
Yonkie's keygenme #3 (by yonkie)
Download y_keygenme3.zip, 53 kb (password: crackmes.de)
Here is an archive containing 3 versions of my keygenme: win32, linux-IA64 and macosx-powerpc. There are also 3 sample key files.
Difficulty: 3 - Getting harder | Rating votes: 5
Solutions
Solution by hound, published 04. Jul 2010; download (28 kb), password: crackmes.de.
hound has rated this crackme as quite nice.
Discussion and comments
alex_ls, 29. Jun 2010: What a tough thing! As far as I understood, the main point of this keygenme is to generate the last 3 double words of a key for the XTEA block cipher algo. After two days working on it I couldn't quite catch the trick. I wonder, does anybody have some ideas about this one?
hound, 01. Jul 2010: Hmm, this is tough. I think you are spot on alex_ls; it comes down to choosing the XTEA keys so that the first block of the cipher text is equal to the first 32-bit key. The only progress I have really made is noticing that with the chosen delta, the key schedule for the second Feistel block only uses the 1st and 3rd keys (k[0] and k[2]). Whether this helps, I am not sure...
brangelito, 01. Jul 2010: 2^32..? Sounds bruteforce-able in the worst case.
hound, 01. Jul 2010: Yeah, I suppose it is 2^32 in the worst case. If you fix k[0] and k[2], then you have a 64-bit input k[1]:k[3] which maps onto 32 bits (ignoring the second cipher DWORD). It works *OK*, but it is still less than ideal...
alex_ls, 01. Jul 2010: I tried to bruteforce it. Yes, it works, but this process is very slow. And I even attempted to make an equation system for the 2 variables k[1] and k[3], assuming serial, sign, featureset and the CRC sum of a user name are known numbers (before and after encryption, of course), but there are too many rounds (45x2), which complicates it too much. I think hound is right that the main clue is in delta, but how to use this trick?
alex_ls, 01. Jul 2010: I have found a solution already! That was so easy :) The answer consists in an enumeration of keys in the order k2, k1, k3 using the first and last states of the cipher rounds. Thanks to yonkie, it's very nice stuff.
Numernia (Moderator), 01. Jul 2010: cool crackme
alex_ls, 01. Jul 2010: Sorry men, I've made a mistake in my algo, there's no solution yet.
hound, 01. Jul 2010: Haha, I've been thinking about your comment for the last 20 minutes and was trying to see how you had nutted it out :-).
andrewl.us (Moderator), 01. Jul 2010: Going to message the author to respond if there's a non-brute way to do it.... 2^32 space is not too bad; for example it took a little over a minute to pass the first condition: uint32_t key[4] = { 0x09E40965, 0xDEADBEEF, 0xCAFEBABE, 0xAAAAAAAA }; uint32_t plain[2] = { 0x09E40965, 0xBBBBBBBB };
yonkie (Author), 02. Jul 2010: Yes, my "official" keygen does brute force. Yes, this is modified XTEA: it takes 4 DWORDs as key and 2 DWORDs as input data and makes 2 DWORDs on output. My keygen tries 4 random keys until the first key is the same as the first output encrypted DWORD. It is not very fast, but on my Intel dual core it takes up to 10 minutes... The trick is that the 4 key values are not fixed anywhere... the main condition is equality of the first key to the first enciphered DWORD in the first encryption block.
hound, 02. Jul 2010: Sweet as, then it is all done. Personally, I don't think it is possible to "craft" the cipher text so that the first DWORD is equal to the first key, as this would hugely undermine its possible use as a hashing function. Thoughts?
brangelito, 02. Jul 2010: hound: That would depend on which mode of operation you use to convert the cipher into a hash function. But yeah, it behaves randomly until stated otherwise. :)
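The search yonkie and hound describe above, written out as an added example (this is not the keygenme's code nor the "official" keygen): it uses standard XTEA with the reference delta 0x9E3779B9 and 32 cycles, because the modified delta and round count of the keygenme are not given in the thread, so those two constants and the function names are assumptions. k[0] and k[2] stay fixed, the 64-bit pair k[1]:k[3] is enumerated starting from andrewl.us's sample values, and each trial is accepted when the first ciphertext DWORD equals k[0]. Because the cipher behaves like a random function of the key, each trial succeeds with probability 2^-32, which is where the expected 2^32 cost comes from; max_trials caps the walk.

```c
#include <stdint.h>

/* Reference XTEA constants (assumed; the keygenme's modified variant uses
 * a different delta and, per alex_ls, 45 cycles, neither given in full). */
#define XTEA_DELTA  0x9E3779B9u
#define XTEA_CYCLES 32

void xtea_encrypt(const uint32_t key[4], uint32_t v[2]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < XTEA_CYCLES; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += XTEA_DELTA;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

void xtea_decrypt(const uint32_t key[4], uint32_t v[2]) {
    uint32_t v0 = v[0], v1 = v[1], sum = XTEA_DELTA * XTEA_CYCLES;
    for (int i = 0; i < XTEA_CYCLES; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= XTEA_DELTA;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* The keygenme's main condition: first ciphertext DWORD == key[0]. */
int meets_condition(const uint32_t key[4], const uint32_t plain[2]) {
    uint32_t v[2] = { plain[0], plain[1] };
    xtea_encrypt(key, v);
    return v[0] == key[0];
}

/* Brute force as hound framed it: k[0] and k[2] fixed, k[1]:k[3] treated as
 * one 64-bit counter and stepped from its initial value. Returns 1 and
 * leaves the satisfying key in `key`, or 0 after max_trials attempts. */
int search_key(uint32_t key[4], const uint32_t plain[2], uint64_t max_trials) {
    uint64_t start = ((uint64_t)key[1] << 32) | key[3];
    for (uint64_t t = 0; t < max_trials; t++) {
        uint64_t x = start + t;          /* wraps modulo 2^64 */
        key[1] = (uint32_t)(x >> 32);
        key[3] = (uint32_t)x;
        if (meets_condition(key, plain)) return 1;
    }
    return 0;
}
```

Driving it from a main with andrewl.us's key and plain values and a budget of a few times 2^32 reproduces the "little over a minute" behaviour he reports, scaled by your CPU.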