Posted July 19, 2014

Looks like it's time for another challenge. This one comes with a mix of ideas, so take your time reversing them and do not expect hints any time soon.

Basic info/rules:
Compiler: Borland Delphi
Level: Designed to provide maximum fun and to test your skills, so kindly allow other members to enjoy solving it on their own
Packer: Packed with a free (non-commercial) and relatively easy Compressor/Protector (credit to author) to help you unpack it yourself, or simply pm GIV

Good luck to all and happy reversing

kgm#17.7z
July 21, 2014

@ Romulous: I guess this is a crack. You don't have a valid name/serial combination. If so, it is worthless.

@ EvOlUtIoN: I think all options are checked before protecting. As far as I see, the OEP is stolen, imports are stolen, etc....

Edit: Better go directly to the serial verification routine @ 004700DC

Edited July 21, 2014 by GIV
July 21, 2014

I would say that this is an OEP, looks like one:

00406648 /. 53             PUSH EBX
00406649 |. 8BD8           MOV EBX,EAX
0040664B |. 33C0           XOR EAX,EAX
0040664D |. A3 88A74700    MOV DWORD PTR DS:[47A788],EAX
00406652 |. 6A 00          PUSH 0
00406654 |. E8 2BFFFFFF    CALL 00406584
00406659 |. A3 F4374800    MOV DWORD PTR DS:[4837F4],EAX
0040665E |. A1 F4374800    MOV EAX,DWORD PTR DS:[4837F4]
00406663 |. A3 94A74700    MOV DWORD PTR DS:[47A794],EAX
00406668 |. 33C0           XOR EAX,EAX
0040666A |. A3 98A74700    MOV DWORD PTR DS:[47A798],EAX
0040666F |. 33C0           XOR EAX,EAX
00406671 |. A3 9CA74700    MOV DWORD PTR DS:[47A79C],EAX
00406676 |. E8 C1FFFFFF    CALL 0040663C
0040667B |. BA 90A74700    MOV EDX,0047A790
00406680 |. 8BC3           MOV EAX,EBX
00406682 |. E8 99DDFFFF    CALL 00404420
00406687 |. 5B             POP EBX

But it seems some part of it is missing because it is being emulated by the packer.

Edited July 21, 2014 by xSRTsect
July 21, 2014

(quoting xSRTsect)
I would say that this is an OEP, looks like one:

00406648 /. 53             PUSH EBX
00406649 |. 8BD8           MOV EBX,EAX
0040664B |. 33C0           XOR EAX,EAX
0040664D |. A3 88A74700    MOV DWORD PTR DS:[47A788],EAX
00406652 |. 6A 00          PUSH 0
00406654 |. E8 2BFFFFFF    CALL 00406584
00406659 |. A3 F4374800    MOV DWORD PTR DS:[4837F4],EAX
0040665E |. A1 F4374800    MOV EAX,DWORD PTR DS:[4837F4]
00406663 |. A3 94A74700    MOV DWORD PTR DS:[47A794],EAX
00406668 |. 33C0           XOR EAX,EAX
0040666A |. A3 98A74700    MOV DWORD PTR DS:[47A798],EAX
0040666F |. 33C0           XOR EAX,EAX
00406671 |. A3 9CA74700    MOV DWORD PTR DS:[47A79C],EAX
00406676 |. E8 C1FFFFFF    CALL 0040663C
0040667B |. BA 90A74700    MOV EDX,0047A790
00406680 |. 8BC3           MOV EAX,EBX
00406682 |. E8 99DDFFFF    CALL 00404420
00406687 |. 5B             POP EBX

But it seems some part of it is missing because it is being emulated by the packer.

You miss the stolen OEP bytes:

004B0D4E 55               PUSH EBP                   ; <------------------ First instruction
004B0D52 8BEC             MOV EBP,ESP                ; <------------------ Second instruction
004B0D57 83C4 F0          ADD ESP,-0x10              ; <------------------ Third instruction
004B0D5D B8 1C8C4700      MOV EAX,kgm#17.00478C1C    ; <------------------ Fourth instruction
004B0D65 68 6F0D4B00      PUSH kgm#17.004B0D6F       ; <------------------ Fifth instruction
July 21, 2014

Yeah, I have just noticed it a while ago. Seems this is going to give some work, since I think none of my ImpREC plugins seem to do a fine job recovering the APIs etc... I'd rather have to code a plugin myself.
July 21, 2014

1. You must reconstruct the OEP's first instructions.
2. Recover APIs.
3. See what could go wrong next..
July 21, 2014

(quoting GIV)
1. You must reconstruct the OEP's first instructions.
2. Recover APIs.
3. See what could go wrong next..

Are you sure that is the way to unpack? I didn't know that. In fact, I thought that the proper way to unpack anything was to throw the exe into the air and expect it to fall upon my desk fully unpacked and functional...
July 21, 2014

A little patch was needed during unpacking to get the stolen import back.

kgm#17_dump.7z
July 21, 2014

@ChOoKi: really nice one!

kao : 17A126194EF743CB6237887C578FFC88

I'm not going to make a keygen - I have all the components, but I'm too lazy to put them together in human readable form or to write a tutorial.
July 22, 2014 (Author)

@kao: Way to go man!
@GIV: I couldn't agree more with your posts here
@njkermk: Omg! are you really [going to keygen this shit!]
@xSRTsect: To pass the last check you'll have to get my nickname right this time around

So glad to see many of you enjoying this challenge, hopefully we get to see a kg or a tut at the end to share with the rest. Keep up the good work all.
July 24, 2014

Here comes the keygen (still no tutorial, though). Releasing the complete keygen source is quite pointless, as 60% of it is ripped code, 30% is reversed bit operations and the rest are calls to crypto/bignum libs and UI. The main part is this:

KeygenProc PROC uses edi hWnd: HWND
    invoke GetDlgItemText, hWnd, IDC_NAME, offset userName, 20h

    ; zero all buffers
    mov edi, offset buffer1
    mov ecx, 50h
    xor eax, eax
    rep stosb

    ; ripped code (004700DC - uses HAVAL hash with different count of rounds and hash size)
    invoke lstrlen, offset userName
    mov ecx, eax
    mov eax, offset userName
    call make_buffer1_buffer2

    ; ripped code (00470408 - bit operations)
    invoke make_buffer4

    ; we have calculated haval hash and buffer4, reverse the rest
    ; bruteforce the reverse of 004704F0. In less than 128 iterations it is really fast
    invoke bruteforce_chooki

    ; undo method at 00470460. This is ugly -----
    ; bswap loop (004704B8..004704EA)
    xor edx, edx
bswaploop:
    mov eax, dword ptr [buffer3+edx]
    bswap eax
    mov dword ptr [buffer5+edx], eax
    add edx, 4
    cmp edx, 10h
    jb bswaploop

    ; reverse xor with ror (004703EE..004703F2)
    lea eax, buffer4
    lea edx, buffer5
    invoke undo_xor_with_ror

    ; extra xor (004703E8..004703EC)
    xor dword ptr [buffer5], 0D4h

    ; recursively reverse loop (004703B7..004703E6)
    invoke untangle, 10h, 80h, 0

    ; bswap it again (00470463..0047049F)
    xor edx, edx
bswaploop2:
    mov eax, dword ptr [buffer5+edx]
    bswap eax
    mov dword ptr [buffer3+edx], eax
    add edx, 4
    cmp edx, 10h
    jb bswaploop2

    ; finally do simple bigint math (00470606..0470664)
    call bigintMath

    invoke SetDlgItemText, hWnd, IDC_SERIAL, offset serialBuffer
@exit:
    ret
KeygenProc ENDP

keygen.zip
July 25, 2014 (Author)

@kao: Well done mate, and thank you for taking the time to solve this challenge. Now let's see who else is finished with his kg and maybe even a tut.
July 25, 2014

I'm stuck at big number math. These numbers are so big.

289190426366822397640236384991278098977 * x mod 340282366920938463463374607431768211297 = 46974954106352480795018069738232571914

x = ?

I have no other ideas besides bruteforcing them for a million years. There must be special functions like modinv or onebignumwhatisitmodtwobignuminvert which I do not know.
July 25, 2014

This is real basic bignum stuff. I'm sure there are good tutorials about it, you just have to find them.

In short: you need to solve x * y = z modulo q, where y, q are constants and z comes from the name.

Solving for x: x = z / y modulo q
It is the same as x = z * (1 / y) modulo q
Since y is constant, so is 1 / y modulo q.

You can calculate 1 / y modulo q using the modinv function in any bignum lib, or just use Wolfram Alpha. Once you have that, the keygen needs to do just one simple mulmod operation.
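Carrying kao's explanation through on the numbers njkermk posted, as an added example that is not code from the thread or from the keygen: the modular inverse 1 / y mod q is computed with the extended Euclidean algorithm, then x is recovered with a single mulmod and checked against the original congruence. Function names are this example's own.

```python
# Added worked example: solve y * x = z (mod q) for x by computing the modular
# inverse of y with the extended Euclidean algorithm, as kao's post describes.
# Function names and structure are this example's own, not the keygen's.

# Constants exactly as posted in the thread: y and q are fixed by the target,
# z is the value derived from the name.
Y = 289190426366822397640236384991278098977
Q = 340282366920938463463374607431768211297
Z = 46974954106352480795018069738232571914


def egcd(a, b):
    """Extended Euclid: return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        quot = old_r // r
        old_r, r = r, old_r - quot * r
        old_s, s = s, old_s - quot * s
        old_t, t = t, old_t - quot * t
    return old_r, old_s, old_t


def is_invertible(a, m):
    """a has an inverse modulo m exactly when gcd(a, m) == 1."""
    return egcd(a % m, m)[0] == 1


def modinv(a, m):
    """Return the x in [0, m) with a*x == 1 (mod m); raise if a is not invertible mod m."""
    g, s, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m} (gcd = {g})")
    return s % m


def solve_x(y, q, z):
    """Solve y * x == z (mod q) as x = z * (1/y) mod q.

    The inverse of y is a constant that can be precomputed once; the per-name
    work is then just the single mulmod kao mentions."""
    y_inv = modinv(y, q)
    return (z * y_inv) % q


def check(y, q, z, x):
    """Verify a candidate x against the original congruence y * x == z (mod q)."""
    return (y * x) % q == z


if __name__ == "__main__":
    x = solve_x(Y, Q, Z)
    print("x =", x)
    print("y * x mod q == z:", check(Y, Q, Z, x))
    # Cross-check against Python's built-in modular inverse (3.8+).
    print("matches pow(y, -1, q):", pow(Y, -1, Q) == modinv(Y, Q))
```

The result of `solve_x` is the unique x in [0, q) only if gcd(y, q) = 1, which `modinv` enforces; if the gcd were larger the congruence would have either no solution or several, so the check is worth keeping even when y and q are constants.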
July 25, 2014

@njkermk - how the hell did you solve my crackme #C4N number 2? It's the exact same problem, and you coded the ExtendedGCD operation to solve it...
August 2, 2014

Hello ChOoKi, it took a long time but finally I finished the keygen. It has cost me a lot of time and energy for recognizing, researching and coding the cipher you have used. But I must say it was real fun.

Again, thank you for the keygenme and see you ... maybe..... on your next one....... :sneaky2: :prop:

Solution_to_ChoOki#17.rar
August 3, 2014

Found OEP = http://pbrd.co/1o2drxD but the IAT needs to be restored. What method is used to restore the IAT?