Levis Posted November 27, 2012 (edited)
Hello all mates, this keygen I created today, just for fun, and for whoever wants to test their reversing skills. It's an easy one (as I said in the title, very simple), so feel free to defeat it.
Name: Levis's Simple Keygenme05
Language: Borland Delphi
Packer: N/A
Level: Tell me?
PlAyInG rUlEz: Only a keygen is accepted; serial fishing is okay, but will not be a valid solution. And, of course, no patching at all.
Demo picture:
Download (some errors fixed): http://up.ht/Tjbrx8 or the attached file below.
All bug reports are welcome. You can post the solution here, and it would be better if you post the solution at this place (my thread at RePT's Forum).
Enjoy and best regards, Levis
Edit: Bugs were found in this keygenme, and I fixed some. Please download again (the fixed file). Sorry... kgm05-fixed.7z
Edited November 27, 2012 by Levis
kao Posted November 27, 2012
The correct serial cannot be fished in this crackme, so I'm really confused by your rules. Anyway, I can't be bothered to reimplement several of your procedures (CRC, MD5) in my code, so no keygen from me. Here's a valid serial:
Name: kao.was.here
Serial: ERBQAJRQHHERBYJYLQAMEBDLREXBJBXL
Obviously it will only work for today.
ChOoKi Posted November 27, 2012 (edited)
@Levis: I have a question, m8, hope you don't take it the wrong way: do you actually have a working keygen for this challenge? I only ask because something(s) don't add up here, for example (and without giving too much away):
(Smaller Number - a value) * number of times = Bigger Number
Regards
{.... updated post ....}
I see you have updated the challenge, hope the problem is fixed.
{.... Updated again! ....}
Bug still exists!! I have a working keygen, but with the bug existing, some names cannot have a valid serial on certain days. Example:
name: Levis
serial: < nothing for 27, 28, 29 / 11 / 2012 >
but if you care to wait till the 30th, then you can use LMDRRSJHJMBQBBSLMBRXHACQAQPXLQEJ
Hope I didn't give away too much and ruin it for others.
Edited November 27, 2012 by ChOoKi
Levis Posted November 28, 2012 (Author, edited)
@all: thanks for trying.
@kao: Great, mate. We still can fish the serial; I used some small trick to hide the information of the serial. If you find them, we can fish it easily.
@ChOoKi: I have a working keygen (maybe). It gave me serials for the 27th, 28th, and 29th.
Name: Levis
Serial for 27th: MAMPSQRPEQXDSJJPSJBHXCRXXJBSWPɉ
Serial for 28th: JEYBXMLRBRSCPQHQDLXPC‹MECSLBQALQ
Serial for 29th: YAYBMBBYHXPPMMPSTDYBYPEYXJCQJ3XD
Serial for 30th: LMDRRSJHJMBQBBSLMBRXHACQAQPXLQEJ (like yours)
And yes, the bugs are still there. Thank you. The serial for the 27th contains a strange character "‰" which I never minded about. You can download the working keygen in the attachment. Project2.7z
Edited November 28, 2012 by Levis
ChOoKi Posted November 28, 2012 (edited)
You do realize that these "strange characters" in your 3 keys are the result of chars obtained from outside the lookup string, and this happens only when the md5 string used has a zero char '0' beyond the 17th position.
Name: Levis
Serial for 27th: MAMPSQRPEQXDSJJPSJBHXCRXXJBSWPɉ < 29th, 31st, 32nd loops
E1EBD8FBC826D99BD93425F2293D0B00 < md5
Serial for 28th: JEYBXMLRBRSCPQHQDLXPC‹MECSLBQALQ < 22nd loop
9C732EAF3FD5B8486A2B50EC5DA381A8 < md5
Serial for 29th: YAYBMBBYHXPPMMPSTDYBYPEYXJCQJ3XD < 30th loop
7173E33742BBE0BD06737BC729589026 < md5
This final check is a simple one; the problem was in implementing it, creating a nasty bug. It uses two strings: the first is a 32 hex char string created from md5 hashing a 4-longs buffer, the second one, "AXBHCDYQJLPESMRUT", is a 17 char string used as a lookup string. The need to have a 32 char serial is obvious, since the length of the serial is added to a preset value to make the goodboy message address; as for the loop, well, it's set based on the length of the serial.
This is what happens inside the loop: at every round, grab a char from the md5 string, turn it into an integer, use that integer to point at a char in the lookup string, xor that char with the char from the serial and finally subtract the result from the goodboy address. So this means the xor result should be zero, else our goodboy address will change.
A simple question here will be: "What if we have a zero char '0' in the md5 string, wouldn't the integer from it (zero) point to a byte before the lookup string?" For that, your code shows a condition has been set for when this happens, and if it does, then this integer will get the loop counter value instead. But with that we have a new problem now, for when a zero char '0' is found in the md5 string after position 17: that will make it point past the 17 char lookup string and into? You guessed it.
Suggestions: any of the three below should work:
1) replace the lookup string with a [0..15] lookup buffer; now the pointer is set right, between 0..15
2) if you want a lookup string, then by adding 1 to the integer from md5 you will get 1..16 and again the pointer will be set right
3) if you choose to use the loop counter value as the pointer, increase the length of the lookup string to 32 chars to accommodate the 32 loop rounds.
Regards
Edited November 28, 2012 by ChOoKi
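A model of the final check as ChOoKi describes it, written as an added example for this thread (it is not the keygenme's own Delphi code, nor Levis's or ChOoKi's keygen). The 4-longs buffer that gets md5-hashed is not described, so the md5 strings are the ones quoted in the post for name "Levis"; the PRESET and GOODBOY addresses are made-up placeholders. The example reproduces the original indexing (hex digit value as a 1-based index into the 17-char lookup string, loop counter substituted for a zero digit), shows which loop rounds read past the lookup string for each of the three days, and implements suggestion 2 (add 1 to the digit) beside it.

```python
"""Model of the keygenme05 final check as described in the thread.

Added example, not the keygenme's own code. PRESET/GOODBOY are invented
placeholders; the md5 strings are the ones quoted in ChOoKi's post.
"""

LOOKUP = "AXBHCDYQJLPESMRUT"        # 17-char lookup string from the post
SERIAL_LEN = 32                      # one serial char per md5 hex digit
PRESET = 0x00401000                  # hypothetical preset value
GOODBOY = PRESET + SERIAL_LEN        # preset + len(serial) for a 32-char serial

# md5 strings quoted in the thread for name "Levis" on 27/28/29 Nov 2012
MD5_27 = "E1EBD8FBC826D99BD93425F2293D0B00"
MD5_28 = "9C732EAF3FD5B8486A2B50EC5DA381A8"
MD5_29 = "7173E33742BBE0BD06737BC729589026"


def buggy_expected(md5_hex):
    """Expected serial chars under the original logic.

    Delphi strings are 1-based: the hex digit value indexes LOOKUP directly,
    and a zero digit is replaced by the loop counter. Loop counters above 17
    fall past the end of LOOKUP; those rounds are returned as None because the
    real binary reads whatever byte happens to follow the string.
    """
    out = []
    for i, h in enumerate(md5_hex.upper(), start=1):
        idx = int(h, 16) or i                   # zero digit -> loop counter
        out.append(LOOKUP[idx - 1] if idx <= len(LOOKUP) else None)
    return out


def fixed_expected(md5_hex):
    """ChOoKi's suggestion 2: add 1 to the digit so the 1-based index is
    always 1..16; the loop-counter special case is no longer needed."""
    return [LOOKUP[int(h, 16)] for h in md5_hex.upper()]   # digit d -> position d+1


def render(expected):
    """Serial text; '?' marks a round whose byte this model cannot predict."""
    return "".join(c if c is not None else "?" for c in expected)


def unpredictable_positions(md5_hex):
    """1-based loop rounds where the original logic reads past LOOKUP."""
    return [i for i, c in enumerate(buggy_expected(md5_hex), start=1) if c is None]


def goodboy_address(serial, expected):
    """The check as described: start from PRESET + len(serial), then in every
    round subtract (lookup char XOR serial char). Only all-zero XORs leave the
    address at GOODBOY. Returns None if a round depends on an unknown byte."""
    addr = PRESET + len(serial)
    for s, e in zip(serial, expected):
        if e is None:
            return None
        addr -= ord(s) ^ ord(e)
    return addr


def check_serial(serial, expected):
    """True iff the serial lands exactly on the goodboy address."""
    return len(serial) == SERIAL_LEN and goodboy_address(serial, expected) == GOODBOY


if __name__ == "__main__":
    for day, h in (("27", MD5_27), ("28", MD5_28), ("29", MD5_29)):
        print(day, "original:", render(buggy_expected(h)),
              "bad rounds:", unpredictable_positions(h))
        fixed = render(fixed_expected(h))
        print(day, "fixed:   ", fixed, check_serial(fixed, fixed_expected(h)))
```

Run it and the "?" positions line up with the loop numbers ChOoKi lists (29/31/32, 22, 30). Note that suggestion 2 changes every serial, while suggestion 3 (a 32-char lookup string) would keep the already-valid ones but needs 15 extra characters of the author's choosing, which the thread does not give. The model also makes the length term visible: each extra serial character adds 1 to the address and each non-zero XOR subtracts, which is the slack that a serial of a different length can play with; how the binary indexes the md5 string past 32 rounds is not described in the thread, so the model stops at 32.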
kao Posted November 28, 2012
ChOoKi: actually, there are more ways to solve the crackme (by exploiting another bug in it). Think harder. Below are valid serials (numbers & letters only) for name Levis for Nov-27 and Nov-28, but please don't look if you don't want to spoil the fun. (The forum engine breaks the serial into several lines. It must be all on one line!)
Name: Levis
Nov-27: mampsqRPEQXDSJJPSJBHXCRXXJBSWPII11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
Nov-28: jeYBXMLRBRSCPQHQDLXPCKMECSLBQALQ1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
ChOoKi Posted November 28, 2012 (edited)
LOL, sure you can increase & decrease values here & there to come out with the goodboy address, but my bet is Levis never intended it to be as such, I mean check his kgm. Also, when reporting bugs back to the author/poster, one can only hope that he/she will understand how disappointing it is when one or two slip through; the good thing is, we all make honest mistakes and they end up making us.
Edited November 28, 2012 by ChOoKi
Levis Posted November 28, 2012 (Author)
Yes, I said "All bug reports are welcome". And these reports will help me improve my skills. About the problem with the "Strange Character": after I saw it, I took a look to find out what happened. And all the things that ChOoKi said are correct. I wasted too much time handling the address pointer of goodboy, but I forgot the simple thing (but very important). That's my mistake. You guys woke me up. This will be very useful for me.