Burningmace (Grandmaster Cheater, Reputation: 5; Joined: 17 Feb 2008; Posts: 520; Location: Inside the Intel CET shadow stack)
Posted: Thu Aug 06, 2009 8:12 pm
Post subject: My first (real) KeyGenMe
I've written a KeyGenMe in C++, as I'm all too aware that people can quickly and easily decompile .NET applications to an almost perfect representation of the original application. I'm not brilliant with C++ but I know enough to get some small apps working.
It's a simple enough KeyGenMe, works as usual - i.e. you have to type in a valid key to pass validation. I've thrown in a few bits of dummy code to make reverse engineering the checking algorithm a little harder. Your task is to create at least one valid key for the application. Extra credit if you produce a keygen.
Link: http://www.mediafire.com/?v5zn8wnyahy
Burningmace (Grandmaster Cheater, Reputation: 5; Joined: 17 Feb 2008; Posts: 520; Location: Inside the Intel CET shadow stack)
Posted: Mon Aug 10, 2009 6:27 am
Nobody cracked it yet? Am I that awesome?
DoomsDay (Grandmaster Cheater, Reputation: 0; Joined: 06 Jan 2007; Posts: 768; Location: %HomePath%)
Posted: Mon Aug 10, 2009 7:59 am
I didn't have the time to write a keygen...
The key's length is 64 characters. Input should be in hex, lowercase.
The first procedure (loop) sums up all the characters' inverts (xor FF = not) - this sum should be FA0. The second procedure xors the characters in the following order into a string:
A:B:C:D:E:F:...:F:E:D:C:B:A (String - A^A:B^B:...)
If the result equals "system32.dll~x86" then the key is valid.
When I find the time I'll write a keygen.
Burningmace (Grandmaster Cheater, Reputation: 5; Joined: 17 Feb 2008; Posts: 520; Location: Inside the Intel CET shadow stack)
Posted: Mon Aug 10, 2009 8:16 am
You have the first procedure wrong. You're not too far off though.
As far as I can tell, you have the second procedure right.
DoomsDay (Grandmaster Cheater, Reputation: 0; Joined: 06 Jan 2007; Posts: 768; Location: %HomePath%)
Posted: Mon Aug 10, 2009 2:55 pm
Burningmace wrote:
    You have the first procedure wrong. You're not too far off though.
    As far as I can tell, you have the second procedure right.

This would pass the first loop:
Code:
05050505050505050505050505050505ffffffffffffffffffffffffffffffff

not(ff) + not(05) = FA (16 pairs of this would sum to FA0)
Burningmace (Grandmaster Cheater, Reputation: 5; Joined: 17 Feb 2008; Posts: 520; Location: Inside the Intel CET shadow stack)
Posted: Mon Aug 10, 2009 3:09 pm
The value passes the first check, but not because it sums to FA0. Here's a hint - the following also passes the first check:
Code:
efefefefefefefefefefefefefefefefffffffffffffffffffffffffffffffff
DoomsDay (Grandmaster Cheater, Reputation: 0; Joined: 06 Jan 2007; Posts: 768; Location: %HomePath%)
Posted: Mon Aug 10, 2009 3:19 pm
Ah, I see your point.
jle
Burningmace (Grandmaster Cheater, Reputation: 5; Joined: 17 Feb 2008; Posts: 520; Location: Inside the Intel CET shadow stack)
Posted: Tue Aug 18, 2009 7:06 am
Did you ever get round to creating a keygen?
_________________
It's not fun unless every exploit mitigation is enabled.
DoomsDay (Grandmaster Cheater, Reputation: 0; Joined: 06 Jan 2007; Posts: 768; Location: %HomePath%)
Posted: Tue Aug 18, 2009 9:25 am
*EDIT*
General key structure:
Code:
AA:BB:CC:DD:...:dd:cc:bb:aa

Total length: 64 characters, converted to 32 bytes, used in pairs (AA:aa, BB:bb, ...), based on the general structure.

Code analysis:
Loop #1:
The loop sums up the following:
sum = not(AA) + not(BB) + not(CC) + ... + not(bb) + not(aa)
The sum should be at a minimum of 100h, and a maximum of FA0h.
Loop #2:
The loop XORs each pair and ensures that the input constructs the string "system32.dll~x86".

Key generation:
Loop #1 - finding a valid range of input 'bytes'
As the sum is a multiple of 16, it would be safe to decide that each pair's inverts should sum up to any number between 10h and FAh - that way the first loop would always pass.
Each pair, for that matter, consists of 2 'bytes', hence it is possible to say that each one of them should be less than or equal to half of the maximum (FAh) and higher than or equal to half the minimum (10h) required for the first loop:
Code:
(Maximum:) FAh / 2 = 7Dh; not(7Dh) = 82h
(Minimum:) 10h / 2 = 08h; not(08h) = F7h

The input's safe range would then be anything between 82 and F7.
For example, both
Code:
8282828282828282828282828282828282828282828282828282828282828282
f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7

are the 'end' cases: anything between those would pass the first loop.

Loop #2 - finding an actual key
A quick analysis:
Code:
system32.dll~x86: 73 79 73 74 65 6D 33 32 2E 64 6C 6C 7E 78 38 36

Example Key:
Code:
73 83:f0
79 89:f0
73 83:f0
74 84:f0
65 85:e0
6D 8d:e0
33 83:b0
32 82:b0
2E 8e:a0
64 84:e0
6C 8c:e0
6C 8c:e0
7E 8e:f0
78 88:f0
38 88:b0
36 86:b0
--------------
83:f0
83 89:f0 f0
83 89 83:f0 f0 f0
...
83898384858d83828e848c8c8e888886b0b0f0f0e0e0e0a0b0b0e0e0f0f0f0f0

I'll write a keygen when I find the time...
Last edited by DoomsDay on Thu Aug 20, 2009 5:57 am; edited 3 times in total
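The two checks DoomsDay describes above, modelled in Python as an added example. This is not DoomsDay's attached keygen and not Burningmace's original C++ source (neither is reproduced in the thread); it is a reconstruction from the description, and it assumes the bounds 100h..FA0h are inclusive (the "jle" mentioned earlier) and that pair i is byte i XOR byte 31-i. The generator applies the safe-range argument (every byte in 82h..F7h) so loop #1 passes by construction, and then picks, for each target character, a byte whose XOR partner also lies in that range. The three keys from the thread are included as inline test data so the model can be checked against what the posts claim.

```python
from typing import List, Optional

# Constants taken from the thread's description of the KeyGenMe checks.
TARGET = b"system32.dll~x86"
SUM_MIN, SUM_MAX = 0x100, 0xFA0      # bounds for loop #1 (assumed inclusive, per "jle")
SAFE_LO, SAFE_HI = 0x82, 0xF7        # DoomsDay's per-byte safe range (not(7Dh), not(08h))

# Keys posted in the thread (copied verbatim from the posts above).
KEY_DOOMSDAY_FIRST = "05" * 16 + "ff" * 16   # passes loop #1, sum == FA0h
KEY_BURNINGMACE_HINT = "ef" * 16 + "ff" * 16  # passes loop #1, sum == 100h
KEY_DOOMSDAY_FINAL = "83898384858d83828e848c8c8e888886b0b0f0f0e0e0e0a0b0b0e0e0f0f0f0f0"


def parse_key(key: str) -> Optional[bytes]:
    """64 lowercase hex characters -> 32 bytes; anything else is rejected."""
    if len(key) != 64 or key != key.lower():
        return None
    try:
        return bytes.fromhex(key)
    except ValueError:
        return None


def loop1_sum(data: bytes) -> int:
    """Loop #1: sum of the bitwise inverse (xor FF) of every byte."""
    return sum(b ^ 0xFF for b in data)


def loop2_string(data: bytes) -> bytes:
    """Loop #2: XOR byte i with byte 31-i, giving a 16-byte string."""
    return bytes(data[i] ^ data[31 - i] for i in range(16))


def validate(key: str) -> bool:
    """Full check as described in the thread: format, loop #1 range, loop #2 string."""
    data = parse_key(key)
    if data is None:
        return False
    if not (SUM_MIN <= loop1_sum(data) <= SUM_MAX):
        return False
    return loop2_string(data) == TARGET


def generate_key(target: bytes = TARGET) -> str:
    """Build a key using DoomsDay's safe-range reasoning.

    For each target character c we need a pair (b, b ^ c) with both bytes in
    SAFE_LO..SAFE_HI; the first such b is taken (deterministic, so the result
    is reproducible). The partner bytes are laid out in reverse so that the
    i-th pair sits at positions i and 31-i.
    """
    first: List[int] = []
    second: List[int] = []
    for c in target:
        for b in range(SAFE_LO, SAFE_HI + 1):
            if SAFE_LO <= (b ^ c) <= SAFE_HI:
                first.append(b)
                second.append(b ^ c)
                break
        else:
            raise ValueError(f"no safe pair for target byte {c:#04x}")
    return bytes(first + second[::-1]).hex()


if __name__ == "__main__":
    for name, key in [("DoomsDay first attempt", KEY_DOOMSDAY_FIRST),
                      ("Burningmace hint", KEY_BURNINGMACE_HINT),
                      ("DoomsDay final key", KEY_DOOMSDAY_FINAL)]:
        data = parse_key(key)
        print(f"{name}: sum={loop1_sum(data):#x} loop2={loop2_string(data)!r} valid={validate(key)}")
    generated = generate_key()
    print("generated:", generated, "valid:", validate(generated))
```

The generator illustrates why this scheme offers little protection: loop #2 is a fixed plaintext XORed against the key's own mirror image, so every target byte can be solved independently, and loop #1 only constrains a sum that the safe-range choice satisfies automatically.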
Fafaffy (Cheater, Reputation: 65; Joined: 12 Dec 2007; Posts: 28)
Posted: Wed Aug 19, 2009 11:50 am
cool
_________________
Brillia wrote:
    I FUCKING FUCK SEX
Burningmace (Grandmaster Cheater, Reputation: 5; Joined: 17 Feb 2008; Posts: 520; Location: Inside the Intel CET shadow stack)
Posted: Thu Aug 20, 2009 4:09 am
I'm not 100% sure how the code looks in ASM, so I can't really help. You had the second procedure pretty much right the first time, but I don't know what you're trying to do now.
I'm on my girlfriend's laptop right now, and don't have access to my original code. I'll check it when I get back home, which will probably be Saturday night.
DoomsDay (Grandmaster Cheater, Reputation: 0; Joined: 06 Jan 2007; Posts: 768; Location: %HomePath%)
Posted: Thu Aug 20, 2009 9:10 am
Here's a keygen...
Burningmace (Grandmaster Cheater, Reputation: 5; Joined: 17 Feb 2008; Posts: 520; Location: Inside the Intel CET shadow stack)
Posted: Thu Aug 20, 2009 11:10 am
Nice one, I'll try it out when I get back home.