KeygenMe page on crackmes.de
You have to find a valid serial.
The only protection is the serial ...!
This is a kind of headache ... :D
Good luck
Difficulty: 5 - Professional problem to solve
Platform: Windows
Language: Borland Delphi
This keygenme is a console application, so there are no button handlers to look for. Instead, we look for the conditional jump that leads to the success message.
CODE:0040A71D   mov     edx, offset aSerial          ; "Serial:"
CODE:0040A722   call    Write0LString
CODE:0040A727   call    @Flush$qqrr15System@TTextRec ; Flush(System::TTextRec &)
CODE:0040A72C   call    @_IOTest
CODE:0040A731   mov     edx, offset Serial
CODE:0040A736   mov     eax, ds:off_40B370
CODE:0040A73B   call    @ReadLString
CODE:0040A740   mov     eax, ds:off_40B370
CODE:0040A745   call    @ReadLn
CODE:0040A74A   call    @_IOTest
CODE:0040A74F   mov     eax, ds:Serial
CODE:0040A754   call    LStrLen
CODE:0040A759   mov     edi, eax                     ; edi = length of the serial
CODE:0040A75B   test    edi, edi
CODE:0040A75D   jle     _end_of_serial               ; empty serial -> straight to failure
CODE:0040A763   mov     ds:pos, 1                    ; 1-based index of the current character
CODE:0040A76D
CODE:0040A76D _next_char:                            ; CODE XREF: start+2FE j
CODE:0040A76D   mov     eax, ds:Serial
CODE:0040A772   mov     edx, ds:pos
CODE:0040A778   movzx   edx, byte ptr [eax+edx-1]    ; edx = Serial[pos]
CODE:0040A77D   mov     eax, esi
CODE:0040A77F   call    ProcessCommand               ; execute one command character
CODE:0040A784   push    offset test_z                ; a4
CODE:0040A789   mov     ecx, offset test_y           ; a3
CODE:0040A78E   mov     edx, offset test_x           ; a2
CODE:0040A793   mov     eax, esi                     ; a1
CODE:0040A795   call    GetPosMarker3D               ; where is the marker now?
CODE:0040A79A   cmp     ds:test_x, 2
CODE:0040A7A1   jnz     _incorrect_pos
CODE:0040A7A7   cmp     ds:test_y, 4
CODE:0040A7AE   jnz     _incorrect_pos
CODE:0040A7B4   cmp     ds:test_z, 4
CODE:0040A7BB   jnz     _incorrect_pos
CODE:0040A7C1   cmp     dword ptr [esi+218h], 0Ch
CODE:0040A7C8   jnz     _incorrect_pos
... displaying a message that the key was successfully found ...
CODE:0040A97B _incorrect_pos:                        ; CODE XREF: start+11D j
CODE:0040A97B                                        ; start+12A j ...
CODE:0040A97B   inc     ds:pos
CODE:0040A981   dec     edi
CODE:0040A982   jnz     _next_char
CODE:0040A988
CODE:0040A988 _end_of_serial:                        ; CODE XREF: start+D9 j
CODE:0040A988   mov     eax, ebx
CODE:0040A98A   call    @WriteLn
CODE:0040A98F   call    @_IOTest
CODE:0040A994   mov     eax, ebx
CODE:0040A996   mov     edx, offset aNanCEstPasBon   ; "Nan, c'est pas bon :)"
CODE:0040A99B   call    Write0LString
CODE:0040A9A0   call    @WriteLn
The same code in Delphi syntax will look like this:
So, for the check to succeed, after processing some character of the serial number the coordinates of a certain marker must be (2, 4, 4) and a certain variable (the dword at [esi+218h]) must be equal to 12.
Let's see what is in the function GetPosMarker3D (00409D88).
It searches a three-dimensional array (a cube) for the element holding the marker. The dimension of the cube is also visible here: 5x5x5.
Each element of the cube is described by a number from 0 to 15.
The cube is initialized in the function at address 00408D90.
The contents of the initialized cube in expanded form:
The list of possible values of the cube elements:
0 | regular field |
1 | impassable field (wall) |
2 | starting position |
3 | key to pass through the field with ID = 4 |
4 | trigger field with a pass event |
5 | key to pass through the field with ID = 6 |
6 | trigger field with a pass event |
7 | gateway to another level |
8 | rotate the current level by 90 degrees |
9 | teleport starting point |
A | teleport destination |
B | field with a constant (1, 2, 3, 6) |
C | field with an arithmetic operation (+, -, /, *) |
D | put the result as the first operand |
E | calculate the expression |
F | exit from the cube |
The commands, which are the characters of the entered serial number, are processed in the function at 0040A2C0:
P | move left (X+1) |
I | move right (X-1) |
A | move up (Y-1) |
C | move down (Y+1) |
D | move one level down (Z+1) |
U | move one level up (Z-1) |
- | perform an action |
The D and U commands require the marker to be in a cell with ID = 7 and a matching receiving gateway to exist on the other layer at the same (X, Y) coordinates.
The action command can be applied while standing on a field with ID = 5, 8, B, C, D or E. Actions are processed in the procedure at address 00409FEC.
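The movement rules above (one command per serial character, walls, the 5x5x5 bounds and the gateway condition for D/U) are easy to check with a small interpreter. This is an added example, not code from the keygenme or from the author; the cube it walks is a constructed sample layout, since the real cube contents are not reproduced here, and the deltas are taken directly from the command table.

```python
# Added example, not the keygenme's own code: a minimal interpreter for the serial's
# movement commands, using the coordinate deltas from the command table. The cube is a
# constructed sample (the real 5x5x5 contents are not reproduced here).
SIZE = 5
WALL, START, GATE, EXIT = 0x1, 0x2, 0x7, 0xF

# command -> (dX, dY, dZ) exactly as the table lists them
MOVES = {
    "P": (1, 0, 0), "I": (-1, 0, 0),   # X axis
    "A": (0, -1, 0), "C": (0, 1, 0),   # Y axis
    "D": (0, 0, 1), "U": (0, 0, -1),   # Z axis (layers), gateway required on both sides
}

def sample_cube():
    """Constructed layout: start at (1,0,0), a wall at (2,0,0),
    and a gateway pair at (1,2,0) <-> (1,2,1)."""
    cube = [[[0] * SIZE for _ in range(SIZE)] for _ in range(SIZE)]  # indexed cube[z][y][x]
    cube[0][0][1] = START
    cube[0][0][2] = WALL
    cube[0][2][1] = GATE
    cube[1][2][1] = GATE
    return cube

def walk(cube, serial, start=(1, 0, 0)):
    """Apply each movement command to the marker and return (final position, trace).
    A move that hits a wall, leaves the cube, or uses D/U without a gateway on both
    layers is rejected and the marker stays put; '-' actions are recorded, not simulated."""
    x, y, z = start
    trace = []
    for ch in serial:
        if ch not in MOVES:
            trace.append((ch, (x, y, z), "action"))
            continue
        dx, dy, dz = MOVES[ch]
        nx, ny, nz = x + dx, y + dy, z + dz
        if not all(0 <= v < SIZE for v in (nx, ny, nz)):
            status = "out of bounds"
        elif dz and not (cube[z][y][x] == GATE and cube[nz][ny][nx] == GATE):
            status = "no gateway"
        elif cube[nz][ny][nx] == WALL:
            status = "wall"
        else:
            x, y, z, status = nx, ny, nz, "ok"
        trace.append((ch, (x, y, z), status))
    return (x, y, z), trace

def check_success(pos, calc_result):
    """The final check from the listing: marker at (2,4,4) and the calculator value 12."""
    return pos == (2, 4, 4) and calc_result == 12
```

The trace shows, per character, why a move was accepted or rejected, which is the same information the author extracted by dumping the cube after each command.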
In fact, this keygenme contains a small step-by-step quest. The main task is to get from the field at coordinates (1,0,0) to the field at coordinates (2,4,4).
The teleport links on the fourth layer are as follows:
Passing the first four layers only requires moving around the map. On the last, fifth layer, an additional condition for leaving the cube must also be met.
Using the set of numbers 1,3,4,6 (fields with ID = B) and the arithmetic operations +, -, *, / (fields with ID = C) you need to obtain the number 12, and all the constants must be used; i.e. the option (3-1)*6 is not suitable.
To use this mini-calculator, you must first perform the action (the - command) on two fields with ID = B and one field with ID = C. Then step onto the field with ID = E and perform the action. To use the result as the first operand, perform the action on the field with ID = D. After all the operations, step onto the field with ID = F.
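Because D feeds the previous result back as the first operand, the calculator evaluates strictly left to right, with no precedence. This added search, not the keygenme's or the author's code, enumerates every order of the constants 1,3,4,6 and every operator sequence under that rule and keeps the chains that yield 12 while using all four constants:

```python
# Added example, not the keygenme's own code: brute-force search for expressions the
# keygenme's mini-calculator can produce. The calculator evaluates left to right:
# two constants (B) and an operation (C), evaluate (E), then D puts the result back as
# the first operand. Every constant must be used once, so (3-1)*6 is rejected.
from fractions import Fraction
from itertools import permutations, product

CONSTANTS = (1, 3, 4, 6)   # B-field constants as stated in the article
OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b,
       "*": lambda a, b: a * b, "/": lambda a, b: a / b}

def evaluate_chain(operands, ops):
    """Left-to-right evaluation as the D/E fields do: ((a op1 b) op2 c) op3 d.
    Fractions keep exact arithmetic so 6/4*... is not silently truncated."""
    acc = Fraction(operands[0])
    for op, val in zip(ops, operands[1:]):
        if op == "/" and val == 0:
            return None
        acc = OPS[op](acc, Fraction(val))
    return acc

def find_solutions(target=12, constants=CONSTANTS):
    """All (operand order, operator sequence) chains using every constant once
    that evaluate to target."""
    found = []
    for order in permutations(constants):
        for ops in product(OPS, repeat=len(constants) - 1):
            if evaluate_chain(order, ops) == target:
                found.append((order, ops))
    return found

def render(order, ops):
    """Print a chain with explicit left-to-right grouping, e.g. (((4 + 6) + 3) - 1)."""
    expr = str(order[0])
    for op, val in zip(ops, order[1:]):
        expr = f"({expr} {op} {val})"
    return expr

if __name__ == "__main__":
    for order, ops in find_solutions():
        print(render(order, ops), "=", evaluate_chain(order, ops))
```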
The code for passing the first layer:
CIIAIPCPPPCCCIIIAIA--AD
The passage of the second and third layers is closely interrelated, so the solution covers both at once:
CCCAAAAII---AAPPPDC-AUIIICC---PPAADCI---APUIIPPDIC-PAUIIDIAD
Code for the fourth layer:
PAICP--CPIUC-ADIICAI-ICAAAAPAD
And finally, for the last, fifth layer:
CCP-A-II-CC-PP-AAA-II-CCC-PP-AAP-IIII-PCC-P-
In total we get the serial number:
CIIAIPCPPPCCCIIIAIA--ADCCCAAAAII---AAPPPDC-AUIIICC---PPAADCI---APUIIPPDIC-PAUIIDIADPAICP--CPIUC-ADIICAI-ICAAAAPADCCP-A-II-CC-PP-AAA-II-CCC-PP-AAP-IIII-PCC-P-
Enter it into the keygenme and receive the congratulations.
The article is accompanied by two videos showing the passage of all layers of the cube, in binary and pseudographic form.
To analyze the contents of the cube after each processed character, a simple DLL was written and injected into the keygenme's address space.