Jump to content
Tuts 4 You

[KeygenMe]KKR's VoLtAgE


KKR_WE_RULE

Recommended Posts

KKR_WE_RULE

Rules : No patching.

: No Bruting.

Keygen is the only soln.

This will be a tough nut to crack.

Download

VoLtAgE_KGM.rar
/>http://www.multiupload.com/GKJX1MO8AZ

If ya r not a crypto geek, dont even bother. :)

Edited by Teddy Rogers
Added attachment to the topic...
Link to comment
  • 1 month later...

Mmmm, this is indeed a hard nut to crack

  • Using ECDSA
  • Key has to contain a + (so you get "somethinghere+somethingthere") thats because left of it is the r part and right of it is the s part
  • Completely reversed the ECDSAVerify function so i can dump the arguments and stuff
  • ECDSASign looks modified from the original library *first glance* *LOL Was looking at ECAddPoints*
  • Using http://www.koders.com/delphi/fid872E48EC7C07A22D798357AEC0BABAC9E52BD5AE.aspx for the SHA1 engine

Assumptions (Some unsure):

  • The key can only contain "234567ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  • User has a static/max size of 16
  • Password has a static/max size of 20

I will post more if i make any progress on this.

Good job ;)

Lol, i think i'm losing my goal here.... hahaha let me refigure out what i'm doing here :P

Findings:


Base256StringToFGInt("54634094332570460673290453", p);
Base256StringToFGInt("1", a);
Base256StringToFGInt("3114828639257633374313", n
Base256StringToFGInt("45755731989545870856686427", ;
Base256StringToFGInt("26209762790701662855805685", unk1);
Base256StringToFGInt("2551882749847930242152319", Bx);
Base256StringToFGInt("49588612658893045283534677", unk2);

sub_45DA38(passStr, 1, positionOfPlus - 1, (int)&r);
passLenght = lenghtOfStr(passStr);
sub_45DA38(passStr, _positionOfPlus + 1, passLenght, (int)&s);

The function gets the r and s part of the key by using the + as marker of the left and right part

Reversed bVerify function so far


int __usercall bVerify<eax>(int a1<eax>, int a2<edi>)
{
int lenghtUser; // esi@1
int v3; // ebx@1
int positionOfPlus; // eax@3
int _positionOfPlus; // ebx@3
int passLenght; // eax@4
int userCalcNum; // ebx@6
int passCalcNum; // eax@6
int v10; // [sp-Ch] [bp-B0h]@1
int (*v11)(); // [sp-8h] [bp-ACh]@1
int (*v12)(); // [sp-4h] [bp-A8h]@1
int v13; // [sp+8h] [bp-9Ch]@7
int v14; // [sp+Ch] [bp-98h]@6
int v15; // [sp+10h] [bp-94h]@6
int v16; // [sp+14h] [bp-90h]@6
int v17; // [sp+18h] [bp-8Ch]@6
int v18; // [sp+1Ch] [bp-88h]@6
int v19; // [sp+20h] [bp-84h]@6
int v20; // [sp+24h] [bp-80h]@6
int tmp_s; // [sp+28h] [bp-7Ch]@4
int tmp_r; // [sp+2Ch] [bp-78h]@4
char Bx_; // [sp+30h] [bp-74h]@1
char v24; // [sp+38h] [bp-6Ch]@6
char B; // [sp+44h] [bp-60h]@1
char v26; // [sp+4Ch] [bp-58h]@6
char hash; // [sp+58h] [bp-4Ch]@6
char n; // [sp+6Ch] [bp-38h]@1
char a; // [sp+74h] [bp-30h]@1
char p; // [sp+7Ch] [bp-28h]@1
char Valid; // [sp+87h] [bp-1Dh]@1
int M; // [sp+88h] [bp-1Ch]@6
int passStrH; // [sp+8Ch] [bp-18h]@6
int userStrH; // [sp+90h] [bp-14h]@6
int s; // [sp+94h] [bp-10h]@4
int r; // [sp+98h] [bp-Ch]@4
int passStr; // [sp+9Ch] [bp-8h]@1
int userStr; // [sp+A0h] [bp-4h]@1
int v39; // [sp+A4h] [bp+0h]@1 v3 = a1;
unknown_libname_73(&p, off_4591A8);
unknown_libname_73(&a, off_4591A8);
unknown_libname_73(&n, off_4591A8);
unknown_libname_73(&B, off_45AE6C);
unknown_libname_73(&Bx_, off_45AE6C);
v12 = (int (*)())&v39;
v11 = loc_45DEBA;
v10 = *MK_FP(__FS__, 0);
*MK_FP(__FS__, 0) = &v10;
Valid = 0;
Controls__TControl__GetText(*(_DWORD *)(v3 + 764), &userStr);
lenghtUser = lenghtOfStr(userStr);
Controls__TControl__GetText(*(_DWORD *)(v3 + 772), &passStr);
if ( lenghtUser )
{
if ( lenghtOfStr(passStr) )
{
positionOfPlus = getPositionOfPlus(passStr);
_positionOfPlus = positionOfPlus;
if ( positionOfPlus )
{
getSubString(passStr, 1, positionOfPlus - 1, (int)&r);
passLenght = lenghtOfStr(passStr);
getSubString(passStr, _positionOfPlus + 1, passLenght, (int)&s);
createKeyPart(r, &tmp_r);
System____linkproc___LStrLAsg(&r, tmp_r);
createKeyPart(s, &tmp_s);
System____linkproc___LStrLAsg(&s, tmp_s);
if ( (unsigned __int8)validInput(r) == 1 )
{
if ( (unsigned __int8)validInput(s) == 1 )
{
converToHexUser(userStr, &userStrH);
SHA1CreateHash((int)&hash, userStr);
convertToHex((int)&hash, 20, (int)&passStrH, _positionOfPlus, a2, lenghtUser);
userCalcNum = strEncryptionSomething(userStrH);
passCalcNum = strEncryptionSomething(passStrH);
Sysutils__IntToHex(passCalcNum ^ userCalcNum, 0, &M);
System__LoadResString(&off_45D70C, &v20);
Base256StringToFGInt(v20, &p);
System__LoadResString(&off_45D714, &v19);
Base256StringToFGInt(v19, &a);
System__LoadResString(&off_45D71C, &v18);
Base256StringToFGInt(v18, &n);
System__LoadResString(&off_45D724, &v17);
Base256StringToFGInt(v17, &;
System__LoadResString(&off_45D72C, &v16);
Base256StringToFGInt(v16, &v26);
System__LoadResString(&off_45D734, &v15);
Base256StringToFGInt(v15, &Bx_);
System__LoadResString(&off_45D73C, &v14);
Base256StringToFGInt(v14, &v24);
ECDSAVerify(M, r, s, (int)&p, (int)&a, (int)&n, (int)&B, (int)&Bx_, (int)&Valid);
if ( Valid == 1 )
{
System__LoadResString(&off_45D744, &v13);
Dialogs__MessageDlg(0);
}
}
}
}
}
}
*MK_FP(__FS__, 0) = v10;
v12 = loc_45DEC1;
System____linkproc___LStrArrayClr(&v13, 10);
System____linkproc___FinalizeArray(&Bx_, off_45AE6C, 2);
System____linkproc___FinalizeArray(&n, off_4591A8, 3);
return System____linkproc___LStrArrayClr(&M, 7);
}
Edited by Intline9
  • Like 1
Link to comment

Good work so far..

Waiting for ya keygen mate :)

The stupid r and s key checks/creations are killing me :S, gaaa been at this for hours now with just a little sleep. Going to play some games to let my brain cooldown :P

Hahaha, thanks again for the awesome challenge!

Edited by Intline9
Link to comment

Pfff i give up for now, its strange but i can not get the same digest from the username as the keygenme generates so did you mod any functions from the SHA1 lib?

O well perhaps sometimes i have to continue on this.

Link to comment
KKR_WE_RULE

Pfff i give up for now, its strange but i can not get the same digest from the username as the keygenme generates so did you mod any functions from the SHA1 lib?

O well perhaps sometimes i have to continue on this.

No sha is unmodified..

But there is a modded ****!

Ok.. I'll tell ya, a modded md5 :)

Link to comment

No sha is unmodified..

But there is a modded ****!

Ok.. I'll tell ya, a modded md5 :)

Mmmm, funny i did not find any traces of md5 lawl....... well first gotta crack a simple keygenme for fun. and then back to this (tomorrow)

Link to comment

Hahaha LOOOOL, while i was trying to reverse a Level 4 keygenme from Crackmes.de i was looking at some strange code. And then all of a sudden it hit me that almost the same code i had seen somewhere else in a keygenme (in the past days i've been doing keygenme's)

so i started opening keygenme's i've been working on and then i finally found your'se again so i was like huu its the exact same. LIBRARY MUCH!

So whats in common, mmm the table ABCDEFGHIJKLMNOPQRSTUVWXYZ234567 (you have reversed it not sure why, win from KANAL :P)

so i searched google, and base32. LOOOL DOHO. So i searched some more for a library for delphi application and base32

SZCodeBaseX

and after reading some code, yes it matched :) so by accident i found that out, just fyi. If i can crack that keygenme i will lvl up and go back to this one :P

HAHAHA

~Intline9

Edited by Intline9
Link to comment
while i was trying to reverse a Level 4 keygenme from Crackmes.de

You mean my KeygenMe #2? :D

Btw' date=' for finding out about what units the KGM is using, you could look at the "PACKAGEINFO" with a resource editor.

(ResHack doesn't display it very good, so it's better to use XN Resource Editor or PE Explorer's Resource Editor).

By looking at the PACKAGEINFO, I could find these 'unusual' units:

ECDSA, ECGFp, FGInt, MD5K2, [b']SZCodeBaseX, uFMOD.

My KGM #2 is protected from this though. :P

Edited by Saduff
Link to comment

You mean my KeygenMe #2? :D

Btw, for finding out about what units the KGM is using, you could look at the "PACKAGEINFO" with a resource editor.

(ResHack doesn't display it very good, so it's better to use XN Resource Editor or PE Explorer's Resource Editor).

By looking at the PACKAGEINFO, I could find these 'unusual' units:

ECDSA, ECGFp, FGInt, MD5K2, SZCodeBaseX, uFMOD.

My KGM #2 is protected from this though. :P

Pfff where is the fun in that :P but thanks for the hint ^^ you using your own Base85 encryption library. And to bad that site where you hosted it is offline. else my job would be to damn easy :P

Link to comment

Pfff where is the fun in that :P but thanks for the hint ^^ you using your own Base85 encryption library. And to bad that site where you hosted it is offline. else my job would be to damn easy :P

Yeah, I made that KeygenMe only to advertise my unit. :thumbsup:

As far as I can see (from the code you posted), you're using C++,

so that unit would be of not much help unless you want to translate

from Delphi To C++. Or do you use Delphi too?

Btw, the site is back online. :)

Edited by Saduff
Link to comment

Yeah, I made that KeygenMe only to advertise my unit. :thumbsup:

As far as I can see (from the code you posted), you're using C++,

so that unit would be of not much help unless you want to translate

from Delphi To C++. Or do you use Delphi too?

Btw, the site is back online. :)

call me multilanguage i do not care much about what language it is, i can use a lot including delphi ;)

Link to comment

so dude, whats the status of ya keygen ?

kind of lost interest, haha, when i refind the motivation i will retry. (I mainly lost motivation because i saw some 1 cracked already ^^)

Link to comment
  • 2 weeks later...

Hmm.. odd.. But ya keygen doesn't work .. atleast here :(

& could ya plz explain why is the base32 buggy ?

My keygen doesn't work for some names, because your bintohex functions after the hashes, trim the higher nibble of a byte, if its 0.

i.e. input $07 -> output 7.

Also, i don't code in Delphi, and i don't want to debug the lib functions to reproduce whatever its going on in there.

Also, your base-32 routine is buggy, because to decode a base-32 string of certain length back to the original, one has to multiply the number by 4 before encoding it with the standard base-32 routine.


(Number * 4) -> normal base-32 routine -> your decoding routine -> Number
or
Number -> normal base-32 routine -> your decoding routine -> (Number /4)

Here are some names, that ironically work (put them without quotes):

"Buggy", "buggy" and i' m sure you can find plenty more if you try.

Edited by HVC
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...