Tuts 4 You

# r00t0's KeygenMe

Go to solution Solved by SmilingWolf,

## Recommended Posts

Difficulty : 8
Language : C/C++
Platform : Windows 32bit
OS Version : Windows 7+
Packer / Protector : UPX 3.91

Description :

The goal is to write a keygen for it without patching the file. Key must have 5 characters.

Screenshot :

Edited by r00t0
##### Share on other sites

`One correct key: ajjag`

Last letter appears to be unused, the sum of the indexes of the first 4 letters inside the alphabet

`abcdefghijklmnopqrtuvwxyz`

must equal the index of letter "t" inside said alphabet.

In the serial above:
a = 0 + j = 9 + j = 9 + a = 0 -> 18
Alpha[18] = t
Serial check passed.

How is this a difficulty 8 KeygenMe? Is that some kind of bait? Am I missing something?

• 2
##### Share on other sites

It's not a bait, maybe difficult is 2. And it's not one correct key.

You correctly solved how to work algorithm. Good work.

Edited by r00t0
##### Share on other sites

• Solution

Yeah, I meant it as "one correct key (among the many possible ones)".

Attached my keygen in python 2.7
Some more sample keys:

```cbdmn
aaatj
gaama```

In general anything that can be solved by hand like that shouldn't get a difficulty rating above 2.

If I may and you're willing to, can I ask you now to explain how/why my keygen works?

Edited by SmilingWolf
• 1
##### Share on other sites

Keygen randomize 4 character from pattern (max array length / 3) from array and append to empty array, 5 character are randomized because is not used.

I understood the question well ?

There's my algorith to checking key

Spoiler
```
int key = 0;
for (int i=0; i<5; i++)
for (int j=0; j<25; j++)
key+=j;```

Edited by r00t0
##### Share on other sites

Yeah you got the question.

I'm generating the first 3 characters randomly, making sure that the sum of their indexes doesn't exceed 18 by simply using indexes between 0 and 6 (len(alpha) - 1 = 18; 18 / 3 = 6). This way the worst case scenario is that I've got 6 + 6 + 6 = g + g + g.
Then I'm subtrating from the max allowed index (18) the sum of the first three. This way, if the sum was 18 here I simpy get 0, which means "a" gets chosen as fourth letter.

You said the serial should be 5 letters long, but there's actually no check on the serial's length. Moreover, fgets(char * str, int num, FILE * stream) only memorizes num - 1 entered characters and appends a null byte at the end, which means the last iteration of the loop always checks a null byte instead of a letter, so my keygen would do just as well generating only 4 letters. This totally slipped past me

Edited by SmilingWolf
• 1
• 1