Kremlin 1.1, a stupidly protected encryption utility
(An useful encryptor for our studies, btw)
(17 August 1997, slightly edited by Fravia)
Courtesy of Fravia's page
of reverse engineering
Well, it's pretty obvious how much important
this kind of targets are for our trade: encryption and decryption (in a broad
sense :-) are similar activities.
Yet I'm not happy with the fact that an
+HCU follower (and that's what Jon is, despite the fact that he is a newbye) has
not finished a good reverse engineering work... and await Jon's completation of
this essay... the scheme in Kremlin is indeed very easy to reverse: there is no
point in simply having ONE choice of encryption algorhytm if you can easily
have all of them... Jon, are you reading this?
Download Kremlin 1.1 at http://wwww.mach5.com/
I found this nice shareware utility a day I was searching for an encryption
utility. It looked pretty good, so I decided to try it.
Of course, like all shareware programs, it had a nag-screen and some
limitations. It didn't look too hard to crack, since it only uses a simple
registration-code scheme. I looked trough the help-file to find some hints,
and I found out that it had two types of registration-codes, one to
remove the nag, and one that not only removes the nag, but also enables all
encryption algorithms. I also found that both codes should be 10 digits long
(as you can see, it is always worth to check first of all the target's own
Since I'm not so familiar with Softice yet, I decided to try an easier way
to crack this target: the Windows registry approach.
I looked at HKEY_CURRENT_USER\Software\Mach5 Software\Kremlin, and found
something interesting: the key "glommer".
I tried to change its value to 10 random numbers (because the size of the
code is 10 numbers long), and then I started Kremlin.
The nag was gone!This is an incredible stupid protection scheme!
But there was still a problem: the "limitation" that the help file spoke of:
the strongest encryption-algorithms were still missing.
I tried everything in the program to find any hints, and then I noticed that
in the options-menu there was the option "Remember last algorithm used".
I checked it, selected an algorithm and encrypted a random file (to allow
the program to record the last algorithm used).
I quitted Kremlin, and started regedit.
Now there were quite a lot of new keys.
The most interesting was "actualalg" (actual algorithm).
I changed its value to 1, and started Kremlin, and now the before unselectable
"Blowfish" algorithm was selected and ready to use!
This means that you can change this value to select any one of the following
algorithms: ASCII=0, Blowfish=1, DES=2, IDEA=3, NewDES=4, Psuedo-RC4=5,
Safer=6 and Vigenere=7.
This protection-scheme is probably the most stupid that exist, since even a
newbie cracker, like myself, can quikly figure it out without using a debugger or
BTW, when you have edited the registry to use your favorite algorithm, and start
Kremlin, DON'T select another algorithm inside it, since that algorithm will then
be the default.
(c) jon 1997. All rights reserved
You are deep inside Fravia's page of reverse engineering,
choose your way out:
Is reverse engineering illegal?