cyrex’s Easy Math Keygenme
crackme is packed, symbol table is missing, no anti-debug
- make a keygen (mhh)
- find a valid name/serial pair (easy)
- No patching. have fun
Difficulty: 2 - Needs a little brain (or luck)
Platform: Unix/linux etc.
Language: C/C++
some SOPs:
we know the crackme is packed from the author's description. maybe "strings" can tell us which packer? so let's try that.
misha@heaven ~/cyrex $ strings keygenme
Linux
$Info: This file is packed with the UPX executable packer http://upx.sf.net $
$Id: UPX 1.25 Copyright (C) 1996-2004 the UPX Team. All Rights Reserved. $
... snipped ...
UPX!
j!Xj
/tmp/upxAAAAAAAAAAA
... snipped ...
UPX!
it has been packed with the UPX[1] packer (strace also showed the typical UPX stub running at the start). fortunately we can unpack it, that is, restore the original binary and remove the UPX stub, with the -d switch of upx itself. after that, let's run "file" on the crackme.
misha@heaven ~/cyrex $ upx -d keygenme
Ultimate Packer for eXecutables
Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.24 Markus F.X.J. Oberhumer & Laszlo Molnar Nov 7th 2002
File size Ratio Format Name
-------------------- ------ ----------- -----------
435060 <- 184048 42.30% linux/386 keygenme
Unpacked 1 file.
misha@heaven ~/cyrex $ file keygenme
keygenme: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for
GNU/Linux 2.4.1, statically linked, stripped
the crackme is statically linked and stripped. we're practically looking at a dead listing at the very least. unless we restore the stripped symbols, we'll have to exert extra effort to determine what every function call does (the statically linked libc alone adds hundreds of unnamed functions). there are tools like the dress utility from project fenris[2] to aid in symbol restoration, but for this example i created a libc fingerprint (a FLIRT signature file)[3] for ida[4], which should at least provide the relevant libc symbols we'll encounter.
analysis proper:
fire up ida and load the crackme. let’s start interpreting things shall we?
<optional>
press shift+f5 (the signatures window), then press insert. choose
the correct library signature from the list of signatures and apply it by
pressing enter. after a few seconds the analysis will be completed, with
the updated symbols.
</optional>
0x08048214 - 0x080482d2
jump to 0x08048214, which is the address of the crackme's main() function. it saves the byte value 0xc0 to a local variable (this constant is used by the encryption below). we notice a couple of printf()s which print the banner and the prompt "enter name:". then fgets(username, 16, stdin) gets called for user input (note that fgets keeps the trailing newline in the buffer), followed by an fflush(stdin), which the C standard leaves undefined for input streams but which the crackme relies on. the same goes for the serial input.
0x080482D5 - 0x0804835C
it then enters a loop that strips spaces from the serial input and null-terminates the result afterwards.
0x0804835F - 0x080483C5
this block encrypts the username. it roughly goes:
char tmp;
int x;
/* first pass, byte-wise: encrypted[x] = (c * c) ^ c ^ 0xc0, with c = username[x]
 * (0xc0 is the constant saved in main(); the arithmetic wraps at 8 bits) */
for (x = 0; x < strlen(username); x++) {
    tmp = username[x];
    tmp *= tmp;
    tmp ^= username[x];
    tmp ^= 0xc0;
    encrypted[x] = tmp;
}
0x080483C7 - 0x08048424
then the encrypted username is modified (or further encrypted) like so:
/* second pass. encrypted[2] is itself overwritten when x == 2, so the
 * iterations after it multiply with the new value, and the bound is
 * strlen(encrypted), so a zero byte in the buffer ends the loop early. */
for (x = 0; x < strlen(encrypted); x++) {
    tmp = encrypted[2];
    tmp *= username[3];
    tmp ^= encrypted[x];
    tmp ^= 0xc0;
    encrypted[x] = tmp;
}
0x08048426 - 0x08048455
four selected bytes of the encrypted username are used as arguments to sprintf(); these are indices 1, 2, 2 and 4. each char is promoted to int before the call, so a byte of 0x80 or above shows up sign-extended (on this 32-bit target %p prints a 32-bit value), which is where fields like 0xffffff9c in a serial come from.
sprintf(serial, "%p-%x-%x-%p", encrypted[1], encrypted[2], encrypted[2], encrypted[4]);
0x0804846C - 0x080484A3
finally, we reach the part where the "user serial" buffer (with spaces removed) is compared against the "encrypted serial" computed from the name we typed.
if (strcmp(user_serial, serial) == 0) {
printf("- Registered Successfully -\n");
} else {
printf("Try Again!\n");
}
so we've translated the disassembly listing to c. now it's a matter of copying the logic to make a keygenerator.
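an added keygen, written here from the reconstructed logic above (it is not cyrex's code nor the getkey tool used further down). it assumes the name is passed without the newline fgets() would leave in the buffer, that it is at least 5 bytes long (indices 1 to 4 and username[3] are read), and that the target libc prints "(nil)" for a %p of zero, which is glibc behaviour. the 32-bit sign extension of the char arguments is emulated explicitly so the output matches the crackme even on a 64-bit host.

```c
/* keygen for cyrex's Easy Math Keygenme, reconstructed from the C above.
 * Added example, not the author's getkey. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 15 /* fgets(username, 16, stdin) leaves room for 15 chars */

/* The 32-bit target promotes a signed char to int before sprintf(), so a byte
 * >= 0x80 is printed sign-extended (0x9c -> 0xffffff9c). Emulate that here
 * independent of the host's char signedness and pointer size. */
static uint32_t widen(uint8_t b) {
    return (uint32_t)(int32_t)(int8_t)b;
}

/* Format one "%p" field the way glibc on i386 does: "0x" plus lower-case hex,
 * or "(nil)" for a zero value (glibc behaviour, assumed). */
static void fmt_ptr(char *out, size_t n, uint32_t v) {
    if (v == 0)
        snprintf(out, n, "%s", "(nil)");
    else
        snprintf(out, n, "0x%" PRIx32, v);
}

/* Run both encryption passes over name into enc[]. Returns 0 on success, -1 if
 * the name does not fit the crackme's buffer or is too short to be meaningful. */
static int encrypt_name(const char *name, uint8_t enc[NAME_MAX_LEN + 1]) {
    size_t len = strlen(name);
    if (len < 5 || len > NAME_MAX_LEN)
        return -1;
    memset(enc, 0, NAME_MAX_LEN + 1);

    /* pass 1: enc[x] = (c*c) ^ c ^ 0xc0, all arithmetic mod 256 */
    for (size_t x = 0; x < len; x++) {
        uint8_t c = (uint8_t)name[x];
        enc[x] = (uint8_t)((uint8_t)(c * c) ^ c ^ 0xc0);
    }

    /* pass 2: bounded by strlen(encrypted) on every iteration, exactly like the
     * reconstructed loop, so a zero byte stops it early; enc[2] is rewritten at
     * x == 2 and the later iterations use the new value. */
    for (size_t x = 0; x < strlen((const char *)enc); x++) {
        uint8_t t = (uint8_t)(enc[2] * (uint8_t)name[3]);
        enc[x] = (uint8_t)(t ^ enc[x] ^ 0xc0);
    }
    return 0;
}

/* Build the serial "%p-%x-%x-%p" of enc[1], enc[2], enc[2], enc[4] into serial.
 * Returns 0 on success, -1 on a bad name or a too-small output buffer. */
int keygen(const char *name, char *serial, size_t serial_len) {
    uint8_t enc[NAME_MAX_LEN + 1];
    char p1[16], p4[16];
    if (encrypt_name(name, enc) != 0)
        return -1;
    fmt_ptr(p1, sizeof p1, widen(enc[1]));
    fmt_ptr(p4, sizeof p4, widen(enc[4]));
    int n = snprintf(serial, serial_len, "%s-%" PRIx32 "-%" PRIx32 "-%s",
                     p1, widen(enc[2]), widen(enc[2]), p4);
    return (n < 0 || (size_t)n >= serial_len) ? -1 : 0;
}

/* Convenience wrapper: returns a pointer to a static serial buffer, or NULL. */
const char *serial_for(const char *name) {
    static char serial[64];
    return keygen(name, serial, sizeof serial) == 0 ? serial : NULL;
}

int main(int argc, char **argv) {
    const char *serial = argc == 2 ? serial_for(argv[1]) : NULL;
    if (serial == NULL) {
        fprintf(stderr, "usage: %s <name of 5 to 15 characters>\n", argv[0]);
        return 1;
    }
    printf("username : %s\nserial   : %s\n", argv[1], serial);
    return 0;
}
```

a name like "larry the cow" yields 0x2c-3a-3a-0xffffff9c, the pair used in the session below; the fourth field is the sign-extended byte 0x9c, which a naive keygen that prints unsigned bytes would get wrong.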
trying things out:
misha@heaven ~/cyrex $ ./getkey
username : larry the cow
serial : 0x2c-3a-3a-0xffffff9c
misha@heaven ~/cyrex $ ./keygenme
======================================
| Easy Math Keygenme | by cyrex | Good Luck!
\__ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __/
-=[ Enter Name: larry the cow
-=[ Enter Serial: 0x2c-3a-3a-0xffffff9c
- Registered Successfully -
links:
[1] http://upx.sourceforge.net/
[2] http://lcamtuf.coredump.cx/fenris/devel.shtml
[3] http://www.esnips.com/nsdoc/2d629ab1-9a79-4979-bb51-bc027393d6df
[4] http://www.datarescue.com
