Crypkey SKW.EXE unpacking
squidge
October 23rd, 2002, 12:06
I'm working on a Crypkey protected program, and have read through the past discussions on Crypkey. Found the master key, sitekey, and sitecode, as well as an entry key and restriction key. I've run these keys through ckinfo to get more information from them.
Now, I need a crypkey key-gen to play with, so I've downloaded the Crypkey 5.7 SDK and used WinRAR to bypass the InstallShield password protection, and installed the SDK. Obviously SKW.EXE will not run as it can't find a valid license, so I need to unpack and then patch it.
I've disassembled the EXE with both w32dasm and IDA, but get lost in the code and never end up with a working dump (using ProcDump).
Has anyone got any pointers on how to attack this kind of EXE wrapping? It seems like the unpacking part of Crypkey is the least talked about subject on this board.
Solomon
October 23rd, 2002, 12:42
As I remember unpacking CrypKey is very easy for old versions.

squidge
October 23rd, 2002, 13:01
It doesn't seem that simple from where I'm looking at it. The only discussion of unpacking it I found when searching was using w32dasm to step through it, and then using procdump and revirgin.
However, w32dasm on my version of SKW just causes w32dasm to crash. Going to try ollydbg now.
[... time passes ...]
Yup, Ollydbg worked a treat, found the OEP, dumped it, revirgin on it, and it worked. Oh yeah, changed the EP in PE section too, obviously.
Solomon
October 23rd, 2002, 13:16
CrypKey does not touch the IT/IAT, so ......
hobgoblin
October 23rd, 2002, 13:19
hi there,
What target did you work on? I successfully unpacked a Crypkey-protected program a while ago, and it was amazingly easy. I'm just curious about another one of these proggies, and it could be nice if you named your target...
Mail me if you want...
hobgoblin
squidge
October 23rd, 2002, 13:25
It was the SKW.EXE from the Crypkey 5.7 SDK. w32dasm wouldn't touch the file, but, like you say, it was incredibly easy using Ollydbg.
peterg70
October 24th, 2002, 04:40
Ahhh
Crapkey rears its head again. Wonder if 6.0 will ever come out.
Unpacking the SKW.EXE is very simple even with w32dasm.
Just step over the code until the EIP is in the correct range and then procdump. No need to fix IAT or anything else (except EP in header).
Once that is done a simple two byte mod and voila a full key gen interface.
Catch Ya
Peterg70
PS: you might want to do a search for crapkey on this board. It may pop up some more info for ya.
squidge
October 24th, 2002, 08:33
Crapkey. LOL

Thanks.
As for w32dasm it won't even load the file into memory, so I can't use the debugger to step through the code, it just crashes. This might be because it's doing something naughty that WinXP doesn't like. Like I say though, Ollydbg had no problems with it and after that it was unpacked and working in about 5 minutes.
To test out the protection before I do my main target, I decided to grab the nearest disk next to me, which just happened to be a copy of PC Format with UK Info on it. Loaded up both IDA and w32dasm, and found a nice breakpoint which gave me loads of keys in EAX to view.
So, now I have the master key, 3 different site keys (7 day, 30 day and 20 runs), 4 restriction keys, a user key, 3 site codes and finally an entry code. Decrypted them all with ckinfo and found the company info, password, etc. All I need do now is transplant this info into the key gen and then run it. I've already patched the SKW to generate keys belonging to any company.
squidge
October 24th, 2002, 23:42
All done. Got Crypkey Site Key Gen to generate a key for itself, registered it, and then proceeded to generate keys for several other Crypkey applications, which all worked first time without any problems.
I really thought Crypkey would be more interesting than this. Ah well.

peterg70
October 25th, 2002, 04:01
If you want more fun you should try the following:
Try getting the correct password and company ID etc without using CKINFO.
Look for V6.0 which will have Harddisk ID encoded into it somewhere.
Took me a while originally to get the password as we didn't have CKINFO. So don't rely on tools like CKINFO since they will not work with the next version, and if they are not updated you will get stuck big time and you'll be begging for info again on this board.
You now know what you need to achieve as a compiled code but try to understand how to collect the info without other programmed tools.
squidge
October 25th, 2002, 08:20
That is exactly what I am trying to do now. I know I can create keys for any application, but I want to know now how the keys are encoded from the data that ckinfo generates (eg. company number/etc). That way, when a new version is released, it shouldn't be too difficult to find out what is new in the algorithms.
I agree with you on tools also: although the tools provided are very helpful, it is also extremely useful to be able to get the information without such tools. This is the same for unpacking and many other RE tasks - sure, there may be an unpacking for X, but the next version is bound to work around it, and if you know how to do it manually, you'll know what has changed.