qpt^J's Crackme2
| Download Crackme2.zip, 9 kb (password: crackmes.de) Browse contents of Crackme2.zip For this crackme you must find Serial number
Difficulty: 2 - Needs a little brain (or luck) | RatingVotes: 3 View profile of qpt^J » |
Solutions
Solution by mjones, published 24. aug, 2009; download (8 kb), password: crackmes.de or browse.
mjones has rated this crackme as awesome.
Discussion and comments
| kstangl 23. Aug 2009 | Is there any way other than brute force to solve for the first part of the key? |
|---|---|
| qpt^J Author 23. Aug 2009 | This crackme can be solved only by bruteforcing |
| Lone.Wolf 24. Aug 2009 | Wow, this crackme is a hard one (for me) by implementing the function at $4012BA i figured (brute forced) out the string format: - 18 characters long - 4th and 10th character must be "-" e.g: 123-12345-12345678 that function almost equals to this equation: ( SQR( ( SQR(x) * 4 + 9*x + $746 ) div 5 ) * 2 + 4 * ( ( SQR(x) * 4 + 9*x + $746 ) div 5 ) + $153F - $15F1F ) div 4 + $5A2D9 - $BBD59 EXCEPT for 1 iteration (ebx = 1) I hope someone could dig deeper .. xD Best regards |
| qpt^J Author 24. Aug 2009 | mjones very nice solution |
| Lone.Wolf 24. Aug 2009 | wow, im impressed; i thought about analyzing the function and solving the equation for key/serial creation, but bruteforcing also leads to victory xD thanks |
| Torpor 25. Aug 2009 | You can analyze the function, but not realistically reverse it. The hash method is: a = (4*a*a + 9*a + 1862) / 5; a = (2*a*a + 4*a - 84448) / 4; a -= 400000; (the use of IDIV should mean the number is signed, however, the program operates on the unsigned number for me -- so if you use the above, declare "a" as unsigned.) The problem with trying to reverse the hash is the use of integer division. The inverse is not a function -- it maps many-to-one. i.e.: int(6/5) = int(7/5) = int(8/5) = int(9/5) = 1 (in fact, with x/n, there are n-1 values for x that are equivalent). So without the knowing the modulus result, each loop has (5-1)(4-1) = 12 possibilities. The calculation of the first three digits loops 0x1C4 (452) times. Thus, Reversal: 452 * 12 = 5,424 possible solutions. Brute Force: 10^3 = 1,000 possible solutions. In the end reversing the algorithm is basically a less efficient version of brute force. |
| ringzro 10. Sep 2009 | I may be wrong, but I think LoneWolf's equation could be brought to a 2nd grade equation of the form ay^2 + by + c = 0; where y equals to (4 * sqr(x) + 9 * x + 746) / 5; For each y found, solve the equation of x. So you end up with at most 4 values for x, some of which may be negative or complex. Of course, as x is the length of the code, it can only be a positive number. For ebx > 1, you can still solve it by repeatedly propagating the result for the nth step to the nth-1 step. |
You may leave your comment, thoughts and discuss this crackme with other reversers here.
Acting childish will not be tolerated.
HTML and such will be left as-is, so don't try.