
Analysis of KeygenMe #2 by Paic_Citron

KeygenMe page on crackmes.de

You have to find a valid serial.



The only protection is the serial ...!



This is a kind of headache ... :D

Good luck

Difficulty: 5 - Professional problem to solve

Platform: Windows

Language: Borland Delphi





This keygenme is a console application, so we do not have to look for button handlers and the like. We are therefore looking for the conditional jump that leads to the success message.

 CODE:0040A71D mov     edx, offset aSerial          ; "Serial:"
 CODE:0040A722 call    Write0LString
 CODE:0040A727 call    @Flush$qqrr15System@TTextRec ; Flush(System::TTextRec &)
 CODE:0040A72C call    @_IOTest
 CODE:0040A731 mov     edx, offset Serial
 CODE:0040A736 mov     eax, ds:off_40B370
 CODE:0040A73B call    @ReadLString
 CODE:0040A740 mov     eax, ds:off_40B370
 CODE:0040A745 call    @ReadLn
 CODE:0040A74A call    @_IOTest
 CODE:0040A74F mov     eax, ds:Serial
 CODE:0040A754 call    LStrLen
 CODE:0040A759 mov     edi, eax
 CODE:0040A75B test    edi, edi
 CODE:0040A75D jle     _end_of_serial
 CODE:0040A763 mov     ds:pos, 1
 CODE:0040A76D
 CODE:0040A76D _next_char:                          ; CODE XREF: start+2FE↓j
 CODE:0040A76D mov     eax, ds:Serial
 CODE:0040A772 mov     edx, ds:pos
 CODE:0040A778 movzx   edx, byte ptr [eax+edx-1]
 CODE:0040A77D mov     eax, esi
 CODE:0040A77F call    ProcessCommand
 CODE:0040A784 push    offset test_z                ; a4
 CODE:0040A789 mov     ecx, offset test_y           ; a3
 CODE:0040A78E mov     edx, offset test_x           ; a2
 CODE:0040A793 mov     eax, esi                     ; a1
 CODE:0040A795 call    GetPosMarker3D
 CODE:0040A79A cmp     ds:test_x, 2
 CODE:0040A7A1 jnz     _incorrect_pos
 CODE:0040A7A7 cmp     ds:test_y, 4
 CODE:0040A7AE jnz     _incorrect_pos
 CODE:0040A7B4 cmp     ds:test_z, 4
 CODE:0040A7BB jnz     _incorrect_pos
 CODE:0040A7C1 cmp     dword ptr [esi+218h], 0Ch
 CODE:0040A7C8 jnz     _incorrect_pos
 ... code that prints the "key successfully found" message ...
 CODE:0040A97B _incorrect_pos:                      ; CODE XREF: start+11D↑j
 CODE:0040A97B                                      ; start+12A↑j ...
 CODE:0040A97B inc     ds:pos
 CODE:0040A981 dec     edi
 CODE:0040A982 jnz     _next_char
 CODE:0040A988
 CODE:0040A988 _end_of_serial:                      ; CODE XREF: start+D9↑j
 CODE:0040A988 mov     eax, ebx
 CODE:0040A98A call    @WriteLn
 CODE:0040A98F call    @_IOTest
 CODE:0040A994 mov     eax, ebx
 CODE:0040A996 mov     edx, offset aNanCEstPasBon   ; "Nan, c'est pas bon :)"
 CODE:0040A99B call    Write0LString
 CODE:0040A9A0 call    @WriteLn




The same code, written in Delphi syntax, looks like this:



Thus, to pass the check, after processing some character of the serial the coordinates of a certain marker must be (2, 4, 4) and a certain variable (the dword at [esi+218h]) must equal 12.



Let's see what the function GetPosMarker3D (00409D88) does.



It searches a three-dimensional array (a cube) for the element holding the marker. The dimension of the cube, 5x5x5, is also visible here.

Each element of the cube is described by a number from 0 to 15.

The cube is initialised in the function at address 00408D90.

The contents of the initialized cube in expanded form:





The possible values of the cube's elements:

 ID  Meaning
 0   regular field
 1   impassable field (wall)
 2   starting position
 3   key for passing through the field with ID = 4
 4   trigger field with a pass event
 5   key for passing through the field with ID = 6
 6   trigger field with a pass event
 7   gateway to another level
 8   rotate the current level by 90 degrees
 9   teleport starting point
 A   teleport destination
 B   field with a constant (1, 2, 3, 6)
 C   field with an arithmetic operation (+, -, /, *)
 D   put the result as the first operand
 E   calculate the expression
 F   exit from the cube




The commands, i.e. the characters of the entered serial, are processed in the function at 0040A2C0:

 Command  Effect
 P        move left (X+1)
 I        move right (X-1)
 A        move up (Y-1)
 C        move down (Y+1)
 D        move one level down (Z+1)
 U        move one level up (Z-1)
 -        perform an action


The D and U commands require that the marker stand on a cell with ID = 7 and that the other layer have a matching receiving gateway at the same (X, Y) coordinates.

The action command can be applied while standing on a field with ID = 5, 8, B, C, D or E. Actions are handled in the procedure at address 00409FEC.
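An added example, not code from the keygenme or from the article, that models the command interpreter described above in Python. It applies the P/I/A/C/D/U deltas from the table to a marker position and enforces the gateway rule for D/U. The cube is a constructed two-layer 3x3 toy (the real cube is 5x5x5 and is not reproduced here); the cube[z][y][x] indexing and the handling of illegal moves (a move into a wall, out of the cube, or through a missing gateway is ignored) are assumptions, since the article does not spell them out. Teleports, rotation and the action fields are not modelled.

```python
# Added example: a model of the keygenme's command interpreter as the article
# describes it. This is NOT the keygenme's own code; the toy cube below is
# constructed for illustration (the real cube is 5x5x5).

FLOOR, WALL, START, GATEWAY = 0x0, 0x1, 0x2, 0x7   # cell IDs from the article's table

# Movement commands as (dx, dy, dz), exactly as the article lists them.
MOVES = {
    "P": (1, 0, 0),    # "move left" (X+1)
    "I": (-1, 0, 0),   # "move right" (X-1)
    "A": (0, -1, 0),   # move up (Y-1)
    "C": (0, 1, 0),    # move down (Y+1)
    "D": (0, 0, 1),    # one level down (Z+1)
    "U": (0, 0, -1),   # one level up (Z-1)
}

# Constructed two-layer 3x3 cube, indexed cube[z][y][x] (assumed order).
TOY_CUBE = [
    [   # layer z = 0
        [START, FLOOR, WALL],
        [WALL,  FLOOR, GATEWAY],
        [FLOOR, FLOOR, FLOOR],
    ],
    [   # layer z = 1
        [FLOOR, WALL,  FLOOR],
        [FLOOR, FLOOR, GATEWAY],
        [WALL,  FLOOR, FLOOR],
    ],
]


def cell(cube, pos):
    x, y, z = pos
    return cube[z][y][x]


def in_bounds(cube, pos):
    x, y, z = pos
    return 0 <= z < len(cube) and 0 <= y < len(cube[z]) and 0 <= x < len(cube[z][y])


def find_start(cube):
    """Locate the cell with ID 2 (starting position)."""
    for z, layer in enumerate(cube):
        for y, row in enumerate(layer):
            for x, value in enumerate(row):
                if value == START:
                    return (x, y, z)
    raise ValueError("cube has no starting position")


def step(cube, pos, cmd):
    """Apply one serial character and return the new marker position.

    Assumption (the article does not say what happens on an illegal move):
    a move that would leave the cube, enter a wall, or change level without
    a gateway on both layers is ignored and the marker stays where it is.
    """
    if cmd == "-":
        return pos  # the action command does not move the marker
    if cmd not in MOVES:
        raise ValueError(f"unknown command {cmd!r}")
    dx, dy, dz = MOVES[cmd]
    new = (pos[0] + dx, pos[1] + dy, pos[2] + dz)
    if not in_bounds(cube, new) or cell(cube, new) == WALL:
        return pos
    # D/U need an ID=7 cell here and the receiving gateway at the same (X, Y) on the other layer.
    if dz and not (cell(cube, pos) == GATEWAY and cell(cube, new) == GATEWAY):
        return pos
    return new


def walk(cube, serial, start=None):
    """Process a whole serial and return the position after each character."""
    pos = find_start(cube) if start is None else start
    trace = [pos]
    for ch in serial:
        pos = step(cube, pos, ch)
        trace.append(pos)
    return trace


def reached(trace, target):
    """The keygenme compares the marker position after every character, so any hit counts."""
    return any(pos == target for pos in trace)


if __name__ == "__main__":
    for i, pos in enumerate(walk(TOY_CUBE, "PCPDAIC")):
        print(i, pos)
```

Running the constructed serial "PCPDAIC" on the toy cube walks to the gateway at (2, 1, 0), drops to layer 1, and has its "I" step swallowed by the wall at (1, 0, 1), ending at (2, 1, 1).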



In fact, this keygenme contains a small step-by-step quest. The main task is to get from the field at coordinates (1, 0, 0) to the field at coordinates (2, 4, 4).



The teleport links on the fourth layer are as follows:





Passing the first four layers only involves moving around the map. On the fifth and last layer an additional condition must be met before leaving the cube.

Using the set of numbers 1, 3, 4, 6 (fields with ID = B) and the arithmetic operations +, -, *, / (fields with ID = C) you need to obtain the number 12, and every constant must be used; i.e. the option (3-1)*6 is not acceptable.

To use this mini-calculator, you first perform an action (the - command) on two fields with ID = B and one with ID = C. Then step onto the field with ID = E and perform the action. To use the result as the first operand, perform an action on the field with ID = D. After all the operations, we stand on the field with ID = F.
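An added example, not code from the keygenme or the article, that brute-forces the fifth-layer calculator in Python. It follows the B/C/E/D sequence described above: the constants are combined left to right and each intermediate result becomes the next first operand (an assumption drawn from the description of the ID = D field), and only expressions that use every constant exactly once and equal 12 are kept. The constants 1, 3, 4, 6 are the ones named in this paragraph; the cube table above lists the ID = B constants as 1, 2, 3, 6, so the solver takes the set as a parameter and either can be tried.

```python
# Added example: brute-force solver for the keygenme's mini-calculator.
# Not the keygenme's own code; the chained left-to-right evaluation is an
# assumption based on how the ID = D field ("put the result as the first
# operand") is described in the article.
from fractions import Fraction
from itertools import permutations, product
import operator

CONSTANTS = (1, 3, 4, 6)   # the ID = B fields as listed for the fifth layer
TARGET = 12                # the value the keygenme checks in [esi+218h] (0Ch)
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul, "/": operator.truediv}


def evaluate_chain(consts, ops):
    """Evaluate ((c0 op0 c1) op1 c2) op2 c3 ... exactly, left to right.

    Each step mirrors one B, C, B, E sequence on the field, with D carrying the
    previous result into the next step as its first operand.  Fractions keep
    division exact so 6/4*... style intermediates are not lost to rounding.
    """
    acc = Fraction(consts[0])
    for op, c in zip(ops, consts[1:]):
        if op == "/" and c == 0:
            return None
        acc = OPS[op](acc, Fraction(c))
    return acc


def render(consts, ops):
    """Render the chain with explicit parentheses so the evaluation order is visible."""
    expr = str(consts[0])
    for op, c in zip(ops, consts[1:]):
        expr = f"({expr} {op} {c})"
    return expr


def solve(constants=CONSTANTS, target=TARGET):
    """Return every chained expression that uses all constants once and equals target."""
    found = set()
    for consts in permutations(constants):
        for ops in product(OPS, repeat=len(consts) - 1):
            if evaluate_chain(consts, ops) == target:
                found.add(render(consts, ops))
    return sorted(found)


if __name__ == "__main__":
    for expr in solve():
        print(expr, "=", TARGET)
```

Because every solution is a full permutation of the constant set, a three-constant route such as (3-1)*6 can only appear when the solver is called with that smaller set, which is exactly the restriction the keygenme imposes by requiring all ID = B fields to be used.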



The command sequence for passing the first layer:

CIIAIPCPPPCCCIIIAIA--AD



Passing the second and third layers is closely interrelated, so there is a single sequence for both at once:

CCCAAAAII---AAPPPDC-AUIIICC---PPAADCI---APUIIPPDIC-PAUIIDIAD



The sequence for the fourth layer:

PAICP--CPIUC-ADIICAI-ICAAAAPAD



And finally, for the fifth and last layer:

CCP-A-II-CC-PP-AAA-II-CCC-PP-AAP-IIII-PCC-P-



Altogether this gives the serial:

CIIAIPCPPPCCCIIIAIA--ADCCCAAAAII---AAPPPDC-AUIIICC---PPAADCI---APUIIPPDIC-PAUIIDIADPAICP--CPIUC-ADIICAI-ICAAAAPADCCP-A-II-CC-PP-AAA-II-CCC-PP-AAP-IIII-PCC-P-



Enter it into the keygenme and receive the congratulations.





As a supplement to the article, two videos show the passage of all layers of the cube in binary and pseudographic form.



To analyse the contents of the cube after each character was processed, a simple DLL was written and injected into the keygenme's address space.

Source: https://habr.com/ru/post/180919/
