[Keygenme] Keygenme#2 by Ksbunker
Ksbunker
Posted: Tue Jul 10, 2007 4:57 am    Post subject: [Keygenme] Keygenme#2 by Ksbunker

Author: Ksbunker
Lang: ASM

Difficulty: 2/10

Goals:
1) Fish a valid serial
2) Write a keygen

Rules:
1) No patching

About:
I've introduced a little trick, I wonder if you can spot it. (May cause some unexpected serials)

DevilGilad
Posted: Tue Jul 10, 2007 4:59 am

I'll try it out :]

tfo
Posted: Tue Jul 10, 2007 7:31 am

1) tfo@CEF:13FE465-1C00465

haha01haha01
Posted: Sun Jul 15, 2007 2:53 am

Argh, that test command is always in your keygens on the critical lines... it's always
Code:
test eax,eax
jnz (address with "wrong" msg)

Can you be a little fair and at least tell me what test does?

Ksbunker
Posted: Mon Jul 16, 2007 3:57 am    Post subject: re:

Extract from "Art of Assembly":

Quote:
10.2.5 The TEST Instruction
The 80x86 TEST instruction is to the AND instruction what the CMP instruction is to SUB. That is, the TEST instruction computes the logical AND of its two operands and sets the condition code flags based on the result; it does not, however, store the result of the logical AND back into the destination operand. The syntax for the TEST instruction is similar to AND, it is

test( operand1, operand2 );

The TEST instruction sets the zero flag if the result of the logical AND operation is zero. It sets the sign flag if the H.O. bit of the result contains a one. TEST always clears the carry and overflow flags.

The primary use of the TEST instruction is to check to see if an individual bit contains a zero or a one. Consider the instruction "test( 1, AL);" This instruction logically ANDs AL with the value one; if bit one of AL contains zero, the result will be zero (setting the zero flag) since all the other bits in the constant one are zero. Conversely, if bit one of AL contains one, then the result is not zero so TEST clears the zero flag. Therefore, you can test the zero flag after this TEST instruction to see if bit zero contains a zero or a one.

The TEST instruction can also check to see if all the bits in a specified set of bits contain zero. The instruction "test( $F, AL);" sets the zero flag if and only if the L.O. four bits of AL all contain zero.

One very important use of the TEST instruction is to check to see if a register contains zero. The instruction "TEST( reg, reg );" where both operands are the same register will logically AND that register with itself. If the register contains zero, then the result is zero and the CPU will set the zero flag. However, if the register contains a non-zero value, logically ANDing that value with itself produces that same non-zero value, so the CPU clears the zero flag. Therefore, you can test the zero flag immediately after the execution of this instruction (e.g., using the SETZ or SETNZ instructions) to see if the register contains zero. E.g.,

Code:
test( eax, eax );
setz( bl );          // BL is set to one if EAX contains zero.

haha01haha01
Posted: Mon Jul 16, 2007 6:03 am

Wow, thanks for the instruction.
By the way, is AND the command that puts the number into binary, then puts one on top of the other, and if there is a 1 and a 1 it writes 1, else it's 0?
like AND 101,110
101
110
-----
100

Am I right?
If so, there is no code that can match your crackme, because ANDing a number with itself will never get 0
O.o

~sorry for being a noob~

aha..............
There's only 1 case where a serial would be correct... when eax turns into 0.....................................
That popped an idea into my head.....

So let me get it... to crack your crackme... I need to find the only combo of id+serial that will create 0 as eax... that won't take a long time.... Twisted Evil *evil laugh in the dark castle while a thunderstorm is going on outside*

Reporting logic: before eax is tested, ebx is moved into it, and before ebx is moved into it, it gets imuled with itself and some other number. ebx CANNOT be 0 in any other way besides the imul line, because right before it there's a line of "add ebx,eax", and before this there's an "add eax,some number", and there are no more lines that modify ebx or eax after this. Take a look at the code, it will make your life easier:
Code:
add eax,0a
add ebx,eax
imul ebx,ebx,7a69
mov eax,ebx
test eax,eax
jnz short keygenme.004010f5


Because the rules say no patching, even if eax was 0, it is now 0a, and that means even if ebx was 0, it's now at least 0a, then imul, then ebx is eax, meaning that if there wasn't an imul command eax was AT LEAST 0a, then if eax is not 0 it will be detected on test, and the program will jnz to the fail msg.

That's all the critical lines of the script, I'll try to analyze them now O.o I'm bad at keygens... I'm not used to it, I'm used to the "cmp eax,ebx jnz blahblah" where you just BP on cmp and stack ss is the code...


Last edited by haha01haha01 on Mon Jul 16, 2007 6:39 am; edited 1 time in total

Ksbunker
Posted: Mon Jul 16, 2007 6:27 am    Post subject: re:

The "TEST" instruction is after the lstrcmp() function.

So EAX is not anything to do directly with the serial but rather the result of the lstrcmp() call.

The return value of lstrcmp() dictates that if the two strings ARE equal, the return value is 0 (i.e. EAX = 0), if the strings ARE NOT equal, the return value is 1. (i.e. EAX = 1).

Hence, the use of instruction "TEST".

haha01haha01
Posted: Mon Jul 16, 2007 6:40 am

What's the lstrcmp() thing and where is it? Is it the command that's hiding between the lines?
Ohhh.... it's that thingy... told you I'm bad at this stuff... well, I'm bad at all hacking stuff but w\e Smile I'll keep looking at it....

EDIT: OMG... PLEASE DON'T TELL ME I'M DREAMING.... I FOUND A VALID PASSWORD!!!!!
THE USERNAME "ASDASD" MATCHES THE PASS "EB41CC-EBA1CC"

OMGOMGOGMGOMGOGMGOGMOGMGOGMGOMOGMGOMGOGMGOGMOGM

FOUND ANOTHER 1!!!!!!!!
asdasd = 147108C-147508C
By the way, I still don't get the way it chooses serials, but I'll soon find it out.


Last edited by haha01haha01 on Mon Jul 16, 2007 7:09 am; edited 1 time in total

Ksbunker
Posted: Mon Jul 16, 2007 7:08 am    Post subject: re:

Link to the common string functions, including lstrcmp():

http://msdn2.microsoft.com/en-us/library/ms647488.aspx

haha01haha01
Posted: Mon Jul 16, 2007 7:11 am

OMG OMG OMG, I know how to get the serial for any user that I want, but OMG I can't write software for this because I don't get the way that the crackme chooses the serials....

OK OK, I got the lstrcmp thing, but I don't get what the calculation to reach the serial is.... I can find a matching serial for every username in the world, but I cannot build software that will do it...

wopwowowowowowowow!!!!!!
OMG!!!!!!
I patched your program so it will msgbox me the correct serial!!!!
Beware Ksbunker! I'm soon done with it! Just nopping all your code... and I will get a keygen!

Last, but not least, I am proud to upload my 1st keygen!
(By the way, because I'm such a bad programmer I just made Ksbunker's crackme msgbox the correct serial, so ignore the "serial" box.)

Ksbunker
Posted: Mon Jul 16, 2007 10:06 am    Post subject: re:

That's awesome man, "keygen injection" is what they call what you did.

Works really well man.

Good work!

haha01haha01
Posted: Mon Jul 16, 2007 10:13 am

lol k Very Happy
By the way, how can I find out what the calculation to get the serial was?
Because in your first keygenme there are no msgboxes, so I can't do the same trick as here =( and even if I go to the place that the strings are pointing to I can't find anything in there Crying or Very sad so how do I find it out O.o

Ksbunker
Posted: Mon Jul 16, 2007 11:52 pm    Post subject: re:

Just think logically about it.

The entered username is read using GetDlgItemText(), and finally the valid password is compared against the original password using lstrcmp().

So the routine responsible for generating the password from the given username MUST reside somewhere between GetDlgItemText() and lstrcmp(). Have a look at GetDlgItemText(), particularly the parameter that stores the read value, and begin to trace it, watch where it goes, etc...

haha01haha01
Posted: Tue Jul 17, 2007 1:11 am

O.o
kk.
I found something else interesting.
At the line of "string 2", and at the line of "text" in the msgbox command,
the command was to push an address.
If I went to this address nothing important was there, but when I put the address of string 2 as the text argument of the msgbox, I got the valid serial (string 2).
Actually, the way your crackme works is to take the username and somehow change it with some sort of calculation; the target is actually that the serial and the username will be the same thing.