SecureArtisan

My Road to Digital Forensics Excellence

crackme analysis

Posted by Paul Bobby on July 10, 2009

I’ve finished my analysis of the crackme I’ve been talking about for the last couple of posts.  The userid-to-serial manipulation is accomplished using Complex numbers.

The crackme is split into three parts:

  1. Userid manipulation
  2. Serial Code manipulation
  3. Complex number arithmetic against the manipulated Serial Code and manipulated Userid

Userid Manipulation is in four parts:

  1. Sum the ordinal values of each character in the userid – this value is used as the real part of a complex number (c6.real)
  2. The imaginary part of this complex number is (c6.real-1)*3
  3. Iterate through the userid as follows
    1. EAX=0x12345678
    2. for x in userid:
      1. eax = eax XOR x
      2. rotate EAX left by 5 bits (ROL EAX,5)
  4. Create a complex number out of two parts of the processed userid
    1. userid_complex.real = (EAX / 31337) AND 0xFFF
    2. userid_complex.imag = EAX % 31337

The following Python code accomplishes the UserID Manipulation:

```python
#
# Process the raw Userid in four steps
#
# userid munge part1: sum the ordinal value of every character
userid2 = 0
for x in userid:
    userid2 += ord(x)
userid_munge1 = userid2

# userid munge part2
userid2 = (userid2 - 1) * 3
userid_munge2 = userid2

# Userid munge part3: XOR each byte into EAX, then ROL EAX,5
EAX = 0x12345678
useridList = [ord(x) for x in userid]
useridList.append(0)  # the crackme also processes the string's NUL terminator
for EDX in useridList:
    EAX = EAX ^ EDX  # XOR EAX,EDX
    # ROL EAX,5 on a 32-bit register
    EAX = ((EAX << 5) | (EAX >> 27)) & 0xFFFFFFFF

# Userid munge part4
# Divide EAX by 0x7a69, or 31337 base10 🙂
EDX = EAX % 0x7a69   # EDX contains remainder from a DIV
EAX = EAX // 0x7a69  # integer quotient (// so this also holds on Python 3)
EAX = EAX & 0xfff
```

Serial Code Manipulation

The crackme reads in a serial code, 36 bytes in length. The code is manipulated by:

  1. Bytes 9,18,27,36 are reset to 0
  2. Each byte in the serial number is converted
    1. ord(byte) - 0x30
    2. shift the result left 4 times

```python
def processRawSerial(rawSerial):
    # Parse one group of hex digits from the serial into a 32-bit value
    EAX = 0
    for x in rawSerial:
        y = ord(x) - 0x30          # '0'..'9' -> 0..9
        if y > 0x0A:
            y = y - 7              # 'A'..'F' -> 10..15
        EAX = (EAX * 16) & 0xFFFFFFFF  # SHL EAX, 4 on a 32-bit register
        EAX = EAX | y
    return EAX
```

This function is used to produce the four parts of the serial number, serial1 through serial4.

Complex Numbers against the Serial Code and Userid

Python has built-in support for Complex numbers, making the following calculations very easy. Isn’t it interesting that I had a harder time coding Rotates and Shifts than I did complex arithmetic?

A series of complex number calculations are performed using the Serial Code, and a separate series is performed using the Userid. The two outcomes should be equal if the Serial Code is valid. Here are both processes.

  1. c3_real = 0
  2. c3_imag = 0x4e21
  3. c1 = (serial1+1J*serial2)
  4. c2 = (serial3+1J*serial4)
  5. c6 = (userid_munge1+1J*userid_munge2)
  6. uc = (userid_complex.real+1J*userid_complex.imag), i.e. the EAX and EDX values from userid munge part 4
  7. Loop:
    1. add 3 to c3_real
    2. subtract 2 from c3_imag
    3. c3 = (c3_real+1J*c3_imag)
    4. # Compute the serial number complex arithmetic
    5. sc1 = c3 * c3
    6. sc2 = c1 * c3
    7. c4 = sc1 + sc2
    8. c4 = c4 + c2
    9. # Compute the userid complex arithmetic
    10. sc1 = c3 + c6
    11. sc2 = c3 + uc
    12. c5 = sc1 * sc2
    13. if c5 != c4 then exit #wrong serial
    14. repeat the loop 6666 times

And that’s it. What follows will be the keygen.
