
qpt^J's KeyGenMe 1
Download KeyGenMe.zip, 14 kb (password: crackmes.de)
Difficulty: 4 - Needs special knowledge
Solutions
Solution by alex_ls, published 17. mar, 2010; download (65 kb), password: crackmes.de.
alex_ls has not rated this crackme yet.
Solution by KernelJ, published 17. mar, 2010; download (20 kb), password: crackmes.de.
KernelJ has rated this crackme as boring crap.
The submission of solutions is closed.
Discussion and comments
cobrasniper555, 02 Nov 2009: Well, I have been able to reverse the algorithm for the second part of the serial, but the first 7 bytes are the tricky part. They are put through a StrToInt function and XOR'd with 5050h. This result is an address that is followed after lstrcmp returns positive. Without the correct first 7 bytes, the program fails. Help?

mazuki, 18 Nov 2009: I didn't find any variable pushes to the stack for message boxes either, and there are only 4 wsprintfA calls, none of which have variable pointers, so there is no way to really modify those with a unique or crafty jump. The only way I found was to patch the invalid-serial-number box so that it reports the 40C07E string instead.

qpt^J (author), 18 Nov 2009: mazuki, like cobrasniper555 said, "the first 7 bytes are the tricky part. They are put through a StrToInt function and XOR'd with 5050h." Then it's converted to an address, which must be the good-boy message address, and there's no need to patch the program.

_ghandi_, 05 Mar 2010: Looking at the lstrcat at 00401116, there is an element of randomness, as you have saved the ESP value to 0041C385. As the address is stored little-endian, it is included in the string added to the entered name. I haven't reversed it any further yet, so I don't know how, or even if, this influences anything.

KernelJ, 09 Mar 2010: As _ghandi_ pointed out, the current value of ESP (and other junk on the stack, in fact) is included in the serial calculation mechanism. Changing the ESP at the program entry point (the OS doesn't have to give you the same one) gives you a completely different valid serial, meaning it's impossible to write a proper keygen for this; the only solution is to fish for the serial or copy the code so that you get the same behaviour. Basically you have to self-keygen it; there's no other way worth mentioning. Finding the first 7 bytes was slightly enjoyable with analysis tools, but only because the chain of instructions was fairly short and could be traced back easily. Very poorly written keygenme in general... I've submitted a tutorial on how to reverse the required parts of this, find the first bytes, and self-keygen.

qpt^J (author), 09 Mar 2010: Thanks KernelJ for solving this shit. I knew that serials could be different on each computer. Maybe I will agree with self-keygen, because there is no way to write a keygen. P.S.: this is my first keygenme, that's why it has a stupid protection.

alex_ls, 10 Mar 2010: qpt^J, it would be a nice crackme, but this is an unfortunate bug! I have patched a few bytes in the modified SHA1 function (just put 0 at address 41c385) and created a keygen which works for every name. I very much liked the obfuscated part of the code :)
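To make the design flaw the thread describes concrete, here is an added C model; it is not the crackme's code and not code from any of the commenters. It derives a serial from the entered name followed by the four little-endian bytes of a saved stack pointer, as _ghandi_ describes for the lstrcat at 00401116, and hashes the result with a stand-in routine (FNV-1a is assumed here in place of the keygenme's modified SHA1 function, which is not reproduced). It shows why such a serial cannot be reproduced by a keygen run in a different environment, and why zeroing the saved slot, as alex_ls did, makes the check deterministic. The function names, the sample name and the two ESP values are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the keygenme's modified-SHA1 routine: 32-bit FNV-1a
   over the buffer. The real routine is not reproduced here. */
static uint32_t toy_hash(const unsigned char *buf, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= buf[i];
        h *= 16777619u;
    }
    return h;
}

/* Models the lstrcat step described in the thread: the entered name is followed
   by the 4 bytes of the saved stack pointer, little-endian, and the whole buffer
   is hashed. saved_esp stands for the value the program stored in its global
   slot (0041C385 on the page); passing 0 models alex_ls's patch of that slot. */
uint32_t serial_for(const char *name, uint32_t saved_esp) {
    unsigned char buf[64];
    size_t n = strlen(name);
    if (n > sizeof(buf) - 4) n = sizeof(buf) - 4;   /* keep the name within the buffer */
    memcpy(buf, name, n);
    buf[n + 0] = (unsigned char)(saved_esp & 0xff);
    buf[n + 1] = (unsigned char)((saved_esp >> 8) & 0xff);
    buf[n + 2] = (unsigned char)((saved_esp >> 16) & 0xff);
    buf[n + 3] = (unsigned char)((saved_esp >> 24) & 0xff);
    return toy_hash(buf, n + 4);
}

/* Returns 1 if the serial changes with the ambient stack pointer, i.e. a serial
   computed on one machine need not validate on another. The two ESP values are
   constructed examples of plausible initial stack pointers in a Win32 process. */
int serial_is_environment_dependent(const char *name) {
    return serial_for(name, 0x0012FFC4u) != serial_for(name, 0x0019FF8Cu);
}

int main(void) {
    const char *name = "reverser";   /* constructed sample input */
    printf("serial with saved ESP 0x0012FFC4: %08X\n", serial_for(name, 0x0012FFC4u));
    printf("serial with saved ESP 0x0019FF8C: %08X\n", serial_for(name, 0x0019FF8Cu));
    printf("serial with patched slot (0):     %08X\n", serial_for(name, 0u));
    printf("environment dependent: %d\n", serial_is_environment_dependent(name));
    return 0;
}
```

The point for anyone designing a check like this: anything mixed into the derivation must be reproducible from the inputs alone. A stack pointer, an uninitialised local or any other ambient process state is not, so the check silently depends on the loader and OS, which is exactly why the only working approach in the thread was to zero that slot or to run the original code in place.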