Jump to content
Tuts 4 You

[KGM] ViC KeygenMe #4 © vic4key


Recommended Posts

Link to download it:


Level: ?/10


Only find the serial or keygen it. Write a tut for it if u done and can. wink.png

Source code: Download [Password] To public when this topic was done. wink.png

Best regard,


Edited by vic4key
Link to comment
Share on other sites

"kao was here:"


without quotes, of course.

Problem #1: serial is checked on MouseUp/MouseDown. If you use keyboard (Enter key), serial will not be checked;

Problem #2: serial is valid only on first attempt. After that internal buffer is f**ked up and program state is undefined, you need to restart crackme to try again;

Difficulty: 1/10, lunch hour challenge.

Link to comment
Share on other sites

I'm not sure what are you asking, there was nothing hard in it. In fact, writing this post took me more time than to solve the crackme.

Find good boy string in IDA:

.text:00457058 aYouReWinner___ db 'You',27h,'re winner... Thanks for your reversin',27h,'...',0Dh,0Ah
.text:00457058 ; DATA XREF: .data:pGoodBoyo
.text:00457058 db 0Dh,0Ah
.text:00457058 db 'BR,vic4key',0

Strangely enough, it's not referenced by code directly. Instead, it's referenced from data:

.data:0045A738 pGoodBoy dd offset aYouReWinner___ ; DATA XREF: sub_4572A4+B0o
.data:0045A738 ; "You're winner... Thanks for your revers"...

Data are referenced from this code:

.text:00457331 mov eax, offset encrypted_code
.text:00457336 movzx edx, byte ptr [eax]
.text:00457339 decrypt_code: ; CODE XREF: sub_4572A4+A0j
.text:00457339 xor dl, cl
.text:0045733B mov [eax], dl
.text:0045733D inc eax
.text:0045733E movzx edx, byte ptr [eax]
.text:00457341 cmp dl, 0C3h
.text:00457344 jnz short decrypt_code
.text:00457346 mov eax, offset off_45A734
.text:0045734B mov eax, [eax]
.text:0045734D mov edx, offset unk_45A723
.text:00457352 mov [edx], eax
.text:00457354 mov eax, offset pGoodBoy
.text:00457359 mov eax, [eax]
.text:0045735B mov edx, offset unk_45A728
.text:00457360 mov [edx], eax
.text:00457362 mov ebx, offset unk_401233
.text:00457367 lea edx, [ebx+1]
.text:0045736A mov eax, offset unk_45A72E
.text:0045736F mov cl, 0E8h
.text:00457371 call sub_457278
.text:00457376 mov edx, offset unk_45A72F
.text:0045737B mov [edx], eax
.text:0045737D mov eax, offset encrypted_code
.text:00457382 mov [ebp+var_4], eax
.text:00457385 call [ebp+var_4]

So, here crackme decrypts some other code, fixes references to strings and calls decrypted code. All I need to do, is to find correct decryption key.

This code here:

.text:00457339 xor dl, cl

means that key is 1 byte long. I can either bruteforce 256 possibilities (easy), or think a bit.

Examining those references, this one caught my attention:

.text:00457362 mov ebx, offset unk_401233
.text:00457367 lea edx, [ebx+1]

It is a reference to MessageBoxA

.text:00401233 unk_401233 db 0C0h ; À; DATA XREF: sub_4572A4+BEo
.text:00401234 ; [00000006 BYTES: COLLAPSED FUNCTION MessageBoxA. PRESS KEYPAD "+" TO EXPAND]

So, we can assume that encrypted code is calling MessageBoxA.

In ASM call to MessageBox usually looks like this:

6A xx push Flags
68 xx xx xx xx push String1
68 xx xx xx xx push String2
?? push 0 or push hWnd value
?? "call" or "jump" or "call dword ptr"

We can assume that first byte of decrypted code should be 0x6A. In that case decryption key should be 0xCE xor 0x6A = 0xA4.

Try to use it, and it decodes proper code.

We know that decryption key was in CL register. It is calculated by this piece of code:

.text:00457318 mov dl, 1
.text:0045731A loc_45731A: ; CODE XREF: sub_4572A4+86j
.text:0045731A movzx ecx, dl
.text:0045731D mov ebx, [ebp+var_8]
.text:00457320 movzx ecx, byte ptr [ebx+ecx-1]
.text:00457325 add esi, ecx
.text:00457327 inc edx
.text:00457328 dec al
.text:0045732A jnz short loc_45731A
.text:0045732C loc_45732C: ; CODE XREF: sub_4572A4+72j
.text:0045732C mov ecx, esi
.text:0045732E and cl, 0FFh

If you can't immediately see it, debug the code in Olly. It's calculating sum of all letters in username and then taking least significant byte.

After that it's a 1 minute task with calculator, pen and paper.

  • Like 1
Link to comment
Share on other sites

Oh, you're so good. Through how you show up I was saw so. This kgm though nothing special. I only use a small technique is shellcode to hide the code of function MessageBoxA. And the main purpose is my hope that you found the standard code was called this MsgA and you're done it very well. >biggrin.png<

Now, I can public the of this keygenme, it's: 16091991

Edited by vic4key
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...