Looks like it's time for another challenge. This one comes with a mix of ideas so take your time reversing them and do not expect hints any time soon ^_^

Basic info/rules:

Compiler: Borland Delphi
Level: Designed to provide maximum fun and to test your skills, so kindly allow other members to enjoy solving it on their own
Packer: Packed with a free (non-commercial) and relatively easy Compressor/Protector (credit to author) to help you unpack it yourself, or simply pm GIV :D

Good luck to all and happy reversing

kgm#17.7z

Hint:

OEP bytes are stolen.

Start is here:

004B0D4E

Keygen'd: not yet.


Very good job! To unpack this one will take a while! :prop:

@Romulous

I guess this is a crack.

You don't have a valid name/serial combination.

If so, it is worthless.


@EvOlUtIoN

I think all options are checked before protecting.

:)

As far as I see, the OEP is stolen, imports are stolen etc....

Edit.

Better go directly to the serial verification routine @ 004700DC

Edited by GIV

I would say that this is an OEP; it looks like one:

00406648 /. 53 PUSH EBX
00406649 |. 8BD8 MOV EBX,EAX
0040664B |. 33C0 XOR EAX,EAX
0040664D |. A3 88A74700 MOV DWORD PTR DS:[47A788],EAX
00406652 |. 6A 00 PUSH 0
00406654 |. E8 2BFFFFFF CALL 00406584
00406659 |. A3 F4374800 MOV DWORD PTR DS:[4837F4],EAX
0040665E |. A1 F4374800 MOV EAX,DWORD PTR DS:[4837F4]
00406663 |. A3 94A74700 MOV DWORD PTR DS:[47A794],EAX
00406668 |. 33C0 XOR EAX,EAX
0040666A |. A3 98A74700 MOV DWORD PTR DS:[47A798],EAX
0040666F |. 33C0 XOR EAX,EAX
00406671 |. A3 9CA74700 MOV DWORD PTR DS:[47A79C],EAX
00406676 |. E8 C1FFFFFF CALL 0040663C
0040667B |. BA 90A74700 MOV EDX,0047A790
00406680 |. 8BC3 MOV EAX,EBX
00406682 |. E8 99DDFFFF CALL 00404420
00406687 |. 5B POP EBX

But it seems some part of it is missing because it is being emulated by the packer.


Edited by xSRTsect

You miss the stolen OEP bytes.

004B0D4E    55              PUSH EBP                                 ; <------------------ First instruction
004B0D52    8BEC            MOV EBP,ESP                              ; <------------------ Second instruction
004B0D57    83C4 F0         ADD ESP,-0x10                            ; <------------------ Third instruction
004B0D5D    B8 1C8C4700     MOV EAX,kgm#17.00478C1C                  ; <------------------ Fourth instruction
004B0D65    68 6F0D4B00     PUSH kgm#17.004B0D6F                     ; <------------------ Fifth instruction
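An added example, not part of any post in this thread: it parses the five OllyDbg lines above, measures how many filler bytes the packer left between the real instructions (the addresses are not contiguous), and re-joins the stolen bytes into the back-to-back sequence they would occupy at the original OEP. The listing text is embedded as constructed input copied from the post, with the comments dropped; the parser assumes OllyDbg's address / hex-bytes / mnemonic columns separated by two or more spaces.

```python
import re
from typing import List, Tuple

# Constructed input: the five listing lines GIV posted, comments removed.
LISTING = """
004B0D4E    55              PUSH EBP
004B0D52    8BEC            MOV EBP,ESP
004B0D57    83C4 F0         ADD ESP,-0x10
004B0D5D    B8 1C8C4700     MOV EAX,kgm#17.00478C1C
004B0D65    68 6F0D4B00     PUSH kgm#17.004B0D6F
"""

Row = Tuple[int, bytes, str]  # (address, opcode bytes, disassembly text)


def parse_listing(text: str) -> List[Row]:
    """Split each OllyDbg line into address, raw opcode bytes and mnemonic."""
    rows: List[Row] = []
    for line in text.strip().splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) != 3:
            raise ValueError(f"unexpected listing line: {line!r}")
        addr, hexbytes, asm = parts
        rows.append((int(addr, 16), bytes.fromhex(hexbytes.replace(" ", "")), asm))
    return rows


def junk_gaps(rows: List[Row]) -> List[int]:
    """Bytes between the end of one listed instruction and the start of the next.

    A positive gap is filler the packer inserted; a negative one would mean
    the listing overlaps and must be re-checked by hand.
    """
    return [nxt - (addr + len(code))
            for (addr, code, _), (nxt, _, _) in zip(rows, rows[1:])]


def rejoin(rows: List[Row]) -> bytes:
    """The listed instructions as they must sit contiguously at the true OEP."""
    return b"".join(code for _, code, _ in rows)


if __name__ == "__main__":
    rows = parse_listing(LISTING)
    for (addr, code, asm), gap in zip(rows, junk_gaps(rows) + [0]):
        print(f"{addr:08X}  {code.hex():<12} {asm:<28} filler after: {gap}")
    print("rejoined:", rejoin(rows).hex())
```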

 

Yeah, I have just noticed it a while ago. Seems this is going to take some work, since I think none of my ImpREC plugins seem to do a fine job recovering the APIs etc... I'd rather have to code a plugin myself.

1. You must reconstruct OEP first instructions.

2. Recover API's

3. See what could go wrong next..

:)



Are you sure that is the way to unpack? I didn't know that. In fact, I thought that the proper way to unpack anything was to throw the exe into the air and expect it to fall upon my desk fully unpacked and functional...

Unpacked :victory:. Now I'm going to keygen this shit :D


You don't really need to unpack in order to keygen.

;)

A little patch was needed during unpacking to get the stolen import back.


kgm#17_dump.7z

@ChOoKi: really nice one! :)

kao : 17A126194EF743CB6237887C578FFC88

I'm not going to make a keygen - I have all the components, but I'm too lazy to put them together in human readable form or to write a tutorial. ;)


  • Author

@kao: Way to go man! :thumbsup:

@GIV: I couldn't agree more with your posts here :devil:

@njkermk: Omg! are you really [going to keygen this shit!] :bleh:

@xSRTsect: To pass the last check you'll have to get my nickname right this time around :^

So glad to see many of you enjoying this challenge, hopefully we get to see a kg or a tut at the end to share with the rest. Keep up the good work all.


thank you for the challenge, chooki

sama

82FBD310A6BC9D449441FA2B62019C1D


  • Author

Wow! A second combo! Very nice, sama :yahoo:


Here comes the keygen (still no tutorial, though).

Releasing complete keygen source is quite pointless, as 60% of it is ripped code, 30% - reversed bit operations and the rest are calls to crypto/bignum libs and UI.

The main part is this:

KeygenProc PROC uses edi hWnd: HWND
        invoke  GetDlgItemText, hWnd, IDC_NAME, offset userName, 20h
        ; zero all buffers
        mov     edi, offset buffer1
        mov     ecx, 50h
        xor     eax, eax
        rep     stosb
        ; ripped code (004700DC - uses HAVAL hash with different count of rounds and hash size)
        invoke  lstrlen, offset userName
        mov     ecx, eax
        mov     eax, offset userName
        call    make_buffer1_buffer2
        ; ripped code (00470408 - bit operations)
        invoke  make_buffer4
        ; we have calculated haval hash and buffer4, reverse the rest
        ; bruteforce the reverse of 004704F0. In less than 128 iterations it is really fast
        invoke  bruteforce_chooki
        ; undo method at 00470460. This is ugly -----
        ; bswap loop (004704B8..004704EA)
        xor     edx, edx
bswaploop:
        mov     eax, dword ptr [buffer3+edx]
        bswap   eax
        mov     dword ptr [buffer5+edx], eax
        add     edx, 4
        cmp     edx, 10h
        jb      bswaploop
        ; reverse xor with ror (004703EE..004703F2)
        lea     eax, buffer4
        lea     edx, buffer5
        invoke  undo_xor_with_ror
        ; extra xor (004703E8..004703EC)
        xor     dword ptr [buffer5], 0D4h
        ; recursively reverse loop (004703B7..004703E6)
        invoke  untangle, 10h, 80h, 0
        ; bswap it again (00470463..0047049F)
        xor     edx, edx
bswaploop2:
        mov     eax, dword ptr [buffer5+edx]
        bswap   eax
        mov     dword ptr [buffer3+edx], eax
        add     edx, 4
        cmp     edx, 10h
        jb      bswaploop2
        ; finally do simple bigint math (00470606..0470664)
        call    bigintMath
        invoke  SetDlgItemText, hWnd, IDC_SERIAL, offset serialBuffer
@exit:
        ret
KeygenProc ENDP

keygen.zip

  • Author

@kao: Well done mate :1a: and thank you for taking the time to solve this challenge.


Now let's see who else is finished with his kg and maybe even a tut :type:


I'm stuck at big number math. These numbers are so big.

289190426366822397640236384991278098977 * x mod 340282366920938463463374607431768211297 = 46974954106352480795018069738232571914

x = ?

I have no other ideas besides brute-forcing them for a million years. There must be special functions like modinv or onebignumwhatisitmodtwobignuminvert which I do not know.


This is real basic bignum stuff. I'm sure there are good tutorials about it, you just have to find them.

In short: you need to solve x * y = z modulo q, where y, q are constants and z comes from the name.

Solving for x: x = z / y modulo q

It is the same as x = z * (1 / y) modulo q

Since y is constant, so is 1 / y modulo q.

You can calculate 1 / y modulo q using the modinv function in any bignum lib or just use Wolfram Alpha.

Once you have that, the keygen needs to do just one simple mulmod operation.

@njkermk - how the hell did you solve my crackme #C4N number 2? It's the exact same problem, and you coded an ExtendedGCD operation to solve it...
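The inverse-then-mulmod step kao describes, worked with the three numbers njkermk quoted; this is an added example, not kao's keygen code. It computes 1 / y mod q with extended Euclid (the ExtendedGCD kao mentions), cross-checks it against Python's built-in pow(y, -1, q), and re-runs the forward check y * x mod q == z on the result. The only assumption beyond the thread is that q is 2**128 - 159, which is prime, so the inverse exists for any 0 < y < q.

```python
from typing import Tuple

# Constants quoted in the thread: y * x mod q == z, solve for x.
Y = 289190426366822397640236384991278098977   # constant multiplier
Q = 340282366920938463463374607431768211297   # modulus (2**128 - 159, prime)
Z = 46974954106352480795018069738232571914    # value derived from the name


def egcd(a: int, b: int) -> Tuple[int, int, int]:
    """Extended Euclid: returns (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        qt, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - qt * s1
        t0, t1 = t1, t0 - qt * t1
    return a, s0, t0


def modinv(y: int, q: int) -> int:
    """1 / y mod q. Fails loudly when gcd(y, q) != 1, since no inverse exists then."""
    g, s, _ = egcd(y % q, q)
    if g != 1:
        raise ValueError("y is not invertible modulo q")
    return s % q


def solve_x(z: int, y: int = Y, q: int = Q) -> int:
    """x = z * (1 / y) mod q: with the constant inverse known, a single mulmod."""
    return (z * modinv(y, q)) % q


def forward_check(x: int, z: int, y: int = Y, q: int = Q) -> bool:
    """The check as njkermk wrote it: y * x mod q must equal z."""
    return (y * x) % q == z


if __name__ == "__main__":
    x = solve_x(Z)
    print("1/y mod q =", modinv(Y, Q))
    print("x =", x)
    print("y * x mod q == z:", forward_check(x, Z))
```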


Hello ChOoKi,

it took a long time but finally I finished the Keygen.
It has cost me a lot of time and energy for recognizing, researching and coding the Cipher you have used.
But I must say it was real fun. Again, thank you for the Keygenme and see you ... maybe..... on your next one....... :sneaky2: :sneaky2: :prop: :prop: :prop:

Solution_to_ChoOki#17.rar

found OEP = http://pbrd.co/1o2drxD

but the IAT needs to be restored :(

Which method should be used to restore the IAT?
