Summary of previous parts
In Part-I, and Part -II we saw Reflector can very accurately de-compile .NET apps and we also studies some basics of packing and obfuscation.
We saw that Reflector cannot directly de-obfuscate obfuscated assemblies, so we need external tools to de-obfuscate .NET assemblies. {smartkill} is one such tool that can de-obfuscate assemblies obfuscated by {smartassembly}.
Reflector can't also unpack/decrypt packed/crypted exes, so we need unpackers and decryptors. PEiD can identify huge array of packed and crypted exes, to make our lives easier.
Introduction
I think readers are starting to lose interest as I cover only theoretical aspects of cracking. So, in this part I will actually CRACK an app
As I have written only about .NET cracking till now, so I would crack a .NET app. We will cover other languages gradually.
Here is the link to the target of this article is : http://crackmes.de/users/w02057/crac...02057/download
Background
The target is a Level-2 crackme, solved my me. This crackme was an easy one, designed by w02057.
The author(w02057) gives the following information about his crackme:
(*) Language : .NET
(*) Platform : Windows
The rule that the author stated for solving are:
(*) No Patching : that would make it too easy
(*) No Bruteforcing : that would make it time-consuming and boring
ACTION 
(1) Load the crack me into Reflector: File --> Open --> Select crackme location
(2) Expand the following: CrackMe5 --> frmMain --> btnValidate_Click
(3) See that it works with the following:
..(*) txtKey : a textbox obviously
..(*) txtSerial : another textbox obviously
..(*) getserial : a function
..(*) check : a function
(4) Click '
check' to goto the associated code. You will see this:Code: vb.net
Private Function check(ByVal str As String) As Boolean
Dim num As Integer = 0
Dim num2 As Integer = 0
Dim startIndex As Integer = 0
Dim flag2 As Boolean = False
Try
num2 = 1
Do
Dim num4 As Integer = (str.Length - 1)
startIndex = 0
Do While (startIndex <= num4)
If (Conversions.ToDouble(str.Substring(startIndex, 1)) = num2) Then
If flag2 Then
Return False
End If
flag2 = True
End If
startIndex += 1
Loop
flag2 = False
num2 += 1
Loop While (num2 <= 9)
If Operators.ConditionalCompareObjectEqual(Operators.AddObject(Operators.AddObject(Conversion.Int(str.Substring(0, 1)), Conversion.Int(str.Substring(4, 1))), Conversion.Int(str.Substring(8, 1))), 15, False) Then
num += 1
End If
If Operators.ConditionalCompareObjectEqual(Operators.AddObject(Operators.AddObject(Conversion.Int(str.Substring(2, 1)), Conversion.Int(str.Substring(4, 1))), Conversion.Int(str.Substring(6, 1))), 15, False) Then
num += 1
End If
If Operators.ConditionalCompareObjectEqual(Operators.AddObject(Operators.AddObject(Conversion.Int(str.Substring(0, 1)), Conversion.Int(str.Substring(3, 1))), Conversion.Int(str.Substring(6, 1))), 15, False) Then
num += 1
End If
If Operators.ConditionalCompareObjectEqual(Operators.AddObject(Operators.AddObject(Conversion.Int(str.Substring(1, 1)), Conversion.Int(str.Substring(4, 1))), Conversion.Int(str.Substring(7, 1))), 15, False) Then
num += 1
End If
If Operators.ConditionalCompareObjectEqual(Operators.AddObject(Operators.AddObject(Conversion.Int(str.Substring(2, 1)), Conversion.Int(str.Substring(5, 1))), Conversion.Int(str.Substring(8, 1))), 15, False) Then
num += 1
End If
If Operators.ConditionalCompareObjectEqual(Operators.AddObject(Operators.AddObject(Conversion.Int(str.Substring(0, 1)), Conversion.Int(str.Substring(1, 1))), Conversion.Int(str.Substring(2, 1))), 15, False) Then
num += 1
End If
If Operators.ConditionalCompareObjectEqual(Operators.AddObject(Operators.AddObject(Conversion.Int(str.Substring(3, 1)), Conversion.Int(str.Substring(4, 1))), Conversion.Int(str.Substring(5, 1))), 15, False) Then
num += 1
End If
If Operators.ConditionalCompareObjectEqual(Operators.AddObject(Operators.AddObject(Conversion.Int(str.Substring(6, 1)), Conversion.Int(str.Substring(7, 1))), Conversion.Int(str.Substring(8, 1))), 15, False) Then
num += 1
End If
Catch exception1 As Exception
ProjectData.SetProjectError(exception1)
ProjectData.ClearProjectError
Return False
End Try
Return (num = 8)
End Function
getserial' to goto associated code. You will observe this:Code: vb.net
Private Function getserial(ByVal str As String) As Object
Dim obj2 As Object
Try
Dim str3 As String = Conversions.ToString(Me.hash(str))
Dim str2 As String = ""
Dim startIndex As Integer = 0
Dim num2 As Integer = (str.Length - 1)
startIndex = 0
Do While (startIndex <= num2)
str2 = (str2 & str3.Substring(CInt(Math.Round(CDbl((Conversions.ToDouble(str.Substring(startIndex, 1)) - 1)))), 1))
startIndex += 1
Loop
str = Conversions.ToString(Me.hash(str2))
str2 = ""
startIndex = 1
Do
str2 = (str2 & str.Substring((startIndex * 4), 4))
If (startIndex <> 5) Then
str2 = (str2 & "-")
End If
startIndex += 1
Loop While (startIndex <= 5)
obj2 = Strings.UCase(str2)
Catch exception1 As Exception
ProjectData.SetProjectError(exception1)
obj2 = Nothing
ProjectData.ClearProjectError
End Try
Return obj2
End Function
Code: vb.net
Private Function hash(ByVal str As String) As Object
Dim provider As New MD5CryptoServiceProvider
Dim bytes As Byte() = Encoding.ASCII.GetBytes(str)
bytes = provider.ComputeHash(bytes)
str = ""
Dim num As Byte
For Each num In bytes
str = (str & num.ToString("x2"))
Next
Return str
End Function
NOTE FOR NEWBIES : Don't be afraid of seeing so much code. Your work is simple (as you will see when you read further). At max, you'll have to write about 10 lines
of code.(7) So, now we have enough information, about what's going on inside
:..(*) The
check function checks if the entered key is valid...(*) If key is valid, it generates a serial and matches the entered serial with it.
Simple, isn't it ?
(8) So, what we do to crack this easily is.. we try to understand what the check function expects as a GOOD key. Lets's analyze :
OBSERVATION : Observe the
Do...Loop While(num2 <= 9) loop inside the 'Try' block.CONCLUSION : It ensures that, there are not repeated digits in the key. Thus, note that, the key consists only of DIGITS no alphabets.
OBSERVATION : Next move to the sequence of 'If' Checks. [ There are 8 'If's ]. If an 'If' is satisfied, num is increased by 1 ( 'cuz num += 1). At the end the function checks if num = 8.
CONCLUSION : So, ALL 'If's must be satisfied.
(9) Study the 'If's now. BTW, hover mouse over 'Substring' and 'Conversions' to know about them. See that, the author extracts the i'th character in the string str (which is the key), by using the command 'str.Substring(i-1, 1)'. So, 'str.Substring(1, 1)' would give the 2nd character in the key.
Note that, the author uses i = 9 at max because he uses 'str.Substring(8, 1)' at maximum.
So, we got a hint -- the author checks ONLY the first 9 chars of key.
(10) Now, what does he check ?? Note again that, 'Conversion.Int(c)' returns the digit contained in the character c. As the key consists only of digits, 'Conversion.Int(str.Substring(i-1, 1))' would return the i'th digit in the key.
(11) So, finally we get to know that the function 'check' does this:
Code: Algorithm
(*) Checks that first 9 digits in key are unequal.
(*) Checks that the key satisfies the following:
(1) 0 + 4 + 8 = 15
(2) 2 + 4 + 6 = 15
(3) 0 + 3 + 6 = 15
(4) 1 + 4 + 7 = 15
(5) 2 + 5 + 8 = 15
(6) 0 + 1 + 2 = 15
(7) 3 + 4 + 5 = 15
(8) 6 + 7 + 8 = 15
[ Here 0 represents 1st digit, 4 represents 5th digit and so on... ;) ]
Code:
0 1 2 <-- 15
3 4 5 <-- 15
6 7 8 <-- 15
/ ^ ^ ^ \
/ | | | \
15 15 15 15 15
(13) Representation of 15 as sum of 3 distinct natural numbers :
Code: Algorithm
..(*) Using 1 : 1 + 6 + 8 [ as 1 can be present in 2 different combinations, it must be, ]
1 + 5 + 9 [ at the mid-point of a side of the magic square ]
..(*) Using 2 : 2 + 6 + 7 [ as 2 can be present in 3 different combinations, it must be, ]
2 + 5 + 8 [ at a vertex of of the magic square ]
2 + 4 + 9
..(*) Using 3 : 3 + 5 + 7 [ as 3 can be present in 2 different combinations, it must be, ]
3 + 4 + 8 [ at the mid-point of a side of the magic square ]
..(*) Using 4 : 4 + 2 + 9 [ as 4 can be present in 3 different combinations, it must be, ]
4 + 3 + 8 [ at a vertex of of the magic square ]
4 + 5 + 6
2 x x
x x 1
4 3 x
Now we can fill up logically as follows:
Code: Algorithm
(*) 1 and 3 cannot be opposite to each other as they are not together in any combination.
(*) 4 should not be above or below 1 as they are not together in any combination.
(*) Mid-Left is obviously 9.
(*) Bottom-Right is obviously 8.
2 x x
9 x 1
4 3 8
Code: Algorithm
(*) Center is of course 5
(*) Top-Right is 6.
(*) Mid-Top is 7.
2 7 6
9 5 1
4 3 8
So, the key corresponding to this is 276951438.
NOTE: All other keys can be formed by simply rotating and transposing.
(14) Now we know the valid keys. The
getserial function can fetch us a valid serial for a key, so we don't need to be bothered about calculating a serial. We can just copy the getserial function (and the hash function, because getserial uses it) to VB.NET and can pass the keys as arguments to get the serials (15) So, we are done ! We have just finished a keygen for w02057's Crackme
All the valid keys and serial combination are :
Code: Output
--------------------------------------------------
KEYS SERIALS
--------------------------------------------------
276951438 : 7DFF-7430-C0FE-FB5E-5675
294753618 : C528-6819-5244-62B2-9FA4
438951276 : CDB6-32A6-C696-62DA-E1BA
492357816 : 3AE9-0717-B6B6-7AFC-D688
618753294 : 8DC0-E6A2-D499-0F1E-29D5
672159834 : C520-15B6-6AFA-6B40-DFA1
816357492 : CE71-5143-D977-A8EA-C38E
834159672 : 60D7-0189-3A7E-5172-CE21
I hope you enjoyed making the keygen, as much as I enjoyed it.
Greets to shabbir and all my friends here at G4EF and thanks to you for reading this long article !
Take care and good bye
