Tuts 4 You

[keygenme] .net KeyFileMe #1 ByteBreaker



Rating: Easy / Medium

This is my first ever crackme/keygenme/keyfileme. It is programmed in .net (VB but in Reflector they all look the same ;-) )

It needs .net 4.0 Client Profile.

It is obfuscated but it's easy to remove and I think it's not made much harder.

Make a working keyfile for the Enterprise or Ultimate versions or better make a keyfile gen.

Maybe do a tut to show how this protection could be made better (it could).



Edited by ByteBreaker

Why does my AV pop up and say TR/Dropper.gen for a vb.net application?

And yes, most people hate .net

Edited by accede

TR/Dropper. Stupid useless AV. This only reads the license file and validates it. There is no other function.

Reverse engineer it and check for yourself :-)

So much scope for RE, it's a shame people do not like .net!!!

I thought this keyfileme would be solved quickly or someone would post something about what it is doing, so I change the rating, I think.

I upgrade it to medium - hard then, but it has weak points...

Edited by ByteBreaker

Just to prove that it's doable.. ;)

It's quite a nice crackme. It's a shame that the biggest difficulty in this crackme comes from Eazfuscator protection, not from your work.

Weakest points : xor encryption, calculating/showing correct signature.





Your keyfileme is a simple xor as far as I can see, and something about md5.

You only need to find the methods for all labels and so on, that is all. Here is the routine for lbl20:

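Public Function method_16(ByVal byte_1 As Byte()) As UInteger
    ' 32-bit FNV-1a hash. The offset basis &H811C9DC5 (2166136261) was printed
    ' by the decompiler as the signed value -2128831035.
    Dim num1 As UInteger = 2166136261UI
    Dim num2 As Integer = 0
    Do While (num2 < byte_1.Length)
        num1 = (num1 Xor byte_1(num2))
        ' Multiply by the FNV prime and keep the low 32 bits; doing it in ULong
        ' avoids an OverflowException when integer overflow checks are enabled.
        num1 = CUInt((CULng(num1) * 16777619UL) And &HFFFFFFFFUL)
        num2 = (num2 + 1)
    Loop
    Return num1
End Function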
Edited by accede

@accede: why don't you post your own keyfile? :)

Here's my solution (I abused flaws in keyfileme):

1. Removing Eazfuscator.

Everyone knows about de4dot. :-) After deobfuscation signature validation routines didn’t work properly, but keygenme was decrypting key file correctly. That was enough.

2. Key file decryption routine.

After looking around for a minute, I found it:


It loads file, decrypts it using XOR algorithm (with unknown key) and then tries to load it as XML.

What’s the problem here? XOR algorithm is symmetrical. Same code that decrypts the file can be used to encrypt the file. All I need is to get decrypted memory stream contents – then I can modify data and force keygenme to encrypt it back.

3. Injecting code.

Injecting a few lines of IL code is easy with Reflexil. But I needed more than that – I needed to be able to dump entire memory stream contents, and Reflexil cannot do that, not even with its C# compilation feature. There were several options:

• Any native code debugger should be able to do that. Ugly and slow process.

• DILE or ILSpy .NET debuggers should be able to do that somehow. No matter how hard developers try, these tools still are crappy.

So, I decided to do it in an old-school way – ILDASM/ILASM cycle. I injected 2 IL instructions right after the decryption loop is finished:


and created new method which dumps memory stream to a file. In C# it looked like this:


It’s like 25 IL instructions long, so I won’t show it…

4. ILASM happily compiled the file but it wouldn’t run:

Unhandled Exception: System.IO.FileLoadException: Could not load file or assembly 'KeyFileMe01, Version=, Culture=neutral, PublicKeyToken=de67839265de3f3f' or one of its dependencies. Strong name validation failed. (Exception from HRESULT: 0x8013141A) ---> System.Security.SecurityException: Strong name validation failed. (Exception from HRESULT: 0x8013141A)
--- End of inner exception stack trace ---

This can be fixed using CFF Explorer:


Now I have patched keygenme which will encrypt/decrypt key file of my choice.

5. After running patched keygenme, I got this nice decrypted XML:

<Product> KeyFileMe 2012 </Product>
<Version> Professional </Version>
<Name> Aaron Aardvark </Name>
<Serial> 0000-0001 </Serial>
<Signature> B6CqR24q18vVCUJMFZIy3dNUO6QcTGrWe5Vc91KuuwtL </Signature>

I replaced values with my own and saved file as License.dat. After running patched keygenme again, I got error message saying "License file format error: Invalid character in the given encoding. Line 1, position 1." but I also got encrypted file with my name but bad signature.

So, I copied encrypted file to License.dat and ran original keygenme.


Here I can copy correct signature, modify XML again and encrypt it. Game over!

P.S. It took me 2 times longer to write the tutorial than to break this keygenme.. Oh well, maybe someone will learn something from it..



  • Like 4
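
The weak point named in this thread (the client itself calculates the correct signature) next to a verify-only design, as an added C# example that is not part of the original posts or the keyfileme's code. The field layout, the HMAC stand-in for the keyfileme's unknown signature routine, the embedded secret and all names are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class LicenseCheckDemo
{
    // Constructed placeholder for whatever secret the client embeds.
    static readonly byte[] EmbeddedSecret = Encoding.UTF8.GetBytes("constructed-demo-secret");

    // Weak: the client derives the expected signature itself (HMAC is a stand-in
    // for the keyfileme's unknown routine), so it can be made to sign any fields.
    static string ExpectedSignature(string fields)
    {
        using (var mac = new HMACSHA256(EmbeddedSecret))
            return Convert.ToBase64String(mac.ComputeHash(Encoding.UTF8.GetBytes(fields)));
    }

    static bool WeakVerify(string fields, string signature) =>
        ExpectedSignature(fields) == signature;

    // Hardened: the client holds only a public key, so it can verify but not sign.
    static bool StrongVerify(RSAParameters publicKey, string fields, byte[] signature)
    {
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(publicKey);
            return rsa.VerifyData(Encoding.UTF8.GetBytes(fields), signature,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    static void Main()
    {
        // Constructed sample fields, modelled on the XML shown in the post.
        string issued = "KeyFileMe 2012|Professional|Aaron Aardvark|0000-0001";
        string edited = issued.Replace("Professional", "Ultimate");
        // Client-side code alone yields a value the weak check accepts.
        Console.WriteLine("weak, edited fields: " + WeakVerify(edited, ExpectedSignature(edited)));
        using (RSA vendor = RSA.Create())   // private key never ships with the client
        {
            byte[] sig = vendor.SignData(Encoding.UTF8.GetBytes(issued),
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            RSAParameters pub = vendor.ExportParameters(false);
            Console.WriteLine("strong, issued fields: " + StrongVerify(pub, issued, sig));
            Console.WriteLine("strong, edited fields: " + StrongVerify(pub, edited, sig));
        }
    }
}
```

With this design the XOR layer over the key file is only obfuscation; the integrity of the fields rests on the signature, which the shipped binary cannot produce.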

Sorry, I hate net. The only thing that I can say is that the key for the binary file is

BinaryReader reader = new BinaryReader(new MemoryStream(this.method_20("xfee465e31ac15d7b21d8ca9d6f5ac685")));

I cannot find the routine, or my eyes are blind.

Edited by accede

@accede that is something that is encrypted, but it has nothing to do with the license file. What is brilliant about Kao's tutorial is that finding out *what* is being decrypted here is not important.

I will do a keyfileme #2 that will need these more hidden features to be understood...

