Ksbunker Advanced Cheater Reputation: 0
Joined: 18 Oct 2006 Posts: 88
Posted: Tue Jul 10, 2007 4:57 am Post subject: [Keygenme] Keygenme#2 by Ksbunker
Author: Ksbunker
Lang: ASM
Difficulty: 2/10
Goals:
1) Fish a valid serial
2) Write a keygen
Rules:
1) No patching
About:
I've introduced a little trick; I wonder if you can spot it. (May cause some unexpected serials.)
DevilGilad Grandmaster Cheater Reputation: 0
Joined: 10 May 2007 Posts: 624 Location: Delete C:\WINDOWS folder and you'll be able to see me.
Posted: Tue Jul 10, 2007 4:59 am Post subject:
I'll try it out :]
tfo Cheater Reputation: 0
Joined: 13 Aug 2006 Posts: 28
Posted: Tue Jul 10, 2007 7:31 am Post subject:
1) tfo@CEF:13FE465-1C00465
haha01haha01 Grandmaster Cheater Supreme Reputation: 0
Joined: 15 Jun 2007 Posts: 1233 Location: http://www.SaviourFagFails.com/
Posted: Sun Jul 15, 2007 2:53 am Post subject:
Argh, that test command is always on your keygens on the critical lines... it's always
Code: | test eax,eax
jnz (address with "wrong" msg) |
Can you be a little fair and at least tell me what test does?
Ksbunker Advanced Cheater Reputation: 0
Joined: 18 Oct 2006 Posts: 88
Posted: Mon Jul 16, 2007 3:57 am Post subject: re:
Extract from "Art of Assembly":
Quote: | 10.2.5 The TEST Instruction
The 80x86 TEST instruction is to the AND instruction what the CMP instruction is to SUB. That is, the TEST instruction computes the logical AND of its two operands and sets the condition code flags based on the result; it does not, however, store the result of the logical AND back into the destination operand. The syntax for the TEST instruction is similar to AND, it is
test( operand1, operand2 );
The TEST instruction sets the zero flag if the result of the logical AND operation is zero. It sets the sign flag if the H.O. bit of the result contains a one. TEST always clears the carry and overflow flags.
The primary use of the TEST instruction is to check to see if an individual bit contains a zero or a one. Consider the instruction "test( 1, AL);" This instruction logically ANDs AL with the value one; if bit one of AL contains zero, the result will be zero (setting the zero flag) since all the other bits in the constant one are zero. Conversely, if bit one of AL contains one, then the result is not zero so TEST clears the zero flag. Therefore, you can test the zero flag after this TEST instruction to see if bit zero contains a zero or a one.
The TEST instruction can also check to see if all the bits in a specified set of bits contain zero. The instruction "test( $F, AL);" sets the zero flag if and only if the L.O. four bits of AL all contain zero.
One very important use of the TEST instruction is to check to see if a register contains zero. The instruction "TEST( reg, reg );" where both operands are the same register will logically AND that register with itself. If the register contains zero, then the result is zero and the CPU will set the zero flag. However, if the register contains a non-zero value, logically ANDing that value with itself produces that same non-zero value, so the CPU clears the zero flag. Therefore, you can test the zero flag immediately after the execution of this instruction (e.g., using the SETZ or SETNZ instructions) to see if the register contains zero. E.g.,
Code: | test( eax, eax );
setz( bl ); // BL is set to one if EAX contains zero. |
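A bit-exact model of what the quoted text describes, as an added example that is not part of the thread or of "Art of Assembly": TEST computes the AND of its operands, sets ZF and SF from that result, always clears CF and OF, and discards the result. The functions below reproduce those flags for the 32-bit and 8-bit forms and show how jnz/jz read ZF, which is all the "test eax,eax / jnz wrong" pattern asked about earlier in the thread relies on. All names are this example's own.

```c
/* Added example: models the flag effects of x86 TEST. Not code from the
 * keygenme or from the quoted book. Names are this example's own. */
#include <stdint.h>

typedef struct { int zf, sf, cf, of; } flags_t;

/* 32-bit TEST: flags come from (a & b); the AND result itself is discarded. */
flags_t x86_test32(uint32_t a, uint32_t b)
{
    uint32_t r = a & b;
    flags_t f = { .zf = (r == 0), .sf = (r >> 31) & 1, .cf = 0, .of = 0 };
    return f;
}

/* 8-bit TEST, for "test al, imm8" style bit probes. */
flags_t x86_test8(uint8_t a, uint8_t b)
{
    uint8_t r = a & b;
    flags_t f = { .zf = (r == 0), .sf = (r >> 7) & 1, .cf = 0, .of = 0 };
    return f;
}

/* jnz / jne is taken when ZF == 0; jz / je is taken when ZF == 1. */
int jnz_taken(flags_t f) { return f.zf == 0; }
int jz_taken(flags_t f)  { return f.zf == 1; }

/* "test al,1" probes bit 0 (the low bit): returns 1 if bit n of v is set. */
int bit_set_via_test(uint8_t v, int n)
{
    return !x86_test8(v, (uint8_t)(1u << n)).zf;
}

/* "test al,0Fh": ZF is set iff the low four bits are all zero. */
int low_nibble_clear_via_test(uint8_t v)
{
    return x86_test8(v, 0x0F).zf;
}

/* "test eax,eax": the register ANDed with itself is zero only if it was zero,
 * so ZF == 1 exactly when eax == 0. Returns 1 if eax was zero. */
int is_zero_via_test(uint32_t eax)
{
    return x86_test32(eax, eax).zf;
}
```

The last function is the whole story behind the keygenme's check: after "test eax,eax" the only way to fall through a "jnz wrong" is for eax to have been exactly zero, and any non-zero value, positive or negative, takes the jump.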
haha01haha01 Grandmaster Cheater Supreme Reputation: 0
Joined: 15 Jun 2007 Posts: 1233 Location: http://www.SaviourFagFails.com/
Posted: Mon Jul 16, 2007 6:03 am Post subject:
Wow, thanks for the instruction.
By the way, AND is the command that puts the number into binary, then puts one on top of the other, and if there is a 1 and a 1 it writes 1, else it's 0?
Like AND 101,110
101
110
-----
100
Am I right?
If so, there is no code that can match your crackme, because ANDing a number with itself will never get 0.
O.o
~sorry for being a noob~
Aha..............
There's only one case where a serial would be correct... when eax turns into 0.....................................
That popped an idea into my head.....
So let me get it... to crack your crackme... I need to find the only combo of id+serial that will create 0 as eax... that won't take a long time.... *evil laugh in the dark castle while a thunderstorm is going on outside*
Reporting logic: before eax is tested, ebx is moved into it, and before ebx is moved into it, it gets imuled with itself and some other number. ebx CANNOT be 0 in any other way besides the imul line, because right before it there's a line of "add ebx,eax", and before this there's an "add eax,some number", and there are no more lines that modify ebx or eax after this. Take a look at the code, it will make your life easier:
Code: | add eax,0a
add ebx,eax
imul ebx,ebx,7a69
mov eax,ebx
test eax,eax
jnz short keygenme.004010f5 |
Because the rules say no patching, even if eax was 0, it is now 0a, and that means even if ebx was 0, it's now at least 0a; then imul, then ebx is eax, which means that if there wasn't an imul command eax was AT LEAST 0a, and then if eax is not 0 it will be detected on test, and memory will jnz to the fail msg.
Those are all the critical lines of the script. I'll try to analyze them now O.o I'm bad at keygens... I'm not used to it, I'm used to the "cmp eax,ebx jnz blahblah" where you just BP on cmp and the stack ss is the code...
Last edited by haha01haha01 on Mon Jul 16, 2007 6:39 am; edited 1 time in total
Ksbunker Advanced Cheater Reputation: 0
Joined: 18 Oct 2006 Posts: 88
Posted: Mon Jul 16, 2007 6:27 am Post subject: re:
The "TEST" instruction is after the lstrcmp() function.
So EAX is not anything to do directly with the serial but rather the result of the lstrcmp() call.
The return value of lstrcmp() dictates that if the two strings ARE equal, the return value is 0 (i.e. EAX = 0), if the strings ARE NOT equal, the return value is 1. (i.e. EAX = 1).
Hence, the use of instruction "TEST".
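A keygen for the first half of the serial, as an added example that is neither Ksbunker's source nor the injected patch described later in the thread. It takes the loop fragment haha01haha01 posted above (add eax,0a / add ebx,eax / imul ebx,ebx,7a69 / mov eax,ebx) and assumes it runs once per username byte, which is an inference and not something the thread states; the assumption is checked by reproducing the first halves of the three serials posted in this thread (tfo@CEF, ASDASD, asdasd). The second half of each serial, where the author's "little trick" presumably lives, is not derivable from the page and is not modelled. The block also models the check described in this post, lstrcmp() followed by test eax,eax / jnz, with one caveat a practitioner should keep in mind: the real Win32 lstrcmp() returns a negative, zero or positive value rather than just 0 or 1, and any non-zero result takes the jnz to the failure path. All function names are this example's own.

```c
/* Added example, not Ksbunker's code. Reproduces the FIRST half of the
 * serials posted in this thread from the loop fragment quoted above:
 *   add eax,0a / add ebx,eax / imul ebx,ebx,7a69 / mov eax,ebx
 * read (an inference checked against the three posted serials, not
 * something the page states outright) as: for each username byte,
 * ebx += byte + 0x0A; after the loop, ebx *= 0x7A69.
 * The second serial half is not derivable from the thread and is
 * deliberately not modelled here. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define MULT     0x7A69u   /* the imul immediate quoted in the thread */
#define PER_CHAR 0x0Au     /* the "add eax,0a" quoted in the thread */

/* Accumulator loop as inferred from the posted fragment. */
uint32_t first_half_value(const char *user)
{
    uint32_t ebx = 0;
    for (const unsigned char *p = (const unsigned char *)user; *p; p++) {
        uint32_t eax = *p;
        eax += PER_CHAR;      /* add eax,0a */
        ebx += eax;           /* add ebx,eax */
    }
    ebx *= MULT;              /* imul ebx,ebx,7a69 (32-bit wrap, like the CPU) */
    return ebx;               /* mov eax,ebx */
}

/* Render it the way the posted serials are written: upper-case hex, no padding. */
void first_half_string(const char *user, char out[16])
{
    snprintf(out, 16, "%X", first_half_value(user));
}

/* Stand-in for lstrcmp(): <0, 0 or >0 like the Win32 API, not just 0 or 1. */
int lstrcmp_like(const char *a, const char *b)
{
    return strcmp(a, b);
}

/* The pattern described in the post: eax = lstrcmp(...); test eax,eax; jnz wrong.
 * Only eax == 0 falls through to the "correct" path; negative results fail too.
 * Returns 1 when the entered first half is accepted (assumption-based check). */
int first_half_matches(const char *user, const char *entered)
{
    char expected[16];
    first_half_string(user, expected);
    return lstrcmp_like(entered, expected) == 0;
}

int main(void)
{
    const char *users[] = { "tfo@CEF", "ASDASD", "asdasd" };   /* from the thread */
    for (int i = 0; i < 3; i++) {
        char s[16];
        first_half_string(users[i], s);
        printf("%-8s -> %s\n", users[i], s);
    }
    return 0;
}
```

Case matters: ASDASD and asdasd sum to different values, which is why the thread shows different serials for them, and a lower-case hex entry such as 147108c fails the string compare even though it is numerically the same.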
haha01haha01 Grandmaster Cheater Supreme Reputation: 0
Joined: 15 Jun 2007 Posts: 1233 Location: http://www.SaviourFagFails.com/
Posted: Mon Jul 16, 2007 6:40 am Post subject:
What's the lstrcmp() thing and where is it? Is it the commands that are hiding between the lines?
Ohhh.... it's that thingy... told you I'm bad at this stuff... well, I'm bad at all hacking stuff, but whatever, I'll keep looking at it....
EDIT: OMG... PLEASE DON'T TELL ME I'M DREAMING.... I FOUND A VALID PASSWORD!!!!!
THE USERNAME "ASDASD" MATCHES THE PASS "EB41CC-EBA1CC"
OMGOMGOGMGOMGOGMGOGMOGMGOGMGOMOGMGOMGOGMGOGMOGM
FOUND ANOTHER ONE!!!!!!!!
asdasd = 147108C-147508C
By the way, I still don't get the way it chooses serials, but I'll soon find it out.
Last edited by haha01haha01 on Mon Jul 16, 2007 7:09 am; edited 1 time in total
haha01haha01 Grandmaster Cheater Supreme Reputation: 0
Joined: 15 Jun 2007 Posts: 1233 Location: http://www.SaviourFagFails.com/
Posted: Mon Jul 16, 2007 7:11 am Post subject:
OMG OMG OMG, I know how to get a serial for any user that I want, but OMG, I can't write software for this because I don't get the way that the crackme chooses the serials....
OK, OK, I got the lstrcmp thing, but I don't get what the calculation is to reach the serial.... I can find a matching serial for every username in the world, but I cannot build software that will do it...
wopwowowowowowowow!!!!!!
OMG!!!!!!
I patched your program so it will msgbox me the correct serial!!!!
Beware, Ksbunker! I'm soon done with it! Just nopping all your code... and I will get a keygen!
Last, but not least, I am proud to upload my 1st keygen!
(By the way, because I'm such a bad programmer, I just made Ksbunker's crackme msgbox the correct serial, so ignore the "serial" box.)
Ksbunker Advanced Cheater Reputation: 0
Joined: 18 Oct 2006 Posts: 88
Posted: Mon Jul 16, 2007 10:06 am Post subject: re:
That's awesome, man; "keygen injection" is what they call what you did.
Works really well, man.
Good work!
haha01haha01 Grandmaster Cheater Supreme Reputation: 0
Joined: 15 Jun 2007 Posts: 1233 Location: http://www.SaviourFagFails.com/
Posted: Mon Jul 16, 2007 10:13 am Post subject:
lol k
By the way, how can I find out what the calculation was to get the serial?
Because on your first keygenme there are no msgboxes, so I can't do the same trick as here =( and even if I go to the place that the strings are pointing to, I can't find anything in there, so how do I find it out O.o
Ksbunker Advanced Cheater Reputation: 0
Joined: 18 Oct 2006 Posts: 88
Posted: Mon Jul 16, 2007 11:52 pm Post subject: re:
Just think logically about it.
The entered username is read using GetDlgItemText(), and finally the valid password is compared against the original password using lstrcmp().
So the routine responsible for generating the password from the given username MUST reside somewhere between GetDlgItemText() and lstrcmp(). Have a look at GetDlgItemText(), particularly the parameter that stores the read value, and begin to trace it, watch where it goes, etc...
haha01haha01 Grandmaster Cheater Supreme Reputation: 0
Joined: 15 Jun 2007 Posts: 1233 Location: http://www.SaviourFagFails.com/
Posted: Tue Jul 17, 2007 1:11 am Post subject:
O.o
OK.
I found something else that's interesting.
At the line of "string 2", and at the line of "text" in the msgbox command,
the command was to push an address.
If I went to this address nothing important was there, but when I put the address of string 2 as the "text" of the msgbox command, I got the valid serial (string 2).
Actually, the way your crackme works is to take the username and somehow change it with some sort of calculation; then the target is actually that the serial and the username will be the same thing.