Solution to BoR0's 1st KeyGenME

Friday, April 29 2005 @ 04:04 PM CEST

Contributed by: [N.T.G]

Level : newbie

Target : BoR0's 1st KeyGenme
get it here : [file:20050302183555989 crackme]

INTRO:
Ok, this crackme was a little difficult for me (I am a newbie) as I was
not able to find the working solution for the FSTP mnemonic... in fact I was not able to get how a floating point number is rounded off to an integer. So I got it the other way. It was a nice learning for me, i.e. you can get the results from another algorithm if you know the algebra well; the knowledge of Arithmetic Progressions (A.P.) helped me a lot. The main part of the keygen is presented at the end.

SOLUTION:

This crackme was packed, but it was not hard to find the OEP.
Load it in Olly:
=======================================================

004175D0 > $ 60 PUSHAD <---------------We are at EP.
004175D1 . BE 00104100 MOV ESI,CRACKME3.00411000
004175D6 . 8DBE 0000FFFF LEA EDI,DWORD PTR DS:[ESI+FFFF0000]
004175DC . 57 PUSH EDI
004175DD . 83CD FF OR EBP,FFFFFFFF
004175E0 . EB 10 JMP SHORT CRACKME3.004175F2
004175E2 90 NOP
004175E3 90 NOP
004175E4 90 NOP
-----------////////////----------------
a bit of code cut here
------------/////////----------------

00417706 . 55 PUSH EBP
00417707 . FF96 487A0100 CALL DWORD PTR DS:[ESI+17A48]
0041770D . 09C0 OR EAX,EAX
0041770F . 74 07 JE SHORT CRACKME3.00417718
00417711 . 8903 MOV DWORD PTR DS:[EBX],EAX
00417713 . 83C3 04 ADD EBX,4
00417716 .^ EB E1 JMP SHORT CRACKME3.004176F9
00417718 > FF96 4C7A0100 CALL DWORD PTR DS:[ESI+17A4C]
0041771E > 61 POPAD
0041771F .- E9 999CFEFF JMP CRACKME3.004013BD <----JMP to OEP
==================================================================

So we know that the OEP is at 4013BD. My secret is that
once I land on the OEP I always press the Page Up or Page Down keys
2-3 times to see something interesting.

So when you are at the OEP just press Page Up 2-3 times till you see
this.

==============================================================
004012A9 57 PUSH EDI
004012AA E8 51FDFFFF CALL CRACKME3.00401000<-----Serial Check routine;
004012AF 83C4 0C ADD ESP,0C
004012B2 68 88130000 PUSH 1388
004012B7 8BF0 MOV ESI,EAX
004012B9 FF15 64704000 CALL DWORD PTR DS:[407064]<-----Sleep function!!;
004012BF 83FE 02 CMP ESI,2
004012C2 75 0F JNZ SHORT CRACKME3.004012D3
004012C4 6A 10 PUSH 10
004012C6 68 84724000 PUSH CRACKME3.00407284; ASCII "BoR0's 1st keygenme"
004012CB 68 98724000 PUSH CRACKME3.00407298; ASCII "Username cannot be 5 chars or less!"
004012D0 57 PUSH EDI
004012D1 FFD3 CALL EBX
004012D3 83FE 01 CMP ESI,1
004012D6 75 0F JNZ SHORT CRACKME3.004012E7
004012D8 6A 40 PUSH 40
004012DA 68 BC724000 PUSH CRACKME3.004072BC; ASCII "BoR0's 1st keygenme"
004012DF 68 D0724000 PUSH CRACKME3.004072D0; ASCII "Congratulations!!

You've done it! :-D"
004012E4 57 PUSH EDI
004012E5 FFD3 CALL EBX
004012E7 85F6 TEST ESI,ESI
004012E9 75 0F JNZ SHORT CRACKME3.004012FA
004012EB 6A 10 PUSH 10
004012ED 68 F8724000 PUSH CRACKME3.004072F8; ASCII "BoR0's 1st keygenme"
004012F2 68 0C734000 PUSH CRACKME3.0040730C; ASCII "Wrong serial!"
004012F7 57 PUSH EDI
004012F8 FFD3 CALL EBX
004012FA 33C0 XOR EAX,EAX
--------------/////////----------------------
a bit of code cut here
-------------//////////---------------------
004013B4 FF15 44904000 CALL DWORD PTR DS:[409044]
004013BA 59 POP ECX
004013BB 59 POP ECX
004013BC C3 RETN
004013BD 6A 60 PUSH 60 <-----------------OEP... we are here!!
004013BF 68 38734000 PUSH CRACKME3.00407338
004013C4 E8 DB110000 CALL CRACKME3.004025A4
004013C9 BF 94000000 MOV EDI,94
004013CE 8BC7 MOV EAX,EDI
004013D0 E8 2B130000 CALL CRACKME3.00402700
004013D5 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
004013D8 8BF4 MOV ESI,ESP
004013DA 893E MOV DWORD PTR DS:[ESI],EDI
===============================================================================
So double-click on the line "004012AA E8 51FDFFFF CALL CRACKME3.00401000"
because this is the serial check routine. Now you would ask how I knew?
It's very simple: just look at the CMP before the Good Boy message.
004012D3 83FE 01 CMP ESI,1

We get to this line by the JNZ at

004012C2 75 0F JNZ SHORT CRACKME3.004012D3<------this one.

Moving up we see two calls, one at 004012B9 and the second at 004012AA.
By tracing into both calls I found out that 004012AA is the serial check
routine.
===============================================================================

SERIAL CHECK:

The check routine is very long so I am not pasting it here; just see it yourself.
The code checks the length of our name many times, maybe just to fool us.
The check routine is like this:

var1 = length of name
var2 = second character of the name
var3 = var1/31.2 + 72

var3 is stored into memory as two integers (FSTP mnemonic!!!! check out the numbers in Olly).
Let's call them var3A, var3B.

var4 = 6th character of the name (that's why the name should be > 5 chars)

Having calculated all these, it puts them into the wsprintf function; it's the same as the C++ function.
The format string is always "C%c32-B%co%fC%dR%d0%XE".

wsprintf(serial,"C%c32-B%co%fC%dR%d0%XE",var1+32,var2,var3A,var3B,var4,var1);

Because %f is not a valid format specifier for wsprintf, it is ignored (read the API help for
more). So only the first 5 parameters are used and the sixth one is discarded. Maybe a
coding bug.

Lastly the lowercase letters are converted to upper case, and there you go.
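
The step the article works around (how FSTP leaves var3 in memory as two integers) can be shown directly. This is an added example, not code from the article or from the keygenme: it takes the text's description (var3 = var1/31.2 + 72, stored as an 8-byte double) literally and extracts the two DWORDs that FSTP QWORD PTR writes; the function names are mine, and whether these bits equal the keygenme's real constants is not checked here.

```c
/* Added example: FSTP QWORD PTR stores the raw 64-bit IEEE-754 pattern of
 * the double, not a rounded integer. The "two integers" the article sees in
 * Olly are simply the low and high DWORD of that pattern. Assumption: the
 * keygenme stores var3 = len/31.2 + 72 as an 8-byte double. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Reinterpret (do not convert) the double's bits. */
static uint64_t double_bits(double v)
{
    uint64_t bits;
    memcpy(&bits, &v, sizeof bits);
    return bits;
}

/* DWORD at the lower address after FSTP QWORD (x86 is little-endian). */
static uint32_t low_dword(double v)  { return (uint32_t)(double_bits(v) & 0xFFFFFFFFu); }

/* DWORD at the higher address: sign, 11-bit exponent, top 20 mantissa bits. */
static uint32_t high_dword(double v) { return (uint32_t)(double_bits(v) >> 32); }

/* Biased exponent field; 0x405 for every value in [64,128), so every var3. */
static unsigned exponent_of(uint32_t hi) { return (hi >> 20) & 0x7FF; }

/* var3 exactly as the article describes it. */
static double var3_for_len(int len) { return len / 31.2 + 72; }

int main(void)
{
    for (int len = 6; len <= 26; len++) {
        double v = var3_for_len(len);
        /* wsprintf's %d prints each raw DWORD as a signed 32-bit number, so the
         * low DWORD usually shows up as a large or negative value */
        printf("len=%2d var3=%.6f hi=%08X (%d) lo=%08X (%d) exp=%03X\n",
               len, v, high_dword(v), (int32_t)high_dword(v),
               low_dword(v), (int32_t)low_dword(v), exponent_of(high_dword(v)));
    }
    return 0;
}
```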

=======================================================================================
The main algo of the serial check is given here:

I have calculated var3A and var3B (s1, s2) differently from the original algo, as I don't
believe in pasting the asm into the C++ source as most of the reversers do.

#include <windows.h>   /* GetDlgItemText, MessageBox, wsprintf */
#include <string.h>
#include <ctype.h>

char str[27], n[50];                 /* 27: 26 chars plus the NUL (the original str[26] was one byte short for a 27-byte read) */
unsigned int s1, s2, b, a;           /* 32-bit unsigned so the additions wrap like the original DWORDs */
int i;
GetDlgItemText(hDlg, IDC_t1, str, sizeof(str)); /* cin>>str */
int len = strlen(str);
if (len < 6)
    MessageBox(NULL, "The Name must be more than 5 chars", "Error", NULL);
else
{
    s1 = 1078487722 + 1050; s2 = 2863311531u + 1101273665; b = 3193693630u; a = 1101273666;
    /* walk the A.P. from the 26-char case down to our own length */
    for (i = 26; i >= len; i--)
    {
        if ((i + 1) % 4 == 0)
        { s1 -= 1051; s2 = s2 + b; }
        else if ((i % 3 == 0 && i < 19) || i == 26 || i == 23 || i == 20)
            s2++;
    }
    /* %f is skipped by wsprintf, so the two %d take s2, s1 and %X takes str[5] */
    wsprintf(n, "C%c32-B%co%fC%dR%d0%XE", len + 32, str[1], s2, s1, str[5]);
    for (i = 0; n[i] != '\0'; i++)   /* finally convert the serial to upper case */
        n[i] = toupper(n[i]);
}

http://www.reversing.be/article.php?story=20050429091739916