Tuts 4 You

[keygenme] Funny KeyGenMe


BoRoV


It's a funny, simple keygenme. :D

Solution: keygen only. One name has many serials.

Please take a moment to just look and then decide what to do next, or leave it, or decide. :)

Closed two exploits. :P

funny_keygenme.zip

Edited by BoRoV

Uuuu, wtf.

I got a keygen working now but it generates only 1 static serial ;) let me see if I can figure out the rest

//Edit

Aa, I think I've grasped the concept (don't know how much I can tell here about the keygen btw, so don't know if I'm correct)

Question:

Was it the goal that you could win this keygen by using it like (Intline9, 021D572C) or is that just a bug?

Edited by Intline9

Make it for many serials :D

Lol, I'm failing at basic AND NOT SUB here. Sigh... oh well, gotta go to sleep now. So not sure when I have time to fix up the multi gen. (I still grasp the concept but this TEST, JE is killing me :S)

Nice way BoRoV funny !


You can make it easier by making the first part of the serial FFFFFFFF :P

For example: Hyperlisk/FFFFFFFFF5B5F6FD

A keygen will come when I have time.

Edited by Hyperlisk

Here's my keygen

Keygen.zip

My keygen's not fully functional; I had another look and am having problems with the NOT, AND, SUB thing.

Edited by T-rad

@::: - phpbb3 - :::

cool :D

@T-rad:

same. :D

Well, each can solve it, but who is still able to make a keygen for one name, many serials?

I have it.


I can brute force a key (with a generator) for my name. A small cycle takes about a minute and produces 61 valid keys, but there's a lot of possibilities. Not really viable for a brute force keygen.


Weird, I submitted the tutorial and keygen to crackmes.de and now the crackme has 'disappeared' off the site.

HR,

Ghandi


Here's how you can make more than one serial:


function BIT($i) { return 1 << $i; }   // mask with only bit i set

$H = name_hash();        // 32-bit hash of the name (the keygenme's own routine)
$S1 = $S2 = $H;
for($i=0;$i<32;$i++){
    // randomly set some bits that are clear in $H; the keygenme's AND strips them again
    if(!($H & BIT($i)) && rand(1,10) % 2){
        $S2 |= BIT($i);
    }
}
$S2 = ~$S2 & 0xFFFFFFFF; // second half of the serial: NOT of the padded hash, kept to 32 bits

I wish we had a spoiler tag... S1 and S2 would be the first and second parts of the serial respectively.

Edited by Hyperlisk

Here's how you can make more than one serial:

Hahah, when I was driving back from some awesome Guitar Hero action with some friends, it struck me that you could just add some ones (bin) to one part of the serial and the AND of the second serial will filter them out.

^^


Yep, you can calculate the 'name' value and then, using whatever method you want, change the bits on the result prior to the NOT. I didn't put that in the solution I posted, instead just showing the 'name' value.

HR,

Ghandi

Edited by ghandi

Teddy Rogers
I wish we had a spoiler tag...

What... you mean this?


function BIT($i) { return 1 << $i; }   // mask with only bit i set

$H = name_hash();        // must run before $H is used
$S1 = $S2 = $H;
for($i=0;$i<32;$i++){
    if(!($H & BIT($i)) && rand(1,10) % 2){
        $S2 |= BIT($i);
    }
}
$S2 = ~$S2;

Ted.


What... you mean this?


function BIT($i) { return 1 << $i; }   // mask with only bit i set

$H = name_hash();        // must run before $H is used
$S1 = $S2 = $H;
for($i=0;$i<32;$i++){
    if(!($H & BIT($i)) && rand(1,10) % 2){
        $S2 |= BIT($i);
    }
}
$S2 = ~$S2;

Ted.

Ah, I see, I guess we do, lol. I'll fix up my post, then.


@Hyperlisk

what does the BIT($i) do??

Retrieves, I think, the bit at that position; something like this I thought up:


#include <stdbool.h>
#include <stdint.h>
typedef uint32_t DWORD;           /* as in <windows.h> */
/* true if bit i of value is set, false if it is clear */
bool bit(DWORD value, int i)
{
    return (value & ((DWORD)1 << i)) != 0;
}

It retrieves the bit at position i, so true if 1, false if 0


Here's the keygen I posted on crackmes.de; doesn't look like the crackme is there anymore. It doesn't generate multiple serials, only a single one per name.

HR,

Ghandi

edit: Here is a multi-gen as well:

The way I've done the multi part is simple: GetTickCount when the keygen is first started. Then each time a serial is generated, the name hash is created and then copied to ECX where it is ORed with the tick count before the NOT. Once the string has been formatted, GetTickCount returns a new tick count value for the next serial.

The reason this works is simple also:

The name hash is the all important value, the copy placed in ECX has the 'random' bits ORed over it and the AND in the keygenme will strip these additional bits off. I had to do it before the NOT in the keygen, as it is done after the NOT in the keygenme and doing so makes the final SUB result NULL as well as sets the zero flag.

Keygen.rar

Muliti-Gen.rar

Edited by ghandi

Retrieves, I think, the bit at that position; something like this I thought up:


#include <stdbool.h>
#include <stdint.h>
typedef uint32_t DWORD;           /* as in <windows.h> */
/* true if bit i of value is set, false if it is clear */
bool bit(DWORD value, int i)
{
    return (value & ((DWORD)1 << i)) != 0;
}

It retrieves the bit at position i, so true if 1, false if 0

Thanks for the info

Here's my BF keygen (I can only produce 3 different keys Hyperlisk's way before they start repeating). All work for me (Win7 x64 & WinXP SP3).

keygen.zip

Edited by T-rad

Here's the keygen I posted on crackmes.de; doesn't look like the crackme is there anymore. It doesn't generate multiple serials, only a single one per name.

HR,

Ghandi

edit: Here is a multi-gen as well:

The way I've done the multi part is simple: GetTickCount when the keygen is first started. Then each time a serial is generated, the name hash is created and then copied to ECX where it is ORed with the tick count before the NOT. Once the string has been formatted, GetTickCount returns a new tick count value for the next serial.

The reason this works is simple also:

The name hash is the all important value, the copy placed in ECX has the 'random' bits ORed over it and the AND in the keygenme will strip these additional bits off. I had to do it before the NOT in the keygen, as it is done after the NOT in the keygenme and doing so makes the final SUB set the zero flag.

You can create even more serials by switching out what part you are randomising (the baseSerial, or the ~baseSerial). I'm still ****ing around, because I want to go through every solution at incremental steps. But it sucks a bit because if I just use a counter++ and test if the serial changes (with the masking), if you are getting to the higher end of the number such a cycle will take A LONG TIME. So gotta think of something better.


I'm not touching the name_hash, because that part is untouched in the keygenme and there is no way to filter off extra bits; it's generated from the name string only. The second part of the serial though, the ~name_hash, is open for modifying as long as none of the name_hash bits are affected (won't happen with an OR, because it only sets bits and can be seen as an inverse operation to AND [which filters off bits according to the mask supplied]).

The algorithm for generating the 'good seed' or name_hash is simple:

1. Take name string length, divide by 4, gives loop counter. If remainder, add 1 to loop counter

2. For 0 to $result: XOR EDX, DWORD PTR [EDI]; ROR EDX, 16; ADD EDI, 4

Knowing we only need to do this, we don't need to brute force anything, because we calculate the name_hash and then NOT a copy of it to create the inverse. Making different serials is as simple as ORing in some random bits onto the 2nd copy of the name_hash prior to the NOT operation.

I'd like to see any way to modify the name_hash, but I can't see one being possible from where I'm looking at it. If you can see a way, please share it.

HR,

Ghandi

Edited by ghandi

@ghandi what you say is true, but just the name_hash will work as well (61162D54 instead of 61162D549EE9D2AB (for my name)). There are so many possibilities. If you were to take the name_hash and OR it with a random number and then NOT it, you can get most / every key that starts with your hash (61162D54). The keygenme will work if any two numbers run through the algo that = name_hash.

The keygens for this (including mine): all the keys start with your name_hash. With brute force I can get at others (I'm just looking for an easier/quicker way).

These Keys work on my name as well ( T-rad )

E3576D5C864150A8

79BEAF571CA892A3

my name_hash is 61162D54

