
MMC Keygen


Building a Keygen

When looking at third-party mods, you often find authentication systems designed less for security and more for gating access. In this case, I examined a setup that used layered obfuscation, ads (Linkvertise), and a remote server to control distribution of authentication keys. Here’s what the system looked like:


The Flow

Request Auth Token

The client first requests a token from the server. Tokens themselves are easy to generate and not rate-limited in any meaningful way.

Exchange Token for a Key

With the token, the client then requests a key. Here’s where the restrictions appear:

  • Keys are bound to a user’s IP address.
  • Maximum 5 keys per IP per ~55 minutes.
  • After 5 keys, the server will still hand out tokens, but key requests fail.

Rate Limit Enforcement

When the quota is exceeded, the server responds with HTTP 413 (odd choice, since 413 normally means “Payload Too Large”). In practice, this error essentially means: “You’ve hit your IP’s limit.”

Loophole in Design

Here’s the kicker: instead of hard-blocking clients, the server exposes an endpoint that returns all currently valid keys associated with that IP. So once you’ve hit your limit, you don’t actually need new keys: you can just fetch the existing pool and reuse it.


Observations

  • The obfuscation in the client was meant to prevent discovery of these endpoints. Once stripped away, the actual flow was trivial. Additionally, none of the auth logic existed within the game mod itself.
  • The use of Linkvertise + server gating is more about monetization than actual security.
  • Overloading HTTP 413 for rate limiting is unconventional and confusing. A more appropriate choice would have been 429 Too Many Requests.

Takeaways

This setup highlights an important principle: security through obscurity fails quickly once motivated users inspect the system.

Proper rate limiting, key rotation, and meaningful token validation would have been stronger deterrents.
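
As an added illustration (not the mod server's code, which this post does not show), here is a minimal server-side sketch of those deterrents: tokens are HMAC-signed, bound to the requesting IP, expire, and are single-use, and the per-IP quota answers with 429 plus Retry-After instead of 413. The class and constant names are hypothetical, TOKEN_TTL is an assumed value, and the quota numbers are the ones observed above. There is deliberately no endpoint that lists previously issued keys.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # server-side signing key; rotate it periodically
TOKEN_TTL = 300                   # assumed token lifetime in seconds
WINDOW = 55 * 60                  # quota window from the post (~55 minutes)
MAX_KEYS = 5                      # quota from the post (5 keys per IP)


def _sign(ip, ts, nonce):
    msg = f"{ip}|{ts}|{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class KeyIssuer:
    """Hypothetical issuer: tokens must be valid before any key is handed out."""

    def __init__(self):
        self.used_nonces = set()  # tokens already redeemed (single use)
        self.issued = {}          # ip -> timestamps of keys issued in the window

    def issue_token(self, ip, now=None):
        now = int(time.time() if now is None else now)
        nonce = secrets.token_hex(8)
        return f"{now}|{nonce}|{_sign(ip, now, nonce)}"

    def redeem(self, ip, token, now=None):
        """Return (http_status, headers, key_or_None) for a key request."""
        now = int(time.time() if now is None else now)
        try:
            ts, nonce, mac = token.split("|")
            issued_at = int(ts)
        except ValueError:
            return 400, {}, None  # malformed token
        if not hmac.compare_digest(mac.encode(), _sign(ip, ts, nonce).encode()):
            return 401, {}, None  # forged, or minted for a different IP
        if now - issued_at > TOKEN_TTL or nonce in self.used_nonces:
            return 401, {}, None  # expired or replayed
        recent = [t for t in self.issued.get(ip, []) if now - t < WINDOW]
        self.issued[ip] = recent
        if len(recent) >= MAX_KEYS:
            retry_after = WINDOW - (now - recent[0])
            return 429, {"Retry-After": str(retry_after)}, None
        self.used_nonces.add(nonce)
        recent.append(now)
        return 200, {}, secrets.token_urlsafe(24)
```
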

Even though this was just a niche modding environment, the same lessons apply to production-grade systems. If your business relies on access control, invest in more than obfuscation + ads. Design for resilience.

You can try out the keygen here for use with MMC in Among Us.



about the author

Pablo Gracia is a high school student from California. He is passionate about technology and music. He is the creator of this blog and the author of all the posts. He is also the creator of the Supernova Experience.
