Archive for the ‘Solution for Zart’s mishka tribute’ Category


One of my first keygenmes in a long time. It was made to give newbies a chance at getting into keygenning and hopefully lead into harder and harder ones.

Make a keygen; do whatever you need to for this, just submit the solution and keygen.

Serial fishing should be extremely easy, but then again – that wasn’t the point, was it?

Difficulty: 1 – Very easy, for newbies
Platform: Windows
Language: C/C++

Download keygenme : http://www.crackmes.de/users/zart/mishka_tribute

————–
Solution :
///////////////////////////////////////////////////////////////////////////////////////////
Program : Zart’s Keygenme
Description : make a keygen, do whatever you need to for this, just submit solution and keygen.
Tools : IDA, OllyDbg
Difficult : Easy
Packer/Protector/Compiler : N/A
Objective : Keygen
Cracker : kienmanowar{REATEAM}
///////////////////////////////////////////////////////////////////////////////////////////

1. First, run this keygenme. Wow, I hear a nice tune :). Input Name and Serial, then press Enter, and blah blah, the crackme disappears. No nag 😦

2. Load it into Olly and search all referenced text strings... nothing special. Okay, fire up IDA, analyze this keygenme and open Strings (Shift-F12). I found the Good Boy 😀

.data:00407028 szSerialcheckedout-nowrightakeygen_ db 0Ah ; DATA XREF: _main+15Ao_main
.data:00407028 db 'Serial checked out - now right a keygen.',0Ah,0

3. Double-click the _main+15A xref and we are back in the asm code.

.text:00401246 push offset szSerialcheckedout-nowrightakeygen_ ; "\nSerial checked out - now right a keyge"...
.text:0040124B jmp short loc_401252 ; Jump
.text:0040124B
.text:0040124D ; ---------------------------------------------------------------------------
.text:0040124D
.text:0040124D loc_40124D: ; CODE XREF: _main+158j
.text:0040124D push offset szSerialfailedcheck ; "\nSerial failed check!\n"
.text:0040124D

4. OK, reload this keygenme in Olly and press Ctrl+G to go to 0x00401246. Scroll up and set a BP at the beginning of this sub (_main):

004010EC >/$ B8 69414000 MOV EAX, ; _main <== set BP here
004010F1 |. E8 DA2E0000 CALL
004010F6 |. 83EC 24 SUB ESP, 24
004010F9 |. 53 PUSH EBX

5. Press F9 to run and we stop at the BP. Trace down until we reach the code that reads the characters of the Name and the Serial. It polls _kbhit, fetches one key with _getch, echoes it through cout and, while we are still on the Name ([EBP-1C] == 0), appends it to a std::string at [EBP-30]. Look closely at the arguments of the append call at 0x401206: the char ([EBP-18]) and the running count ([EBP-14]) are pushed, i.e. append(count, ch), so the character typed at position i is appended i times and the first character is never stored at all. Here it is:

0040119A >|> /FF15 9C604000 /CALL NEAR DWORD PTR DS:[] ; [loc_40119A
004011A0 |. |85C0 |TEST EAX, EAX
004011A2 |.^ 74 F6 |JE SHORT
004011A4 |. |FF15 98604000 |CALL NEAR DWORD PTR DS:[] ; [_getch
004011AA |. |837D E4 00 |CMP DWORD PTR SS:[EBP-1C], 0
004011AE |. |8845 E8 |MOV BYTE PTR SS:[EBP-18], AL
004011B1 |. |75 5E |JNZ SHORT
004011B3 |. |3C 0D |CMP AL, 0D
004011B5 |. |75 33 |JNZ SHORT
004011B7 |. |837D EC 00 |CMP DWORD PTR SS:[EBP-14], 0
004011BB |. |75 0F |JNZ SHORT
004011BD |. |8B0D 10604000 |MOV ECX, DWORD PTR DS:[] ; MSVCIRT.cout
004011C3 |. |68 60704000 |PUSH keygenme.00407060 ; ASCII 0A,"You must enter a name!\n Name: "
004011C8 |. |FFD6 |CALL NEAR ESI
004011CA |.^ EB CE |JMP SHORT
004011CC >|> |8B0D 10604000 |MOV ECX, DWORD PTR DS:[] ; loc_4011CC
004011D2 |. |68 54704000 |PUSH keygenme.00407054 ; ASCII "Serial: "
004011D7 |. |C745 E4 01000000 |MOV DWORD PTR SS:[EBP-1C], 1
004011DE |. |FFD6 |CALL NEAR ESI
004011E0 |. |50 |PUSH EAX
004011E1 |. |FF15 18604000 |CALL NEAR DWORD PTR DS:[] ; MSVCIRT.flush
004011E7 |. |59 |POP ECX
004011E8 |.^ EB B0 |JMP SHORT
004011EA >|> |FF75 E8 |PUSH DWORD PTR SS:[EBP-18] ; loc_4011EA
004011ED |. |8B0D 10604000 |MOV ECX, DWORD PTR DS:[] ; MSVCIRT.cout
004011F3 |. |FFD7 |CALL NEAR EDI
004011F5 |. |50 |PUSH EAX
004011F6 |. |FF15 18604000 |CALL NEAR DWORD PTR DS:[] ; MSVCIRT.flush
004011FC |. |59 |POP ECX
004011FD |. |FF75 E8 |PUSH DWORD PTR SS:[EBP-18]
00401200 |. |8D4D D0 |LEA ECX, DWORD PTR SS:[EBP-30]
00401203 |. |FF75 EC |PUSH DWORD PTR SS:[EBP-14]
00401206 |. |FF15 24604000 |CALL NEAR DWORD PTR DS:[<&MSVCP60.std::basic_string; MSVCP60.std::basic_string<char,std::char_traits,std::allocator >::append
0040120C |. |FF45 EC |INC DWORD PTR SS:[EBP-14]
0040120F |.^ EB 89 |JMP SHORT
00401211 >|> |3C 0D |CMP AL, 0D ; loc_401211
00401213 |. |74 23 |JE SHORT
00401215 |. |FF75 E8 |PUSH DWORD PTR SS:[EBP-18]
00401218 |. |8B0D 10604000 |MOV ECX, DWORD PTR DS:[] ; MSVCIRT.cout
0040121E |. |FFD7 |CALL NEAR EDI
00401220 |. |50 |PUSH EAX
00401221 |. |FF15 18604000 |CALL NEAR DWORD PTR DS:[] ; MSVCIRT.flush
00401227 |. |59 |POP ECX
00401228 |. |8D049B |LEA EAX, DWORD PTR DS:[EBX+EBX*4]
0040122B |. |0FBE4D E8 |MOVSX ECX, BYTE PTR SS:[EBP-18]
0040122F |. |8D5C41 D0 |LEA EBX, DWORD PTR DS:[ECX+EAX*2-30]
00401233 |.^\E9 62FFFFFF \JMP

Analyze it and build the pseudocode in IDA:

while ( TRUE )
{
    while ( TRUE )
    {
        while ( !kbhit() )
            ;
        iKeyInput = getch();
        LOBYTE(iTempChar) = iKeyInput;
        if ( v18 )                          // v18 == 1: Name is done, we are reading the Serial
            break;
        if ( iKeyInput == Enter_key )
        {
            if ( iSize )
            {
                v18 = 1;
                szStr = ostream__operator__(cout, "\nSerial: ");
                flush(szStr);
            }
            else
            {
                ostream__operator__(cout, "\nYou must enter a name!\nName: ");
            }
        }
        else
        {
            v11 = ostream__operator__(cout, iTempChar);
            flush(v11);
            // append(count, ch): the character at index iSize is appended iSize times
            std__basic_string_char_std__char_traits_char__std__allocator_char____append(&szStrBuffer, iSize++, iTempChar);
        }
    }
    if ( iKeyInput == Enter_key )
        break;
    v12 = ostream__operator__(cout, iTempChar);
    flush(v12);
    szSerial = (char)iTempChar + 10 * szSerial - 48;   // decimal digits accumulated atoi-style
}

6. Continue tracing and analyzing the asm code; I stop here:

00401238 >|> \8D45 D0 LEA EAX, DWORD PTR SS:[EBP-30] ; loc_401238
0040123B |. 50 PUSH EAX ;
0040123C |. E8 BFFDFFFF CALL ; <== Trace Into

7. Trace into the call (its target is 0x401000), which I renamed sub_calculate_serial():

00401005 |. 33C0 XOR EAX, EAX ; <== eax = 0
00401007 |. 33F6 XOR ESI, ESI ; <== esi = 0
00401009 |. 8B51 08 MOV EDX, DWORD PTR DS:[ECX+8] ; <== Length(szTempString)
0040100C |. 57 PUSH EDI
0040100D |. 85D2 TEST EDX, EDX
0040100F |. BF BA430000 MOV EDI, 43BA ; <== edi = 0x43BA
00401014 |. 76 25 JBE SHORT
00401016 |. 53 PUSH EBX
00401017 |. 8B59 04 MOV EBX, DWORD PTR DS:[ECX+4] ; <== pointer to the string data
0040101A |> 8B0D 2C604000 /MOV ECX, DWORD PTR DS:[<&MSVCP60.`std::basic_string...>] ; loc_40101A, _C: used if the data pointer is NULL
00401020 |. 85DB |TEST EBX, EBX
00401022 |. 74 03 |JE SHORT
00401024 |. 8D0C33 |LEA ECX, DWORD PTR DS:[EBX+ESI]
00401027 >|> 0FBE09 |MOVSX ECX, BYTE PTR DS:[ECX] ; <== ecx = szTempString[i]
0040102A |. 0FAFC7 |IMUL EAX, EDI ; <== eax = eax * edi
0040102D |. 03C1 |ADD EAX, ECX ; <== eax = eax + ecx
0040102F |. 69FF FAE60600 |IMUL EDI, EDI, 6E6FA ; <== edi = edi * 0x6E6FA
00401035 |. 46 |INC ESI ; <== esi++
00401036 |. 3BF2 |CMP ESI, EDX ; <== while esi < Length(szTempString)
00401038 |.^ 72 E0 \JB SHORT ; <== Then continue

Build the pseudocode:

int iReaKey; // eax@1
unsigned int iLenszStrBuffer; // edx@1
unsigned int iInit; // edi@1
unsigned int iIndex; // esi@1
int v5; // ebx@2
void *szChar; // ecx@3

iReaKey = 0;
iIndex = 0;
iLenszStrBuffer = *(_DWORD *)(a1 + 8); // length of szStrBuffer (a1 is the std::string)
iInit = 0x43BAu;                        // multiplier, changes every round
if ( iLenszStrBuffer )
{
    v5 = *(_DWORD *)(a1 + 4);           // pointer to the szStrBuffer data
    do
    {
        szChar = _C;                    // empty-string placeholder if the data pointer is NULL
        if ( v5 )
            szChar = (void *)(v5 + iIndex); // current char of szStrBuffer
        iReaKey = *(_BYTE *)szChar + iInit * iReaKey; // 32-bit, wraps like the registers
        iInit *= 0x6E6FAu;
        ++iIndex;
    }
    while ( iIndex < iLenszStrBuffer );
}
return iReaKey;

8. After tracing and analyzing all the asm code, here is the source of my keygen for this keygenme (a dialog with two edit controls, IDC_Name and IDC_Serial):

char szName[64] = {0};
char szSerial[64] = {0};
char szTempString[128] = {0};   // expanded name: character i repeated i times
char szTemp[64] = {0};
int i = 0, j = 0, LenUser = 0, iRealKey = 0, iMul = 0;

// Pass the real buffer size: szName is 64 bytes, so 70 would allow an overflow.
LenUser = GetDlgItemText(IDC_Name, szName, sizeof(szName));
// 14 chars expand to 0+1+...+13 = 91 bytes, which still fits in szTempString.
if (LenUser < 1 || LenUser > 14)
{
    MessageBox("----------===== Your name must be at least 1 char ====---------- \n\n ----------===== But not over 14 chars ====---------- ",
               "Hey !! Please input your name again !! ");
}
else
{
    // Mirror of std::string::append(iSize, ch): character i is appended i times.
    for (i = 0; i < LenUser; i++)
    {
        for (j = i; j > 0; j--)
        {
            szTemp[j - 1] = szName[i];
        }
        strncat(szTempString, szTemp, i);
    }

    // Mirror of sub_calculate_serial: eax = eax * edi + ch; edi *= 0x6E6FA (32-bit wrap).
    // The multiplier is kept in iMul so nothing depends on esi/edi surviving
    // between the _asm blocks.
    LenUser = strlen(szTempString);
    iRealKey = 0;
    iMul = 0x43BA;
    for (i = 0; i < LenUser; i++)
    {
        _asm
        {
            mov   eax, iRealKey
            mov   edi, iMul
            mov   esi, i
            lea   ecx, dword ptr [szTempString]
            movsx ecx, byte ptr [ecx + esi]
            imul  eax, edi
            add   eax, ecx
            imul  edi, edi, 0x6E6FA
            mov   iRealKey, eax
            mov   iMul, edi
        }
    }
    // The serial reader only accumulates decimal digits (ch + 10*acc - 48),
    // so print the value unsigned: a "-" could never be typed back in.
    wsprintf(szSerial, "%u", iRealKey);
}

SetDlgItemText(IDC_Serial, szSerial);

********************************
Right key
UserName: kienmanowar
Serial : 114
********************************
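The following is an added example, not code from the keygenme or from the original writeup. It is a stand-alone C keygen that mirrors the two pieces traced above, the append(count, ch) name expansion of step 5 and the hash of step 7, and it shows why the check degenerates: both 0x43BA and 0x6E6FA are even, so the multiplier picks up one factor of two per round and is zero mod 2^32 after 31 multiplications. From buffer index 31 on the hash is just the current byte, so any name of 9 or more characters (expanded buffer of 36+ bytes) has the ASCII code of its last character as its serial; that is exactly why "kienmanowar" gives 114 ('r'). One assumption, because the compare itself is not shown in the writeup: the keygenme tests the 32-bit return value of sub_401000 against the serial typed as unsigned decimal digits.

```c
/* Added example, not the keygenme's or the writeup author's code.
 * Assumption: the check is 32-bit equality between sub_401000's return
 * value and the serial parsed as unsigned decimal digits. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 64                                   /* longer names are rejected */
#define MAX_BUF  (MAX_NAME * (MAX_NAME - 1) / 2 + 1)  /* n chars expand to n*(n-1)/2 bytes */

/* Step 5: character i (0-based) is passed to std::string::append(i, ch), so it
 * is stored i times and the first character is never stored at all.
 * Returns the expanded length, or (size_t)-1 if it would not fit in out. */
static size_t expand_name(const char *name, char *out, size_t outsz)
{
    size_t n = strlen(name), pos = 0;
    for (size_t i = 0; i < n; i++) {
        if (pos + i >= outsz)           /* keep room for the terminator */
            return (size_t)-1;
        memset(out + pos, (unsigned char)name[i], i);
        pos += i;
    }
    out[pos] = '\0';
    return pos;
}

/* Step 7, the loop at 0x401027..0x401038. uint32_t arithmetic wraps exactly
 * like IMUL/ADD on 32-bit registers, which is what makes the check degenerate. */
static uint32_t serial_hash(const char *buf, size_t len)
{
    uint32_t eax = 0, edi = 0x43BA;
    for (size_t i = 0; i < len; i++) {
        eax = eax * edi + (uint32_t)(int32_t)(signed char)buf[i]; /* MOVSX, IMUL, ADD */
        edi *= 0x6E6FA;
    }
    return eax;
}

/* 0x43BA = 2 * 8669 and 0x6E6FA = 2 * 226173 are both even, so edi gains one
 * factor of two per round. Returns how many multiplications it takes until
 * edi == 0 mod 2^32; from that buffer index on, eax = 0 * eax + ch. */
static int multiplier_dies_after(void)
{
    uint32_t edi = 0x43BA;
    int rounds = 0;
    while (edi != 0) {
        edi *= 0x6E6FA;
        rounds++;
    }
    return rounds;
}

/* Serial for a name as a 32-bit value. Returns 0 and leaves *serial untouched
 * if the name is empty or too long. */
static int serial_for_name(const char *name, uint32_t *serial)
{
    char buf[MAX_BUF];
    size_t n = strlen(name);
    if (n < 1 || n >= MAX_NAME)
        return 0;
    size_t len = expand_name(name, buf, sizeof buf);
    if (len == (size_t)-1)
        return 0;
    *serial = serial_hash(buf, len);
    return 1;
}

/* Same value, formatted the only way the serial reader (ch + 10*acc - 48 at
 * 0x401228) can parse it: unsigned decimal digits, no sign. */
static int make_serial_string(const char *name, char *out, size_t outsz)
{
    uint32_t serial;
    if (!serial_for_name(name, &serial))
        return 0;
    snprintf(out, outsz, "%u", serial);
    return 1;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "kienmanowar";   /* the name used in the writeup */
    char serial[16];
    if (!make_serial_string(name, serial, sizeof serial)) {
        fprintf(stderr, "name must be 1..%d characters\n", MAX_NAME - 1);
        return 1;
    }
    printf("Name:   %s\nSerial: %s\n", name, serial);
    printf("multiplier is zero after %d rounds: any name of 9+ characters "
           "(expanded buffer >= 32 bytes) yields the last character's ASCII code\n",
           multiplier_dies_after());
    return 0;
}
```

Build with any C99 compiler and run it with a name as the first argument. Note the one-character edge case: the expansion stores the first character zero times, so the buffer is empty and the serial is 0; the original keygen in step 8 behaves the same way.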

That's all. Thanks for reading my tutorial.
Sorry for my bad English!!! 😐

--++--==[ Greatz Thanks To ]==--++--
My family, Computer_Angel, Moonbaby , Zombie_Deathman, Littleboy, Benina, QHQCrker,
the_Lighthouse, Merc, Hoadongnoi, Nini ... all REA‘s members, TQN, HacNho, RongChauA,
Deux, tlandn, light.phoenix, dqtln, ARTEAM .... all my friend, and YOU.

--++--==[ Thanks To ]==--++--
iamidiot, WhyNotBar, trickyboy, dzungltvn, takada, hurt_heart, haule_nth, hytkl, moth, XIANUA, nhc1987 v..v..

I want to thank Teddy Roggers for his great site, Reversing.be folks(especially haggar),
Arteam folks(Shub-Nigurrath, MaDMAn_H3rCuL3s) and all folks on crackmes.de, thank
to all members of unpack.cn (especially fly and linhanshi). Great thanks to lena151(I like your tutorials).
And finally, thanks to RICARDO NARVAJA and all members on CRACKSLATINOS.

>>>> If you have any suggestions, comments or corrections email me: kienmanowar[at]reaonline.net