
AK87's KeygenMe #1
Download: keygenme_end.zip, 4 kb (password: crackmes.de)
Difficulty: 3 - Getting harder
Rating: waiting for at least 3 votes
Author: AK87
Solutions
There are no solutions to this crackme yet.
Discussion and comments
hound 25. Jun 2007

004010D9 |> /8B4D FC     /MOV ECX,[LOCAL.1]
004010DC |. |83C1 01     |ADD ECX,1
004010DF |. |894D FC     |MOV [LOCAL.1],ECX
004010E2 |> |8B55 FC     |MOV EDX,[LOCAL.1]
004010E5 |. |3B55 0C     |CMP EDX,[ARG.2]
004010E8 |. |7D 4F       |JGE SHORT keygenme.00401139
004010EA |. |837D FC 1E  |CMP [LOCAL.1],1E
004010EE |. |7D 35       |JGE SHORT keygenme.00401125
004010F0 |. |8B45 08     |MOV EAX,[ARG.1]
004010F3 |. |0345 FC     |ADD EAX,[LOCAL.1]
004010F6 |. |0FBE08      |MOVSX ECX,BYTE PTR DS:[EAX]
004010F9 |. |8B55 08     |MOV EDX,[ARG.1]
004010FC |. |0355 FC     |ADD EDX,[LOCAL.1]
004010FF |. |0FBE42 03   |MOVSX EAX,BYTE PTR DS:[EDX+3]
00401103 |. |03C8        |ADD ECX,EAX                    ; adds +0 and +3
00401105 |. |8B55 08     |MOV EDX,[ARG.1]
00401108 |. |0355 FC     |ADD EDX,[LOCAL.1]
0040110B |. |0FBE42 01   |MOVSX EAX,BYTE PTR DS:[EDX+1]
0040110F |. |8B55 08     |MOV EDX,[ARG.1]
00401112 |. |0355 FC     |ADD EDX,[LOCAL.1]
00401115 |. |0FBE52 02   |MOVSX EDX,BYTE PTR DS:[EDX+2]
00401119 |. |2BC2        |SUB EAX,EDX                    ; sub +2 from +1
0040111B |. |3BC8        |CMP ECX,EAX
0040111D |. |74 04       |JE SHORT keygenme.00401123
0040111F |. |32C0        |XOR AL,AL
00401121 |. |EB 18       |JMP SHORT keygenme.0040113B
00401123 |> |EB 12       |JMP SHORT keygenme.00401137
00401125 |> |8B45 08     |MOV EAX,[ARG.1]
00401128 |. |0345 FC     |ADD EAX,[LOCAL.1]
0040112B |. |0FBE08      |MOVSX ECX,BYTE PTR DS:[EAX]
0040112E |. |83F9 6F     |CMP ECX,6F                     ; 'o'
00401131 |. |74 04       |JE SHORT keygenme.00401137
00401133 |. |32C0        |XOR AL,AL
00401135 |. |EB 04       |JMP SHORT keygenme.0040113B
00401137 |>^\EB A0       \JMP SHORT keygenme.004010D9

Uh, I think there must be a mistake in this, as there is no way for a difference of characters to equal their sum with ASCII characters.... As the last two characters are 'o', you should be able to work backwards if you randomly generate a character before the 'o's, e.g. Xkoo. You can then work out X using the sums and differences, but the sums end up about $F0, and this is a MASSIVE difference between any ASCII characters. Please correct me if I'm wrong though.
Cheers
-hound
TiGa 25. Jun 2007

There is an anti-debug trick that trips even outside a debugger and sends a "divide by 0" error.
If the last 2 chars are 'o', the 3rd to last should be 00.
X = 3rd to last char
Y = 00 string-ender
X+Y = 'o'-'o'
X = 'o'-'o'-Y
X = 00
Using hound's example of Xkoo, k would have to be 00. Unless I missed something, it doesn't look like it can be solved.
hound 25. Jun 2007

Yeah, I know all the anti-debug etc., but it can't be solved because of the sum-difference thing etc... The sums are the other way around, TiGa. The 1st char in the set of four is added to the 4th char, and this must equal the difference between the 2nd and 3rd (2nd - 3rd).
TiGa 25. Jun 2007

I don't think you're understanding my example. The sums are the other way around? Let's say the serial finishes with koo.
Verification is:
char[i] + char[i+3] = char[i+1] - char[i+2]
To find char[i]:
char[i] = char[i+1] - char[i+2] - char[i+3]
Let's find what k has to be:
char[i] = 'o' - 'o' - 00
What I was trying to say is: the last time the sum-difference is checked, the 4th char is the string-ender 00. At least we're both agreeing that it cannot be solved.
Crosys 25. Jun 2007

Well, I guess it can be solved, using chars over the standard ASCII. After some calcs I found that the 4 chars "áÑãÃ" can be used in the serial. They will correspond in the calcs:
á 0xFFFFFFE1
Ñ 0xFFFFFFD1
ã 0xFFFFFFE3
à 0xFFFFFFC3
So for example, "ã9áu7913451345791345134579134511" will bypass the first round. Writing an algorithm to solve char by char through the serial should be possible; I'm gonna look at it more tonight, just took a quick look now.
TiGa 25. Jun 2007

The problem I found is in the last round when ecx = 29.
char[ecx+3] = 00 string ender
When ecx = 30 or ecx = 31, char must be 'o'.
hound 25. Jun 2007

Yeah TiGa, sorry about that. You did the same thing as myself. I didn't even think about the null character being used, however :S.
hound 25. Jun 2007

Crosys, only alphanumeric characters can be used, and there is also a restriction from the 16-letter word as well...
AK87 (Author) 26. Jun 2007

First of all, nice analyses, I am impressed. Secondly, there seemed to be a problem with the algorithm, sorry about that. Here is the source, hope it will help somehow..
http://www.kucuk87.demon.nl/c/algorithm.cpp
http://www.kucuk87.demon.nl/c/dialog.cpp
http://www.kucuk87.demon.nl/c/main.cpp
Problem is here (thanks to TiGa for pointing it out):

    for(i = 0; i < len; i++)
    {
        if(i < 30)
        {
            if((str[i] + str[i+3]) != (str[i+1] - str[i+2]))
                return 0;
        }
        else
        {
            if(str[i] != 'o')
                return 0;
        }
    }

Since the serial should be 32 characters long, when i = 29, i+3 (which should be a 0x00 byte) checks for a different character. Other than that, it has too few serial combinations.
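As an added example (not the crackme's code and not code from any poster), the posted check transcribed into C, together with the round-29 constraint TiGa isolated and the sign-extension behind Crosys's high-bit bytes; the byte values assumed for "ã9áu" are cp1252.

```c
#include <string.h>

/* One round of the check the author posted, transcribed here (this is not
 * the crackme's own code). `signed char` mirrors the MOVSX loads in the
 * disassembly: bytes >= 0x80 are sign-extended to negative values. */
static int round_ok(const signed char *str, int i)
{
    if (i < 30)
        return (str[i] + str[i + 3]) == (str[i + 1] - str[i + 2]);
    return str[i] == 'o';
}

/* Whole-serial check over a NUL-terminated string, as in the posted loop.
 * For i == 29 the round reads str[32], which is the terminator. */
static int check_serial(const signed char *str)
{
    int len = (int)strlen((const char *)str), i;
    for (i = 0; i < len; i++)
        if (!round_ok(str, i))
            return 0;
    return 1;
}

/* Round 29 in isolation: str[29] + str[32] == str[30] - str[31], with
 * str[30] == str[31] == 'o' and str[32] == 0. Returns the first byte value
 * in -128..127 that passes; the only one is 0, the NUL byte, which is
 * neither alphanumeric nor typeable. */
static int required_char29(void)
{
    signed char tail[4] = { 0, 'o', 'o', 0 };   /* positions 29..32 */
    int c;
    for (c = -128; c <= 127; c++) {
        tail[0] = (signed char)c;
        if (round_ok(tail, 0))
            return c;
    }
    return -1;   /* not reached */
}

/* Constructed from Crosys's comment, assuming cp1252: "ã9áu" = E3 39 E1 75.
 * Round 0 passes only because E3 and E1 are negative after sign-extension:
 * -29 + 117 == 57 - (-31) == 88. */
static const signed char crosys_first4[4] = {
    (signed char)0xE3, '9', (signed char)0xE1, 'u'
};
```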