Maybe the best protections today are game protections. Although such
protections are very hard to unwrap, it is interesting how their key
checks stayed very simple in most cases. Indeed, they are simple, but the
hardest problem is to actually find where the keygen algorithm lies in the
application. This tutorial will show on a couple of examples how a game CD key
can be fished or keygened, more or less with ease in some cases.
1. HL1
Half-Life 1 is now a pretty old game, from 10/30/98, but still an
impressive one and better than some of today's. The game has a very simple key
check, and this was the first game that I managed to keygen. The CD check is very
simple too, but that is not the objective of this tutorial. After installing the
game you will probably want to play it. At game start we get a nice dialog
asking us for the game key. On entering some fake key, we will normally
get the BadBoy message. Loading the game exe in Olly and placing a bp on
GetWindowTextA, we can break when the game is grabbing the key from the dialog:
[IMAGE1]
But the main problem is to find where the key check is. Games are big and finding
such an algorithm is usually the major problem. But after returning from the API, I
placed a memory bp on the serial in memory and found where the algorithm reads it.
This first check will read my serial:
That TEST EAX,EAX and the CALL above are interesting. Tracing in, we can see
another length check:
That algorithm will take all characters except the last one. Then that sum in EAX
is divided by 0Ah and we get the remainder in EDX. The remainder is placed in AL
then, and into EDX is placed the last
2. STEF2
An easy approach for finding the key routine is to attach Olly to the main exe,
which is probably the install launcher. In this example, the application gets the
key characters using the GetWindowTextA API. After entering a fake serial,
Olly stopped in user32.dll on the API. Returning from the API brings me to a
subroutine which is part of another one:
This subroutine just collects characters from those 5 fields. And that
routine is a subroutine of the main key check one:
00AE15C0  PUSH ESI
00AE15C1  MOV ESI,DWORD PTR SS:[ESP+8]
00AE15C5  XOR EAX,EAX
00AE15C7  XOR ECX,ECX
00AE15C9  SUB ESI,ef2dll.00AFA4C0
00AE15CF  /MOV DL,BYTE PTR DS:[ESI+ECX+AFA4C0]   ; this first small loop cuts the serial down to 1111222233334444
00AE15D6  |MOV BYTE PTR DS:[ECX+AFA4C0],DL
00AE15DC  |INC ECX
00AE15DD  |CMP ECX,10
00AE15E0  \JB SHORT ef2dll.00AE15CF
00AE15E2  MOV CL,BYTE PTR DS:[AFA4C0]
00AE15E8  POP ESI
00AE15E9  TEST CL,CL
00AE15EB  JE SHORT ef2dll.00AE1611
00AE15ED  MOV ECX,ef2dll.00AFA4C0
00AE15F2  /XOR EDX,EDX                            ; this loop computes a value from those first characters
00AE15F4  |MOV DL,BYTE PTR DS:[ECX]               ; (1111222233334444); the result stored in EAX is
00AE15F6  |XOR EAX,EDX                            ; WORD size (two bytes) and forms the last 4 characters
00AE15F8  |INC ECX                                ; of the serial. In my case EAX=000057EF.
00AE15F9  |MOV EDX,8
00AE15FE  |/TEST AL,1
00AE1600  ||JE SHORT ef2dll.00AE1607
00AE1602  ||XOR EAX,14002
00AE1607  ||SHR EAX,1
00AE1609  ||DEC EDX
00AE160A  |\JNZ SHORT ef2dll.00AE15FE
00AE160C  |CMP BYTE PTR DS:[ECX],0
00AE160F  \JNZ SHORT ef2dll.00AE15F2
00AE1611  RETN
3. FF
[IMAGE3]
Finding the place where the serial is taken from the dialog is not easy since all the
APIs that can do that are triggered numerous times. GetWindowTextA is the
API that takes the serial, but I took a different approach. On "Next>" click, the
program shows an error message informing the user that the serial is
invalid. I just placed a bp on MessageBoxA and found the routine that calls
it. Then I placed a bp on the beginning of that procedure. The rest was easy,
just tracing, and I found the algorithm. However, there is a second way. This
registration app uses a CRC32 table while producing the serial. We can simply
scan the app with PEiD and find where CRC32 is referenced. And all EA games
have the same registration scheme (that means hundreds of games).
ASCII "1234567890ABCDEFGHIJ"
ASCII "1IDJEF7G90ABH3568C24"
It takes 13 chars from such a serial and calculates some sum of it:
ASCII "1IDJEF7G90ABH"
16FA0346
16FBC8B8
ASCII "6MRZU9A"
On the basis of that string's characters, the algorithm picks dwords from the CRC32 table,
calculates some sums, and then a new string is created:
ASCII "FTGLRUP"
ASCII "1IDJEF7G90ABHFTGLRUP"
ASCII "1UFPTG7L90ABRDEFGHIJ"
The algorithm can easily be ripped for making a generic keygen. As said before, ALL
EA games from that year have the same register algorithm. I saw that in "Medal of
Honor - Pacific Assault" the algorithm is a little different. They probably
change the algorithm a little every year.
4. Conclusion
As you can see, it is not so hard to fish a serial or to keygen some game.
Some games use Wise Installer, and there the serial check differs because
Wise Installer uses scripts (.msi files). In this case finding the serial
can be hard, but there are some decompilers like "Wise For Windows
Installer" that can help.
That's it, and I hope that this small tutorial will give you some
pointers. Sorry for the usual grammar mistakes.
Greets fly to all good people on this great site, to the ARTeam community
and to the best crackmes site, crackmes.de. See you :)
haggar 22.02.2006