Tuts 4 You

[unpackme][keygenme] Keygenme 17


ChOoKi


Looks like it's time for another challenge. This one comes with a mix of ideas so take your time reversing them and do not expect hints any time soon ^_^

 

Basic info/rules:

Compiler: Borland Delphi
Level: Designed to provide maximum fun and to test your skills, so kindly allow other members to enjoy solving it on their own
Packer: Packed with a free (non-commercial) and relatively easy compressor/protector (credit to the author) to help you unpack it yourself, or simply PM GIV :D

Good luck to all and happy reversing

kgm#17.7z


@Romulous

I guess this is a crack.

You don't have a valid name/serial combination.

If so, it is worthless.

@EvOlUtIoN

I think all options are checked before protecting.

:)

As far as I see, the OEP is stolen, imports are stolen, etc.

Edit.

Better go directly to the serial verification routine @ 004700DC

Edited by GIV

I would say that this is an OEP; it looks like one:



00406648 /. 53 PUSH EBX
00406649 |. 8BD8 MOV EBX,EAX
0040664B |. 33C0 XOR EAX,EAX
0040664D |. A3 88A74700 MOV DWORD PTR DS:[47A788],EAX
00406652 |. 6A 00 PUSH 0
00406654 |. E8 2BFFFFFF CALL 00406584
00406659 |. A3 F4374800 MOV DWORD PTR DS:[4837F4],EAX
0040665E |. A1 F4374800 MOV EAX,DWORD PTR DS:[4837F4]
00406663 |. A3 94A74700 MOV DWORD PTR DS:[47A794],EAX
00406668 |. 33C0 XOR EAX,EAX
0040666A |. A3 98A74700 MOV DWORD PTR DS:[47A798],EAX
0040666F |. 33C0 XOR EAX,EAX
00406671 |. A3 9CA74700 MOV DWORD PTR DS:[47A79C],EAX
00406676 |. E8 C1FFFFFF CALL 0040663C
0040667B |. BA 90A74700 MOV EDX,0047A790
00406680 |. 8BC3 MOV EAX,EBX
00406682 |. E8 99DDFFFF CALL 00404420
00406687 |. 5B POP EBX

But it seems some part of it is missing because it is being emulated by the packer.


Edited by xSRTsect

Quoting xSRTsect: "I would say that this is an OEP, looks like one: [...] But it seems some part of it is missing because it is being emulated by the packer."

You missed the stolen OEP bytes.

004B0D4E    55              PUSH EBP                                 ; <------------------ First instruction

004B0D52    8BEC            MOV EBP,ESP                              ; <----------------------- Second instruction

004B0D57    83C4 F0         ADD ESP,-0x10                            ; <------------------ Third instruction

004B0D5D    B8 1C8C4700     MOV EAX,kgm#17.00478C1C                  ; <------------------ Fourth instruction

004B0D65    68 6F0D4B00     PUSH kgm#17.004B0D6F                     ; <------------------ Fifth instruction



Yeah, I just noticed it a while ago. It seems this is going to take some work, since none of my ImpREC plugins seem to do a fine job of recovering the APIs etc. I'd rather have to code a plugin myself.


 



1. You must reconstruct OEP first instructions.

2. Recover APIs

3. See what could go wrong next..

:)

 

 

Are you sure that is the way to unpack? I didn't know that, In fact I thought that the proper way to unpack anything was to throw the exe into the air, and expect it to fall upon my desk fully unpacked and functional...

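Step 1 above (reconstructing the first OEP instructions) is the one the stolen-bytes listing makes concrete. As an added example, not code from anyone in this thread, the Python below rebuilds the bytes that belong at the OEP: the four instructions the packer executed unchanged, followed by the 5-byte CALL rel32 that the packer replaced with PUSH 004B0D6F (its own return address) and a jump. It assumes the callee is the routine at 00406648 from xSRTsect's listing, since that is where execution lands after the stolen bytes and its push ebx / mov ebx, eax prologue matches a routine receiving the table pointer loaded into EAX; the real OEP address is not given in the thread, so it is a parameter and the value used below is a placeholder.

```python
import struct

# Stolen instructions as observed in the packer's section (bytes from GIV's listing):
#   55              push ebp
#   8B EC           mov  ebp, esp
#   83 C4 F0        add  esp, -10h
#   B8 1C 8C 47 00  mov  eax, 00478C1Ch
STOLEN_PREFIX = bytes.fromhex("55 8BEC 83C4F0 B81C8C4700")

# The packer's PUSH 004B0D6F stands in for the return address a CALL would push,
# so the instruction following the prefix at the real OEP was a 5-byte CALL rel32.
CALL_OPCODE = 0xE8
CALL_LEN = 5


def encode_call_rel32(site_va, target_va):
    """Encode 'call target' placed at site_va: E8 + signed 32-bit displacement
    relative to the end of the instruction."""
    rel = target_va - (site_va + CALL_LEN)
    return bytes([CALL_OPCODE]) + struct.pack("<i", rel)


def decode_call_rel32(code, offset, code_va):
    """Absolute target of the E8 call found at code[offset], where code is
    loaded at code_va. Used to check the patch before writing it to a dump."""
    if code[offset] != CALL_OPCODE:
        raise ValueError("no CALL opcode at offset %#x" % offset)
    (rel,) = struct.unpack_from("<i", code, offset + 1)
    return (code_va + offset + CALL_LEN + rel) & 0xFFFFFFFF


def reconstruct_oep(oep_va, callee_va):
    """Bytes to write at oep_va in the dump: stolen prologue + restored CALL."""
    call_site = oep_va + len(STOLEN_PREFIX)
    return STOLEN_PREFIX + encode_call_rel32(call_site, callee_va)


def original_return_address(oep_va):
    """Return address the restored CALL pushes (OEP + 10h); the packer
    pushed 004B0D6F, inside its own section, instead."""
    return oep_va + len(STOLEN_PREFIX) + CALL_LEN


# Assumptions, not facts from the thread: the OEP is a placeholder value;
# the callee is the routine shown at 00406648 in xSRTsect's listing.
ASSUMED_OEP = 0x00479A00
CALLEE = 0x00406648

if __name__ == "__main__":
    patch = reconstruct_oep(ASSUMED_OEP, CALLEE)
    print(patch.hex(" "))
    print("restored CALL target: %#010x" % decode_call_rel32(patch, len(STOLEN_PREFIX), ASSUMED_OEP))
    print("return address after fix: %#010x" % original_return_address(ASSUMED_OEP))
```

Once the real OEP is known from the dump (the address the packer jumps to right after the stolen sequence, minus 10h), write the 16 returned bytes there and point the PE entry point at it; the imports are a separate step.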

@ChOoKi: really nice one! :)


 



kao : 17A126194EF743CB6237887C578FFC88



I'm not going to make a keygen - I have all the components, but I'm too lazy to put them together in human readable form or to write a tutorial. ;)



@kao: Way to go man! :thumbsup:


@GIV: I couldn't agree more with your posts here :devil:


@njkermk: Omg! are you really [going to keygen this shit!] :bleh:


@xSRTsect: To pass the last check you'll have to get my nickname right this time around :^


 


So glad to see many of you enjoying this challenge, hopefully we get to see a kg or a tut at the end to share with the rest. Keep up the good work all.



Here comes the keygen (still no tutorial, though).

Releasing complete keygen source is quite pointless, as 60% of it is ripped code, 30% - reversed bit operations and the rest are calls to crypto/bignum libs and UI.

The main part is this:

KeygenProc PROC uses edi hWnd: HWND
    invoke  GetDlgItemText, hWnd, IDC_NAME, offset userName, 20h

    ; zero all buffers
    mov     edi, offset buffer1
    mov     ecx, 50h
    xor     eax, eax
    rep     stosb

    ; ripped code (004700DC - uses HAVAL hash with different count of rounds and hash size)
    invoke  lstrlen, offset userName
    mov     ecx, eax
    mov     eax, offset userName
    call    make_buffer1_buffer2

    ; ripped code (00470408 - bit operations)
    invoke  make_buffer4

    ; we have calculated haval hash and buffer4, reverse the rest
    ; bruteforce the reverse of 004704F0. In less than 128 iterations it is really fast
    invoke  bruteforce_chooki

    ; undo method at 00470460. This is ugly -----
    ; bswap loop (004704B8..004704EA)
    xor     edx, edx
bswaploop:
    mov     eax, dword ptr [buffer3+edx]
    bswap   eax
    mov     dword ptr [buffer5+edx], eax
    add     edx, 4
    cmp     edx, 10h
    jb      bswaploop

    ; reverse xor with ror (004703EE..004703F2)
    lea     eax, buffer4
    lea     edx, buffer5
    invoke  undo_xor_with_ror

    ; extra xor (004703E8..004703EC)
    xor     dword ptr [buffer5], 0D4h

    ; recursively reverse loop (004703B7..004703E6)
    invoke  untangle, 10h, 80h, 0

    ; bswap it again (00470463..0047049F)
    xor     edx, edx
bswaploop2:
    mov     eax, dword ptr [buffer5+edx]
    bswap   eax
    mov     dword ptr [buffer3+edx], eax
    add     edx, 4
    cmp     edx, 10h
    jb      bswaploop2

    ; finally do simple bigint math (00470606..00470664)
    call    bigintMath

    invoke  SetDlgItemText, hWnd, IDC_SERIAL, offset serialBuffer
@exit:
    ret
KeygenProc ENDP

keygen.zip


@kao: Well done mate :1a: and thank you for taking the time to solve this challenge.


Now let's see who else is finished with his kg and maybe even a tut :type:



I'm stuck at the big number math. These numbers are so big.

289190426366822397640236384991278098977 * x mod 340282366920938463463374607431768211297 = 46974954106352480795018069738232571914

x = ?

I have no other ideas besides brute-forcing them for a million years. There must be special functions like modinv or onebignumwhatisitmodtwobignuminvert which I do not know.



This is real basic bignum stuff. I'm sure there are good tutorials about it, just have to find them.

In short: you need to solve x * y = z modulo q where y,q are constants and z comes from name.

Solving for x: x = z / y modulo q

It is the same as x = z * (1 / y) modulo q

Since y is constant, so is 1 / y modulo q.

You can calculate 1 / y modulo q using modinv function in any bignum lib or just use Wolfram Alpha.

Once you have that, keygen needs to do just one simple mulmod operation.

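As an added example, not part of kao's or njkermk's posts, here is the step above carried out in Python on the three numbers njkermk posted: a modinv built from the extended Euclidean algorithm, the inverse of the constant y computed once, and then the single mulmod per name that kao describes. The constants are the ones quoted above; the remark that q equals 2^128 - 159 (a prime, so every nonzero y has an inverse) is an observation about that value, not something the thread states.

```python
# Solve x * y = z (mod q) for x, given constants y and q and a name-derived z.

def egcd(a, b):
    """Extended Euclid: return (g, s, t) with g = gcd(a, b) and s*a + t*b = g."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        quot = old_r // r
        old_r, r = r, old_r - quot * r
        old_s, s = s, old_s - quot * s
        old_t, t = t, old_t - quot * t
    return old_r, old_s, old_t


def modinv(a, m):
    """Return a^-1 mod m, or raise if gcd(a, m) != 1 (no inverse exists)."""
    g, s, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("no inverse: gcd(%d, %d) = %d" % (a, m, g))
    return s % m


def solve_linear_congruence(y, z, q):
    """Return x in [0, q) with (x * y) % q == z. Requires gcd(y, q) == 1."""
    return (z * modinv(y, q)) % q


# Constants from njkermk's post: y and q are fixed by the target, z depends on the name.
Y = 289190426366822397640236384991278098977
Q = 340282366920938463463374607431768211297   # = 2**128 - 159, a prime
Z = 46974954106352480795018069738232571914

# As kao says, 1/y mod q is itself a constant: compute it once at startup.
Y_INV = modinv(Y, Q)


def keygen_step(z, y_inv=Y_INV, q=Q):
    """The per-name work that remains in the keygen: one modular multiplication."""
    return (z * y_inv) % q


if __name__ == "__main__":
    x = keygen_step(Z)
    # sanity check: feeding x back through the target's own check must give z
    assert (x * Y) % Q == Z
    print("x = %d" % x)
    print("x = %032x" % x)
```

Python 3.8+ also exposes the same inverse as pow(y, -1, q); the hand-written egcd is shown because that is what has to be reimplemented when the keygen is written in assembly against a bignum library that only offers the primitives.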

@njkermk - how the hell did you solve my crackme #C4N number 2? Its the exact same problem, and you coded ExtendedGCD operation to solve it...



Hello ChOoKi,

 

it took a long time, but finally I finished the keygen.
It cost me a lot of time and energy to recognize, research and code the cipher you have used.
But I must say it was real fun. Again, thank you for the keygenme and see you ... maybe ... on your next one ... :sneaky2: :sneaky2: :prop: :prop: :prop:

Solution_to_ChoOki#17.rar

