crypto thought crackme #3

January 13th, 2003, 18:31
You want to generate serial numbers for an app.
The serial check goes like this:


Check signature on MD5 of serial number (gotten from the author). If it fails, return false.

word i;
qword state;

usernamelen = length of username from the textbox
state = (rand()<<48) + (rand()<<32) + (rand()<<16) + rand();
for (i=1; i<4096; i++) {
    // the low 3 bits of the current username character select the operation
    op = username[i mod usernamelen] & 7;
    switch (op) {
        case 0: state += rand(); break;
        case 1: state >>= 1; break;
        case 2: state -= rand(); break;
        case 3: state <<= 1; break;
        case 4: state += (1<<31); break;
        case 5: state >>>= 37; break;
        case 6: state <<<= 23; break;
        case 7: state += (1<<63); break;
    }
    state ^= (rand()<<48) + (rand()<<32) + (rand()<<16) + rand();
}

if (serial == state) return true;
else return false;

<<< is left rotate, BTW. You're willing to buy one signature. What's your attack plan?

(Remember, if you have the answer, rot13 it before posting, but you're free to post ideas in cleartext)

January 14th, 2003, 22:09
Here's my first hint:

Gur svefg cneg bs guvf, gur fvtarq ZQ5 bs gur frevny, vf haoernxnoyr (hayrff arbcebwrpg gnxrf penpxvat ZQ5 ba vafgrnq bs gelvat sbe na EFN xrl--V guvax gung jbhyq or ernyyl pbby)

Gung zrnaf lbh'ir tbg bar frevny ahzore gb jbex jvgu. Gur frevny ahzore vf ragveryl qrgrezvarq ol gur hfreanzr. Jung cebcregvrf fubhyq gur hfreanzr unir?

January 15th, 2003, 02:42

Nf sne nf v Xabj...

Gur ZQ5 nytb gnxr na vachg zrffntr bs na neovgenel yratgu naq cebqhpr nf bhgchg n
zrffntr qvtrfg (svatrecevag) bs svkrq yratgu bs 128ovgf. Lbh pna'g cebqhpr gjb
qvssrerag zrffntrf hfvat gur fnzr svatrecevag.

Nf lbh fnvq, ZQ5 nytb vf n bar-jnl shapgvba. Pna'g or erirefrq.

Fb, gur Hfreanzr zhfg or havdhr sbe rnpu yvprapr, evtug ?

Vs jr tbg gur hfreanzr, jr pna evc gur vavgvnyvfngvba cunfr sebz gur nccyvpngvba
(nccraq cnqqvat ovgf, nccraq yratgu, rgp.. nf qrfpevorq va gur rkpryyrag Mnveba'f
cncre nobhg gung) gb frr jvgu jvpu inyhrf vg qrnyf. Bapr jr tbg gur inyhrf, jr fubhyq
or noyr gb pbzchgr n pbeerpg frevny sbe nal hfreanzr.


January 15th, 2003, 03:03
I decided this comment was worth sharing...

As far as I know...

The MD5 algo take an input message of an arbitrary length and produce as output a message digest (fingerprint) of fixed length of 128 bits. You can't produce two different messages using the same fingerprint.

As you said, MD5 algo is a one-way function. Can't be reversed.

So, the Username must be unique for each licence, right ?

Note that only the hash of the serial is signed, not the serial itself or the username. Can you prove that there's a one-to-one relationship between a username and serial? If so, can you break the system? If not, does one username generate many serial numbers, or are there many usernames that give one serial?

If we got the username, we can rip the initialisation phase from the application (append padding bits, append length, etc.. as described in the excellent Zairon's paper about that) to see with which values it deals. Once we got the values, we should be able to compute a correct serial for any username.


You don't need to do anything with MD5 to find out the correct serial for the username; it's the algorithm I gave.

January 15th, 2003, 05:32
OK, thanks for pointing out my misunderstanding on this one..

Will have to think again about it....


January 15th, 2003, 12:02
Whfg n pbhcyr fznyy thrffrf:

Svefg, gurer vf PEP32 ba gur hfreanzr. Guvf pbhyq or creuncf hfrq gb trarengr n qvssrerag hfreanzr sbe n tvira frevny....

Nyfb, enaq() vf hfrq n ybg urer. Vs vg'f n jrnx enaq vg znl or na nggnpx cbvag.


January 15th, 2003, 14:58
Vz tbvat gb iragher n thrff gung svaqvat n frevny vfa'g ernyyl
bhe gnfx. Jung jr ernyyl jnag gb qb vf trarengr hfreanzrf gung
jvyy perngr gur frevny jr unq fvtarq. Nf zragvbarq va bar bs
gur rneyvre ceboyrzf, bapr lbh xabj gur qrfverq inyhr bs gur
PEP, lbh pna nyzbfg vafgnagyl trg gur erdhverq qngn inyhrf gb
znxr gung PEP. Gur gevpx gb guvf jbhyq or znxvat fher gur arj
hfreanzr unq gur fnzr ybjre 3 ovgf va rnpu punenpgre nf gur
bevtvany. Bar jnl nebhaq guvf jbhyq or gb znxr gur hfreanzr 4096 punef ybat (vs cbffvoyr). Gung jnl nyy lbh unir gb qb vf nccraq gur pbeerpg punenpgref gb gur raq gb svk gur PEP naq lbhyy unir
n inyvq frevny.

January 15th, 2003, 15:32
Kythen got it again! Avoid translating his post if you want to solve it yourself. nt20--flesh out your first suggestion and see what you come up with.