[Keygenme] Levis's Simple Keygenme05

[Levis]

Hello all mates,

This keygen i created today, just for fun, and for who want to test their reversing skills. It's an easy one ( as i said in the title, very simple ), so feel free to defeat it.

Name :Levis's Simple Keygenme05

Language: Borland Delphi

Packer : N/A

Level : Tell me?

PlAyInG rUlEz: Only keygen accepted, serial fishing is okay, but will not be valid solution. and, of course , no patching at all ;

Demo picture:

Download(some errors fixed) :

>http://up.ht/Tjbrx8

or attached file below.

All bug reports are welcome.

You can post solution here, and would be better if you post solution at this place(my thread at RePT's Forum

Enjoy and best regards,

Levis

Edit: Bugs were found in this keygenme. and i fixed some. Please download again (the fixed file). Sorry...

kgm05-fixed.7z

Edited November 27, 2012 by Levis

[kao]

Correct serial cannot be fished in this crackme, so I'm really confused by your rules..

Anyway, I can't be bothered to reimplement several of your procedures (crc, md5) into my code - so no keygen from me.

Here's valid serial:

Name: kao.was.here

Serial: ERBQAJRQHHERBYJYLQAMEBDLREXBJBXL

Obviously it will only work for today..

[ChOoKi]

@Levis: I have a question m8 hope you don't take it the wrong way, do you actually have a working keygen for this challenge, I only ask cuz something(s) don't add up here, example (and without giving too much away):

(Smaller Number - a value) * number of times = Bigger Number

Regards

{.... updated post ....}

I see you have updated the challenge, hope the problem is fixed

{.... Updated again! ....}

Bug still exists!!

I have a working keygen, but with the bug existing, some names can not have a valid serial on certain days. Example:

name: Levis

serial: < nothing for 27,28,29 / 11/ 2012 >

but if you care to wait till the 30th, then you can use LMDRRSJHJMBQBBSLMBRXHACQAQPXLQEJ

Hope I didn't give away too much to ruin it for others.

Edited November 27, 2012 by ChOoKi

[Levis]

@all: thanks for trying

@kao: Greats,mate. We still can fish the serial, i used some small trick to hide information of serial. If found them, so we can fish it easily.

@ChOoki:

I have working keygen( maybe). It gave me serial for 27th, 28th, and 29th serials.

Name: Levis
Serial for 27th: MAMPSQRPEQXDSJJPSJBHXCRXXJBSWPɉ
Serial for 28th: JEYBXMLRBRSCPQHQDLXPC‹MECSLBQALQ
Serial for 29th: YAYBMBBYHXPPMMPSTDYBYPEYXJCQJ3XD
Serial for 30th: LMDRRSJHJMBQBBSLMBRXHACQAQPXLQEJ (like yours)

and yes, bugs still there. Thank you. The serial of 27th contains a strange character "‰" which i never mind about it.

You can download the working keygen in the attachment.

Project2.7z

Edited November 28, 2012 by Levis

[ChOoKi]

You do realize that these "strange characters" in your 3 keys are the result of chrs obtained from outside the lookup string, and this happens only when used md5 string has a zero chr '0' beyond the 17th position.

Name: Levis

Serial for 27th:

MAMPSQRPEQXDSJJPSJBHXCRXXJBSWPɉ < 29th,31st,32nd loops

E1EBD8FBC826D99BD93425F2293D0B00 < md5

Serial for 28th:

JEYBXMLRBRSCPQHQDLXPC‹MECSLBQALQ < 22nd loop

9C732EAF3FD5B8486A2B50EC5DA381A8 < md5

Serial for 29th:

YAYBMBBYHXPPMMPSTDYBYPEYXJCQJ3XD < 30th loop

7173E33742BBE0BD06737BC729589026 < md5

This final check is a simple one, problem was in implementing it creating a nasty bug. It uses two strings, the frst is a 32 heximal chrs string created from md5 hashing a 4 longs buffer, the second one "AXBHCDYQJLPESMRUT" is a 17 chrs string and used as a lookup string.

The need to have a 32 chrs serial is abvious since the length of the serial is added to a preset value to make the goodboy message address, as for the loop, well it's set based on the length of the serial. This is what happens inside the loop:

At every round, grab a chr from the md5 string, turn it to an integer, use that integer to point at a chr in the lookup string, xor that chr with chr from serial and finally subtract result from the goodboy address, so this means the xor result should be zero else our goodboy address will change. A simple question here will be "What if we have a zero chr '0' in the md5 string, wouldn't the integer from it (zero) point to a byte before the lookup string? For that your code shows a condition has been set for when this happenes and if it does then this integer will get the loop counter value instead, but with that we have a new problem now for when a zero chr '0' is found in the md5 string after position 17, that will make it point past the 17 chrs lookup string and into? you guessed it

Sugesstions: Any of the three bellow should work:

1) replace lookup string with a [0..15] lookup buffer, now pointer is set right between 0..15

2) if you want a lookup string then by adding 1 to the integer from md5 you will get 1..16 and again pointer will be set right

3) if you choose to use loop counter value as pointer, increase the length of the lookup string to 32 chrs to accomidate the 32 loop rounds.

Regards

Edited November 28, 2012 by ChOoKi

[kao]

ChOoKi: actually, there are more ways to solve the crackme (by exploiting another bug in it) Think harder.

Below are valid serials (numbers&letters only) for name Levis for Nov-27 and Nov-28, but please don't look if you don't want to spoil the fun..

(forum engine breaks serial into several lines. It must be all on one line!)

Name: Levis

Nov-27: mampsqRPEQXDSJJPSJBHXCRXXJBSWPII11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

Nov-28: jeYBXMLRBRSCPQHQDLXPCKMECSLBQALQ1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

[ChOoKi]

LOL, sure you can increase & decrease values here & there to come out with the goodboy address, but my bet is Levis never intended it to be as such, I mean check his kgm.

Also, when reporting bugs back to the author/poster one can only hope that he/she will understand how disappointing it is when one or two slip through, good thing is, we all make honest mistakes and they end up making us.

Edited November 28, 2012 by ChOoKi

[Levis]

Yes, I said "All bug reports are welcome". And these reports will help me improve my skills . the problem about "Strange Character", after i saw it, I take a look to find out what happended. And all things that ChOoKi said are correct . I'm waste too many time to handle the address pointer of goodboy, but I forgot the simple thing (but very important). That's my mistake. You guys are waked me up. This would be very useful for me.