
View Full Version : My New KeygenMe --- Give it a try ;-)


GodsJiva
January 7th, 2002, 14:46
Aloha...

Just finished coding a nice keygenme, thought some people here might enjoy it!

[Get fixed version from first reply; scroll down]

Smile...

GodsJiva
January 8th, 2002, 21:33
gahh... PEditor's hardcore realign (just done to save a few bytes :P ) causes random crashes on some machines apparently...

here's the exe without realignment if yr having crashes. It's functionally the same as above, so if it dun crash for you, dun worry

free choccy biscuit for first person to keygen it, btw!

nikolatesla20
August 9th, 2002, 19:36
As you know, I have been working on this, and I posted some results in another thread.


Anyway, I did spot your hash, now that I think about it, hehheh it's the 32 char string, this is 256 bits.

Thanx for the tip maybe now I can figure it out.

-nt20

GodsJiva
August 9th, 2002, 19:38
Hehe, have fun

Lateral thinking!

nikolatesla20
August 9th, 2002, 19:39
I would not consider this a keygenme #1, I think it's too hard, it would be more like a number 5 or 6 in my opinion...

-nt20

GodsJiva
August 9th, 2002, 19:39
It was #1 cos it's my first. Not rated on any scale. crackmes.de gave it a 2/10! Seemed low

nikolatesla20
August 9th, 2002, 20:47
crackmes.de ?

Well maybe it's because they were just cracking it, not keygenning it? Cracking it would be simple, it's the keygen ...

Keygenning is just hard for me to get my head around sometimes, I am very very good at unpacking and even code injection (really good at code injection, as my logo indicates), but keygenning just always seems hard for me.

Maybe a person doesn't have to be good at everything...

-nt20

GodsJiva
August 9th, 2002, 21:24
Fair enough, I'm not complaining... you're only the second person to have a go.

Do whatever you want, whether you're good at it or not, as long as you enjoy it and maybe learn sth

banshee
August 18th, 2002, 09:40
Hi, GodsJiva!
Working on your keygenme. Finally, I think, I'm at the same point as nikolatesla20 described. Just one question: can the routine called at 00401639 be reversed, just theoretically? You said something about md5.
Anyway, very nice work. I studied a lot working on it.

GodsJiva
August 18th, 2002, 13:49
I'm glad you're enjoying it and you're learning something, that's what it was made for :-)

That is the md5 call, yes.

All you need to know is that it will produce a hash of whatever is passed to it, there isn't any way to reverse it, the chances of having two similar inputs giving the same md5 output is very very small, and it's far too slow to bruteforce.

Oh and also there is no need to brute force it or reverse it.

Welcome to the lateral thinking part of my keygenme

Look around!

nikolatesla20
August 21st, 2002, 22:01
Ok, I am back from vacation, and would not mind MAYBE taking some more time looking at this.

Now, as I explained before, I am not very experienced in keygenning. I've only done one so far, and I used TMG Ripper to rip it and it worked great !

However, I start to get lost in all the instructions after a while, it's not just necessarily the FPU stuff, that's not that hard altogether, just keeping track of where everything is gets frustrating to me after a while.

So, I ask GodsJiva, is there any way you can guide a new guy to keygen like me, with just a few clues in some way to your keygenme.

It's a well known fact you have to start small, and you said this is a keygen #1, so I am starting small, but I still can't get my head around it yet. As you saw before, I got some of it, but I start to get lost after a while. I know that there is some table translation going on (with xlat), and it appears to do some work on the first 8 chars of the serial. But I haven't nailed down the details.

My gut tells me ever since I started working on this thing, that the md5 hash stuff seems like a distraction. I mean the whole theory behind md5 is that no two message digests will be the same if even a little bit of the input changes. So how can you get the same hash from different user/ passwords? The program compares the generated hash to a hardcoded hash, you would have to have the exact same inputs I would think to get the exact same output, or at least take the input and somehow CONVERT it to a valid input to create the hash...

Can you give me a small trail to get back out of the woods? Not asking for answers, just some hints or clues or something. I realize now that the md5 routine won't be able to be worked with too much...

Thanks either way, I guess...

-nt20

GodsJiva
August 22nd, 2002, 13:54
> you said this is a keygen #1

It's only keygenme #1 cos it's the first one I wrote! Not on any scale of difficulty!


> but I start to get lost after a while.

I suggest you do what I do when I'm keygenning something... take it slow, work out each stage at a time, and WRITE EVERYTHING DOWN!


> or at least take the input and somehow CONVERT it to a valid input to create the hash...

*g* You'll like that bit. But as you say, not relevant yet

You were doing well with the equations and stuff... work out exactly what's going on in that section first. How much is input? How much is output? Which bits are lost?

I'm afraid this keygenme isn't very typical of things that are usually keygenned... simply because doing it logically is a head-fuck. In some parts looking at the details is absolutely necessary, in some parts its insane. That's why I made it.

Sorry to be so cryptic but I dun want to give too much away just yet. Take it slow, write things down, and think think think is my advice.

Hope you had a nice vacation btw


Anyone else out there trying this? How's your go coming, banshee?

Smile and Enjoy,

banshee
August 22nd, 2002, 15:59
Didn't have much time, but I'm still alive
Gonna continue on weekend.

banshee
August 26th, 2002, 09:34
OK I think I've found something interesting:
after comparing two hash strings there is "call ecx", and at ecx there is the md5 input string converted to hex. One thing: the string must be valid instructions (4 bytes); it must set eax to 1 and return. The most simple is

xor eax, eax
inc eax
ret

but it doesn't seem to be valid. Am I on the right track?

cyberheg
August 26th, 2002, 09:47
You are correct and it is the only real solution, just remember to encode the message in the correct form (hint: use uppercase) and you're one step further.

// CyberHeg
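
Added example (not code from the thread or the keygenme): a Python check of the requirement banshee describes and of cyberheg's case hint. It assumes the 4 instruction bytes are hex-encoded as an 8-character string, that the binary hashes that text rather than the raw bytes, and it stands in for the hardcoded hash with a constructed value, since the real one is only in the binary.

```python
import hashlib

# Minimal decoder for the only instructions this stub needs (standard x86 encodings).
# The stub at ecx must set eax to 1 and return; this checks a candidate without executing it.
OPCODES = {
    b"\x31\xc0": "xor eax, eax",
    b"\x33\xc0": "xor eax, eax",   # alternative encoding of the same instruction
    b"\x40": "inc eax",
    b"\xc3": "ret",
}


def disassemble_stub(code: bytes) -> list[str]:
    """Decode a byte string made only of the instructions above; reject anything else."""
    out, i = [], 0
    while i < len(code):
        for enc, mnemonic in OPCODES.items():
            if code.startswith(enc, i):
                out.append(mnemonic)
                i += len(enc)
                break
        else:
            raise ValueError(f"unsupported opcode at offset {i}: {code[i]:02x}")
    return out


def stub_sets_eax_to_one(code: bytes) -> bool:
    """Track only eax: the stub is valid if it reaches ret with eax == 1."""
    eax = None  # unknown on entry
    for ins in disassemble_stub(code):
        if ins == "xor eax, eax":
            eax = 0
        elif ins == "inc eax":
            eax = None if eax is None else eax + 1
        elif ins == "ret":
            return eax == 1
    return False  # ran off the end without returning


def hash_candidate(hex_string: str) -> str:
    """The crackme hashes the text of the hex string, so letter case changes the digest."""
    return hashlib.md5(hex_string.encode("ascii")).hexdigest()


def check_serial_payload(hex_string: str, expected_md5: str) -> tuple[bool, bool]:
    """Return (hash_matches, code_valid) for a candidate hex payload."""
    return hash_candidate(hex_string) == expected_md5, stub_sets_eax_to_one(bytes.fromhex(hex_string))


# Constructed stand-in for the hardcoded hash; the real value is in the binary, not on the page.
EXPECTED = hash_candidate("31C040C3")

if __name__ == "__main__":
    for cand in ("31C040C3", "31c040c3", "33C040C3", "31C0C3"):
        print(cand, check_serial_payload(cand, EXPECTED))
```

The lowercase candidate decodes to identical bytes yet fails the hash compare, which is why the hash check runs before the call and why the case hint matters.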

GodsJiva
August 26th, 2002, 13:37
Nicely done!

The trick was to look ahead and not shout bruteforce-impossible!!! as soon as you saw the md5 hash :-)

Cyberheg - have you successfully keygenned it?

Smile

nikolatesla20
August 26th, 2002, 14:10
Yes, I saw too, I did do the look ahead. One thing I have learned while learning to keygen is that it doesn't matter what all math and crap is being done, what matters most is what the program checks for, so you should look there first, which is what I did.

When I first started, I noticed that the return value from this function would never be a 1 unless the call ecx was performed correctly. And this call was loaded from the hash value.

So yes, I saw it too, I just didn't feel like doing anything about it until after vacation. And by then I forgot again about it.

The only problem is the hash is still compared with the hardcoded hash BEFORE it gets to the call ecx.

-nt20

cyberheg
August 26th, 2002, 15:15
Easy, peasy.

No GodsJiva, I am not entirely done with it because of lack of time.

However I spent part of Saturday and Sunday on it and would consider myself 95% done. I found out what's worth finding out, rewrote the whole serial check to C and only need to finish reversing a last part of it.
I would say it's not really hard, all it takes is time. As for the md5 hash I got my guess correct on the 2nd attempt. Again you don't need a lot of fantasy about what the program wants.

What makes it more time consuming than other targets is that you wrote it entirely in asm. Normally if it were written in C there are patterns that are easier to recognize, and at some points your code could have been optimized better, but then again that would only have been to my advantage.

One thing which annoys me is that the serial check is being run every time the dialog is updated. This means whenever you switch window or do anything else it's being called at least twice. This is annoying because you have to enable and disable breakpoints all the time unless you want the program to break whenever it feels like it.

To answer nt20's comments:

I learned the hard way exactly the opposite of what you write. If you overlook all the math and crap and go directly to the end result at some point of time you will wonder how the values ended up like they did. All this work just to go from start again and see how it's performed.

So what if the hash is done before the code is called? You should consider this a service, so you don't get a crashing crackme instead.

// CyberHeg

GodsJiva
August 26th, 2002, 16:55
> Easy, peasy.

Goodie, I was hoping someone would say that so I can make an even more evil kgme number 2...


> However I spent part of Saturday and Sunday on it and would consider myself 95% done. I found out what's worth finding out, rewrote the whole serial check to C and only need to finish reversing a last part of it.

Cool, I'd like to see it in C... I'll pm my email if that's ok with you. Which part are you still reversing? The fp bit?


> What makes it more time consuming than other targets is that you wrote it entirely in asm. Normally if it were written in C there are patterns that are easier to recognize, and at some points your code could have been optimized better, but then again that would only have been to my advantage.

Not much point optimising sth short like this. And I like asm


> One thing which annoys me is that the serial check is being run every time the dialog is updated.

Hehe, sowwy

Hope you enjoyed it.


Smile!

nikolatesla20
August 26th, 2002, 18:54
cyberheg,

I agree with you that eventually you will have to go back and see how things are calculated, but my main point was - you might go thru all the math routines and calculation routines and then when it gets time to do the comparison, you find out for example that only the last three characters matter.

So like I am saying, my point is there is no reason reading thru calculations unless you know they are actually being used. Some of them may simply be for distraction, to drive you crazy trying to work them out. Find out what the program actually wants first, and then go back and see where it comes from. That way you don't waste time on stuff it doesn't care about.

That was what I was trying to say

-nt20

cyberheg
August 31st, 2002, 08:46
OK, finished.

I'd like to either post my source of the keygen or just a valid serial, but before I do that I'd like to hear if it's ok. Not that I fear there is anything illegal about it, but I might spoil some fun for others.

// CyberHeg

cyberheg
September 1st, 2002, 15:41
Ok here is a valid serial combination from my keygen. Hopefully this encourages others to finish it too:

Name: CyberHeg
Serial: JA,7<2 B%$$Q@(^8

// CyberHeg

nofurs
September 1st, 2002, 16:13
Hi Cyberheg,
I just don't believe my eyes you are giving cracks in here?!?

cyberheg
September 1st, 2002, 16:35
Heh!
I don't believe my eyes you can't read.

In my opinion a crack is a program which will defeat a commercial program.
If this were a commercial program I would agree with you and not do it. However there is nothing commercial about this crackme. It was made as a task to defeat and has nothing to do with warez. You can call it "name and serial" or "trial and response" if you like those terms better. It doesn't change anything, as no one is getting unhappy here. I even got permission from the guy writing the crackme before doing it. Of course if the gang behind this webboard feel this is incriminating they are free to remove it, but since there is no company behind it and the program was written only to be broken I don't see any problem with it.

// CyberHeg

nofurs
September 1st, 2002, 16:50
Hi again,
Once a cracker always a cracker
it's a crack; doesn't matter if it's a commercial program

ZaiRoN
September 1st, 2002, 17:55
hi cyberheg/cluesurf,

it seems that your argument has ended here; in any case I would like to add two words in order to prevent other persons joining the argument.

cluesurf, what you have said about crack_release is right, but this time it's different; the proggie is only a crackme and (like cyberheg said) it is only intended to be solved.
I'll leave the name/serial where it is because cyberheg has put it there only to help the others solve this keygenme.
I don't like this type of approach, but sometimes a name/serial combination can help much more than words...

please, leave this thread only for those who want to solve the crackme

regards,
ZaiRoN

nofurs
September 1st, 2002, 18:11
Hi Zairon,
> it seems that your argument has ended here; in any case I would like to add two words in order to prevent other persons joining the argument.

Dunno, maybe it's my attitude, that's how I feel, and if you think it's ok that's settled. But a question: if everyone cracking other crackmes in this mini project posts the same thing, user and serial, what will ya do?

ZaiRoN
September 1st, 2002, 18:30
Hi cluesurf!

>if everyone cracking...what will ya do
i'll ban them!!!

oh, i'm only joking
i hope and i don't believe that someone will make it

regards,
ZaiRoN