
neotren's CryptoME
Download CryptoME.zip, 130 kb (password: crackmes.de) Browse contents of CryptoME.zip Your task is to register and be able to play this small game.
Difficulty: 7 - Very hard | Rating: Waiting for at least 3 votes
Solutions
Solution by andrewl.us, published 30. mar, 2010; download (110 kb), password: crackmes.de or browse.
andrewl.us has not rated this crackme yet.
Discussion and comments
neotren Author 10. May 2008 | Anyone working on this atm?? Perhaps a comment on the level 5 rating. Is it too hard/easy? |
DigitalAcid 11. May 2008 | Yeah, I tried it and patching is indeed hard =). I kinda gave up atm. I can't make a keygen anyway. |
Zaphod 12. May 2008 | It is hard, all right! I can patch it so it says all the above, the "verification" and "GOOD"-stuff, but that doesn't make the program run... |
MACH4 12. May 2008 | I think the game crashing when it's patched is because it isn't finding the information required to run, mainly because of the patching. If that makes any sense! Also patching loses the Registered name (which is a requirement). Might be just as hard to completely patch as it is to solve it properly! All pivots on the verification call, it's a BIG place in there, lol! Wish I had more experience in that direction! Anyway, very nice Crackme, will be most interested to see a tutorial on it... MACH4 |
DigitalAcid 12. May 2008 | I think it's modifying the original code to make the game run, so if you patch, you modify the bytes and therefore it won't run properly. If you patch, there is no registered name anyway =). I can't seem to find where it checks my input against the correct input =). PS: I'm changing the Z or whatever flag, not actually patching, and it still doesn't work O.o. Can't wait to see a tutorial either, I think I know which type of hash it's using. |
HMX0101 12. May 2008 | Hey ppl, the game needs a correct key in order to play, this is because that part of the executable is encrypted with AES (this is just a guess ;) and can be decrypted only with a good key ;) |
Zaphod 12. May 2008 | hmx0101, PEiD says 2 versions of RIJNDAEL, SHA1 and 3 versions of Big Number. I am also looking forward to seeing a solution, though I haven't quite given up yet :) |
neotren Author 12. May 2008 | Hi, HMX0101: Your guess is correct but it's solvable. I just talked to a friend and he thinks that the rating is a bit low and would rate it 7-8. |
HMX0101 13. May 2008 | Zaphod, if you've IDA you can use CryptoSig by Cauchy to see what's going on with Bignums... ;) I'll be taking a look closer, later :D |
TaGaDaPaF! 30. May 2008 | Is it solvable without knowing the modulus factors? |
neotren Author 31. May 2008 | TaGaDaPaF!: No (I really hope not :)) |
TaGaDaPaF! 02. Jun 2008 | Are we supposed to factor the modulus with the given information contained in your crackme (without spending 100 years of computation)? I don't see any backdoors to factor it -- maybe I'm not looking deep enough. |
MR.HAANDI 02. Jun 2008 | How come I overlooked this nice crackme? Yes, finding the group order of the field does not seem obvious, let's see... |
neotren Author 02. Jun 2008 | TaGaDaPaF!: There should be a faster way :) Look deeper. |
MR.HAANDI 03. Jun 2008 | Are you saying that if one looks deeper, one can find the factorization or are you saying that if one looks deeper, one can find a way without the (full) factorization? |
TaGaDaPaF! 03. Jun 2008 | You need one of the non-trivial factors in your license file. Anyway, its beginning is the AES key. |
neotren Author 03. Jun 2008 | MR.HAANDI: I say you can find a way to factor. The AES part is only implemented to make it "impossible" to crack and the RSA part is to make it look "impossible" to break. When you have the AES key you have 90% of the information you need to make a keymaker, so plz don't patch it. |
neotren Author 01. Aug 2008 | Anyone working on this atm? |
DigitalAcid 01. Aug 2008 | Not me. It's way above my league, even though I know most of the stuff you mention =). |
neotren Author 02. Oct 2008 | Perhaps someone with more crypto experience could have a look at it? Perhaps level 5 is a bit low on this one? Can anyone comment on that? |
neotren Author 07. Jun 2009 | one year and no solution? :) Need any help? |
neotren Author 16. Aug 2009 | First small hint: ASProtect SKE :) |
VaZoNeZ 17. Aug 2009 | Can I pack/protect my Crackme with a commercial protector even if it is free? No. The only packers/protectors allowed are those that you wrote yourself. This website is not meant to be a place where commercial protectors are disabled for you by other reverse code engineers. |
neotren Author 17. Aug 2009 | VaZoNeZ: Did you think that the hint was for which packer was used? The hint is for factoring the modulus. Nothing from ASProtect SKE is used here. Even the algo is home made. (The packer itself is made by me) |
neotren Author 15. Sep 2009 | Hint 2: The modulus used in the RSA part is also used in the signature algo. You can assume that the modulus n = p*q where p and q are prime numbers. When you look at the signature size you can also assume that the order of g != phi(n). Now since n is a multiplicative group you know that Zn depends on Zp and Zq. Also g^(p-1) == 1 mod p and g^(q-1) == 1 mod q and g^((p-1)*(q-1)) == 1 mod n. When the order of g != phi(n) then there might be a subgroup to work in?? Perhaps you can use this info to factor n??? So when you have p and q you need to solve DLP in Zpq and Zqq, use CRT and you should have all the info you need to make a keygen for this crackme. Also using the same p and q you should be able to obtain the RSA d. |
andrewl.us Moderator 15. Sep 2009 | if g is the generator of some subgroup of order q-1, doesn't g^((q-1)*k)=1 for any integer k? (vs. specific case that you mention g^((q-1)*(p-1)) How do you read "Zpq" and "Zqq"? |
artif 15. Sep 2009 | I found the way to factor it I think ... |
neotren Author 15. Sep 2009 | andrewl.us: yes g^((q-1)*K) == 1 mod q. When I wrote Zpq and Zqq I was referring to there being a subgroup q in Zp and also a subgroup q in Zq. I see now that this could mess things up, so what I meant is that there is a subgroup q1 in Zp and there is also a subgroup q2 in Zq. (q1 is a prime factor of p-1 and q2 is a prime factor of q-1). |
andrewl.us Moderator 16. Sep 2009 | finding the size of the hinted subgroup still seems infeasible...only thought to try is assume one of big numbers 016B2835(etc.) or 017A1EB5(etc.) generates the group, but finding its order (and thus the size of the group) is as hard as factoring - not asking for more clues, let's keep the challenge a challenge :) go go artif :) |
artif 16. Sep 2009 | yep let's keep the challenge ;) too much hint now ... :D |
neotren Author 28. Sep 2009 | artif: Any luck factoring? :) |
neotren Author 11. Feb 2010 | New hint: There is a factoring algo called p-1. Perhaps modifying it might solve the problem. |
andrewl.us Moderator 12. Feb 2010 | are you certain the subgroup is so evident? your signature scheme is nearly Schnorr: e = (4 bytes) s = (7 bytes) g = 17A1EB... y = 016B28... you compute: r_v = g^s * y^e (mod N) e_v = hash(m || r_v) (mod 0xFABF1234) (must match e) - the size constraints on e and s are really confusing - am assuming you reduce e_v by that composite just to reduce it to 4 bytes (the range of e) ? have tested all g^exp (mod N) for 32-bit exp and got neither 1 nor y... am scared that your s (the 7 byte) is reduced (mod q) (like in Schnorr) and q is the subgroup size... would be way too large a search space if you could answer questions as minimally as possible (fewest clues) |
neotren Author 14. Feb 2010 | e is just the hash here and is not important. However s is, which is the signature. You can look at the sig to determine the size of the group (sub group). So as you say, sig size is 7 bytes max, then you know the order of g in N should be ~same size. So a 7 byte order gives you max 56 bit. So now try to look at the problem in Zp and Zq. The order of g in Zp or Zq can be like 56/2 bit. Using the properties of g and the algo Pollard's p-1 might solve the problem :) Look at the algo p-1 and you will see it all clear then. (oh and you should not need to search all the way up to 32 bit :)) |
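The two hints above (a generator g of small order in Zp and Zq, and Pollard's p-1) rest on one fact: if a prime factor p of n has p-1 composed only of small primes, then a^M == 1 (mod p) for an exponent M built from those small primes, and gcd(a^M - 1, n) reveals p. The following is an added illustration written for this discussion, not code from the crackme or its solution; it runs Pollard's p-1 on a small constructed modulus (1009 * 1019, where 1008 = 2^4 * 3^2 * 7 is 7-smooth and 1018 = 2 * 509 is not) and includes the check a key owner would run on their own primes: how large the largest prime factor of p-1 is.

```python
from math import gcd


def primes_up_to(bound):
    """Sieve of Eratosthenes: every prime r with r <= bound."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_prime in enumerate(sieve) if is_prime]


def pollard_p_minus_1(n, bound, base=2):
    """Pollard's p-1 with smoothness bound `bound`.

    Computes a = base^M (mod n) for M = product of r^e over all primes
    r <= bound, with e chosen so that r^e <= n.  If some prime p | n has
    p-1 dividing M, Fermat gives a == 1 (mod p), so gcd(a - 1, n) is a
    multiple of p.  Returns a non-trivial factor of n, or None when the
    bound was too small (or every factor collapsed at once, gcd == n).
    """
    a = base % n
    for r in primes_up_to(bound):
        power = r
        while power * r <= n:
            power *= r
        a = pow(a, power, n)
        d = gcd(a - 1, n)  # check after every prime so we stop early
        if d == n:
            return None
        if 1 < d < n:
            return d
    return None


def largest_prime_factor(m):
    """Largest prime factor by trial division; measures how smooth m is.

    Defender-side check: for an RSA prime p, a small value for p-1 means
    Pollard's p-1 with a bound at least that large will recover p.
    """
    largest = 1
    r = 2
    while r * r <= m:
        while m % r == 0:
            largest = r
            m //= r
        r += 1
    if m > 1:
        largest = m
    return largest


if __name__ == "__main__":
    # Constructed toy primes (not the crackme's values): p-1 is 7-smooth,
    # q-1 has the prime factor 509, so a bound of 7 isolates p.
    P_SMOOTH, Q_ROUGH = 1009, 1019
    n = P_SMOOTH * Q_ROUGH
    print("largest prime factor of p-1:", largest_prime_factor(P_SMOOTH - 1))
    print("largest prime factor of q-1:", largest_prime_factor(Q_ROUGH - 1))
    print("factor found with bound 7:", pollard_p_minus_1(n, bound=7))
```

The same mechanism is what the hint about g's order points at: if you already know a small order that g has modulo one factor, raising the base to that order plays the role of the smooth exponent M. When neither p-1 nor q-1 is smooth below the bound, the gcd stays 1 and the function returns None, which is exactly the outcome proper RSA prime generation aims for.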
neotren Author 11. Mar 2010 | any luck using Pollard's p-1? |
Xspider 02. Apr 2010 | c0ol you did it man :D |
andrewl.us Moderator 03. Apr 2010 | only with a lot of help/hints :) cool to learn about pollard p-1 though - hopefully neotren will write more fun things |
Xspider 03. Apr 2010 | but you did it anyway ;) |
neotren Author 10. Apr 2010 | Nice job. And now for next challenge is to fly and land your ship at the base :) |