Tuts 4 You

VSEC KeygenMe



Gladiator
Posted


Simple code virtualization KeygenMe (not a commercial VM).
Try to find the algorithm and make a correct key.
It's not too hard.
Your opinions about the VM complexity are welcome.

Thanks

  • Like 2
14yoKID
Posted (edited)

Hello! I am 14yoKID, and I have documented everything to the best of my ability. If you have any questions, please feel free to reach out or respond to my solution. I appreciate any feedback or discussion.

The first step is to look inside the crackme’s binary for any references to “Wrong key!” (the error message). We load the executable into a disassembler or debugger (IDA, x64dbg, or similar). A quick search reveals that “Wrong key! Try again.” is located around the following code:

00408C3E | A1 0CA34000       | mov eax, [0x40A30C]
00408C43 | BA D48C4000       | mov edx, 0x408CD4  ; "Wrong key! Try again."

This is where the program prints the "Wrong key!" message.

Scrolling above that reference, we see:

00408C16 | A1 98B74000    | mov eax, [0x40B798]    ; loads the user's computed key
00408C1B | 3B05 ACB74000  | cmp eax, [0x40B7AC]    ; compares it to the correct key
00408C21 | 75 1B          | jne 0x408C3E          ; jump if not equal => "Wrong key!"

This shows:

  • The user’s input key is stored at [0x40B798].
  • The “correct” key resides at [0x40B7AC].
  • If these two values do not match, we jump to the code that prints “Wrong key! Try again.”
  • If they do match, we take the path that prints “Correct key!, Now Try to Keygen ME !”

Finding where [0x40B7AC] is set:

A quick look upward in the disassembly reveals:

00408BB0 | E8 5BFEFFFF   | call 0x408A10
00408BB5 | A3 ACB74000   | mov [0x40B7AC], eax

So at address 0x00408BB0, we call a function (which we’ll refer to as sub_408A10). Right after that call, we store EAX into [0x40B7AC]. That means the function at 0x00408A10 produces the correct key in EAX.

To finally find the key, set a breakpoint at 0x00408BB0 or directly inside sub_408A10 at 0x00408A10.

Run the program and break on that address, then press F7 (Step into) on the call to examine how the function computes EAX.

Inside sub_408A10, we notice:

  • It reads a hard-coded byte 0x5A from [0x40A298].
  • It loops exactly four times over bytes stored at [0x40A29C..0x40A29F] (for instance, 0xA5, 0x3C, 0xD7, 0x82).
  • Each iteration does some arithmetic: XOR, multiply by 12345, add 0x6789, shift bits, etc.
  • After finishing four iterations, it multiplies EAX by 0xDEADBEEF, does a final XOR and then returns EAX.

Stepping through the entire function, we see that every run ends with a single final value:

EAX = 0x8981B3E0

It then writes this to [0x40B7AC]. Therefore, the correct key is a constant number: 0x8981B3E0 (OR IS IT??)

Even though we know the internal number is 0x8981B3E0, how do we type it so that the crackme accepts it?

By stepping into the function that processes the input (sub_4060A8 or sub_4045D4), or simply by trial and error, we learn:

  • The crackme expects a leading '$' to interpret the rest of the text as hex.
  • Typing XXXX1B3E0 (don't want to spoil the fun for others) is interpreted as the hex value 0x8981B3E0.

This matches the stored correct key, so the crackme prints: "Correct key!, Now Try to Keygen ME !"

But why '$'?

In this particular crackme, the $ symbol is how the program’s input-parsing routine recognizes the user’s entry as a hexadecimal number. Without the '$' prefix, the code typically treats your input as decimal (or otherwise misreads it). Since the “correct key” is stored internally as the hexadecimal value 0x8981B3E0, the crackme will only accept a matching hex number—and it specifically wants you to indicate “hex mode” with '$'.

That’s why typing 0x8981B3E0 or plain 8981B3E0 fails: the program doesn’t parse those formats as the same 32-bit value. Only '$8981B3E0' matches the exact hexadecimal integer 0x8981B3E0 the crackme expects.

The final answer of mine and correct/valid key is

Spoiler

$8981B3E0


Edited by 14yoKID
Fixed a few typos. Is it me, or is everything I write here in pure blue?
  • Like 4
  • Thanks 3
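As an added illustration of the input handling the solution describes (this is not the crackme's own code, and the actual parsing routine at sub_4060A8 / sub_4045D4 is not shown in the thread), here is a small Python model of the key check: a leading '$' selects hex parsing of the rest of the text, anything else is read as a plain decimal number, the value is truncated to 32 bits, and the result is compared with the constant 0x8981B3E0 that sub_408A10 stores at [0x40B7AC]. Treating '$' as the Pascal/Delphi style hex prefix and the decimal fallback are assumptions taken from the write-up, not verified against the binary; in particular, this model would also accept the same number spelled in decimal, which the thread does not confirm.

```python
# Added model of the crackme's key check; not the crackme's own code.
# Assumptions (from the write-up, not from the binary): a leading '$'
# means "parse the rest as hex" (Pascal/Delphi convention), anything
# else is decimal only, and the value is truncated to 32 bits before
# the compare that mirrors "cmp eax, [0x40B7AC]" at 0x408C1B.

CORRECT_KEY = 0x8981B3E0   # value sub_408A10 returns in EAX and stores at [0x40B7AC]
MASK32 = 0xFFFFFFFF
HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_key(text: str):
    """Return the 32-bit integer the input represents, or None if it does not parse."""
    s = text.strip()
    if not s:
        return None
    if s[0] == "$":
        body = s[1:]
        # '$' alone, or any non-hex character, is a parse failure
        if not body or any(c not in HEX_DIGITS for c in body):
            return None
        return int(body, 16) & MASK32
    # No '$' prefix: decimal only. "0x8981B3E0" and bare "8981B3E0"
    # contain non-decimal characters and are rejected here.
    if not s.isdigit():
        return None
    return int(s, 10) & MASK32


def check_key(text: str) -> bool:
    """True when the parsed value equals the stored constant (the 'Correct key!' path)."""
    value = parse_key(text)
    return value is not None and value == CORRECT_KEY


def verdict(text: str) -> str:
    """The two messages the crackme prints, selected by the compare above."""
    return "Correct key!, Now Try to Keygen ME !" if check_key(text) else "Wrong key! Try again."


if __name__ == "__main__":
    # Constructed candidates: the accepted spelling, its lowercase form,
    # and the two spellings the write-up says are rejected.
    for candidate in ["$8981B3E0", "$8981b3e0", "0x8981B3E0", "8981B3E0", "$DEADBEEF"]:
        print(f"{candidate:>12} -> {verdict(candidate)}")
```

The model makes the write-up's point concrete: the comparison at 0x408C1B is between two 32-bit integers, so the only question is which textual spellings the parser maps to the integer 0x8981B3E0; under the '$'-as-hex rule, "$8981B3E0" does and the other spellings do not.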
Gladiator
Posted

Well done, 14yoKID.
And what is your point about its complexity? It used internal virtualization (simple but with special complexity).

Thank you, you did it very well.

  • Like 2
14yoKID
Posted

I had fun doing your KeygenMe. The virtualization itself is very straightforward and simple, as well as the "special complexity"; I had a few problems but I resolved them pretty quick.

  • Like 2
