Jump to content
Tuts 4 You

[keygenme] Ecrypt7.2008.foff


Encrypto

Recommended Posts

hello again :)

Here is my new KeyGenme.7.0

Hope you like this.

people who think this is easy ... stay away ..

id love to get feedback ..

incidentally 7 is my lucky number :P

http://www.mediafire.com/?8mnbb0d0uzs

ECrypt7.2008._FOFF.zip

Edited by Encrypto
Link to comment
  • 2 weeks later...
  • 2 weeks later...

Well, I found the name manipulation and the RSA part straight forward and easy. I coded a keygen to do all but the MD5 part in c++, however, I don't know if I can be bothered to do the modified MD5 bit. Did you really have to change ALL the constants? :blink:

name: melatonin

sn: 89945942253298C96BD5B1AFE4ADD0C01C46586E2B77778D88E82B30F3F20CE2

For those that are interested, I whipped up an IDA flirt lib based off of latest FGint since I could only find some older sigs by bLaCk-eye from around ~2004.

FGintPackage.rar

Edited by Melatonin
Link to comment
For those that are interested, I whipped up an IDA flirt lib based off of latest FGint since I could only find some older sigs by bLaCk-eye from around ~2004.

Great stuff, thanks for the share Mel, much appreciated mate!

Link to comment
Well, I found the name manipulation and the RSA part straight forward and easy. I coded a keygen to do all but the MD5 part in c++, however, I don't know if I can be bothered to do the modified MD5 bit. Did you really have to change ALL the constants?

Watch for FF, GG, II and HH functions, they are changed, now there are 2 dword arguments more,

also new Init values are added so there are > 6 < of them so take care to add two more lines in

Transform procedure (e.g. State[4] and State[5]) to make it work..

I'v coded it myself but i havent done an 100% correct md5 match, on long strings i get wrong hashes,

i havent been able to figure it completely whats cousing it :)

Have fun with it, its a pretty good keygen me because of this heavy modified md5, im sure Ziggy would

have phun reversing it also ;)

BR, ChupaChu!

Edited by ChupaChu
Link to comment

@ChupaChu: Yep I know, I already did a batch of analysis on MD5 function and started to code it. Granted since I've already done most of it, I think I'll try to sort MD5 when I'm not too busy.

Also, those sigs you posted were the ones by bLaCk-eye and they don't pick up functions as well as the newer one I made. Well, atleast for this keygenme. You only really need to save FGintPackage.sig which is the AIO sig. There were only three overlapping functions and atleast in mine I correctly did it so one of em would be picked up (ithey were identical so didn't matter) instead of ignoring both. It might be useful to have those on hands if you run into an older target.

@Encrypto: Thanks for making the keygenme. :smile:

Edited by Melatonin
Link to comment

Melatonin, i tried to code the whole md5 routine, from delphi to C but

it seems to be not working good. If you want, i can send you my md5.c/md5.h files.

Regards!

Link to comment
Zool@nder, good one but i think you ripped the whole md5 routine ;)

I don't think ripping was forbiden,

Any way, ripping is always a good thing, especially when an algorithm suth MD5 (if we can call it an MD5) was wrecked/destroyed ;)

Try to collect the modf values and U will see that it takes much more time than ripping the hole stuff and because of my laziness, I've chosen the easiest way (After all, Why should I choose the difficult one, This is not brainy at all) :P

Although, It was a nice crackme, THANK YOU ENCRYPTO

Edited by Zool@nder
Link to comment

You ripped it badly.. try name: ChupaaaaaaChuuuuu

your keygen spits out: 91CEB44C891469604663151ACE4220F13C51FA7B62AFC77CBC9AD06A9C554DB1

and correct shud be : 505D16E4D3EDB8D9B569377EA5AE9B6D4031C5A804C9C55AD377846A631A091A

BR, ChupaChu!

Link to comment
You ripped it badly.. try name: ChupaaaaaaChuuuuu

your keygen spits out: 91CEB44C891469604663151ACE4220F13C51FA7B62AFC77CBC9AD06A9C554DB1

and correct shud be : 505D16E4D3EDB8D9B569377EA5AE9B6D4031C5A804C9C55AD377846A631A091A

BR, ChupaChu!

Don't expect form a 1h10 keygen to work as it shoud

And don't talk about ripping (The algo wasn't a new one neither the scheme)

There was no rule (nor in this challenge nor elsewhere that says : ripping when keygening is forbiden)

and correct shud be : 505D16E4D3EDB8D9B569377EA5AE9B6D4031C5A804C9C55AD377846A631A091A

bizzare, that's what it gave me

AND IF YOU WANT, I CAN DELETE THE KEYGEN, NOT BECAUSE IT WAS "partialy ripped" BUT TO TO SATISFY YOU ;)

Edited by Zool@nder
Link to comment

No man you got me totaly wrong, i dont have anything against you or the way you wrote it.

I like your work and your keygen is cool. Keep up the good work :thumbsup:

I just wonted to point out the problem with this keygenMe, as 4 persons (me included) have keygenend it and none of them was able to keygen it 100% working versions (to my knowledge).

I think i have found where problem was. TRy doing this in exact order:

1. load your keygen fresh

2. enter generate for default name you get:

16B90FA0C0EAED72C1DF72A9DE03B2D0B1380D2C1D3134F1D02670A8203DC713

3. enter "ouumfxshnfdsicwreonfcwoqzcw9twcfqown3fo8qw3" for name

and generate will give you:

44C8DF0C2CC254BBD172631D74F2C5E9D5812B585009C8A6044223E39703C966

4. enter "2g9c2j3962j3c26t4rj94384wt0E7EJO7Z5O87W4EZ" for name nad generate will give you:

D36B411C0AA6DAAD8CBA1FBB56E82040A371472D06828569579EF57CE84A5F3C

Now *restart* your keygenerator and try:

5) enter "2g9c2j3962j3c26t4rj94384wt0E7EJO7Z5O87W4EZ" for name nad generate will give you:

5450BFB2E282401A1F84F584776E1A0DB5A207EA58B008CED97552121E57701B

and not the value it gave you earlier

D36B411C0AA6DAAD8CBA1FBB56E82040A371472D06828569579EF57CE84A5F3C

I think this md5 is so heawy moded that it does not clean up correctly, acording to Encrypto his

personal keygen gives out correct numbers, so it must be still a small thing that we have overseen.

I just cant find what it is :(

BR, ChupaChu!

Edited by ChupaChu
Link to comment

Soory for the misundestanding

In fact, The problem was not the ModMD5

It was just an overflow between the 4 buffers that will recieve the first 4 name transformations (the 4 transf before entering in the ModMD5 algo) that will be concatenated

as delphi take cares of the size of the buffers so no problem with the KGme,

But I've coded the KG in ASM, so I had to dynamically allocate buffers following the calculated ones, thing that I haven't do.

So when a first produced string is too large, there is a buffer overflow, and when the next string is generated, it overwrite a part of the precedent

now, I have just increased the size of the buffer so the the largest entered name can't cause this behaviour (theoritically :P )

dEcrypt7_Fixed__I_hope____.zip

Edited by Zool@nder
Link to comment

Hey Zool@ander, i don't have anything against you or the way you wrote it as Chupa already said!

With "ripping" i didn't want to accuse you, sorry if you understand this!

Rip is allowed so no problem ;)

Link to comment

Hey Zool@nder, You still have the problem of buffer overwriting the md5 hash at 4049C0t, and when it gets overwriten RSA part canot be correct.

Second and more important thing is i checked md5 validity also; and it seems you have not ripped it good enough. Check it out wit this simple example:

Name: "11111111111111aaaaaaaaaaaaaaaaa22222222222defrgt333333335555555555777777777

777777777" without "" marks

MD5 part (easy way to check is at 00480DAB inside crackme) shud be:

843149029FC78D63D789BBC00FEB0E25

.. but in your case it wil be like this:

9095D4511C87209FFC30D280BDE99246

so RSA part cannot be correct, this is what i wanted to point out, nobody seems to be able to reproduce the whole md5 moded part corectly, at least not for longer names.

BTW what tools did you use to ripp so big chunks of code, can you share it maybe?

BR, ChupaChu!

Link to comment
Hey Zool@ander, i don't have anything against you or the way you wrote it as Chupa already said!

With "ripping" i didn't want to accuse you, sorry if you understand this!

Rip is allowed so no problem ;)

No prob

when I've read the replays, I was very nervous :angry: , so maybe I took them with +/- sensitivity :kick:

Sorry again :dunno::D

Link to comment
Second and more important thing is i checked md5 validity also; and it seems you have not ripped it good enough. Check it out wit this simple example:

Name: "11111111111111aaaaaaaaaaaaaaaaa22222222222defrgt333333335555555555777777777

777777777" without "" marks

I still don't agree with you, recheck the stuff and you will notice that it's still the buffer overflowing problm

To ovoid this, we have to allocate dinamically a buffer that is exactly == NameLen * 5

and in your expml above, The generated string that will be hashed is 420 byte while my buffer is just 400 bytes, that's why.

OK, now to solve the problem, I'll add a file hasher with the same algo. Then I'll allocate the needd space and you'll see that it will be OK

BTW what tools did you use to ripp so big chunks of code, can you share it maybe?

BR, ChupaChu!

It's still an alpha stage ollyPlgin, and it needs some more optimisation and some fixup. I hope to complete it sooner

And Of course it will be published.

BTW, It's also possible to rip the code with IDA and even code ripper because of the relative contiguity of the different parts of the algo

Edited by Zool@nder
Link to comment

Good work people :)

you are actually right. code ripping was allowed.

i can post my personal keygen that works..

i just need to find it in my collection of harddrives lol...

just a note : i just developed a selfmade crypto... its not the best but it is original lol ...

hopefully i can finish up soon and code Keygenme 8 :P

Thanks to all for trying this Keygenme and keep up the good work people.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...