Deduction

Greetings Reverser...
Welcome to part III in the series of thoughts on Zen Reversing. My apologies to those I haven't had a chance to reply to, but rest assured, your comments and suggestions have been noted. In particular, Zogan emailed me a few weeks ago asking how he could apply -Zen- towards learning how to understand and create Key Generators. If I took this question at face value I would suggest that Zogan should first learn the basics of Assembly Language before thinking about creating his own Key Gens, but that is not strictly true. My own interpretation of -Zen Reversing- is that it should be FUN & CHALLENGING to learn, and if that means covering aspects of RCE that are not normally written about then so much the better. Therefore, if we take another look at Key Gens, but this time through the eyes of a Zen Reverser, we can indeed see that there are some interesting aspects to them which we can further explore on our own.

But first, put away your reversing tools; they are not needed or required here. You may want to grab a pen and a piece of paper and also a calculator; the calculator built into Windows will do just nicely. I am going to explain one example of how we can Zen reverse a key generator, which will then allow us to register our target program via a valid serial number which *you* will have worked out -WITHOUT- ever using Softice, W32Dasm, Regmon, Filemon or any other tool you care to name. That's right, we're going to grab a Key Generator from the web and study it using only our brain.
Let's now go fishing... OK, the first thing to remember is not to go overboard and attempt to -reverse- a serial based protection system too soon that is clearly -advanced-. By advanced I mean those that require many digits (usually in hex or a combination of ASCII & hex characters) in order to register the program. There are enough -simple- serial based protection systems around for us to practice on. You will see why shortly.

A quick search for Keygens using www.google.com reveals that there is a web page called "KEYGEN STUDiO" found at http://202.103.100.253/hambo/ that contains many keygens for us to use. From here I selected a keygen for a program that I had never heard of and which was for an early version. The reason why we would look for an early version of our target program is that the programmer will not yet have spent any time designing a robust and secure serial protection system, so he will most likely create one that takes the least amount of his time to code. Don't forget, he/she wants to get their program released as quickly as possible, and adding a protection system to it is usually the last thing they do before releasing it. Another thing to bear in mind when selecting a program to -Zen Reverse- is to find one that is limited in its usefulness to people. This will further ensure that you find an -easy- to reverse serial protection system, because the programmer will not worry too much about upgrading their protection system when their program is of use to only a small minority of people. From our point of view, these programs make excellent targets for us to reverse.

With these guidelines I picked out a Keygen for a program called "Blubber Patrol V1", which I later found out was for helping to maintain records of diets. At this point there is no need to find or download the actual program; instead, let's take a closer look at the keygen for this program and see if we can learn from it.
Keygen Name: Blubber Patrol V1
The great thing about these types of KeyGens is that once you type in the letters for the UserName it automatically starts to generate valid serial numbers, which in turn will help us to work out the algorithm used within our target program. Here's how we can do this... As with any serial based protection system it is important to first find the base values of each ASCII letter used within this protection system. We do this by entering one letter at a time into our KeyGen and noting what value is assigned to it. Here's what I found...

a=5529  b=5586  c=5643  d=5700  e=5757  f=5814  g=5871  h=5928  i=5985
A=3705  B=3762  C=3819  D=3876  E=3933  F=3990  G=4047  H=4104  I=4161
1=2793  2=2850  3=2907  4=2964  5=3021
<Space>=1824  +=4275  !=3705  [=5187  ]=5301

OK, these are our base values; now we must try and work out how these values are used within the serial protection system. We can do this by first entering into our Keygen two letters of our choice and observing the -resulting- values given. We select two values only at this stage because it will be easier to see any -patterns- that may emerge. For this example I will select the letters GO for our UserName. Our Keygen shows us that our -serial- number is now: 8550

Hmmm, let's see... From our base values shown above the letter G has a value of 4047 and the letter O has the value of 4503. Let's try the following...

4503 - 4047 = 456 (Wrong, value too low)
4503 + 4047 = 8550
It can't be... Surely we don't just add the base values of each letter we want to use for our UserName to arrive at the correct serial? In this case it is. If we now type in the letters OG, we will find that we still arrive at the SAME serial code of 8550, because the order of the letters plays no part in the resulting serial code. So adding 4503 + 4047 is exactly the same as adding 4047 + 4503 together.

So, if our UserName is to be: Pirate Copy
then our serial number would be: 60192
Which is worked out by adding the base value of each character, like this...

P + i + r + a + t + e + <Space> + C + o + p + y

And if we jumble these letters around, making sure we maintain the case of the letters and the single space character, like this: apryo iCePt
then our serial number would STILL be the same: 60192

Now for the final test... will the knowledge of what we have learned here work on the latest version of this program? Why not see for yourself? Homepage: http://www.techsono.com/
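The deduced scheme modelled in Python, as an added example (not code from this page, from Sandman, or from Blubber Patrol). It assumes one thing beyond the page: each base value listed for the letters, digits, space and brackets is 57 times the character's ASCII code (a = 97 * 57 = 5529, G = 71 * 57 = 4047), which reproduces the page's serials 8550 and 60192; the listed '+' and '!' values do not fit that model and are not used. It also contrasts the sum with a keyed, order-sensitive serial to show what the weak check lacks.

```python
import hashlib
import hmac

# Added example, not code from the page.  Assumption: each base value listed for
# the letters, digits, space and brackets is 57 times the character's ASCII
# code (a -> 97*57 = 5529, G -> 71*57 = 4047); the page's '+' and '!' entries
# do not fit that model and are not used here.
WEIGHT = 57  # inferred multiplier (assumption)


def base_value(ch: str) -> int:
    """Value the keygen assigns to one character under the inferred model."""
    return WEIGHT * ord(ch)


def serial_for(name: str) -> int:
    """Blubber Patrol V1 serial as deduced above: a plain sum of base values."""
    return sum(base_value(ch) for ch in name)


def colliding_names(name: str, candidates: list[str]) -> list[str]:
    """Candidates the weak check accepts together with `name`'s serial.

    The serial is an order-independent sum, so every anagram of `name`
    collides, and so does any string whose character codes add up to the
    same total: the serial is barely bound to the name at all.
    """
    target = serial_for(name)
    return [c for c in candidates if c != name and serial_for(c) == target]


def serial_keyed(name: str, key: bytes) -> str:
    """Contrast: an order-sensitive, keyed serial (illustration, not the page's).

    HMAC-SHA256 over the exact name: 'GO' and 'OG' get unrelated serials and
    single-letter probes reveal no per-character table.  A shipped product
    would verify a public-key signature instead, so the checking code never
    holds a secret that could be lifted from the binary.
    """
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    print(serial_for("GO"), serial_for("OG"))                    # 8550 8550
    print(serial_for("Pirate Copy"), serial_for("apryo iCePt"))  # 60192 60192
    print(colliding_names("GO", ["OG", "FP", "Go", "HN"]))       # ['OG', 'FP', 'HN']
    print(serial_keyed("GO", b"demo-key") == serial_keyed("OG", b"demo-key"))  # False
```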
I know that this is a pretty lame example to use, but it serves my purpose well in order to introduce to you the Zen challenge of this page.
First, download the following KeyGen (filename: cr-bpl11.zip). This Keygen is for the program B-Puzzle V1.1. Your challenge is to figure out as much as you can about how the serial code is generated. Here's what I can tell you...
My Congratulations on completing this challenge goes to the following Zen Students:
Good luck.

+Sandman

How then do you reverse a reverser? Simple, you take all his knowledge & Ethics and turn it all inside & backwards on him!