KKR_WE_RULE Posted April 22, 2010 Posted April 22, 2010 (edited) Rules : No patching. : No Bruting. Keygen is the only soln. This will be a tough nut to crack. Download VoLtAgE_KGM.rar/>http://www.multiupload.com/GKJX1MO8AZ If ya r not a crypto geek, dont even bother. Edited May 15, 2010 by Teddy Rogers Added attachment to the topic...
Intline9 Posted June 7, 2010 Posted June 7, 2010 (edited) Mmmm, this is indeed a hard nut to crack Using ECDSA Key has to contain a + (so you get "somethinghere+somethingthere") thats because left of it is the r part and right of it is the s part Completely reversed the ECDSAVerify function so i can dump the arguments and stuff ECDSASign looks modified from the original library *first glance* *LOL Was looking at ECAddPoints* Using http://www.koders.com/delphi/fid872E48EC7C07A22D798357AEC0BABAC9E52BD5AE.aspx for the SHA1 engine Assumptions (Some unsure): The key can only contain "234567ABCDEFGHIJKLMNOPQRSTUVWXYZ" User has a static/max size of 16 Password has a static/max size of 20 I will post more if i make any progress on this. Good job Lol, i think i'm losing my goal here.... hahaha let me refigure out what i'm doing here Findings: Base256StringToFGInt("54634094332570460673290453", p);Base256StringToFGInt("1", a);Base256StringToFGInt("3114828639257633374313", nBase256StringToFGInt("45755731989545870856686427", ;Base256StringToFGInt("26209762790701662855805685", unk1);Base256StringToFGInt("2551882749847930242152319", Bx);Base256StringToFGInt("49588612658893045283534677", unk2); sub_45DA38(passStr, 1, positionOfPlus - 1, (int)&r); passLenght = lenghtOfStr(passStr); sub_45DA38(passStr, _positionOfPlus + 1, passLenght, (int)&s); The function gets the r and s part of the key by using the + as marker of the left and right part Reversed bVerify function so far int __usercall bVerify<eax>(int a1<eax>, int a2<edi>){ int lenghtUser; // esi@1 int v3; // ebx@1 int positionOfPlus; // eax@3 int _positionOfPlus; // ebx@3 int passLenght; // eax@4 int userCalcNum; // ebx@6 int passCalcNum; // eax@6 int v10; // [sp-Ch] [bp-B0h]@1 int (*v11)(); // [sp-8h] [bp-ACh]@1 int (*v12)(); // [sp-4h] [bp-A8h]@1 int v13; // [sp+8h] [bp-9Ch]@7 int v14; // [sp+Ch] [bp-98h]@6 int v15; // [sp+10h] [bp-94h]@6 int v16; // [sp+14h] [bp-90h]@6 int v17; // [sp+18h] [bp-8Ch]@6 int v18; // [sp+1Ch] [bp-88h]@6 int v19; // [sp+20h] [bp-84h]@6 int v20; // [sp+24h] [bp-80h]@6 int tmp_s; // [sp+28h] [bp-7Ch]@4 int tmp_r; // [sp+2Ch] [bp-78h]@4 char Bx_; // [sp+30h] [bp-74h]@1 char v24; // [sp+38h] [bp-6Ch]@6 char B; // [sp+44h] [bp-60h]@1 char v26; // [sp+4Ch] [bp-58h]@6 char hash; // [sp+58h] [bp-4Ch]@6 char n; // [sp+6Ch] [bp-38h]@1 char a; // [sp+74h] [bp-30h]@1 char p; // [sp+7Ch] [bp-28h]@1 char Valid; // [sp+87h] [bp-1Dh]@1 int M; // [sp+88h] [bp-1Ch]@6 int passStrH; // [sp+8Ch] [bp-18h]@6 int userStrH; // [sp+90h] [bp-14h]@6 int s; // [sp+94h] [bp-10h]@4 int r; // [sp+98h] [bp-Ch]@4 int passStr; // [sp+9Ch] [bp-8h]@1 int userStr; // [sp+A0h] [bp-4h]@1 int v39; // [sp+A4h] [bp+0h]@1 v3 = a1; unknown_libname_73(&p, off_4591A8); unknown_libname_73(&a, off_4591A8); unknown_libname_73(&n, off_4591A8); unknown_libname_73(&B, off_45AE6C); unknown_libname_73(&Bx_, off_45AE6C); v12 = (int (*)())&v39; v11 = loc_45DEBA; v10 = *MK_FP(__FS__, 0); *MK_FP(__FS__, 0) = &v10; Valid = 0; Controls__TControl__GetText(*(_DWORD *)(v3 + 764), &userStr); lenghtUser = lenghtOfStr(userStr); Controls__TControl__GetText(*(_DWORD *)(v3 + 772), &passStr); if ( lenghtUser ) { if ( lenghtOfStr(passStr) ) { positionOfPlus = getPositionOfPlus(passStr); _positionOfPlus = positionOfPlus; if ( positionOfPlus ) { getSubString(passStr, 1, positionOfPlus - 1, (int)&r); passLenght = lenghtOfStr(passStr); getSubString(passStr, _positionOfPlus + 1, passLenght, (int)&s); createKeyPart(r, &tmp_r); System____linkproc___LStrLAsg(&r, tmp_r); createKeyPart(s, &tmp_s); System____linkproc___LStrLAsg(&s, tmp_s); if ( (unsigned __int8)validInput(r) == 1 ) { if ( (unsigned __int8)validInput(s) == 1 ) { converToHexUser(userStr, &userStrH); SHA1CreateHash((int)&hash, userStr); convertToHex((int)&hash, 20, (int)&passStrH, _positionOfPlus, a2, lenghtUser); userCalcNum = strEncryptionSomething(userStrH); passCalcNum = strEncryptionSomething(passStrH); Sysutils__IntToHex(passCalcNum ^ userCalcNum, 0, &M); System__LoadResString(&off_45D70C, &v20); Base256StringToFGInt(v20, &p); System__LoadResString(&off_45D714, &v19); Base256StringToFGInt(v19, &a); System__LoadResString(&off_45D71C, &v18); Base256StringToFGInt(v18, &n); System__LoadResString(&off_45D724, &v17); Base256StringToFGInt(v17, &; System__LoadResString(&off_45D72C, &v16); Base256StringToFGInt(v16, &v26); System__LoadResString(&off_45D734, &v15); Base256StringToFGInt(v15, &Bx_); System__LoadResString(&off_45D73C, &v14); Base256StringToFGInt(v14, &v24); ECDSAVerify(M, r, s, (int)&p, (int)&a, (int)&n, (int)&B, (int)&Bx_, (int)&Valid); if ( Valid == 1 ) { System__LoadResString(&off_45D744, &v13); Dialogs__MessageDlg(0); } } } } } } *MK_FP(__FS__, 0) = v10; v12 = loc_45DEC1; System____linkproc___LStrArrayClr(&v13, 10); System____linkproc___FinalizeArray(&Bx_, off_45AE6C, 2); System____linkproc___FinalizeArray(&n, off_4591A8, 3); return System____linkproc___LStrArrayClr(&M, 7);} Edited June 8, 2010 by Intline9 1
KKR_WE_RULE Posted June 8, 2010 Author Posted June 8, 2010 Good work so far.. Waiting for ya keygen mate
Intline9 Posted June 8, 2010 Posted June 8, 2010 (edited) Good work so far.. Waiting for ya keygen mate The stupid r and s key checks/creations are killing me :S, gaaa been at this for hours now with just a little sleep. Going to play some games to let my brain cooldown Hahaha, thanks again for the awesome challenge! Edited June 8, 2010 by Intline9
Intline9 Posted June 8, 2010 Posted June 8, 2010 Pfff i give up for now, its strange but i can not get the same digest from the username as the keygenme generates so did you mod any functions from the SHA1 lib?O well perhaps sometimes i have to continue on this.
KKR_WE_RULE Posted June 8, 2010 Author Posted June 8, 2010 Pfff i give up for now, its strange but i can not get the same digest from the username as the keygenme generates so did you mod any functions from the SHA1 lib? O well perhaps sometimes i have to continue on this. No sha is unmodified.. But there is a modded ****! Ok.. I'll tell ya, a modded md5
Intline9 Posted June 8, 2010 Posted June 8, 2010 No sha is unmodified.. But there is a modded ****! Ok.. I'll tell ya, a modded md5 Mmmm, funny i did not find any traces of md5 lawl....... well first gotta crack a simple keygenme for fun. and then back to this (tomorrow)
KKR_WE_RULE Posted June 8, 2010 Author Posted June 8, 2010 Thats coz its modified no scanner detects that give ya brain a break & startup 2morrow BOL
Intline9 Posted June 9, 2010 Posted June 9, 2010 (edited) Hahaha LOOOOL, while i was trying to reverse a Level 4 keygenme from Crackmes.de i was looking at some strange code. And then all of a sudden it hit me that almost the same code i had seen somewhere else in a keygenme (in the past days i've been doing keygenme's) so i started opening keygenme's i've been working on and then i finally found your'se again so i was like huu its the exact same. LIBRARY MUCH! So whats in common, mmm the table ABCDEFGHIJKLMNOPQRSTUVWXYZ234567 (you have reversed it not sure why, win from KANAL ) so i searched google, and base32. LOOOL DOHO. So i searched some more for a library for delphi application and base32 SZCodeBaseX and after reading some code, yes it matched so by accident i found that out, just fyi. If i can crack that keygenme i will lvl up and go back to this one HAHAHA ~Intline9 Edited June 9, 2010 by Intline9
Saduff Posted June 9, 2010 Posted June 9, 2010 (edited) while i was trying to reverse a Level 4 keygenme from Crackmes.de You mean my KeygenMe #2? Btw' date=' for finding out about what units the KGM is using, you could look at the "PACKAGEINFO" with a resource editor. (ResHack doesn't display it very good, so it's better to use XN Resource Editor or PE Explorer's Resource Editor). By looking at the PACKAGEINFO, I could find these 'unusual' units: ECDSA, ECGFp, FGInt, MD5K2, [b']SZCodeBaseX, uFMOD. My KGM #2 is protected from this though. Edited June 9, 2010 by Saduff
Intline9 Posted June 9, 2010 Posted June 9, 2010 You mean my KeygenMe #2? Btw, for finding out about what units the KGM is using, you could look at the "PACKAGEINFO" with a resource editor. (ResHack doesn't display it very good, so it's better to use XN Resource Editor or PE Explorer's Resource Editor). By looking at the PACKAGEINFO, I could find these 'unusual' units: ECDSA, ECGFp, FGInt, MD5K2, SZCodeBaseX, uFMOD. My KGM #2 is protected from this though. Pfff where is the fun in that but thanks for the hint ^^ you using your own Base85 encryption library. And to bad that site where you hosted it is offline. else my job would be to damn easy
Saduff Posted June 9, 2010 Posted June 9, 2010 (edited) Pfff where is the fun in that but thanks for the hint ^^ you using your own Base85 encryption library. And to bad that site where you hosted it is offline. else my job would be to damn easy Yeah, I made that KeygenMe only to advertise my unit. As far as I can see (from the code you posted), you're using C++, so that unit would be of not much help unless you want to translate from Delphi To C++. Or do you use Delphi too? Btw, the site is back online. Edited June 9, 2010 by Saduff
Intline9 Posted June 10, 2010 Posted June 10, 2010 Yeah, I made that KeygenMe only to advertise my unit. As far as I can see (from the code you posted), you're using C++, so that unit would be of not much help unless you want to translate from Delphi To C++. Or do you use Delphi too? Btw, the site is back online. call me multilanguage i do not care much about what language it is, i can use a lot including delphi
KKR_WE_RULE Posted June 16, 2010 Author Posted June 16, 2010 so dude, whats the status of ya keygen ?
Intline9 Posted June 17, 2010 Posted June 17, 2010 so dude, whats the status of ya keygen ?kind of lost interest, haha, when i refind the motivation i will retry. (I mainly lost motivation because i saw some 1 cracked already ^^)
KKR_WE_RULE Posted July 5, 2010 Author Posted July 5, 2010 Keygen.rar Hmm.. odd.. But ya keygen doesn't work .. atleast here & could ya plz explain why is the base32 buggy ?
HVC Posted July 5, 2010 Posted July 5, 2010 (edited) Hmm.. odd.. But ya keygen doesn't work .. atleast here & could ya plz explain why is the base32 buggy ? My keygen doesn't work for some names, because your bintohex functions after the hashes, trim the higher nibble of a byte, if its 0. i.e. input $07 -> output 7. Also, i don't code in Delphi, and i don't want to debug the lib functions to reproduce whatever its going on in there. Also, your base-32 routine is buggy, because to decode a base-32 string of certain length back to the original, one has to multiply the number by 4 before encoding it with the standard base-32 routine. (Number * 4) -> normal base-32 routine -> your decoding routine -> NumberorNumber -> normal base-32 routine -> your decoding routine -> (Number /4) Here are some names, that ironically work (put them without quotes): "Buggy", "buggy" and i' m sure you can find plenty more if you try. Edited July 7, 2010 by HVC
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now