[KEYGENME - EASY] Cracking Your First Program

Reverse Engineering Challenges
,
1

Welcome to my first challenge! If you’re interested in becoming a reverse engineer, it’s important that you have a strong background with low level data and can understand the process of disassembly and debugging.

Details of the Challenge

A friend of yours is an arts major but he hasn’t been making enough money for his software working as a McDonald’s cashier since he graduated. He has recently received a huge opportunity to showcase his computer-generated graphics skills for a gaming company and has been begging you, the master cracker, to crack the latest version of this new viral product on the market. The mission, should you choose to accept it, will be briefed ahead. As always, should you or any of your cracking team be caught, you will be jailed for the failure to comply to the Digital Millennium Copyright Act (DMCA) and your friend will disavow any knowledge of your actions. Good luck.

This challenge is known as a Keygenme and the goal of this type of challenge is to understand the algorithms associated with key generation (hence keygen). For this specific challenge, you must take the binary, open it up, figure out the algorithm and then create the necessary components to unlock the program. Please note that this is not a crackme so try to refrain from using methods such as binary patching as it defeats the entire purpose of the challenge.

Difficulty: 1/10

The Binary

Here is a base64 dump of keygenme.gz for Linux users. To recover the binary, use cat keygenme | base64 -d | gunzip >dump && chmod +x dump.

Original, normal mode(stripped):

H4sICGKT1VcAA2tleWdlbm1lAO1Yb2wUxxWfvVufN8n5fC4X6oRrOeAIpDIX23EIIaSNsYGQOASI
Ia0gOc53e+zF51trdy/gCjXA4YBlObIqmi+JFFDabyRCihShJFJND0xp+eCmqGo/tfmru2AkK7Su
pQDX39uZtZeT8yGf6zm9nXnv/ea9tzNv9mbm1U1dmyVJYk7xMC8jbvsxWWmjuoHL21iE3cVWszBb
wnw2DzoMDCiCDkQ1kMkgL6gbfPcRWSFaBH6R0EmC7IK+RI0KY0TUnwW5XqkHvS0rRE0QNIN8Qu9B
FYI+BB1RCTyRT/gg0oDX4JuoE3ynS7f9Syu1oZaxDcdlhagJsiaXfgf0bJ7i4+7ZTujd8c1ANuN6
v4eymZ6Hsqk12UwufzBm6rFWrgsK/ZZtu8RYc5uNom9IjB3p1fHWH9/o/Wvd35evKP9uavDsscXX
9xH+LmHDHqsIfkL27jOfj1XHu9bV/gHoiSp+ZRXfWcVHqvi9Lp50T1fp76/i7wFNviYr9G4NDAOG
cUnSeKxl8a3PxU0rlcnF86aaYmm9X82x/rxlsjjkiWRvPKn1xtOJTJb1G5mclWbpZFY3VZY21EQK
IDJFSMOK9yUyOUj29+k5IYmzLV1bN3bEW2Nts62W2VYzH3svxtxjz4GT85Kog+IdQplMHc1Mr5A1
2LyX5QUftHkPe1XgbyIXfJhQ/ylZqYWhINVwEKIaE9tINQYjTDUmMEI18FGqkY+rqcY6eL4wqZQ+
h8EjxWSYseHCzUqlMjhm1ZRyEBYuKHuKs+NceURGr8pKBU+bX0neNWqW/4VulZUUhUa68oTNUzQa
hV8es3mKSqMULJ+1eYpOo+ktn7J5ilJbTfyozVO0Go1h+bDNU9TaOuL7wbZcf2no08IXU9u7d2oT
mHttHx47dmvPDmKd/h6Af6dH3b/hcLTo5s89CnNr2vAozPgOSMVz9CZ49+ldQ18WJhsvyVHSVSYu
F0c+INW5Ngd/fsYz9IfzXy+VJv4yk5eKH9odP3E6DnVGZafzJ5eLQ9MjH68ixOEnSMTyi2yYUjqE
EMdrSCZdvoHITgcxqfC/1Alk8WwgpEEg5QF0GS2beJLqi6nC5D71NK1l+NzbMnYJnqcwCOjxDarS
n25XKtCECoeiIZZfDPFtEhcgPkfZVz6DxzAAAPnRWaGxJiOkHOmMhofkaGkTN9III43MqqWq/sBS
x9aj0NoWgPz2lrB77QUYsVP72iMj3dEwAEFpov4DtsGyZnveujXX8/xszx8VCAsnwfpfXQA0hI9m
6dekJnPDXdG96sN19MZI0Tchvjw7paO7Xmip7H6+dC8iOlL8zX1I38nwcDbaPPK+HwNWagB6pKCg
+eD4+duewWlrFZ9XBLFuqCmKd1TQbKPpq5z8iICFS9Jj/83/s3AhvOel+IvFa3Wj7nKjKNbPO7fI
44r7xILx2uvbwwzWqw6kM1k1lkpYbJNh6Mb6yNZcUjcMNWlFoET/fDKpmub6SIee228krHw2YWX0
nLks8gs9v+oVNXJAzy0je0u8j9PCoO/bMaxR+n424EVp9UUR6QnUJ1FfYPzbTkX65U4mHVKkJX5Z
PiHx7yjWOFuH/qMECCibA/6n6++x5IPsZ/c//pPW6HLSPwk6jVe6myakPaAMejbW1Xh90kXYocW3
j3zBd4I5+vaA/7i3IxB8TW4PhAo12wLNnqcCofZiINg+HvC3Xwoo7RcDMiXEW6A/oq+HLZSFslAW
ykJZKP9fJYL9KRvke2jnjOoHnSzICjb57Cp2R9hL2Ge+JYz/59N5xw8+LPj/3K7oZ3DepLNZ9ijO
AqivgL8b9RDj5yH6v71X+KQ9CcNOk/53n2R8j0DH7R+CuuGX2l2o6SxFgS0SNf6qdT/k2FroFOcU
6umjPPbvW+j87LT/BptfgaZBPpz/F4MeAK0FbT42h9vS0bE+snpXTz5n5SNtsXWx1jUtj+VttuVB
LmAsZmqmZViJHhbD+U01+lksp1tqrH3j1jVWYr/g9ufysZ58BoflTIrZnJYwNRZLDeTMgT5eWwbX
vKIaJrZhdzBx6Aw1Szje6M9a5DCDp6UexDMNBiod270Ei6laPG0k+tS4ljLmON4jnjCMxADv4bRf
Thp2EIm+TBKOdct+cC/cYo9pslhS7+tTc9b3GHfKBZo7mnv7nkTi8+sU546EZLUCZ99nSHeey2VR
L3PhTgBHe8voPDi6t5lGvhCOcvWMsFfjwhH9VMRIOMrhK8CdYvy+QmJz9xmbGc9jwlHOZz0816vf
YxuoIvxSrk57eL47fj2C9jCe39SmHPd7+dpw+6XyMuP3HoSjNdLl5WvD/R7Emy4craluYY9wfhfu
kLBPfmjNnwRuxTzjd8CFGwNuDLhRFy4osEddOLpL2w7hUc+dOConXDj6xlz1zZ0V3H5fZ3P5UqKT
GnA758G94cLZ91u1/G6rGvdbF04DTgPu7Dy490ABxufYvu+qn9O5cXTcrhc4+ib6vwM3LvwSjg7Q
we/A/VmMCeHse776uTs+B0fzdtVlj+5fbs5jj+gfLhx9c2kCqseF6DMXrgm4piD3Ux1fSfgnHN0W
tAXv9Ovk/XXRbhY84aJVOIe8LvnPgZuex97/AItqRoawFQAA

Easy mode (includes symbols):

H4sICI4R1lcAA2tleWdlbm1lAO1ZbWwUxxmeXZ/tA87nMxiwgwmX9hBOC5czGOqQRuGwDTExHzEG
lEJZznd7vqvvw7rbAztCKXDmwwJLVpUfqfoRo0RVf1AlUlvktlELMR8lQpWDKvqjhbYqVHahlZu0
xFKA6/PuzO7tXZxK+e85vTv7zPvMvO+8M7M3O/vt1vZNkiQxI8mshBFyD9jsjchDVby8kbnZHFbP
nmRLWJmOIUfAgbhRgaQUZTZICaQTuPOozU6yAHiB0ElC9IS6JBPljJFQfebiensl5E2bnaQeBSsh
ZUIvI6uGvho6kglgkjJhgyQCfgS2SVqAWyy6HXe1kAP2HCdtdpKVKFtp0b8MPZshlXHzrAN6q3/T
KJu29O+ZWLTrmVhoVSyayPR500nvaq5zCf3mbbtErHmbNaJutYgd6X8/9ad0wzfeWfjOG1tv/XzP
pyNnqm51Et8u2tBj5cZPlP3kpb9dKPZ3neV+PmR5EX6+CLuL8C4LJl1zkf6JIjwP8t4Jm536UsUQ
IMQhSP1fx5S27UpaC0UTSiathlg42asmWG9GSzMF5YFgjxKM9CjhQDTGwsFYMq2ycEoNhKClNoiS
0pR4IJpASXc8mRAlCtvc3raxWVnt9Zl3jeZdA+Pz2SZGVkbkJDG/XcJvVzRaQbqQKKvWcQlLCFyl
Y5n1Cf5DjHcZgu8YsdnL0ZCLcgxMNeUYvBrKYa6OcvDclGOQPZRjzu3M3rdP/AENHR07WcfY6ezD
XC53/IJWOtGFwuwl+96xgjHMrbWhZm65HVcdLyfLEbqd/Auq5paTBxHSTY7rmDyJkOuTF3RMHkVo
ik2+q2PyLELDOTmiY/IwUk94WMfkacRH+Ahgwz/3D/41e2dqR2dHZOQEaXB5eXdk6XGsu9+A8J/w
sPV3us4zZsWja9DcKh8u2emyQ9LYKHmO/j7YNXg3e7/mqs1Dutz4tbGh86Qa9Rn8i9Py4PsX/7FM
Gv9wOiON/VKveMOoONjisRmVb1wbG3ww9N4KYhx5nopYZoFOs08chotXSqlMuvYxPDvrwgDC/jLD
kUWmI6SBI5P9qDI8mcaVVHemsvcPqGdpbcLmvoYLV2H5AoKAGu8jm/jgcS4HTXX2sKeaZRah+HdU
nEXxKM20yXO4nAYBJAcq2ym21Agph1o8dYM2z0Qrb6QGjdQwrZyyykPLjLa+Bq3eApifPhLt3tuD
RvRpfG/tUKenDgSXNF55nn1d08yajx7la140ay7NEhdGXJWvXQL1DlFvkJqaO93u2aeuqaAeY1p+
D8XXzCEd3rWnIbd758RCeHR07HItpuz9utMxj2/opw4EbGIp2ENZO26fvnLxsXz8gbaCjyucaBpc
6UEf7bhtpOHLvf4rImavSs9+kvlz9lLd3v3KN8fuVQxb08djYs289Ygs7qwVi4SekxLWZYr1qP3h
aEz1hgIaa02lkqn17rZEMJlKqUHNDSXqZ4JBNZ1e725OJrpTAS0TC2jRZCL9lPuVZGbFQdV9KJl4
itpbUvJcPePP4texLuk/owodpdXmgaenqBz5Jcaf1ZSkVzuYdNguLXHYbKck/pzEumYvov4RIjjt
m5yOLZXzNFsfe+GJ576y2vMl0m+AnEWX5tKA+J324/LGitKSMuky2mlC0QGyBdsBZuj9TsfJkman
64TN76zOlm5z+uQXndX+MafLf8Xp8F912v2XnTaaEN+H/BZ1ZTabZtNsmk2zaTbNpv+XpvC+Oz7A
99jGO6oD0pu12fECwN7GFgl7D/2dbwnjewR6/3EA1wn838e55Dm8b9K72b5jeE9Afh14LvJjjL8f
0f/zQmGT9jAMO1P6n6b/fNpT0Ov2YsKwS/c+5PRuRY4tEDn+2pNTaB9bkST5OYX89jHu+xdN9P5s
3J+HrSuQm5C/Qx5AyhCTRQN5zubm5vXu+l1dmYSWcTd6m7yNq1ZndNTwWkOj19foXfM0L2fMm+6P
a4Eu5FqK5xHjLprQ1FQv8yaSmur1b2xbpQW6BepOZLxdmSjen6MhpqNIIB1h3lB/Au3xXEtxzUE1
lcZOrgAo0KXUGPH4TW9MI4NRXDW1D9cwAFRJ7BgDzKtGlHAqEFeVSCiVR7yGEkilAv28hnH/rWBK
dyIQjwZhOKnpF26Ft9iVTjNvMBmPqwnti4wFzSsaT5oP+tmJxMfcSMa5yZch5YKnn3FIhe/uNpE3
WHinwKP9qWcGHu1zH2AOEY/m7znRXqmFR7KN8TlMPJrX18EbZvwMQ2L5M47djM9t4tE62Cfz+V/c
j/2QnLBL8/e2zM8RDLuykB7G5zzd07yfkvn+2WqX0quQOaIOrRtfCV8v1n4Qzlp4tM6aSvj6I57D
wjsj2ic79BzoLeGxL47fSQtvBLwR8I5YeC7B/Y6FR+drbhQekwt5lN6w8Oi583ZZ/n3DaveHLD9f
RsEbBa9jBt6PLDz9zKucn3cV835m4TWB1wTeuzPwfg1xMj7G+hlYZV5n5X0AqRQ8ek46Pod3U9gl
Hr2Euz6H90cRE+LpZ3+V+XM/g0fjdsfSHp3XPJyhPZJJC4+ewzQA9TPwPrLw6sGrd3E7xf5NC/vE
oxMHn6vQrjHvH4l7n8DE+2oRj6TK8E2kveCVSYU8I7e+61UvwnyF4aW4X8Xy63JOUXsD+AN7y1LR
0vRnEj2PmF6fsyIm5g2cMjG3cM7EPALXTcxX475jBuajd9vE5TqeMjGPNK1njufouMnEc3Xca+J5
Oh4xsUPH7gEDV+iY1hXHTh2PmrhSx7ROOOarssnE/EDc/qaB53O+ifkT22VivnKrTcz//R+aeBEP
8IiBF+uw3sQ1vP8mrmXWVIJdiHXcbOzfOYfFvgT7VOOA6L+M/nuRD1uwH/m4Be8R9vg8rGVhS/8k
9G+I8f2Swf+uJR4S4jFa5E+xf3TCeeekwa9iHxb5y4r4tyz26R/iX5Z4SojnJxb7pNfPVEYM/WL9
2wSdXcq6toL5LA65Ie3AOwb4ufV8uYJ1Sfn4uxH/uJSPvwtYs9Sn0T8h5efTfMynM0X6HxfhX1ja
p/auFOlvFvl3l75/CH6VXMM+kgrP2SW5sP6TwHRMGxD99RbpXwBuNO3XshY5vz6I/5LM14PRfods
7X8t2w9M578UZ+IHLe2Tv4csfPI3W6T/gZxfr/NpvQZTWlrLhMPeIFOULc0dSnvbzk5FYSE1pXZH
09gqKlpcCcaSCTXNZihSlFBS6Y4luwIxJaQlU2klkOlj2IH1xlRNDXnXrX22YWaSkt/ZKditpfoZ
3wuGMvF4P6pYkJLfEApqj9rfrSbiqu72pg7/1laldVsL/OadMO4L6oWY0vLKNv/WtuZCjf49gymb
27dv9Lcr2zdt2tnaqXT6N7a3KsZHkGA6o7vLlLbOrUo+Np1bmykMnYGumApuX9M6b7eqKb1BRYtk
Ej3erj5G+1LDhKpvUvlXlg0b8t9KRNtFn2PyjEb+SSZf4KOQ5humrzmFyoIPNeCmk0okkAiRl4Wf
gz7zlaewHbP3+iZe/3ZU4LgeVdG7cK8SOYQ62IOLIv7VaMtBpUPEqzkWSKf1WYPIGaNEIZ05oLrR
/wG4gQZFJx0AAA==

For Windows users, here is the download link to keygenme.zip: MediaFire and the VirusTotal scan for it.

Ikarus Trojan.Agent 20160911??
Someone needs to get their shit together.

BOTH BINARIES HAVE BEEN COMPILED WITH THE SAME CODE AND FLAGS.

Hints

Man pages
Google

This isn’t a very hard challenge.

Conclusion

If there are any issues with either binaries, please message me and I will try to fix it ASAP.
This message will self-destruct in five seconds…

20 Likes
2

Good job

perl -e ‘print "t"x 0x10’ > keyfile.dat

5 Likes
3

:trophy: Well done pico, jack of all trades, master of none! :trophy:

2 Likes
4

Not sure how to interpret that sentence… I’d say thanks… just in case

7 Likes
5

@dtm, I want to believe that you were too tired while typing that comment.

4 Likes
6

Right, I forgot the other half: though oftentimes better than master of one. I can’t confirm your masteries, I’d assume you have a few.

4 Likes
7

Would you be able to direct me to how you got there?

8

Sure

The easiest way is to use radare 2
Sorry about the image do not know how to make it bigger. it says:

$ r2 ./k
[xxxx] aa
[xxxx] pdf @main

You can see in the assembly how the program opens a file named ‘keyfile.dat’ and then reads its content using fread into memory. Then, the relevant part is:

|    .----> 0x080485f6      8d54241c       lea edx, [esp + 0x1c]       ; 0x1c
|    ||||   0x080485fa      8b442410       mov eax, dword [esp + 0x10] ; [0x10:4]=0x30002
|    ||||   0x080485fe      01d0           add eax, edx
|    ||||   0x08048600      0fb600         movzx eax, byte [eax]
|    ||||   0x08048603      3c74           cmp al, 0x74                ; 't'
|   ,=====< 0x08048605      741f           je 0x8048626
|   |||||   0x08048607      c70424fe8604.  mov dword [esp], str.Error:_Incorrect_key ; [0x80486fe:4]=0x6f727245 LEA str.Error:_Incorrect_key ; "Error: Incorrect key" @ 0x80486fe
|   |||||   0x0804860e      e8fdfdffff     call sym.imp.puts
|   |||||   0x08048613      8b442414       mov eax, dword [esp + 0x14] ; [0x14:4]=1
|   |||||   0x08048617      890424         mov dword [esp], eax
|   |||||   0x0804861a      e8c1fdffff     call sym.imp.fclose
|   |||||   0x0804861f      b801000000     mov eax, 1
|  ,======< 0x08048624      eb1d           jmp 0x8048643
|  |`-----> 0x08048626      8344241001     add dword [esp + 0x10], 1
|  | ||||   ; JMP XREF from 0x080485f4 (main)
|  | |`---> 0x0804862b      837c24100f     cmp dword [esp + 0x10], 0xf ; [0xf:4]=0x3000200
|  | `====< 0x08048630      7ec4           jle 0x80485f6

The first lines access the buffer one by one in a loop using a counter at [esp+0x10] and compares the value with the character ‘t’ (0x74). If any of the values is different it just prints the bad guy. Otherwise it jums ot 0x8048626 and increases the loop counter. When it reaches the value 0xf we are done and we get the success message.

I actually didn’t use radare2 but gdb… However explaining how to solve it with gdb will require a longer text. Radare does most of the work automatically :slight_smile:

4 Likes
9

Right I’m still not fully sure what you’ve done? Using a program called r2? I apologize since I’m an insane noob at RE but would love to be more proficient at it, especially in Linux.

1 Like
10

It’s radare2 and it’s an open-source RE framework. There is plenty of documentation around it and it’s on the rise. Quite of a pain in the ass to master it though.

Have a look at this link in case you are interested in getting started with it: https://blog.techorganic.com/2016/03/08/radare-2-in-0x1e-minutes/

1 Like
11

Sorry about that.

If @dtm is OK I can publish a more detailed explanation. I mean, maybe he wants to write such a paper himself.

As @_py mentioned below radare2 is a reverse engineering tool… it automates a lot of things and, in general, simplifies the whole process.

12

You’re more than welcome to write your analysis.

1 Like
13

That article is mostly good. although there appears to be a lot of handwaving on how he gets the password? He says that the disassembly of the function reveals what characters are required, where does it say the characters?

14

Yes, the characters are looking at you straight in the eyes.

cmp al, 0x74 ; ‘t’

1 Like
15

I’m referring to helloworld in that article you linked me.

Sorry. Took a little more looking :stuck_out_tongue: found it! Thanks. I was expecting a string or an array of sorts of chars.

16

I know you were expecting a string or an array of chars.

17

I have a question regarding a line in this challenge:

[spoiler]cmp dword [local_10h], 0xf

0xf is equal to 15 in decimal, so why did it take 16 t’s for the cmp to be true? I know hex is base16 and starts counting at zero but 0xF == 1111 == 15. Edit: I should clarify that I used Radare2. Also, a side question what does this line mean in r2? - ; [0xf:4]=0x3000200 it’s on the same line as the cmp.[/spoiler]

18 
jle 0x80485f6

It will keep looping while it’s less or equal. Meaning, the counter will be in the range of [0,15] (note I didn’t type [0,15)), which in total is 16.

1 Like
19

I’m assuming the iterator starts at 0, please check if you’re making a fence post error.

1 Like
20

Quite an easy task :stuck_out_tongue:

You can find my solution below:

When starting the static analysis I spotted a few details which gave me plenty of information about the required key.

  • The binary seems to load the key from a file named keyfile.dat

  • The key length should be, at least, 16 chars

  • Each char is compared to the following value : 0x74 (’t’)

Consequently, we can assume that the key only contains ’t’ chars. After a quick dynamic analysis, the key length found was 17 chars.

=> Challenge completed.

Thanks for the challenge @dtm

2 Likes