__imp__'s KeygenMe #3

Download __imp__keygenme3.zip, 5 kb (password: crackmes.de)

Hi!

I'm glad to welcome you to my third crackme. I'm sure that it's much more difficult than the previous two. I put a great piece of protection into this, hence it may take a long while to understand what's going on. But be patient: the algorithm is not very difficult and the solution is easy once you catch the key points.

Your job will be:

1. Make a keygen.
2. Find a hidden message.
3. Write a tutorial.

Rules:

This time patching is prohibited, but selfkeygen is *strongly* encouraged ;). Note that keygen must work with the *original* crackme!

The second task is optional, but it will be really cool if you have done it.

Have fun!

Regards,

__imp__

P.S. All the crackme's important functionality has been tested, but if you find a bug please report it to me at crackmes.de.

P.P.S. Be careful when using SoftIce...

Difficulty: 8 - *VERY VERY* hard
Platform: Windows 2000/XP only
Language: Assembler

Published: 17. Oct, 2007
Downloads: 712

Rating

Votes: 4
Crackme is awesome.


Solutions

Solution by Trundle, published 17. Dec 2007; download (541 kb, password: crackmes.de).

Trundle has not rated this crackme yet.


Discussion and comments

MR.HAANDI
18. Oct 2007
Nice work! A very good combination of a little anti-debug, a little anti-trace and a clever VM.
__imp__
Author
19. Oct 2007
@MR.HAANDI: Thanks! I'm looking forward to your solution...
jB_
19. Oct 2007
Good crackme, as MR.HAANDI said. Great work, __imp__.
lilcw
19. Oct 2007
Pretty nice one.
You managed to freeze my IDA, hehehe.
__imp__
Author
22. Oct 2007
I'm glad to hear that my efforts haven't been futile :) Does anybody have a solution by now?
killbug2004
24. Oct 2007
http://bbs.pediy.com/showthread.php?t=53779
There is an article
Is it a solution
__imp__
Author
24. Oct 2007
I don't know Japanese, sorry... Nevertheless, from what I've seen, this solution is incorrect. The goal ISN'T to display a 'good boy' message, but to make a key generator (or self key generator, which is preferred). As for the hidden message, you have to find the message itself (not the words "the hidden message is:"). I haven't seen this in the solution.
Maybe I get something wrong?
hawking_china
25. Oct 2007
Pediy is a Chinese forum , not japanese!!!
__imp__
Author
25. Oct 2007
I'm sorry. Anyway, I don't know Chinese either.
ulaterck
27. Oct 2007
Hello, I am now trying to look at the generator routine, which is a little difficult because I never used MMX registers ;P
In any event, mint obfuscated the code, but we can eliminate the nops and jumps; good emulation of IsDebuggerPresent and NtSetInformationThread :) We can pass with this generic solution: create the file custom.ev and write 'EV. #' (45 56 12 23), then write any serial xxxx-xxxx-xxxx-xxxx and press check. But now I find the routine for the name quite [something], and the MMX registers are the case, but just to have a little more time to do the tutorial. Greetings and good crackme ;P
__imp__
Author
19. Nov 2007
It's been more than a month since I submitted it. That's why I give some remarks in order to help you solve it (for those who want to do it).
1. Yes, this is a virtual machine with mostly non-elementary opcodes (in fact, routines).
2. The keygenme has ALL the necessary opcodes for self keygenning. You just need to solve a simple math problem and to modify the checking vm routine accordingly.
3. Placing 12h opcode IS NOT A SOLUTION. Only keygen is acceptable.
4. And final hint: the name processing doesn't matter for the solution, so don't waste your time on it.
I hope that it will be solved soon :)
__imp__
Author
19. Nov 2007
As for the hidden message, you just need to demand from the prog to show it, and very earnestly :)
jE!
25. Nov 2007
Hello!

I think there is not enough logic here.

You do NOT want patching, yes?
Then if we allow the file CUSTOM.EV, it will (self, but) PATCH!

If the 'vm' is allowed to self-PATCH, what should then be KeyGenned???

So this question needs an answer:

1. Must the keygen work WITHOUT the file CUSTOM.EV?

2.
It seems we must send WM_CHAR 32 times for the "hidden msg",
and then 32 other bytes XOR this!?
Why must we kill ourselves by brute-forcing the "hidden msg"??
You will wait many months..
Or is brute-forcing not needed? Is some guessing needed?

3. About BUGS. Many times I cried when crackmes did NOT PRESERVE
registers in WIN_MAIN or DLG_FUNC... ehhhh..
__imp__
Author
26. Nov 2007
Hello!

1. When I said 'patching is prohibited' I meant that modification of EXECUTABLE is inappropriate. IMO, if you add an external file that is supported by the crackme, it will not be patching. So, you may either add a PROPER file 'custom.ev' or write your own keygen.

2. The second task is optional. If you want, you can find this message without total bruteforce (see a hint in my previous post). The first word of the sequence that makes the msg appear is there ;) And the other words can be guessed.

3. "About BUGS. Many times I cried when crackmes did NOT PRESERVE registers in WIN_MAIN or DLG_FUNC..."

Does it cause any problems? I've not encountered any... I know, maybe it's not good style... but why add extra lines if they are not necessary in this case?

Regards,

__imp__
jE!
28. Nov 2007
I did the KeyGEN, will think about the HIDDEN msg..
Now about that HIDDEN msg..

A BUG is BAD, for example on W9x..
That is nothing hard, just add in future to 'wnd_proc':
USES EBX,ESI,EDI
jE!
28. Nov 2007
BTW, writing 'custom.ev' is NOT required by your statement.
jE!
29. Nov 2007
But! 'custom.ev' DONE!

Wow!!

Now, I have little English, so I can't guess even a well-known
phrase.. What to do with your Hidden msg??

Any msg injection with CRC spoofing??
__imp__
Author
29. Nov 2007
@jE!:
1. "BUG is BAD, for example W9x.."
Well, see above:
_Platform: Windows 2000/XP only_. It'll not work under win9x at all! So, *IN THIS CASE* it was not necessary.
2. Yes, 'custom.ev' file is not required.
3. You may abandon the hidmsg and submit a solution. If you really want to do it, just find the 1st word and try to restore the others char-by-char (some guessing is needed here). A hint: all the letters are lowercase, but there are some non-alpha chars in both sequences.
"any msg injection with CRC spooff??"
If you want to replace the msg by your own, that won't do.
jE!
02. Dec 2007
I'm waiting; when you reveal the Hidden msg, then I will write the tut.. :)
422 bytes is custo.. :)
__imp__
Author
03. Dec 2007
TOO MANY bytes. I have only 20 :)
jE!
03. Dec 2007
bigger is better!
__imp__
Author
11. Dec 2007
Well done, Trundle!
Nevertheless, there is a more elegant solution (I mean self keygen), and I really want to see that 20-byte file custom.ev :)
So, now that the cm has been solved I give some additional info:
Let P(X) be a permutation of an n-element set X. P^[-1](X) is a reverse permutation, and P^k(X)==P(P...P(X)..) (k times). Then for any integer k there exists integer m>=0 such that (P^k)^[-1]==P^m.
The proof of this statement is trivial, and this should be enough to make a self keygen.
Good luck!
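The permutation fact in the post above, worked through as an added example (Python written for this page; it is not the crackme's own code or VM). The permutation P, the exponent k and the 16-byte target are constructed values, and check/keygen are hypothetical stand-ins for the VM's checking routine. The point it shows is the one the author hints at: because a permutation of a finite set has finite order d, (P^k)^-1 equals P^m with m = (-k) mod d, so the inverse can be computed using only the forward permutation the VM already provides.

```python
"""Added example: (P^k)^-1 == P^m for a permutation P of a finite set.

Assumed (hypothetical) model of the check: the VM applies P k times to the
serial and compares the result with a target.  A self keygen therefore only
needs the forward opcode, applied m = (-k) mod order(P) more times.
"""
from functools import reduce
from math import gcd
from typing import List, Sequence

Perm = List[int]  # perm[i] is the image of position i


def identity(n: int) -> Perm:
    return list(range(n))


def compose(p: Perm, q: Perm) -> Perm:
    """p after q: (p∘q)[i] = p[q[i]]."""
    return [p[q[i]] for i in range(len(p))]


def power(p: Perm, k: int) -> Perm:
    """P^k for k >= 0, by square-and-multiply on composition."""
    result, base = identity(len(p)), p[:]
    while k:
        if k & 1:
            result = compose(base, result)
        base = compose(base, base)
        k >>= 1
    return result


def order(p: Perm) -> int:
    """Order d of p (smallest d > 0 with P^d = id) = lcm of cycle lengths."""
    seen = [False] * len(p)
    lengths = []
    for start in range(len(p)):
        if seen[start]:
            continue
        length, i = 0, start
        while not seen[i]:
            seen[i] = True
            i = p[i]
            length += 1
        lengths.append(length)
    return reduce(lambda a, b: a * b // gcd(a, b), lengths, 1)


def inverse_exponent(p: Perm, k: int) -> int:
    """Smallest m >= 0 with (P^k)^-1 == P^m; works for negative k too."""
    return (-k) % order(p)


def apply(p: Perm, data: Sequence[int]) -> List[int]:
    """Permute positions: out[i] = data[p[i]], so apply(p, apply(q, x)) == apply(q∘p, x)."""
    return [data[p[i]] for i in range(len(p))]


def check(p: Perm, k: int, serial: Sequence[int], target: Sequence[int]) -> bool:
    """Hypothetical VM check: P^k(serial) must equal the target."""
    return apply(power(p, k), serial) == list(target)


def keygen(p: Perm, k: int, target: Sequence[int]) -> List[int]:
    """Self-keygen path: run the *forward* permutation m more times on the target."""
    return apply(power(p, inverse_exponent(p, k)), target)


# Constructed sample values (not from the crackme): 16 positions with cycles
# of length 3, 5 and 8, so order(P) = lcm(3, 5, 8) = 120; the VM applies P 7 times.
P: Perm = [1, 2, 0, 4, 5, 6, 7, 3, 9, 10, 11, 12, 13, 14, 15, 8]
K = 7
TARGET = list(b"ABCD-EFGH-IJKL-M")  # constructed 16-byte target


def demo() -> bool:
    serial = keygen(P, K, TARGET)
    return check(P, K, serial, TARGET)


if __name__ == "__main__":
    print("order(P) =", order(P), " m =", inverse_exponent(P, K))
    print("serial   =", bytes(keygen(P, K, TARGET)))
    print("check    =", demo())
```

The inverse is never computed directly: m = 113 extra forward applications undo the 7 the check performs, which is exactly why a VM that only implements the forward transform is enough to build the inverse out of its own opcodes.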
jE!
11. Dec 2007
Blah, didn't I say I did a self keygen?

But you did not reveal that "GREATEST" hidden msg..
Eh, maybe I'll write a solution.. maybe you'll lose me..
Trundle
11. Dec 2007
@jE!: I did reveal the hidden message in my solution.
@__imp__: I thought a real keygen is the most elegant solution. Nevertheless, as you expected a selfkeygen using a custom 'custom.ev', I will submit an updated solution...
jE!
11. Dec 2007
I read your solution, of course. All good except the terrible C++ :)
__imp__
Author
11. Dec 2007
@Trundle: IMO, the most elegant solution is the shortest in time and space :)
@jE!: I really don't understand what the _"GREATEST"_ hiddenmsg is...
jE!
14. Dec 2007
I have time away from writing the tut and did a check of the 20-byte "custom.ev";

the 20-byte "custom.ev" produces the correct key for the char "a",
while my big one produces it for all names.
Are you sure? Did you check your 20-byte "custom.ev" for many cases of name?
__imp__
Author
14. Dec 2007
@jE!: Of course, I did. It's not a matter of the number of bytes, but of a correct inverse function in terms of the internal opcodes. I think I have the shortest one, and it definitely works for at least 5 different names. I can't see the reason why it might not work for the other names :)
btw, 20 bytes is not a requirement. You may submit a solution with 100s of bytes. If it works then it's OK.
