noukeys's noukeys_KeygenME!#1

Download keygenme_1.zip, 223 kb (password: crackmes.de)

Try to code a keygen, no patching.

Difficulty: 4 - Needs special knowledge
Platform: Windows
Language: Borland Delphi

Published: 29. Jun, 2007
Downloads: 883

Rating

Votes: 5
Crackme is boring.

Solutions

Solution by _InSaNe_, published 09. jul, 2007; download (238 kb), password: crackmes.de or browse.

_InSaNe_ has rated this crackme as nothing special.

Discussion and comments

ChupaChu
29. Jun 2007
Name must be 8 letters, 3rd letter must be "x"

serial must be: T(*@2*5***

* - important char!
2 and 5 are 2nd and 5th char from name!

I think this is all..
ChupaChu
29. Jun 2007
no no no.. i said wrong..

there is a string "NoM!RyT$NoM!RyT$=]%."
from where important char is pulled out..

Last 6 chars of solution are OK, but first 4 are not.. still have to figure that part out.. maybe tomorrow, now I'm too tired ;)
TiGa
30. Jun 2007
Sounds like something is not working right.

for the name: ABxDEFGH
with random char: %
needs the serial: rH%(null)B%E%(null)%

with random char: +
needs the serial: &H+%B(null)E+++

with random char: ]
needs the serial: aG](0x01)B]D(0x00)]]

Please test your stuff before sending it in.
ChupaChu
30. Jun 2007
TiGa, none of your name/serial works for me ;)
(I always get * or ! or h or N for important chars - never %,+, or ])

And solution always has ending like this:

2nd char from name, *, 5th char from name, ***
where * is important char.

First, second and 3rd letters of serial are changed some way, I will try to figure it out just now.

I have a question for you - How do you type in (null) character ?!
TiGa
30. Jun 2007
Of course they don't work. That's what I'm saying.

If you need to input a (null) character in the good serial MAYBE there is something wrong with the crackme don't you think?
noukeys
Author
30. Jun 2007
You never need to input a (null) character in the good serial.
:)
noukeys
Author
30. Jun 2007
I'm going to try to explain better.
(null) (space)! (null)" <==> � !�"

I wish you can now write a tuto and a keygen :P
TiGa
30. Jun 2007
Here it is in detail:

.bss:00462624 RandomChar db 3Dh

.text:0045B4C7 mov edx, ds:RealSerial

.bss:0046262C RealSerial dd 0A7C7D8h

debug028:00A7C7D8 db 22h ; "
debug028:00A7C7D9 db 48h ; H
debug028:00A7C7DA db 3Dh ; =
debug028:00A7C7DB db 0
debug028:00A7C7DC db 42h ; B
debug028:00A7C7DD db 3Dh ; =
debug028:00A7C7DE db 1
debug028:00A7C7DF db 3Dh ; =
debug028:00A7C7E0 db 3Dh ; =
debug028:00A7C7E1 db 3Dh ; =

For random character = and name ABxDEFGH this is the serial I have to enter. It is compared to the serial I entered in the end.
noukeys
Author
30. Jun 2007
Other solution is patching the random function in order to generate numbers between (5-27) and the serial never needs a null character. :P
TiGa
30. Jun 2007
Here is your problem:

.text:0045B6AF mov eax, 31
.text:0045B6B4 call @System@Random$qqrxi
.text:0045B6B9 add eax, 5
.text:0045B6BC mov dword ptr ds:Random31, eax

Random value up to 30 + 5 => Max Value 35

.text:0045B46F mov ecx, dword ptr ds:Random31
.text:0045B475 movzx edx, byte ptr [edx+ecx+2]
.text:0045B47A mov [eax+3], dl

Character is read from the string but [edx+ecx+2] has a maximum value of 37. What is the 37th char of the string? 00

.text:0045B497 mov edx, ds:NoukeysString
.text:0045B49D mov ecx, dword ptr ds:Random31
.text:0045B4A3 movzx edx, byte ptr [edx+ecx+3]

Same thing again, 35 + 3 => Max Value of 38. What is the 38th char in the string? 01

I understand the algo, I wrote a keygen. I'm just pointing out there is a bug in your crackme but you don't seem to care.
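
The index arithmetic from the comment above, as an added example that is not part of the original thread or the crackme's own code: it counts how many values of Random(31)+5 push the reads at offsets +2 and +3 past the end of the table, and shows the bounds check the lookup is missing. The table contents and its length of 37 are assumptions (chosen so that offset 37 is the terminating zero TiGa reports); `pick_char`, `count_oob` and `safe_rand_range` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in table (37 chars); NOT the crackme's real string. */
static const char TABLE[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#";
#define TABLE_LEN (sizeof(TABLE) - 1)

#define RAND_RANGE 31u  /* mov eax, 31 / call Random -> 0..30 */
#define RAND_BASE   5u  /* add eax, 5                -> 5..35 */

/* Bounds-checked form of: movzx edx, byte ptr [edx+ecx+off].
   Returns 0 and stores the character, or -1 if r+off leaves the string. */
int pick_char(const char *s, size_t len, unsigned r, unsigned off, char *out)
{
    size_t idx = (size_t)r + off;
    if (idx >= len)
        return -1;
    *out = s[idx];
    return 0;
}

/* Number of possible random values whose read at r+off is out of bounds. */
unsigned count_oob(size_t len, unsigned off)
{
    unsigned bad = 0;
    for (unsigned k = 0; k < RAND_RANGE; k++)
        if ((size_t)(k + RAND_BASE) + off >= len)
            bad++;
    return bad;
}

/* Largest n for which Random(n)+RAND_BASE+max_off always stays in bounds
   (0 if no value is safe). */
unsigned safe_rand_range(size_t len, unsigned max_off)
{
    if (len <= (size_t)RAND_BASE + max_off)
        return 0;
    return (unsigned)(len - RAND_BASE - max_off);
}

int main(void)
{
    printf("out of bounds at +2: %u of %u values\n", count_oob(TABLE_LEN, 2), RAND_RANGE);
    printf("out of bounds at +3: %u of %u values\n", count_oob(TABLE_LEN, 3), RAND_RANGE);
    printf("safe Random() argument: %u\n", safe_rand_range(TABLE_LEN, 3));
    return 0;
}
```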
ChupaChu
30. Jun 2007
Hey TiGa, I did a keygen too, but it only works for most letters.

I think you are correct when you say that a letter pulled from the hardcoded string can be read outside the string.

Anyway it was an interesting keygen me :)