 08314000   CALL DWORD PTR DS:[<&USER32.EnableWindow>; USER32.EnableWindow


Change push 0 to push 1 or just nop the call.

3. Removing the kill window behind this effect.. Rather more annoying than anti-hacking. Anyway, to remove this.. locate the reference to WindowFromPoint; directly after should be a call to ShowWindow. Either jump, nop, or kill the calls to both if you want, or jump from the starting push before WindowFromPoint.

On a side note, this does cause glitches with Windows since you get random window handles each time depending on what's behind the keygen when it's loaded. I suggest directly hiding the Desktop with HWND_DESKTOP or just not doing this at all. Result:

Code:
004015A6   . /EB 1E         JMP SHORT KeygenMe.004015C6
004015A8     |90            NOP
004015A9     |90            NOP
004015AA     |90            NOP
004015AB   . |B8 4E010000   MOV EAX,14E
004015B0   . |51            PUSH ECX                                 ; /pt.Y
004015B1   . |50            PUSH EAX                                 ; |pt.X => 14E (334.)
004015B2   . |FF15 2C314000 CALL DWORD PTR DS:[<&USER32.WindowFromPo>; \WindowFromPoint
004015B8   . |6A 00         PUSH 0                                   ; /ShowState = SW_HIDE
004015BA   . |50            PUSH EAX                                 ; |hWnd
004015BB   . |A3 10464000   MOV DWORD PTR DS:[404610],EAX            ; |
004015C0   . |FF15 14314000 CALL DWORD PTR DS:[<&USER32.ShowWindow>] ; \ShowWindow
004015C6   > \5F            POP EDI


So now the anti-hacking stuff is removed. Left to do is making a working serial.

Something I didn't bother digging into is finding out why it won't run correctly after the patches are removed once the above is done, only if it's started through OllyDbg. So close Olly, run the keygen normally, then attach Olly to it instead. This way we can locate the keygen stuff.


Last issue: the serial code is bugged, I think. The last part of the check determines if the length is 4 bytes long, then attempts to compare to CL, which is (for me at least) always 00:

Code:
00401F1B   .  83F8 04       CMP EAX,4
00401F1E   .  75 2A         JNZ SHORT KeygenMe.00401F4A
00401F20   .  384D E0       CMP BYTE PTR SS:[EBP-20],CL
00401F23   .  74 25         JE SHORT KeygenMe.00401F4A
00401F25   .  384D E1       CMP BYTE PTR SS:[EBP-1F],CL
00401F28   .  74 20         JE SHORT KeygenMe.00401F4A
00401F2A   .  384D E2       CMP BYTE PTR SS:[EBP-1E],CL
00401F2D   .  74 1B         JE SHORT KeygenMe.00401F4A
00401F2F   .  384D E3       CMP BYTE PTR SS:[EBP-1D],CL
00401F32   .  74 16         JE SHORT KeygenMe.00401F4A
00401F34   .  E8 D7010000   CALL KeygenMe.00402110


So anything 4 letters long works as a serial for me.

Name: Wiccaan
Serial: Anything, as long as it's four chars long. (aaaa, bbbb, 1234, etc.)

_________________
- Retired.
Zand
Master Cheater
Reputation: 0

Joined: 21 Jul 2006
Posts: 424

PostPosted: Fri Aug 15, 2008 7:55 am    Post subject:

That's because of your name I think.

Also, if you're getting to the part where the crack button gets disabled you're on the wrong trail.

Try with a name other than Wiccaan

PS. It wasn't meant to hide your desktop. If OllyDbg is open normally it hides the CPU window.

EDIT - Reuploaded, fixed bug.
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

PostPosted: Fri Aug 15, 2008 9:11 am    Post subject:

Zand wrote:
That's because of your name I think.

Also, if you're getting to the part where the crack button gets disabled you're on the wrong trail.

Try with a name other than Wiccaan

PS. It wasn't meant to hide your desktop. If OllyDbg is open normally it hides the CPU window.

EDIT - Reuploaded, fixed bug.


That would only hide the CPU window of Olly when Olly is behind the exe itself. (Which does work if Olly is behind it.) Easy way around it is just to move Olly off the side of the screen and then click play. It will disable the desktop then. (But just patch it like stated above.)

Edit: Hidden name/pass combo?

Name: try
Serial: again

Makes it crash lol, but it brings up a message box with a non-standard message. (Easily found because it was hard-coded into it..)

Seems to only work when being debugged though.

Message Caption: In the woods.
Message: Ok I better try again.

-------------------------------

Edit again, found the Olly debug detection. Was kinda obvious but I overlooked it lol. Startup calls 401000 first, which has all the checks and anti-debug tricks. The function starts by storing esp; after esp is stored it subs 10, and there you can write a jump to skip the full function and land back at restoring esp. Which becomes:

Code:
00401000    55              PUSH EBP
00401001    8BEC            MOV EBP,ESP
00401003    E9 BF000000     JMP KeygenMe.004010C7
00401008    90              NOP
00401009    90              NOP
0040100A    90              NOP
0040100B    33C5            XOR EAX,EBP


Skipping the checks, it runs fine now in Olly. ( To an extent, that is. )

Edit: eh.. ok, I see what's up with the issue with that: instead of skipping the full function it needs to do certain parts of it. Bypass the checks by replacing the JEs with JMPs instead.

-> IsDebuggerPresent
-> Checks BeingDebugged flag in PEB
-> Checks NtGlobalFlag in PEB
-> Checks ProcessHeap debug flag. (+18h->+10h)
-> Calls OutputDebugString to check if hooked.
-> Self-checks for 43h after xor (not sure what you did for this, didnt really bother checking into it, but I assume its based on setting the ebp-10 to 1 if the other checks fail.)

Skipping the jumps resumes default execution from the looks of things. After the above it compares ECX to the stored value in 404000 for another detection thing, not 100% sure what this does though.

Anyway, fixed up the checks, cleaned out the anti-debug tricks. End result:

Name: Wiccaan
Serial: 760053688420658

Making a keygen? Eh.. not my strong point.

_________________
- Retired.
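The five checks listed in the post above are exactly what an analyst looks for when triaging whether a sample is debugger-aware. As an added example (not code from this thread or from Zand's KeygenMe), here is a small heuristic scanner in Python that searches raw 32-bit code bytes for the instruction patterns those checks compile to: the fs:[30h] PEB load, reads of BeingDebugged (PEB+2), NtGlobalFlag (PEB+68h), the ProcessHeap (PEB+18h) to heap-flag (+10h) chain the post describes as "+18h->+10h", and the IsDebuggerPresent/OutputDebugString import names. The PEB offsets and the byte encodings are the standard 32-bit Windows ones but are assumptions here, the sample bytes are constructed, and the patterns are heuristics: they can miss unusual encodings and fire on coincidental bytes.

```python
"""Heuristic scanner for the 32-bit anti-debugging idioms named in the thread.

Added example; not code from the thread or the KeygenMe. Assumptions: target is
32-bit x86, fs:[30h] is the PEB, PEB+2 = BeingDebugged, PEB+68h = NtGlobalFlag,
PEB+18h = ProcessHeap, HEAP+10h = ForceFlags (the "+18h->+10h" check; offset is
the XP-era 32-bit heap layout). Patterns are heuristics, not a disassembler.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    offset: int   # byte offset of the matched sequence in the scanned blob
    name: str     # idiom identifier
    note: str     # what the matched bytes mean


# (name, bytes regex, description). [\x40-\x7F] is a ModRM byte meaning
# "[reg + disp8]" with any register pair, so mov r32,[r32+disp8] is covered.
IDIOMS = [
    ("peb_load",
     rb"\x64(?:\xA1|\x8B[\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00",
     "mov r32, fs:[30h]: load the PEB pointer"),
    ("beingdebugged",
     rb"\x0F\xB6[\x40-\x7F]\x02|\x80[\x78-\x7F]\x02\x00",
     "movzx/cmp on PEB+2: BeingDebugged (what IsDebuggerPresent reads)"),
    ("ntglobalflag",
     rb"\xF6[\x40-\x7F]\x68\x70|\x8B[\x40-\x7F]\x68",
     "PEB+68h NtGlobalFlag; 0x70 = the three heap debug flags"),
    ("heap_flags",
     rb"\x8B[\x40-\x7F]\x18.{0,8}?\x8B[\x40-\x7F]\x10",
     "PEB+18h ProcessHeap, then HEAP+10h ForceFlags"),
    ("api_name",
     rb"IsDebuggerPresent|OutputDebugString",
     "debugger-related import name in the name table"),
]


def scan(blob: bytes) -> list[Finding]:
    """Return every idiom hit in blob, ordered by offset."""
    hits = []
    for name, pattern, note in IDIOMS:
        # DOTALL so the '.' gap in heap_flags also spans 0x0A bytes
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append(Finding(m.start(), name, note))
    return sorted(hits, key=lambda f: (f.offset, f.name))


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per idiom; a quick 'is this debugger-aware?' verdict."""
    return dict(Counter(f.name for f in findings))


# Constructed sample: instructions in the style of the thread's listings plus
# an import-name string. Not bytes taken from the real KeygenMe.
SAMPLE = (
    b"\x55\x8B\xEC"                    # push ebp; mov ebp,esp      @0
    b"\x64\xA1\x30\x00\x00\x00"        # mov eax, fs:[30h]          @3
    b"\x0F\xB6\x40\x02"                # movzx eax, byte [eax+2]    @9
    b"\x85\xC0"                        # test eax, eax              @13
    b"\x64\x8B\x0D\x30\x00\x00\x00"    # mov ecx, fs:[30h]          @15
    b"\xF6\x41\x68\x70"                # test byte [ecx+68h], 70h   @22
    b"\x8B\x41\x18"                    # mov eax, [ecx+18h]         @26
    b"\x8B\x40\x10"                    # mov eax, [eax+10h]         @29
    b"\x90\x90\x90\x90"                # padding                    @32
    b"IsDebuggerPresent\x00"           # import name                @36
)


if __name__ == "__main__":
    hits = scan(SAMPLE)
    for f in hits:
        print(f"{f.offset:#06x}  {f.name:<14} {f.note}")
    print(summarize(hits))
```

Run it against the `.text` section and the import directory of a sample rather than the whole file to cut down coincidental matches; a hit on `peb_load` alone is common in benign code (TLS and SEH setup read the PEB too), so weight the `beingdebugged`, `ntglobalflag` and `heap_flags` idioms higher when deciding what a sample is doing.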
Zand
Master Cheater
Reputation: 0

Joined: 21 Jul 2006
Posts: 424

PostPosted: Fri Aug 15, 2008 10:35 am    Post subject:

Bravo! Now let others try it......

PS. There is another serial for your name. Designed specifically for you.
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

PostPosted: Sat Aug 16, 2008 5:13 am    Post subject:

Zand wrote:
Bravo! Now let others try it......

PS. There is another serial for your name. Designed specifically for you.


As in me, Wiccaan? o.O Finding the strings is annoying cause of the hidden string things you do in this lol. Mind PM'ing me the source? I wanna see how you did parts of this.

_________________
- Retired.
All times are GMT - 6 Hours