
__imp__'s KeygenMe #3
Download __imp__keygenme3.zip, 5 kb (password: crackmes.de)
Hi!
Difficulty: 8 - *VERY VERY* hard
Solutions
Solution by Trundle, published 17 Dec 2007; download (541 kb), password: crackmes.de.
Trundle has not rated this crackme yet.
Discussion and comments
MR.HAANDI, 18 Oct 2007: Nice work! A very good combination of a little anti-debug, a little anti-trace and a clever VM.
__imp__ (Author), 19 Oct 2007: @MR.HAANDI: Thanks! I'm looking forward to your solution...
jB_, 19 Oct 2007: Good crackme, as MR.HAANDI said. Great work, __imp__.
lilcw, 19 Oct 2007: Pretty nice one, you managed to freeze my IDA, hehehe.
__imp__ (Author), 22 Oct 2007: I'm glad to hear that my efforts haven't been futile :) Does anybody have a solution by now?
killbug2004, 24 Oct 2007: http://bbs.pediy.com/showthread.php?t=53779 There is an article. Is it a solution?
__imp__ (Author), 24 Oct 2007: I don't know Japanese, sorry... Nevertheless, from what I've seen, this solution is incorrect. The goal ISN'T to display a 'good boy' message, but to make a key generator (or a self key generator, which is preferred). As for the hidden message, you have to find the message itself (not the words "the hidden message is:"). I haven't seen this in the solution. Maybe I got something wrong?
hawking_china, 25 Oct 2007: Pediy is a Chinese forum, not Japanese!!!
__imp__ (Author), 25 Oct 2007: I'm sorry. Anyway, I don't know Chinese either.
ulaterck, 27 Oct 2007: Hello, I am now trying to look at the generator routine, which is a little difficult because I never used MMX registers ;P In any event, the code is obfuscated, but we can eliminate the NOPs and jumps; good emulation of IsDebuggerPresent and NtSetInformationThread :) We can pass with this generic solution: create the file custom.ev and write v EV. # (45 56 12 23), write any type of serial xxxx-xxxx-xxxx-xxxx and press check. But now I'm looking at the routine for the name, and the MMX registers are the case; I just need a little more time to do the tutorial. Greetings and good crackme ;P
__imp__ (Author), 19 Nov 2007: It's been more than a month since I submitted it. That's why I give some remarks in order to help you solve it (for those who want to do it).
1. Yes, this is a virtual machine with mostly non-elementary opcodes (in fact, routines).
2. The keygenme has ALL the necessary opcodes for self keygenning. You just need to solve a simple math problem and to modify the checking VM routine accordingly.
3. Placing a 12h opcode IS NOT A SOLUTION. Only a keygen is acceptable.
4. And a final hint: the name processing doesn't matter for the solution, so don't waste your time on it.
I hope that it will be solved soon :)
__imp__ (Author), 19 Nov 2007: As for the hidden message, you just need to demand from the prog to show it, and very earnestly :)
jE!, 25 Nov 2007: Hello! I think there is not enough logic here. You do NOT want patching, yes? Then if we allow the file CUSTOM.EV, it will (self-)PATCH! If the 'vm' is allowed to self-patch, what should then be keygenned??? So these questions need answers:
1. Must the keygen work WITHOUT the file CUSTOM.EV?
2. It seems we must send WM_CHAR 32 times for the "hidden msg", and then 32 other bytes XOR this!? Why must we kill ourselves by brute-forcing the "hidden msg"?? You will wait many months... Or is brute-forcing not needed? Is some guessing needed?
3. About BUGS: many times I cried when crackmes do NOT PRESERVE registers in WIN_MAIN or DLG_FUNC... ehhhh...
__imp__ (Author), 26 Nov 2007: Hello!
1. When I said 'patching is prohibited' I meant that modification of the EXECUTABLE is inappropriate. IMO, if you add an external file that is supported by the crackme, it is not patching. So, you may either add a PROPER file 'custom.ev' or write your own keygen.
2. The second task is optional. If you want, you can find this message without total bruteforce (see the hint in my previous post). The first word of the sequence that makes the msg appear is there ;) And the other words can be guessed.
3. "about BUGS. many times i cryed, when crackmes NOT PRESERVES registers in WIN_MAIN or DLG_FUNC..." Does it cause any problems? I've not encountered any... I know, maybe it's not good style... but why add extra lines if they are not necessary in this case?
Regards, __imp__
jE!, 28 Nov 2007: I did the KEYGEN, will think about the HIDDEN msg... Now about that HIDDEN msg... The BUG is BAD, for example on W9x... It is nothing hard, just add USES EBX,ESI,EDI to 'wnd_proc' in future.
jE!, 28 Nov 2007: BTW, writing 'custom.ev' is NOT required by your statement.
jE!, 29 Nov 2007: But! 'custom.ev' DONE! Wow!! Now, I have little English, so I can't guess even a well-known phrase... What to do with your hidden msg?? Any msg injection with CRC spoofing??
__imp__ (Author), 29 Nov 2007: @jE!:
1. "BUG is BAD, for example W9x.." Well, see above: _Platform: Windows 2000/XP only_. It'll not work under Win9x at all! So, *IN THIS CASE* it was not necessary.
2. Yes, the 'custom.ev' file is not required.
3. You may abandon the hidden msg and submit a solution. If you really want to do it, just find the 1st word and try to restore the others char by char (some guessing is needed here). A hint: all the letters are lowercase, but there are some non-alpha chars in both sequences. "any msg injection with CRC spooff??" If you want to replace the msg by your own, that won't do.
jE!, 02 Dec 2007: I'm waiting; when you reveal the hidden msg, then I will write the tut... :) 422 bytes is custo.. :)
__imp__ (Author), 03 Dec 2007: TOO MANY bytes. I have only 20 :)
jE!, 03 Dec 2007: Bigger is better!
__imp__ (Author), 11 Dec 2007: Well done, Trundle! Nevertheless, there is a more elegant solution (I mean a self keygen), and I really want to see that 20-byte file custom.ev :) So, now that the cm has been solved I give some additional info: Let P(X) be a permutation of an n-element set X. P^[-1](X) is the inverse permutation, and P^k(X) == P(P(...P(X)...)) (k times). Then for any integer k there exists an integer m >= 0 such that (P^k)^[-1] == P^m. The proof of this statement is trivial, and this should be enough to make a self keygen. Good luck!
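The permutation fact in __imp__'s comment above, worked through as an added example (my own code, not part of this page or of the keygenme). Since P has finite order N (the lcm of its cycle lengths), P^N is the identity, so (P^k)^[-1] == P^m with m = (-k) mod N; a check routine that only knows how to apply P forward can therefore be turned into a keygen by running P forward m times. The 8-position permutation, the exponent k and the target bytes are constructed for illustration; `check` is a hypothetical stand-in for a permutation-based check, not the keygenme's VM opcode.

```python
from functools import reduce
from math import gcd

# Constructed example permutation of 8 positions (not from the keygenme).
# Cycles: (0 2 1)(3 5 4)(6 7) -> order lcm(3, 3, 2) = 6.
P_EXAMPLE = (2, 0, 1, 5, 3, 4, 7, 6)
K_EXAMPLE = 4          # constructed: the check applies P this many times
TARGET = b"KEYGENME"   # constructed: the value the check compares against


def identity(n):
    return tuple(range(n))


def compose(p, q):
    """Permutation r with r[i] = p[q[i]]; powers of one permutation commute, so order is irrelevant here."""
    return tuple(p[i] for i in q)


def inverse(p):
    """Explicit inverse: inv[p[i]] = i."""
    inv = [0] * len(p)
    for i, pi in enumerate(p):
        inv[pi] = i
    return tuple(inv)


def power(p, k):
    """p^k for any integer k by square-and-multiply; negative k goes through inverse()."""
    if k < 0:
        p, k = inverse(p), -k
    result, base = identity(len(p)), p
    while k:
        if k & 1:
            result = compose(base, result)
        base = compose(base, base)
        k >>= 1
    return result


def cycle_lengths(p):
    seen, lengths = set(), []
    for start in range(len(p)):
        if start in seen:
            continue
        i, length = start, 0
        while i not in seen:
            seen.add(i)
            i = p[i]
            length += 1
        lengths.append(length)
    return lengths


def order(p):
    """Smallest N > 0 with p^N == identity: lcm of the cycle lengths."""
    return reduce(lambda a, b: a * b // gcd(a, b), cycle_lengths(p), 1)


def forward_exponent_of_inverse(p, k):
    """Smallest m >= 0 with (p^k)^-1 == p^m, i.e. m = (-k) mod order(p)."""
    return (-k) % order(p)


def apply(p, data):
    """Permute a byte string: out[i] = data[p[i]]."""
    return bytes(data[i] for i in p)


def check(serial, p=P_EXAMPLE, k=K_EXAMPLE, target=TARGET):
    """Hypothetical check routine: accept iff p^k applied to the serial gives the target."""
    return apply(power(p, k), serial) == target


def keygen(p=P_EXAMPLE, k=K_EXAMPLE, target=TARGET):
    """Self-keygen idea: invert p^k using only forward applications of p."""
    m = forward_exponent_of_inverse(p, k)
    return m, apply(power(p, m), target)


if __name__ == "__main__":
    m, serial = keygen()
    print(f"order={order(P_EXAMPLE)} m={m} serial={serial!r} accepted={check(serial)}")
```

For the constructed values the order is 6, so m = (-4) mod 6 = 2 and two forward applications of P undo four; the same arithmetic holds for any k, including negative ones, which is what makes patching the exponent in a forward-only check routine sufficient.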
jE!, 11 Dec 2007: Blah, didn't I say I did a self keygen? But you did not reveal that "GREATEST" hidden msg... Eh, maybe I'll write a solution... maybe you'll lose me...
Trundle, 11 Dec 2007: @jE!: I did reveal the hidden message in my solution. @__imp__: I thought a real keygen was the most elegant solution. Nevertheless, as you expected a self keygen using a custom 'custom.ev', I will submit an updated solution...
jE!, 11 Dec 2007: I read your solution of course. All good except the terrible C++ :)
__imp__ (Author), 11 Dec 2007: @Trundle: IMO, the most elegant solution is the shortest in time and space :) @jE!: I really don't understand what the _"GREATEST"_ hidden msg is...
jE!, 14 Dec 2007: I took time from writing the tut and did a check of the 20-byte "custom.ev"; the 20-byte "custom.ev" produces a correct key for the char "a", while my big one produces them for all names. Are you sure? Did you check your 20-byte "custom.ev" for many cases of name?
__imp__ (Author), 14 Dec 2007: @jE!: Of course I did. It's not a matter of the number of bytes, but of a correct inverse function in terms of the internal opcodes. I think I have the shortest one, and it definitely works for at least 5 different names. I can't see any reason why it might not work for other names :) BTW, 20 bytes is not a requirement. You may submit a solution with 100s of bytes. If it works then it's OK.