mudlord Posted February 4, 2013 Sorry for taking so long. mudlord_keygenme2.zip
atom0s Posted February 4, 2013 Virus scanners detect: TrojanDropper:Win32/Jevafus.A
mudlord Author Posted February 4, 2013 That would be the packer. I used obfuscation in the packer, as well as the keygenme.
deepzero Posted February 4, 2013 Easy unpack, never seen the packer before, though. What is this? Edited February 4, 2013 by deepzero
mudlord Author Posted February 4, 2013 That would be my own packer. It does give positive feedback on a proper serial though, is that what you mean?
mudlord Author Posted February 4, 2013 Yes, a MessageBox is given on valid serial.
NikolayD Posted February 4, 2013 I always have the same value:
CMP DWORD PTR SS:[EBP-0x358],EAX
[EBP-0x358]=00000060
Is it correct?
mudlord Author Posted February 4, 2013 Odd, any exact address? EDIT: tried debugging my code, my keygen works on my system :/ Edited February 4, 2013 by mudlord
deepzero Posted February 4, 2013 Yeah, that looks like an off-by-4 bug to me, too. Looks like you are comparing the return address instead of the serial dword. e.g.
00402929 . 3985 9CFCFFFF CMP DWORD PTR SS:[EBP-364],EAX
stack:
0012F554 2A323106 //value that is in eax, too
0012F558 E9988CC8 //actual part of serial
0012F55C 77F16BF2 RETURN to GDI32.77F16BF2 //some return address
state/pane:
EAX=2A323106
Stack SS:[0012F55C]=77F16BF2 (GDI32.77F16BF2)
Or maybe it's just a nifty trick?
deepzero Posted February 4, 2013 Ah, so it is a trick? Anyways, it'll have to wait for tomorrow... :tired:
NikolayD Posted February 4, 2013 For this address 0040267B the value is always 60. But it is set earlier at this address 00403387. Ok?
mudlord Author Posted February 4, 2013 Looks like you are running into issues with the obfu/antidebug (used BeaJunker macros ported to C) :< If people prefer, I could leave the packing code as-is and remove the obfu in the checking code? Not sure why it would be interfering though. Edited February 4, 2013 by mudlord
deepzero Posted February 4, 2013 Could you drop off an example name/serial combo to verify that it actually works? (only if it doesn't ruin the challenge, of course...)
mudlord Author Posted February 4, 2013 For my hardware:
mudlord
N+NGKVDLDk+8pESolBZYNNvZVQHqd6oNQTpQn+Mf2Gs=
Was intending the crackme to be HWID based, should have added a HWID label in the crackme :< Edited February 4, 2013 by mudlord
NikolayD Posted February 4, 2013 Don't know. I unpack and kill obfu/antidebug.
mudlord Author Posted February 4, 2013 Okay, so it was not working properly at all. Sorry for the issues, should have tested more. Back to the drawing board I suppose. :< mudlord_keygen.zip Edited February 4, 2013 by mudlord