╔════════════════════════════════════════════╗
║           NettWin 2001 Keygen              ║
╚════════════════════════════════════════════╝

Intro
~~~~~

Tools: Sice, Tasm

Download: nettwin.free.fr

Making a Keygen
~~~~~~~~~~~~~~~

First we'll try to locate the spot where the serial is checked, so that we can obtain a valid name/serial pair. To do this, we enter dummy info in the registration box, set a bpx hmemcpy and press OK. SoftICE breaks; F5 once, then F12 until we land in the exe's code:

:004697F9 8B45F0 mov eax, dword ptr [ebp-10]
:004697FC 5A pop edx
:004697FD E87AFAFFFF call 0046927C
:00469802 8D55E8 lea edx, dword ptr [ebp-18]
:00469805 8B45FC mov eax, dword ptr [ebp-04]
:00469808 8B80F8020000 mov eax, dword ptr [eax+000002F8]
:0046980E E8F920FCFF call 0042B90C
:00469813 8B45E8 mov eax, dword ptr [ebp-18]
:00469816 8D55EC lea edx, dword ptr [ebp-14]
:00469819 E8C6E3F9FF call 00407BE4
:0046981E 8B45EC mov eax, dword ptr [ebp-14]
:00469821 BA6C9F4600 mov edx, 00469F6C
:00469826 E841A5F9FF call 00403D6C
:0046982B 742B je 00469858
:0046982D 8D55E0 lea edx, dword ptr [ebp-20]
:00469830 8B45FC mov eax, dword ptr [ebp-04]
:00469833 8B80F8020000 mov eax, dword ptr [eax+000002F8]
:00469839 E8CE20FCFF call 0042B90C
:0046983E 8B45E0 mov eax, dword ptr [ebp-20]
:00469841 8D55E4 lea edx, dword ptr [ebp-1C]
:00469844 E89BE3F9FF call 00407BE4 << Uppercases our name
:00469849 8B45E4 mov eax, dword ptr [ebp-1C] << Our name in eax
:0046984C BA809F4600 mov edx, 00469F80 << QUAKER BILL in edx (blacklist?)
:00469851 E816A5F9FF call 00403D6C << cmp KAHEL, QUAKER BILL
:00469856 7554 jne 004698AC << if we're not called quaker bill, we leave
:00469858 A1C8284700 mov eax, dword ptr [004728C8]
:0046985D C60001 mov byte ptr [eax], 01
:00469860 8B03 mov eax, dword ptr [ebx]
:00469862 8B80D0020000 mov eax, dword ptr [eax+000002D0]
:00469868 83C034 add eax, 00000034
:0046986B BA949F4600 mov edx, 00469F94
:00469870 E8BBA1F9FF call 00403A30
:00469875 8B03 mov eax, dword ptr [ebx]
:00469877 8B80D0020000 mov eax, dword ptr [eax+000002D0]
:0046987D 83C038 add eax, 00000038
:00469880 BAA89F4600 mov edx, 00469FA8
:00469885 E8A6A1F9FF call 00403A30
:0046988A 8B03 mov eax, dword ptr [ebx]
:0046988C 8B80D0020000 mov eax, dword ptr [eax+000002D0]
:00469892 E8555BFEFF call 0044F3EC
:00469897 6A00 push 00000000
:00469899 668B0DAC9F4600 mov cx, word ptr [00469FAC]
:004698A0 B202 mov dl, 02
:004698A2 B8B89F4600 mov eax, 00469FB8
:004698A7 E80056FEFF call 0044EEAC
:004698AC 8D55DC lea edx, dword ptr [ebp-24] << We land here
:004698AF 8B45FC mov eax, dword ptr [ebp-04]
:004698B2 8B8000030000 mov eax, dword ptr [eax+00000300]
:004698B8 E84F20FCFF call 0042B90C
:004698BD 8B45DC mov eax, dword ptr [ebp-24]
:004698C0 50 push eax
:004698C1 8D55D8 lea edx, dword ptr [ebp-28]
:004698C4 8B45FC mov eax, dword ptr [ebp-04]
:004698C7 8B80F8020000 mov eax, dword ptr [eax+000002F8]
:004698CD E83A20FCFF call 0042B90C
:004698D2 8B45D8 mov eax, dword ptr [ebp-28]
:004698D5 5A pop edx
:004698D6 E8A1F9FFFF call 0046927C << If we step into this call, the code inside looks like serial generation
:004698DB 8B15C8284700 mov edx, dword ptr [004728C8]
:004698E1 8802 mov byte ptr [edx], al
:004698E3 8D55D4 lea edx, dword ptr [ebp-2C]
:004698E6 8B45FC mov eax, dword ptr [ebp-04]
:004698E9 8B8000030000 mov eax, dword ptr [eax+00000300]
:004698EF E81820FCFF call 0042B90C
:004698F4 8B45D4 mov eax, dword ptr [ebp-2C]
:004698F7 50 push eax
:004698F8 8D55D0 lea edx, dword ptr [ebp-30]
:004698FB 8B45FC mov eax, dword ptr [ebp-04]
:004698FE 8B80F8020000 mov eax, dword ptr [eax+000002F8]
:00469904 E80320FCFF call 0042B90C
:00469909 8B55D0 mov edx, dword ptr [ebp-30]
:0046990C 8B03 mov eax, dword ptr [ebx]
:0046990E 59 pop ecx
:0046990F E82C500000 call 0046E940 << Same as at 4698D6
:00469914 8B15C8284700 mov edx, dword ptr [004728C8]
:0046991A 8802 mov byte ptr [edx], al
:0046991C A1A4254700 mov eax, dword ptr [004725A4]
:00469921 C60000 mov byte ptr [eax], 00
:00469924 8D55CC lea edx, dword ptr [ebp-34]
:00469927 8B45FC mov eax, dword ptr [ebp-04]
:0046992A 8B8000030000 mov eax, dword ptr [eax+00000300]
:00469930 E8D71FFCFF call 0042B90C
:00469935 8B45CC mov eax, dword ptr [ebp-34]
:00469938 50 push eax
:00469939 8D55C8 lea edx, dword ptr [ebp-38]
:0046993C 8B45FC mov eax, dword ptr [ebp-04]
:0046993F 8B80F8020000 mov eax, dword ptr [eax+000002F8]
:00469945 E8C21FFCFF call 0042B90C
:0046994A 8B55C8 mov edx, dword ptr [ebp-38]
:0046994D 8B03 mov eax, dword ptr [ebx]
:0046994F 59 pop ecx
:00469950 E83B520000 call 0046EB90 << Call that checks the serial
:00469955 84C0 test al, al << al = 0 ?
:00469957 0F84BA000000 je 00469A17 << If al = 0, jmp bad_code

So we'll look at the calls to 46EB90, 46927C & 46E940:

Call 46927C:

:0046927C 55 push ebp
:0046927D 8BEC mov ebp, esp
:0046927F 83C4F4 add esp, FFFFFFF4
:00469282 53 push ebx
:00469283 56 push esi
:00469284 57 push edi
:00469285 33C9 xor ecx, ecx
:00469287 894DF4 mov dword ptr [ebp-0C], ecx
:0046928A 8955F8 mov dword ptr [ebp-08], edx
:0046928D 8945FC mov dword ptr [ebp-04], eax
:00469290 8B45FC mov eax, dword ptr [ebp-04]
:00469293 E878ABF9FF call 00403E10
:00469298 8B45F8 mov eax, dword ptr [ebp-08]
:0046929B E870ABF9FF call 00403E10
:004692A0 33C0 xor eax, eax
:004692A2 55 push ebp
:004692A3 6886934600 push 00469386
:004692A8 64FF30 push dword ptr fs:[eax]
:004692AB 648920 mov dword ptr fs:[eax], esp
:004692AE 33DB xor ebx, ebx
:004692B0 8B45FC mov eax, dword ptr [ebp-04]
:004692B3 E8A4A9F9FF call 00403C5C
:004692B8 8BF0 mov esi, eax
:004692BA 85F6 test esi, esi
:004692BC 7E6A jle 00469328
:004692BE BF01000000 mov edi, 00000001
:004692C3 8B45FC mov eax, dword ptr [ebp-04]
:004692C6 0FB64438FF movzx eax, byte ptr [eax+edi-01]
:004692CB F7EF imul edi
:004692CD 03D8 add ebx, eax
:004692CF 69C3FE3F1102 imul eax, ebx, 02113FFE
:004692D5 99 cdq
:004692D6 33C2 xor eax, edx
:004692D8 2BC2 sub eax, edx
:004692DA 8BD8 mov ebx, eax
:004692DC 81FB00464575 cmp ebx, 75454600
:004692E2 7C06 jl 004692EA
:004692E4 81EB00464575 sub ebx, 75454600
:004692EA 81FB00CA9A3B cmp ebx, 3B9ACA00
:004692F0 7C06 jl 004692F8
:004692F2 81EB00CA9A3B sub ebx, 3B9ACA00
:004692F8 81F358174125 xor ebx, 25411758
:004692FE 81FB00943577 cmp ebx, 77359400
:00469304 7C06 jl 0046930C
:00469306 81EB00943577 sub ebx, 77359400
:0046930C 81FB00CA9A3B cmp ebx, 3B9ACA00
:00469312 7C06 jl 0046931A
:00469314 81EB00CA9A3B sub ebx, 3B9ACA00
:0046931A 8D55F4 lea edx, dword ptr [ebp-0C]
:0046931D 8BC3 mov eax, ebx
:0046931F E814ECF9FF call 00407F38
:00469324 47 inc edi
:00469325 4E dec esi
:00469326 759B jne 004692C3
:00469328 8B45F4 mov eax, dword ptr [ebp-0C]
:0046932B E82CA9F9FF call 00403C5C
:00469330 83F809 cmp eax, 00000009
:00469333 7D23 jge 00469358
:00469335 8B45F4 mov eax, dword ptr [ebp-0C]
:00469338 E81FA9F9FF call 00403C5C
:0046933D BE09000000 mov esi, 00000009
:00469342 2BF0 sub esi, eax
:00469344 85F6 test esi, esi
:00469346 7E10 jle 00469358
:00469348 8D45F4 lea eax, dword ptr [ebp-0C]
:0046934B BAA0934600 mov edx, 004693A0
:00469350 E80FA9F9FF call 00403C64
:00469355 4E dec esi
:00469356 75F0 jne 00469348
:00469358 8B45F4 mov eax, dword ptr [ebp-0C]
:0046935B 8B55F8 mov edx, dword ptr [ebp-08]
:0046935E E809AAF9FF call 00403D6C
:00469363 7504 jne 00469369
:00469365 B301 mov bl, 01
:00469367 EB02 jmp 0046936B
:00469369 33DB xor ebx, ebx
:0046936B 33C0 xor eax, eax
:0046936D 5A pop edx
:0046936E 59 pop ecx
:0046936F 59 pop ecx
:00469370 648910 mov dword ptr fs:[eax], edx
:00469373 688D934600 push 0046938D
:00469378 8D45F4 lea eax, dword ptr [ebp-0C]
:0046937B BA03000000 mov edx, 00000003
:00469380 E87BA6F9FF call 00403A00
:00469385 C3 ret

Call 46EB90:

:0046EB90 55 push ebp
:0046EB91 8BEC mov ebp, esp
:0046EB93 83C4F4 add esp, FFFFFFF4
:0046EB96 53 push ebx
:0046EB97 56 push esi
:0046EB98 57 push edi
:0046EB99 33DB xor ebx, ebx
:0046EB9B 895DF4 mov dword ptr [ebp-0C], ebx
:0046EB9E 894DF8 mov dword ptr [ebp-08], ecx
:0046EBA1 8955FC mov dword ptr [ebp-04], edx
:0046EBA4 8B45FC mov eax, dword ptr [ebp-04]
:0046EBA7 E86452F9FF call 00403E10
:0046EBAC 8B45F8 mov eax, dword ptr [ebp-08]
:0046EBAF E85C52F9FF call 00403E10
:0046EBB4 33C0 xor eax, eax
:0046EBB6 55 push ebp
:0046EBB7 689AEC4600 push 0046EC9A
:0046EBBC 64FF30 push dword ptr fs:[eax]
:0046EBBF 648920 mov dword ptr fs:[eax], esp
:0046EBC2 33DB xor ebx, ebx
:0046EBC4 8B45FC mov eax, dword ptr [ebp-04]
:0046EBC7 E89050F9FF call 00403C5C
:0046EBCC 8BF0 mov esi, eax
:0046EBCE 85F6 test esi, esi
:0046EBD0 7E6A jle 0046EC3C
:0046EBD2 BF01000000 mov edi, 00000001
:0046EBD7 8B45FC mov eax, dword ptr [ebp-04]
:0046EBDA 0FB64438FF movzx eax, byte ptr [eax+edi-01]
:0046EBDF F7EF imul edi
:0046EBE1 03D8 add ebx, eax
:0046EBE3 69C3DDCACA01 imul eax, ebx, 01CACADD
:0046EBE9 99 cdq
:0046EBEA 33C2 xor eax, edx
:0046EBEC 2BC2 sub eax, edx
:0046EBEE 8BD8 mov ebx, eax
:0046EBF0 81FB00943577 cmp ebx, 77359400
:0046EBF6 7C06 jl 0046EBFE
:0046EBF8 81EB00943577 sub ebx, 77359400
:0046EBFE 81FB00CA9A3B cmp ebx, 3B9ACA00
:0046EC04 7C06 jl 0046EC0C
:0046EC06 81EB00CA9A3B sub ebx, 3B9ACA00
:0046EC0C 81F358171D22 xor ebx, 221D1758
:0046EC12 81FB00943577 cmp ebx, 77359400
:0046EC18 7C06 jl 0046EC20
:0046EC1A 81EB00943577 sub ebx, 77359400
:0046EC20 81FB00CA9A3B cmp ebx, 3B9ACA00
:0046EC26 7C06 jl 0046EC2E
:0046EC28 81EB00CA9A3B sub ebx, 3B9ACA00
:0046EC2E 8D55F4 lea edx, dword ptr [ebp-0C]
:0046EC31 8BC3 mov eax, ebx
:0046EC33 E80093F9FF call 00407F38
:0046EC38 47 inc edi
:0046EC39 4E dec esi
:0046EC3A 759B jne 0046EBD7
:0046EC3C 8B45F4 mov eax, dword ptr [ebp-0C]
:0046EC3F E81850F9FF call 00403C5C
:0046EC44 83F809 cmp eax, 00000009
:0046EC47 7D23 jge 0046EC6C
:0046EC49 8B45F4 mov eax, dword ptr [ebp-0C]
:0046EC4C E80B50F9FF call 00403C5C
:0046EC51 BE09000000 mov esi, 00000009
:0046EC56 2BF0 sub esi, eax
:0046EC58 85F6 test esi, esi
:0046EC5A 7E10 jle 0046EC6C
:0046EC5C 8D45F4 lea eax, dword ptr [ebp-0C]
:0046EC5F BAB4EC4600 mov edx, 0046ECB4
:0046EC64 E8FB4FF9FF call 00403C64
:0046EC69 4E dec esi
:0046EC6A 75F0 jne 0046EC5C
:0046EC6C 8B45F4 mov eax, dword ptr [ebp-0C]
:0046EC6F 8B55F8 mov edx, dword ptr [ebp-08]
:0046EC72 E8F550F9FF call 00403D6C
:0046EC77 7504 jne 0046EC7D
:0046EC79 B301 mov bl, 01
:0046EC7B EB02 jmp 0046EC7F
:0046EC7D 33DB xor ebx, ebx
:0046EC7F 33C0 xor eax, eax
:0046EC81 5A pop edx
:0046EC82 59 pop ecx
:0046EC83 59 pop ecx
:0046EC84 648910 mov dword ptr fs:[eax], edx
:0046EC87 68A1EC4600 push 0046ECA1
:0046EC8C 8D45F4 lea eax, dword ptr [ebp-0C]
:0046EC8F BA03000000 mov edx, 00000003
:0046EC94 E8674DF9FF call 00403A00
:0046EC99 C3 ret

Call 46E940:

:0046E940 55 push ebp
:0046E941 8BEC mov ebp, esp
:0046E943 83C4F4 add esp, FFFFFFF4
:0046E946 53 push ebx
:0046E947 56 push esi
:0046E948 57 push edi
:0046E949 33DB xor ebx, ebx
:0046E94B 895DF4 mov dword ptr [ebp-0C], ebx
:0046E94E 894DF8 mov dword ptr [ebp-08], ecx
:0046E951 8955FC mov dword ptr [ebp-04], edx
:0046E954 8B45FC mov eax, dword ptr [ebp-04]
:0046E957 E8B454F9FF call 00403E10
:0046E95C 8B45F8 mov eax, dword ptr [ebp-08]
:0046E95F E8AC54F9FF call 00403E10
:0046E964 33C0 xor eax, eax
:0046E966 55 push ebp
:0046E967 684AEA4600 push 0046EA4A
:0046E96C 64FF30 push dword ptr fs:[eax]
:0046E96F 648920 mov dword ptr fs:[eax], esp
:0046E972 33DB xor ebx, ebx
:0046E974 8B45FC mov eax, dword ptr [ebp-04]
:0046E977 E8E052F9FF call 00403C5C
:0046E97C 8BF0 mov esi, eax
:0046E97E 85F6 test esi, esi
:0046E980 7E6A jle 0046E9EC
:0046E982 BF01000000 mov edi, 00000001
:0046E987 8B45FC mov eax, dword ptr [ebp-04]
:0046E98A 0FB64438FF movzx eax, byte ptr [eax+edi-01]
:0046E98F F7EF imul edi
:0046E991 03D8 add ebx, eax
:0046E993 69C3CE710F05 imul eax, ebx, 050F71CE
:0046E999 99 cdq
:0046E99A 33C2 xor eax, edx
:0046E99C 2BC2 sub eax, edx
:0046E99E 8BD8 mov ebx, eax
:0046E9A0 81FB00943577 cmp ebx, 77359400
:0046E9A6 7C06 jl 0046E9AE
:0046E9A8 81EB00943577 sub ebx, 77359400
:0046E9AE 81FB00CA9A3B cmp ebx, 3B9ACA00
:0046E9B4 7C06 jl 0046E9BC
:0046E9B6 81EB00CA9A3B sub ebx, 3B9ACA00
:0046E9BC 81F358171D22 xor ebx, 221D1758
:0046E9C2 81FB00943577 cmp ebx, 77359400
:0046E9C8 7C06 jl 0046E9D0
:0046E9CA 81EB00943577 sub ebx, 77359400
:0046E9D0 81FB00CA9A3B cmp ebx, 3B9ACA00
:0046E9D6 7C06 jl 0046E9DE
:0046E9D8 81EB00CA9A3B sub ebx, 3B9ACA00
:0046E9DE 8D55F4 lea edx, dword ptr [ebp-0C]
:0046E9E1 8BC3 mov eax, ebx
:0046E9E3 E85095F9FF call 00407F38
:0046E9E8 47 inc edi
:0046E9E9 4E dec esi
:0046E9EA 759B jne 0046E987
:0046E9EC 8B45F4 mov eax, dword ptr [ebp-0C]
:0046E9EF E86852F9FF call 00403C5C
:0046E9F4 83F809 cmp eax, 00000009
:0046E9F7 7D23 jge 0046EA1C
:0046E9F9 8B45F4 mov eax, dword ptr [ebp-0C]
:0046E9FC E85B52F9FF call 00403C5C
:0046EA01 BE09000000 mov esi, 00000009
:0046EA06 2BF0 sub esi, eax
:0046EA08 85F6 test esi, esi
:0046EA0A 7E10 jle 0046EA1C
:0046EA0C 8D45F4 lea eax, dword ptr [ebp-0C]
:0046EA0F BA64EA4600 mov edx, 0046EA64
:0046EA14 E84B52F9FF call 00403C64
:0046EA19 4E dec esi
:0046EA1A 75F0 jne 0046EA0C
:0046EA1C 8B45F4 mov eax, dword ptr [ebp-0C]
:0046EA1F 8B55F8 mov edx, dword ptr [ebp-08]
:0046EA22 E84553F9FF call 00403D6C
:0046EA27 7504 jne 0046EA2D
:0046EA29 B301 mov bl, 01
:0046EA2B EB02 jmp 0046EA2F
:0046EA2D 33DB xor ebx, ebx
:0046EA2F 33C0 xor eax, eax
:0046EA31 5A pop edx
:0046EA32 59 pop ecx
:0046EA33 59 pop ecx
:0046EA34 648910 mov dword ptr fs:[eax], edx
:0046EA37 6851EA4600 push 0046EA51
:0046EA3C 8D45F4 lea eax, dword ptr [ebp-0C]
:0046EA3F BA03000000 mov edx, 00000003
:0046EA44 E8B74FF9FF call 00403A00
:0046EA49 C3 ret

Now we need to find which of these 3 calls is the one that generates the correct serial. We have 2 options: either copy the algorithm right now and test the 3 variants until we find the one that gives us the correct serial, or look in the code for clues that will point us to the right call.

If we look more closely at the last call, we see that at the end we have:

:0046EC6C 8B45F4 mov eax, dword ptr [ebp-0C] << The correct serial (the generated one)
:0046EC6F 8B55F8 mov edx, dword ptr [ebp-08] << The wrong serial (the one we entered)
:0046EC72 E8F550F9FF call 00403D6C << cmp eax, edx
:0046EC77 7504 jne 0046EC7D << If eax != edx we bail out
:0046EC79 B301 mov bl, 01 << Otherwise set bl to 1
:0046EC7B EB02 jmp 0046EC7F << and bail out
:0046EC7D 33DB xor ebx, ebx << bl = 0 if serial wrong
:0046EC7F 33C0 xor eax, eax << bl = 01 if serial correct
:0046EC81 5A pop edx << Restores the registers
:0046EC82 59 pop ecx
:0046EC83 59 pop ecx
:0046EC84 648910 mov dword ptr fs:[eax], edx
:0046EC87 68A1EC4600 push 0046ECA1
:0046EC8C 8D45F4 lea eax, dword ptr [ebp-0C]
:0046EC8F BA03000000 mov edx, 00000003
:0046EC94 E8674DF9FF call 00403A00 << sets eax to 0 if serial wrong
:0046EC99 C3 ret << Return

So we're now almost sure the last routine is the one that generates the correct code. All that's left is to copy the algorithm found in the last call:

Key proc uses esi edi ebx, Nom:dword, Taille:dword
        xor     ebx, ebx                ; running value
        mov     esi, Taille             ; number of characters left
        test    esi, esi                ; empty name: nothing to hash (the original
        jle     Done                    ; routine has this check at 46EBCE)
        mov     edi, 1                  ; 1-based character position
        xor     edx, edx
        xor     ecx, ecx
NextCar:
        mov     eax, Nom
        movzx   eax, byte ptr [eax+edi-1] ; current character
        imul    edi                     ; eax = char * position
        add     ebx, eax
        imul    eax, ebx, 01CACADDh
        cdq
        xor     eax, edx                ; abs(eax)
        sub     eax, edx
        mov     ebx, eax
        cmp     ebx, 77359400h
        jl      Elite1
        sub     ebx, 77359400h
Elite1:
        cmp     ebx, 3B9ACA00h
        jl      Elite2
        sub     ebx, 3B9ACA00h          ; the 'sub' was missing here in the original listing
Elite2:
        xor     ebx, 221D1758h
        cmp     ebx, 77359400h
        jl      Elite3
        sub     ebx, 77359400h
Elite3:
        cmp     ebx, 3B9ACA00h
        jl      Elite4
        sub     ebx, 3B9ACA00h
Elite4:
        mov     ecx, ebx
        mov     edx, ebx
        inc     edi
        dec     esi
        jne     NextCar
Done:
        mov     eax, ebx                ; final value; the program converts it to a string
        ret                             ; (call 00407F38) and, if shorter than 9 characters,
Key endp                                ; pads it with the string at 0046ECB4 (46EC3C-46EC6A)

Kahel - kahel@milliardaires.com