1. ## a simple cryptography crackme

This is very simple crackme,use some cryptography arihmetic.I hope you can learn something from this crackme.If you register succeeded,you will see a picture.

lordor
1.7

2. Hi lordor,
nice to see another crackme from you, thx :-)

The crackme wants a code/serial combination to be registered. The code box is already filled with a value obtained by this simple operation:
(Volume_Serial_Number xor 0xABCDE123) / 4

The serial box is not filled and it's another story...
I don't have solved it yet but, stepping a little through the program I notice that Rijndael algo is used. You can found a lot of informations about this block cipher at http://www.esat.kuleuven.ac.be/~rijmen/rijndael/

Back to the crackme. The code and the serial are both read at the beginning of the protection routine; after that there is a suspicious call:
Code:
00401286 PUSH crackme.0040E304         ; Arg2 = 0040E304 -> empty buffer
0040128B PUSH crackme.0040E374         ; Arg1 = 0040E374 -> the serial you have typed
00401290 LEA ECX,DWORD PTR SS:[ESP+24]
00401294 CALL crackme.004023B0
This call fills the buffer pointed by 40E304 with 16 bytes. The call encrypts the serial using Rijndael algo with 128 bit Key equals to:
0x01 0x03 0x05 0x07 0x09 0x01 0x02 0x06 0x07 0x08 0x09 0x00 0x07 0x03 0x07 0x08
How can I understand this fact? Well, there is not a specific rule to understand which algo is used but there are some facts that can guide you through the identification process. I.e. the initial xor between the key and the serial that produces 4 dword, the fact that these dword are used and changed in the next 9 rounds cycle, the 128 bit return value and so on...; little things all together.
Obviously, to be sure about the use of the rijndael algo I have tested the serial/key with my own rijndael simulation program, trying to verify my idea. If you are too lazy to write some lines in c (or in your preferred language) you can use a nice tool called CrypTool available from http://www.cryptool.com/
It does contains the implementations of the most common algos and it might help you in these cases.

After this algo and before the final check there is another call:
Code:
004012B9 PUSH crackme.0040E374   ; 40E374 points to an empty buffer
004012BE PUSH crackme.0040E304   ; 40E304 points to a string obtained from the mix
; of the serial and the rijndael returned bytes
004012C3 LEA ECX,DWORD PTR SS:[ESP+24]
004012C7 STOS WORD PTR ES:[EDI]
004012C9 CALL crackme.004026B0
Even this call seems to be another Rijndael algo; the call is *very* similar to the previous one and the key should be:
0x53 0xDD 0xFA 0x1A 0x2B 0x11 0xC5 0x75 0x38 0xC1 0xAE 0x8D 0xA5 0x0D 0x58 0x11
Unfortunately, this is not true or (maybe) I drown in a inch of water...

Is there someone that is working on this crackme that can help me?

ciao,
ZaiRoN

3. All what you found out is right as alwasy...:P
The crypto calls are the same only the key is different.

But the main problem is how to get pass this :

.text:004012DB jnz short loc_4012D6
.text:004012DD mov cl, byte_40E374
.text:004012E3 sub eax, edx
.text:004012E5 cmp cl, 30h
.text:004012E8 jnz loc_4013B1
.text:004012EE cmp byte_40E373[eax], 3Dh
.text:004012F5 jnz loc_4013B1
.text:004012FB cmp eax, 10h
.text:004012FE jnz loc_4013B1
.text:00401304 mov edx, dword_40E379

bye NeO

4. Hi NeO,
Originally Posted by NeO
The crypto calls are the same only the key is different.
Ok, you are right but it's not totally true. The call implements Rijndael algo but this time it decrypts the text using the same key used in the previous Rijndael call.
This is the structure of the main protection routine:
Code:
key = 0x01 0x03 0x05 0x07 0x09 0x01 0x02 0x06 0x07 0x08 0x09 0x00 0x07 0x03 0x07 0x08

Rijndael_encrypt(serial, key) = r1
r1 and serial are mixed using the call at 4012A3; rm1 is the result
Rijndael_decrypt(rm1, key) = r2
final_check...
Part of the final check was posted by Ne0; as you can see the first byte of r2 must be 0x30 and the last byte (the 16°) must be 0x03D. r2 has to satisfy another rule:
Code:
00401304 MOV EDX,DWORD PTR DS:[40E379] <-- edx takes char number 6,7,8 and 9 from r2
...
00401325 MOV DWORD PTR DS:[40E308],EDX <-- move them
0040132B MOV DL,BYTE PTR DS:[40E340]   <-- dl = the first char of the code in hex format
...
00401336 CMP DL,BYTE PTR DS:[40E308]   <-- char number 6 from r2 must be equal to dl
...
00401350 JNZ SHORT crackme.004013B1    <-- jump to error if not equals, otherwise: registered
That's all! Who wants to write the keygen? ;-)

ZaiRoN

5. Hello all ..

I think you need to write bruter for this...if there is any other way let me know :P

Hint:use serial_lenght 16 bytes(32letters)

Bye NeO

6. Hi Ne0,
you should be right, at the moment I can only see the brute force approach.

For those whom wants to try, here is one of the many implementations that I found on the net:
ftp://ftp.compapp.dcu.ie/pub/crypto/rijndael.c
In order to use it, you only need to modify the 'main' procedure, in particular to apply Rijndael you need to call these functions:
Code:
gentables();		// No params...
gkey(int,int,char *);	// For Rijndael 128bit you have to pass 4 and 4 as
// for the first 2 params; the 3° param is the key
and then one of:
Code:
encrypt(char *);	// Encrypts text passed as (char *)
decrypt(char *);	// Decrypts text passed as (char *)
Good luck!

ZaiRoN

7. Has anyone still got this crackme. The link points nowhere.

yaa

Regards,

9. I have update the attaching file

10. Originally Posted by lordor
I have update the attaching file
Code: 299068997
Key:9610BE12D6E4132827705794F435CF8C

pop up a box but no pics.

11. Originally Posted by schar
Code: 299068997
Key:9610BE12D6E4132827705794F435CF8C

pop up a box but no pics.

please see the showing pics's code again
or bpm the reg code,that will take some byte to cmp

12. Originally Posted by lordor
please see the showing pics's code again
or bpm the reg code,that will take some byte to cmp
this one works:
Code: 299068997
Key: 10F8C2C958F2076FD2C46F67D89FB319

lots of milk

#### Posting Permissions

• You may not post new threads
• You may not post replies
• You may not post attachments
• You may not edit your posts
•