November 1, 2025 r00t0

KeygenMe v4
Difficulty: 5
Language: C GCC
Platform: x64
OS Version: Windows 10+
Packer / Protector: Selfmade

Description:
Implement a keygenme that generates a serial derived from a nickname. Also demonstrate a generator that, given a nickname, produces the correct serial.

I used my own tool that I've been developing for two years. It started as an optimizer, but I'm now experimenting with the reverse idea — using it to help with obfuscation and code retranslation.

File Information
Submitter: r00t0
Submitted: 11/02/2025
Category: KeygenMe
April 2 Blue
Nice one, have to give you credit for your obfuscator:
KeyName: Blue Indian, Key: 65234d32586edb4287545b89711bd6d7
April 2 r00t0 (Author)
3 hours ago, Blue said:
    Nice one, have to give you credit for your obfuscator:
    KeyName: Blue Indian, Key: 65234d32586edb4287545b89711bd6d7
Okay, that's the correct key. Did you use any tool or just brute-force it?
Edited April 2 by r00t0
April 3 RADIOX
22 hours ago, Blue said:
    Nice one, have to give you credit for your obfuscator:
    KeyName: Blue Indian, Key: 65234d32586edb4287545b89711bd6d7
You still alive? What is this, Blue? 🤔 Anyway, it's good to see you after 2 years.
Edited April 3 by RADIOX
April 6 Blue
@r00t0 I traced your obfuscations, IAT, and sections; no brute force. I found static strings such as Nickname, serial key, etc., in the .rdata section. The main function was to set up the stack frame and then jump to the .ll section with MBA chains. I spent a while trying to make sense of it, but got nowhere with it.

So, I wrote a small emulator to fake out the Windows structures (honestly, I am not on Windows these days) that the .a2l runtime needs (TEB/PEB/LDR, which it walks to resolve VirtualAlloc, which is kind of neat) and hooked the IAT functions. I figured out the program does a malloc for parsing the input serial bytes, then a malloc for a 16-byte buffer where it stores the result of some custom 128-bit hash over the nickname, and the comparison between the two is done inline, so you can't just set a breakpoint to check. Then I read the computed hash from the heap, and that's your serial.

I think it's really solid work. The MBA transforms did their job; I genuinely could not recover the logic. The .a2l runtime with its own stack and PEB-walking dispatcher is a nice touch too. The thing that let me bypass all of it was that the I/O boundary is still clean, and the IAT calls to printf, fgets, and malloc are right there unprotected, so hooking them gives you the inputs and outputs without having to understand anything in between.
Edited April 6 by Blue
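The approach Blue describes (leave the obfuscated core alone, hook the unprotected imports, and lift the 16-byte hash off the heap) is shown below as an added example. It is not Blue's emulator and not r00t0's code: the "IAT" is simulated as a function-pointer table that the target calls through, the 128-bit nickname hash is a placeholder standing in for the real MBA-obfuscated computation, and every name in it (target_check, recover_serial, hooked_malloc, etc.) is an assumption made for illustration. The analyst side never reads the hash logic; it feeds a known dummy serial, snapshots every 16-byte allocation when it is freed, and takes the buffer that does not contain the dummy bytes as the computed serial.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulated import table: the target only reaches the C runtime through
   these slots, like a PE calling through its IAT, so the analyst can swap
   the slots without touching the protected code. */
struct iat { void *(*malloc_fn)(size_t); void (*free_fn)(void *); };
static struct iat g_iat = { malloc, free };

/* Placeholder 128-bit hash. NOT the keygenme's algorithm; it only stands
   in for the opaque computation the hooks never need to understand. */
static void toy_hash128(const char *nick, uint8_t out[16]) {
    uint64_t a = 0x243F6A8885A308D3ULL, b = 0x13198A2E03707344ULL;
    for (const unsigned char *p = (const unsigned char *)nick; *p; p++) {
        a = (a ^ *p) * 0x100000001B3ULL;
        a = (a << 13) | (a >> 51);
        b += a ^ ((uint64_t)*p * 0x9E3779B97F4A7C15ULL);
        b = (b << 29) | (b >> 35);
    }
    memcpy(out, &a, 8);
    memcpy(out + 8, &b, 8);
}

static int hex_to_bytes(const char *hex, uint8_t out[16]) {
    if (strlen(hex) != 32) return 0;
    for (int i = 0; i < 16; i++) {
        unsigned v;
        if (sscanf(hex + 2 * i, "%2x", &v) != 1) return 0;
        out[i] = (uint8_t)v;
    }
    return 1;
}

/* Target: malloc for the parsed serial bytes, malloc for the hash,
   compare inline (no comparison import to break on), free both. */
int target_check(const char *nick, const char *serial_hex) {
    uint8_t *given = g_iat.malloc_fn(16);
    uint8_t *expected = g_iat.malloc_fn(16);
    int ok = 0;
    if (given && expected && hex_to_bytes(serial_hex, given)) {
        toy_hash128(nick, expected);
        ok = 1;
        for (int i = 0; i < 16; i++) ok &= (given[i] == expected[i]);
    }
    g_iat.free_fn(given);
    g_iat.free_fn(expected);
    return ok;
}

/* Analyst side: hooks installed into the import table. */
#define MAX_SNAPS 8
static uint8_t g_snaps[MAX_SNAPS][16];   /* 16-byte buffers captured at free */
static size_t g_nsnaps, g_nlive;
static void *g_live[MAX_SNAPS];          /* 16-byte allocations still live */
static void *(*g_real_malloc)(size_t);
static void (*g_real_free)(void *);

static void *hooked_malloc(size_t n) {
    void *p = g_real_malloc(n);
    if (p && n == 16 && g_nlive < MAX_SNAPS) g_live[g_nlive++] = p;
    return p;
}

static void hooked_free(void *p) {
    for (size_t i = 0; i < g_nlive; i++) {
        if (g_live[i] == p) {          /* snapshot before the heap reuses it */
            if (g_nsnaps < MAX_SNAPS) memcpy(g_snaps[g_nsnaps++], p, 16);
            g_live[i] = g_live[--g_nlive];
            break;
        }
    }
    g_real_free(p);
}

static void install_hooks(void) {
    g_real_malloc = g_iat.malloc_fn; g_real_free = g_iat.free_fn;
    g_iat.malloc_fn = hooked_malloc;  g_iat.free_fn = hooked_free;
    g_nlive = g_nsnaps = 0;
}
static void remove_hooks(void) {
    g_iat.malloc_fn = g_real_malloc; g_iat.free_fn = g_real_free;
}

/* Run the target once with an all-zero dummy serial. The snapshotted
   16-byte buffer that does not hold the dummy bytes is the hash; hex-encode
   it into out_hex (33 bytes). Returns 1 on success. */
int recover_serial(const char *nick, char out_hex[33]) {
    static const char dummy[] = "00000000000000000000000000000000";
    uint8_t dummy_bytes[16] = {0};
    int found = 0;
    install_hooks();
    target_check(nick, dummy);
    remove_hooks();
    for (size_t i = 0; i < g_nsnaps && !found; i++) {
        if (memcmp(g_snaps[i], dummy_bytes, 16) != 0) {
            for (int j = 0; j < 16; j++) sprintf(out_hex + 2 * j, "%02x", g_snaps[i][j]);
            found = 1;
        }
    }
    return found;
}
```

Calling recover_serial("Blue Indian", buf) and then target_check("Blue Indian", buf) shows the round trip: the serial came entirely from the allocation boundary, with the hash treated as a black box. In a real emulator the same idea applies to the resolved import slots (here malloc and free; for the keygenme also fgets and printf), and the snapshot-on-free step matters because the buffer is gone by the time the program returns.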