How to rip music out of keygen?
You've just downloaded keygen, launched it and hear nice music. You wanna have that music ripped and listen to it in WinAmp, XMPlay or other player. But you don't know how to rip it. If you wanna know read more!
Well at first you need some tools. This are must-have tools:
PE Tools - to dump exe file PE tools page
PE Explorer (or any other resource editor/viewer) - extracts recources from unpacked/dumped exe.
WinHEX / Hex Workshop (or any other hex-editor) Web/downloadsite winhex
ModPlug Tracker - can fix some corrupted tracker modules modplug player and tracker site
Fast Module Extractor - tool to extract music from any file ( in the attachment )
WinRipper - same as FME but works better with IT modules ( in the attachment )
MilkyPlayLite - plays MXM modules and converts it to XM
XMLITE - can fix and reduce size of some XM modules ( in the attachment )
This is also recommended to have tools:
PEiD – analyzes exe structure, can be useful in some cases. PEiD Softpedia site
Quick Unpack – automatically unpacks most(not all) of packed exes. Quick Unpack ahteam site
ArtMoney - this is game training(money, health) tool but it also can save a full memory dump used by application
UNMO3 - converts MO3 to XM
To find those tools in the attachment here or google it.
I'll explain easiest way of ripping that applies to any keygen.
1. Try to open keygen with resource viewer (PE Explorer or any other). If it can see recourses find music and save it:
If resource viewer has problems opening that file it usually means that keygen's exe is packed. In that case easiest way is to launch keygen, now launch PE Tools, find keygen in the list, right-click on them and choose "Dump full..." and save dumped exe. This exe won't launch if you try to launch it, but it usually has all resources. Now open dumped exe with resource viewer. (You can try to use Quick Unpack instead of PE Tools if you wanna get working unpacked exe)
2. Usually music is in "RC Data", "MUSIC" or "XMMOD" resource type. As you can see on the picture above music recourse has some junky bytes at the beginning. XM module starts with words "Extended Module:". Now just right-click and save it and do not forget to rename it to proper extension (xm, mod, s3m). If module has some junky bytes(like on the picture) just delete it with your favorite hex-editor:
Delete, save it, try to play it. Enjoy!
3. But, sometimes you won't find any music in resources. In that case make a dumped exe with PE Tools (like explained above). Now copy dumped exe to same folder with Fast Module Extractor (FME). Launch FME, type dumped exe's name. FME will search for music, if it finds one, save it, listen to it, enjoy! :) If FME fails try to open that exe with WinRipper. If it also fails, probably music is in some specific format like MXM, MO3 or V2M. In that case open dumped exe in hex editor and search for "MXM" or "MO3" (MXM files begin with "MXM", MO3 begin with "MO3", as you can see :)). If you find it, copy about 100-200 kbytes from the "MXM" or "MO3" (including "MXM"/"MO3"), save those copied bytes to a new file. Now try to play it (MO3 plays with XMPlay). This files will contain useless junk in the end of file, because you don't know their actual size and just copied 100-200 kbytes. If MXM file plays OK in MilkyPlay just resave them from MilkyPlay. Else if it fails to play or it's MO3 you have to delete those junky bytes at the end of file manually, just look on file in hex-editor and try to understand where is the real end of file, that's not easy, but i don't know other way.
Well if you didn't find MXM or MO3 try to find V2M - it usually (not always) starts with 80 00 00 bytes. You should also manually (visually) determine where is the end of music file.
4. If still no luck try ArtMoney to save full dump. To do it select keygen's process, press search, in new window search->save memory dump, Type->ALL. Press OK. Now do not close ArtMoney! and go to artmoney\temp dir. You'll see memtemp.a01 file. Try to search music in it
If even still no luck, music sometimes can be encrypted (just XOR'ed usually)