
[unpackme][keygenme] Keygenme 17



Posted

Looks like it's time for another challenge. This one comes with a mix of ideas so take your time reversing them and do not expect hints any time soon ^_^

 

Basic info/rules:

Compiler: Borland Delphi
Level: Designed to provide maximum fun and to test your skills, so kindly allow other members to enjoy solving it on their own
Packer: Packed with free (non-commercial) and relatively easy Compressor/Protector (credit to author) to help you unpack it yourself or simply pm GIV :D

Good luck to all and happy reversing

kgm#17.7z

Posted

Hint:

OEP bytes are stolen.

Start is here: 004B0D4E


Posted



 


Keygen'd: not yet.


Posted

Very good job! To unpack this one will take a while! :prop:


Posted (edited)

@Romulous

I guess this is a crack.

You don't have a valid name/serial combination.

If so, it is worthless.

@EvOlUtIoN

I think all options are checked before protecting.

:)

As far as I see, OEP is stolen, imports are stolen etc....

Edit.

Better go direct to the Serial verification routine @ 004700DC

Edited by GIV
Posted (edited)

I would say that this is an OEP, looks like one:



00406648 /. 53 PUSH EBX
00406649 |. 8BD8 MOV EBX,EAX
0040664B |. 33C0 XOR EAX,EAX
0040664D |. A3 88A74700 MOV DWORD PTR DS:[47A788],EAX
00406652 |. 6A 00 PUSH 0
00406654 |. E8 2BFFFFFF CALL 00406584
00406659 |. A3 F4374800 MOV DWORD PTR DS:[4837F4],EAX
0040665E |. A1 F4374800 MOV EAX,DWORD PTR DS:[4837F4]
00406663 |. A3 94A74700 MOV DWORD PTR DS:[47A794],EAX
00406668 |. 33C0 XOR EAX,EAX
0040666A |. A3 98A74700 MOV DWORD PTR DS:[47A798],EAX
0040666F |. 33C0 XOR EAX,EAX
00406671 |. A3 9CA74700 MOV DWORD PTR DS:[47A79C],EAX
00406676 |. E8 C1FFFFFF CALL 0040663C
0040667B |. BA 90A74700 MOV EDX,0047A790
00406680 |. 8BC3 MOV EAX,EBX
00406682 |. E8 99DDFFFF CALL 00404420
00406687 |. 5B POP EBX

But it seems some part of it is missing because it is being emulated by the packer.


Edited by xSRTsect
Posted

I would say that this is an OEP, looks like one:

00406648 /. 53 PUSH EBX
00406649 |. 8BD8 MOV EBX,EAX
0040664B |. 33C0 XOR EAX,EAX
0040664D |. A3 88A74700 MOV DWORD PTR DS:[47A788],EAX
00406652 |. 6A 00 PUSH 0
00406654 |. E8 2BFFFFFF CALL 00406584
00406659 |. A3 F4374800 MOV DWORD PTR DS:[4837F4],EAX
0040665E |. A1 F4374800 MOV EAX,DWORD PTR DS:[4837F4]
00406663 |. A3 94A74700 MOV DWORD PTR DS:[47A794],EAX
00406668 |. 33C0 XOR EAX,EAX
0040666A |. A3 98A74700 MOV DWORD PTR DS:[47A798],EAX
0040666F |. 33C0 XOR EAX,EAX
00406671 |. A3 9CA74700 MOV DWORD PTR DS:[47A79C],EAX
00406676 |. E8 C1FFFFFF CALL 0040663C
0040667B |. BA 90A74700 MOV EDX,0047A790
00406680 |. 8BC3 MOV EAX,EBX
00406682 |. E8 99DDFFFF CALL 00404420
00406687 |. 5B POP EBX

But it seems some part of it is missing because it is being emulated by the packer.

You are missing the stolen OEP bytes.

004B0D4E    55              PUSH EBP                                 ; <------------------ First instruction
004B0D52    8BEC            MOV EBP,ESP                              ; <----------------------- Second instruction
004B0D57    83C4 F0         ADD ESP,-0x10                            ; <------------------ Third instruction
004B0D5D    B8 1C8C4700     MOV EAX,kgm#17.00478C1C                  ; <------------------ Fourth instruction
004B0D65    68 6F0D4B00     PUSH kgm#17.004B0D6F                     ; <------------------ Fifth instruction

 

Posted

Yeah, I have just noticed it a while ago. Seems this is going to take some work, since I think none of my ImpREC plugins seem to do a fine job recovering the APIs etc... I'd rather have to code a plugin myself.


 




Posted

1. You must reconstruct OEP first instructions.


2. Recover API's


3. See what could go wrong next..


:)


Posted

1. You must reconstruct OEP first instructions.

2. Recover API's

3. See what could go wrong next..

:)

 

 

Are you sure that is the way to unpack? I didn't know that; in fact I thought that the proper way to unpack anything was to throw the exe into the air, and expect it to fall upon my desk fully unpacked and functional...

Posted

unpacked :victory: . now I'm going to keygen this shit :D


Posted

You don't really need to unpack in order to keygen.

;)

Posted

A little patch was needed during unpacking to get the stolen import back.


kgm#17_dump.7z

Posted

@ChOoKi: really nice one! :)

kao : 17A126194EF743CB6237887C578FFC88

I'm not going to make a keygen - I have all the components, but I'm too lazy to put them together in human readable form or to write a tutorial. ;)


Posted

@kao: Way to go man! :thumbsup:


@GIV: I couldn't agree more with your posts here :devil:


@njkermk: Omg! are you really [going to keygen this shit!] :bleh:


@xSRTsect: To pass the last check you'll have to get my nickname right this time around :^


 


So glad to see many of you enjoying this challenge, hopefully we get to see a kg or a tut at the end to share with the rest. Keep up the good work all.


Posted

thank you for the challenge, chooki


 



sama


82FBD310A6BC9D449441FA2B62019C1D


Posted

Wow! A second combo!, very nice sama :yahoo:


Posted

Here comes the keygen (still no tutorial, though).

Releasing complete keygen source is quite pointless, as 60% of it is ripped code, 30% - reversed bit operations and the rest are calls to crypto/bignum libs and UI.

The main part is this:

KeygenProc PROC uses edi hWnd: HWND
	invoke	GetDlgItemText, hWnd, IDC_NAME, offset userName, 20h
	; zero all buffers
	mov	edi, offset buffer1
	mov	ecx, 50h
	xor	eax, eax
	rep	stosb
	; ripped code (004700DC - uses HAVAL hash with different count of rounds and hash size)
	invoke	lstrlen, offset userName
	mov	ecx, eax
	mov	eax, offset userName
	call	make_buffer1_buffer2
	; ripped code (00470408 - bit operations)
	invoke	make_buffer4
	; we have calculated haval hash and buffer4, reverse the rest
	; bruteforce the reverse of 004704F0. In less than 128 iterations it is really fast
	invoke	bruteforce_chooki
	; undo method at 00470460. This is ugly -----
	; bswap loop (004704B8..004704EA)
	xor	edx, edx
bswaploop:
	mov	eax, dword ptr [buffer3+edx]
	bswap	eax
	mov	dword ptr [buffer5+edx], eax
	add	edx, 4
	cmp	edx, 10h
	jb	bswaploop
	; reverse xor with ror (004703EE..004703F2)
	lea	eax, buffer4
	lea	edx, buffer5
	invoke	undo_xor_with_ror
	; extra xor (004703E8..004703EC)
	xor	dword ptr [buffer5], 0D4h
	; recursively reverse loop (004703B7..004703E6)
	invoke	untangle, 10h, 80h, 0
	; bswap it again (00470463..0047049F)
	xor	edx, edx
bswaploop2:
	mov	eax, dword ptr [buffer5+edx]
	bswap	eax
	mov	dword ptr [buffer3+edx], eax
	add	edx, 4
	cmp	edx, 10h
	jb	bswaploop2
	; finally do simple bigint math (00470606..0470664)
	call	bigintMath
	invoke	SetDlgItemText, hWnd, IDC_SERIAL, offset serialBuffer
@exit:
	ret
KeygenProc ENDP

keygen.zip

Posted

@kao: Well done mate :1a: and thank you for taking the time to solve this challenge.


Now let's see who else is finished with his kg and maybe even a tut :type:


Posted

i'm stuck at big number math. These numbers are so big.


289190426366822397640236384991278098977 * x mod 340282366920938463463374607431768211297 = 46974954106352480795018069738232571914


x = ?


I have no other ideas besides bruteforcing them for a million years. There must be special functions like modinv or onebignumwhatisitmodtwobignuminvert which I do not know.


Posted

This is real basic bignum stuff. I'm sure there are good tutorials about it, just have to find them.

In short: you need to solve x * y = z modulo q where y,q are constants and z comes from name.

Solving for x: x = z / y modulo q

It is the same as x = z * (1 / y) modulo q

Since y is constant, so is 1 / y modulo q.

You can calculate 1 / y modulo q using modinv function in any bignum lib or just use Wolfram Alpha.

Once you have that, keygen needs to do just one simple mulmod operation.
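The modular inverse step described above, worked through as an added example (not kao's keygen code) on the three numbers njkermk posted: y and q are the constants, z is the name-derived value, and x is the serial component being solved for. The function names (egcd, modinv, solve_serial_component) are this example's own.

```python
# Added example: solve x * y = z (mod q) for x with an extended-Euclid modular inverse.
# The constants below are the numbers quoted in the thread.

def egcd(a: int, b: int) -> tuple[int, int, int]:
    """Extended Euclid: returns (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        quot = old_r // r
        old_r, r = r, old_r - quot * r
        old_s, s = s, old_s - quot * s
        old_t, t = t, old_t - quot * t
    return old_r, old_s, old_t


def modinv(y: int, q: int) -> int:
    """1 / y modulo q; raises if y and q are not coprime (then no inverse exists)."""
    g, s, _ = egcd(y % q, q)
    if g != 1:
        raise ValueError("y is not invertible modulo q")
    return s % q


def solve_serial_component(y: int, q: int, z: int) -> int:
    """x = z * (1 / y) mod q, i.e. z / y modulo q.  Since y and q are fixed,
    modinv(y, q) is a constant and a keygen only needs this one mulmod."""
    return (z * modinv(y, q)) % q


# Constants from the thread: y and q are fixed by the keygenme, z comes from the name.
Y = 289190426366822397640236384991278098977
Q = 340282366920938463463374607431768211297   # 2**128 - 159
Z = 46974954106352480795018069738232571914

if __name__ == "__main__":
    x = solve_serial_component(Y, Q, Z)
    print(f"1/y mod q = {modinv(Y, Q)}")
    print(f"x         = {x}")
    # multiplying back must reproduce z
    assert (x * Y) % Q == Z
```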

Posted

@njkermk - how the hell did you solve my crackme #C4N number 2? It's the exact same problem, and you coded an ExtendedGCD operation to solve it...


Posted

Hello ChOoKi,

 

it took a long time but finally I finished the keygen.
It has cost me a lot of time and energy for recognizing, researching and coding the cipher you have used.
But I must say it was real fun. Again, thank you for the keygenme and see you ... maybe..... on your next one....... :sneaky2: :sneaky2: :prop: :prop: :prop:

Solution_to_ChoOki#17.rar

