If you've ever heard software piracy terminology being discussed, I'm sure the term KeyGens came up. KeyGens is short for key generator, which is a program that exploits algorithmic faults in software by generating software license keys that appear to be genuine. Normally used as a technique to protect the source code software and prevent piracy, a key generator exploits the key algorithm to effectively nullify the need for any software licenses. For example, we must try to find patterns in the keys, such as three 5s in every key, all even numbers, etc. Any way that the program could validate a program without being online could be a way that software is protected.
Normally, something like this would be of no use, but everything has its purpose. Suppose that you lose source to one of your programs, wouldn't you want to have the ability to reverse it and recover the source code? Alternatively, if you made a tool that people enjoyed, and decided to sell it via licenses, you need to check it for vulnerabilities such as these to mitigate the chances of your own software being stolen.
In today's Null Byte, let's go over how a KeyGen could work by cracking the algorithm used to verify software keys in a few examples. I will not be walking you through how to actually crack a program, because I can't just crack a program for demonstration, but the techniques applied to my examples should give you the foundation needed to create your own. At that point, it's a test of your morals if you want to use your knowledge for good or bad.
You must follow The Hacks Behind Cracking, Part 1 through until just before the final step, and then you can begin the tutorial below.
Step 1 Step Into the Function
- Run the program with the debugger and resume where you are asked to enter the key again with an interrupt on it.
- Strike F7 to go inside the function.
- Keep striking F7 until you find the credentials and key you entered in the disassembler again, followed by a jump.
- Shortly thereafter, you should find CMP 2D, DL, or something similar. This is the function that is validating our key.
Step 2 Start Reversing for the Key
- You should see a bunch of CMP and shorts on the screen, likely alternating in pattern.
- Click on, and examine CMP and what it is looking for, as opposed to what you entered.
- This shows that it is looking for a dash, so let's try adding a dash anywhere in the key we are testing to see how far we can get in the validation. Remove all breakpoints and set a new one here.
- Scroll down to the next null byte and find the one where the EAX is equal to the first part of your serial in decimal. You can use the converter built in to the Windows calculator.
- Remove all previous breakpoints and set the new breakpoint to the CMP section that, when clicked on, shows our key value in hex being compared to the value it should be (because keys are generated based upon the name entered in the registration process).
- The value here is actually the first correct part of the key written in the field, so if we convert it from hex to decimal, we now have the next part of our key. Set your new breakpoint, and rinse and repeat the past two steps until you receive a full key code and register successfully.
To make a key generator program, you have to repeat the steps at least one or two more times with different usernames so you can get different and working keys. These keys will be compared and examined for commonalities for algorithmic reversing. I hope you learned something.