#  qpt^J's Crackme2

Download Crackme2.zip, 9 kb (password: crackmes.de)

For this crackme you must find the serial number.
Patching isn't allowed.

Difficulty: 2 - Needs a little brain (or luck)
Platform: Windows
Language: Assembler

Published: 22. Aug, 2009
Downloads: 489

#### Rating

Votes: 3
Crackme is nothing special.

## Solutions

Solution by mjones, published 24. aug, 2009; download (8 kb), password: crackmes.de or browse.

mjones has rated this crackme as awesome.

## Discussion and comments

kstangl, 23. Aug 2009

Is there any way other than brute force to solve for the first part of the key?

This crackme can be solved only by bruteforcing.

Wow, this crackme is a hard one (for me). By implementing the function at \$4012BA I figured (brute forced) out the string format:

- 18 characters long
- 4th and 10th character must be "-"

e.g.: 123-12345-12345678

That function almost equals this equation:

( SQR( ( SQR(x) * 4 + 9*x + \$746 ) div 5 ) * 2 + 4 * ( ( SQR(x) * 4 + 9*x + \$746 ) div 5 ) + \$153F - \$15F1F ) div 4 + \$5A2D9 - \$BBD59

EXCEPT for 1 iteration (ebx = 1).

I hope someone could dig deeper .. xD

Best regards

mjones very nice solution

Wow, I'm impressed; I thought about analyzing the function and solving the equation for key/serial creation, but bruteforcing also leads to victory xD thanks

You can analyze the function, but not realistically reverse it. The hash method is:

```
a = (4*a*a + 9*a + 1862) / 5;
a = (2*a*a + 4*a - 84448) / 4;
a -= 400000;
```

(The use of IDIV should mean the number is signed, however, the program operates on the unsigned number for me -- so if you use the above, declare "a" as unsigned.)

The problem with trying to reverse the hash is the use of integer division. The inverse is not a function -- it maps many-to-one, i.e.: int(6/5) = int(7/5) = int(8/5) = int(9/5) = 1 (in fact, with x/n, there are n-1 values for x that are equivalent). So without knowing the modulus result, each loop has (5-1)(4-1) = 12 possibilities. The calculation of the first three digits loops 0x1C4 (452) times. Thus:

- Reversal: 452 * 12 = 5,424 possible solutions.
- Brute Force: 10^3 = 1,000 possible solutions.

In the end, reversing the algorithm is basically a less efficient version of brute force.

I may be wrong, but I think LoneWolf's equation could be brought to a 2nd grade equation of the form ay^2 + by + c = 0, where y equals (4 * sqr(x) + 9 * x + 746) / 5. For each y found, solve the equation for x. So you end up with at most 4 values for x, some of which may be negative or complex. Of course, as x is the length of the code, it can only be a positive number. For ebx > 1, you can still solve it by repeatedly propagating the result for the nth step to the nth-1 step.
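
The hash round quoted in the discussion, iterated 0x1C4 times and searched forward over the 1,000 three-digit prefixes, as an added example (not code from the crackme or from any commenter). Assumptions: products wrap at 32 bits, the seed is the numeric value of the three digits, and the target is built from a made-up prefix because the page does not give the value the program compares against.

```c
#include <stdint.h>
#include <stdio.h>

#define ROUNDS 0x1C4u /* 452, the loop count quoted in the discussion */

/* One round of the hash as posted in the discussion, on an unsigned
 * 32-bit value: products wrap modulo 2^32, both divisions truncate. */
static uint32_t hash_round(uint32_t a)
{
    a = (4u * a * a + 9u * a + 1862u) / 5u;
    a = (2u * a * a + 4u * a - 84448u) / 4u;
    return a - 400000u;
}

/* Assumption: the seed is the numeric value of the first three digits. */
static uint32_t hash_prefix(uint32_t seed)
{
    for (uint32_t i = 0; i < ROUNDS; i++)
        seed = hash_round(seed);
    return seed;
}

/* Forward search over 000..999: store every prefix whose hash equals
 * target in out[] (up to cap entries) and return how many matched. */
static int search_prefix(uint32_t target, uint32_t *out, int cap)
{
    int n = 0;
    for (uint32_t p = 0; p < 1000; p++)
        if (hash_prefix(p) == target) {
            if (n < cap)
                out[n] = p;
            n++;
        }
    return n;
}

int main(void)
{
    uint32_t hits[1000];
    /* Constructed target: hash of a made-up prefix, not the crackme's value. */
    uint32_t target = hash_prefix(123);
    int n = search_prefix(target, hits, 1000);

    printf("round(0) = %u, round(1) = %u\n",
           (unsigned)hash_round(0), (unsigned)hash_round(1));
    printf("target %u matched by %d prefix(es):", (unsigned)target, n);
    for (int i = 0; i < n; i++)
        printf(" %03u", (unsigned)hits[i]);
    printf("\n");
    return 0;
}
```

The whole search costs 1,000 × 452 rounds, and the search reports every matching prefix rather than stopping at the first, so any collisions introduced by the truncating divisions and the 32-bit wrap show up in the output.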
