sKiller's skilLa_keyGenMe#3

Download skilLa_keyGenMe#3.zip, 1 kb (password: crackmes.de)

This crackme was coded in pure asm, it has an anti-debugger trick and a special feature. This is very easy for newbies.

You're not allowed to patch or to bruteforce; keygen only.

Sorry for my bad English.


have fun, skilLa

Difficulty: 2 - Needs a little brain (or luck)
Platform: Windows
Language: Assembler

Published: 25. Sep, 2006
Downloads: 618

Rating

Votes: 5
Crackme is nothing special.


Solutions

Solution by Kostya, published 27. Sep, 2006 (30 kb, password: crackmes.de).

Kostya has rated this crackme as nothing special.


Discussion and comments

geeko
26. Sep 2006
Your proggy does not run on my Win 2k
geeko
26. Sep 2006
What kind of trick is that? The proggy starts with 'exitprocess' ?!?!!? and we cannot patch ?!?!!
BaKaE
26. Sep 2006
Patch means the algo or good-boy jump, I believe; something like that (exitprocess) can be patched.
jB_
26. Sep 2006
geeko : no patching means that the program can be registered with a keygen without any patch. To study the algo you can obviously patch it.

sKilLa: nice crackme. You should increase the difficulty now.
geeko
26. Sep 2006
Any proggy is supposed to start before you 'register it'.
At least we must know if that 'exitprocess' is intentional or a bug?
jB_
26. Sep 2006
the "ExitProcess" routine is anti-debug.
If your program doesn't start when you don't debug it, it is a bug. Else it is ok.
l0calh0st
26. Sep 2006
Good trick...hahaha.....
geeko....look where it is jumping ;)
geeko
26. Sep 2006
You didn't understand. The proggy doesn't run at all, inside or outside the debugger! I don't see any jump before the exit. I tried it on Win 2000 and NT.
BoR0
26. Sep 2006
ExitProcess protection is at 004011C8. Just nop the jump.
geeko
26. Sep 2006
skiller, the prog is supposed not to run at all?
BoR0
26. Sep 2006
Ah, SEH tricks. :) Algo is pretty simple.

We should trick the SEH so it lands us here:
0040116C $ 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C] ; Structured exception handler
00401170 . 8BA1 C4000000 MOV ESP,DWORD PTR DS:[ECX+C4]
00401176 . 64:8F05 000000>POP DWORD PTR FS:[0]
0040117D . 83C4 04 ADD ESP,4
00401180 .^EB 8E JMP SHORT skilLa's.00401110

Nice crackme, anyhow.
geeko
26. Sep 2006
I passed the SEH. Now I am backtracing from 00401137
HMX0101
26. Sep 2006
I have bypassed the exitprocess and SEH successfully, but I can't get the first condition :P
geeko
26. Sep 2006
what first condition? at 401071 checks for the length of name.
HMX0101
26. Sep 2006
004010A0 . 8B06 MOV EAX,DWORD PTR DS:[ESI]
004010A2 . 8D3D 46304000 LEA EDI,DWORD PTR DS:[403046]
004010A8 . 8B1F MOV EBX,DWORD PTR DS:[EDI]
004010AA . 33C3 XOR EAX,EBX
004010AC . 3D 37130000 CMP EAX,1337

I know that here it loads the last 4 chars of the serial and the first 4 chars of the name and XORs them, but I can't reverse that :(
l0calh0st
26. Sep 2006
And it could be level 2 :)
ghostz
26. Sep 2006
Hi,
HMX0101, you can reverse it easily!

First routine of serial
Name = ghostz
Constant = 1337 hex value

Inverse 4 characters ghos = sohg
sohg hex value = 736F6867
1337 = sohg xor (part of serial)
(part of serial) = 1337 xor sohg

736F7B50 = 1337 xor 736F6867
736F7B50 = so{P
Inverse it so{P = P{os
Part of serial = P{os

I use 32bit calculator v1.7 by cybult

----------------------------------------------------
I bypass the SEH tricks without patching: I put a hardware breakpoint on execution at 40104A, run, and trace with F8.

Good job sKiller ;)
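The first check that HMX0101 quoted (004010A0..004010AC) and that ghostz solved by hand, written out as an added example (not code from the thread or from the crackme). It shows why ghostz reverses the characters: the four name bytes are read as one little-endian DWORD, XORed with the four serial bytes, and compared with 1337h. The name "ghostz" and the result "P{os" are the values from ghostz's post.

```python
import struct

# CMP EAX, 1337 -- the constant from the quoted listing at 004010AC.
MAGIC = 0x1337


def name_dword(name: str) -> int:
    """MOV EAX, DWORD PTR [ESI]: first 4 bytes of the name as a little-endian DWORD.

    For 'ghostz' the bytes 67 68 6F 73 become 0x736F6867, which is why
    ghostz writes the name backwards ('sohg') before reading it as hex.
    """
    raw = name.encode("ascii")
    if len(raw) < 4:
        raise ValueError("name must be at least 4 characters long")
    return struct.unpack("<I", raw[:4])[0]


def serial_part_from_name(name: str) -> str:
    """Solve (EAX xor EBX) == 0x1337 for EBX and turn it back into 4 characters.

    Only the low two bytes change, so the last two name characters are kept
    as-is.  Caveat: for some names the two XORed bytes are not printable, so
    check the result before typing it in.
    """
    ebx = name_dword(name) ^ MAGIC
    # struct.pack puts the DWORD back in memory order, undoing ghostz's
    # second reversal ('so{P' -> 'P{os').
    return struct.pack("<I", ebx).decode("latin-1")


def passes_first_check(name: str, serial_part: str) -> bool:
    """Re-run the quoted XOR/CMP exactly as the binary does."""
    raw = serial_part.encode("latin-1")
    if len(raw) < 4:
        return False
    eax = name_dword(name)
    ebx = struct.unpack("<I", raw[:4])[0]
    return (eax ^ ebx) == MAGIC


if __name__ == "__main__":
    part = serial_part_from_name("ghostz")
    print(part, passes_first_check("ghostz", part))
```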
HMX0101
26. Sep 2006
After I left the last message, I found the way to reverse it...

Anyway thanks, ghostz :)
D4ph1
26. Sep 2006
The last part confuses me.
It must be: (3rdChar)^2 - (4thChar)*68h + 0A8Ch = 0.
But if we solve for the 3rd or 4th char the result is wrong!
I can't understand why....
HMX0101
26. Sep 2006
@D4ph1:

I think it must be:
(1stChar)^2 - ((2ndChar)*68h) + 0A8Ch = 0
Kostya
26. Sep 2006
Hm..Maybe it is level 1.6..
D4ph1
26. Sep 2006
@HMX0101:
No, I mean the second check before the second bad boy message here:

00401130 . 2BC3 SUB EAX,EBX
00401132 . 05 8C0A0000 ADD EAX,0A8C
00401137 . 83F8 00 CMP EAX,0

Not the check with "DIV AL"...
D4ph1
26. Sep 2006
Now I see what I missed :p
Kostya
26. Sep 2006
I'm writing a solution..
EvOlUtIoN
26. Sep 2006
Solved! The first part of the serial needs some more brain, but is equally simple... very nice crackme!
sKiller
Author
26. Sep 2006
Thanks for your nice comments. :)

For the second part of the code, you just must feel it :D
I think in a few days I'll code a harder one.
HMX0101
26. Sep 2006
This is an easy one, I'm waiting for a really harder keygenme :)

Anyway, good job sKiller :P
