
als pom's crackme2
Download crackme_2.zip, 27 kb (password: crackmes.de)
This is a simple crackme written in Visual C++ 6.0.
Difficulty: 1 - Very easy, for newbies
Solutions
There are no solutions to this crackme yet.
The submission of solutions is closed.
Discussion and comments
Skandal87 25. Nov 2009 | My first one, liked it ;) Spent most time on the keygen, didn't code for a long time... decided to write it in Delphi, next time I'm gonna write it in Java, and then in C++, just to learn more ^^ Solution submitted. |
qHF; 27. Nov 2009 | Ummm... BLODYALBO that is not right. Yes, the key may work on your computer. But if you even glanced at the checking routine you would have found it gets the user name of the current person logged in. The key CANNOT be serial fished. You have to code a keygen. Perhaps it's not as "easy" as you thought? As far as the actual crackme goes, I think I am almost done. I have half of the key, I just need to figure out the rest. At first I thought it was pretty easy, but it's a bit harder than I thought. It's a nice routine, fun to figure out. Thanks for the nice crackme, als pom. |
Skandal87 28. Nov 2009 | Yeah qHF;, you are right.. damn, so my solution is wrong at the moment ;) But it seems to get the computer name, not the username. ..working on it ;) |
Skandal87 28. Nov 2009 | Hmm, no, I was wrong. It's the username. Nice number you have there as base, alspom, reminds me of the good old days :P |
lordram 29. Nov 2009 | I'm quite sure you can make it work as a KeyGen by modifying the 00401393 to "PUSH ECX". At least it seems to work... |
sffs 04. Dec 2009 | I want to keygen it, but it only worked on my computer. How to get the '%lu' number in "RS-%ld-%lu"? On my computer the '%lu' number is 1243984. The keygen is not fully correct.
=========================
procedure TForm1.Button1Click(Sender: TObject);
var
  User: PChar;
  x: Cardinal;
  Name, Username: string;
  i, m, n, sn1, sn: Integer;
begin
  x := 255;
  GetMem(User, 255);
  GetUserName(User, x);                     // Windows API: name of the logged-in account
  Username := User;
  FreeMem(User);                            // copied into a string, buffer no longer needed
  Name := name1.Text;
  m := Length(Username);
  n := Length(Name);
  if n < 5 then Exit;                       // names shorter than 5 chars are rejected
  sn1 := 0;
  for i := 1 to m do
    sn1 := sn1 + Ord(Username[i]) + $186A0; // $186A0 = 100000 added per character
  sn := sn1;
  for i := 1 to n do
    sn := sn + Ord(Name[i]) + $186A0;
  regnum.Text := 'RS-' + IntToStr(sn + $7A69) + '-1243984';  // second field hard-coded from my machine
end;
=========================
Who can write a real solution? Waiting for your solutions. |
qHF; 05. Dec 2009 | I am having the same problem as sffs.... I have written the keygen for %ld but I cannot find where %lu is generated... Can anyone throw some hints our way? |
_pusher_ 05. Dec 2009 | It's a bug when he formats the values, so the second value is randomized. This is what I think could be closest:
var
  i, RegCode, BufferSize: DWORD;
  Buff: array[0..100] of Char;
  StrName: string;
  pUser: PChar;
begin
  BufferSize := 0;
  GetUserName(nil, BufferSize);                       // first call returns the required buffer size
  pUser := StrAlloc(BufferSize);
  GetUserName(pUser, BufferSize);
  RegCode := 0;
  for i := 1 to Length(pUser) do
    Inc(RegCode, DWORD(Ord(pUser[i-1]) + $186A0));    // user name part: char + 100000 each
  StrDispose(pUser);
  StrName := Edit1.Text;
  if Length(StrName) < 5 then Exit;
  for i := 1 to Length(StrName) do
    Inc(RegCode, DWORD(Ord(StrName[i]) + $186A0));    // entered name part
  Inc(RegCode, $7A69);                                // + 31337
  wvsprintf(Buff, 'RS-%d-%u', @LongInt(RegCode));     // << bug here: two conversions, one argument
  Edit2.Text := Buff;
end;
Should maybe stop the submissions now :) |
als pom Author 11. Dec 2009 | I have made a solution with a keygen but it was refused, I don't know why. |
_pusher_ 12. Dec 2009 | als pom: do notice the "bug here" and learn from it. Your submission to your own crackme is not valid; the keygen generates the same error... and that's why it would never work. |
als pom Author 10. Jan 2010 | For the moderator pusher: the string wsprintf(buff, 'RS-%ld-%lu', @LongInt(RegCode)); |
pasharp 25. Sep 2010 | I traced the stack change, found that the "%lu" value is edi;
dlgFunc: // dlg callback proc
.text:00401150 push ebp
.text:00401151 mov ebp, esp
.text:00401153 sub esp, 14Ch
.text:00401159 push ebx
.text:0040115A push esi
.text:0040115B push edi //"%lu" = this edi
but that edi is assigned by Windows; |
jE! 28. Sep 2010 | then just grab that EDI-FROM-WINDOWS in your KGen |
KAiN.iDC 04. Oct 2010 | How is the serial generated? We can see that the serial is generated in 3 parts. The first and the third part of the serial are constants: Part 1 = "RS-", Part 3 = "-1243984".
How to calculate the second part? The second part of the serial is separated in two subparts for a total length of 7 characters. The first subpart is 4 characters long and the second subpart is 3 characters long.
Let's calculate the 1st subpart: we start from the constant integer 431 and we add 100 for each char.
Let's calculate the 2nd subpart: we start from the constant integer 656 and we add the ASCII value of each char to 656. But over 5 chars we have a problem: the second subpart will be over 3 chars long. So we take the last 3 digits and add the first digit to subpart 1.
Example for ABCDEF:
1st subpart = 431 + (Length(ABCDEF) * 100) = 431 + (6 * 100) = 1031.
2nd subpart = 656 + (Ord(A) + Ord(B) + Ord(C) + Ord(D) + Ord(E) + Ord(F)) = 656 + (65+66+67+68+69+70) = 656 + 405 = 1061.
The length of 1061 is over 3 chars, so we keep the right part "061" and add the left part ("1") to the first subpart. The serial's second part will be: 1031 + 1 = "1032" and "061". And the final second part of the serial will be "1032061".
The final serial will be "RS-" + "1032061" + "-1243984" = "RS-1032061-1243984". |
KAiN.iDC 04. Oct 2010 | I forgot the user name !!! Sigh... |
johnnycannuk 08. Nov 2010 | Stepping through it now... looks like it takes your logged in username and uses it to determine something. My guess it generates part 3 since on my box it is NOT 1243984 - the last 3 digits are different. |
johnnycannuk 09. Nov 2010 | Ok, it looks like it's generating a kind of hash... I think I have it figured out, just need to write a Python app to test the theory. Very clever. |
johnnycannuk 09. Nov 2010 | pasharp, It actually appears to be esi not edi on my box. edi is off by 3C (60) from the correct number. |
johnnycannuk 09. Nov 2010 | Hmm, not esi per se but at 0012F8D4 on the stack, which is the address esi contains. It's always there right after the dialog func... |
johnnycannuk 09. Nov 2010 | Ok, looks like als pom is gone - his account is suspended and locked. Anyone else have any luck determining the %lu - I know where to find it in my debugger, I can serial fish anything that is on my machine, but creating a keygen that works across machines? Not exactly easy. Anyone get this yet? |
HungrySNAKE 10. Nov 2010 | Guys, it's a crackme, right? IT MEANS YOU HAVE TO CRACK IT, NOT TO FIND THE SERIAL OF IT '-.- |
johnnycannuk 11. Nov 2010 | Oh dear, HungrySNAKE appears not to have been reading the comments (no, apparently tried to crack this himself). Have a look up at moderator _pusher_'s comment above. This crackme is broken such that it cannot be keygened. It appears to rely on the fact that wsprintfA is not a safe function... it is grabbing the %lu off the stack and its value seems to be not just unique to each platform, but unique to each program. It looks like he is calling wsprintfA with 2 format string placeholders and only supplying one value, meaning the second one is picking up the last value off the stack (on mine it is the value just above the return address: the EBP). Meaning you can't access it from OUTSIDE the application and thus cannot properly keygen it. Of course if I am wrong and you DO have a keygen for this, feel free to share it and prove me wrong. I'd be happy to learn from it. Otherwise, seriously, drop the snarky elite H4x0r crap... |
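The routine as _pusher_ reconstructed it and the formatting bug johnnycannuk describes, written out as an added example (not code from the crackme or from any poster in this thread). It assumes the function names reg_code and format_serial, takes the user name as a parameter instead of calling GetUserName so it runs on any platform, and uses the constructed inputs "alice" and "ABCDEF". Unlike the crackme, format_serial passes an argument for every conversion in the format string; with a literal format string, gcc/clang `-Wformat` and MSVC's analysis warnings flag the one-argument call the crackme makes, which is the check that would have caught this before release.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHAR_BIAS    0x186A0u   /* 100000, added once per character */
#define FINAL_BIAS   0x7A69u    /* 31337, added once at the end */
#define MIN_NAME_LEN 5          /* names shorter than this are rejected */

/* First serial field, as described in the thread: every byte of the logged-in
 * user name and of the entered name contributes its code plus 0x186A0, and
 * 0x7A69 is added at the end. Arithmetic wraps in 32 bits like the DWORD in
 * the Delphi version. Returns 0 when the entered name is too short. */
uint32_t reg_code(const char *user, const char *name)
{
    if (strlen(name) < MIN_NAME_LEN)
        return 0;
    uint32_t code = 0;
    for (const unsigned char *p = (const unsigned char *)user; *p; p++)
        code += *p + CHAR_BIAS;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        code += *p + CHAR_BIAS;
    return code + FINAL_BIAS;
}

/* The format string has two conversions, so two arguments are passed.
 * The crackme passes only the first; %lu then reads the next varargs slot,
 * i.e. whatever the compiler happened to leave on the caller's stack, which
 * is why the second field changes per machine and per build and cannot be
 * reproduced from outside the program. Returns the snprintf length. */
int format_serial(char *out, size_t out_len, uint32_t code, unsigned long second)
{
    return snprintf(out, out_len, "RS-%ld-%lu", (long)code, second);
}

int main(void)
{
    char serial[64];
    /* constructed inputs; a real keygen would read the account name */
    uint32_t code = reg_code("alice", "ABCDEF");
    format_serial(serial, sizeof serial, code, 0UL);
    printf("%s\n", serial);   /* prints RS-1132252-0 */
    return 0;
}
```

The second argument is deliberately a parameter: there is no correct value to compute for it, because in the crackme it is uninitialised stack data, not part of the algorithm.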
B@zz! 19. Jun 2013 |
#include <windows.h>
#include <stdio.h>
#include <string.h>

char* GenerateKey(char* Username)
{
    static char key[MAX_PATH];       /* static so the buffer outlives the call */
    char pcname[MAX_PATH];
    DWORD len = MAX_PATH;            /* GetUserName takes a pointer to the size */
    long first_part = 0;
    unsigned long second_part = 0;   /* unknown, left at 0 */
    GetUserName(pcname, &len);
    for (int i = 0; i < strlen(Username); i++)
        first_part += Username[i] + 10000;
    for (int i = 0; i < strlen(pcname); i++)
        first_part += pcname[i] + 1000;
    first_part += 31337;
    sprintf(key, "RS-%ld-%lu", first_part, second_part);
    return key;
}
Basic algo. How I get the second one I don't know, but it's static.. |
botanyaki 07. Apr 2014 | Hint: crack without prejudice. |
d4rK_r3v3rs3R 21. Dec 2014 | I did a working keygen but I guess, reading those comments, it will only work for me. But try it if you want (in the description is the file written in Python): http://youtu.be/a0AynC9ub6s |