
Application 9: creating a keygen


By ghostghost

I just solved this challenge and decided to share my experience. There are several ways to solve it. The other articles about the Application 9 challenge explain how to reach the password at the end, but that is not what the challenge description actually asks for (a keygen). So if you only want to pass this challenge quickly, read the other articles on the topic; otherwise, prepare to create a keygen. First run crackme1.exe and explore it. What do you see? There are two text boxes (Username and Code), one button and a menu. The menu has an interesting item (Hint). Click it. A message box appears with the text "You need to see what the app does with your name!". So it seems the program encodes the username somehow, and maybe this is the Code. Try typing something in the Username and Code text boxes and press the Try It button. A message box with the error message "Sorry, Try Again" appears. Now let's look at this in a debugger.

I'm using OllyDbg, like most crackers do today, I think. Open crackme1.exe in Olly and search for all referenced text strings. There is our error message "Sorry, Try Again", as well as the congratulations message "Well done, you did it!". Double-click one of these references and you will land in the code that displays the message box with the corresponding text. This is the end of the code-checking logic, and here you could solve the challenge by changing a single instruction, but our purpose is to create a keygen, not just to solve the challenge. So move up until you see a reference to the GetWindowTextA WinAPI function. Here the program reads the contents of both text boxes, Username and Code, and stores them in global variables. Right after that, the username encoding begins. To see what happens next, set a breakpoint after GetWindowTextA, click Debug/Run, enter some username (preferably at least 8 characters long) and some code, and hit Try It. You will now hit the breakpoint in Olly. Start tracing the code with F8 (Step Over) and watch what happens in the code, the stack and the registers. The encoding algorithm is very simple. It appears that only 8 characters of the username are used for generating the code. Step over and write down (in a text editor or wherever you like) every calculation the program performs on your username.

After several more lines you will reach this instruction: 00401305 |. 57 PUSH EDI

After this line, a block of several instructions is repeated 8 times. If you manage to work out what one of these code fragments does, creating the keygen will be very easy.

At the end of those 8 fragments there is a check that compares the calculated code with the code you entered; if they are equal, enjoy.

So at this point you must know how the Username becomes the Code. If you don't, trace it all over again. I wrote my keygen in C++, but you can use any language, even PHP if you want. What remains is to implement the instructions you wrote down during tracing in your keygen source and to try the resulting Code in the crackme1 application.
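Turning the notes from tracing into a keygen, as an added example that is not the article's code and does not contain the crackme's real algorithm: the per-round arithmetic in round_step below is a placeholder that you replace with the instructions you wrote down while stepping with F8. What the example does show is the part that goes wrong most often in practice, namely reproducing 32-bit register semantics in C (unsigned wraparound on ADD/IMUL/SHL, and ROL/ROR, which C has no operator for), restricting the input to 8 characters as the article observes, and checking the result the same way the program's final compare does. Zero-padding of names shorter than 8 characters, the initial accumulator value, and decimal parsing of the Code box are assumptions to confirm in Olly.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* x86 rotate instructions have no C operator; these helpers reproduce
   ROL/ROR on a 32-bit register. Everything is kept in uint32_t so that
   ADD/IMUL/SHL wrap exactly as EAX does in OllyDbg. */
static uint32_t rol32(uint32_t v, unsigned n) { n &= 31; return n ? (v << n) | (v >> (32 - n)) : v; }
static uint32_t ror32(uint32_t v, unsigned n) { n &= 31; return n ? (v >> n) | (v << (32 - n)) : v; }

/* One of the eight repeated code fragments, transcribed as C.
   PLACEHOLDER ARITHMETIC: this is NOT the crackme's algorithm. Replace the
   body with the instructions you wrote down; keep the shape (one character
   in, accumulator updated, next fragment). The comments show how a traced
   instruction typically maps to a C statement. */
static uint32_t round_step(uint32_t acc, uint8_t ch, unsigned i)
{
    acc ^= ch;                       /* e.g. XOR EAX, ECX  (ECX = current char) */
    acc = rol32(acc, 3);             /* e.g. ROL EAX, 3                          */
    acc += (uint32_t)ch * (i + 1);   /* e.g. IMUL/ADD, wraps at 2^32 like EAX    */
    (void)ror32;                     /* available for fragments that use ROR     */
    return acc;
}

/* The article observes that only 8 characters of the username are used.
   Zero-padding shorter names is an assumption: check in Olly what the real
   program does with a short username before trusting this. */
uint32_t compute_code(const char *username)
{
    uint8_t name[8] = {0};
    size_t n = strlen(username);
    if (n > 8) n = 8;
    memcpy(name, username, n);

    uint32_t acc = 0;                /* placeholder initial value; read it from the trace */
    for (unsigned i = 0; i < 8; i++)
        acc = round_step(acc, name[i], i);
    return acc;
}

/* The final compare the article describes: the Code box is converted to a
   number and compared with the computed value. Decimal text is assumed here;
   whether the crackme expects decimal or hex must be confirmed in Olly. */
int check_code(const char *username, const char *code_text)
{
    char *end;
    unsigned long entered = strtoul(code_text, &end, 10);
    if (end == code_text || *end != '\0' || entered > 0xFFFFFFFFul) return 0;
    return (uint32_t)entered == compute_code(username);
}

/* Round trip: generate a code for a name and feed it back through the check. */
int self_check(const char *username)
{
    char buf[16];
    snprintf(buf, sizeof buf, "%u", (unsigned)compute_code(username));
    return check_code(username, buf);
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "ghostghost";   /* constructed sample input */
    printf("Username: %s\nCode:     %u\n", user, (unsigned)compute_code(user));
    return 0;
}
```

Build it with something like gcc -std=c99 keygen.c -o keygen, run it with your username, then set a breakpoint on the final compare in Olly and check that the register holding the computed code matches what the keygen printed. If it does not, the transcription of one of the eight fragments is wrong; tracing just that fragment again with F8 while watching the registers finds the difference quickly.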

This has become more of an Olly tutorial than an Application 9 guide, but I hope some people will find it helpful.

Comments
SySTeM 17 years ago

Nice article, this should help a few who are stuck on this

lukem_95 17 years ago

I have no idea how to get the algorithm :'(

icebraker101 17 years ago

I have no idea how to keygen this program. If anyone can help, e-mail me.

ghost 17 years ago

Holy crap, I'm lost.

ghost 17 years ago

Beat app 9 before reading this, but yeah, good article.

Ayr4 16 years ago

This was indeed a good article, I've beaten app 9 now :)

ghost 13 years ago

Thanks for the article :) It helped me a lot.