Tuts 4 You

[keygenme] Got skills?


kao


Hi guys,

After being idle for a long long time, I'm happy to present you a small challenge. I hope it will keep you busy for a while. :)


From the readme:

Goal: write a keygen.

Difficulty: 5/10.

Protection: yes, there is some.

Time required: entire evening or more.

This is an oldschool keygenme that will test both your reversing and coding skills. However, if your reversing skills are limited to running OllyScripts, de4dot and Reflector, don't waste your time, you won't break it. If you can't write your own tools, you will struggle. You have been warned.

Cracked exes and loaders are for eternal noobs. The only proper solution is a keygen.

Requirements: .NET 2.0, tested on 32bit XP, 64bit Win7, 32bit Win8.

Have fun!

kao.

GotSkills_by_kao.zip


Hadits follower

This is a nice obfuscator. I don't know whoever made it, but the strong name is nice. I just removed the strong name and the file is fully clean, all done, but the calli System.Void and string encryption parts are also excellent; there I'm held up, but trying my best. That part is hard for me because, as you know as well, I am still not a good coder like you, 0xd4d, codecracker, yck1509, but still learning every day and trying to fix my private obc.

Just saying, cool obfuscator. It must be private? Or maybe made by you? Nice; after many days I see a nice second new obfuscator which is fully new. codecracker's obfuscator is also cool, excellent, nice both.

Sorry if off-topic or if you think I did something wrong, then try to forgive, but it's nice actually. If I post again it may be an unpack, which is just trying to unpack. That's why I'm saying this: this is a nice obfuscator. The strong name part is super; that's why I can't decrypt the strings and the System.Void calli => it's a new feature which has the same delegate quality but is fully different, excellent.

Just want to say nice obc :). Don't mind if I'm off-topic or anything is wrong, because codecracker, yck1509, 0xd4d were my teachers; always respect these 3 guys. yck, 0xd4d, not seen for many days.

Excellent obc kao :). It's a bit harder than codecracker's one, but both are excellent. After many days, seeing a new second obc which is fully different from other commercial obcs.

Sorry for my bad English.


Edited by Death
Link to comment
Share on other sites

@Death: I'm glad you like it. :) If you can make fully unpacked (and correctly working!) file, please feel free to post it here.

SN protection, string and call obfuscation are my own, but I don't have a complete obfuscator. The keygenme EXE was handcrafted using ILASM, hex editor and CFF.

When someone solves the keygenme, I could write a small tutorial on how it was created.


Damn! That anti-tamper! I had to patch mscorlib (Environment.Exit) to modify it a little. I don't think I can stand a chance against this, but I will let you know!



@LoLLo90: Nice catch! :) I somehow overlooked that.

if (badThingDetected)
{
    Environment.Exit(1);
    return;   // <---- this one is missing. Silly me.
}
GoodBoyCode();
return;

@ragdog: What I meant with "old school" is "crackme designed to show some novel idea; hard but solvable" - as opposed to recent "generate correct serial, compare it with entered serial and protect it with off-the-shelf protector" kind of crackme. ;)

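As an added example (my code, not kao's or anything from the keygenme), the fail-open shape from the post next to the fail-closed version with the return in place, written in Python so it can be run: sys.exit stands in for Environment.Exit, and neutralised_exit is a hypothetical stub modelling an Exit call that has been patched into a no-op, as LoLLo90 describes doing to mscorlib.

```python
import sys


def exit_process(code):
    """Stand-in for Environment.Exit: raises SystemExit, which ends the process
    unless something catches it (outcome() below catches it so we can inspect it)."""
    sys.exit(code)


def neutralised_exit(code):
    """Hypothetical stub: models an Exit that has been patched into a no-op.
    It simply returns, so control comes back to the caller."""
    return None


def check_fail_open(bad_thing_detected, exit_func=exit_process):
    """The shape from kao's post with the 'return' after the exit call missing.
    Returns True if the good-boy path was reached."""
    if bad_thing_detected:
        exit_func(1)
        # <-- no 'return' here: if exit_func ever comes back, we fall through
    return True  # GoodBoyCode()


def check_fail_closed(bad_thing_detected, exit_func=exit_process):
    """Same check with the missing line in place: the good path is reachable
    only when detection did not fire, whatever exit_func does."""
    if bad_thing_detected:
        exit_func(1)
        return False  # <-- the line that was missing
    return True  # GoodBoyCode()


def outcome(func, bad_thing_detected, exit_func=exit_process):
    """Run one check and report what happened: ('exit', code) if the process
    would have terminated, ('good', reached) if the call returned normally."""
    try:
        reached_good = func(bad_thing_detected, exit_func)
    except SystemExit as e:
        return ("exit", e.code)
    return ("good", reached_good)


if __name__ == "__main__":
    for name, func in (("fail-open", check_fail_open), ("fail-closed", check_fail_closed)):
        print(name, "real exit:       ", outcome(func, True))
        print(name, "neutralised exit:", outcome(func, True, neutralised_exit))
```

With a working Exit both versions terminate on detection, so the difference is invisible in normal testing; only when the exit call is neutralised does the fail-open version run the protected path. The same applies to the .NET original: a detection branch that relies on Environment.Exit never returning has no second line of defence, so the protected code should be unreachable from that branch regardless of what Exit does.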


I had a stroke of luck!


Hadits follower

kao, sorry for posting again. It's super hard protection for me, entry point "062a". So I need some help from you.

The install method body is fully JIT-hooked and super signature like dnghvm; it can't be grabbed by JitDumper or any JIT hooker, but all is possible with metadata. But your strong name and anti-tamper are super hard, with the result that I can't dump the installing method .cctor "062a" and the JIT hook in the <module> upside method. Really, the JIT dump succeeded, but I can't save the unpacked exe because of the strong name.

If you just help me a little with the anti-tamper, I will be glad; then it will be easy for me to unpack.

It's really super protection that I can't explain.....

But I am trying; that's why I just ask about the anti-tamper location. I need help from you, if you can, with the location of the anti-tamper. This is the first time I've seen super protection like this.


Edited by Death

The protection is not JIT-hook based, all the .NET code is in plain sight. So, there is no need to use JitDumper. ;)


Hadits follower

I see all install strings in memory at run time. So it's not JIT hooked?

Just showing a simple memory read at running time; all your strings are hooked or dynamic.

I said JitDumper can do the method install method correctly and grab all the memory code, but however that's not a matter. I am seeing all strings only at runtime, but you said not hooked. Confused!!


Edited by Death

Hadits follower

I will give a tutorial soon on how to unpack it properly. I already told you the strings are hooked and the key is related to JIT; only because of your anti-tamper am I not able to save the dumped exe.

Just need some time to understand your strong anti-tamper, remove it, then reflection-unpack it with one click, same as JitDumper. Just taking time for the tutorial on how to unpack it; not sooo hard, a bit easy :)

However, good protection.

This is the key of the string decrypt, a sample of the install method which is hooked and placed in .cctor 0x06000001:



byte[] data = {
0x6F, 0x6E, 0x31, 0x00, 0x00, 0xE4, 0x35, 0xEF, 0x0E, 0x58, 0x8E, 0x28, 0x0C, 0xF5, 0x01, 0x43,
0x68, 0x65, 0x63, 0x6B, 0x21, 0x00, 0x00, 0xA7, 0xB2, 0x30, 0x3C, 0x40, 0x0E, 0x7E, 0xD9, 0x01,
0x74, 0x65, 0x78, 0x74, 0x42, 0x6F, 0x78, 0x31, 0x00, 0x00, 0x75, 0x03, 0xA0, 0x69, 0x0E, 0xA6,
0xC8, 0x22, 0xAD, 0x01, 0x6B, 0x61, 0x6F, 0x00, 0x42, 0x1E, 0xBA, 0x91, 0xB3, 0x52, 0xB6, 0x96,
0x01, 0x74, 0x65, 0x78, 0x74, 0x42, 0x6F, 0x78, 0x32, 0x00, 0x00, 0xEE, 0x01, 0x2E, 0x2E, 0x2E,
0x20, 0x77, 0x61, 0x69, 0x74, 0x69, 0x6E, 0x67, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x79, 0x6F, 0x75,
0x20, 0x2E, 0x2E, 0x2E, 0x00, 0x54, 0x2F, 0xC8, 0x12, 0x01, 0x6C, 0x61, 0x62, 0x65, 0x6C, 0x31,
0x00, 0x00, 0xCB, 0xA9, 0x27, 0x99, 0x01, 0x4E, 0x61, 0x6D, 0x65, 0x3A, 0x00, 0xFD, 0x74, 0x14,
0xA5, 0x13, 0x01, 0x6C, 0x61, 0x62, 0x65, 0x6C, 0x32, 0x00, 0x00, 0x1C, 0x26, 0x4E, 0x01, 0x53,
0x74, 0x61, 0x74, 0x75, 0x73, 0x3A, 0x00, 0x00, 0x0B, 0x01, 0x6C, 0x69, 0x6E, 0x6B, 0x4C, 0x61,
0x62, 0x65, 0x6C, 0x31, 0x00, 0x00, 0x48, 0x01, 0xD6, 0x44, 0x10, 0xE5, 0xBD, 0xB2, 0x08, 0x29,
0x01, 0x28, 0x63, 0x29, 0x20, 0x6B, 0x61, 0x6F, 0x2C, 0x20, 0x32, 0x30, 0x31, 0x34, 0x2E, 0x20,
0x20, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x62, 0x6F, 0x61, 0x72, 0x64, 0x2E, 0x62, 0x2D,
0x61, 0x74, 0x2D, 0x73, 0x2E, 0x69, 0x6E, 0x66, 0x6F, 0x2F, 0x00, 0x00, 0x98, 0x05, 0x73, 0x97,
0x28, 0x09, 0xCE, 0x0B, 0x4B, 0xB1, 0xE3, 0x4D, 0xEB, 0x01, 0x24, 0x74, 0x68, 0x69, 0x73, 0x2E,
0x49, 0x63, 0x6F, 0x6E, 0x00, 0x00, 0x42, 0xBB, 0x35, 0xB7, 0xFA, 0xD9, 0xFE, 0x78, 0x01, 0x46,
0x6F, 0x72, 0x6D, 0x31, 0x00, 0x45, 0x0C, 0xB7, 0x2E, 0xD3, 0x8E, 0x01, 0x47, 0x6F, 0x74, 0x20,
0x73, 0x6B, 0x69, 0x6C, 0x6C, 0x73, 0x3F, 0x00, 0x00, 0x2D, 0x72, 0xF9, 0x4F, 0xB2, 0x2E, 0x14,
0xA2, 0x7B, 0x08, 0xEB, 0xCC, 0xD2, 0x1F, 0x4E, 0xA7, 0x3E, 0x16, 0x3E, 0xFF, 0x5F, 0xCC, 0x2A,
0x6B, 0xD1, 0x6D, 0x5E, 0x6D, 0x43, 0xAF, 0x4C, 0x00, 0xE3, 0x57, 0x27, 0xA8, 0x74, 0x52, 0x49,
0x4A, 0x9A, 0x1D, 0x80, 0xCF, 0x6A, 0xCC, 0xF7, 0x72, 0x23, 0xD8, 0xEC, 0xCA, 0x31, 0xC2, 0xB8,
0x74, 0x7A, 0x77, 0x9D, 0xE6, 0x4F, 0xED, 0x08, 0x47, 0xB9, 0x27, 0xD9, 0xE4, 0x9A, 0x7F, 0xC2,
0xB9, 0x93, 0xB1, 0xFF, 0xF4, 0x82, 0xDA, 0xE3, 0x6B, 0xFB, 0x98, 0xBB, 0x24, 0x00, 0xC9, 0xC2,
0xD7, 0x93, 0x99, 0xD4, 0x34, 0x4C, 0x9A, 0x57, 0x26, 0x83, 0xBF, 0xA2, 0x66, 0xEE, 0x55, 0xE5,
0xA2, 0xE9, 0x58, 0xCD, 0x9D, 0xE2, 0x96, 0xDD, 0x97, 0x6B, 0x3E, 0x94, 0xD8, 0x40, 0x3E, 0x1A,
0xBB, 0x71, 0xE1, 0x2C, 0x26, 0xA4, 0x00, 0x22, 0xBA, 0xCF, 0x96, 0xF1, 0xE9, 0x3D, 0xB9, 0x26,
0x5B, 0x4D, 0x6C, 0x01, 0x2E, 0x2E, 0x2E, 0x20, 0x77, 0x61, 0x69, 0x74, 0x69, 0x6E, 0x67, 0x20,
0x66, 0x6F, 0x72, 0x20, 0x79, 0x6F, 0x75
};

To read this, just a binary reader can read it from your packed exe.

Edited: on another topic, something I see which is related to the Appfuscator attribute. liOnisar, that guy, said he made an obfuscator like this and gives protection services "related buyer or seller" on hackforums. Appfuscator uses an online server to read the string key, and your exe uses a JIT hook to read the string key at runtime only.


Edited by Death
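Death says a binary reader is enough to read the byte array above. As an added example (my code, not from the thread or the keygenme), a minimal printable-string extractor run over exactly those bytes: it shows that most of the blob is plain Windows Forms designer resource names and UI text separated by short runs of non-printable bytes. It decodes nothing and makes no claim about which bytes, if any, are key material; the offsets it prints are useful for lining the strings up in a hex editor.

```python
# The bytes below are transcribed from the byte[] posted in the thread (439 bytes).
BLOB = bytes.fromhex(
    "6F6E310000E435EF0E588E280CF50143"
    "6865636B210000A7B2303C400E7ED901"
    "74657874426F783100007503A0690EA6"
    "C822AD016B616F00421EBA91B352B696"
    "0174657874426F78320000EE012E2E2E"
    "2077616974696E6720666F7220796F75"
    "202E2E2E00542FC812016C6162656C31"
    "0000CBA92799014E616D653A00FD7414"
    "A513016C6162656C3200001C264E0153"
    "74617475733A00000B016C696E6B4C61"
    "62656C3100004801D64410E5BDB20829"
    "01286329206B616F2C20323031342E20"
    "20687474703A2F2F626F6172642E622D"
    "61742D732E696E666F2F000098057397"
    "2809CE0B4BB1E34DEB0124746869732E"
    "49636F6E000042BB35B7FAD9FE780146"
    "6F726D3100450CB72ED38E01476F7420"
    "736B696C6C733F00002D72F94FB22E14"
    "A27B08EBCCD21F4EA73E163EFF5FCC2A"
    "6BD16D5E6D43AF4C00E35727A8745249"
    "4A9A1D80CF6ACCF77223D8ECCA31C2B8"
    "747A779DE64FED0847B927D9E49A7FC2"
    "B993B1FFF482DAE36BFB98BB2400C9C2"
    "D79399D4344C9A572683BFA266EE55E5"
    "A2E958CD9DE296DD976B3E94D8403E1A"
    "BB71E12C26A40022BACF96F1E93DB926"
    "5B4D6C012E2E2E2077616974696E6720"
    "666F7220796F75"
)


def find_strings(blob, min_len=5):
    """Return (offset, text) for every run of printable ASCII (0x20..0x7E)
    at least min_len bytes long, including a run that ends at the last byte."""
    found = []
    start = None
    for i, b in enumerate(blob):
        if 0x20 <= b <= 0x7E:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                found.append((start, blob[start:i].decode("ascii")))
            start = None
    if start is not None and len(blob) - start >= min_len:
        found.append((start, blob[start:].decode("ascii")))
    return found


def extract_strings(blob, min_len=5):
    """Just the texts, in file order."""
    return [text for _, text in find_strings(blob, min_len)]


if __name__ == "__main__":
    for off, text in find_strings(BLOB):
        print(f"{off:04x}  {text!r}")
```

A minimum length of 5 is used because at 4 the high-entropy stretches near the end already produce false positives such as "m^mC"; that is the usual trade-off when running a strings pass over mixed data.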

Hadits follower

It's ok kao, I may be mistaken :/ I just want to say something to you.


Edited by Death

Hadits follower

Here is a dump of all strings; everything in this dll at runtime reads its strings from here :)

pass: pmed

2 ways to unpack:

1. By dump/dll: rebuild a new netmodule exe and combine it with the original packed exe using hxd.exe or CFF or ildasm.

2. JitDumper is a debugger which uses .load by the CLR.


dump native dll clr.zip

Edited by Death
