qpt^J's Crackme2


For this crackme you must find the serial number.
Patching isn't allowed.

Difficulty: 2 - Needs a little brain (or luck)
Platform: Windows
Language: Assembler

Published: 22. Aug, 2009
Downloads: 489


Votes: 3
Crackme is nothing special.



Solution by mjones, published 24. Aug, 2009.

mjones has rated this crackme as awesome.


Discussion and comments

23. Aug 2009
Is there any way other than brute force to solve for the first part of the key?
23. Aug 2009
This crackme can be solved only by bruteforcing
24. Aug 2009
Wow, this crackme is a hard one (for me)

By implementing the function at $4012BA I figured (brute forced) out the string format:
- 18 characters long
- 4th and 10th character must be "-"
e.g: 123-12345-12345678

That function is almost equal to this equation:
( SQR( ( SQR(x) * 4 + 9*x + $746 ) div 5 ) * 2 + 4 * ( ( SQR(x) * 4 + 9*x + $746 ) div 5 ) + $153F - $15F1F ) div 4 + $5A2D9 - $BBD59
EXCEPT for 1 iteration (ebx = 1)

I hope someone could dig deeper .. xD

Best regards
24. Aug 2009
very nice solution
24. Aug 2009
Wow, I'm impressed;
I thought about analyzing the function and solving the equation for key/serial creation,
but bruteforcing also leads to victory xD
25. Aug 2009
You can analyze the function, but not realistically reverse it.

The hash method is:
a = (4*a*a + 9*a + 1862) / 5;
a = (2*a*a + 4*a - 84448) / 4;
a -= 400000;
(the use of IDIV should mean the number is signed, however, the program operates on the unsigned number for me -- so if you use the above, declare "a" as unsigned.)

The problem with trying to reverse the hash is the use of integer division. The inverse is not a function -- it maps many-to-one. i.e.: int(6/5) = int(7/5) = int(8/5) = int(9/5) = 1 (in fact, with x/n, there are n-1 values for x that are equivalent). So without knowing the modulus result, each loop has (5-1)(4-1) = 12 possibilities.

The calculation of the first three digits loops 0x1C4 (452) times. Thus,
Reversal: 452 * 12 = 5,424 possible solutions.
Brute Force: 10^3 = 1,000 possible solutions.

In the end reversing the algorithm is basically a less efficient version of brute force.
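Added example (not part of the original thread and not the crackme's own code): the three-line hash from the comment above on an unsigned 32-bit value, run for 0x1C4 rounds and searched forward over all 10^3 three-digit seeds. It assumes the seed is the numeric value of the three digits, uses a target constructed from a known seed because the thread does not give the real one, and leaves out the unspecified "ebx = 1" exception mentioned earlier.

```c
#include <stdint.h>
#include <stdio.h>

#define ROUNDS 0x1C4u  /* 452 iterations, as stated in the comment above */

/* One round of the hash as written in the thread. "a" is unsigned, so
   every product wraps modulo 2^32 and both divisions truncate. */
static uint32_t hash_round(uint32_t a)
{
    a = (4u * a * a + 9u * a + 1862u) / 5u;
    a = (2u * a * a + 4u * a - 84448u) / 4u;
    return a - 400000u;
}

/* ASSUMPTION: the starting value is the three digits read as a number. */
static uint32_t hash_seed(uint32_t seed)
{
    uint32_t a = seed;
    for (uint32_t i = 0; i < ROUNDS; i++)
        a = hash_round(a);
    return a;
}

/* Forward search over 000..999. Stores up to cap matching seeds in out
   and returns how many were stored. */
static int brute_force(uint32_t target, int *out, int cap)
{
    int n = 0;
    for (int s = 0; s < 1000; s++)
        if (n < cap && hash_seed((uint32_t)s) == target)
            out[n++] = s;
    return n;
}

int main(void)
{
    /* Constructed target: the hash of a seed we picked ourselves (123). */
    uint32_t target = hash_seed(123u);
    int hits[8];
    int n = brute_force(target, hits, 8);

    printf("target = 0x%08X, %d matching seed(s):", (unsigned)target, n);
    for (int i = 0; i < n; i++)
        printf(" %03d", hits[i]);
    printf("\n");
    return 0;
}
```

The whole search costs 1,000 x 452 rounds of integer arithmetic and never has to guess a discarded remainder.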
10. Sep 2009
I may be wrong, but I think LoneWolf's equation could be brought to a 2nd grade equation of the form ay^2 + by + c = 0; where y equals (4 * sqr(x) + 9 * x + 746) / 5;
For each y found, solve the equation of x.
So you end up with at most 4 values for x, some of which may be negative or complex. Of course, as x is the length of the code, it can only be a positive number.

For ebx > 1, you can still solve it by repeatedly propagating the result for the nth step to the nth-1 step.
