#1
Keygenning Checksum based algos
Hi,
I have come across many keygenmes etc. which find some checksum of a serial and then perform some XORs etc. on it and finally check it against a value. How can I crack such protections? Is brute-forcing the only way? Thomas Antony
#2
The correct way is to analyze the serial checking algorithm and reverse it (build a function which generates the correct serial for any name). In some cases (strong asymmetric crypto or table-based serial checking) the algorithm cannot be reversed, and building the keygen is impossible.
#3
Hi,
Yeah, for most algos that depend on the name, I can do that. But some just take the serial, calculate its checksums in a complicated manner and perform some more calculations before it is compared to a value. I am mostly able to reverse until I find the correct checksum for the key. But I can go no further. Thomas Antony
#4
babylon pro v4x protection.
Use similar tactics for serial key verification.
#5
train both it and yourself :)
If you mean that the algorithm is independent of the given name, then it might be something other than user locked. Besides user lock, you may try to find any sign of system lock, hardware lock, time lock, etc., that has something to do with the serial, if the serial changes along with those environments.
If you are lucky and the serial is not locked against anything, then it might be a self-checked serial. So some parts of the serial are bait, the rest are for validating. That all depends upon the design ... which you should have known before you get a clue how to defeat it, I think.
#6
Hi,
Sorry for the late reply. Suppose I get a crackme program. (I did get one :-) ). It takes the name and finds the checksum using a function which uses some ROLs etc. Then it takes the serial and finds its checksum using ANOTHER function. Then the serial is valid only if both checksums are equal. How do I solve this? Thomas Antony
#7
Let's name the function that takes the name and finds the checksum F1(), and name the other function (for the serial) F2().
You need to build a function F2'() which is the inverse of F2(), i.e. F2(F2'(x)) == F2'(F2(x)) == x. After that, to get a valid serial for any name just calculate F2'(F1(Name)).
#8
Hi,
I tried that way. I can't seem to be able to reverse the algo. I get weird chars in the code and that also doesn't work in the actual program. The function they use on the name is:

mov esi,OFFSET NameBuffer
cdq
@@:
mov eax,dword ptr [esi]      ; DWORD at the current offset
inc esi
add edx,eax                  ; running sum in EDX
shr eax,18h                  ; byte three positions ahead
test eax,eax                 ; stop at the terminator
jnz @B

Then they do this with the code:

mov esi,OFFSET CodeBuffer
xor edx,edx
xor ecx,ecx
@@:
inc ecx
movzx eax,byte ptr [esi+ecx] ; reads CodeBuffer[1..16]
not al
add dh,al
rol edx,5
not al
mov dl,al                    ; low byte replaced by the code byte
cmp ecx,16
jne @B

It compares edx with the previous checksum. I tried reversing the second algo like this:

mov ecx,10h
xor eax,eax
mov edi,OFFSET CodeBuffer
@@:
mov al,dl
not al
ror edx,5
sub dh,al
not al
stosb                        ; writes CodeBuffer[0..15] with DF clear
dec ecx
jne @B

It's not working. Please help!! Thomas Antony
#9
Different starting points?
Look at code block 2: it reads from CodeBuffer[ 1 .. 16 ] to give the EDX; but in your so-called "reversed" code block, it writes to CodeBuffer[ 0 .. 15 ] or CodeBuffer[ -15 .. 0 ] depending upon the direction flag ...
They are NOT reverses of each other at all. I am afraid you should revise the "reversed" code block to write to CodeBuffer[ 16 .. 1 ] instead, not only the ROR/SUB etc.
#10
Hi thomasantony!
I saw something wrong in your reversed code. Can you attach that keygenme/crackme?
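As an added example (not code from the thread or from the keygenme's author), here is a Python model of the two routines quoted in post #8 together with a direct construction of F2'(F1(Name)) in the sense of post #7. It makes two things explicit that the posts only hint at. First, F2 is not a bijection: `mov dl,al` after `rol edx,5` discards the byte that was just rotated into DL, so a lossless byte-by-byte inverse of the kind attempted in #8 is not available, whichever end of the buffer it writes to. Second, because of that rotate-and-overwrite structure only bytes 11..16 and eight bits of the state left after byte 11 reach the final EDX at all, so any filler prefix can be fixed and the tail solved with a handful of 8-bit additions. Assumptions not stated in the thread: CDQ in F1 leaves EDX = 0 (EAX is non-negative on entry), the name buffer is zero-padded past its terminator, and the default prefix and sample names are constructed here.

```python
# Added example (not from the thread): Python model of the two routines
# quoted in post #8 plus a direct preimage construction for F2.
# Assumptions (not stated in the thread): CDQ leaves EDX = 0 in F1, and the
# name buffer is zero-padded past its NUL terminator.
MASK = 0xFFFFFFFF


def rol32(x: int, n: int) -> int:
    """32-bit rotate left, as ROL EDX,n."""
    return ((x << n) | (x >> (32 - n))) & MASK


def f1(name: bytes) -> int:
    """F1: add the DWORD at every byte offset of the name until the byte three
    positions ahead (EAX >> 18h) is the terminator."""
    buf = name + b"\x00" * 4            # assumed zero padding past the NUL
    edx, esi = 0, 0                     # CDQ assumed to clear EDX
    while True:
        eax = int.from_bytes(buf[esi:esi + 4], "little")   # mov eax,[esi]
        esi += 1                                           # inc esi
        edx = (edx + eax) & MASK                           # add edx,eax
        if eax >> 24 == 0:                                 # shr eax,18h / test
            return edx


def f2(code: bytes) -> int:
    """F2 over CodeBuffer[1..16]; code[0] is never read, exactly as in the asm."""
    edx = 0
    for ecx in range(1, 17):
        b = code[ecx]                                      # movzx eax,[esi+ecx]
        a = b ^ 0xFF                                       # not al
        dh = (((edx >> 8) & 0xFF) + a) & 0xFF              # add dh,al
        edx = rol32((edx & 0xFFFF00FF) | (dh << 8), 5)     # rol edx,5
        edx = (edx & 0xFFFFFF00) | b                       # not al ; mov dl,al
    return edx


def forge_code(target: int, prefix: bytes = b"KEYGENME1A") -> bytes:
    """Return a 17-byte CodeBuffer with f2(code) == target.

    Bytes 1..10 come from `prefix` (a constructed filler), bytes 11..16 are
    solved.  Field layout of the final EDX, read off the rol/mov sequence
    (D_i = DH after step i's add, b_i = byte consumed in step i):
      bits 0-7   b16      bits 8-12  b15>>3    bits 13-20 D16
      bits 21-25 D15>>3   bits 26-30 D14>>3    bit 31     bit 3 of D13
    and DH going into step i is (D_{i-1} & 7) << 5 | b_{i-2} >> 3.
    """
    if not 0 <= target <= MASK:
        raise ValueError("target must fit in 32 bits")
    pre = (prefix + b"A" * 10)[:10]
    b10 = pre[9]
    b16 = target & 0xFF
    # D16 = (S15 + ~b16) mod 256 with S15 = (D15 & 7) << 5 | b14 >> 3
    s15 = (((target >> 13) & 0xFF) + b16 + 1) & 0xFF
    b14 = (s15 & 0x1F) << 3                     # low 3 bits are free, use 0
    d15 = (((target >> 21) & 0x1F) << 3) | (s15 >> 5)
    b15 = ((target >> 8) & 0x1F) << 3           # low 3 bits are free, use 0
    s14 = (d15 + b15 + 1) & 0xFF                # (D14 & 7) << 5 | b13 >> 3
    d14 = (((target >> 26) & 0x1F) << 3) | (s14 >> 5)
    s13 = (d14 + b14 + 1) & 0xFF                # (D13 & 7) << 5 | b12 >> 3
    d13 = (((target >> 31) & 1) << 3) | (s13 >> 5)   # bits 4-7 free, use 0
    b13 = (s14 & 0x1F) << 3
    s12 = (d13 + b13 + 1) & 0xFF                # (D12 & 7) << 5 | b11 >> 3
    b11 = (s12 & 0x1F) << 3
    # D12 & 7 == (((b10 >> 3) & 7) + (~b12 & 7)) & 7, so the low 3 bits of
    # b12 select it; nothing in b11 reaches these bits.
    low = (((b10 >> 3) & 7) + 7 - (s12 >> 5)) & 7
    b12 = ((s13 & 0x1F) << 3) | low
    code = b"\x00" + pre + bytes([b11, b12, b13, b14, b15, b16])
    if f2(code) != target:                      # sanity check of the derivation
        raise AssertionError("construction failed")
    return code


def keygen(name: bytes, prefix: bytes = b"KEYGENME1A") -> bytes:
    """F2'(F1(Name)) from post #7: a code buffer the quoted check accepts."""
    return forge_code(f1(name), prefix)
```

`keygen(name)` returns the 17-byte buffer as the check reads it: index 0 is the bait byte the loop never touches (the indexing point made in post #9), bytes 1..10 are filler and bytes 11..16 are the solved tail. Those six bytes are arbitrary binary values, which is also why a correct solution for this scheme will usually contain non-printable characters. Because every prefix yields a different valid buffer for the same 32-bit target, the check provides no more than a 32-bit consistency test, not a binding between name and serial.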
#11
Hi,
Can someone help me with that one? I also found another algo which I can't reverse. It is:

00401380  . BE E0324000      MOV ESI,KEYGENME.004032E0        ; Key1 (DWORD)
00401385  . BF 0B334000      MOV EDI,KEYGENME.0040330B        ; Key2 (DWORD)
0040138A  . B9 09000000      MOV ECX,9
0040138F  > 0FBE0433         MOVSX EAX,BYTE PTR DS:[EBX+ESI]
00401393  . 0FC1C1           XADD ECX,EAX
00401396  . 03CB             ADD ECX,EBX
00401398  . 66:0FACC2 04     SHRD DX,AX,4
0040139D  . FEC2             INC DL
0040139F  . 32D6             XOR DL,DH
004013A1  . 88143B           MOV BYTE PTR DS:[EBX+EDI],DL
004013A4  . 43               INC EBX
004013A5  . 83FB 04          CMP EBX,4
004013A8  .^ 75 E5           JNZ SHORT KEYGENME.0040138F

I have Key2. I want to get Key1. How do I do it? BTW, I had made a post earlier but it didn't appear. Maybe the old man deleted it because I didn't have 15 posts then. Thomas Antony