S!x0r's Crackme#2 by S!x0r

Download Crackme#2_S!, 6 kb (password:
Browse contents of Crackme#2_S!


Because my first crackme was really fast solved, I created another crackme.

I hope, it is a little bit harder.

The main target is: Create a keygen.

Have Fun!

Difficulty: 3 - Getting harder
Platform: Windows
Language: Assembler

Published: 25. Dec, 2014
Downloads: 348




Solution by Encrypto, published 20. Jan, 2015; download (408 kb), password: or browse.

Encrypto has rated this crackme as nothing special.


Discussion and comments

21. Dec 2014
Okay, I've cracked this thing but can't make a keygen.
At 004012E0 replace C3 (RET) with 90 (NOP).
Still trying to figure out how to bypass the RET without replacing it with NOP but to look for the comparisons.
Need help...
Office Jesus
21. Dec 2014
@stanoja: Scroll up to 004012B3 and you will see the first three checks you need to pass. They're pretty easy to figure out. ;)
25. Dec 2014
Sorry, there was a bug in the first version: it accepted invalid serials. Thanks go to Office Jesus, who reported that bug to me. I hope this version is bug free.
26. Dec 2014
Are you sure about your last step with bn2Bytes? Do you take care of endianness?
Feature or bug?
In the end it is not hard.

Every right solution is wrong in your keygenme due to the endian issue!

26. Dec 2014
Hi ragdog,

Yes, I'm sure. I can generate valid serials with my own keygen for it.
26. Dec 2014
I have tested it. I have the correct serial, but you compare it in the wrong endianness. Can you check it please?

00401254 . 8D35 B2454000 LEA ESI, DWORD PTR DS:[4045B2]
0040125A . 8D3D C2454000 LEA EDI, DWORD PTR DS:[4045C2]
00401260 . B9 10000000 MOV ECX, 10
00401265 . 33D2 XOR EDX, EDX
00401267 . 33D2 XOR EDX, EDX
00401269 . EB 0A JMP SHORT Crackme#.00401275
0040126B > 8A06 MOV AL, BYTE PTR DS:[ESI]
0040126D . 3A07 CMP AL, BYTE PTR DS:[EDI]
0040126F . 75 01 JNZ SHORT Crackme#.00401272
26. Dec 2014
The check is correct. Can you send me the part where you generate the serial?

The surrender from h(m) reaches.
26. Dec 2014
This is Correct!
26. Dec 2014
Yes, I know, but my first thought went the wrong way.

mfg, raggy gRn
29. Dec 2014
Seriously, the keygen is not hard to code if I know what the algorithm at 0x402840 is...
It looks like a big int operation; however, I can't identify it.

Just an overview of this cm:
After the text of Edit_username and Edit_password has been fetched, the dw_KeyTable at 0x404013 is used to calculate four parts of the sum of the username, in four similar ways like:
lodsb // get char from username one by one as a loop
//do something to al
//part2:al ^bx, part4:al+4e, part1:al/16, part3:al+4
add sum,dw_KeyTable[al]

Then the password is used as a 2x128-bit big int, separated by '-', with some endian reversal.

After some big int calculation, the four parts of the sum are used as a 128-bit big int and compared with the first 128 bits of the 256-bit big int to decide whether the password is correct or not.

And at the very last, please forgive me for my poor English...
29. Dec 2014
Little tip:

What's the result for

result = AD089BD35F53D4687921D4B4DAF4D4F3^2
21. Jan 2015
Nicely done, Encrypto. The keygen looks pretty badass. Good to see some of the older folks are still around :-)
23. Jan 2015
Thanks for the kind words boonz :)
