ByteBreaker Posted October 9, 2012 (edited) Rating: Easy / Medium. This is my first ever crackme/keygenme/keyfileme. It is programmed in .NET (VB, but in Reflector they all look the same ;-) ). It needs .NET 4.0 Client Profile. It is obfuscated, but it's easy to remove and I think it's not made much harder. Make a working keyfile for the Enterprise or Ultimate versions, or better, make a keyfile gen. Maybe do a tut to show how this protection could be made better (it could). BBKeyFileMe01.zip Edited October 9, 2012 by ByteBreaker
ByteBreaker Posted October 19, 2012 (Author) Anyone tried this? Did I put the rating wrong, or maybe people hate .NET :-)
Accede Posted November 10, 2012 (edited) Why does my AV pop up and say TR/Dropper.gen for a VB.NET application? And yes, most people hate .NET. Edited November 10, 2012 by accede
ByteBreaker Posted November 10, 2012 (Author, edited) TR/Dropper. Stupid useless AV. This only reads the license file and validates it. There is no other function. Reverse engineer it and check for yourself :-) So much scope for RE; it's a shame people do not like .NET!!! I thought this keyfileme would be solved quickly, or someone would post something about what it is doing, so I think I will change the rating. I upgrade it to medium-hard then, but it has weak points... Edited November 10, 2012 by ByteBreaker
kao Posted November 11, 2012 Just to prove that it's doable.. It's quite a nice crackme. It's a shame that the biggest difficulty in this crackme comes from the Eazfuscator protection, not from your work. Weakest points: XOR encryption, calculating/showing the correct signature. Cheers, kao. License.zip
ByteBreaker Posted November 11, 2012 (Author) Nice one Kao. Thanks for this, and you got yourself the Ultimate version https://forum.tuts4you.com/gallery/image/402-bbkfm01sol01/ Can you say something about what you did? Did you make a keygen, inject some code, and hijack the keyfileme's own routines? Cheers BB
Accede Posted November 11, 2012 (edited) Your keyfileme is a simple XOR as far as I can see, and something about MD5. You need only to find the methods for all labels and so on, that is all. Here is the routine for lbl20:

Public Function method_16(ByVal byte_1 As Byte()) As UInteger
    ' FNV-1a 32-bit hash: offset basis 2166136261 (the decompiler showed it as the signed value -2128831035), prime 16777619
    Dim num1 As UInteger = 2166136261UI
    For Each byte1 As Byte In byte_1
        num1 = num1 Xor byte1
        ' multiply modulo 2^32; the decompiled loop relied on unchecked overflow, so mask explicitly here
        num1 = CUInt((CULng(num1) * 16777619UL) And &HFFFFFFFFUL)
    Next
    Return num1
End Function

Edited November 11, 2012 by accede
kao Posted November 11, 2012 @accede: why don't you post your own keyfile? Here's my solution (I abused flaws in the keyfileme):

1. Removing Eazfuscator. Everyone knows about de4dot. :-) After deobfuscation the signature validation routines didn't work properly, but the keygenme was decrypting the key file correctly. That was enough.

2. Key file decryption routine. After looking around for a minute, I found it: it loads the file, decrypts it using a XOR algorithm (with an unknown key) and then tries to load it as XML. What's the problem here? The XOR algorithm is symmetrical. The same code that decrypts the file can be used to encrypt the file. All I need is to get the decrypted memory stream contents; then I can modify the data and force the keygenme to encrypt it back.

3. Injecting code. Injecting a few lines of IL code is easy with Reflexil. But I needed more than that: I needed to be able to dump the entire memory stream contents, and Reflexil cannot do that, not even with its C# compilation feature. There were several options:
• Any native code debugger should be able to do that. Ugly and slow process.
• DILE or ILSpy .NET debuggers should be able to do that somehow. No matter how hard developers try, these tools still are crappy.
So, I decided to do it in an old-school way: the ILDASM/ILASM cycle. I injected 2 IL instructions right after the decryption loop is finished, and created a new method which dumps the memory stream to a file. In C# it looked like this: It's like 25 IL instructions long, so I won't show it...

4. ILASM happily compiled the file, but it wouldn't run:
Unhandled Exception: System.IO.FileLoadException: Could not load file or assembly 'KeyFileMe01, Version=1.0.0.0, Culture=neutral, PublicKeyToken=de67839265de3f3f' or one of its dependencies. Strong name validation failed. (Exception from HRESULT: 0x8013141A) ---> System.Security.SecurityException: Strong name validation failed. (Exception from HRESULT: 0x8013141A)--- End of inner exception stack trace ---
This can be fixed using CFF Explorer. Now I have a patched keygenme which will encrypt/decrypt a key file of my choice.

5. After running the patched keygenme, I got this nice decrypted XML:
<License><Product> KeyFileMe 2012 </Product><Version> Professional </Version><Registration><Name> Aaron Aardvark </Name><Serial> 0000-0001 </Serial></Registration><Signature> B6CqR24q18vVCUJMFZIy3dNUO6QcTGrWe5Vc91KuuwtL </Signature></License>
I replaced the values with my own and saved the file as License.dat. After running the patched keygenme again, I got an error message saying "License file format error: Invalid character in the given encoding. Line 1, position 1." but I also got an encrypted file with my name but a bad signature. So, I copied the encrypted file to License.dat and ran the original keygenme. Here I can copy the correct signature, modify the XML again and encrypt it. Game over!

P.S. It took me 2 times longer to write the tutorial than to break this keygenme.. Oh well, maybe someone will learn something from it.. Cheers, kao.
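As an added example that is not part of the thread (my own code, not ByteBreaker's crackme or kao's patch), the Python below ports the FNV-1a routine accede posted for lbl20 so its decompiled constants can be checked against the public FNV test vectors, and illustrates the two weak points kao names: a symmetric XOR layer whose decrypt routine is also the encrypt routine, and a signature check that should report nothing beyond pass/fail. The XOR key, the license values and the MAC secret are constructed placeholders; the crackme's real key, its signature algorithm and its XML whitespace are not on the page and are not reproduced here.

```python
# Added example, not code from the crackme or from the thread's authors.
import hashlib
import hmac
import xml.etree.ElementTree as ET

# FNV-1a 32-bit constants as they appear in the decompiled method_16:
# -2128831035 is 2166136261 (0x811C9DC5) read as a signed 32-bit value.
FNV_OFFSET_BASIS = 0x811C9DC5
FNV_PRIME = 0x01000193
MASK32 = 0xFFFFFFFF


def fnv1a_32(data: bytes) -> int:
    """Port of method_16: XOR each byte into the state, multiply mod 2**32.
    FNV-1a is a fast non-cryptographic hash with no secret, so anyone who
    reads the checker can recompute it for any input."""
    h = FNV_OFFSET_BASIS
    for b in data:
        h ^= b
        h = (h * FNV_PRIME) & MASK32
    return h


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. There is no separate decrypt: applying the same
    function with the same key twice returns the original bytes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def roundtrip_is_identity(plaintext: bytes, key: bytes) -> bool:
    """The property kao used: the checker's own decryption loop doubles as
    an encryptor for whatever XML is fed to it."""
    return xor_crypt(xor_crypt(plaintext, key), key) == plaintext


# Constructed sample in the layout kao dumped. Name, serial and signature
# are invented; the 4-byte XOR key is a hypothetical value for this demo.
SAMPLE_XML = (
    b"<License><Product>KeyFileMe 2012</Product>"
    b"<Version>Professional</Version>"
    b"<Registration><Name>Aaron Aardvark</Name>"
    b"<Serial>0000-0001</Serial></Registration>"
    b"<Signature>PLACEHOLDER</Signature></License>"
)
HYPOTHETICAL_XOR_KEY = b"\x5a\xa5\x3c\xc3"
HYPOTHETICAL_MAC_SECRET = b"demo-secret-not-from-the-crackme"


def parse_license(xml_bytes: bytes) -> dict:
    """Load the decrypted key file as XML, as the checker in the thread does."""
    root = ET.fromstring(xml_bytes)
    reg = root.find("Registration")
    return {
        "product": root.findtext("Product"),
        "version": root.findtext("Version"),
        "name": reg.findtext("Name"),
        "serial": reg.findtext("Serial"),
        "signature": root.findtext("Signature"),
    }


def decrypt_and_parse(blob: bytes, key: bytes) -> dict:
    """XOR first, then parse: the order kao describes for the key file loader."""
    return parse_license(xor_crypt(blob, key))


def mac_tag(fields: dict) -> str:
    """Keyed tag over the licensed fields. Unlike FNV-1a this needs a secret,
    but a symmetric secret still ships inside the checker binary."""
    msg = "|".join(fields[k] for k in ("product", "version", "name", "serial"))
    return hmac.new(HYPOTHETICAL_MAC_SECRET, msg.encode(), hashlib.sha256).hexdigest()


def signature_is_valid(fields: dict) -> bool:
    """Return only pass/fail, compared in constant time, and never surface the
    expected tag: the second weakness kao lists is a checker that displays
    the correct signature when the supplied one is wrong."""
    return hmac.compare_digest(mac_tag(fields), fields["signature"] or "")
```

The HMAC variant closes the "showing the correct signature" hole but not the "symmetric" one: its secret is still recoverable from the checker, exactly as the XOR key was. The change that actually makes a key file scheme better is an asymmetric signature (for example RSA or ECDSA), where the checker holds only the public key and can verify but never produce a signature, so dumping and re-encrypting the XML no longer yields a valid license.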
Accede Posted November 11, 2012 (edited) Sorry, I hate .NET. The only thing that I can say is that the key for the binary file is: BinaryReader reader = new BinaryReader(new MemoryStream(this.method_20("xfee465e31ac15d7b21d8ca9d6f5ac685"))); I cannot find the routine, or my eyes are blind. Edited November 11, 2012 by accede
ByteBreaker Posted November 11, 2012 (Author) Hi Kao, excellent tutorial. Thank you for doing it; there is lots to learn from this. BB
ByteBreaker Posted November 11, 2012 (Author) @accede that is something that is encrypted, but it has nothing to do with the license file. What is brilliant about Kao's tutorial is that finding out *what* is being decrypted here is not important. I will do a keyfileme #2 that will need these more hidden features to be understood... BB