downloadbrowseqpt^J's KeyGenMe 1

Download, 14 kb (password:
Browse contents of

Rules are:
No Patching,Key-Fishing,SelfGening
Only Fully working KeyGen is a valid solution

Difficulty: 4 - Needs special knowledge
Platform: Windows
Language: Assembler

Published: 14. Sep, 2009
Downloads: 546


Votes: 5
Crackme is boring.

Rate this crackme:

Send a message to qpt^J »

View profile of qpt^J »


Solution by alex_ls, published 17. mar, 2010; download (65 kb), password: or browse.

alex_ls has not rated this crackme yet.

Solution by KernelJ, published 17. mar, 2010; download (20 kb), password: or browse.

KernelJ has rated this crackme as boring crap.

The submission of solutions is closed.

Discussion and comments

02. Nov 2009
Well, I have been able to reverse the algorithm for the second part of the serial but the first 7 bytes are the tricky part. They are put through a StrToInt function and xor'd by 5050h. This result is an address that is followed after lstrcmp returns positive. Without the correct first 7 bytes, the program fails.

18. Nov 2009
i didn't find any variable pushes to the stack for message boxes either, and there are only 4 wsprintfa calls, none of which have variable pointers, so no way to really modify those with a unique or crafty jump

the only way i found was to patch the invalid serial number box so that it reports the 40C07E string instead
18. Nov 2009
like cobrasniper555 said,
>>the first 7 bytes are the tricky part. They are put through a StrToInt function and xor'd by 5050h.
then it's converting to an address which must be goodboy message address, and not need to patch the program
05. Mar 2010
Looking at the lstrcat at 00401116, there is an element of randomness as you have saved the ESP value to 0041C385. As the address is stored little endian, it is included in the string added to the entered name.

Havent reversed it any further yet so i dont know how or even if this influences anything.
09. Mar 2010
As _ghandi_ pointed out, the current value of ESP (and other junk on the stack in fact) is included in the serial calculation mechanism. Changing the ESP at the program entry point (the OS doesn't have to give you the same one) gives you completely different valid serial, meaning it's impossible to write a proper keygen for this, the only solution is to fish for the serial or copy the code so that you get the same behaviour. Basically you have to self-keygen it, there's no other way worth mentioning. Finding the first 7 bytes was slightly enjoyable with analysis tools, but only because the chain of instructions was fairly short and could be traced back easily. Very poorly written keygenme in general... I've submitted a tutorial on how to reverse the required parts of this, find the first bytes, and selfkeygen.
09. Mar 2010
thanks KernelJ for solving this shit. I knew that serials could be different in each computer. Maybe I will agree with selfkeygen, because there is no way to write keygen.
p.s: this is my first keygenme, thats why it has a stupid protection
10. Mar 2010
Would be nice crackme but this an unfortunate bug!
I have patched a few bytes into SHA1 modified function
(just put 0 to address 41c385) and created a keygen which works for every name. Very liked the obfuscated part of code :)

You may leave your comment, thoughts and discuss this crackme with other reversers here.
Acting childish will not be tolerated.
HTML and such will be left as-is, so don't try.