[KeygenMe]KKR's VoLtAgE

[KKR_WE_RULE]

Rules : No patching.

: No Bruting.

Keygen is the only soln.

This will be a tough nut to crack.

Download

VoLtAgE_KGM.rar
/>http://www.multiupload.com/GKJX1MO8AZ

If ya r not a crypto geek, dont even bother.

Edited May 15, 2010 by Teddy Rogers
Added attachment to the topic...

[Intline9]

Mmmm, this is indeed a hard nut to crack

• Using ECDSA
  
• Key has to contain a + (so you get "somethinghere+somethingthere") thats because left of it is the r part and right of it is the s part
  
• Completely reversed the ECDSAVerify function so i can dump the arguments and stuff
  
• ECDSASign looks modified from the original library *first glance* *LOL Was looking at ECAddPoints*
  
• Using http://www.koders.com/delphi/fid872E48EC7C07A22D798357AEC0BABAC9E52BD5AE.aspx for the SHA1 engine
  

Assumptions (Some unsure):

• The key can only contain "234567ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  
• User has a static/max size of 16
  
• Password has a static/max size of 20
  

I will post more if i make any progress on this.

Good job

Lol, i think i'm losing my goal here.... hahaha let me refigure out what i'm doing here

Findings:

Base256StringToFGInt("54634094332570460673290453", p);
Base256StringToFGInt("1", a);
Base256StringToFGInt("3114828639257633374313", n
Base256StringToFGInt("45755731989545870856686427", ;
Base256StringToFGInt("26209762790701662855805685", unk1);
Base256StringToFGInt("2551882749847930242152319", Bx);
Base256StringToFGInt("49588612658893045283534677", unk2);

        sub_45DA38(passStr, 1, positionOfPlus - 1, (int)&r);
        passLenght = lenghtOfStr(passStr);
        sub_45DA38(passStr, _positionOfPlus + 1, passLenght, (int)&s);

The function gets the r and s part of the key by using the + as marker of the left and right part

Reversed bVerify function so far

int __usercall bVerify<eax>(int a1<eax>, int a2<edi>)
{
  int lenghtUser; // esi@1
  int v3; // ebx@1
  int positionOfPlus; // eax@3
  int _positionOfPlus; // ebx@3
  int passLenght; // eax@4
  int userCalcNum; // ebx@6
  int passCalcNum; // eax@6
  int v10; // [sp-Ch] [bp-B0h]@1
  int (*v11)(); // [sp-8h] [bp-ACh]@1
  int (*v12)(); // [sp-4h] [bp-A8h]@1
  int v13; // [sp+8h] [bp-9Ch]@7
  int v14; // [sp+Ch] [bp-98h]@6
  int v15; // [sp+10h] [bp-94h]@6
  int v16; // [sp+14h] [bp-90h]@6
  int v17; // [sp+18h] [bp-8Ch]@6
  int v18; // [sp+1Ch] [bp-88h]@6
  int v19; // [sp+20h] [bp-84h]@6
  int v20; // [sp+24h] [bp-80h]@6
  int tmp_s; // [sp+28h] [bp-7Ch]@4
  int tmp_r; // [sp+2Ch] [bp-78h]@4
  char Bx_; // [sp+30h] [bp-74h]@1
  char v24; // [sp+38h] [bp-6Ch]@6
  char B; // [sp+44h] [bp-60h]@1
  char v26; // [sp+4Ch] [bp-58h]@6
  char hash; // [sp+58h] [bp-4Ch]@6
  char n; // [sp+6Ch] [bp-38h]@1
  char a; // [sp+74h] [bp-30h]@1
  char p; // [sp+7Ch] [bp-28h]@1
  char Valid; // [sp+87h] [bp-1Dh]@1
  int M; // [sp+88h] [bp-1Ch]@6
  int passStrH; // [sp+8Ch] [bp-18h]@6
  int userStrH; // [sp+90h] [bp-14h]@6
  int s; // [sp+94h] [bp-10h]@4
  int r; // [sp+98h] [bp-Ch]@4
  int passStr; // [sp+9Ch] [bp-8h]@1
  int userStr; // [sp+A0h] [bp-4h]@1
  int v39; // [sp+A4h] [bp+0h]@1  v3 = a1;
  unknown_libname_73(&p, off_4591A8);
  unknown_libname_73(&a, off_4591A8);
  unknown_libname_73(&n, off_4591A8);
  unknown_libname_73(&B, off_45AE6C);
  unknown_libname_73(&Bx_, off_45AE6C);
  v12 = (int (*)())&v39;
  v11 = loc_45DEBA;
  v10 = *MK_FP(__FS__, 0);
  *MK_FP(__FS__, 0) = &v10;
  Valid = 0;
  Controls__TControl__GetText(*(_DWORD *)(v3 + 764), &userStr);
  lenghtUser = lenghtOfStr(userStr);
  Controls__TControl__GetText(*(_DWORD *)(v3 + 772), &passStr);
  if ( lenghtUser )
  {
    if ( lenghtOfStr(passStr) )
    {
      positionOfPlus = getPositionOfPlus(passStr);
      _positionOfPlus = positionOfPlus;
      if ( positionOfPlus )
      {
        getSubString(passStr, 1, positionOfPlus - 1, (int)&r);
        passLenght = lenghtOfStr(passStr);
        getSubString(passStr, _positionOfPlus + 1, passLenght, (int)&s);
        createKeyPart(r, &tmp_r);
        System____linkproc___LStrLAsg(&r, tmp_r);
        createKeyPart(s, &tmp_s);
        System____linkproc___LStrLAsg(&s, tmp_s);
        if ( (unsigned __int8)validInput(r) == 1 )
        {
          if ( (unsigned __int8)validInput(s) == 1 )
          {
            converToHexUser(userStr, &userStrH);
            SHA1CreateHash((int)&hash, userStr);
            convertToHex((int)&hash, 20, (int)&passStrH, _positionOfPlus, a2, lenghtUser);
            userCalcNum = strEncryptionSomething(userStrH);
            passCalcNum = strEncryptionSomething(passStrH);
            Sysutils__IntToHex(passCalcNum ^ userCalcNum, 0, &M);
            System__LoadResString(&off_45D70C, &v20);
            Base256StringToFGInt(v20, &p);
            System__LoadResString(&off_45D714, &v19);
            Base256StringToFGInt(v19, &a);
            System__LoadResString(&off_45D71C, &v18);
            Base256StringToFGInt(v18, &n);
            System__LoadResString(&off_45D724, &v17);
            Base256StringToFGInt(v17, &;
            System__LoadResString(&off_45D72C, &v16);
            Base256StringToFGInt(v16, &v26);
            System__LoadResString(&off_45D734, &v15);
            Base256StringToFGInt(v15, &Bx_);
            System__LoadResString(&off_45D73C, &v14);
            Base256StringToFGInt(v14, &v24);
            ECDSAVerify(M, r, s, (int)&p, (int)&a, (int)&n, (int)&B, (int)&Bx_, (int)&Valid);
            if ( Valid == 1 )
            {
              System__LoadResString(&off_45D744, &v13);
              Dialogs__MessageDlg(0);
            }
          }
        }
      }
    }
  }
  *MK_FP(__FS__, 0) = v10;
  v12 = loc_45DEC1;
  System____linkproc___LStrArrayClr(&v13, 10);
  System____linkproc___FinalizeArray(&Bx_, off_45AE6C, 2);
  System____linkproc___FinalizeArray(&n, off_4591A8, 3);
  return System____linkproc___LStrArrayClr(&M, 7);
}

Edited June 8, 2010 by Intline9

[KKR_WE_RULE]

Good work so far..

Waiting for ya keygen mate

[Intline9]

Good work so far..

Waiting for ya keygen mate

The stupid r and s key checks/creations are killing me :S, gaaa been at this for hours now with just a little sleep. Going to play some games to let my brain cooldown

Hahaha, thanks again for the awesome challenge!

Edited June 8, 2010 by Intline9

[KKR_WE_RULE]

haa.. sure.. dont over heat ya engine

[Intline9]

Pfff i give up for now, its strange but i can not get the same digest from the username as the keygenme generates so did you mod any functions from the SHA1 lib?

O well perhaps sometimes i have to continue on this.

[KKR_WE_RULE]

Pfff i give up for now, its strange but i can not get the same digest from the username as the keygenme generates so did you mod any functions from the SHA1 lib?

O well perhaps sometimes i have to continue on this.

No sha is unmodified..

But there is a modded ****!

Ok.. I'll tell ya, a modded md5

[Intline9]

No sha is unmodified..

But there is a modded ****!

Ok.. I'll tell ya, a modded md5

Mmmm, funny i did not find any traces of md5 lawl....... well first gotta crack a simple keygenme for fun. and then back to this (tomorrow)

[KKR_WE_RULE]

Thats coz its modified

no scanner detects that

give ya brain a break & startup 2morrow

BOL

[Intline9]

Hahaha LOOOOL, while i was trying to reverse a Level 4 keygenme from Crackmes.de i was looking at some strange code. And then all of a sudden it hit me that almost the same code i had seen somewhere else in a keygenme (in the past days i've been doing keygenme's)

so i started opening keygenme's i've been working on and then i finally found your'se again so i was like huu its the exact same. LIBRARY MUCH!

So whats in common, mmm the table ABCDEFGHIJKLMNOPQRSTUVWXYZ234567 (you have reversed it not sure why, win from KANAL )

so i searched google, and base32. LOOOL DOHO. So i searched some more for a library for delphi application and base32

SZCodeBaseX

and after reading some code, yes it matched so by accident i found that out, just fyi. If i can crack that keygenme i will lvl up and go back to this one

HAHAHA

~Intline9

Edited June 9, 2010 by Intline9

[Saduff]

while i was trying to reverse a Level 4 keygenme from Crackmes.de

You mean my KeygenMe #2?

Btw' date=' for finding out about what units the KGM is using, you could look at the "PACKAGEINFO" with a resource editor.

(ResHack doesn't display it very good, so it's better to use XN Resource Editor or PE Explorer's Resource Editor).

By looking at the PACKAGEINFO, I could find these 'unusual' units:

ECDSA, ECGFp, FGInt, MD5K2, [b']SZCodeBaseX, uFMOD.

My KGM #2 is protected from this though.

Edited June 9, 2010 by Saduff

[Intline9]

You mean my KeygenMe #2?

Btw, for finding out about what units the KGM is using, you could look at the "PACKAGEINFO" with a resource editor.

(ResHack doesn't display it very good, so it's better to use XN Resource Editor or PE Explorer's Resource Editor).

By looking at the PACKAGEINFO, I could find these 'unusual' units:

ECDSA, ECGFp, FGInt, MD5K2, SZCodeBaseX, uFMOD.

My KGM #2 is protected from this though.

Pfff where is the fun in that but thanks for the hint ^^ you using your own Base85 encryption library. And to bad that site where you hosted it is offline. else my job would be to damn easy

[Saduff]

Pfff where is the fun in that but thanks for the hint ^^ you using your own Base85 encryption library. And to bad that site where you hosted it is offline. else my job would be to damn easy

Yeah, I made that KeygenMe only to advertise my unit.

As far as I can see (from the code you posted), you're using C++,

so that unit would be of not much help unless you want to translate

from Delphi To C++. Or do you use Delphi too?

Btw, the site is back online.

Edited June 9, 2010 by Saduff

[Intline9]

Yeah, I made that KeygenMe only to advertise my unit.

As far as I can see (from the code you posted), you're using C++,

so that unit would be of not much help unless you want to translate

from Delphi To C++. Or do you use Delphi too?

Btw, the site is back online.

call me multilanguage i do not care much about what language it is, i can use a lot including delphi

[KKR_WE_RULE]

so dude, whats the status of ya keygen ?

[GioTiN]

i dont try for ECDSA yet . it need to more time!

[Intline9]

so dude, whats the status of ya keygen ?

kind of lost interest, haha, when i refind the motivation i will retry. (I mainly lost motivation because i saw some 1 cracked already ^^)

[KKR_WE_RULE]

Hmm.... as u wish

[HVC]

Keygen.rar

[KKR_WE_RULE]

Keygen.rar

Hmm.. odd.. But ya keygen doesn't work .. atleast here

& could ya plz explain why is the base32 buggy ?

[HVC]

Hmm.. odd.. But ya keygen doesn't work .. atleast here

& could ya plz explain why is the base32 buggy ?

My keygen doesn't work for some names, because your bintohex functions after the hashes, trim the higher nibble of a byte, if its 0.

i.e. input $07 -> output 7.

Also, i don't code in Delphi, and i don't want to debug the lib functions to reproduce whatever its going on in there.

Also, your base-32 routine is buggy, because to decode a base-32 string of certain length back to the original, one has to multiply the number by 4 before encoding it with the standard base-32 routine.

(Number * 4) -> normal base-32 routine  -> your decoding routine -> Number
or
Number  -> normal base-32 routine  -> your decoding routine -> (Number /4)

Here are some names, that ironically work (put them without quotes):

"Buggy", "buggy" and i' m sure you can find plenty more if you try.

Edited July 7, 2010 by HVC

[KKR_WE_RULE]

Well.. Yea few names does work

Well done