Sean Park - Lovejoy Posted January 28, 2022 Posted January 28, 2022 View File Sean's KeyGenMe Crack and keygen this for training your skills. It is protected with ConfuserEx using some anti tricks. Write a tutorial and document the methods used in your solution. My Anti-virus engine detects it's a virus, but it's not. Submitter Sean Park Submitted 01/24/2022 Category KeygenMe
Solution Washi Posted March 31, 2022 Solution Posted March 31, 2022 (edited) Keys: Spoiler Washi: BB55119A323F17EF498AB5D7C48CB02F, left checkbox Tuts4you: 47087AD3BF78425E511684EFF304618B, left checkbox Not all users will have a valid key + checkbox combi. Keys that require the right checkbox to be checked actually never will succeed (e.g. "washi", "tuts4you" don't have a valid combination). Not sure if this was intentional or not. Approach: Spoiler Turns out we don't really need any deobfuscation. Most of it is readable with WinDbg. Open in dnSpy, notice it is packed / compressed. Run app outside of debugger, then attach WinDbg to dump the module (use !dumpdomain to get the address of the module to save with !savemodule) This dump needs to be fixed before we can open it in a decompiler, as some anti-dump was applied. This can all be done using CFF Explorer and any hex editor with a search function: Fix CLR directory fields cb = 0x48 and version=2.5 (these are standard values). Locate metadata header by searching for the version string v4.0.30319 in the hex editor. 0x10 bytes before this the metadata header starts. Grab this offset (0x760C), convert to an RVA (0xA20C), then update CLR directory accordingly. Just use some random value for the size of the directory. Set the appropriate header values for the metadata header; signature = 0x424A5342 (BSJB) Restore names in metadata streams in the following order: #~, #Strings, #GUID, #Blob App is now readable in dnSpy Notice in dnSpy there's some basic proxy call obfuscation going on. All method calls are outlined to separate methods. We could deobfuscate this, but since these proxy stubs are super small, the JIT will actually inline all those calls. We can therefore just look into WinDbg's x86 view of every method to just read out all method calls, which makes it pretty clear what's going on. Dumps here: https://pastebin.com/JV5TBy2w Break on System.Windows.Forms.Control.OnClick (!name2ee to find its address, bp for setting a breakpoint), and step into the button handler, which in turns calls method 0x06000040, where the actual verification happens. Click handler first calculates "Hello World. New Year 2022 - " + usernameTextBox.ToString() Method 0600003f is then called with the result as argument. This function which calls methods related to turning some ASCII input string into an MD5 uppercase hex digest. It is easily verified with e.g. CyberChef and some sample inputs that this is indeed nothing more than hashing the input with MD5. Digest is compared to the serial, which concludes the first half of the verification. Second half happens in the remainder of the x86, which contains a very convoluted way of testing whether the 4 digit hexadecimal number starting at character 20 in the serial key is even or odd. It uses this value to test whether the left or right checkbox needs to be ticked. Funnily enough, the right checkbox checks don't work, meaning that usernames that have a hex digest with this property will never have a valid serial + checkbox combination. Keygen is simply reimplementing the checksum generation algorithm. Sample python impl below: import hashlib import sys def generate(user): digest = hashlib.md5(b"Hello World. New Year 2022 - System.Windows.Forms.TextBox, Text: " + user).digest() return { "key": digest.hex().upper(), "checkbox": "left" if (digest[11] % 2) == 1 else "right" } print(generate(sys.argv[1].encode("ascii"))) Edited March 31, 2022 by Washi 1
Sean Park - Lovejoy Posted April 22, 2022 Author Posted April 22, 2022 @Washi I'm the original author of this keygenme. I couldn't login for a while 'cause of some reason that I don't know. anyways Congratualtions! You Solved it. The bug you pointed at is not intended at all. my coding has the bugs. thanks for solving it. see u around. regards. Sean.
Teddy Rogers Posted April 22, 2022 Posted April 22, 2022 6 hours ago, windowbase said: I couldn't login for a while 'cause of some reason that I don't know. If it was a site issue please send me a PM with details so I can investigate... Ted. 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now