Contribute  :  Web Resources  :  Past Polls  :  Site Statistics  :  Downloads  :  Forum  
    BiW ReversingThe challenge is yours    
 Welcome to BiW Reversing
 Sunday, March 29 2020 @ 08:43 PM CEST

Solution to BoR0's 1st KeyGenME


TutorialsLevel : newbie

Target : BoR0's 1st KeyGenme
get it here : crackme

Ok this crackme was a lil difficult for me(i am a newbie) as i was
not able to find the working solution for FSTP menomic ... in fact i was not able to get how a floating point number is rounded off to a integer. So if got it the other way. it was a nice learning for me.. i.e you can get the results from another algorithm if you know the Algebra well i.e the knowledge of Arithmetic Progressions(A.P) helped me a lot. the main part of the keygen is presented at the end.


This crackme was packed.. but it was not hard to fine OEP.
load it in Olly

004175D0 > $ 60 PUSHAD <---------------We are at EP.
004175D1 . BE 00104100 MOV ESI,CRACKME3.00411000
004175DC . 57 PUSH EDI
004175E0 . EB 10 JMP SHORT CRACKME3.004175F2
004175E2 90 NOP
004175E3 90 NOP
004175E4 90 NOP
a bit of code cut here

00417706 . 55 PUSH EBP
00417707 . FF96 487A0100 CALL DWORD PTR DS:[ESI+17A48]
0041770D . 09C0 OR EAX,EAX
0041770F . 74 07 JE SHORT CRACKME3.00417718
00417711 . 8903 MOV DWORD PTR DS:[EBX],EAX
00417713 . 83C3 04 ADD EBX,4
00417716 .^ EB E1 JMP SHORT CRACKME3.004176F9
00417718 > FF96 4C7A0100 CALL DWORD PTR DS:[ESI+17A4C]
0041771E > 61 POPAD
0041771F .- E9 999CFEFF JMP CRACKME3.004013BD <----JMP to OEP

so we know that the OEP is at 4013BD. You know my secret is that
once i land on OEP i always press the page UP or page Down keys
2-3 times to see something interesting.

so when you are at OEP just press page UP 2-3 times till you see

004012A9 57 PUSH EDI
004012AA E8 51FDFFFF CALL CRACKME3.00401000<-----Serial Check routine;
004012AF 83C4 0C ADD ESP,0C
004012B2 68 88130000 PUSH 1388
004012B7 8BF0 MOV ESI,EAX
004012B9 FF15 64704000 CALL DWORD PTR DS:[407064]<-----Sleep funtion.!!;
004012BF 83FE 02 CMP ESI,2
004012C2 75 0F JNZ SHORT CRACKME3.004012D3
004012C4 6A 10 PUSH 10
004012C6 68 84724000 PUSH CRACKME3.00407284; ASCII "BoR0's 1st keygenme"
004012CB 68 98724000 PUSH CRACKME3.00407298; ASCII "Username cannot be 5 chars or less!"
004012D0 57 PUSH EDI
004012D1 FFD3 CALL EBX
004012D3 83FE 01 CMP ESI,1
004012D6 75 0F JNZ SHORT CRACKME3.004012E7
004012D8 6A 40 PUSH 40
004012DA 68 BC724000 PUSH CRACKME3.004072BC; ASCII "BoR0's 1st keygenme"
004012DF 68 D0724000 PUSH CRACKME3.004072D0; ASCII "Congratulations!!

You've done it! :-D"
004012E4 57 PUSH EDI
004012E5 FFD3 CALL EBX
004012E7 85F6 TEST ESI,ESI
004012E9 75 0F JNZ SHORT CRACKME3.004012FA
004012EB 6A 10 PUSH 10
004012ED 68 F8724000 PUSH CRACKME3.004072F8; ASCII "BoR0's 1st keygenme"
004012F2 68 0C734000 PUSH CRACKME3.0040730C; ASCII "Wrong serial!"
004012F7 57 PUSH EDI
004012F8 FFD3 CALL EBX
004012FA 33C0 XOR EAX,EAX
a bit of code cut here
004013B4 FF15 44904000 CALL DWORD PTR DS:[409044]
004013BA 59 POP ECX
004013BB 59 POP ECX
004013BC C3 RETN
004013BD 6A 60 PUSH 60 <-----------------OEP... we are here!!
004013BF 68 38734000 PUSH CRACKME3.00407338
004013C4 E8 DB110000 CALL CRACKME3.004025A4
004013C9 BF 94000000 MOV EDI,94
004013D0 E8 2B130000 CALL CRACKME3.00402700
004013D5 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
004013D8 8BF4 MOV ESI,ESP
so double click on the line "004012AA E8 51FDFFFF CALL CRACKME3.00401000"
coz this is the serial check routine. now u would ask how did i know??
its very simple. just look at the CMP before the Good Boy message.
004012D3 83FE 01 CMP ESI,1

we get to this line by a JNZ at

004012C2 75 0F JNZ SHORT CRACKME3.004012D3<------this one.

moving up we see two calls at 004012B9 and second at 004012AA
by tracing into both calls i found out that 004012AA is the serial check


the check routine is very long so i am not pasting it here.. just see it yourself.
the code checks the length of our name many times.. just to fool may be.
the check routine is like this

var1=length of name
var2= second character of the name.
var3=var1/31.2 + 72

var3 is stored into memory as two intergers. (FSTP mnenomic!!!! check out the numbers in olly)
lets call them var3A, var3B ;

var4= 6th character of name. (thats why name should be > 5 chars)

having calculated all these.. it puts them in wsprintf funtion.. its same c++ function.
string is "C%c32-B%co%fC%dR%d0%XE" always.


because %f is not a valid format specifire. therefor its ignored. read api help for
more. so only first 5 parameters are used and the sixth one is discarded. May be a
coding bug.

lastly the lowercase letters are converted to upper case. and there you go..

The main algo of the serial check is given here:

i have calculated the var3A and var3B (s1,s2) diferently from the original algo. as i dont
believe in pasting the asm into the c++ source as most of the reversers do.

char str[26],n[50];
int len=strlen(str);
MessageBox(NULL,"The Name must be more than 5 chars","Error",NULL);
s1= 1078487722+1050,s2=2863311531+1101273665,b=3193693630,a=1101273666;
for(int i=26;i>=len;i--)
{s1-=1051; s2=s2+b;}

wsprintf(n,"C%c32-B%co%fC%dR%d0%XE",len+32,str[1],s2,s1,str[5]); for(i=0;n[i]!='

What's Related

Story Options

Solution to BoR0's 1st KeyGenME | 0 comments | Create New Account
The following comments are owned by whomever posted them. This site is not responsible for what they say.
 Copyright © 2020 BiW Reversing
 All trademarks and copyrights on this page are owned by their respective owners.
Powered By Geeklog 
Created this page in 0.81 seconds