Help at newbie KeygenMe [Archive] - RCE Messageboard's Regroupment

View Full Version : Help at newbie KeygenMe

opc0d3

March 1st, 2013, 07:41

Hello guys!

Well, i'm here to learn!
So i'm newbie at this and this keygenme that i'm trying to solve is classfied as newbie keygenme, but it's very complicated to me.

So.. It have a simple interface.. i see a window and a EDIT.
Coded in c++ we have 2 ways to get the function with keygen check..

Search at GetDlgItemText or simply search at strings (faster and simpler)

I tried hard to get where it generate original keygen..
But it uses stack to store everything.. it's complicate to me.. because in Olly it puts "LOCAL.1", "LOCAL.5" and so on..
But it mean "PTR SS:[EBP-0C8]" for example..

I've attached the file in the post... Link >> 2737
If anyone can help me to find out..
I don't want the answer i just want clues to find out by myself..

Thanks!!!

greenoaktree

March 2nd, 2013, 08:25

sub_40A924 is a importent point:
analyze this ,and two sub:

reverse the black sub ,you may find the answer

opc0d3

March 2nd, 2013, 21:18

Helo greenaktree.. you found out how it generate the key ?

I'm feeling very confuse code and hard to find out...
I've been analysing the "CALL 0040A924".. but It's very complicated, it uses only the stack..

I see that it reads some high addresses..
You just analyzed 40A924 and found the "key function generator" ?

thanks

greenoaktree

March 3rd, 2013, 03:53

Sorry,I didn't dig in.
this is the main piece:
00401FD2 . E8 DD560000 call <jmp.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
00401FD7 . 83EC 10 sub esp,0x10
00401FDA . 8D45 F7 lea eax,dword ptr ss:[ebp-0x9]
00401FDD . 894424 08 mov dword ptr ss:[esp+0x8],eax
00401FE1 . 8D55 C0 lea edx,dword ptr ss:[ebp-0x40]
00401FE4 . 895424 04 mov dword ptr ss:[esp+0x4],edx
00401FE8 . 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
00401FEB . 890424 mov dword ptr ss:[esp],eax
00401FEE . C785 48FFFFFF>mov dword ptr ss:[ebp-0xB8],0x3
00401FF8 . E8 67810000 call Crackme.0040A164
00401FFD . C685 38FFFFFF>mov byte ptr ss:[ebp-0xC8],0x0
00402004 . 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
00402007 . 894424 04 mov dword ptr ss:[esp+0x4],eax
0040200B . 8D45 EC lea eax,dword ptr ss:[ebp-0x14]
0040200E . 890424 mov dword ptr ss:[esp],eax
00402011 . C785 48FFFFFF>mov dword ptr ss:[ebp-0xB8],0x1
0040201B . E8 E8810000 call Crackme.0040A208
00402020 . C685 38FFFFFF>mov byte ptr ss:[ebp-0xC8],0x1
00402027 . 8D45 EC lea eax,dword ptr ss:[ebp-0x14]
0040202A . 890424 mov dword ptr ss:[esp],eax
0040202D . E8 9EF7FFFF call Crackme.004017D0
00402032 . 84C0 test al,al
00402034 . 0F85 86000000 jnz Crackme.004020C0
0040203A . C685 40FFFFFF>mov byte ptr ss:[ebp-0xC0],0x0
00402041 > 8D45 EC lea eax,dword ptr ss:[ebp-0x14]
00402044 . 890424 mov dword ptr ss:[esp],eax
00402047 . C785 48FFFFFF>mov dword ptr ss:[ebp-0xB8],0x2
00402051 . E8 CE880000 call Crackme.0040A924
00402056 . 80BD 40FFFFFF>cmp byte ptr ss:[ebp-0xC0],0x0 ; |
0040205D . 74 30 je XCrackme.0040208F ; |
0040205F . C74424 0C 000>mov dword ptr ss:[esp+0xC],0x0 ; |
00402067 . C74424 08 5BD>mov dword ptr ss:[esp+0x8],Crackme.0040D>; |ASCII "gratz !!"
0040206F . C74424 04 64D>mov dword ptr ss:[esp+0x4],Crackme.0040D>; |ASCII "now keygen it !"

except 0x40a924,there are 3 call after GetDlgItemTextA that get the key from UI
0x40a164
0x40a208
0x4017d0

these three subs are more complicated than 0x40a924
I think may the three are library subs,so I search strings in the .exe file ,and find this:
ASCII "../../../../gcc-4.4.1/libgcc/../gcc/config/i386/cygming-shared-data.c"
So ,maybe it static linked with gcc library.Maybe the three are gcc library subs.

some clue:
ASCII "-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32"

blabberer

March 3rd, 2013, 13:06

Quote:

[Originally Posted by opc0d3;94338] because in Olly it puts "LOCAL.1", "LOCAL.5" and so on

alt+o ->analysis1 -> check / uncheck show args and locals in procedure for enabling / disabling above disassembly for odbg1.1 version

alt+o -> analysis -> show recognized args and locals in procedure / comments for odbg 2.01h

greenoaktree

March 6th, 2013, 10:15

I saw this keygenme was solved by hepL3r in http://www.crackmes.de
see here:http://www.crackmes.de/users/revme/szi_keygenme/solutions/hepl3r/browse/tut.txt

opc0d3

March 17th, 2013, 16:54

yeah!! i saw it there too.. but it's so complicate.. haha i could fish the serial..
But understand how keygen it.. THAT's complicate like hell... haha

Thanks.. i think i need to crack more and then learning more and more to start keygening..

if you have some tip or advise to me i'll appreciate..

thanks a lot..

Indy

March 23rd, 2013, 08:11

IDA dont true(is bad). Graph useless.

Quote:

yeah!! i saw it there too.. but it's so complicate.. haha i could fish the serial..
But understand how keygen it.. THAT's complicate like hell... haha

Stop the using drugs

Study.

Indy

March 23rd, 2013, 08:37

Code:

	%NTR TPROC, R0



TPROC:

	%GPAL MOD_USER32, 5B9E46FEH	; @MessageBoxA() -> TR0

		

	%ICDT$ R1, "VM"



	%ICDT$ R2, "Hello"



	OP VM_SPUSH

		BYTE 4	; N

		%SDB MB_OK

		%SDR R1

		%SDR R2

		%SDB NULL	; HMOD



	%SCALL R0, 4



	OP VM_ET

vm: hello world

2743