Tuts 4 You

Simple crackme/keygenme


blank
Solved by kao

Difficulty : 4 (I don't know)
Language : C# .NET
Platform : Windows
OS Version : 7 and above
Packer / Protector : Custom tool written from scratch and Obfuscar


Description :

Here is a project I've been working on for a few days. The protection algorithm is all written by myself (pretty basic though). I am basically a noob, so it might just be crap. However, I'd appreciate if someone could take a look at it, and provide some instructions on how to crack it. In the end, I ran the dlls through Obfuscar, for some simple renaming.

The program takes two strings: a name, and a serial. Then it checks if the given serial is valid for the given name. If so, it generates an ID number from the name and serial.

There is one valid pair of name and serial provided.

The goals are simple:
-Crack the program (make it generate the right IDs for any combination of names and serials)
-Make a keygen that generates valid serials for any name.

Screenshot :

[screenshot: 2018-09-19_164626.png]

crackme2.zip


@kao Wow, impressive work. Can you share any hints on how you extracted those dynamic methods?

36 minutes ago, kao said:

I think that some (long) usernames cannot have a valid serial.

Yes, that's true. I made the serial algo in a rush, just to have something complex to protect. I noticed afterwards that if the name is too long or has too many characters with large ASCII values, it doesn't produce valid serials anymore. Anyway, your keygen is brilliant, and it works just as well as my original one.


dnSpy explicitly states that:

  "Dynamic modules can be debugged (but not dynamic methods due to CLR limitations)"

So, I had to do it the old fashioned way. You did not obfuscate names of the important stuff. It made my life so much easier! :)


1) Use dnSpy to extract IL code. Put a breakpoint inside LoadObject and dump "code" array. You can even see correct names for obfuscated methods!

[screenshot: mZv1cBa.png]

2) Load the dumped IL code in IDA and add the information from dnSpy. The "serializableMethod" variable has a wealth of useful information, particularly the called methods and params. :)

[screenshot: YTKeZey.png]

3) Stare at the IL code until it starts to make sense. Problem solved.


13 minutes ago, kao said:

Yeah, I rushed things a bit, so I skipped some steps. I tried to run the exe through Obfuscar to rename as much as possible. However, it kept breaking it, until I gave up. It wasn't very efficient on the dlls anyway, as they were pretty readable even after using it.

The whole thing was built from scratch in 3 days, so this explains why the info is so easy to read from the SerializableMethods. I could at least save some random names for the dynamic methods, but I didn't realize how helpful having the original names would be.

On Monday I started the work. I was looking for a way to store encrypted methods as resources, and use them when needed. I came across dynamic methods, but I couldn't find anything on how to implement them (or at least the SetCode method, which it seems nobody except me uses 😂), so I figured it would be fun to give it a shot.
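To show how a method body can be stored as raw IL and turned back into a DynamicMethod through DynamicILInfo.SetCode, as blank describes above, here is an added example (my own code, not the crackme's library): SerializedMethod, Load and Demo are hypothetical names, and the byte scan for call-token slots is a simplification.

```csharp
using System;
using System.Reflection;
using System.Reflection.Emit;
// Hypothetical SerializedMethod: raw IL plus the callees that its token slots refer to.
class SerializedMethod
{
    public byte[] Code;            // raw IL; FF FF FF FF after 0x28 (call) marks a token slot
    public MethodInfo[] Callees;   // callees in the order their slots appear in Code
    public Type ReturnType;
    public Type[] ParameterTypes;
    public DynamicMethod Load(string name)
    {
        var dm = new DynamicMethod(name, ReturnType, ParameterTypes, typeof(SerializedMethod).Module, true);
        DynamicILInfo il = dm.GetDynamicILInfo();
        // Metadata tokens only mean something inside the module that emitted them, so the loader
        // asks DynamicILInfo for fresh tokens and patches them into the byte stream.
        // (Naive byte scan for the demo; a real loader walks opcodes and operand sizes.)
        byte[] code = (byte[])Code.Clone();
        int next = 0;
        for (int i = 0; i + 4 < code.Length; i++)
        {
            if (code[i] == 0x28 && BitConverter.ToUInt32(code, i + 1) == 0xFFFFFFFF)
            {
                int token = il.GetTokenFor(Callees[next++].MethodHandle);
                Array.Copy(BitConverter.GetBytes(token), 0, code, i + 1, 4);
                i += 4;
            }
        }
        il.SetLocalSignature(SignatureHelper.GetLocalVarSigHelper().GetSignature());
        il.SetCode(code, 8); // 8 = max stack depth, plenty for this body
        return dm;
    }
}
static class Demo
{
    static void Main()
    {
        // Constructed IL for "return Math.Max(arg0, arg1);":
        // ldarg.0 (02)  ldarg.1 (03)  call <slot> (28 FF FF FF FF)  ret (2A)
        var m = new SerializedMethod
        {
            Code = new byte[] { 0x02, 0x03, 0x28, 0xFF, 0xFF, 0xFF, 0xFF, 0x2A },
            Callees = new[] { typeof(Math).GetMethod("Max", new[] { typeof(int), typeof(int) }) },
            ReturnType = typeof(int),
            ParameterTypes = new[] { typeof(int), typeof(int) },
        };
        var f = (Func<int, int, int>)m.Load("Max").CreateDelegate(typeof(Func<int, int, int>));
        Console.WriteLine(f(3, 7));
    }
}
```

Because the body only exists as a DynamicMethod after SetCode, dnSpy cannot set a breakpoint inside it, which is why kao's approach above dumps the "code" array before SetCode runs.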


It's not a totally original protection idea. For example, reWolf described a different way of solving a similar crackme back in 2013: http://blog.rewolf.pl/blog/?p=502

But it's still a really nice protection and will stop most of the so-called ".NET crackers" - as they can't use anything else but dnSpy and de4dot.. :D


42 minutes ago, kao said:

Yeah, that's one of the (only) three pages I could find for my research. I managed to find a copy of the crackme he was talking about, and started from there. The second page was here: https://stackoverrun.com/ru/q/11057358, which uses the class presented here: https://blogs.msdn.microsoft.com/haibo_luo/2006/11/07/turn-methodinfo-to-dynamicmethod/. With the info and code from these pages I managed to write my own libraries to serialize and deserialize methods.


I am also preparing something else. I hope to post it soon (and to be fun 🙂).


31 minutes ago, Gordon said:

very nice obfuscation

Thanks, I am glad you like it.
