KeyGenMe 1 by Taliesin

Win32 - Tested on XP and Win98.
Assembler - MASM32.

To complete:

1. Bypass debugger checks.
2. Write a keygenerator.
3. Submit keygen and tutorial.

Completion should be relatively easy. There are only a few debugger checks, and the serial algorithm is not too complex.

Greetings go out to:


Difficulty: 2 - Needs a little brain (or luck)
Platform: Windows 2000/XP only
Language: Assembler

Published: 14. May, 2006
Downloads: 774


Solution by indomit, published 17. May 2006; download (11 kb).

indomit has not rated this crackme yet.

Solution by l0calh0st, published 17. May 2006; download (12 kb).

l0calh0st has rated this crackme as awesome.

Discussion and comments

15. May 2006
Nice work Tal :)
Debugger checks were different from what I have seen till now :)
15. May 2006
Good Job, Taliesin

I have fished a serial for my name, but I can't understand when the crackme uses my name :(

Debugger checks, not working for me :D
15. May 2006
yes, very nice work! I don't understand the debug tricks, however, not working for me!! =)
15. May 2006
I say the debugger checks are wonderful! :) Very nice!
The idea to check BP is good :)
15. May 2006
Maybe it's a bug?
When you check the first letter you do this:

00401423 . 80EE 41 SUB DH,41 <<-- not need!!!
00401426 . 8AF2 MOV DH,DL <<<<

and when you check the 3rd and other letters you do:

0040145F . 80EE 41 SUB DH,41
00401462 . 8AD6 MOV DL,DH <<<<

It isn't important for the solution, but... ;)
15. May 2006
"not need!!!" = has no effect...

sorry for spam and my poor english %)
15. May 2006
indomit ... are you sure what you said is right?
15. May 2006
I'm not sure that it's a bug, but I am sure that the first SUB operation has no effect :)

PS... I made a mistake... it is about the 3rd and 4..9 symbols =)
15. May 2006
indomit, the minus 41 is used for the table... the table is only 24 characters.
Originally, when I wrote it, I had self-modifying code in it - Olly, instead of skipping breaks, just told me I had overwritten its Int3 instruction. That gave me the idea.
The first call after GetDlgItemTextA does do something; it checks part of the serial format, among other things.
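The trick the author alludes to above (a debugger plants an Int3, opcode 0xCC, over the first byte of a breakpointed instruction, so code that inspects its own bytes can notice the patch) as an added example in C. This is not the crackme's code and the real check is not on the page; the code region is a constructed byte array built from the opcode bytes quoted in this thread, and the checksum function is a hypothetical choice.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample "code region": the bytes quoted in the discussion,
 * SUB DH,41h (80 EE 41), MOV DH,DL (8A F2), followed by a RET (C3).
 * It stands in for a function's machine code; it is not the crackme's image. */
static const uint8_t kCleanCode[] = { 0x80, 0xEE, 0x41, 0x8A, 0xF2, 0xC3 };

/* Hypothetical integrity checksum over a code region: rotate-xor so that
 * byte order matters (a plain sum would miss swapped bytes). The protected
 * program would compare against a value computed at build time. */
uint32_t code_checksum(const uint8_t *code, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) {
        sum = (sum << 5) | (sum >> 27);   /* rotate left by 5 */
        sum ^= code[i];
    }
    return sum;
}

/* Scan for a software breakpoint: returns the offset of the first 0xCC
 * byte, or -1 if none is present. Note the caveat below: 0xCC can also be
 * a legitimate immediate or displacement byte, so this alone is heuristic. */
long find_int3(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0xCC)
            return (long)i;
    return -1;
}

/* 1 if the region no longer matches the expected checksum, else 0. */
int code_was_patched(const uint8_t *code, size_t len, uint32_t expected)
{
    return code_checksum(code, len) != expected;
}

/* Emulates what a debugger does when setting a software breakpoint at
 * offset 'off': saves the original byte and writes 0xCC over it. */
uint8_t plant_int3(uint8_t *code, size_t off)
{
    uint8_t saved = code[off];
    code[off] = 0xCC;
    return saved;
}

int main(void)
{
    uint8_t region[sizeof kCleanCode];
    memcpy(region, kCleanCode, sizeof region);

    /* The "build time" reference value, taken from the unpatched bytes. */
    uint32_t expected = code_checksum(kCleanCode, sizeof kCleanCode);

    printf("clean:   int3 at %ld, patched=%d\n",
           find_int3(region, sizeof region),
           code_was_patched(region, sizeof region, expected));

    /* Debugger sets a breakpoint on the SUB DH,41h instruction. */
    uint8_t saved = plant_int3(region, 0);
    printf("bp set:  int3 at %ld, patched=%d (saved byte %02X)\n",
           find_int3(region, sizeof region),
           code_was_patched(region, sizeof region, expected), saved);
    return 0;
}
```

The checksum comparison is the more robust of the two checks: it also catches a 0xCC that is a real operand byte in clean code (the 0xCC scan would flag that as a false positive) and any other patch to the region. Neither check sees hardware breakpoints, which live in DR0-DR3 and leave the code bytes untouched, which is why crackme authors combine this with other checks.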
15. May 2006
Arrrgh %) I want to say that MOV DH,DL and MOV DL,DH are not the same!
In the first case you use minus 41, but in the next operation you overwrite the result stored in DH with DL. )
In the second case everything is fine...

Anyway, I wrote the tut and uploaded it already :)
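The register dataflow the two posters are arguing about, as an added example in C that emulates the two instruction pairs on the DH/DL halves of DX (this is not the crackme's code; the starting register contents and the 24-entry table are constructed placeholders, since neither is on the page). It also shows the bounds check that the "minus 41" index into a 24-character table needs.

```c
#include <stdint.h>
#include <stdio.h>

/* The two byte halves of DX. */
typedef struct { uint8_t dl, dh; } regs_t;

/* First-letter sequence as quoted at 00401423/00401426:
 *     SUB DH,41h
 *     MOV DH,DL
 * The MOV overwrites DH, so the subtraction is a dead store. */
regs_t seq_first_letter(regs_t r)
{
    r.dh -= 0x41;
    r.dh = r.dl;
    return r;
}

/* Later-letter sequence as quoted at 0040145F/00401462:
 *     SUB DH,41h
 *     MOV DL,DH
 * Here DL receives the adjusted value, so the SUB matters. */
regs_t seq_later_letters(regs_t r)
{
    r.dh -= 0x41;
    r.dl = r.dh;
    return r;
}

/* Constructed 24-entry table; the real table's contents are not on the page. */
static const char kTable[24] = "ABCDEFGHIJKLMNOPQRSTUVWX";

/* letter - 41h indexes the table, which is valid only for 'A'..'X'.
 * Returns the index, or -1 for anything outside the table. */
int table_index(uint8_t letter)
{
    int idx = (int)letter - 0x41;
    return (idx >= 0 && idx < 24) ? idx : -1;
}

/* Table lookup with the bounds check applied; returns 0 on an invalid letter. */
char table_lookup(uint8_t letter)
{
    int idx = table_index(letter);
    return idx < 0 ? 0 : kTable[idx];
}

int main(void)
{
    regs_t start = { .dl = 'K', .dh = 'K' };   /* constructed starting state */
    regs_t a = seq_first_letter(start);
    regs_t b = seq_later_letters(start);
    printf("first letter : DH=%02X DL=%02X (SUB lost)\n", a.dh, a.dl);
    printf("later letters: DH=%02X DL=%02X (index %d)\n", b.dh, b.dl, b.dl);
    printf("table['K'] = %c, table['Z'] valid = %d\n",
           table_lookup('K'), table_index('Z') >= 0);
    return 0;
}
```

The point for the keygenner is that only the second sequence feeds the table index, so a keygen must reproduce the letter minus 0x41 for the later characters and, since the table holds 24 entries, treat letters past 'X' as out of range rather than reading past the table.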
17. May 2006
Good job indomit & l0calh0st, nice tutorials. And thanks to everyone that tried this one. I see I'll have to increase the challenge so my next one isn't solved in 3 days. ;)

