Jump to content
Tuts 4 You

[keygenme] Alive


Recommended Posts

  • 1 month later...

Is this ElGamal Signature Scheme? It looks like it.

Anyway, attempting to solve DLP to get the private key

gives me: "Can't solve that sh*t!" :(

Never solved ElGamal (or DLP) before, so I'm a newbie in that area.

I've identified all the FGInt calls and stuff and know what it's doing,

but don't know how to reverse it.

First thought was to generate first 2 parts of serial randomly and

then solve 9F76B9617C4B04782B89 ^ X mod E50D80BB9284DF3F23D3 = Y to

get the 3rd part, where X is the 3rd part of serial and Y is calculated

based on 1st and 2nd part of serial and name. But solving DLP every time is unfeasible.

-- EDIT --

Been trying to get the private key by solving the DLP (using another DLP solver)

for 3 hours now and still nothing. I must be doing something wrong.

Guess I'm not the only one having difficulties with this one, considering it's still unsolved.

-- EDIT --

If this is indeed ElGamal, then am I correct with the following?

Y = G ^ X mod P, where G,P,Y are public keys and X is the private key.

Y = E17D4BC428ED77A25829

G = 9F76B9617C4B04782B89

P = E50D80BB9284DF3F23D3

Edited by Saduff
Link to comment

You're correct, those are the values for P,G,Y.

About the DLP solving time, I would recommend you to use a solver based on Index Calculus method.

  • Like 1
Link to comment

Thanks, I found a calculator that solved the DLP in 0.5 seconds. :D

Now let's see if I can keygen this thing. :)

-- EDIT --

Now I don't understand what the 3rd part of the serial (last 20 chars) has to be. :D

I think that the first 2 parts of the serial are the signature (r, s).

The 3rd part of the serial is used only here: G ^ serial[3] mod P, so I thought that

it has to be MD5(name), but that can't be, since MD5 is 32 chars long.

So I tried using MD5(name) mod P as the 3rd part of the serial, but that didn't work. :unsure:

Edited by Saduff
Link to comment

The third part of the serial is part of the signature.

Difficulty of the challenge is to find out what the third part should be :^

Link to comment
  • 2 weeks later...
  • 4 weeks later...

Thanks, I found a calculator that solved the DLP in 0.5 seconds. :D

Now let's see if I can keygen this thing. :)

Care to share that tool, or give me/us a link for it? :)

I have been looking for a dlp solver using the index calculus method for a while now.

Maybe I'm just a bad googler :turned:

- rdbnhoax

Link to comment

I used Magma Calculator:


Used this script:

p := 1081671008419063856571347;
K := GF(p);
g := K ! 753046344671602713045897;
y := K ! 1064843761188532526405673;
x := Log(g, y);

Don't know if it uses the index calculus method, but it solved the DLP very fast, while other solvers failed.

Link to comment

yeah, really nice scheme :)

thanks to KKR, for informing me, that it's a special signature scheme, so could be solved more effective way, rather than runtime DLP solving for each signature. So I wrote the equation with pen and got the result

for those, who are interested how to get signing algorithm without searching for some common schemes:


maybe I'll solve this kgm soon, once i get bored. :)

Edited by qpt^J
  • Like 1
Link to comment

I got freak'd out by the serial decoding algo :P

May be if I get bored some time, I'll touch it again :D

way to go qpt :) do it !! :)

Link to comment

Okie.. I got bored & I touched it again.. This time I recoded ya Serial Decoding stuff in Delphi.

Here it is.


Accoriding to my logic.. It should be reversed as Under, but it isn't working.


Any 1 else having this prob ?

Edited by KKR_WE_RULE
Link to comment
  • 1 month later...

Nice job mate, wasn't that hard, huh? ;)

Btw, my intention was to use 'FUN' as first 3 chars... I didn't thought about other possible words :P

Link to comment

for me, it was hard, yeah :)

especially that Lexicographical order part, because there wasnt any good explaination about it on inet, only by guessing i found how it works :P

and found that 'KEY' part by guessing too :)

Link to comment

That transformation part kick'd my *** :P Real thanx goes to Dcoder__. I couldn't identify the algo there.

Ok.. now it can be made public.. Its BWT De_Transform() that used there. Need to use BWT_Transform() to reverse it :)

@qpt^J : Great work as always :) Congratz :)

@HMX : I'll still write a soln, coz last time I tried I had some probs with the BWT_Transform(). It was hard for me.. but I have gotta admit, it taught me a great deal of stuff. Thanx a bunch :)

Link to comment
  • 4 years later...

I'm years late as always D:

I'm including the modified ElGamal signature's paper, my notes (in italian, sorry), the (probable) original Delphi BWT source used in the KeygenMe, a sorta equivalent implementation in Python found on the net and most importantly my keygen in Python. Uses Z3Py to retrieve the first three letters of the serial :)
Also included a version with the precalculated string in case you don't want to install and configure Z3Py. The other dependencies are standard Python 2.7 modules.

EDIT: finally added to my KGCollection. Relevant sources: BWT, keygen.


Edited by SmilingWolf
  • Like 2
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...