Rules : No patching.

: No Bruting.

Keygen is the only soln.

This will be a tough nut to crack.

Download

VoLtAgE_KGM.rar
/>http://www.multiupload.com/GKJX1MO8AZ

If ya r not a crypto geek, dont even bother.

Edited May 15, 201015 yr by Teddy Rogers
Added attachment to the topic...

Mmmm, this is indeed a hard nut to crack

• Using ECDSA
  
• Key has to contain a + (so you get "somethinghere+somethingthere") thats because left of it is the r part and right of it is the s part
  
• Completely reversed the ECDSAVerify function so i can dump the arguments and stuff
  
• ECDSASign looks modified from the original library *first glance* *LOL Was looking at ECAddPoints*
  
• Using http://www.koders.com/delphi/fid872E48EC7C07A22D798357AEC0BABAC9E52BD5AE.aspx for the SHA1 engine
  

Assumptions (Some unsure):

• The key can only contain "234567ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  
• User has a static/max size of 16
  
• Password has a static/max size of 20
  

I will post more if i make any progress on this.

Good job

Lol, i think i'm losing my goal here.... hahaha let me refigure out what i'm doing here

Findings:

Base256StringToFGInt("54634094332570460673290453", p);
Base256StringToFGInt("1", a);
Base256StringToFGInt("3114828639257633374313", n
Base256StringToFGInt("45755731989545870856686427", ;
Base256StringToFGInt("26209762790701662855805685", unk1);
Base256StringToFGInt("2551882749847930242152319", Bx);
Base256StringToFGInt("49588612658893045283534677", unk2);

        sub_45DA38(passStr, 1, positionOfPlus - 1, (int)&r);
        passLenght = lenghtOfStr(passStr);
        sub_45DA38(passStr, _positionOfPlus + 1, passLenght, (int)&s);

The function gets the r and s part of the key by using the + as marker of the left and right part

Reversed bVerify function so far

int __usercall bVerify<eax>(int a1<eax>, int a2<edi>)
{
  int lenghtUser; // esi@1
  int v3; // ebx@1
  int positionOfPlus; // eax@3
  int _positionOfPlus; // ebx@3
  int passLenght; // eax@4
  int userCalcNum; // ebx@6
  int passCalcNum; // eax@6
  int v10; // [sp-Ch] [bp-B0h]@1
  int (*v11)(); // [sp-8h] [bp-ACh]@1
  int (*v12)(); // [sp-4h] [bp-A8h]@1
  int v13; // [sp+8h] [bp-9Ch]@7
  int v14; // [sp+Ch] [bp-98h]@6
  int v15; // [sp+10h] [bp-94h]@6
  int v16; // [sp+14h] [bp-90h]@6
  int v17; // [sp+18h] [bp-8Ch]@6
  int v18; // [sp+1Ch] [bp-88h]@6
  int v19; // [sp+20h] [bp-84h]@6
  int v20; // [sp+24h] [bp-80h]@6
  int tmp_s; // [sp+28h] [bp-7Ch]@4
  int tmp_r; // [sp+2Ch] [bp-78h]@4
  char Bx_; // [sp+30h] [bp-74h]@1
  char v24; // [sp+38h] [bp-6Ch]@6
  char B; // [sp+44h] [bp-60h]@1
  char v26; // [sp+4Ch] [bp-58h]@6
  char hash; // [sp+58h] [bp-4Ch]@6
  char n; // [sp+6Ch] [bp-38h]@1
  char a; // [sp+74h] [bp-30h]@1
  char p; // [sp+7Ch] [bp-28h]@1
  char Valid; // [sp+87h] [bp-1Dh]@1
  int M; // [sp+88h] [bp-1Ch]@6
  int passStrH; // [sp+8Ch] [bp-18h]@6
  int userStrH; // [sp+90h] [bp-14h]@6
  int s; // [sp+94h] [bp-10h]@4
  int r; // [sp+98h] [bp-Ch]@4
  int passStr; // [sp+9Ch] [bp-8h]@1
  int userStr; // [sp+A0h] [bp-4h]@1
  int v39; // [sp+A4h] [bp+0h]@1  v3 = a1;
  unknown_libname_73(&p, off_4591A8);
  unknown_libname_73(&a, off_4591A8);
  unknown_libname_73(&n, off_4591A8);
  unknown_libname_73(&B, off_45AE6C);
  unknown_libname_73(&Bx_, off_45AE6C);
  v12 = (int (*)())&v39;
  v11 = loc_45DEBA;
  v10 = *MK_FP(__FS__, 0);
  *MK_FP(__FS__, 0) = &v10;
  Valid = 0;
  Controls__TControl__GetText(*(_DWORD *)(v3 + 764), &userStr);
  lenghtUser = lenghtOfStr(userStr);
  Controls__TControl__GetText(*(_DWORD *)(v3 + 772), &passStr);
  if ( lenghtUser )
  {
    if ( lenghtOfStr(passStr) )
    {
      positionOfPlus = getPositionOfPlus(passStr);
      _positionOfPlus = positionOfPlus;
      if ( positionOfPlus )
      {
        getSubString(passStr, 1, positionOfPlus - 1, (int)&r);
        passLenght = lenghtOfStr(passStr);
        getSubString(passStr, _positionOfPlus + 1, passLenght, (int)&s);
        createKeyPart(r, &tmp_r);
        System____linkproc___LStrLAsg(&r, tmp_r);
        createKeyPart(s, &tmp_s);
        System____linkproc___LStrLAsg(&s, tmp_s);
        if ( (unsigned __int8)validInput(r) == 1 )
        {
          if ( (unsigned __int8)validInput(s) == 1 )
          {
            converToHexUser(userStr, &userStrH);
            SHA1CreateHash((int)&hash, userStr);
            convertToHex((int)&hash, 20, (int)&passStrH, _positionOfPlus, a2, lenghtUser);
            userCalcNum = strEncryptionSomething(userStrH);
            passCalcNum = strEncryptionSomething(passStrH);
            Sysutils__IntToHex(passCalcNum ^ userCalcNum, 0, &M);
            System__LoadResString(&off_45D70C, &v20);
            Base256StringToFGInt(v20, &p);
            System__LoadResString(&off_45D714, &v19);
            Base256StringToFGInt(v19, &a);
            System__LoadResString(&off_45D71C, &v18);
            Base256StringToFGInt(v18, &n);
            System__LoadResString(&off_45D724, &v17);
            Base256StringToFGInt(v17, &;
            System__LoadResString(&off_45D72C, &v16);
            Base256StringToFGInt(v16, &v26);
            System__LoadResString(&off_45D734, &v15);
            Base256StringToFGInt(v15, &Bx_);
            System__LoadResString(&off_45D73C, &v14);
            Base256StringToFGInt(v14, &v24);
            ECDSAVerify(M, r, s, (int)&p, (int)&a, (int)&n, (int)&B, (int)&Bx_, (int)&Valid);
            if ( Valid == 1 )
            {
              System__LoadResString(&off_45D744, &v13);
              Dialogs__MessageDlg(0);
            }
          }
        }
      }
    }
  }
  *MK_FP(__FS__, 0) = v10;
  v12 = loc_45DEC1;
  System____linkproc___LStrArrayClr(&v13, 10);
  System____linkproc___FinalizeArray(&Bx_, off_45AE6C, 2);
  System____linkproc___FinalizeArray(&n, off_4591A8, 3);
  return System____linkproc___LStrArrayClr(&M, 7);
}

Edited June 8, 201015 yr by Intline9

Good work so far..

Waiting for ya keygen mate

Good work so far..

Waiting for ya keygen mate

The stupid r and s key checks/creations are killing me :S, gaaa been at this for hours now with just a little sleep. Going to play some games to let my brain cooldown

Hahaha, thanks again for the awesome challenge!

Edited June 8, 201015 yr by Intline9

haa.. sure.. dont over heat ya engine

Pfff i give up for now, its strange but i can not get the same digest from the username as the keygenme generates so did you mod any functions from the SHA1 lib?

O well perhaps sometimes i have to continue on this.

Pfff i give up for now, its strange but i can not get the same digest from the username as the keygenme generates so did you mod any functions from the SHA1 lib?

O well perhaps sometimes i have to continue on this.

No sha is unmodified..

But there is a modded ****!

Ok.. I'll tell ya, a modded md5

No sha is unmodified..

But there is a modded ****!

Ok.. I'll tell ya, a modded md5

Mmmm, funny i did not find any traces of md5 lawl....... well first gotta crack a simple keygenme for fun. and then back to this (tomorrow)

Thats coz its modified

no scanner detects that

give ya brain a break & startup 2morrow

BOL

Hahaha LOOOOL, while i was trying to reverse a Level 4 keygenme from Crackmes.de i was looking at some strange code. And then all of a sudden it hit me that almost the same code i had seen somewhere else in a keygenme (in the past days i've been doing keygenme's)

so i started opening keygenme's i've been working on and then i finally found your'se again so i was like huu its the exact same. LIBRARY MUCH!

So whats in common, mmm the table ABCDEFGHIJKLMNOPQRSTUVWXYZ234567 (you have reversed it not sure why, win from KANAL )

so i searched google, and base32. LOOOL DOHO. So i searched some more for a library for delphi application and base32

SZCodeBaseX

and after reading some code, yes it matched so by accident i found that out, just fyi. If i can crack that keygenme i will lvl up and go back to this one

HAHAHA

~Intline9

Edited June 9, 201015 yr by Intline9

while i was trying to reverse a Level 4 keygenme from Crackmes.de

You mean my KeygenMe #2?

Btw' date=' for finding out about what units the KGM is using, you could look at the "PACKAGEINFO" with a resource editor.

(ResHack doesn't display it very good, so it's better to use XN Resource Editor or PE Explorer's Resource Editor).

By looking at the PACKAGEINFO, I could find these 'unusual' units:

ECDSA, ECGFp, FGInt, MD5K2, [b']SZCodeBaseX, uFMOD.

My KGM #2 is protected from this though.

Edited June 9, 201015 yr by Saduff

You mean my KeygenMe #2?

Btw, for finding out about what units the KGM is using, you could look at the "PACKAGEINFO" with a resource editor.

(ResHack doesn't display it very good, so it's better to use XN Resource Editor or PE Explorer's Resource Editor).

By looking at the PACKAGEINFO, I could find these 'unusual' units:

ECDSA, ECGFp, FGInt, MD5K2, SZCodeBaseX, uFMOD.

My KGM #2 is protected from this though.

Pfff where is the fun in that but thanks for the hint ^^ you using your own Base85 encryption library. And to bad that site where you hosted it is offline. else my job would be to damn easy

Pfff where is the fun in that but thanks for the hint ^^ you using your own Base85 encryption library. And to bad that site where you hosted it is offline. else my job would be to damn easy

Yeah, I made that KeygenMe only to advertise my unit.

As far as I can see (from the code you posted), you're using C++,

so that unit would be of not much help unless you want to translate

from Delphi To C++. Or do you use Delphi too?

Btw, the site is back online.

Edited June 9, 201015 yr by Saduff

Yeah, I made that KeygenMe only to advertise my unit.

As far as I can see (from the code you posted), you're using C++,

so that unit would be of not much help unless you want to translate

from Delphi To C++. Or do you use Delphi too?

Btw, the site is back online.

call me multilanguage i do not care much about what language it is, i can use a lot including delphi

so dude, whats the status of ya keygen ?

i dont try for ECDSA yet . it need to more time!

so dude, whats the status of ya keygen ?

kind of lost interest, haha, when i refind the motivation i will retry. (I mainly lost motivation because i saw some 1 cracked already ^^)

Hmm.... as u wish

Keygen.rar

Keygen.rar

Hmm.. odd.. But ya keygen doesn't work .. atleast here

& could ya plz explain why is the base32 buggy ?

Hmm.. odd.. But ya keygen doesn't work .. atleast here

& could ya plz explain why is the base32 buggy ?

My keygen doesn't work for some names, because your bintohex functions after the hashes, trim the higher nibble of a byte, if its 0.

i.e. input $07 -> output 7.

Also, i don't code in Delphi, and i don't want to debug the lib functions to reproduce whatever its going on in there.

Also, your base-32 routine is buggy, because to decode a base-32 string of certain length back to the original, one has to multiply the number by 4 before encoding it with the standard base-32 routine.

(Number * 4) -> normal base-32 routine  -> your decoding routine -> Number
or
Number  -> normal base-32 routine  -> your decoding routine -> (Number /4)

Here are some names, that ironically work (put them without quotes):

"Buggy", "buggy" and i' m sure you can find plenty more if you try.

Edited July 7, 201015 yr by HVC

Well.. Yea few names does work

Well done