![\"\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2011\/09\/somekeygen.jpg\" "\\"somekeygen\\"")
<\/a><\/p>\nThis is going to be a multi-parter.\u00a0 This first section is going to go over the very basics.<\/p>\n
<\/p>\n
For starters, most copy protection schemes today (and for the last 15 years or so) use some sort of key based authentication. The two most common bypasses for these forms of authentication are either a patch, or a generated key. A patch is when we just jump over the crap don’t like (ie; a code patch that makes consideration always true, false or not operate at all). A keygen is a program that emulates (or as will see, flat out rips off) the copy protection algorithm.<\/p>\n
<\/p>\n
What I have below is something I wrote recently as a keygen for a web spider application. The program is kind of stupid(although so was the copy protection scheme in place), but it works. It builds upon the simple concept that copy protection schemes are easy to copy. I’m not allowed to disclose which one since that’s against the rules (and I’m sick of the letters from my host).<\/p>\n
<\/p>\n
#include <windows.h>
\n#include <stdio.h>
\n#define LoWord(l) ((WORD)(l))
\n#define HiWord(l) ((WORD)(((DWORD)(l) >> 16) & 0xFFFF)) \/\/ pelles doesnt support hi \/ lo words
\n\/\/ which just splits and shifts the double word. whatever.
\nunsigned long GenKey(DWORD);<\/p>\n
int main(int argc, char *argv[])
\n{
\nchar root[MAX_PATH] = “C:\\\\”;
\nchar volname[MAX_PATH];
\nDWORD serial, maxname, flags;
\nchar fsName[128];
\nDWORD fsNameLength;
\nfsNameLength = sizeof(fsName)-1;
\nGetVolumeInformation(root, volname, MAX_PATH,&serial, &maxname, &flags, fsName, fsNameLength);
\nprintf(“Name of System: %s\\r\\n”,fsName);
\nif(volname[0] == ‘\\0’) \/\/ lol null
\n{
\nprintf(“No Volume name present\\r\\n”);
\n}
\nelse
\n{
\nprintf(“Volume Name: %s\\r\\n”,volname);
\n}
\nprintf(“Volume Serial Number: %x\\r\\n”,serial);
\nprintf(“Your Special key: %x\\r\\n”,GenKey(serial));
\nreturn 0;
\n}<\/p>\n
unsigned long GenKey(DWORD serial)
\n{
\nDWORD seed1 = 4096;
\nDWORD seed2 = HiWord(serial);
\nDWORD retme = seed1 ^ serial * seed2;
\nreturn retme;
\n}<\/p>\n
<\/p>\n
The first 2 values displayed are topical, and made only to look nice. The last 2 are the more interesting of values. Our volume serial number assigned by NTFS(windows) when the drive is first formatted. There are 3 values that go into generating the special key value. seed1, seed2, and the volume serial number. Value one is static at 4096, the next value is the High word (that is the first 4 bytes of the double word aka the first encountered word). What is the High word of the volume serial number? Depends on the drive, but for me its 9801H or 36993 in decimal.<\/p>\n