XzzX's XzzX#CrackMe4

Download XzzX-CrackMe4.zip, 52 kb (password: crackmes.de)

*******************************************
************** XzzX#CrackMe4 **************
*******************************************

author : XzzX
created : 11/07/2007
language : Assembler / MASM

difficulty: 5/10

goal : write a keygen, which works for EVERY name

rules : absolutely no patching ;-)

info : CrackMe is solvable ;-)

You have to solve a first problem to get the CrackMe running!!!

If you encounter a problem/bug/question/etc feel free to write a comment or send me a pm.

Please send me your solution when you've solved it. ;-)

Tested under WinXP SP2 but it should work with every windows.

gl&hf
XzzX

Music : "Sun Symbolizing Song" by nitzer

Difficulty: 5 - Professional problem to solve
Platform: Windows
Language: Assembler

Published: 27. Jul, 2007
Downloads: 638

Rating

Votes: 5
Crackme is quite nice.



Solutions

Solution by alex_ls, published 08. sep, 2007; download (104 kb), password: crackmes.de or browse.

alex_ls has rated this crackme as quite nice.

Solution by red477, published 08. sep, 2007; download (25 kb), password: crackmes.de or browse.

red477 has rated this crackme as awesome.


Discussion and comments

cobrasniper555
28. Jul 2007
I've got the key.dat down, and the md5 usage. Now I just need to figure out the rest of the algorithm. If I was wrong about something, it would be that there is no md5 implementation in this crackme, but PEiD showed one in KryptoAnalyzer. How much on track am I?
XzzX
Author
28. Jul 2007
If you get the crackme running you solved the first stage.
@md5: I don't know. ;-)
HMX0101
28. Jul 2007
It's really solvable?

((a xor 0xAB459D9A)*0xA647) + ((b xor 0x3FB5988A)*0x22CF6) + ((c xor 0xABBBAA9A)*0x1074) + ((d xor 0x2BE59D46)*0x17293) = Sum name chars

This can't return a value lower than 0x0FFFFFFF, so it's a trick or a bug? I hope you think it's the first one ;)
MR.HAANDI
28. Jul 2007
Indeed it can, because eax is used after imul.
E.g. 0xA647 imul 0xFD12377 = 0x00000001.
But I don't know whether it is planned or the author just typed in some random values, but 0x6FBD6 = 457686 and it is even, which is bad for the finite field linear system!
TiGa
28. Jul 2007
Since when can you solve a 4x4 matrix system like this using only integers?
KernelJ
28. Jul 2007
I haven't tried this crackme yet, but surely there would be a fair number of solutions to that equation. Or are there limits on a, b, c, d?
cobrasniper555
28. Jul 2007
I've solved it, and I think it isn't really a 5 on the scale. I'm making a tutorial right now, I have a keygen and everything if you want it, XzzX.

Thanks for the crackme.
Haykuro
28. Jul 2007
Blah, I need a little help. I figured out how to pass the check for the comparison text on the file, but when it does the second or-check on ebx, it says it's wrong... helppp?
MR.HAANDI
28. Jul 2007
Check out the GetFileAttributesA API which is called shortly before.
TiGa
28. Jul 2007
@cobrasniper555:

Did you get the GoodBoy MessageBox or the "Registered to: Name" message?
TiGa
28. Jul 2007
I think it could spawn a philosophical discussion: If a fake algo is solvable, is it still called a fake algo? ;)
Haykuro
28. Jul 2007
YAY! Solved the keyfile check routine, I was missing 1 attribute :P
MR.HAANDI
28. Jul 2007
NOOOOOO! For hours I've been reversing the finite field linear system and this is supposed to be the fake algo??? Hey, but I still got a "Congratulation! You solved it!" for some names, but not for all.
TiGa
28. Jul 2007
From the description above:

goal : write a keygen, which works for EVERY name
info : CrackMe is solvable ;-)
TiGa
28. Jul 2007
When I solved the matrix for my name, the answers weren't integers. So I started looking elsewhere.
Haykuro
28. Jul 2007
BLAH, fake algo?!?!!? Arggghh!! I wasn't paying attention to the comments and I was going insane trying to figure out why I wasn't getting the registered message.
Ox87k
28. Jul 2007
I haven't seen this keygenme 'coz I've no time now, but reading the comments:

E.g. 0xA647 imul 0xFD12377 = 0x00000001.

This part seems to be like Euler's totient function ;)
red477
29. Jul 2007
Working on it ;)
And yes, the real algo is so deep inside :D
XzzX
Author
29. Jul 2007
I wasn't online for one day. Sorry. I never had so many comments on one of my crackmes.

As you found out, the equation system is fake. The main factor of the matrix is a very big number. To get a solution for every name it has to be 1, which is obviously not the case.
I tried to make this clear by stating "EVERY name", but perhaps I should have made it clearer.

As TiGa already said, for a proper solution you need to get the "Registered to: <name>" message.

@cobrasniper555: send me your solution for two names and I'll believe you.

@MR.HAANDI: you got some working names/serials? I thought it would only be possible for some strange ones. Please send them to me.

@all comments: sorry for my late answer.

Have a good day
XzzX
MR.HAANDI
29. Jul 2007
Today I let your crackme's fake algo inspire me for my own keygenme (which is not that easy to solve, btw). It should appear soon on crackmes.de ;)
And that is one of the reasons why I can't tell you some working combinations for the fake algo.
But still a hint: How do you solve a 4x4 system? You divide the coefficients, so they become 1. What if you could multiply the coefficients, like e.g. 0xA647 imul 0xFD12377 = 0x00000001, so they become 1 without making the system inconsistent?
XzzX
Author
31. Jul 2007
I thought about the "fake" equation system. Perhaps it is really solvable with integer overflows. I didn't think that far. I just thought almost all results would be floating-point numbers -> not solvable.
What do you think?
@MR.HAANDI: how did you find 0xA647? I don't have much experience with mod operations.
MR.HAANDI
31. Jul 2007
Talking about this weakens my first crackme protection. Nevertheless here is a full explanation: en.wikipedia.org/wiki/Modular_multiplicative_inverse.
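As an added illustration of the modular-inverse hint in MR.HAANDI's two comments above (my own example, not code from the crackme or from any commenter): it checks that 0xA647 and 0xFD12377 really are inverses modulo 2^32, computes such inverses by Hensel/Newton lifting, and shows why the even coefficients 0x22CF6 and 0x1074 quoted in the thread cannot simply be "divided out". The coefficient names and the sample target value are constructed for the example.

```python
# Constants quoted in the discussion; the variable names a..d are constructed labels.
COEFFS = {"a": 0xA647, "b": 0x22CF6, "c": 0x1074, "d": 0x17293}
MASK32 = 0xFFFFFFFF


def imul32(x: int, y: int) -> int:
    """Low 32 bits of x*y, i.e. what a 32-bit IMUL leaves in EAX."""
    return (x * y) & MASK32


def inverse_mod_2_32(a: int):
    """Multiplicative inverse of a modulo 2**32, or None if a is even.

    For odd a, a*a == 1 (mod 8), so x = a is correct to 3 bits; each
    Newton step x = x*(2 - a*x) doubles the number of correct low bits
    (3 -> 6 -> 12 -> 24 -> 48), so four steps cover all 32 bits.
    """
    a &= MASK32
    if a % 2 == 0:
        return None  # gcd(a, 2**32) > 1: no inverse exists
    x = a
    for _ in range(4):
        x = imul32(x, 2 - imul32(a, x))  # negative intermediate is masked back
    return x


def solve_linear_mod32(coef: int, target: int):
    """Smallest x with coef*x == target (mod 2**32), or None if unsolvable.

    An even coef (2**t * odd) has no inverse: the congruence is solvable only
    when target is also divisible by 2**t, and then x is only fixed modulo
    2**(32-t), which is exactly why even coefficients spoil the system.
    """
    coef &= MASK32
    target &= MASK32
    if coef == 0:
        return 0 if target == 0 else None
    t = (coef & -coef).bit_length() - 1  # number of trailing zero bits
    if target % (1 << t):
        return None
    inv = inverse_mod_2_32(coef >> t)  # odd part is always invertible
    return imul32(inv, target >> t) & ((1 << (32 - t)) - 1)


def invertible_coefficients():
    """Which of the quoted coefficients can be turned into 1 by a multiply."""
    return {name: inverse_mod_2_32(c) for name, c in COEFFS.items()}
```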
KernelJ
02. Aug 2007
Still no solutions for this??
TiGa
02. Aug 2007
@KernelJ: Still no solution for this??
XzzX
Author
02. Aug 2007
Perhaps it is too hard ;-)
In the end I have to write a solution myself ...
cobrasniper555
07. Aug 2007
I swear I'm so close to finishing this...
KernelJ
07. Aug 2007
@Tiga: I never started doing this one. I was too busy doing MyVM#1.
@XzzX: ditto what you said... lol
XzzX
Author
14. Aug 2007
Is anyone still trying to solve it?
cobrasniper555
16. Aug 2007
Ya, I found the real encryption algo, how it appears before use and "disappears" after use. Too lazy to reverse the floating point instructions though...
leotr
17. Aug 2007
XzzX, do you still evaluate the difficulty of this crackme as 3?
XzzX
Author
17. Aug 2007
3? It is rated 5.
I think 5 or perhaps 6 is correct. But I didn't want to overrate it as I did with my first one. ;-)

@cobrasniper555: I'm waiting for a solution. ;-)
cobrasniper555
18. Aug 2007
Lol, XzzX, this algo man...you're something else.
XzzX
Author
20. Aug 2007
It isn't as hard as it looks. ;-)
11/16 are easy. The rest is a little bit more complicated. :-D
alex_ls
07. Sep 2007
Has anybody solved this crackme already?
I've coded a keygen that works for every name with an EVEN length. The system has collisions with overflows when the right part of the equation (vector b) consists of the convergence parity of the numbers (b1-even, b2-odd, b3-even, b4-even) (sum of evens doesn't equal sum of odds).
In my case the system is solvable when the evens equal the odds of the vector B numbers. So if it's not so, I just add a space (0x20) to the end of the name and the system becomes solvable! I wanted to write a solution but I may be wrong with these conclusions.
XzzX: give some info about this stuff please.
XzzX
Author
07. Sep 2007
Sorry I can't follow you.
I'm not a native speaker.
Please leave me a more detailed pm. ;-) I'm interested in your solution.

But I think you're talking about the "fake"-algo.
I didn't think about these overflows by the time of writing this crackme. I should spend more time in writing my fake algos. ;-)

I'll accept a solution for the "fake" algo as well. Although you miss the real fun. ;-) A solution covering both would be really nice. But I'm not sure if the "fake" algo can be solved. *lack of maths* ;-)
alex_ls
08. Sep 2007
XzzX: Ok! I'll try to write a solution.
red477
08. Sep 2007
alex_ls, wow, interesting solution. I like it. Absolutely another way.

@XzzX, I forgot to mention the OutputDebugStringA, because I changed the entry point before analysis. And the "Sun Symbolizing Song" is so nice that I enjoyed it for a whole night;)
XzzX
Author
09. Sep 2007
Congratulations to both authors.
I got two different solutions for one crackme. ;-)

@alex_ls: I'll study your solution since I don't know how to solve it.

@red477: Nice solution, everything mentioned.
Unfortunately I found a bug in my "real" algo. If you input a name whose xor-sum is 0 you get an unhandled FPU div-by-0 error which makes it unsolvable. :-(
But since it would make your keygen not work anymore I won't patch it. You can simply circumvent it by adding one more space.

Solved after one month -> next target two months ;-)
alex_ls
09. Sep 2007
@XzzX: I have fallen in your trap with the fake algo 2-3 weeks ago, but after working with Solvet1 by MR.HAANDI I had an idea how to perform the system without the modular arithmetic. Well, I returned to this task. (The real algo I've not figured out yet.)
Very good job man!

@Red477: Thanks for the real algo solution, I just now understood the whole idea of this crackme:)
