Jump to content
Tuts 4 You

[keygenme] Funny KeyGenMe


BoRoV

Recommended Posts

It funny simple keygenme. :D

Solution only keygen. One name have many serials.

Please take a moment to just look and then decide what to do next, or leave it, or decide. :)

Closed two expolits. :P

funny_keygenme.zip

Edited by BoRoV
Link to comment

Uuuu, wtf.

i got a keygen working now but it generates only 1 static serial ;) let me see if i can figure out about the rest

//Edit

aa i think i've grasped the concept, (dont know how much i can tell here about the keygen btw so dont know if i'm correct)

Question:

Was it the goal that you could win this keygen by using it like (Intline9, 021D572C) or is that just a bug?

Edited by Intline9
Link to comment

make for many serials :D

Lol i'm failing at basic AND NOT SUB here. Sigh.. o well gotta go to sleep now. So not sure when i have time to fix up the multi gen. (i still grasp the concept but this TEST, JE is killing me :S)

Nice way BoRoV funny !

Link to comment

You can make it easier by making the first part of the serial FFFFFFFF :P

For example: Hyperlisk/FFFFFFFFF5B5F6FD

A keygen will come when I have time.

Edited by Hyperlisk
Link to comment

@::: - phpbb3 - :::

cool :D

@T-rad:

same. :D

Well, can solve each and who are still able to make a keygen for one name, many serial?

I have it.

Link to comment

I can brute force a key ( with a generator ) for my name. a small cycle tales about a minute and produces 61 valid keys, but there's alot of possibilities. Not really viable for a brute force keygen

Link to comment

Here's how you can make more than one serial:


$H = name_hash();
$S1 = $S2 = $H;
for($i=0;$i<32;$i++){
if(!($H&BIT($i)) && rand(1,10) % 2){
$S2 |= BIT($i);
}
}
$S2 = ~$S2;

I wish we had a

tag... S1 and S2 would be the first and second parts of the serial respectively.

Edited by Hyperlisk
Link to comment

Here's how you can make more than one serial:

Hahah when i was driving back from some awseome guitare hero action with some frends, it struck me that you could just add some ones(bin) to one part of the serial and the AND of the second serial will filter them out.

^^

Link to comment

Yep, you can calculate the 'name' value and then using whatever method you want, change the bits on the result prior to the NOT. I didn't put that in the solution i posted, instead just showing the 'name' value.

HR,

Ghandi

Edited by ghandi
Link to comment
Teddy Rogers
I wish we had a spoiler tag...

What... you mean this?


$S1 = $S2 = $H;
for($i=0;$i<32;$i++){
if(!($H&BIT($i)) && rand(1,10) % 2){
$S2 |= BIT($i);
}
}
$S2 = ~$S2;
$H = name_hash();

Ted.

Link to comment

What... you mean this?


$S1 = $S2 = $H;
for($i=0;$i<32;$i++){
if(!($H&BIT($i)) && rand(1,10) % 2){
$S2 |= BIT($i);
}
}
$S2 = ~$S2;
$H = name_hash();

Ted.

Ah, I see, I guess we do, lol. I'll fix up my post, then.

Link to comment

@Hyperlisk

what does the BIT($i) do??

Retrieves i think the bit on that position something like this i thought up


bool bit(DWORD value, int i)
{
return (value& (1 << i));
}

It retrieves the bit on the position i, so true if 1, false if 0

Link to comment

Here's the keygen i posted on crackmes.de, doesn't look like the crackme is there anymore. It doesn't generate multiple serials, only a single one per name.

HR,

Ghandi

edit: Here is a multi-gen as well:

The way i've done the multi part is simple, GetTickCount when the keygen is first started. Then each time a serial is generated, the name hash is created and then copied to ECX where it is ORed with the tick count before the NOT. Once the string has been formatted, GetTickCount returns a new tick count value for the next serial.

The reason this works is simple also:

The name hash is the all important value, the copy placed in ECX has the 'random' bits ORed over it and the AND in the keygenme will strip these additional bits off. I had to do it before the NOT in the keygen, as it is done after the NOT in the keygenme and doing so makes the final SUB result NULL as well as sets the zero flag.

Keygen.rar

Muliti-Gen.rar

Edited by ghandi
Link to comment

Retrieves i think the bit on that position something like this i thought up


bool bit(DWORD value, int i)
{
return (value& (1 << i));
}

It retrieves the bit on the position i, so true if 1, false if 0

Thanks for the info

Here's my BF Keygen ( i can only produce 3 different keys Hyperlisk way before they start repeating ). All work for me ( Win7 x64 & WinXP SP3)

keygen.zip

Edited by T-rad
Link to comment

Here's the keygen i posted on crackmes.de, doesn't look like the crackme is there anymore. It doesn't generate multiple serials, only a single one per name.

HR,

Ghandi

edit: Here is a multi-gen as well:

The way i've done the multi part is simple, GetTickCount when the keygen is first started. Then each time a serial is generated, the name hash is created and then copied to ECX where it is ORed with the tick count before the NOT. Once the string has been formatted, GetTickCount returns a new tick count value for the next serial.

The reason this works is simple also:

The name hash is the all important value, the copy placed in ECX has the 'random' bits ORed over it and the AND in the keygenme will strip these additional bits off. I had to do it before the NOT in the keygen, as it is done after the NOT in the keygenme and doing so makes the final SUB set the zero flag.

You can create even more serials by switching out what part you are randomising (the baseSerial, or the ~baseSerial). I'm still ****ing around, because i want to go through every solution at incrementel steps. But it sucks a bit because if i just use a counter++ and test if serial changes (with the masking) if you are getting to the higher end of the number such a cycle will take A LONG TIME. So gotta think of something better.

Link to comment

I'm not touching the name_hash, because that part is untouched in the keygenme and there is no way to filter off extra bits, its generated from the name string only. The second part of the serial though, the ~name_hash, is open for modifying as long as none of the name_hash bits are affected (wont happen with an OR, because it only sets bits and can be seen as an inverse operation to AND [which filters off bits according to the mask supplied]).

The algorithm for generating the 'good seed' or name_hash is simple:

1. Take name string length, divide by 4, gives loop counter. If remainder, add 1 to loop counter

2. For 0 to $result - XOR EDX, DWORD PTR [EDI] - ROR EDX, 16 - ADD EDI, 4

Knowing we only need to do this, we don't need to brute force anything, because we calculate the name_hash and then NOT a copy of it to create the inverse. Making different serials is as simple as ORing in some random bits onto the 2nd copy of the name_hash prior to the NOT operation.

I'd like to see any way to modify the name_hash, but i can't see one being possible from where i'm looking at it. If you can see a way, please share it.

HR,

Ghandi

Edited by ghandi
Link to comment

@ghandi what you say is true, but just the name_hash will work as well ( 61162D54 instead of 61162D549EE9D2AB ( for my name )). There are so many possibilites. If you were to take the name_hash and OR it with a random number and then NOT it, you can get most / every key that starts with your hash ( 61162D54 ). The keygenme will work if any two numbers run through the algo that = name_hash

the keygens for this (including mine ) all the keys start with your name_hash with brute force i can get at others ( i'm just looking for an easier/quicker way ).

These Keys work on my name as well ( T-rad )

E3576D5C864150A8

79BEAF571CA892A3

my name_hash is 61162D54

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...