Jump to content
Tuts 4 You

[keygenme] ESET Crackme...


Teddy Rogers

Recommended Posts

Your task is to retrieve data from a special application.

Answer has to be sent to contest@eset.sk. Prize and glory awaits so test your self and collect the prize!

ESET Crackme Contest Rules:

  1. Contest Participants All participants of CONFidence conference held November 29 – 30, 2010 in Prague can enter the contest. No ESET employees will be admitted to participate.
  2. Contest Organizers ESET, spol. s r.o. has the right to organize the contest as part of CONFidence conference, held November 29. – 30, 2010 in Prague based on agreement between the foundation Fundacja Wspierania Edukacji Informatycznej PROIDEA and ESET, spol. s r.o..
  3. Contest Objective “ESET crackme” is a program that tests the ability and skills in reverse engineering. The objective of the contest is to arrive at the name and registration code embedded in the file.
  4. Contest Prize The contest winner will receive hardware and software provided by ESET.
  5. Contest Start The contest begins November 29th, 2010 at 14:00.
  6. Contest End The contest will come to a close after the first submission of the correct solution, and will run no later than November 30th 2010, 17:00.
  7. Contest Winner The winner will be the first entrant to send the correct name and registration code to contest@eset.sk
  8. ‘Crack me’ Solution The contest results will be announced after the correct answer is sent to contest@eset.sk. The prize will be awarded after the announcement of results.


/>http://201002.confidence.org.pl/crack-me

Ted.

CrackMe.CONFidence.zip

Edited by Teddy Rogers
Edited topic title...
Link to comment
Share on other sites

PasswordsPro module for brute CRC32
/>http://www.mediafire.com/?7dn1y4izwfpxfl5

00401535 MOV EBP,EAX<-(hash in eax)

brute charset "2WQKHTL3VJBYG6PZCM9AXF0UED5RS7N8"

P.S. - Teddy, it is not crackme it is keygenme(serialfind)

Sorry for my bad English...

Edited by Vovan666
Link to comment
Share on other sites

P.S. - Teddy, it is not crackme it is keygenme(serialfind)

Thanks, I have edited the topic title.

For those interested here is the solution: http://esec-lab.sogeti.com/dotclear/index.php?post/2010/12/01/ESET-CONFidence-2010-Crackme-WriteUp

#!/usr/bin/env python# confidence 2010 crackme - keygen
# jb@security-labs.orgimport sys
from Crypto.Util import number # sorry you'll have to install pycrypto
from Crypto.Hash import MD5
import random
from struct import pack, unpackcrc32_table = [0] * 256
crc32_reverse = [0] * 256def build_crc_tables():
for i in range(256):
fwd = i
rev = i << 24
for j in range(8, 0, -1):
# build normal table
if (fwd & 1) == 1:
fwd = (fwd >> 1) ^ 0xedb88320
else:
fwd >>= 1
crc32_table[i] = fwd
# build reverse table =)
if rev & 0x80000000 == 0x80000000:
rev = ((rev ^ 0xedb88320) << 1) | 1
else:
rev <<= 1
crc32_reverse[i] = revdef dlog_solve_rho(q, r, n, p):
# Pollard's rho algorithm
# find x such as q^x = r mod p, with q of order n
# adapted in python from miracl code
x = y = 1
ay = by = 0
rr = 1 while 1:
x = y
ax = ay
bx = by
rr *= 2 for i in xrange(rr):
# random mapping, 3 paths
if y < p / 3:
y = y * q % p
ay = (ay + 1) % n
elif y < 2 * p / 3:
y = y * y % p
ay = 2 * ay % n
by = 2 * by % n
else:
y = y * r % p
by = (by + 1) % n
if x == y:
break
if x == y:
return ((ax - ay) % n) * (number.inverse(by - bx, n)) % ndef pohlig_hellman(g, y, p, n, factors):
# horrible code
xi = []
for f in factors:
gamma = 1
l = 0
x = 0
alpha = pow(g, n / f[0], p)
for i in range(f[1]):
if i != 0:
gamma = (gamma * pow(g, l * pow(f[0], i-1), p)) % p
beta = pow(y * number.inverse(gamma, p), n / pow(f[0], i+1), p)
l = dlog_solve_rho(alpha, beta, f[0], p)
x += l * pow(f[0], i)
xi.append(x)
x = 0
# chinese remainder theorem, not really optimized =)
for i in range(len(factors)):
ni = n / pow(factors[i][0], factors[i][1])
x += xi[i] * ni * number.inverse(ni, pow(factors[i][0], factors[i][1]))
x %= n
return xdef crc32forge3(wanted_crc):
charset = '2WQKHTL3VJBYG6PZCM9AXF0UED5RS7N8' start_value = 0x45534554 ^ 0xffffffff # ESET
while 1:
# generate random string of 4 chars
s = ''.join(charset[random.randint(0, 31)] for i in range(4)) crc = start_value
for i in range(4):
crc = (crc >> 8) ^ crc32_table[(crc ^ ord(s[i])) & 0xff] s += pack('<L', crc)
crc = wanted_crc ^ 0xffffffff for i in range(7, 3, -1):
crc = (crc << 8) ^ crc32_reverse[crc >> 24] ^ ord(s[i])
crc &= 0xffffffff s2 = s[:4] + pack('<L', crc) # check if added bytes are in the charset
# else same player play again
valid = True
for i in range(4):
if charset.find(xxx((crc >> (8 * i)) & 0xff)) == -1:
valid = False
continue if valid == True:
return s2def string_to_int64(s):
l = unpack('<LLLL', s)
value = ((l[1] ^ l[3]) << 32) | (l[0] ^ l[2])
return value & 0x7fffffffffffffffdef decimal_encode(n):
charset = 'QA9532BJNP' # btc stuff
s = '' for i in range(20):
s = charset[n % 10] + s
n /= 10
return sdef hash_to_string(hash):
out = ''
for i in range(16):
out += xxx(ord('a') + (ord(hash[i]) % 26))
return outdef x65599(s):
hash = 0
s2 = s.upper()
for i in range(len(s2)):
c = ord(s2[i])
hash = (hash * 65599) & 0xffffffff
hash = (hash + c) & 0xffffffff
return hashdef keygen(username):
if len(username) < 4:
print 'Invalid name'
return build_crc_tables() # elgamal parameters
p = 18446744073709461511L
g = 3
y = 0x5353453233444f4e
x = 7123850746259367287L
# factors. p-1 = 2 * 3**2 * 5 * 7 * ...
factors = [[2, 1], [3, 2], [5, 1], [7, 1], [11, 1], [13, 1], [3797, 1], [42701, 1], [1262887, 1]] md_name = MD5.new(username).digest()
hash_str = hash_to_string(md_name)
hash_value = x65599(hash_str) while 1:
# crap crap crap...
# r is random value, with r=g^k mod p
# we need to bruteforce r such as gcd(k, p-1) == 1 else k has no inverse
s2 = crc32forge3(hash_value)
md2 = MD5.new(s2).digest()
r = string_to_int64(md2)
k = pohlig_hellman(g, r, p, p-1, factors)
if number.GCD(k, p-1) == 1:
break h = string_to_int64(md_name)
s = ((h - x * r) % (p-1))
s = s * number.inverse(k, p-1) % (p-1)
print 'Serial: %s-%s' % (s2, decimal_encode(s))
if __name__ == '__main__':
if len(sys.argv) != 2:
print "Usage: %s <name>" % sys.argv[0]
else:
keygen(sys.argv[1])

Python keygen is attached below...

Ted.

confidence2010-keygen.zip

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...