Tuesday 10 May 2016

Finding the Algorithm of a keygenme

In the previous post, I wrote about how to self-keygen a crackme. Now we are going to find the algorithm the program uses to calculate the serial from the ID we enter. I have made a very, very simple KeygenMe program. The download link is given below.

---------------------------------------------------------------------------------------------------------
Download the keygenme : Download

First open the keygenme program to see what are the Good and Bad messages :


So we see the Bad message is "Lol you lose ! try again !".
Now open the file in OllyDbg and search for referenced strings. We see this:


Double click on the "ID(only numbers) : " string to go to its reference.


You can see that there is a scanf call (CALL 004015DB) which reads our serial input.

Set a breakpoint on the instruction after the scanf call and run the program. Enter any ID and serial and we land at ADD ESP, 10 (the caller removing scanf's arguments from the stack).


As you can see, I entered 123 and 456. The instructions after ADD ESP, 10 are the algorithm of this keygenme:

We see some instructions which we don't normally see in many crackmes: FLD, FADD, FUCOMPP and FSTSW. Here is an explanation of what these instructions do:

These are floating-point instructions. The floating-point unit (FPU, colloquially the math coprocessor) is the part of the processor designed to carry out operations on floating-point numbers: addition, subtraction, multiplication, division, square root and so on.

The x87 FPU has 8 registers, ST0 to ST7, organised as a stack. Numbers are pushed onto the stack from memory (ST0 is always the top) and popped off the stack back to memory. Most FPU instructions operate on the top one or two entries of the stack; the variants whose mnemonic ends in P (FADDP, FUCOMPP, ...) pop the stack after operating.

FLD instruction - Pushes the source operand onto the FPU register stack, so it becomes the new ST0.
FADD instruction - Adds the source operand to the destination operand and stores the sum in the destination. For example, FADD [00401000] adds the value at 401000 to ST0 and stores the result in ST0.
FUCOMPP - Compares ST0 with ST1 (an unordered compare, so a NaN operand does not raise an invalid-operation exception), sets the condition-code bits C0, C2 and C3 in the FPU status word, and pops the register stack twice.
FSTSW - Stores the FPU status word in the operand, in our case AX. This is how the result of the compare gets out of the FPU: the condition-code bits end up in AH, and the program then tests them (with AND/XOR, or SAHF) to set the CPU flags and decide the jump.

So now we understand every instruction in the algorithm of our keygenme. Let's have a look at it.

Press F7 to execute each instruction step by step. Have a look at the FPU register stack shown on the right side of the Registers window:


You can see the registers ST0 to ST7.

As you step into each instruction of the algorithm one by one, the FPU register stack changes as shown in the images below:


We see that first our ID 123 is loaded into ST0, and then the FADD instruction turns it into 246. So we need to know what was added to 123. Simple math: 123 + x = 246, so x = 123. 123 was added to our ID and the result stays in ST0. Next, 456, the serial we entered, is pushed onto the top of the FPU stack, so it is now in ST0 and 246 has moved down to ST1. FUCOMPP then compares ST0 with ST1 and records the result in the condition-code bits of the status word, FSTSW AX copies the status word into AX, and the AND and XOR instructions that follow test those bits in AH to set the CPU flags and decide the jump.

So, since our ID 123 had 123 added to it to make 246, and that value was compared to the serial we entered, we can conclude that the program adds the constant 123 to the ID we enter to compute the correct serial, which it then compares against the serial we typed.
So 123 is the key, and it's very simple to write a keygen. I will write a keygen for this program in BATCH:

@echo off
title Keygen
rem Read the ID from the user, exactly as the keygenme asks for it
set /p u=ID (Only numbers):
rem The keygenme's algorithm: serial = ID + 123
set /a r=(u+123)
echo %r% is your Serial number. Thanks !
pause

Save the above code as keygen.bat and run it.
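To make the FPU part concrete, here is the check as I reconstruct it from the trace above, rewritten in C, together with a small emulation of the status word that FUCOMPP leaves for FSTSW and the keygen itself. This is an added example, not code from the keygenme: the FADD constant 123 and the "serial == ID + 123" comparison come from the trace, while the AND 45h / XOR 40h masks (the usual compiler idiom for an x87 equality test; the post only says "AND and XOR") and the function names are my assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Condition-code bits of the x87 status word, as set by FUCOM/FUCOMPP
 * (Intel SDM vol. 1, FCOM/FUCOM result table):
 *   ST0 > ST1   : C3=0 C2=0 C0=0
 *   ST0 < ST1   : C3=0 C2=0 C0=1
 *   ST0 == ST1  : C3=1 C2=0 C0=0
 *   unordered   : C3=1 C2=1 C0=1   (either operand is a NaN)
 */
#define X87_C0 (1u << 8)
#define X87_C2 (1u << 10)
#define X87_C3 (1u << 14)

/* Emulate the status word FUCOMPP leaves behind when comparing ST0 with ST1. */
uint16_t fucom_status(double st0, double st1)
{
    if (st0 != st0 || st1 != st1)          /* a NaN compares unequal to itself */
        return X87_C3 | X87_C2 | X87_C0;   /* unordered */
    if (st0 < st1)
        return X87_C0;
    if (st0 > st1)
        return 0;
    return X87_C3;                         /* equal */
}

/*
 * Reconstruction of the keygenme's check, following the trace in the post:
 *   FLD  [id]         ; ST0 = id
 *   FADD [const]      ; ST0 = id + 123
 *   FLD  [serial]     ; ST0 = serial, ST1 = id + 123
 *   FUCOMPP           ; compare ST0 with ST1, pop both
 *   FSTSW AX          ; AX = status word, condition codes now in AH
 *   AND  AH, 45h      ; keep C3, C2, C0 (bits 6, 2, 0 of AH)
 *   XOR  AH, 40h      ; zero only if C3=1, C2=0, C0=0, i.e. equal
 *   JNZ  bad
 * The 45h/40h masks are an assumption; the post only says "AND and XOR".
 */
int keygenme_check(double id, double serial)
{
    double expected = id + 123.0;                 /* FLD id ; FADD [const] */
    uint16_t sw = fucom_status(serial, expected); /* FLD serial ; FUCOMPP ; FSTSW AX */
    uint8_t ah = (uint8_t)(sw >> 8);              /* condition codes live in AH */
    ah &= 0x45;                                   /* AND AH, 45h */
    ah ^= 0x40;                                   /* XOR AH, 40h */
    return ah == 0;                               /* JNZ bad: zero means "good" */
}

/* The keygen itself: the same arithmetic as the batch script above. */
long keygen(long id)
{
    return id + 123;
}

int main(int argc, char **argv)
{
    long id = argc > 1 ? strtol(argv[1], NULL, 10) : 123;  /* 123 is the ID used in the post */
    long serial = keygen(id);
    printf("ID %ld -> serial %ld (check: %s)\n", id, serial,
           keygenme_check((double)id, (double)serial) ? "good" : "bad");
    /* The pair typed in the post, ID 123 and serial 456, must still fail the check. */
    printf("ID 123, serial 456 -> %s\n", keygenme_check(123.0, 456.0) ? "good" : "bad");
    return 0;
}
```

Running it with the post's input shows why 456 lost: FUCOMPP leaves C0, C2 and C3 all clear for 456 > 246, the XOR turns that into 40h, and the JNZ is taken. Only when the serial equals ID + 123 is C3 the single bit set, which the AND/XOR pair maps to zero.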

And that is how we figure out the algorithm of a keygenme. It's a very, very basic example, but at the same time very helpful for newbies. Thanks bros! :)

