Thursday, 1 April 2010

Fyury's challenge - Keygenme

This dude saved my life. I thought I would get rusty forever doing only PHP. I was wrong! On the night of 6 January 2009 I decided to visit his blog, and there I found this (the original message is in French, so I translate it):
After a little call-up by Xylitol (thx), I decided to post my FooMe.

I presented it on FC, so I didn't see any point in putting it on the blog (according to the comments).

level : 0.5 || 1
secure : no packer ..
Anti-debugger (badly implemented)

Goals :

- Make a keygen. ( 1 )
- Find a serial for your own pseudo. (0.5 )


The article in question is currently down, but we'll go on without it. You can download the executable here: http://venom630.free.fr/geo/autre_chose/foome__fyuw/foome%20%7bpart%20I%7d.exe

I downloaded the package without a second thought. I focused only on the goals:
- Make a keygen. ( 1 )
- Find a serial for your own pseudo. (0.5 )


I thought I would never manage to make the keygen. It took several attempts, because I am someone who is always in a hurry. :)

So I extracted the package's contents into a folder and ran foome.exe:
C:\Documents and Settings\Geoffrey\Bureau\foome>"foome {part I}.exe"
[ foome part I by fyuw]

Login : Geo0w
pwd : 15612


I entered a random password. Then a wonderful MessageBox appeared and told me "You're a tapz". Fucking bullshit. I'll show you.

I rushed to open this fucking software in OllyDbg, and it didn't take long to find the most important code chunk:

00401431  |> C70424 2C30400>  MOV DWORD PTR SS:[ESP],foome_{p.0040302C       ; ||||ASCII "                 [ foome part I by fyuw]

Login : "
00401438  |. E8 C7060000      CALL <JMP.&msvcrt.printf>                      ; |||\printf
0040143D  |. 8D85 88FEFFFF    LEA EAX,DWORD PTR SS:[EBP-178]                 ; |||
00401443  |. 894424 04        MOV DWORD PTR SS:[ESP+4],EAX                   ; |||
00401447  |. C70424 5F30400>  MOV DWORD PTR SS:[ESP],foome_{p.0040305F       ; |||ASCII "%s"
0040144E  |. E8 A9060000      CALL <JMP.&msvcrt.scanf>                       ; ||\scanf
00401453  |. 8D85 88FEFFFF    LEA EAX,DWORD PTR SS:[EBP-178]                 ; ||
00401459  |. 890424           MOV DWORD PTR SS:[ESP],EAX                     ; ||
0040145C  |. E8 93060000      CALL <JMP.&msvcrt.strlen>
00401461  |. 83F8 04          CMP EAX,4                                      ; |
00401464  |. 77 1B            JA SHORT foome_{p.00401481                     ; |
00401466  |. C70424 6230400>  MOV DWORD PTR SS:[ESP],foome_{p.00403062       ; |ASCII "Need more 5 char..."
0040146D  |. E8 92060000      CALL <JMP.&msvcrt.printf>                      ; \printf
00401472  |. C785 84FEFFFF >  MOV DWORD PTR SS:[EBP-17C],0
0040147C  |. E9 F5000000      JMP foome_{p.00401576
00401481  |> 8D85 88FEFFFF    LEA EAX,DWORD PTR SS:[EBP-178]                 ; ||
00401487  |. 890424           MOV DWORD PTR SS:[ESP],EAX                     ; ||
0040148A  |. E8 65060000      CALL <JMP.&msvcrt.strlen>
0040148F  |. 83F8 0B          CMP EAX,0B                                     ; |
00401492  |. 76 1B            JBE SHORT foome_{p.004014AF                    ; |
00401494  |. C70424 7630400>  MOV DWORD PTR SS:[ESP],foome_{p.00403076       ; |ASCII "Need less 10 char..."
0040149B  |. E8 64060000      CALL <JMP.&msvcrt.printf>                      ; \printf
004014A0  |. C785 84FEFFFF >  MOV DWORD PTR SS:[EBP-17C],0
004014AA  |. E9 C7000000      JMP foome_{p.00401576
004014AF  |> C70424 8B30400>  MOV DWORD PTR SS:[ESP],foome_{p.0040308B       ; |||||ASCII "pwd : "
004014B6  |. E8 49060000      CALL <JMP.&msvcrt.printf>                      ; ||||\printf
004014BB  |. 8D85 B4FEFFFF    LEA EAX,DWORD PTR SS:[EBP-14C]                 ; ||||
004014C1  |. 894424 04        MOV DWORD PTR SS:[ESP+4],EAX                   ; ||||
004014C5  |. C70424 9230400>  MOV DWORD PTR SS:[ESP],foome_{p.00403092       ; ||||ASCII "%d"
004014CC  |. E8 2B060000      CALL <JMP.&msvcrt.scanf>                       ; |||\scanf
004014D1  |. 0FBE9D 8AFEFFF>  MOVSX EBX,BYTE PTR SS:[EBP-176]                ; |||
004014D8  |. 8D85 88FEFFFF    LEA EAX,DWORD PTR SS:[EBP-178]                 ; |||
004014DE  |. 890424           MOV DWORD PTR SS:[ESP],EAX                     ; |||
004014E1  |. E8 0E060000      CALL <JMP.&msvcrt.strlen>
004014E6  |. 89C2             MOV EDX,EAX                                    ; ||
004014E8  |. 89D0             MOV EAX,EDX                                    ; ||
004014EA  |. 01C0             ADD EAX,EAX                                    ; ||
004014EC  |. 01D0             ADD EAX,EDX                                    ; ||
004014EE  |. C1E0 09          SHL EAX,9                                      ; ||
004014F1  |. 01D0             ADD EAX,EDX                                    ; ||
004014F3  |. 01C3             ADD EBX,EAX                                    ; ||
004014F5  |. 8B85 A0FEFFFF    MOV EAX,DWORD PTR SS:[EBP-160]                 ; ||
004014FB  |. 890424           MOV DWORD PTR SS:[ESP],EAX                     ; ||
004014FE  |. E8 F1050000      CALL <JMP.&msvcrt.strlen>                      ; |\strlen
00401503  |. 29C3             SUB EBX,EAX                                    ; |
00401505  |. 89D8             MOV EAX,EBX                                    ; |
00401507  |. 83C0 0C          ADD EAX,0C                                     ; |
0040150A  |. 3985 B4FEFFFF    CMP DWORD PTR SS:[EBP-14C],EAX                 ; |
00401510  |. 74 33            JE SHORT foome_{p.00401545                     ; |
00401512  |. C74424 0C 0000>  MOV DWORD PTR SS:[ESP+C],0                     ; |
0040151A  |. C74424 08 9530>  MOV DWORD PTR SS:[ESP+8],foome_{p.004030>      ; |ASCII "Iz N0t da g00d password"
00401522  |. C74424 04 2730>  MOV DWORD PTR SS:[ESP+4],foome_{p.004030>      ; |ASCII "t4pZ"
0040152A  |. C70424 0000000>  MOV DWORD PTR SS:[ESP],0                       ; |
00401531  |. E8 06060000      CALL <JMP.&USER32.MessageBoxA>                 ; \MessageBoxA
00401536  |. 83EC 10          SUB ESP,10
00401539  |. C785 84FEFFFF >  MOV DWORD PTR SS:[EBP-17C],0
00401543  |. EB 31            JMP SHORT foome_{p.00401576
00401545  |> C74424 0C 0000>  MOV DWORD PTR SS:[ESP+C],0                     ; |
0040154D  |. C74424 08 AD30>  MOV DWORD PTR SS:[ESP+8],foome_{p.004030>      ; |ASCII "U win.. make a keygen"
00401555  |. C74424 04 2730>  MOV DWORD PTR SS:[ESP+4],foome_{p.004030>      ; |ASCII "t4pZ"
0040155D  |. C70424 0000000>  MOV DWORD PTR SS:[ESP],0                       ; |
00401564  |. E8 D3050000      CALL <JMP.&USER32.MessageBoxA>                 ; \MessageBoxA


I set a breakpoint at address 004014CC, the call to scanf() that reads the password from the standard input stream (the keyboard, if you like). I ran it, and another MessageBox(), this one titled "U sUck", told me once again that I'm a tapz. BITCH!

Without having read that there was an anti-debugging protection, I suspected there was something to bypass. Sure enough, I discovered this:
00401324  |. C785 98FEFFFF >MOV DWORD PTR SS:[EBP-168],foome_{p.0040>; |ASCII "OLLYDBG.EXE"
0040132E |. C785 9CFEFFFF >MOV DWORD PTR SS:[EBP-164],foome_{p.0040>; |ASCII "idag.exe"
00401338 |. C785 A0FEFFFF >MOV DWORD PTR SS:[EBP-160],foome_{p.0040>; |ASCII "windbg.exe"


Without hesitating, I modified the values in the dump:
- "OLLYDBG.EXE" becomes "yourmom.EXE" ;
- "idag.exe" becomes "stfu.exe" ;
- "windbg.exe" becomes "azerty.exe".

I ran it again, and there was no window. Who is the tapz? HAHA!

Then I entered Geo0w as the login and 2151 (picked at random) as the password.

I'm going on...

Without going into details, after stepping over several calls I arrived at this line:
0040150A  |. 3985 B4FEFFFF  CMP DWORD PTR SS:[EBP-14C],EAX


I looked at EAX: it contained 00001E76, which is 7798 in decimal.
I closed OllyDbg and the whole circus, then ran foome.exe from the command line:

C:\Documents and Settings\Geoffrey\Bureau\foome>"foome {part I}.exe"
[ foome part I by fyuw]

Login : Geo0w
pwd : 7798


A MessageBox() appeared again, but its message was different: "U win.. make a keygen", still under the title "t4pZ". This fucking bitch deserves a proper insult, like DR_KILLER. Go make me a fucking sandwich!

I apologize for the dirty talk. It's emotional, because it's the first keygen of my life. Yes, I'm getting on my own nerves, and I had forgotten that I thought I would never manage this. I rushed headlong.

I opened my friend OllyDbg again and once more patched the values in the dump so the anti-debugger would leave me alone.

And then, I set a breakpoint on:
004014CC  |. E8 2B060000    CALL <JMP.&msvcrt.scanf>


This line is the scanf() call that reads the password. So I ran it, entered "albert" as the login and "11111" as the password, and the program paused at my breakpoint. I traced the code:
004014E6  |. 89C2             MOV EDX,EAX                                    ; ||
004014E8  |. 89D0             MOV EAX,EDX                                    ; ||
004014EA  |. 01C0             ADD EAX,EAX                                    ; ||
004014EC  |. 01D0             ADD EAX,EDX                                    ; ||
004014EE  |. C1E0 09          SHL EAX,9                                      ; ||
004014F1  |. 01D0             ADD EAX,EDX                                    ; ||
004014F3  |. 01C3             ADD EBX,EAX                                    ; ||
004014F5  |. 8B85 A0FEFFFF    MOV EAX,DWORD PTR SS:[EBP-160]                 ; ||
004014FB  |. 890424           MOV DWORD PTR SS:[ESP],EAX                     ; ||
004014FE  |. E8 F1050000      CALL <JMP.&msvcrt.strlen>                      ; |\strlen
00401503  |. 29C3             SUB EBX,EAX                                    ; |
00401505  |. 89D8             MOV EAX,EBX                                    ; |
00401507  |. 83C0 0C          ADD EAX,0C                                     ; |
0040150A  |. 3985 B4FEFFFF    CMP DWORD PTR SS:[EBP-14C],EAX                 ; |


This last line is where the password we entered is compared with the real key. So I analyzed the assembly above this instruction and translated it into pseudocode (after several debugging sessions):

keygen <- length(login)
keygen <- keygen * 3
keygen <- keygen * 512
keygen <- keygen + length(login)   (thanks to UnKnOwN*DrAgOoN for reporting this omission)
keygen <- keygen + (integer value of) login[3]
keygen <- keygen - length("windbg.exe")
keygen <- keygen + 12

Here login[3] is the third character of the login, counting from 1 (login[2] in C): the MOVSX reads the byte at [EBP-176], two bytes past the start of the login buffer at [EBP-178]. "windbg.exe" is the string the anti-debugger code stored at [EBP-160], so its length (10) becomes part of the formula. Check with Geo0w: 5 * 3 * 512 = 7680, + 5 = 7685, + 'o' (111) = 7796, - 10 = 7786, + 12 = 7798, the value found in EAX above.


Finally, I programmed my keygen in C: http://venom630.free.fr/geo/autre_chose/foome__fyuw/keygen_c.txt. And it works.
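The author's keygen is only linked above. As an added example that is not the author's code, here is an equivalent keygen reconstructed from the disassembly on this page. The names foome_serial and foome_check are my own; the 5..11 login-length bounds come from the CMP EAX,4 / JA and CMP EAX,0B / JBE checks in the listing, the third-character read mirrors MOVSX EBX,BYTE PTR [EBP-176], and "windbg.exe" is the string the anti-debugger code leaves at [EBP-160].

```c
#include <stdio.h>
#include <string.h>

/* Login length bounds enforced by the target:
 *   CMP EAX,4  / JA    -> strlen(login) must be > 4
 *   CMP EAX,0B / JBE   -> strlen(login) must be <= 11
 * (the prompt says "Need less 10 char" but the code accepts 11). */
#define LOGIN_MIN 5
#define LOGIN_MAX 11

/* String the anti-debugger prologue stores at [EBP-160]; the serial routine
 * subtracts strlen() of it. The author's in-place patch to "azerty.exe" keeps
 * the length at 10, so serials computed under the debugger stay valid. */
static const char STR_AT_EBP_160[] = "windbg.exe";

/* Serial for a login, or -1 if the target would reject the login length.
 * Every accepted login yields a positive serial, so -1 is unambiguous. */
int foome_serial(const char *login)
{
    size_t len = strlen(login);
    if (len < LOGIN_MIN || len > LOGIN_MAX)
        return -1;

    int n = (int)len;                      /* EDX = strlen(login)            */
    int eax = n + n;                       /* ADD EAX,EAX   -> 2*len          */
    eax += n;                              /* ADD EAX,EDX   -> 3*len          */
    eax <<= 9;                             /* SHL EAX,9     -> 1536*len       */
    eax += n;                              /* ADD EAX,EDX   -> 1537*len       */

    /* MOVSX EBX,BYTE PTR [EBP-176]: the login buffer starts at [EBP-178],
     * so this is the THIRD character (login[2] in C), sign-extended. */
    int ebx = (signed char)login[2];
    ebx += eax;                            /* ADD EBX,EAX                     */
    ebx -= (int)strlen(STR_AT_EBP_160);    /* SUB EBX,EAX after strlen([EBP-160]) */
    return ebx + 12;                       /* ADD EAX,0C ; CMP [EBP-14C],EAX  */
}

/* Mirrors the final comparison: would the target show "U win.."? */
int foome_check(const char *login, int pwd)
{
    int expected = foome_serial(login);
    return expected != -1 && pwd == expected;
}

int main(int argc, char **argv)
{
    char login[64];
    if (argc > 1) {
        strncpy(login, argv[1], sizeof login - 1);
        login[sizeof login - 1] = '\0';
    } else {
        printf("Login : ");
        if (scanf("%63s", login) != 1)
            return 1;
    }
    int serial = foome_serial(login);
    if (serial < 0) {
        printf("login must be %d to %d characters\n", LOGIN_MIN, LOGIN_MAX);
        return 1;
    }
    printf("pwd : %d\n", serial);          /* "Geo0w" -> 7798, as read from EAX above */
    return 0;
}
```

Build with gcc -o keygen keygen.c and run ./keygen Geo0w; it prints 7798, the value the debugger showed in EAX. Because the routine subtracts strlen() of whatever sits at [EBP-160], a dump patch that changed that string's length would shift every serial computed under the debugger by the difference; the author's same-length replacements avoid that.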

Conclusion


A great experience. I thank Fyury a lot for this very interesting challenge. The proverb is clear and unequivocal: practice makes perfect.

Geo