Teddy Rogers Posted November 30, 2010 Share Posted November 30, 2010 (edited) Your task is to retrieve data from a special application.Answer has to be sent to contest@eset.sk. Prize and glory awaits so test your self and collect the prize!ESET Crackme Contest Rules:Contest Participants All participants of CONFidence conference held November 29 – 30, 2010 in Prague can enter the contest. No ESET employees will be admitted to participate.Contest Organizers ESET, spol. s r.o. has the right to organize the contest as part of CONFidence conference, held November 29. – 30, 2010 in Prague based on agreement between the foundation Fundacja Wspierania Edukacji Informatycznej PROIDEA and ESET, spol. s r.o..Contest Objective “ESET crackme” is a program that tests the ability and skills in reverse engineering. The objective of the contest is to arrive at the name and registration code embedded in the file.Contest Prize The contest winner will receive hardware and software provided by ESET.Contest Start The contest begins November 29th, 2010 at 14:00. Contest End The contest will come to a close after the first submission of the correct solution, and will run no later than November 30th 2010, 17:00. Contest Winner The winner will be the first entrant to send the correct name and registration code to contest@eset.sk‘Crack me’ Solution The contest results will be announced after the correct answer is sent to contest@eset.sk. The prize will be awarded after the announcement of results./>http://201002.confidence.org.pl/crack-meTed.CrackMe.CONFidence.zip Edited December 4, 2010 by Teddy Rogers Edited topic title... Link to comment Share on other sites More sharing options...
EvOlUtIoN Posted November 30, 2010 Share Posted November 30, 2010 (edited) it has some crc featureas md5 etc...but i seen harder things in my life. Edited November 30, 2010 by EvOlUtIoN Link to comment Share on other sites More sharing options...
Vovan666 Posted November 30, 2010 Share Posted November 30, 2010 (edited) PasswordsPro module for brute CRC32/>http://www.mediafire.com/?7dn1y4izwfpxfl500401535 MOV EBP,EAX<-(hash in eax)brute charset "2WQKHTL3VJBYG6PZCM9AXF0UED5RS7N8"P.S. - Teddy, it is not crackme it is keygenme(serialfind)Sorry for my bad English... Edited December 1, 2010 by Vovan666 Link to comment Share on other sites More sharing options...
Teddy Rogers Posted December 4, 2010 Author Share Posted December 4, 2010 P.S. - Teddy, it is not crackme it is keygenme(serialfind)Thanks, I have edited the topic title.For those interested here is the solution: http://esec-lab.sogeti.com/dotclear/index.php?post/2010/12/01/ESET-CONFidence-2010-Crackme-WriteUp#!/usr/bin/env python# confidence 2010 crackme - keygen# jb@security-labs.orgimport sysfrom Crypto.Util import number # sorry you'll have to install pycryptofrom Crypto.Hash import MD5import randomfrom struct import pack, unpackcrc32_table = [0] * 256crc32_reverse = [0] * 256def build_crc_tables(): for i in range(256): fwd = i rev = i << 24 for j in range(8, 0, -1): # build normal table if (fwd & 1) == 1: fwd = (fwd >> 1) ^ 0xedb88320 else: fwd >>= 1 crc32_table[i] = fwd # build reverse table =) if rev & 0x80000000 == 0x80000000: rev = ((rev ^ 0xedb88320) << 1) | 1 else: rev <<= 1 crc32_reverse[i] = revdef dlog_solve_rho(q, r, n, p): # Pollard's rho algorithm # find x such as q^x = r mod p, with q of order n # adapted in python from miracl code x = y = 1 ay = by = 0 rr = 1 while 1: x = y ax = ay bx = by rr *= 2 for i in xrange(rr): # random mapping, 3 paths if y < p / 3: y = y * q % p ay = (ay + 1) % n elif y < 2 * p / 3: y = y * y % p ay = 2 * ay % n by = 2 * by % n else: y = y * r % p by = (by + 1) % n if x == y: break if x == y: return ((ax - ay) % n) * (number.inverse(by - bx, n)) % ndef pohlig_hellman(g, y, p, n, factors): # horrible code xi = [] for f in factors: gamma = 1 l = 0 x = 0 alpha = pow(g, n / f[0], p) for i in range(f[1]): if i != 0: gamma = (gamma * pow(g, l * pow(f[0], i-1), p)) % p beta = pow(y * number.inverse(gamma, p), n / pow(f[0], i+1), p) l = dlog_solve_rho(alpha, beta, f[0], p) x += l * pow(f[0], i) xi.append(x) x = 0 # chinese remainder theorem, not really optimized =) for i in range(len(factors)): ni = n / pow(factors[i][0], factors[i][1]) x += xi[i] * ni * number.inverse(ni, pow(factors[i][0], factors[i][1])) x %= n return xdef crc32forge3(wanted_crc): charset = '2WQKHTL3VJBYG6PZCM9AXF0UED5RS7N8' start_value = 0x45534554 ^ 0xffffffff # ESET while 1: # generate random string of 4 chars s = ''.join(charset[random.randint(0, 31)] for i in range(4)) crc = start_value for i in range(4): crc = (crc >> 8) ^ crc32_table[(crc ^ ord(s[i])) & 0xff] s += pack('<L', crc) crc = wanted_crc ^ 0xffffffff for i in range(7, 3, -1): crc = (crc << 8) ^ crc32_reverse[crc >> 24] ^ ord(s[i]) crc &= 0xffffffff s2 = s[:4] + pack('<L', crc) # check if added bytes are in the charset # else same player play again valid = True for i in range(4): if charset.find(xxx((crc >> (8 * i)) & 0xff)) == -1: valid = False continue if valid == True: return s2def string_to_int64(s): l = unpack('<LLLL', s) value = ((l[1] ^ l[3]) << 32) | (l[0] ^ l[2]) return value & 0x7fffffffffffffffdef decimal_encode(n): charset = 'QA9532BJNP' # btc stuff s = '' for i in range(20): s = charset[n % 10] + s n /= 10 return sdef hash_to_string(hash): out = '' for i in range(16): out += xxx(ord('a') + (ord(hash[i]) % 26)) return outdef x65599(s): hash = 0 s2 = s.upper() for i in range(len(s2)): c = ord(s2[i]) hash = (hash * 65599) & 0xffffffff hash = (hash + c) & 0xffffffff return hashdef keygen(username): if len(username) < 4: print 'Invalid name' return build_crc_tables() # elgamal parameters p = 18446744073709461511L g = 3 y = 0x5353453233444f4e x = 7123850746259367287L # factors. p-1 = 2 * 3**2 * 5 * 7 * ... factors = [[2, 1], [3, 2], [5, 1], [7, 1], [11, 1], [13, 1], [3797, 1], [42701, 1], [1262887, 1]] md_name = MD5.new(username).digest() hash_str = hash_to_string(md_name) hash_value = x65599(hash_str) while 1: # crap crap crap... # r is random value, with r=g^k mod p # we need to bruteforce r such as gcd(k, p-1) == 1 else k has no inverse s2 = crc32forge3(hash_value) md2 = MD5.new(s2).digest() r = string_to_int64(md2) k = pohlig_hellman(g, r, p, p-1, factors) if number.GCD(k, p-1) == 1: break h = string_to_int64(md_name) s = ((h - x * r) % (p-1)) s = s * number.inverse(k, p-1) % (p-1) print 'Serial: %s-%s' % (s2, decimal_encode(s))if __name__ == '__main__': if len(sys.argv) != 2: print "Usage: %s <name>" % sys.argv[0] else: keygen(sys.argv[1])Python keygen is attached below...Ted.confidence2010-keygen.zip Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now