DoomsDay Grandmaster Cheater Reputation: 0
Joined: 06 Jan 2007 Posts: 768 Location: %HomePath%
Posted: Tue May 20, 2008 2:27 pm Post subject: Simple Keygen-Me

I hope you'll have fun solving it, I had some fun writing it.
Link: [Attached]
Level: Easy

Labyrnth Moderator Reputation: 9
Joined: 28 Nov 2006 Posts: 6285
Posted: Tue May 20, 2008 3:31 pm

CPUID <--- ?

lurc Grandmaster Cheater Supreme Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Tue May 20, 2008 3:40 pm

@Labyrnth:
http://en.wikipedia.org/wiki/CPUID
Code:
.text:00401000 ; =============== S U B R O U T I N E =======================================
.text:00401000
.text:00401000 ; Attributes: bp-based frame
.text:00401000
.text:00401000 ; int __stdcall sub_401000(LPCSTR lpString, int)
.text:00401000 sub_401000 proc near ; CODE XREF: DialogFunc+6Ep
.text:00401000
.text:00401000 var_4 = dword ptr -4
.text:00401000 lpString = dword ptr 8
.text:00401000 arg_4 = dword ptr 0Ch
.text:00401000
.text:00401000 push ebp
.text:00401001 mov ebp, esp
.text:00401003 mov eax, 1
.text:00401008 cpuid
.text:0040100A push ecx
.text:0040100B push [ebp+lpString] ; lpString
.text:0040100E call lstrlenA
.text:00401013 mov ecx, eax
.text:00401015 sub ecx, 100h
.text:0040101B neg ecx
.text:0040101D mov edi, [ebp+lpString]
.text:00401020
.text:00401020 loc_401020: ; CODE XREF: sub_401000+33j
.text:00401020 ror word ptr [esp+4+var_4], 5
.text:00401025 ror [esp+4+var_4], 0Dh
.text:00401029 neg [esp+4+var_4]
.text:0040102C mov al, byte ptr [esp+4+var_4]
.text:0040102F or [ecx+edi-1], al
.text:00401033 loop loc_401020
.text:00401035 add esp, 4
.text:00401038 mov eax, edi
.text:0040103A mov eax, [eax]
.text:0040103C sub eax, [ebp+arg_4]
.text:0040103F lea ebx, unk_403027
.text:00401045 xlat
.text:00401046 shl eax, 18h
.text:00401049 rol eax, 8
.text:0040104C add eax, offset aWorngTryAgain ; "Worng, Try again!"
.text:00401051 pop ebp
.text:00401052 retn 8
.text:00401052 sub_401000 endp

This looks like the encryption or however you're generating the serial, I'll look more into it after.

Labyrnth Moderator Reputation: 9
Joined: 28 Nov 2006 Posts: 6285
Posted: Tue May 20, 2008 4:29 pm

|
I know what it is mate,
But for a genme?
Why would you use the stepping, model, and family information?
I'm getting the idea this genme is machine specific in what results are the real ones.

DoomsDay Grandmaster Cheater Reputation: 0
Joined: 06 Jan 2007 Posts: 768 Location: %HomePath%
Posted: Tue May 20, 2008 10:28 pm

Labyrnth wrote: | I know what it is mate,
But for a genme?
Why would you use the stepping, model, and family information?
I'm getting the idea this genme is machine specific in what results are the real ones. |
I used it to generate a different number per machine, because I want you to focus on the algorithm instead of just showing me one possible answer and marking it as solved.
Last edited by DoomsDay on Wed May 21, 2008 1:50 am; edited 1 time in total

Labyrnth Moderator Reputation: 9
Joined: 28 Nov 2006 Posts: 6285
Posted: Wed May 21, 2008 12:22 am

Kinda defeats the purpose of a genme, don't yah think?
Since the gen will only be good on a specific machine.
It can still be reversed to work on any machine without genning it tho.
I have never attempted to code an actual keygen.
But maybe one day I will give it a shot lol.

DoomsDay Grandmaster Cheater Reputation: 0
Joined: 06 Jan 2007 Posts: 768 Location: %HomePath%
Posted: Wed May 21, 2008 1:55 am

I believe any non-zero number would be okay in this implementation. Anyways, I think you should crack it first, or step through it, as it's not a regular compare.

Symbol I'm a spammer Reputation: 0
Joined: 18 Apr 2007 Posts: 5094 Location: Israel.
Posted: Wed May 21, 2008 2:44 am

At 401045, EBX+AL should point to the value 0x12, the question is what writes to EBX+AL, that I'm still trying to figure out.
Edit: well it can't point to one of the name/serial addresses, EBX+FF points to 403136 and the name/serial starts at 403137...
Is this even possible?
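
Added example, not part of any post in this thread and not the challenge's own source: a C model of the loop at loc_401020 in lurc's listing and of the value left in AL at 401045, the xlat index discussed in the post above. `seed` stands for the dword that `push ecx` saves after `cpuid`; the function names, the zero-filled 256-byte buffer and the sample inputs are assumptions, and the table at unk_403027 is not on the page, so the model stops at the index.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: models sub_401000 as listed; names below are hypothetical. */
static uint16_t ror16(uint16_t v, unsigned n) { return (uint16_t)((v >> n) | (v << (16 - n))); }
static uint32_t ror32(uint32_t v, unsigned n) { return (v >> n) | (v << (32 - n)); }

/* One pass of loc_401020 over the dword that `push ecx` left on the stack. */
uint32_t step(uint32_t s) {
    s = (s & 0xFFFF0000u) | ror16((uint16_t)s, 5);  /* ror word ptr [esp], 5 */
    s = ror32(s, 13);                               /* ror dword ptr [esp], 0Dh */
    return 0u - s;                                  /* neg dword ptr [esp] */
}

/* The loop: ecx counts n..1 and each pass ORs the low state byte into buf[ecx-1]. */
void mix(uint8_t *buf, uint32_t n, uint32_t seed) {
    for (uint32_t ecx = n; ecx != 0; ecx--) {
        seed = step(seed);
        buf[ecx - 1] |= (uint8_t)seed;              /* or [ecx+edi-1], al */
    }
}

/* Value in AL just before xlat, i.e. the index into unk_403027.
   Assumptions: input shorter than 0x100 bytes, held in a zero-filled
   256-byte buffer; `arg` is the routine's second parameter (arg_4). */
int xlat_index(const char *input, uint32_t arg, uint32_t seed) {
    uint8_t buf[0x100] = {0};
    size_t len = strlen(input);
    if (len >= sizeof buf) return -1;        /* ecx would be <= 0: outside this model */
    memcpy(buf, input, len);
    mix(buf, 0x100u - (uint32_t)len, seed);  /* sub ecx,100h / neg ecx */
    uint32_t eax = buf[0] | (uint32_t)buf[1] << 8 |
                   (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    return (int)((eax - arg) & 0xFFu);       /* mov eax,[eax] / sub eax,[ebp+arg_4] */
}

int main(void) {
    /* Constructed inputs; the seeds are made-up stand-ins for CPUID output. */
    printf("seed 0: index %02x\n", xlat_index("ABCD", 0, 0));
    printf("seed 1: index %02x\n", xlat_index("ABCD", 0, 1));
    return 0;
}
```

With a seed of 0 the state stays 0 on every pass, so the buffer is left untouched and the index depends only on the input and `arg`.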

Labyrnth Moderator Reputation: 9
Joined: 28 Nov 2006 Posts: 6285
Posted: Wed May 21, 2008 12:06 pm

DoomsDay wrote: | I believe any non-zero number would be okay in this implementation. Anyways, I think you should crack it first, or step through it, as it's not a regular compare. |
I have already seen that lol.

DoomsDay Grandmaster Cheater Reputation: 0
Joined: 06 Jan 2007 Posts: 768 Location: %HomePath%
Posted: Sat May 24, 2008 7:52 am

Well, since no one is willing to actually take a look at it, here's the algorithm:

Danielb Cheater Reputation: 0
Joined: 22 Jul 2007 Posts: 30
Posted: Sat May 24, 2008 7:08 pm

---------------------------
Unique ID required
---------------------------
Unique ID required
---------------------------
OK
---------------------------
004010A1 /75 4E JNZ SHORT 004010F1
Password: Danielz Cracked...
11111111111111111111

atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
Posted: Sun May 25, 2008 2:49 am

Danielb wrote: | ---------------------------
Unique ID required
---------------------------
Unique ID required
---------------------------
OK
---------------------------
004010A1 /75 4E JNZ SHORT 004010F1
Password: Danielz Cracked...
11111111111111111111 |
This is a keygen me, not a crackme/patchme. You patched it to take any input which is not the point of the challenge.
_________________
- Retired.