Tuts 4 You

[KeygenMe] Introduction To x64


Saduff


I've never seen x64 KeygenMes before, so I thought why not write one.

This is my first x64 code. I hope there are no bugs.

I kept the algo fairly simple and wrote it in MASM.

Rules:

- No patching!

- No bruteforcing in keygen!

Since there aren't any great x64 debuggers available,

please tell me what debugger you used to solve this,

so I could get a small overview of what people use for debugging x64 code.

In case you don't know what debugger to use, I'll give you a starting point.

Consider using FDBG. It's also the debugger I used to test this KGM.

Good Luck!

KeygenMe x64.zip

Edited by Saduff

Are you absolutely sure this is keygennable?

SPOILER ALERT

.

.

.

We have to divide the end value (2^64-255) by the hash (made of name+part2), but obviously the end value is not always evenly divisible by the hash value. How am I supposed to make sure it's a multiple of the hash?

Or am I totally off track here?

EDIT: Please don't tell me you want us to calculate the XOR equations in GF(2)

PPS: I found this nice video while looking up SHRD: http://www.youtube.com/watch?v=EXxNiWnkqMo

It's part of a huge series of videos about x64 ASM and interaction with C++

Edited by Killboy

I'm pretty sure it's keygennable. I didn't make a keygen myself, but I calculated a serial using my own tool and Windows Calculator.

You can try this combo for testing:


Saduff
DEADC0DEDEADC0DE-4931A3254B6E53F7
We have to divide the end value (2^64-255) by the hash (made of name+part2), but obviously the end value is not always evenly divisible by the hash value. How am I supposed to make sure it's a multiple of the hash?

I'm not sure I entirely understood everything here, but I don't think this is the way to go.

P.S. Does the KGM run properly on your machine? I've experienced some strange behavior.

After some time, the KGM starts to crash immediately on my machine when run. I have to recompile to fix it.

It doesn't even open up in FDBG.


I'm in a deadlock here, will give it another try sometime this week.

Anyway, you made me go and code up a new WTL keygen template. Been on my todo list for some time, never got a good reason to do that.

PS: The exe works like a charm on win7


Great job qpt^J for solving it without debugging.

Keygen works too. Only thing is that

it doesn't work with names that have more than 8 chars.

Looks like that's because of the XOR loop:


00401195 |> /AC /LODS BYTE PTR [ESI]
00401196 |. |3207 |XOR AL,[EDI]
00401198 |. |AA |STOS BYTE PTR ES:[EDI]
00401199 |.^\E2 FA \LOOPD SHORT 00401195

In the KGM is this:

000000013FD6124B			488B94CD01FFFFFF			mov rdx,[rbp+rcx*8-000000FF]

The KGM loads the qword from memory as little endian (I think), but your keygen

XORs byte by byte, starting from the most significant byte (big endian).

So, for example, if there's 5361647566660000 in memory, then rdx will be 0000666675646153.

I'm not sure it's actually because of the XOR loop, as I only had a quick look at the keygen,

but that seems like the most likely place for errors.

Anyway, great job for solving it without debugging.

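An added example (not the KGM's code and not qpt^J's keygen) of the byte-order point made in the post above: the same name buffer read as a little-endian qword, the way `mov rdx,[...]` sees it, versus the big-endian order a first-byte-first XOR loop effectively uses. The third function generalises to names longer than 8 characters by splitting them into zero-padded little-endian qwords; that this is how the KGM indexes longer names is an assumption drawn from the `[rbp+rcx*8-0xFF]` addressing, not something confirmed in the thread.

```rust
// Added example, not code from the KeygenMe or from any keygen in the thread.

/// Zero-pad the first (up to) 8 bytes of the name into a qword buffer.
fn first_qword_bytes(name: &str) -> [u8; 8] {
    let mut buf = [0u8; 8];
    for (dst, src) in buf.iter_mut().zip(name.bytes()) {
        *dst = src;
    }
    buf
}

/// What `mov rdx, [buffer]` yields: x64 loads qwords little-endian, so the
/// first name byte lands in the least significant position.
/// "Saduff" -> 0x0000666675646153
pub fn name_qword_le(name: &str) -> u64 {
    u64::from_le_bytes(first_qword_bytes(name))
}

/// The order a byte-by-byte XOR loop walking the buffer from the start
/// effectively uses when the result is read as a number: first name byte
/// most significant, i.e. big-endian.
/// "Saduff" -> 0x5361647566660000
pub fn name_qword_be(name: &str) -> u64 {
    u64::from_be_bytes(first_qword_bytes(name))
}

/// Assumption (from the rcx*8 addressing, not confirmed in the thread): the
/// whole name as an array of zero-padded little-endian qwords, which is what
/// code indexing the buffer by qword would see for names longer than 8 chars.
pub fn name_qwords_le(name: &str) -> Vec<u64> {
    name.as_bytes()
        .chunks(8)
        .map(|chunk| {
            let mut buf = [0u8; 8];
            buf[..chunk.len()].copy_from_slice(chunk);
            u64::from_le_bytes(buf)
        })
        .collect()
}

fn main() {
    let name = "Saduff";
    println!("bytes in memory: {:02X?}", first_qword_bytes(name));
    println!("qword load (LE):  {:#018x}", name_qword_le(name));
    println!("byte loop  (BE):  {:#018x}", name_qword_be(name));
    println!("13-char name as qwords: {:#x?}", name_qwords_le("SaduffKillboy"));
}
```

The two values differ for every name whose bytes are not a palindrome of the padded buffer, so a keygen that XORs bytes in buffer order and then treats the result as a number will only agree with the KGM if it also reads the result little-endian.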

I just got the crashes you described...

It crashes somewhere before the entrypoint, I had to redownload the file and replace it.

Maybe Windows puts it into compatibility mode, and replacing it removes the attributes. Definitely weird...

I'm pretty sure it's keygennable. I didn't make a keygen myself, but I calculated a serial using my own tool and windows calculator.

@ Saduff: Just a thought, why not make a 32 bit version of it so we can all try it and see if it is keygennable, it sounds like fun to try despite all the problems mentioned above. I hate to tell you this, but I am certain that others feel the same way, simply "Left Out"

Edited by ChOoKi

I thought x64 machines are pretty common by now, they've been around for 8 years now.

PS: am I on the right track with multiplicative inverse in GF(2^64)? Looks like I need a big num lib then


@ChOoKi: Well the whole point of this KGM is that it's 64-bit.

If you're running 32-bit Windows, you can still try it on a VM for example,

or you can solve it without debugging, like qpt^J did.

-- EDIT --

PS: am I on the right track with multiplicative inverse in GF(2^64)? Looks like I need a big num lib then

Yup, you're on the right track. And actually, there's no need for a big num lib.

It can be done with just the 64-bit registers, or you could use the 128-bit XMM registers.

I once did it for a 32-bit KGM, where I held the integer 0x100000000 over 2 registers (EDX:EAX).

With DIV and MUL instructions, you can extend the integer over 2 registers, RDX:RAX, making it

possible to do calculations with 128-bit integers, and DIV and MUL is all you need.

Edited by Saduff

So far I got it mostly working, but one question:

I could have a fixed first part but I prefer using random numbers. Not all numbers have a multiplicative inverse in GF(2^64), so what's a good way to make sure the random number does, without 'bruteforcing' (ie. drawing numbers until one is relatively prime to the modulo)?

Not all numbers have a multiplicative inverse in GF(2^64), so what's a good way to make sure the random number does, without 'bruteforcing' (ie. drawing numbers until one is relatively prime to the modulo)?

I think that's the only way. That kind of "bruteforcing" is allowed. Not using multiplicative inverse is not allowed.

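An added example, not the KGM's code and not anyone's keygen from this thread, of the two points above: Saduff's remark that the inverse can be computed with nothing beyond the 128-bit intermediates MUL and DIV give you in RDX:RAX, and Killboy's question about making sure a randomly drawn first part actually has an inverse. It uses Rust's u128/i128 where the assembly would use the RDX:RAX pair. The moduli are constructed for illustration (2^64-255 is the end value Killboy mentions; 2^63 is used alongside it because its factorisation is known, so exactly the odd candidates are invertible), and xorshift64 stands in for whatever RNG a real keygen would use.

```rust
// Added example; not the KGM's code and not any poster's keygen.

/// a*b mod m without overflow. The u128 product is what MUL leaves in
/// RDX:RAX; the reduction is the 128-by-64-bit DIV.
pub fn mod_mul(a: u64, b: u64, m: u64) -> u64 {
    ((a as u128 * b as u128) % m as u128) as u64
}

/// Extended Euclid over i128. Returns Some(x) with a*x == 1 (mod m) when
/// gcd(a, m) == 1, otherwise None: a value sharing a factor with m has no
/// inverse, which is why a random first part has to be checked first.
pub fn mod_inv(a: u64, m: u64) -> Option<u64> {
    if m < 2 {
        return None;
    }
    let m128 = m as i128;
    // Invariant: old_r == old_s * a (mod m) and r == s * a (mod m).
    let (mut old_r, mut r) = (a as i128 % m128, m128);
    let (mut old_s, mut s): (i128, i128) = (1, 0);
    while r != 0 {
        let q = old_r / r;
        let next_r = old_r - q * r;
        old_r = r;
        r = next_r;
        let next_s = old_s - q * s;
        old_s = s;
        s = next_s;
    }
    if old_r != 1 {
        return None; // gcd(a, m) > 1: no inverse exists
    }
    Some(old_s.rem_euclid(m128) as u64)
}

/// Self-check: (a * a^-1) mod m, which must be 1, or None if no inverse.
pub fn inverse_roundtrip(a: u64, m: u64) -> Option<u64> {
    mod_inv(a, m).map(|inv| mod_mul(a, inv, m))
}

/// Xorshift64 as a stand-in RNG (an assumption for this example, not anything
/// from the thread). Deterministic, so the output is reproducible.
pub fn xorshift64(state: &mut u64) -> u64 {
    let mut x = *state;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    *state = x;
    x
}

/// Draw first parts until one is invertible mod m, the kind of "bruteforcing"
/// Saduff says is allowed. Returns (part, inverse), or None after max_tries.
pub fn pick_invertible(seed: u64, m: u64, max_tries: usize) -> Option<(u64, u64)> {
    let mut state = if seed == 0 { 1 } else { seed };
    for _ in 0..max_tries {
        let cand = xorshift64(&mut state) % m;
        if cand == 0 {
            continue; // zero never has an inverse
        }
        if let Some(inv) = mod_inv(cand, m) {
            return Some((cand, inv));
        }
    }
    None
}

fn main() {
    // Constructed moduli for illustration, see the lead-in.
    let m_thread: u64 = u64::MAX - 254; // 2^64 - 255
    let m_pow2: u64 = 1 << 63;
    let a: u64 = 0xDEADC0DEDEADC0DE;
    println!("{:#x} mod 2^64-255 -> inverse {:x?}", a, mod_inv(a, m_thread));
    println!("{:#x} mod 2^63     -> inverse {:x?} (even, so none)", a, mod_inv(a, m_pow2));
    println!("{:#x} mod 2^63     -> inverse {:x?}", a | 1, mod_inv(a | 1, m_pow2));
    if let Some((part, inv)) = pick_invertible(a, m_pow2, 64) {
        println!("picked {:#x}, inverse {:#x}, check {}", part, inv, mod_mul(part, inv, m_pow2));
    }
}
```

Every intermediate here fits in 128 bits, which is the point of the RDX:RAX remark: the product before reduction is the only value that needs more than 64 bits, and one DIV brings it back.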

Good job, Killboy. What debugger did you use?

Is there anything not keygennable that isn't under a big number encryption cipher cryptext?

I don't know and I'm not capable of thinking at the moment.


What debugger did you use?

IDA, all the others suck hard

PS. Keep the keygenmes coming! I know most of the regulars laugh about the difficulty level (no debugging! lol), but for me this is easy enough to grasp with the little maths I know, and still fun to implement in C++ without just blindly using GNU MP or Miracle.

Edited by Killboy
