                                                                      
                                                                  
                                                                      
                   E     C      L      i      P      S      E            

                             
                                 p r e s e n t s
                             


                  ╔═══════════════════════════════════════════════╗
                    How to keygen Kremlin International 2.21  
                  ╚═══════════════════════════════════════════════╝

level : easy



╔═════════════════════════╗
 1) What is Kremlin ? 
╚═════════════════════════╝

To quote cryptographer Bruce Schneier, cryptography is harder than it looks.
Windows was not designed as a cryptographically secure environment. 
Your keyboard strokes are often written to buffer files, your word processor 
saves scraps of your sensitive documents to disk, and your Internet browsing 
history is dutifully recorded and saved by your browser.

Kremlin helps you build a wall around your computer system. Not only does it 
feature strong cryptography to protect your sensitive files (using the RC4 
algorithm), but it includes utilities that securely erase sensitive data from 
your computer.

And Kremlin is easy to use, too. Want to encrypt a file? Just right-click on 
it and hit Encrypt. Secure deletion can be done by dragging your sensitive 
documents to the Kremlin Secure Recycle Bin. And when you log off, Kremlin 
clears sensitive areas of your hard disk and wipes all records of your 
activities. Kremlin can also automatically encrypt your sensitive documents 
when you log off your computer and decrypt them when you log back on, 
automatically protecting your files from nosy snoops. Kremlin also includes 
powerful and intelligent file compression; who needs .zip files when you can 
have encrypted and compressed Kremlin files?

www.kremlinencrypt.com



╔═════════════════════════╗
 2) Forewords 
╚═════════════════════════╝

Maybe these guys should read Bruce Schneier's book again: they say their
product uses RC4... but the registration algorithm has nothing to do with
crypto and can be keygenned in a few minutes!

You don't have to download the whole program to follow this tutorial,
because the registration part is contained in 'register.exe' (it could
pass for a crackme ;)
So, you need these files:

- register.exe
- kremDLL.dll
- kremSDK.dll



╔═════════════════════════╗
 3) Let's go 
╚═════════════════════════╝

We'll use "1234567890" as our dummy serial.


OK, fire up WDASM, open register.exe and use the string data references
to find this:


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

* Reference To: USER32.GetWindowTextA, Ord:013Fh
                                  |
:0040121D FF15B8814000            Call dword ptr [004081B8]
:00401223 8D542404                lea edx, dword ptr [esp+04] -> our serial
:00401227 52                      push edx

* Reference To: KremDLL.IsRegisteredCode, Ord:0019h
                                  |
:00401228 E815010000              Call 00401342
:0040122D 83C404                  add esp, 00000004
:00401230 85C0                    test eax, eax
:00401232 6A30                    push 00000030

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Well well, the serial check routine is in KremDLL.dll, so let's look at it:


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Exported fn(): IsRegisteredCode - Ord:001Ah
:100061F0 56                      push esi
:100061F1 8B742408                mov esi, dword ptr [esp+08] -> our serial
:100061F5 56                      push esi
:100061F6 E895FCFFFF              call 10005E90 -> serial_check #1
:100061FB 83C404                  add esp, 00000004
:100061FE 85C0                    test eax, eax
:10006200 750F                    jne 10006211 -> REGISTERED
:10006202 56                      push esi
:10006203 E818FEFFFF              call 10006020 -> serial_check #2
:10006208 83C404                  add esp, 00000004
:1000620B 85C0                    test eax, eax
:1000620D 7502                    jne 10006211 -> REGISTERED
:1000620F 5E                      pop esi
:10006210 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10006200(C), :1000620D(C)
|
:10006211 B801000000              mov eax, 00000001
:10006216 5E                      pop esi
:10006217 C3                      ret

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Curious: there are 2 serial_check routines, and either one returning
non-zero is enough to be REGISTERED. We will only have a look at the first one:


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

* Referenced by a CALL at Addresses:
|:100061F6   , :1000638D   , :10006546   
|
:10005E90 83EC08                  sub esp, 00000008
:10005E93 83C9FF                  or ecx, FFFFFFFF
:10005E96 33C0                    xor eax, eax
:10005E98 53                      push ebx
:10005E99 55                      push ebp
:10005E9A 56                      push esi
:10005E9B 8B742418                mov esi, dword ptr [esp+18] -> our_serial
:10005E9F 57                      push edi
:10005EA0 8BFE                    mov edi, esi
:10005EA2 F2                      repnz
:10005EA3 AE                      scasb
:10005EA4 F7D1                    not ecx
:10005EA6 49                      dec ecx
:10005EA7 83F90A                  cmp ecx, 0000000A -> len(serial) = 10 ?
:10005EAA 7408                    je 10005EB4
:10005EAC 5F                      pop edi
:10005EAD 5E                      pop esi
:10005EAE 5D                      pop ebp
:10005EAF 5B                      pop ebx
:10005EB0 83C408                  add esp, 00000008
:10005EB3 C3                      ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10005EAA(C)
|
:10005EB4 33C0                    xor eax, eax
:10005EB6 6A04                    push 00000004
:10005EB8 8D4C2414                lea ecx, dword ptr [esp+14]
:10005EBC 89442414                mov dword ptr [esp+14], eax
:10005EC0 56                      push esi
:10005EC1 51                      push ecx
:10005EC2 BF01000000              mov edi, 00000001
:10005EC7 88442420                mov byte ptr [esp+20], al

* Reference To: MSVCRT.strncpy, Ord:02BCh
                                  |
:10005ECB FF155CE20010            Call dword ptr [1000E25C]
:10005ED1 83C40C                  add esp, 0000000C
:10005ED4 8D542410                lea edx, dword ptr [esp+10] -> "1234" (if serial = "1234567890")
:10005ED8 52                      push edx

* Reference To: MSVCRT.atoi, Ord:0238h -> STRING TO INTEGER
                                  |
:10005ED9 FF1544E20010            Call dword ptr [1000E244]
:10005EDF 8BC8                    mov ecx, eax

"1234" -> ECX = 0x4D2 (1234)
From now we will call 'serial_1' this value : serial_1 = 0x4D2 = 1234


:10005EE1 83C404                  add esp, 00000004
:10005EE4 85C9                    test ecx, ecx
:10005EE6 7508                    jne 10005EF0
:10005EE8 5F                      pop edi
:10005EE9 5E                      pop esi
:10005EEA 5D                      pop ebp
:10005EEB 5B                      pop ebx
:10005EEC 83C408                  add esp, 00000008
:10005EEF C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10005EE6(C)
|
:10005EF0 8BC1                    mov eax, ecx
:10005EF2 BBEF000000              mov ebx, 000000EF
:10005EF7 99                      cdq
:10005EF8 F7FB                    idiv ebx

EDX = serial_1 % 0xEF

:10005EFA 8BC1                    mov eax, ecx
:10005EFC BD7B000000              mov ebp, 0000007B
:10005F01 8BDA                    mov ebx, edx
:10005F03 99                      cdq
:10005F04 F7FD                    idiv ebp

EDX = serial_1 % 0x7B

:10005F06 03DA                    add ebx, edx
:10005F08 8BC3                    mov eax, ebx
:10005F0A BB0A000000              mov ebx, 0000000A
:10005F0F 99                      cdq
:10005F10 F7FB                    idiv ebx

EDX = ((serial_1 % 0xEF) + (serial_1 % 0x7B)) % 0x0A

:10005F12 0FBE4604                movsx eax, byte ptr [esi+04] -> "5" if serial="1234567890"
:10005F16 83C230                  add edx, 00000030
:10005F19 3BC2                    cmp eax, edx

=> serial[4] = (((serial_1 % 0xEF) + (serial_1 % 0x7B)) % 0x0A) + 0x30


:10005F1B 7402                    je 10005F1F
:10005F1D 33FF                    xor edi, edi -> FUCK OFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10005F1B(C)
|
:10005F1F 8BC1                    mov eax, ecx
:10005F21 BB01010000              mov ebx, 00000101
:10005F26 99                      cdq
:10005F27 F7FB                    idiv ebx

EDX = serial_1 % 0x101

:10005F29 8BC1                    mov eax, ecx
:10005F2B BDC9000000              mov ebp, 000000C9
:10005F30 8BDA                    mov ebx, edx
:10005F32 99                      cdq
:10005F33 F7FD                    idiv ebp

EDX = serial_1 % 0xC9

:10005F35 03DA                    add ebx, edx
:10005F37 8BC3                    mov eax, ebx
:10005F39 BB0A000000              mov ebx, 0000000A
:10005F3E 99                      cdq
:10005F3F F7FB                    idiv ebx

EDX = ((serial_1 % 0x101) + (serial_1 % 0xC9)) % 0x0A

:10005F41 0FBE4605                movsx eax, byte ptr [esi+05] -> "6" if serial="1234567890"
:10005F45 83C230                  add edx, 00000030
:10005F48 3BC2                    cmp eax, edx

=> serial[5] = (((serial_1 % 0x101) + (serial_1 % 0xC9)) % 0x0A) + 0x30;

:10005F4A 7402                    je 10005F4E
:10005F4C 33FF                    xor edi, edi -> FUCK OFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10005F4A(C)
|
:10005F4E 8BC1                    mov eax, ecx
:10005F50 BB85000000              mov ebx, 00000085
:10005F55 99                      cdq
:10005F56 F7FB                    idiv ebx
:10005F58 8BC1                    mov eax, ecx
:10005F5A BD61000000              mov ebp, 00000061
:10005F5F 8BDA                    mov ebx, edx
:10005F61 99                      cdq
:10005F62 F7FD                    idiv ebp
:10005F64 03DA                    add ebx, edx
:10005F66 8BC3                    mov eax, ebx
:10005F68 BB0A000000              mov ebx, 0000000A
:10005F6D 99                      cdq
:10005F6E F7FB                    idiv ebx
:10005F70 0FBE4606                movsx eax, byte ptr [esi+06] -> "7" if serial="1234567890"
:10005F74 83C230                  add edx, 00000030
:10005F77 3BC2                    cmp eax, edx

=> serial[6] = (((serial_1 % 0x85) + (serial_1 % 0x61)) % 0x0A) + 0x30;

:10005F79 7402                    je 10005F7D
:10005F7B 33FF                    xor edi, edi -> FUCK OFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10005F79(C)
|
:10005F7D 8BC1                    mov eax, ecx
:10005F7F BB97000000              mov ebx, 00000097
:10005F84 99                      cdq
:10005F85 F7FB                    idiv ebx
:10005F87 8BC1                    mov eax, ecx
:10005F89 BD45000000              mov ebp, 00000045
:10005F8E 8BDA                    mov ebx, edx
:10005F90 99                      cdq
:10005F91 F7FD                    idiv ebp
:10005F93 03DA                    add ebx, edx
:10005F95 8BC3                    mov eax, ebx
:10005F97 BB0A000000              mov ebx, 0000000A
:10005F9C 99                      cdq
:10005F9D F7FB                    idiv ebx
:10005F9F 0FBE4607                movsx eax, byte ptr [esi+07] -> "8" if serial="1234567890"
:10005FA3 83C230                  add edx, 00000030
:10005FA6 3BC2                    cmp eax, edx

=> serial[7] = (((serial_1 % 0x97) + (serial_1 % 0x45)) % 0x0A) + 0x30;

:10005FA8 7402                    je 10005FAC
:10005FAA 33FF                    xor edi, edi -> FUCK OFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10005FA8(C)
|
:10005FAC 8BC1                    mov eax, ecx
:10005FAE BBAB000000              mov ebx, 000000AB
:10005FB3 99                      cdq
:10005FB4 F7FB                    idiv ebx
:10005FB6 8BC1                    mov eax, ecx
:10005FB8 BD35000000              mov ebp, 00000035
:10005FBD 8BDA                    mov ebx, edx
:10005FBF 99                      cdq
:10005FC0 F7FD                    idiv ebp
:10005FC2 03DA                    add ebx, edx
:10005FC4 8BC3                    mov eax, ebx
:10005FC6 BB0A000000              mov ebx, 0000000A
:10005FCB 99                      cdq
:10005FCC F7FB                    idiv ebx
:10005FCE 0FBE4608                movsx eax, byte ptr [esi+08] -> "9" if serial="1234567890"
:10005FD2 83C230                  add edx, 00000030
:10005FD5 3BC2                    cmp eax, edx

=> serial[8] = (((serial_1 % 0xAB) + (serial_1 % 0x35)) % 0x0A) + 0x30;

:10005FD7 7402                    je 10005FDB
:10005FD9 33FF                    xor edi, edi -> FUCK OFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10005FD7(C)
|
:10005FDB 8BC1                    mov eax, ecx
:10005FDD BBD9000000              mov ebx, 000000D9
:10005FE2 99                      cdq
:10005FE3 F7FB                    idiv ebx
:10005FE5 8BC1                    mov eax, ecx
:10005FE7 B96F000000              mov ecx, 0000006F
:10005FEC 8BDA                    mov ebx, edx
:10005FEE 99                      cdq
:10005FEF F7F9                    idiv ecx
:10005FF1 B90A000000              mov ecx, 0000000A
:10005FF6 03DA                    add ebx, edx
:10005FF8 8BC3                    mov eax, ebx
:10005FFA 99                      cdq
:10005FFB F7F9                    idiv ecx
:10005FFD 0FBE4609                movsx eax, byte ptr [esi+09] -> "0" if serial="1234567890"
:10006001 83C230                  add edx, 00000030
:10006004 3BC2                    cmp eax, edx

=> serial[9] = (((serial_1 % 0xD9) + (serial_1 % 0x6F)) % 0x0A) + 0x30;

:10006006 7402                    je 1000600A
:10006008 33FF                    xor edi, edi -> FUCK OFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10006006(C)
|
:1000600A 8BC7                    mov eax, edi
:1000600C 5F                      pop edi
:1000600D 5E                      pop esi
:1000600E 5D                      pop ebp
:1000600F 5B                      pop ebx
:10006010 83C408                  add esp, 00000008
:10006013 C3                      ret

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


╔═════════════════════════╗
 4) The keygen 
╚═════════════════════════╝

Well, nothing to add: you can cut & paste the ASM code, or make a high-level keygen.

The first 4 digits of the serial can be anything you want, as long as atoi()
of them is not zero (see the 'test ecx, ecx' at 10005EE4); they are simply
used to generate the other 6 digits.
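To check the reading of the disassembly above, here is serial_check #1 (10005E90)
transcribed back to C. This is an added example written for this tutorial, not
Wizard's code and not the Kremlin DLL's source; the assumption that the routine
was compiled from C with MSVCRT's strncpy()/atoi() comes only from the imports
visible in the listing. The function name is_registered_code, the helper
expected_char and the PAIRS table are names chosen here. C's % operator
truncates toward zero exactly like cdq/idiv, so the model keeps the DLL's
behaviour for odd inputs too (a prefix that atoi() reads as negative, bytes
above 0x7F that movsx sign-extends).

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Modulus pairs read from the listing, one pair per checked position
   serial[4] .. serial[9] (the constants are the page's own). */
static const int PAIRS[6][2] = {
    {0xEF,  0x7B},  /* serial[4] */
    {0x101, 0xC9},  /* serial[5] */
    {0x85,  0x61},  /* serial[6] */
    {0x97,  0x45},  /* serial[7] */
    {0xAB,  0x35},  /* serial[8] */
    {0xD9,  0x6F}   /* serial[9] */
};

/* Value the check compares against at position 4+i:
   EDX = ((serial_1 % a) + (serial_1 % b)) % 0x0A, then add 0x30.
   Hypothetical helper name; the DLL inlines this six times. */
static int expected_char(int serial_1, int i)
{
    int edx = (serial_1 % PAIRS[i][0] + serial_1 % PAIRS[i][1]) % 0x0A;
    return edx + 0x30;
}

/* Model of serial_check #1. Returns 1 for REGISTERED, 0 otherwise. */
int is_registered_code(const char *serial)
{
    char buf[5];
    int serial_1, edi = 1, i;

    /* repnz scasb / not ecx / dec ecx: strlen(serial) must be exactly 10 */
    if (strlen(serial) != 10)
        return 0;

    /* zeroed 5-byte stack buffer, strncpy(buf, serial, 4), atoi(buf) */
    memset(buf, 0, sizeof buf);
    strncpy(buf, serial, 4);
    serial_1 = atoi(buf);
    if (serial_1 == 0)          /* test ecx, ecx: "0000......" is rejected */
        return 0;

    /* six compares; edi is cleared on any mismatch but the code keeps going */
    for (i = 0; i < 6; i++) {
        int eax = (signed char)serial[4 + i];   /* movsx eax, byte ptr [esi+4+i] */
        if (eax != expected_char(serial_1, i))
            edi = 0;
    }
    return edi;                 /* mov eax, edi */
}

int main(void)
{
    const char *dummy = "1234567890";   /* the tutorial's dummy serial */
    int serial_1 = atoi("1234"), i;

    printf("%s -> %s\n", dummy,
           is_registered_code(dummy) ? "REGISTERED" : "rejected");
    for (i = 0; i < 6; i++)
        printf("serial[%d]: found '%c', check wants '%c'\n",
               4 + i, dummy[4 + i], expected_char(serial_1, i));
    return 0;
}
```

Run it on the dummy serial and you get the same picture as the listing: serial_1
is 1234 and each of the six compares is decided by that value alone. That is the
whole weakness the forewords point at: everything the DLL needs to accept a
serial is a handful of fixed constants and four digits the user types, so at
most 9999 distinct serials (one per non-zero prefix) can ever pass check #1 and
all of them can be rederived from the listing. A registration check that the
client can evaluate entirely on its own is always in this position; the usual
fix is to make the client verify a signature over the licence data with a
public key, so that producing a valid code needs a secret the DLL never holds.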


╔═════════════════════════╗
 5) Final words 
╚═════════════════════════╝

Take care.

Wizard [ECLiPSE] 25/01/2001