Sean's KeyGenMe

[Sean Park]

View File

Sean's KeyGenMe

---

Crack and keygen this for training your skills. It is protected with ConfuserEx using some anti tricks.

Write a tutorial and document the methods used in your solution.

My Anti-virus engine detects it's a virus, but it's not.

 

---

• Submitter
  Sean Park
• Submitted
  01/24/2022
• Category
  KeygenMe

 

[Washi]

Keys:

Spoiler

Washi: BB55119A323F17EF498AB5D7C48CB02F, left checkbox

Tuts4you: 47087AD3BF78425E511684EFF304618B, left checkbox

Not all users will have a valid key + checkbox combi. Keys that require the right checkbox to be checked actually never will succeed (e.g. "washi", "tuts4you" don't have a valid combination). Not sure if this was intentional or not.

Approach:

Spoiler

• Turns out we don't really need any deobfuscation. Most of it is readable with WinDbg.
• Open in dnSpy, notice it is packed / compressed. Run app outside of debugger, then attach WinDbg to dump the module (use !dumpdomain to get the address of the module to save with !savemodule)
• This dump needs to be fixed before we can open it in a decompiler, as some anti-dump was applied. This can all be done using CFF Explorer and any hex editor with a search function:
  • Fix CLR directory fields cb = 0x48 and version=2.5 (these are standard values).
  • Locate metadata header by searching for the version string v4.0.30319 in the hex editor. 0x10 bytes before this the metadata header starts. Grab this offset (0x760C), convert to an RVA (0xA20C), then update CLR directory accordingly. Just use some random value for the size of the directory.
  • Set the appropriate header values for the metadata header; signature = 0x424A5342 (BSJB)
  • Restore names in metadata streams in the following order: #~, #Strings, #GUID, #Blob
  • App is now readable in dnSpy
• Notice in dnSpy there's some basic proxy call obfuscation going on. All method calls are outlined to separate methods. We could deobfuscate this, but since these proxy stubs are super small, the JIT will actually inline all those calls. We can therefore just look into WinDbg's x86 view of every method to just read out all method calls, which makes it pretty clear what's going on. Dumps here: https://pastebin.com/JV5TBy2w
  • Break on System.Windows.Forms.Control.OnClick (!name2ee to find its address, bp for setting a breakpoint), and step into the button handler, which in turns calls method 0x06000040, where the actual verification happens.
  • Click handler first calculates "Hello World. New Year 2022 - " + usernameTextBox.ToString()
  • Method 0600003f is then called with the result as argument. This function which calls methods related to turning some ASCII input string into an MD5 uppercase hex digest. It is easily verified with e.g. CyberChef and some sample inputs that this is indeed nothing more than hashing the input with MD5.
  • Digest is compared to the serial, which concludes the first half of the verification.
  • Second half happens in the remainder of the x86, which contains a very convoluted way of testing whether the 4 digit hexadecimal number starting at character 20 in the serial key is even or odd. It uses this value to test whether the left or right checkbox needs to be ticked. Funnily enough, the right checkbox checks don't work, meaning that usernames that have a hex digest with this property will never have a valid serial + checkbox combination.
• Keygen is simply reimplementing the checksum generation algorithm. Sample python impl below:

import hashlib
import sys 

def generate(user):
    digest = hashlib.md5(b"Hello World. New Year 2022 - System.Windows.Forms.TextBox, Text: " + user).digest()
    return {
        "key": digest.hex().upper(),
        "checkbox": "left" if (digest[11] % 2) == 1 else "right"
    }

print(generate(sys.argv[1].encode("ascii")))

 

Edited March 31, 2022 by Washi

[Sean Park - Lovejoy]

@Washi

I'm the original author of this keygenme. I couldn't login for a while 'cause of some reason that I don't know. anyways Congratualtions! You Solved it. The bug you pointed at is not intended at all. my coding has the bugs.  thanks for solving it.

see u around.

regards.

Sean.

[Teddy Rogers]

6 hours ago, windowbase said:

I couldn't login for a while 'cause of some reason that I don't know.

If it was a site issue please send me a PM with details so I can investigate...

Ted.