
View Full Version : Newbie Crackme


Hoof Arted
December 28th, 2001, 08:13
Hi all,

I came across this crackme and it interests me as it would make a very good storming session. The object of the crackme is to complete all 5 stages and keygen where required.

There is no file protection and it appears to have been coded in ASM. It would be nice if a few of us could get involved here and maybe a few of the more experienced guys could show us how to rip the algorithms from the file and use them in a keygen. A keygen could be programmed in any other language but it would be better to see how the algo is ripped.

I have already passed the first two stages (without keygenning the first) and have got a bit stuck on the third, I will get there though. Have a look and see if you think it might be worth the effort.

Hoof

Hoof Arted
December 28th, 2001, 08:14
Cannot get the file up, 3k too big.

Viper
December 28th, 2001, 09:39
can u upload it to another site and link it?

Hoof Arted
December 28th, 2001, 11:45
Ok, here it is.

h**p://royalaxx.host.sk/files/tutorial/ra_crckm2-nob.zip

I think it is interesting anyway. Newbies will like it as it has several levels. The object, is to sniff and keygen as per the NFO.

Keen to hear some comments, especially on the 3rd stage.

Hoof

Viper
December 28th, 2001, 15:32
when downloaded it comes back as a bad zip

ZaiRoN
December 28th, 2001, 16:15
which browser are you using?
I had the same problem using Opera.
strange but Explorer works well...

ZaiRoN

Viper
December 28th, 2001, 16:39
using IE 6 here
finally now I got the file

Hoof Arted
December 29th, 2001, 12:24
Stage 1

It would appear as though all the action happens here:

00403F57 . FF15 30F34300 CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>; \GetDlgItemTextA
00403F5D . 8BF0 MOV ESI,EAX
00403F5F . 83FE 02 CMP ESI,2
00403F62 . 8935 40CA4300 MOV DWORD PTR DS:[43CA40],ESI
00403F68 . 0F8C 22010000 JL ra_crckm.00404090
00403F6E . 83FE 23 CMP ESI,23
00403F71 . 0F8F 19010000 JG ra_crckm.00404090
00403F77 . BA 01000000 MOV EDX,1
00403F7C . 33C9 XOR ECX,ECX
00403F7E . 85F6 TEST ESI,ESI
00403F80 . 8915 18794300 MOV DWORD PTR DS:[437918],EDX
00403F86 . 7E 40 JLE SHORT ra_crckm.00403FC8
00403F88 . BF 60C94300 MOV EDI,ra_crckm.0043C960 ;ASCII "Hoof Arted"
00403F8D . 4F DEC EDI
00403F8E > 83F9 12 CMP ECX,12
00403F91 . 7D 2F JGE SHORT ra_crckm.00403FC2
00403F93 . 69D2 7ED31252 IMUL EDX,EDX,5212D37E
00403F99 . 0FBE440F 01 MOVSX EAX,BYTE PTR DS:[EDI+ECX+1] ;Next chr to EAX
00403F9E . 41 INC ECX ;Next chr
00403F9F . C1FA 09 SAR EDX,9
00403FA2 . 81E2 80CFCFFF AND EDX,FFCFCF80
00403FA8 . 0FAFC2 IMUL EAX,EDX
00403FAB . 40 INC EAX
00403FAC . 35 9F9F0000 XOR EAX,9F9F
00403FB1 . C1C0 05 ROL EAX,5
00403FB4 . 0FAFC1 IMUL EAX,ECX
00403FB7 . 99 CDQ
00403FB8 . 33C2 XOR EAX,EDX
00403FBA . 2BC2 SUB EAX,EDX
00403FBC . 3BCE CMP ECX,ESI ;Reached end of Username ?
00403FBE . 8BD0 MOV EDX,EAX
00403FC0 .^7C CC JL SHORT ra_crckm.00403F8E ;Not, so go back to f8e

When the name is received, it cycles through one character at a time and does its little magic trick on the value of EAX. It then compares the hex value of your entered serial with the value in EAX. In my case, "Hoof Arted" = 72467A80 so I would need to enter the serial "1917221504" to pass Stage 1.

Now, following the little algo used above, it is quite easy to see what it is doing and you could probably sit and work it out with a calculator. Trying to code it is another thing. I will try to work on a Visual Basic keygen (only language I know); the problem is that it cannot handle large numbers easily.

This is where the ripping of the algo comes in. It would be great to see a little tutorial on how to rip the asm and create a keygen. Any takers?


Stage 2

Stage 2 is a "password" stage but the password is not hardcoded. You need to "beat" the algo. The action happens here:

00403CFA . FF15 2CF34300 CALL DWORD PTR DS:[<&USER32.GetDlgItemIn>; \GetDlgItemInt
00403D00 . 8BC8 MOV ECX,EAX
00403D02 . 81F9 78563412 CMP ECX,12345678
00403D08 . 890D 1C794300 MOV DWORD PTR DS:[43791C],ECX
00403D0E . 7D 1B JGE SHORT ra_crckm.00403D2B


Above we can see that the hex value of our serial is tested for >= 0x12345678. So we meet the first criterion by entering, as a password, "305419896". This then enables us to go to the next part of the checking routine.


00403D2B > B8 EFCB6672 MOV EAX,7266CBEF
00403D30 . 890D C0C84300 MOV DWORD PTR DS:[43C8C0],ECX
00403D36 . F7E9 IMUL ECX
00403D38 . 8BC2 MOV EAX,EDX
00403D3A . C1F8 14 SAR EAX,14
00403D3D . 8BD0 MOV EDX,EAX
00403D3F . C1EA 1F SHR EDX,1F
00403D42 . 03C2 ADD EAX,EDX
00403D44 . 25 452E0000 AND EAX,2E45
00403D49 . 03C1 ADD EAX,ECX
00403D4B . 35 15180000 XOR EAX,1815
00403D50 . 03C1 ADD EAX,ECX
00403D52 . 25 82790000 AND EAX,7982
00403D57 . 03C1 ADD EAX,ECX
00403D59 . 25 9A810000 AND EAX,819A
00403D5E . 03C1 ADD EAX,ECX
00403D60 . A3 CCC84300 MOV DWORD PTR DS:[43C8CC],EAX
00403D65 . 05 F07FFFFF ADD EAX,FFFF7FF0
00403D6A . 3BC1 CMP EAX,ECX (ECX = 12345678, EAX = 1233D700)

It stores a copy of our entered serial and proceeds to run a little algo. The end result is then compared to our serial again. This is quite a strange thing, as how can what we enter be the same as the serial that has been changed? I sort of got this by chance. A bit of zen helped me I suppose, but just check this out.

You enter serial 0x12345678 and the modified version is then 1233D700. No match there.

The difference between these two is 7F78. Don't know if it means anything but add it to your 0x12345678 and you get 0x1234D5F0. Convert to dec and enter it as a password and you will see EAX = 1234D5F0, ECX = 1234D6F0 (close).

The difference again is 0x0100. Add this to serial and you have your required password.

To complete stage 2, the password is 305452784. Now, I am sure, due to the way the calculation is done, that there are possibly other passwords that would work. I have not checked. Any mathematical geniuses could give some input?

That is as far as I have gone. I will be working on the other stages when I can and will be trying to keygen the first stage. My source code will be attached. Don't care if you don't like VB.

Hoof

Rage9
December 29th, 2001, 15:11
Well I'm on the case, post a keygen as soon as I get to it. Hoof Arted, you should have put a warning or something, I wanna figure it out too!! But good job!

-Rage

Hoof Arted
December 29th, 2001, 15:27
Rage, I thought about posting the info I have. This way, it is sort of a tutorial for those who know a lot less than me but at the same time, generates interest in the remaining 3 tasks.

For those who are actually following this thread, it is in your best interest to look at all the data and see HOW it works, and not that it does work. I am very keen to see what others do with Stage 3 and onwards. I will not post direct answers to the remaining tasks until you guys have made some progress.

Have a good time.

Hoof

Rage9
December 29th, 2001, 15:49
Finished level one and read your comments. I would be more than happy to walk you guys through making an assembly keygen, I did it for javilins. On to stage 2...

-Rage

Rage9
December 29th, 2001, 16:44
level 2 is some odd sheet, but I think I can clear something up....

Code:

00403CFA . FF15 2CF34300 CALL DWORD PTR DS:[<&USER32.GetDlgItemIn>; \GetDlgItemInt
00403D00 . 8BC8 MOV ECX,EAX
00403D02 . 81F9 78563412 CMP ECX,12345678 ;your password has to be at LEAST that big in hex
00403D08 . 890D 1C794300 MOV DWORD PTR DS:[43791C],ECX
00403D0E . 7D 1B JGE SHORT ra_crckm.00403D2B


00403D2B > B8 EFCB6672 MOV EAX,7266CBEF
00403D30 . 890D C0C84300 MOV DWORD PTR DS:[43C8C0],ECX
00403D36 . F7E9 IMUL ECX
00403D38 . 8BC2 MOV EAX,EDX
00403D3A . C1F8 14 SAR EAX,14
00403D3D . 8BD0 MOV EDX,EAX
00403D3F . C1EA 1F SHR EDX,1F
00403D42 . 03C2 ADD EAX,EDX
00403D44 . 25 452E0000 AND EAX,2E45

;everything above simply clears EAX and EDX, queer huh? a couple of xor's would have done it just fine...

;Below is the routine... ECX holds your entered serial

00403D49 . 03C1 ADD EAX,ECX
00403D4B . 35 15180000 XOR EAX,1815
00403D50 . 03C1 ADD EAX,ECX
00403D52 . 25 82790000 AND EAX,7982
00403D57 . 03C1 ADD EAX,ECX
00403D59 . 25 9A810000 AND EAX,819A
00403D5E . 03C1 ADD EAX,ECX
00403D60 . A3 CCC84300 MOV DWORD PTR DS:[43C8CC],EAX
00403D65 . 05 F07FFFFF ADD EAX,FFFF7FF0
00403D6A . 3BC1 CMP EAX,ECX (ECX = 12345678, EAX = 1233D700)



basically it does nothing but perform a few calculations to see if your serial is within the routine.... so basically if you xor your serial with 1815, and add your original serial to that, then add your serial with 7982(h) and then with your original serial again and then AND eax (which is your current serial in generation) with 819A(h), add eax with your original serial again and add FFFF7FF0(h) to it you will find out if it falls within the routine... maybe I'll write a program to figure it out...
(h) = hex

Well I'm outta here for now... onto level 3...

-Rage

Rage9
December 29th, 2001, 19:29
I decided to code the program (which doesn't really work too well, without a debugger you can't tell what the values are.... and it gets into a weird loop..).
Here are a few more that will work for Level 2 (tested and approved):

305422032
305427472
305446928
305427472
305739248

once I rework the program I'll see how many there are, but how many do you need for a keygen huh?

Off to level 3 woo!

-Rage

ThrawN
December 30th, 2001, 09:06
We can almost copy the algo exactly as it is =) w00t I love asm.
-----------------------------------
mov edx, 1
mov esi, namelength
mov edi, name
xor ecx, ecx
calc:
cmp ecx, 12h ; Calculates only 12 characters of the name
jge finish
imul edx, 5212D37Eh ; Simple maths
movsx eax, byte ptr [edi+ecx] ; move character into EAX
inc ecx
sar edx, 9
and edx, ffcfcf80h
imul eax, edx
inc eax
xor eax, 9f9fh
rol eax, 05
imul eax, ecx
cdq
xor eax, edx
sub eax, edx
mov edx, eax
cmp ecx, esi
jl calc

finish:
; EDX is our calculated serial. Use wsprintf and use whatever you want to display the serial =)
----------------------------------

Make whatever changes you need to get it to work in your assembler. I prefer MASM.
Step 2 will come later, I had a theory for a keygen but further testing proved it wrong heh. Brute forcer works fine but sucks.

ZaiRoN
December 30th, 2001, 11:46
the valid serials follow a specific cyclic scheme.
these are all valid serials (numbers in dec):

- 305422032 305422033 305422036 305422037
add 32 to 305422032 and you'll find:
- 305422064 305422065 305422068 305422069
add 288 to 305422064 and you'll find:
- 305422352 ...
+32 to 305422352:
- 305422384 ...
+160 to 305422384:
- 305422544 ...

+32, +288, +32, +160, +32, +288 and so on...
so, there are a lot of valid serials.

ZaiRoN
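Added worked example, not code from the thread or from the crackme's author: a straight Python port of the stage 1 loop (00403F8E-00403FC0) and the stage 2 block (00403D2B-00403D6A) from the listings Hoof and Rage9 posted, written to check the reading of those listings against the values quoted in the thread (0x12345678 -> 0x1233D700, the 305452784 password, Rage9's extra serials and ZaiRoN's cycle). The function names are mine; the 2..0x23 length window comes from the CMP ESI,2 / CMP ESI,23 checks; treating the typed serial as a decimal integer is an assumption (it is what Hoof's "1917221504" implies).

```python
# Added example, not the thread's or the crackme author's code: a Python port
# of the stage 1 and stage 2 routines from the listings above.
from typing import List, Optional

MASK32 = 0xFFFFFFFF


def to_signed32(v: int) -> int:
    """Read a 32-bit pattern as the signed value the CPU sees in a register."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def rol32(v: int, n: int) -> int:
    """ROL on a 32-bit register."""
    v &= MASK32
    return ((v << n) | (v >> (32 - n))) & MASK32


def stage1_serial(name: str) -> Optional[int]:
    """Loop at 00403F8E-00403FC0. Returns the value EDX holds when the loop ends,
    or None when the name length fails the CMP ESI,2 / CMP ESI,23 checks."""
    data = name.encode("latin-1")
    esi = len(data)
    if esi < 2 or esi > 0x23:
        return None
    edx, ecx = 1, 0                                # MOV EDX,1 / XOR ECX,ECX
    while ecx < 0x12:                              # CMP ECX,12 / JGE: at most 18 chars count
        edx = (edx * 0x5212D37E) & MASK32          # IMUL EDX,EDX,5212D37E
        eax = data[ecx]                            # MOVSX EAX,BYTE PTR [EDI+ECX+1]; EDI = name-1
        if eax & 0x80:
            eax -= 0x100                           # sign-extend the byte
        ecx += 1                                   # INC ECX
        edx = (to_signed32(edx) >> 9) & MASK32     # SAR EDX,9
        edx &= 0xFFCFCF80                          # AND EDX,FFCFCF80
        eax = (eax * edx) & MASK32                 # IMUL EAX,EDX (low dword kept)
        eax = (eax + 1) & MASK32                   # INC EAX
        eax ^= 0x9F9F                              # XOR EAX,9F9F
        eax = rol32(eax, 5)                        # ROL EAX,5
        eax = (eax * ecx) & MASK32                 # IMUL EAX,ECX
        eax = abs(to_signed32(eax)) & MASK32       # CDQ / XOR EAX,EDX / SUB EAX,EDX == |EAX|
        edx = eax                                  # MOV EDX,EAX
        if ecx >= esi:                             # CMP ECX,ESI / JL 00403F8E
            break
    return edx


def stage1_check(name: str, typed_serial: str) -> bool:
    """Assumption: the typed serial is read as a decimal number and compared with EAX."""
    expected = stage1_serial(name)
    return expected is not None and typed_serial.isdigit() and int(typed_serial) == expected


def stage2_transform(ecx: int) -> int:
    """Block 00403D2B-00403D65: the EAX that is compared with ECX at 00403D6A."""
    ecx &= MASK32
    prod = to_signed32(0x7266CBEF) * to_signed32(ecx)   # IMUL ECX -> signed 64-bit EDX:EAX
    eax = (prod >> 32) & MASK32                          # MOV EAX,EDX (high dword)
    eax = (to_signed32(eax) >> 0x14) & MASK32            # SAR EAX,14
    eax = (eax + (eax >> 31)) & MASK32                   # MOV EDX,EAX / SHR EDX,1F / ADD EAX,EDX
    eax &= 0x2E45                                        # AND EAX,2E45
    eax = (eax + ecx) & MASK32                           # ADD EAX,ECX
    eax ^= 0x1815                                        # XOR EAX,1815
    eax = (eax + ecx) & MASK32                           # ADD EAX,ECX
    eax &= 0x7982                                        # AND EAX,7982
    eax = (eax + ecx) & MASK32                           # ADD EAX,ECX
    eax &= 0x819A                                        # AND EAX,819A
    eax = (eax + ecx) & MASK32                           # ADD EAX,ECX
    return (eax + 0xFFFF7FF0) & MASK32                   # ADD EAX,FFFF7FF0


def stage2_check(password: int) -> bool:
    """CMP ECX,12345678 / JGE gate (signed), then CMP EAX,ECX after the transform."""
    ecx = password & MASK32
    if to_signed32(ecx) < 0x12345678:
        return False
    return stage2_transform(ecx) == ecx


def stage2_valid_in_range(lo: int, hi: int) -> List[int]:
    """Every password in [lo, hi) that passes stage 2 (Rage9's brute-force idea)."""
    return [p for p in range(lo, hi) if stage2_check(p)]


if __name__ == "__main__":
    serial = stage1_serial("Hoof Arted")
    print("stage 1 for 'Hoof Arted': %d (0x%08X)" % (serial, serial))
    print("stage 2 0x12345678 ->", hex(stage2_transform(0x12345678)))
    print("stage 2 valid 305422032..305422400:", stage2_valid_in_range(305422032, 305422400))
```

Running the file prints the stage 1 serial for "Hoof Arted" (the thread reports 0x72467A80 = 1917221504 for that name) and the stage 2 passwords in the range ZaiRoN listed. For passwords close to 0x12345678 the IMUL/SAR/AND 2E45 prefix comes out as 0, so the stage 2 check reduces to ((x + a) & 0x819A) == 0x8010 with a = ((x ^ 0x1815) + x) & 0x7982, which depends only on the low 16 bits of x; that is why the valid passwords repeat in the +32/+288/+160 pattern he describes.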

Hoof Arted
December 30th, 2001, 11:50
This is very good stuff. I just hope that you are all making notes as a full tutorial for newbies would be a good idea.

I am still stuck on stage 3, but will deliver a report on what I have found soon.

Hoof

Rage9
December 30th, 2001, 19:13
lol, I'm getting closer, I would be done if I didn't have to work, but I have a general format for the serial:

rA-xxxxxxxx-xxxxxxxx-xxxxxxxx


anyways the x's must be of hex value equal to or less than the letter F in just that case.

It first checks that it is 1D(h) letters long, then for the 'r', then the 'A' and finally for the three '-'s, and then splits up the routine into 3 separate memory locations.... trying to figure out the rest... will have it done soon...

-Rage9

Rage9
December 30th, 2001, 19:48
I'm kinda 'zen-ing' my way through the encryption code, and I think I just hit a rock....

I trace through the code but it is taking forever so I just breakpoint on the cmp routine at the end of the serial routine and take a look where it's being stored... I convert the 3 sections of hex into dec and plug them in.... and it didn't work.... so I ran it with the serial I 'thought' was it in there, breakpointed on the end and took a look.... it was a different serial... hypothesis:

It's a lot like stage 2, only with your name mixed in there, ouch!
the routine is not small at all either!!! well I think I'm done for tonight, I'll pick it up tomorrow...

-Rage

Hoof Arted
December 31st, 2001, 04:53
This is really starting to get to me now. It would appear as though the programmer has copied code from system DLLs and things to limit the use of function calls. This is what is catching us. I think that the best way to tackle this problem is to see what each call in stage 3 does. Here is a bit of info I have:

004039C2 . 68 B8C94300 PUSH ra_crckm.0043C9B8
004039C7 . 6A 10 PUSH 10
004039C9 . 68 D0C94300 PUSH ra_crckm.0043C9D0 ; ASCII "12345678"
004039CE . 890D B4C84300 MOV DWORD PTR DS:[43C8B4],ECX
004039D4 . E8 773D0100 CALL ra_crckm.00417750
004039D9 . 68 BCC94300 PUSH ra_crckm.0043C9BC
004039DE . 6A 10 PUSH 10
004039E0 . 68 E0C94300 PUSH ra_crckm.0043C9E0 ; ASCII "77777777"
004039E5 . E8 663D0100 CALL ra_crckm.00417750
004039EA . 68 C0C94300 PUSH ra_crckm.0043C9C0
004039EF . 6A 10 PUSH 10
004039F1 . 68 F0C94300 PUSH ra_crckm.0043C9F0 ; ASCII "0ABCDEF1"
004039F6 . E8 553D0100 CALL ra_crckm.00417750
004039FB . A1 BCC94300 MOV EAX,DWORD PTR DS:[43C9BC] ; Section 2 to EAX but it is now "37777777"
00403A00 . 8B0D B8C94300 MOV ECX,DWORD PTR DS:[43C9B8] ; Section 1 to ECX is still "12345678"
00403A06 . 68 E4C84300 PUSH ra_crckm.0043C8E4
00403A0B . 50 PUSH EAX
00403A0C . 51 PUSH ECX
00403A0D . E8 7E560100 CALL ra_crckm.00419090 ; XOR EAX and ECX - Result in EDX
00403A12 . 8B15 C0C94300 MOV EDX,DWORD PTR DS:[43C9C0] ; Section 3 to EDX is still "0ABCDEF1"
00403A18 . A1 E4C84300 MOV EAX,DWORD PTR DS:[43C8E4] ; XOR'ed total to EAX
00403A1D . 68 E8C84300 PUSH ra_crckm.0043C8E8
00403A22 . 52 PUSH EDX
00403A23 . 50 PUSH EAX
00403A24 . E8 B7BF0000 CALL ra_crckm.0040F9E0 ; Something is done with values. Total in EAX is "049F4A96"

The call "CALL ra_crckm.00417750" would appear to be nothing more than a function to push the literal hex value of our serial parts to memory. But, it does something strange. The "77777777" I originally entered for part 2 of my serial is now "37777777". This could just be due to size issues. Any info?


The second call of interest is "CALL ra_crckm.00419090". This appears to be used to XOR the first and second part of my serial.

The third call, I have no idea. Looks like some floating point math going on there but I am not sure.

Hoof

Rage9
December 31st, 2001, 14:49
I'm moving in for the kill, I found the routine.... I think.... but I wanna help you with the above part, it's quite simple really:

Code:

004039C2 . 68 B8C94300 PUSH ra_crckm.0043C9B8
004039C7 . 6A 10 PUSH 10
004039C9 . 68 D0C94300 PUSH ra_crckm.0043C9D0 ; ASCII "12345678"
004039CE . 890D B4C84300 MOV DWORD PTR DS:[43C8B4],ECX
004039D4 . E8 773D0100 CALL ra_crckm.00417750

;Above call sends 12345678 to the routine to see if it falls within the encryption.... just like stage 2

004039D9 . 68 BCC94300 PUSH ra_crckm.0043C9BC
004039DE . 6A 10 PUSH 10
004039E0 . 68 E0C94300 PUSH ra_crckm.0043C9E0 ; ASCII "77777777"
004039E5 . E8 663D0100 CALL ra_crckm.00417750

;same thing only with '77777777'

004039EA . 68 C0C94300 PUSH ra_crckm.0043C9C0
004039EF . 6A 10 PUSH 10
004039F1 . 68 F0C94300 PUSH ra_crckm.0043C9F0 ; ASCII "0ABCDEF1"
004039F6 . E8 553D0100 CALL ra_crckm.00417750

;again the call to the routine with 0ABCDEF1


The tracing of the call is a bitch, but here is how I found what I think is the routine (I use OllyDbg, it is awesome!): just keep holding F7 to step through the code and then when I see the serial being written to memory, breakpoint on it and at the start of the routine... now I'm not totally sure if I'm in the right spot but I'm pretty sure because it gets broken on a hell of a lot...

l8er

-Rage

Rage9
December 31st, 2001, 14:59
Ok, start tracing at 0040D100, that is the start... it's written to memory at ... 0040D133, it's really long, lots of calls.. hehe


-Rage

Hoof Arted
January 7th, 2002, 07:05
I am officially stuck on stage 3. Would it be possible for someone who has done this more than I have to have a look and see what is going on ?

Viper
January 7th, 2002, 21:57
If I'm reading this right the numbers, or is it, go through a final one-sided check, see:

:0040394A 8A81D0C94300 MOV AL,[ECX+0043C9D0]
:00403950 3C2F CMP AL,2F
:00403952 7E04 JLE 00403958
:00403954 3C3A CMP AL,3A
:00403956 7C18 JL 00403970
:00403958 3C40 CMP AL,40
:0040395A 7E04 JLE 00403960
:0040395C 3C47 CMP AL,47
:0040395E 7C10 JL 00403970
:00403960 3C60 CMP AL,60
:00403962 0F8E49010000 JLE 00403AB1
:00403968 3C67 CMP AL,67
:0040396A 0F8D41010000 JGE 00403AB1


now am I wrong or does this show that if AL is less or equal to 60h or 96 ASCII or " ' " then it should jump to the bad boy
also I think it shows that if it is greater or equal to 67h or 103 ASCII or "g" then it should jump to the bad boy again

if I'm right the x's in rA-xxxxxxxx-xxxxxxxx-xxxxxxxx should be the letters a,b,c,d,e,f.

so would this be right or did I just jump the fence in left field and run into traffic

oh I almost forgot, it does this for each of the three groups

Viper
January 7th, 2002, 22:12
BTW I found the start at 4038A2

Hoof Arted
January 8th, 2002, 03:49
You are somewhat correct.

As far as I can tell, the serial has to be of the same format but the characters can be 0 - 9 and A - F. (Must be upper case - for conversion to hex value)

My previous posts show what happens next. It would be nice if the writer of this crackme was able to give some info on this as it is interesting the way he has done things.

Hoof

PS. If Stage 3 is considered easy, then stage 4 and 5 are going to make us stop reversing altogether.

Rage9
January 8th, 2002, 16:01
sheet man, there's two more levels?? sorry I kinda took a break to catch up on some misc. things, but I'll jump back in and see if we can't figure this out...

-Rage

Rage9
January 8th, 2002, 16:05
oh I forgot, theoretically we COULD cheat and figure out a serial the way we figured out one for level 2 (just keep adding the differences until we get the right one....), and just skip this and move on.... up to you guys I guess, I would prefer though that we figure it out and keygen it... l8er

-Rage

Viper
January 8th, 2002, 22:05
ok what I don't get is why it compares to G
I see what you mean about 0-9 but the hex value for "A" is greater than it is for "a" so that would make it jump to the bad boy address

does anybody else see it this way too
0-9
G
a-f
I think that's all it really wants to see

once it finds G it just goes to the next call, otherwise it continues to check lowercase a-f


conversion of letters and numbers can take place whether they're upper or lower case, it just returns a different hex code

ie:
A = 41h
a = 61h

also while deep deep in the many calls I found it using what I entered in stage 1

could it be using previous stages to figure the serial in the current stage??

Viper
January 9th, 2002, 20:49
Just taking a chance to correct myself, please correct this if it's wrong, trying to figure the third one out. It's getting to me too.

ok here goes: this checks if you're between 0-9 [including 0 and 9]

:00403950 3C2F CMP AL,2F " / " one up is 0
:00403952 7E04 JLE 00403958
:00403954 3C3A CMP AL,3A " : " one down is 9
:00403956 7C18 JL 00403970

this checks to see if we're between A-F [again including A and F]

:00403958 3C40 CMP AL,40 " @ " one up is A
:0040395A 7E04 JLE 00403960
:0040395C 3C47 CMP AL,47 " G " one down is F
:0040395E 7C10 JL 00403970

this checks to see if we're between a-f [including a and f]

:00403960 3C60 CMP AL,60 " ` " one up is a
:00403962 0F8E49010000 JLE 00403AB1
:00403968 3C67 CMP AL,67 " g " one down is f
:0040396A 0F8D41010000 JGE 00403AB1

any thoughts on this??

Hoof Arted
January 10th, 2002, 04:06
Ok, I now understand why you say that you can use lower case chars.

As far as I understand it, the app calls a function to send back the hex value of each CHR, i.e. 1A2B3c4d = 0x1A2B3C4D. So I suppose it does not matter if the chars are lowercase or not.

Hoof
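Added worked example, not the crackme's code or anyone's in the thread: a Python check of the stage 3 serial layout as the thread has pieced it together so far, using Rage9's format and 1Dh length (29 = "rA-" + 8 + 1 + 8 + 1 + 8, which matches the rA-xxxxxxxx-xxxxxxxx-xxxxxxxx shape), the per-character compare chain Viper traced at 0040394A-0040396A, and the case-insensitive conversion to a dword Hoof describes. Function names and the choice of sample serials are mine; what the app does with the three dwords afterwards is not modelled here.

```python
# Added example, not the crackme's code: stage 3 serial layout and hex-digit
# check as reconstructed in the thread (Rage9, Viper, Hoof).
from typing import Optional, Tuple

SERIAL_LEN = 0x1D        # 29 = len("rA-") + 8 + 1 + 8 + 1 + 8
DASH = ord("-")


def al_is_hex_digit(al: int) -> bool:
    """Port of the compare chain at 0040394A-0040396A. Every Jcc there is a
    signed jump, so a byte >= 0x80 reads as negative, fails all three ranges
    and ends at the bad-boy label 00403AB1 like any other non-hex character."""
    if al & 0x80:
        al -= 0x100                      # what CMP AL,imm8 followed by JLE/JL/JGE compares
    if 0x2F < al < 0x3A:                 # CMP AL,2F / JLE, CMP AL,3A / JL  -> '0'..'9'
        return True
    if 0x40 < al < 0x47:                 # CMP AL,40 / JLE, CMP AL,47 / JL  -> 'A'..'F'
        return True
    return 0x60 < al < 0x67              # CMP AL,60 / JLE, CMP AL,67 / JGE -> 'a'..'f'


def parse_stage3_serial(serial: str) -> Optional[Tuple[int, int, int]]:
    """Layout check, then the three groups as the dwords the app goes on to use.
    Returns None anywhere the app would jump to the bad boy."""
    data = serial.encode("latin-1", errors="replace")
    if len(data) != SERIAL_LEN:          # length must be 1Dh
        return None
    if data[:3] != b"rA-" or data[11] != DASH or data[20] != DASH:
        return None                      # 'r', 'A' and the three '-' positions
    groups = (data[3:11], data[12:20], data[21:29])
    for group in groups:
        if not all(al_is_hex_digit(b) for b in group):
            return None
    # int(..., 16) takes either case, which is Hoof's "1A2B3c4d = 0x1A2B3C4D"
    s1, s2, s3 = (int(group, 16) for group in groups)
    return s1, s2, s3


if __name__ == "__main__":
    # constructed sample serials: Hoof's test values, a mixed-case one, a bad digit
    for candidate in ("rA-12345678-77777777-0ABCDEF1",
                      "rA-1a2b3C4d-00000000-ffffffff",
                      "rA-1234567G-77777777-0ABCDEF1"):
        print(candidate, "->", parse_stage3_serial(candidate))
```

The first sample gives the three dwords 0x12345678, 0x77777777 and 0x0ABCDEF1 that Hoof watched being pushed at 004039C2-004039F6; the mixed-case one is accepted because the chain takes both 'A'..'F' and 'a'..'f'; 'G' fails at the CMP AL,47 / JL step and the whole serial is rejected.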

Hoof Arted
January 13th, 2002, 09:32
I am following your instructions and I am trying to rip the ASM as you have shown. I am using RadASM to do the keygen but it is having a problem with the line "AND EDX,ffcfcf80h"

The error is "Test.asm(104) : error A2006: undefined symbol : ffcfcf80h"

Any suggestions???

ZaiRoN
January 13th, 2002, 09:40
try this:

and edx, 0ffcfcf80h

ZaiRoN

Hoof Arted
January 13th, 2002, 09:59
100% - Thanks

ZaiRoN
January 13th, 2002, 17:01
as we already know, the serial is something like this: rA-s_1-s_2-s_3
the fundamental thing in this level is how the "call 417750" manages our s_i (i=1,2,3).
the returned values of this call are 3 dwords:
1° dword 0000000b
2° dword s_i'
3° dword 0000000b'
where (values in hex):
- b=1, b'=0 if (s_i < 40000000) or
- b=2, b'=1 if (s_i < 80000000) and obviously s_i >3fffffff
- b=2, b'=2 if (s_i < 40000000) and..
- b=3, b'=3 if otherwise

but what's s_i'? I wrote it because if s_i < 40000000 then s_i is modified in some way (for the moment it doesn't interest us); otherwise s_i' = s_i.

after that, 4 calls:
- call 419090: takes s_1' and s_2' as input and makes foo = (s_1 xor s_2). then converts foo into "b foo' b'" as before

- call 40f9e0: takes s_3' and serial_level1 (oh yes... look in the first part of this level, you'll find some lines of code used in level 1) and returns a particular value:
if s_3 > tot (I don't know yet the specific value of tot but 60000000 < tot < 70000000...) the returned value is "b foo' b'"
if s_3 < tot it's another story...

- call 40d100: converts serial_level1 into the right format (b serial_level1' b')

- call 40d840: compares "b foo' b'" with "b serial_level1' b'" and if they are equal we are registered

so, now you can find a right name/serial combo but the level still isn't complete!
in particular: if s_3 < tot, what happens??? the answer is in the "call 40f9e0".

for the moment that's all. it's not very detailed because I haven't spent much time on it but (I think) it could be a good starting point for the final goal

ciao,
ZaiRoN

Viper
January 13th, 2002, 19:24
man I hate FPU code
has anybody else found this in the code as well??

.text:0040F9E0 sub esp, 10h
.text:0040F9E3 fld dbl_434C50
.text:0040F9E9 fcomp ds:dbl_432008
.text:0040F9EF push ebx
.text:0040F9F0 push ebp
.text:0040F9F1 push esi
.text:0040F9F2 mov esi, [esp+1Ch+arg_8]
.text:0040F9F6 push edi
.text:0040F9F7 mov eax, [esi]

I haven't had much experience with the FPU although I've downloaded the manual from Intel.

anybody here good with this??
BTW this is only a sample of what I found but it is part of the 3rd level crackme

ok seems somebody has seen it judging by the reference to 40f9e0

ZaiRoN
January 13th, 2002, 19:40
oh yes!
what you have posted is only the beginning... in that call you will find many more FPU instructions....
btw, we are here to learn so put here the code that gives you problems and someone (I hope) will help you

ZaiRoN

Rage9
January 14th, 2002, 02:25
where can I get a manual on the FPU? I have never heard of it until now, no wonder this has us all going bloody insane.........

-Rage

Viper
January 14th, 2002, 05:54
h**p://developer.intel.com/design/pentium4/manuals/245471.htm

Viper
January 14th, 2002, 17:32
hope somebody can make sense of it
naturally I can copy what the calls mean from the manual but what do they mean/do??

.text:0040CF80 ; sub_40F470+2Ep ...
.text:0040CF80 fld ds:dbl_432010
.text:0040CF86 fcomp ds:dbl_432018
.text:0040CF8C fld ds:dbl_432010
.text:0040CF92 fld ds:dbl_432018
.text:0040CF98 fstp dbl_434C50
.text:0040CF9E fnstsw ax
.text:0040CFA0 test ah, 40h
.text:0040CFA3 jnz short loc_40CFCC

Viper
January 19th, 2002, 01:46
anybody still working on this crackme??

maybe the senior members can point us in the right direction

Kythen
January 19th, 2002, 05:09
Hmmmmm... this is a newbie crackme? I can see why most are stuck at lvl 3 and up. That floating point code that Viper posted is from a function in freelip (a bigint package). I haven't taken any sort of close look at the code yet, but zen instinct says level 3 has a bit of crypto to it. I can see for sure that levels 4 and 5 do. Level 5 uses MIRACL though, not freelip. The crypto's caught my attention enough that I think I just might have to work on this one a bit and help you all out

[edit: Ok, level 3 is actually a very simple algorithm. It just looks all fugly because it uses freelip. Why the author used freelip for it, I don't know. It can be done entirely with 3 DWORDS. Anywho, for those of you working on this, I would suggest downloading freelip and miracl. You *will* need them for levels 4 and 5. Grabbing the pack of keygen sources and the crypto tools from tE! would be highly advisable as well. If anyone has any questions, just post 'em or PM me. ]

Cheers!
Kythen

Viper
January 19th, 2002, 20:49
when you say freelip and MIRACL, are these apps or source code in C++??

Kythen
January 20th, 2002, 00:04
Both are bigint C source code libraries. You can get MIRACL from:
f*p://ftp.compapp.dcu.ie/pub/crypto/miracl.zip
and freelip from:
h**p://www.und.nodak.edu/org/crypto/crypto/numbers/programs/freelip/freelip_1.1.tar.gz

Viper
January 20th, 2002, 00:18
thanks for the links