MR.HAANDI's Substitutions

Download Substitutions_Keygenme_by_MR.HAANDI.zip, 92 kb (password: crackmes.de)

This is a simple keygenme with some substitutions.
It wants to trick you into telling something about yourself.

It is very simple to find (name,serial) pairs, but believe me,
it is a little tricky to write your own proper keygen.

More info inside the readme.

So don't get tricked and have fun ;)

Difficulty: 2 - Needs a little brain (or luck)
Platform: Windows
Language: C/C++

Published: 25. Feb, 2013
Downloads: 267

Rating

Votes: 5
Crackme is quite nice.

Solutions

Solution by s3Rious, published 10. oct, 2013; download (10 kb), password: crackmes.de or browse.

s3Rious has rated this crackme as awesome.

Discussion and comments

idid231
21. Feb 2013
It doesn't run on my SP2, keeps telling me that it's not a valid win32 app.
MR.HAANDI
Author
21. Feb 2013
This is strange. There are no anti* mechanisms involved, and I used my old template, which worked fine in the past. The only thing changed is the compiler, which is VS2012 now.
Does anyone else have this problem or know how to fix it?
hepL3r
21. Feb 2013
yeah, it doesn't work in my XPSP3 :|
MR.HAANDI
Author
21. Feb 2013
Wow, "VC++ 2012 RTM does not support WinXP".
I'm sorry for the inconvenience. I will recompile and verify a new version asap.
tamaroth
Moderator
21. Feb 2013
A good question would be: why are you lads still using WinXP?
hepL3r
25. Feb 2013
@tamaroth: I'm using win8 but winxp is still the best os for anti-anti-debugging and ofc reversing :p
redoC
25. Feb 2013
what version of crypto++ is used?
tamaroth
Moderator
25. Feb 2013
The version of crypto++ used was 5.6.1, crackme is using only simple functions that can easily be blackboxed (I wasn't able to procure signatures for that library, something about visual studio compiling to eCOFF which is not supported by flirt)
idid231
03. Mar 2013
hmm, as I see this kgm uses some tables to take value from, I don't know why you guys talked about crypto, maybe I was tricked :D
MR.HAANDI
Author
03. Mar 2013
This is just difficulty 2, so there is no crypto inside.
The library crypto++ was used for convenience and you can solve everything with "a little brain (or luck)" without even looking into that library.
Still, if you take the most simple way, you get tricked.
To achieve the "Gold" bonus objective a little algebra (group homomorphism) is required and you may find an easteregg.
redoC
17. Mar 2013
Too easy, no need to reverse anything. Two small static init fields and everything is in sub_401165.
Anyone found eastereggs?
idid231
20. Mar 2013
As the author noted "if you take the most simple way, you get tricked" I don't know where to go but the simple way :P so I gave up :D
redoC
27. Mar 2013
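I don't know where's the trick, but here is a functional keygen:

#include <windows.h>
#include <string.h>
// IDC_EDIT_NAME and IDC_EDIT_SERIAL must be defined by the keygen's own dialog resources

BYTE initTable_byte_438C50[0x100] = {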
0xB9,0xFE,0xCE,0x7F,0x18,0x0A,0x16,0xA0,0x52,0x2F,0x8C,0x67,
0xE3,0xF5,0x1D,0x3D,0x37,0xA1,0x1F,0x33,0xDD,0x39,0xC9,0x5B,
0x26,0x0D,0x82,0x94,0x68,0x01,0x81,0x00,0x20,0xE9,0xFB,0x4C,
0xB0,0xAB,0xFD,0xD1,0xFA,0xED,0x73,0x77,0x55,0x44,0xA4,0x07,
0x99,0xF4,0xC8,0x4A,0xBC,0x1B,0x62,0x5F,0x2C,0xA6,0xAA,0xF3,
0x80,0x9B,0x09,0x3F,0x50,0x41,0xA7,0x7D,0x3B,0x21,0x0C,0x10,
0x34,0x43,0xD2,0x15,0x9D,0xBD,0x59,0x45,0x53,0x46,0xF6,0x4E,
0x9F,0x31,0x57,0x49,0xBB,0xCD,0x28,0xBA,0xA2,0x42,0xCB,0x2B,
0x56,0x5E,0x3C,0x63,0x64,0x65,0xB2,0x12,0xD0,0x69,0x5D,0x6B,
0x4D,0xE6,0x54,0x6F,0xAD,0xC3,0x72,0xD8,0x74,0x75,0x22,0x5A,
0x61,0x79,0x6A,0x96,0x48,0xAE,0x90,0x88,0x8D,0xB5,0x0E,0xF9,
0x25,0xA3,0x95,0x7B,0xB7,0x8E,0xAC,0xB4,0x51,0x4B,0xBE,0x27,
0xEA,0x35,0x9C,0xE0,0x83,0xAF,0x6D,0x60,0x2D,0x14,0x8B,0x4F,
0x66,0x05,0xC1,0x3E,0xDE,0xA5,0x91,0x03,0x9E,0xE5,0x8F,0xD6,
0xF2,0xC7,0x2A,0x71,0xB8,0xFF,0xD4,0xA9,0xF0,0x7E,0xC5,0x9A,
0xE1,0xB6,0x19,0xEE,0x7C,0x98,0xDF,0x89,0x17,0xEC,0x7A,0x08,
0x24,0x40,0x87,0x5C,0x78,0xBF,0x06,0xDB,0xF7,0x85,0xCC,0x13,
0xE8,0x76,0x04,0x92,0xD9,0xCA,0x11,0x58,0x02,0xD7,0x1E,0x3A,
0x0F,0xE4,0x47,0xD5,0x1C,0xF1,0x38,0xC6,0xE2,0x29,0x70,0xD3,
0x1A,0xA8,0xEF,0x36,0xC4,0x0B,0x6E,0xFC,0x8A,0xC2,0x97,0x6C,
0xB3,0xCF,0xEB,0x32,0xC0,0xDC,0x23,0xB1,0xF8,0x86,0x30,0x93,
0xDA,0x84,0xE7,0x2E };

BYTE initTable_byte_458D68[0x100] = {
0x1F,0x1D,0xD4,0xA3,0xCE,0x9D,0xC6,0x2F,0xBF,0x3E,0x05,0xE9,
0x46,0x19,0x82,0xD8,0x47,0xD2,0x67,0xCB,0x99,0x4B,0x06,0xBC,
0x04,0xB6,0xE4,0x35,0xDC,0x0E,0xD6,0x12,0x20,0x45,0x76,0xF6,
0xC0,0x84,0x18,0x8F,0x5A,0xE1,0xAA,0x5F,0x38,0x98,0xFF,0x09,
0xFA,0x55,0xF3,0x13,0x48,0x91,0xE7,0x10,0xDE,0x15,0xD7,0x44,
0x62,0x0F,0x9F,0x3F,0xC1,0x41,0x5D,0x49,0x2D,0x4F,0x51,0xDA,
0x7C,0x57,0x33,0x8D,0x23,0x6C,0x53,0x9B,0x40,0x8C,0x08,0x50,
0x6E,0x2C,0x60,0x56,0xD3,0x4E,0x77,0x17,0xC3,0x6A,0x61,0x37,
0x97,0x78,0x36,0x63,0x64,0x65,0x9C,0x0B,0x1C,0x69,0x7A,0x6B,
0xEF,0x96,0xEA,0x6F,0xE2,0xAB,0x72,0x2A,0x74,0x75,0xCD,0x2B,
0xC4,0x79,0xBE,0x87,0xB8,0x43,0xB1,0x03,0x3C,0x1E,0x1A,0x94,
0xFD,0xC9,0xF9,0xC2,0x7F,0xBB,0xEC,0x9A,0x0A,0x80,0x89,0xA6,
0x7E,0xA2,0xCF,0xFB,0x1B,0x86,0x7B,0xEE,0xB9,0x30,0xB3,0x3D,
0x92,0x4C,0xA4,0x54,0x07,0x11,0x5C,0x85,0x2E,0xA1,0x39,0x42,
0xE5,0xAF,0x3A,0x25,0x8A,0x70,0x7D,0x95,0x24,0xF7,0x66,0xF0,
0x8B,0x81,0xB5,0x88,0xAC,0x00,0x5B,0x58,0x34,0x4D,0x8E,0xC5,
0xF4,0x9E,0xED,0x71,0xE8,0xB2,0xDF,0xA9,0x32,0x16,0xD1,0x5E,
0xCA,0x59,0x02,0xF1,0x68,0x27,0x4A,0xE3,0xAE,0xDB,0xA7,0xD5,
0x73,0xD0,0xFC,0xC7,0xF5,0x14,0xA0,0xBA,0x93,0xB4,0xE0,0x0C,
0xD9,0xA5,0x6D,0xFE,0xCC,0x21,0x90,0xF2,0xBD,0x29,0xB7,0xE6,
0xB0,0xDD,0xA8,0x3B,0x31,0x0D,0x52,0xC8,0xF8,0x83,0x28,0x22,
0xEB,0x26,0x01,0xAD };

BYTE byte_448D58[0x10000];
BYTE byte_438D58[0x10000];
BYTE byte_458D58[0x10];
BYTE byte_438D54[4];

//----------------------------------------
bool Button_ACTION_401165 (HWND hDlg)
{
    int i,j,idxHi_v2,idxLo_v4,intLen,v10,v12,v13,v14,v15,v16,v17,v23,v26;
    char szName[128] = {0};
    char szRequiredSerial_v22[16];

    memcpy (byte_458D58, "Are you tricked?", 0x10);
    memcpy (byte_438D54, "YES!", 4);

    // Build the two 64 KB lookup tables: XOR and ADD (mod 256), both indexed by substituted bytes
    for (i=0; i<256 ;i++)
    {
        idxHi_v2 = initTable_byte_438C50[i] << 8;
        for (j=0; j<256 ;j++)
        {
            idxLo_v4 = initTable_byte_438C50[j];
            byte_448D58 [idxLo_v4 + idxHi_v2] = initTable_byte_438C50 [i ^ j];
            byte_438D58 [idxLo_v4 + idxHi_v2] = initTable_byte_438C50 [(i+j) & 0xFF];
        }
    }

    GetDlgItemTextA (hDlg, IDC_EDIT_NAME, szName, 127); // input name
    intLen = strlen(szName);
    if (intLen < 2) return false;

    // 32-bit hash of the name
    v26 = 0;
    for (i=0; i<intLen; i++)
        v26 = szName[i] + 16 * v26;

    // Substitute each of the four hash bytes through the first table
    for (i=0; i<4; i++) {
        v10 = *((BYTE*)&v26 + i);
        *((BYTE*)&v26 + i) = initTable_byte_438C50[v10];
    }

    v14 = v26 & 0xFF;
    v12 = (v26 >> 8) & 0xFF;
    v13 = (v26 >> 16) & 0xFF;
    v23 = (v26 >> 24) & 0xFF;

    // One serial byte per round: four table additions combined with table XORs,
    // then one more table XOR with byte_438D54[i] and the second substitution
    for (i=0; i<4; i++)
    {
        v15 = (BYTE)*(&byte_438D58[256 * byte_458D58[4*i + 2]] + v13);
        v16 = (BYTE)*(&byte_448D58[256
              * (BYTE)*(&byte_448D58[256
                * (BYTE)*(&byte_448D58[256 * (BYTE)*(&byte_438D58[256 * byte_458D58[4 * i]] + v14)]
                  + (BYTE)*(&byte_438D58[256 * byte_458D58[4*i + 1]] + v12))]
                + v15)]
              + (BYTE)*(&byte_438D58[256 * byte_458D58[4*i + 3]] + v23));
        v17 = byte_438D54[i];

        *((BYTE*)&v26 + i) = initTable_byte_458D68[(BYTE)*(&byte_448D58[256 * v16] + v17)];
    }

    // ANSI variants, matching the char buffers used throughout
    wsprintfA (szRequiredSerial_v22, "%02X-%02X-%02X-%02X", v26&0xFF, (v26>>8)&0xFF, (v26>>16)&0xFF, (v26>>24)&0xFF);

    SetDlgItemTextA (hDlg, IDC_EDIT_SERIAL, szRequiredSerial_v22); // final serial
    return true;
}
MR.HAANDI
Author
27. Mar 2013
~ As the readme foretold ~ you were "tricked" into telling too much about yourself.
I did not access any sensitive information (like passwords), but your keygen tells me that you are using an AMD CPU on a Windows 7 build 7600.
Also in your keygen is an encrypted string "This is your private data! If you share it, then you are tricked!".
Obviously initTable_byte_438C50 and initTable_byte_458D68 are to blame. However other reversers will have different bytes in those fields, but all keygens will work fine everywhere.
Sharing this "private data" is not really necessary for a functioning keygen and giving it away is in general not a good idea.
halsten
21. Jul 2013
Okay. Indeed very interesting crackme from MR.HAANDI as usual. I got the idea of "telling too much about yourself" and the "nope" part. In a real world scenario, redoC's solution would be accepted, but according to the rules, I agree it doesn't meet the rules.
andrewl.us
Moderator
09. Oct 2013
another good solution by serious

final approval, haandi?
MR.HAANDI
Author
09. Oct 2013
@andrewl.us: It is a very solid solution and definitely achieves the "Silver" goal, which I'm glad to see.
Still the author fails to go the last step and ~really~ reverse engineer what happens right before his eyes in his own keygen.
If you'd look at my keygen, you'd say it is a 20 line level 1 keygen :)
s3Rious
10. Oct 2013
I achieved Golden goal only by looking at my keygen. Solution was in front of my eyes :). Thanks to MR.HAANDI for his hint and for his very interesting crackme. I will fix my solution as soon as possible.
andrewl.us
Moderator
10. Oct 2013
s3Rious shrinks his keygen by 90% and wins gold medal!
MR.HAANDI
Author
10. Oct 2013
Finally, someone who knows when to say "NOPE". The solution is perfect and easily achieves the golden goal.
It was interesting to see, how with time the layers were broken step by step: bronze, silver, gold.
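
The point made in the thread, that the two 256-byte fields are not needed for a working keygen, can be checked against the posted routine; this is an added example, not code from the thread or from the crackme. It assumes the first table is a byte permutation with the second as its inverse; in the posted initTable_byte_438C50 the bytes of "Are you tricked?" map to themselves and "NOPE" maps to "YES!", and the constructed, seeded tables here are pinned the same way (`make_tables`, `serial_tables`, `serial_plain` and the LCG are names and choices made for the illustration).

```c
#include <stdint.h>
/* DST: strings as they appear in the posted keygen; SRC: the same bytes mapped back. */
static const uint8_t SRC[] = "Are you tricked?NOPE", DST[] = "Are you tricked?YES!";
static uint8_t T[256], Tinv[256], ADD[0x10000], XOR[0x10000];

/* Constructed table: shuffled per seed (toy LCG), pinned so that T[SRC[i]] == DST[i]. */
static void make_tables(uint32_t seed) {
    uint8_t dom[256] = {0}, img[256] = {0}, pool[256], t;
    int i, j, n = 0;
    for (i = 0; i < 20; i++) { T[SRC[i]] = DST[i]; dom[SRC[i]] = img[DST[i]] = 1; }
    for (i = 0; i < 256; i++) if (!img[i]) pool[n++] = (uint8_t)i;
    for (i = n - 1; i > 0; i--) {                      /* Fisher-Yates shuffle */
        seed = seed * 1664525u + 1013904223u;
        j = (int)((seed >> 8) % (uint32_t)(i + 1));
        t = pool[i]; pool[i] = pool[j]; pool[j] = t;
    }
    for (i = 0, n = 0; i < 256; i++) if (!dom[i]) T[i] = pool[n++];
    for (i = 0; i < 256; i++) Tinv[T[i]] = (uint8_t)i;
    for (i = 0; i < 256; i++) for (j = 0; j < 256; j++) {   /* build loop as in the post */
        XOR[(T[i] << 8) | T[j]] = T[i ^ j];
        ADD[(T[i] << 8) | T[j]] = T[(i + j) & 0xFF];
    }
}

static uint32_t name_hash(const char *s) {          /* v26 = name[i] + 16 * v26, ASCII names */
    uint32_t h = 0;
    while (*s) h = (uint8_t)*s++ + 16 * h;
    return h;
}

static uint32_t serial_tables(const char *name) {   /* posted routine, step by step */
    uint32_t h = name_hash(name), out = 0;
    for (int i = 0; i < 4; i++) {
        uint8_t acc = ADD[(DST[4 * i] << 8) | T[h & 0xFF]];
        for (int k = 1; k < 4; k++)
            acc = XOR[(acc << 8) | ADD[(DST[4 * i + k] << 8) | T[(h >> (8 * k)) & 0xFF]]];
        out |= (uint32_t)Tinv[XOR[(acc << 8) | DST[16 + i]]] << (8 * i);
    }
    return out;
}

static uint32_t serial_plain(const char *name) {    /* substitution cancelled out, no tables */
    uint32_t h = name_hash(name), out = 0;
    for (int i = 0; i < 4; i++) {
        uint8_t acc = SRC[16 + i];
        for (int k = 0; k < 4; k++) acc ^= (uint8_t)(SRC[4 * i + k] + (h >> (8 * k)));
        out |= (uint32_t)acc << (8 * i);
    }
    return out;
}
```

Both paths return the same 32-bit value for every seed; its four bytes, low byte first, are the fields of the `%02X-%02X-%02X-%02X` serial.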
