freddy
Posted March 17

.NET KeyGenMe by Freddy #1

Hey there! I made this KeyGenMe because I enjoy playing chess. This challenge is written in .NET and involves some mathematical operations, mixed with a few chess-related twists.

Your task is to figure out the logic behind generating a valid serial key based on the username you enter. But be warned—it’s not as simple as just moving a pawn forward ( maybe a hint )

Protection used : None.

Goals :
1. Provide valid combination for Username - Serial Key ( Bronze )
2. Fully KeyGen it - every username with different serial key algorithm ( Silver )
3. Full KeyGen plus EXPLANATION on what u did and how you figured out everything ( Gold )

Good luck!

Submitter: freddy
Submitted: 03/17/2025
Category: KeygenMe

Washi
Posted March 17 (edited)

You may want to revise your keygenme challenge, the challenge is trivial to solve (5 minutes work)

Here are some working serials:

Spoiler
washi: E5 C1 G9 G9 E5 E5 - e2e4 e2e4 e2e4 Bf1c4 d2d4 e2e4 e2e4 e2e4 e2e4 e2e4 e2e4 e2e4
tuts4you: E5 G4 A2 C1 C1 G9 I8 A7 E5 - e2e4 e2e4 e2e4 Bf1c4 d2d4 e2e4 e2e4 e2e4 e2e4 e2e4 e2e4 e2e4
freddy: E5 I3 G9 I8 I8 I8 A7 - e2e4 e2e4 e2e4 Bf1c4 d2d4 e2e4 e2e4 e2e4 e2e4 e2e4 e2e4 e2e4

Explanation:

Spoiler
The problem with these types of keygenmes is that they validate by generating the valid serial for us and comparing it to the input serial. This makes building a keygen trivial, as we can just let the program generate the serial for us or decompile the original program and paste the serial generation algorithm into our keygen, without having to understand how it happens.

In this case, A1B2C3.BetaGenerate generates the correct key, which is then compared to the input key using A1B2C3.PiSlowCompare. Just decompile the A1B2C3.BetaGenerate function and all its related functions, and you get a fully working keygen.

Code:

    using System;
    using System.Numerics;

    public static class A1B2C3
    {
        // ----------------------------------
        // This is my code
        // ----------------------------------
        public static void Main(string[] args)
        {
            // Print "<username>: <serial>" using the program's own generator.
            Console.WriteLine($"{args[0]}: {A1B2C3.BetaGenerate(args[0])}");
        }

        // ----------------------------------
        // Remainder is 1:1 copied from ILSpy
        // ----------------------------------
        /* ... snipped ... */
    }

Edited March 17 by Washi: Move serials into spoiler
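
One way to avoid the generate-and-compare pattern described in the explanation above, as an added example that is not part of the thread or of the challenge's code: the shipped program only verifies an ECDSA signature over the username with a public key, so decompiling the check yields no serial generator. LicenseDemo, IssueSerial and VerifySerial are hypothetical names, and the key pair is constructed for the demo.

```csharp
// Added example: all type and method names here are hypothetical.
using System;
using System.Security.Cryptography;
using System.Text;

public static class LicenseDemo
{
    // Vendor side only: needs the private key, which never ships with the program.
    public static string IssueSerial(ECDsa privateKey, string username)
    {
        byte[] sig = privateKey.SignData(Normalize(username), HashAlgorithmName.SHA256);
        return Convert.ToBase64String(sig);
    }

    // Shipped side: holds only the public key, so decompiling this method
    // shows how a serial is checked, not how one is produced.
    public static bool VerifySerial(byte[] publicKeySpki, string username, string serial)
    {
        byte[] sig;
        try { sig = Convert.FromBase64String(serial); }
        catch (FormatException) { return false; }   // malformed serial

        using ECDsa pub = ECDsa.Create();
        pub.ImportSubjectPublicKeyInfo(publicKeySpki, out _);
        return pub.VerifyData(Normalize(username), sig, HashAlgorithmName.SHA256);
    }

    // Same canonical form on both sides, so "Washi " and "washi" map to one serial.
    private static byte[] Normalize(string username) =>
        Encoding.UTF8.GetBytes(username.Trim().ToLowerInvariant());

    public static void Main()
    {
        // Constructed demo key pair; a real vendor generates it once, offline.
        using ECDsa vendorKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        byte[] spki = vendorKey.ExportSubjectPublicKeyInfo();

        string serial = IssueSerial(vendorKey, "washi");
        Console.WriteLine(VerifySerial(spki, "washi", serial));          // serial issued for this user
        Console.WriteLine(VerifySerial(spki, "freddy", serial));         // serial issued to someone else
        Console.WriteLine(VerifySerial(spki, "washi", "not-a-serial!")); // malformed input
    }
}
```

The check itself can still be patched out of the binary; what this design removes is the ability to lift a working generator from the decompiled code.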

14yoKID
Posted March 17 (Solution)

Since @Washi provided the solution first, you may mark his answer as solved. However, I’d like to share my approach as well for reference.

1) Polynomial Coefficients and Matrix

1. Username - Polynomial Coeffs
The code has a function that folds ASCII values into 8 coefficients ( size = 7 ). For "CHESSKING", we take each character's ASCII and add it to a slot in the array.

2. Matrix Build
We then build a 5 x 5 integer matrix from these 7 coefficients. Each entry is computed via this formula:
mat(r,c) = ( coeffs ( r mod 7 ) x ( c + 1)) + ( r + 1 ) ---> All in parentheses from start has to be to the power of 2.

3. Determinant ( mod 65521 )
We do a row-reduction to find the matrix's determinant, and then take mod 65521.

2) Toy Elliptic-Curve Step

The code defines a small curve:
y^2 ≡ x^3 + Ax + B (mod p), p = 1201, A = 1, B = 1. ( x^3 here is actually x to the power of 3 )
We have a base point G = ( 5,116 ) this goes:
finalPoint = ECSM(G, detMod)
That is, we "add" G to itself ( detMod ) times in elliptic-curve arithmetic. The result is ( X , Y ). Then we define it with this formula:
curveSecret = X + (Y << 16)

3) LFSR Shuffle

We take 64 bits (lowest bits) from curveSecret and feed them into a Linear Feedback Shift Register for 64 rounds, producing a new 64-bit integer lfsrOutput. This step effectively scrambles the bits further.

4) BFS-Based Knight Path

The code starts at square E5 on a 10×10 board labeled A..J (files) and 1..10 (ranks). Internally, E5 is (4,4) in 0-based coordinates. For each character in the username, we do:
steps = (ASCII of char) mod 5, then run a BFS for that many expansions.
The BFS uses Knight moves (like (2,1), (1,2), etc.) with wrapping if we go off the board. We capture the last enqueued square after those BFS expansions, add that to our path, and repeat for the next character in the username.

5) “Check to the King”

There is a King placed on G10 → (6,9) in 0-based coordinates. We look at the final square in our BFS path. If that final square is one knight’s move away from (6,9), we do an extra step:
lfsrOutput = lfsrOutput ⊕ 0xA5A5A5A5
For "CHESSKING", the BFS path’s last square does or does not cause this XOR. In our run, it does cause the XOR (i.e., it’s in position to “check the King”).

6) Nibble → Weird SAN Moves

We take the final integer (lfsrOutput) and break it into 12 consecutive 4-bit nibbles. For each nibble, we pick a “weird” standard algebraic notation (SAN) chess move from the code’s move table. This yields moves like e2e4, Na3xb5, Qd1h5, etc.

7) Final Serial

Part A: The BFS squares (space-separated).
A dash ( - )
Part B: The 12 SAN moves from the nibble-based table.

Verifying everything we gathered so far:

For "CHESSKING":
E5 I3 C1 A7 G4 C1 C1 I8 E5 G4
After the code determines the King is in check, it XORs the LFSR output with 0xA5A5A5A5
Extract 12 nibbles → map to the weird SAN table.
They all turned out to be mostly e2e4, with a couple of different ones in the middle (Bf1c4, d2d4)

My final answer which is my Username and Serial Key is:

Spoiler
Username : CHESSKING
Serial Key : E5 I3 C1 A7 G4 C1 C1 I8 E5 G4 - e2e4 e2e4 e2e4 Bf1c4 d2d4 e2e4 e2e4 e2e4 e2e4 e2e4 e2e4 e2e4
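
The toy elliptic-curve step from section 2 of the post above, as an added example that is not the challenge's decompiled code: double-and-add scalar multiplication plus the on-curve check a reviewer would run on the parameters first. With the values as quoted, (5,116) does not satisfy the equation for B = 1 (116² mod 1201 = 245, while 5³ + 5 + 1 = 131); since the addition formulas never use B, the arithmetic still runs. ToyCurve and its members are hypothetical names, and the scalar is a constructed stand-in for detMod.

```csharp
// Added example: ToyCurve and its members are hypothetical names.
using System;
using System.Numerics;

public static class ToyCurve
{
    // Parameters as quoted in the post: y^2 = x^3 + A*x + B (mod P).
    const long P = 1201, A = 1, B = 1;

    static long Mod(long v) => ((v % P) + P) % P;

    // Inverse mod P by Fermat's little theorem (P is prime).
    static long Inv(long v) => (long)BigInteger.ModPow(Mod(v), P - 2, P);

    public static bool OnCurve(long x, long y) =>
        Mod(y * y - (x * x * x + A * x + B)) == 0;

    // Affine point addition; null is the point at infinity.
    // B does not appear anywhere in these formulas.
    public static (long X, long Y)? Add((long X, long Y)? p, (long X, long Y)? q)
    {
        if (p is null) return q;
        if (q is null) return p;
        var (x1, y1) = p.Value;
        var (x2, y2) = q.Value;
        if (x1 == x2 && Mod(y1 + y2) == 0) return null;   // P + (-P)
        long s = x1 == x2
            ? Mod((3 * x1 * x1 + A) * Inv(2 * y1))        // tangent slope (doubling)
            : Mod((y2 - y1) * Inv(x2 - x1));              // chord slope
        long x3 = Mod(s * s - x1 - x2);
        return (x3, Mod(s * (x1 - x3) - y1));
    }

    // Double-and-add scalar multiplication: k * g.
    public static (long X, long Y)? Multiply((long X, long Y) g, long k)
    {
        (long X, long Y)? acc = null, addend = g;
        for (; k > 0; k >>= 1, addend = Add(addend, addend))
            if ((k & 1) == 1) acc = Add(acc, addend);
        return acc;
    }

    public static void Main()
    {
        var g = (X: 5L, Y: 116L);
        Console.WriteLine($"G satisfies the quoted equation: {OnCurve(g.X, g.Y)}");
        long detMod = 12345;   // constructed scalar, stands in for the determinant mod 65521
        var r = Multiply(g, detMod);
        Console.WriteLine(r is null ? "point at infinity"
                                    : $"curveSecret = {r.Value.X + (r.Value.Y << 16)}");
    }
}
```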